@sentriflow/core 0.3.0 → 0.4.0

package/package.json

@@ -1,65 +1,65 @@
-{
-  "name": "@sentriflow/core",
-  "version": "0.3.0",
-  "description": "SentriFlow core engine for network configuration validation",
-  "license": "Apache-2.0",
-  "module": "src/index.ts",
-  "type": "module",
-  "exports": {
-    ".": "./src/index.ts",
-    "./grx2-loader": "./src/grx2-loader/index.ts",
-    "./helpers": "./src/helpers/index.ts",
-    "./helpers/common": "./src/helpers/common/index.ts",
-    "./helpers/arista": "./src/helpers/arista/index.ts",
-    "./helpers/aruba": "./src/helpers/aruba/index.ts",
-    "./helpers/cisco": "./src/helpers/cisco/index.ts",
-    "./helpers/cumulus": "./src/helpers/cumulus/index.ts",
-    "./helpers/extreme": "./src/helpers/extreme/index.ts",
-    "./helpers/fortinet": "./src/helpers/fortinet/index.ts",
-    "./helpers/huawei": "./src/helpers/huawei/index.ts",
-    "./helpers/juniper": "./src/helpers/juniper/index.ts",
-    "./helpers/mikrotik": "./src/helpers/mikrotik/index.ts",
-    "./helpers/nokia": "./src/helpers/nokia/index.ts",
-    "./helpers/paloalto": "./src/helpers/paloalto/index.ts",
-    "./helpers/vyos": "./src/helpers/vyos/index.ts"
-  },
-  "repository": {
-    "type": "git",
-    "url": "git+https://github.com/sentriflow/sentriflow.git",
-    "directory": "packages/core"
-  },
-  "homepage": "https://github.com/sentriflow/sentriflow#readme",
-  "bugs": {
-    "url": "https://github.com/sentriflow/sentriflow/issues"
-  },
-  "keywords": [
-    "network",
-    "configuration",
-    "validation",
-    "security",
-    "cisco",
-    "juniper",
-    "arista",
-    "firewall",
-    "linter",
-    "helpers"
-  ],
-  "files": [
-    "src",
-    "LICENSE",
-    "README.md"
-  ],
-  "publishConfig": {
-    "access": "public"
-  },
-  "dependencies": {
-    "node-machine-id": "^1.1.12"
-  },
-  "devDependencies": {
-    "bun-types": "latest",
-    "@types/node": "^20.0.0"
-  },
-  "peerDependencies": {
-    "typescript": "^5.0.0"
-  }
-}
+{
+  "name": "@sentriflow/core",
+  "version": "0.4.0",
+  "description": "SentriFlow core engine for network configuration validation",
+  "license": "Apache-2.0",
+  "module": "src/index.ts",
+  "type": "module",
+  "exports": {
+    ".": "./src/index.ts",
+    "./grx2-loader": "./src/grx2-loader/index.ts",
+    "./helpers": "./src/helpers/index.ts",
+    "./helpers/common": "./src/helpers/common/index.ts",
+    "./helpers/arista": "./src/helpers/arista/index.ts",
+    "./helpers/aruba": "./src/helpers/aruba/index.ts",
+    "./helpers/cisco": "./src/helpers/cisco/index.ts",
+    "./helpers/cumulus": "./src/helpers/cumulus/index.ts",
+    "./helpers/extreme": "./src/helpers/extreme/index.ts",
+    "./helpers/fortinet": "./src/helpers/fortinet/index.ts",
+    "./helpers/huawei": "./src/helpers/huawei/index.ts",
+    "./helpers/juniper": "./src/helpers/juniper/index.ts",
+    "./helpers/mikrotik": "./src/helpers/mikrotik/index.ts",
+    "./helpers/nokia": "./src/helpers/nokia/index.ts",
+    "./helpers/paloalto": "./src/helpers/paloalto/index.ts",
+    "./helpers/vyos": "./src/helpers/vyos/index.ts"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/sentriflow/sentriflow.git",
+    "directory": "packages/core"
+  },
+  "homepage": "https://github.com/sentriflow/sentriflow#readme",
+  "bugs": {
+    "url": "https://github.com/sentriflow/sentriflow/issues"
+  },
+  "keywords": [
+    "network",
+    "configuration",
+    "validation",
+    "security",
+    "cisco",
+    "juniper",
+    "arista",
+    "firewall",
+    "linter",
+    "helpers"
+  ],
+  "files": [
+    "src",
+    "LICENSE",
+    "README.md"
+  ],
+  "publishConfig": {
+    "access": "public"
+  },
+  "dependencies": {
+    "node-machine-id": "^1.1.12"
+  },
+  "devDependencies": {
+    "bun-types": "latest",
+    "@types/node": "^20.0.0"
+  },
+  "peerDependencies": {
+    "typescript": "^5.0.0"
+  }
+}

