@sentriflow/core 0.3.2 → 0.4.1

package/README.md

@@ -1,10 +1,12 @@
 # @sentriflow/core
 
-Core engine for SentriFlow - a network configuration compliance validator.
+Core engine for SentriFlow - a network configuration validator.
 
 ## Overview
 
-`@sentriflow/core` provides the fundamental building blocks for parsing and analyzing network device configurations across multiple vendors, checking them against compliance rules—whether industry best practices or your organization's specific requirements.
+`@sentriflow/core` provides the fundamental building blocks for parsing and analyzing network device configurations across multiple vendors, validating them against policy rules—whether industry best practices or your organization's specific requirements.
+
+SentriFlow is a validation tool that assesses configuration alignment with policies and standards.
 
 ## Installation
 
@@ -18,7 +20,7 @@ bun add @sentriflow/core
 
 - **Multi-vendor support**: Cisco IOS/NX-OS, Juniper JunOS, Arista EOS, Fortinet FortiGate, Palo Alto PAN-OS, and more
 - **AST-based parsing**: Converts configurations into a vendor-agnostic Abstract Syntax Tree
-- **Extensible rule engine**: Define compliance rules for best practices or organization-specific policies
+- **Extensible rule engine**: Define validation rules for best practices or organization-specific policies
 - **IP/Subnet Extraction**: Extract and deduplicate IP addresses and CIDR subnets from configurations
 - **GRX2 Loader**: Load and decrypt extended encrypted rule packs for offline usage
 - **TypeScript native**: Full type safety with comprehensive type definitions
@@ -173,9 +175,13 @@ try {
 ## Related Packages
 
 - [`@sentriflow/cli`](https://github.com/sentriflow/sentriflow/tree/main/packages/cli) - Command-line interface
-- [`@sentriflow/rules-default`](https://github.com/sentriflow/sentriflow/tree/main/packages/rules-default) - Default compliance rules
+- [`@sentriflow/rules-default`](https://github.com/sentriflow/sentriflow/tree/main/packages/rules-default) - Default validation rules
 - [`@sentriflow/rule-helpers`](https://github.com/sentriflow/sentriflow/tree/main/packages/rule-helpers) - Helper functions for rule development
 
+## Disclaimer
+
+SentriFlow provides automated configuration validation. Validation results do not constitute compliance certification.
+
 ## License
 
 Apache-2.0

package/package.json

@@ -1,65 +1,65 @@
-{
-  "name": "@sentriflow/core",
-  "version": "0.3.2",
-  "description": "SentriFlow core engine for network configuration validation",
-  "license": "Apache-2.0",
-  "module": "src/index.ts",
-  "type": "module",
-  "exports": {
-    ".": "./src/index.ts",
-    "./grx2-loader": "./src/grx2-loader/index.ts",
-    "./helpers": "./src/helpers/index.ts",
-    "./helpers/common": "./src/helpers/common/index.ts",
-    "./helpers/arista": "./src/helpers/arista/index.ts",
-    "./helpers/aruba": "./src/helpers/aruba/index.ts",
-    "./helpers/cisco": "./src/helpers/cisco/index.ts",
-    "./helpers/cumulus": "./src/helpers/cumulus/index.ts",
-    "./helpers/extreme": "./src/helpers/extreme/index.ts",
-    "./helpers/fortinet": "./src/helpers/fortinet/index.ts",
-    "./helpers/huawei": "./src/helpers/huawei/index.ts",
-    "./helpers/juniper": "./src/helpers/juniper/index.ts",
-    "./helpers/mikrotik": "./src/helpers/mikrotik/index.ts",
-    "./helpers/nokia": "./src/helpers/nokia/index.ts",
-    "./helpers/paloalto": "./src/helpers/paloalto/index.ts",
-    "./helpers/vyos": "./src/helpers/vyos/index.ts"
-  },
-  "repository": {
-    "type": "git",
-    "url": "git+https://github.com/sentriflow/sentriflow.git",
-    "directory": "packages/core"
-  },
-  "homepage": "https://github.com/sentriflow/sentriflow#readme",
-  "bugs": {
-    "url": "https://github.com/sentriflow/sentriflow/issues"
-  },
-  "keywords": [
-    "network",
-    "configuration",
-    "validation",
-    "security",
-    "cisco",
-    "juniper",
-    "arista",
-    "firewall",
-    "linter",
-    "helpers"
-  ],
-  "files": [
-    "src",
-    "LICENSE",
-    "README.md"
-  ],
-  "publishConfig": {
-    "access": "public"
-  },
-  "dependencies": {
-    "node-machine-id": "^1.1.12"
-  },
-  "devDependencies": {
-    "bun-types": "latest",
-    "@types/node": "^20.0.0"
-  },
-  "peerDependencies": {
-    "typescript": "^5.0.0"
-  }
-}
+{
+  "name": "@sentriflow/core",
+  "version": "0.4.1",
+  "description": "SentriFlow core engine for network configuration validation",
+  "license": "Apache-2.0",
+  "module": "src/index.ts",
+  "type": "module",
+  "exports": {
+    ".": "./src/index.ts",
+    "./grx2-loader": "./src/grx2-loader/index.ts",
+    "./helpers": "./src/helpers/index.ts",
+    "./helpers/common": "./src/helpers/common/index.ts",
+    "./helpers/arista": "./src/helpers/arista/index.ts",
+    "./helpers/aruba": "./src/helpers/aruba/index.ts",
+    "./helpers/cisco": "./src/helpers/cisco/index.ts",
+    "./helpers/cumulus": "./src/helpers/cumulus/index.ts",
+    "./helpers/extreme": "./src/helpers/extreme/index.ts",
+    "./helpers/fortinet": "./src/helpers/fortinet/index.ts",
+    "./helpers/huawei": "./src/helpers/huawei/index.ts",
+    "./helpers/juniper": "./src/helpers/