package/src/grx2-loader/GRX2ExtendedLoader.ts

@@ -358,9 +358,8 @@ export async function loadExtendedPack(
   machineId: string,
   debug?: (msg: string) => void
 ): Promise<RulePack> {
-  debug?.(`[GRX2Loader] Loading pack: ${filePath}`);
-  debug?.(`[GRX2Loader] License key length: ${licenseKey.length}, first 20 chars: ${licenseKey.substring(0, 20)}...`);
-  debug?.(`[GRX2Loader] Machine ID: "${machineId}" (length: ${machineId.length})`);
+  debug?.(`[GRX2Loader] Loading pack: ${filePath}`);
+  debug?.(`[GRX2Loader] Machine ID: "${machineId}" (length: ${machineId.length})`);
 
   // Read pack file
   const data = await readFile(filePath);

package/src/grx2-loader/index.ts

@@ -31,7 +31,9 @@ export {
   GRX2_KDF_PBKDF2,
   GRX2_KEY_TYPE_TMK,
   GRX2_KEY_TYPE_CTMK,
+  SENTRIFLOW_HOME,
   DEFAULT_PACKS_DIRECTORY,
+  DEFAULT_RULES_DIRECTORY,
   CACHE_DIRECTORY,
 } from './types';
 

package/src/grx2-loader/types.ts

@@ -25,13 +25,13 @@ export interface LicensePayload {
   sub: string;
 
   /** Customer tier */
-  tier: 'community' | 'professional' | 'enterprise';
+  tier: 'basic' | 'professional' | 'enterprise';
 
   /** Entitled feed IDs */
   feeds: string[];
 
-  /** API URL for cloud updates */
-  api: string;
+  /** API URL for cloud updates (optional - derived from domain at runtime if not set) */
+  api?: string;
 
   /** Expiration timestamp (Unix seconds) */
   exp: number;
@@ -229,7 +229,8 @@ export type EncryptedPackErrorCode =
   | 'DECRYPTION_FAILED'
   | 'MACHINE_MISMATCH'
   | 'NETWORK_ERROR'
-  | 'API_ERROR';
+  | 'API_ERROR'
+  | 'ACTIVATION_FAILED';
 
 /**
  * Encrypted pack error
@@ -273,8 +274,14 @@ export const GRX2_KEY_TYPE_TMK = 1;
 /** CTMK key type */
 export const GRX2_KEY_TYPE_CTMK = 2;
 
+/** Base SentriFlow home directory (platform-aware: ~/.sentriflow or %USERPROFILE%\.sentriflow) */
+export const SENTRIFLOW_HOME = join(homedir(), '.sentriflow');
+
 /** Default packs directory (platform-aware) */
-export const DEFAULT_PACKS_DIRECTORY = join(homedir(), '.sentriflow', 'packs');
+export const DEFAULT_PACKS_DIRECTORY = join(SENTRIFLOW_HOME, 'packs');
+
+/** Default custom rules directory (platform-aware) */
+export const DEFAULT_RULES_DIRECTORY = join(SENTRIFLOW_HOME, 'rules');
 
 /** Cache directory (for downloaded packs, platform-aware) */
-export const CACHE_DIRECTORY = join(homedir(), '.sentriflow', 'cache');
+export const CACHE_DIRECTORY = join(SENTRIFLOW_HOME, 'cache');

package/src/helpers/cisco/helpers.ts

@@ -10,6 +10,7 @@ import {
   includesIgnoreCase,
   startsWithIgnoreCase,
   parseInteger,
+  findParentSection,
 } from '../common/helpers';
 
 // Re-export common helpers for convenience
@@ -214,6 +215,24 @@ export const hasWeakUsernamePassword = (node: ConfigNode): boolean => {
   return false;
 };
 
+/**
+ * Check if password is under a line configuration section (vty, console, aux).
+ * Line passwords cannot be encrypted in Cisco IOS - they only support plaintext.
+ * Security for these should be enforced via AAA authentication instead.
+ *
+ * @param ast The full AST (array of ConfigNode)
+ * @param node The password node to check
+ * @returns true if the password is under a line vty/console/aux section
+ */
+export const isLineConfigPassword = (ast: ConfigNode[], node: ConfigNode): boolean => {
+  const parent = findParentSection(ast, node);
+  if (!parent) return false;
+  const parentId = parent.id.toLowerCase();
+  return parentId.startsWith('line vty') ||
+         parentId.startsWith('line console') ||
+         parentId.startsWith('line aux');
+};
+
 /**
  * Get SSH version from configuration
  */

package/src/helpers/cisco/index.ts

@@ -8,4 +8,5 @@ export {
   hasChildCommand,
   getChildCommand,
   getChildCommands,
+  findParentSection,
 } from '../common/helpers';

package/src/helpers/common/helpers.ts

@@ -202,6 +202,35 @@ export const isShutdown = (node: ConfigNode): boolean => {
   });
 };
 
+/**
+ * Find the parent section of a node in the AST.
+ * Traverses the AST to locate the parent section containing the target node.
+ * Useful for context-aware rules that need to check parent context.
+ *
+ * @param ast The full AST (array of ConfigNode)
+ * @param targetNode The node to find the parent for
+ * @returns The parent section node, or undefined if not found
+ */
+export const findParentSection = (
+  ast: ConfigNode[],
+  targetNode: ConfigNode
+): ConfigNode | undefined => {
+  for (const node of ast) {
+    if (node.type === 'section') {
+      // Check if target is a direct child (by line number match)
+      if (node.children.some(child =>
+        child.loc.startLine === targetNode.loc.startLine
+      )) {
+        return node;
+      }
+      // Recurse into children
+      const found = findParentSection(node.children, targetNode);
+      if (found) return found;
+    }
+  }
+  return undefined;
+};
+
 /**
  * Check if a node is an actual interface definition (not a reference or sub-command).
  * Interface definitions are top-level sections that define physical/logical interfaces.

package/src/ip/classifier.ts

@@ -0,0 +1,416 @@
+// packages/core/src/ip/classifier.ts
+
+import type { IPSummary, IPCounts } from './types';
+
+// ============================================================================
+// IP Classification Types
+// ============================================================================
+
+/**
+ * Classification categories for IP addresses.
+ */
+export type IPClassification =
+  | 'public'      // Globally routable
+  | 'private'     // RFC 1918 private ranges
+  | 'loopback'    // 127.0.0.0/8, ::1
+  | 'link-local'  // 169.254.0.0/16, fe80::/10
+  | 'multicast'   // 224.0.0.0/4, ff00::/8
+  | 'reserved'    // 240.0.0.0/4, other reserved
+  | 'unspecified' // 0.0.0.0, ::
+  | 'broadcast'   // 255.255.255.255
+  | 'documentation' // 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, 2001:db8::/32
+  | 'cgnat';      // 100.64.0.0/10 (Carrier-grade NAT)
+
+/**
+ * Options for filtering IP addresses.
+ */
+export interface IPFilterOptions {
+  /**
+   * Keep public (globally routable) addresses.
+   * @default true
+   */
+  keepPublic?: boolean;
+
+  /**
+   * Keep private (RFC 1918) addresses.
+   * @default true
+   */
+  keepPrivate?: boolean;
+
+  /**
+   * Keep loopback addresses (127.x.x.x, ::1).
+   * @default false
+   */
+  keepLoopback?: boolean;
+
+  /**
+   * Keep link-local addresses (169.254.x.x, fe80::).
+   * @default false
+   */
+  keepLinkLocal?: boolean;
+
+  /**
+   * Keep multicast addresses (224.x.x.x - 239.x.x.x, ff00::).
+   * @default false
+   */
+  keepMulticast?: boolean;
+
+  /**
+   * Keep reserved/future use addresses (240.x.x.x - 255.x.x.x).
+   * @default false
+   */
+  keepReserved?: boolean;
+
+  /**
+   * Keep unspecified addresses (0.0.0.0, ::).
+   * @default false
+   */
+  keepUnspecified?: boolean;
+
+  /**
+   * Keep broadcast address (255.255.255.255).
+   * @default false
+   */
+  keepBroadcast?: boolean;
+
+  /**
+   * Keep documentation addresses (TEST-NET ranges, 2001:db8::).
+   * @default false
+   */
+  keepDocumentation?: boolean;
+
+  /**
+   * Keep CGNAT addresses (100.64.0.0/10).
+   * @default true
+   */
+  keepCgnat?: boolean;
+}
+
+/**
+ * Default filter options - keep only public and private addresses.
+ */
+export const DEFAULT_FILTER_OPTIONS: Required<IPFilterOptions> = {
+  keepPublic: true,
+  keepPrivate: true,
+  keepLoopback: false,
+  keepLinkLocal: false,
+  keepMulticast: false,
+  keepReserved: false,
+  keepUnspecified: false,
+  keepBroadcast: false,
+  keepDocumentation: false,
+  keepCgnat: true,
+};
+
+// ============================================================================
+// IPv4 Classification
+// ============================================================================
+
+/**
+ * Convert IPv4 address string to 32-bit number.
+ */
+function ipv4ToNumber(ip: string): number {
+  const parts = ip.split('.');
+  if (parts.length !== 4) return 0;
+
+  let result = 0;
+  for (let i = 0; i < 4; i++) {
+    const octet = parseInt(parts[i] ?? '0', 10);
+    if (isNaN(octet) || octet < 0 || octet > 255) return 0;
+    result = (result << 8) + octet;
+  }
+  return result >>> 0; // Ensure unsigned
+}
+
+/**
+ * Check if IPv4 address is in a given CIDR range.
+ */
+function isInIPv4Range(ip: string, network: string, prefix: number): boolean {
+  const ipNum = ipv4ToNumber(ip);
+  const netNum = ipv4ToNumber(network);
+  const mask = prefix === 0 ? 0 : (~0 << (32 - prefix)) >>> 0;
+  return (ipNum & mask) === (netNum & mask);
+}
+
+/**
+ * Classify an IPv4 address.
+ */
+export function classifyIPv4(ip: string): IPClassification {
+  // Unspecified
+  if (ip === '0.0.0.0') return 'unspecified';
+
+  // Broadcast
+  if (ip === '255.255.255.255') return 'broadcast';
+
+  // Current network (0.0.0.0/8) - treat as unspecified
+  if (isInIPv4Range(ip, '0.0.0.0', 8)) return 'unspecified';
+
+  // Loopback (127.0.0.0/8)
+  if (isInIPv4Range(ip, '127.0.0.0', 8)) return 'loopback';
+
+  // Link-local (169.254.0.0/16)
+  if (isInIPv4Range(ip, '169.254.0.0', 16)) return 'link-local';
+
+  // Private ranges (RFC 1918)
+  if (isInIPv4Range(ip, '10.0.0.0', 8)) return 'private';
+  if (isInIPv4Range(ip, '172.16.0.0', 12)) return 'private';
+  if (isInIPv4Range(ip, '192.168.0.0', 16)) return 'private';
+
+  // CGNAT (100.64.0.0/10)
+  if (isInIPv4Range(ip, '100.64.0.0', 10)) return 'cgnat';
+
+  // Documentation ranges (TEST-NET)
+  if (isInIPv4Range(ip, '192.0.2.0', 24)) return 'documentation';
+  if (isInIPv4Range(ip, '198.51.100.0', 24)) return 'documentation';
+  if (isInIPv4Range(ip, '203.0.113.0', 24)) return 'documentation';
+
+  // Multicast (224.0.0.0/4)
+  if (isInIPv4Range(ip, '224.0.0.0', 4)) return 'multicast';
+
+  // Reserved for future use (240.0.0.0/4)
+  if (isInIPv4Range(ip, '240.0.0.0', 4)) return 'reserved';
+
+  // Everything else is public
+  return 'public';
+}
+
+/**
+ * Classify an IPv4 subnet (uses network address for classification).
+ */
+export function classifyIPv4Subnet(subnet: string): IPClassification {
+  const slashIndex = subnet.lastIndexOf('/');
+  if (slashIndex === -1) return classifyIPv4(subnet);
+
+  const network = subnet.substring(0, slashIndex);
+  return classifyIPv4(network);
+}
+
+// ============================================================================
+// IPv6 Classification
+// ============================================================================
+
+/**
+ * Expand IPv6 address to full form and return as array of 16-bit values.
+ */
+function expandIPv6(ip: string): number[] {
+  // Strip zone ID if present
+  const zoneIndex = ip.indexOf('%');
+  const addr = zoneIndex !== -1 ? ip.substring(0, zoneIndex) : ip;
+
+  const parts = addr.split(':');
+  const result: number[] = [];
+
+  for (let i = 0; i < parts.length; i++) {
+    const part = parts[i] ?? '';
+    if (part === '' && i > 0 && i < parts.length - 1) {
+      // Middle :: - expand
+      const nonEmpty = parts.filter((p) => p !== '').length;
+      const zeros = 8 - nonEmpty;
+      for (let j = 0; j < zeros; j++) {
+        result.push(0);
+      }
+    } else if (part !== '') {
+      result.push(parseInt(part, 16) || 0);
+    } else if (i === 0 && (parts[1] ?? '') === '') {
+      // Leading ::
+      const nonEmpty = parts.filter((p) => p !== '').length;
+      const zeros = 8 - nonEmpty;
+      for (let j = 0; j < zeros; j++) {
+        result.push(0);
+      }
+    }
+  }
+
+  // Pad to 8 if needed
+  while (result.length < 8) {
+    result.push(0);
+  }
+
+  return result.slice(0, 8);
+}
+
+/**
+ * Check if IPv6 starts with a specific prefix.
+ */
+function ipv6StartsWith(ip: string, prefixHex: number, prefixBits: number): boolean {
+  const parts = expandIPv6(ip);
+
+  // Calculate how many 16-bit groups we need to check
+  const fullGroups = Math.floor(prefixBits / 16);
+  const remainingBits = prefixBits % 16;
+
+  // Build the prefix value from parts
+  let value = 0;
+  for (let i = 0; i < fullGroups && i < parts.length; i++) {
+    value = (value << 16) | (parts[i] ?? 0);
+  }
+
+  if (remainingBits > 0 && fullGroups < parts.length) {
+    const mask = (~0 << (16 - remainingBits)) & 0xffff;
+    value = (value << remainingBits) | (((parts[fullGroups] ?? 0) & mask) >> (16 - remainingBits));
+  }
+
+  return value === prefixHex;
+}
+
+/**
+ * Classify an IPv6 address.
+ */
+export function classifyIPv6(ip: string): IPClassification {
+  const parts = expandIPv6(ip);
+
+  // Unspecified (::)
+  if (parts.every((p) => p === 0)) return 'unspecified';
+
+  // Loopback (::1)
+  if (parts.slice(0, 7).every((p) => p === 0) && parts[7] === 1) return 'loopback';
+
+  // Link-local (fe80::/10)
+  if ((parts[0] ?? 0) >= 0xfe80 && (parts[0] ?? 0) <= 0xfebf) return 'link-local';
+
+  // Multicast (ff00::/8)
+  if (((parts[0] ?? 0) & 0xff00) === 0xff00) return 'multicast';
+
+  // Documentation (2001:db8::/32)
+  if (parts[0] === 0x2001 && parts[1] === 0x0db8) return 'documentation';
+
+  // Unique local (fc00::/7) - similar to private
+  if (((parts[0] ?? 0) & 0xfe00) === 0xfc00) return 'private';
+
+  // Everything else is public
+  return 'public';
+}
+
+/**
+ * Classify an IPv6 subnet (uses network address for classification).
+ */
+export function classifyIPv6Subnet(subnet: string): IPClassification {
+  const slashIndex = subnet.lastIndexOf('/');
+  if (slashIndex === -1) return classifyIPv6(subnet);
+
+  const network = subnet.substring(0, slashIndex);
+  return classifyIPv6(network);
+}
+
+// ============================================================================
+// Filtering Functions
+// ============================================================================
+
+/**
+ * Check if a classification should be kept based on filter options.
+ */
+function shouldKeepClassification(
+  classification: IPClassification,
+  options: Required<IPFilterOptions>
+): boolean {
+  switch (classification) {
+    case 'public':
+      return options.keepPublic;
+    case 'private':
+      return options.keepPrivate;
+    case 'loopback':
+      return options.keepLoopback;
+    case 'link-local':
+      return options.keepLinkLocal;
+    case 'multicast':
+      return options.keepMulticast;
+    case 'reserved':
+      return options.keepReserved;
+    case 'unspecified':
+      return options.keepUnspecified;
+    case 'broadcast':
+      return options.keepBroadcast;
+    case 'documentation':
+      return options.keepDocumentation;
+    case 'cgnat':
+      return options.keepCgnat;
+    default:
+      return true;
+  }
+}
+
+/**
+ * Filter an array of IPv4 addresses based on classification.
+ */
+export function filterIPv4Addresses(
+  addresses: string[],
+  options: IPFilterOptions = {}
+): string[] {
+  const opts: Required<IPFilterOptions> = { ...DEFAULT_FILTER_OPTIONS, ...options };
+  return addresses.filter((ip) => {
+    const classification = classifyIPv4(ip);
+    return shouldKeepClassification(classification, opts);
+  });
+}
+
+/**
+ * Filter an array of IPv6 addresses based on classification.
+ */
+export function filterIPv6Addresses(
+  addresses: string[],
+  options: IPFilterOptions = {}
+): string[] {
+  const opts: Required<IPFilterOptions> = { ...DEFAULT_FILTER_OPTIONS, ...options };
+  return addresses.filter((ip) => {
+    const classification = classifyIPv6(ip);
+    return shouldKeepClassification(classification, opts);
+  });
+}
+
+/**
+ * Filter an array of IPv4 subnets based on classification.
+ */
+export function filterIPv4Subnets(
+  subnets: string[],
+  options: IPFilterOptions = {}
+): string[] {
+  const opts: Required<IPFilterOptions> = { ...DEFAULT_FILTER_OPTIONS, ...options };
+  return subnets.filter((subnet) => {
+    const classification = classifyIPv4Subnet(subnet);
+    return shouldKeepClassification(classification, opts);
+  });
+}
+
+/**
+ * Filter an array of IPv6 subnets based on classification.
+ */
+export function filterIPv6Subnets(
+  subnets: string[],
+  options: IPFilterOptions = {}
+): string[] {
+  const opts: Required<IPFilterOptions> = { ...DEFAULT_FILTER_OPTIONS, ...options };
+  return subnets.filter((subnet) => {
+    const classification = classifyIPv6Subnet(subnet);
+    return shouldKeepClassification(classification, opts);
+  });
+}
+
+/**
+ * Filter an entire IPSummary based on classification options.
+ * Returns a new IPSummary with filtered results and updated counts.
+ */
+export function filterIPSummary(
+  summary: IPSummary,
+  options: IPFilterOptions = {}
+): IPSummary {
+  const ipv4Addresses = filterIPv4Addresses(summary.ipv4Addresses, options);
+  const ipv6Addresses = filterIPv6Addresses(summary.ipv6Addresses, options);
+  const ipv4Subnets = filterIPv4Subnets(summary.ipv4Subnets, options);
+  const ipv6Subnets = filterIPv6Subnets(summary.ipv6Subnets, options);
+
+  const counts: IPCounts = {
+    ipv4: ipv4Addresses.length,
+    ipv6: ipv6Addresses.length,
+    ipv4Subnets: ipv4Subnets.length,
+    ipv6Subnets: ipv6Subnets.length,
+    total: ipv4Addresses.length + ipv6Addresses.length + ipv4Subnets.length + ipv6Subnets.length,
+  };
+
+  return {
+    ipv4Addresses,
+    ipv6Addresses,
+    ipv4Subnets,
+    ipv6Subnets,
+    counts,
+  };
+}

package/src/ip/index.ts

@@ -25,3 +25,19 @@ export type {
 } from './types';
 
 export { InputValidationError, DEFAULT_MAX_CONTENT_SIZE } from './types';
+
+// IP Classification and Filtering
+export {
+  classifyIPv4,
+  classifyIPv6,
+  classifyIPv4Subnet,
+  classifyIPv6Subnet,
+  filterIPv4Addresses,
+  filterIPv6Addresses,
+  filterIPv4Subnets,
+  filterIPv6Subnets,
+  filterIPSummary,
+  DEFAULT_FILTER_OPTIONS,
+} from './classifier';
+
+export type { IPClassification, IPFilterOptions } from './classifier';

package/src/json-rules/schema.json

@@ -1,6 +1,6 @@
 {
   "$schema": "http://json-schema.org/draft-07/schema#",
-  "$id": "https://sentriflow.io/schemas/json-rules/v1.0.json",
+  "$id": "https://sentriflow.com.au/schemas/json-rules/v1.0.json",
   "title": "SentriFlow JSON Rules",
   "description": "Schema for SentriFlow JSON rule files",
   "type": "object",

package/src/pack-loader/index.ts

@@ -14,7 +14,7 @@
  */
 
 export * from './types';
-export { loadEncryptedPack, validatePackFormat } from './PackLoader';
+export { loadEncryptedPack, validatePackFormat, compileNativeCheckFunction } from './PackLoader';
 
 // Pack format detection (shared with CLI and VS Code)
 export {

package/src/pack-provider/PackProvider.ts

@@ -39,7 +39,7 @@ export interface PackProviderLicenseStatus {
   isValid: boolean;
 
   /** License tier */
-  tier: 'community' | 'professional' | 'enterprise' | string;
+  tier: 'basic' | 'professional' | 'enterprise' | string;
 
   /** List of entitled feed/pack IDs */
   entitledFeeds: string[];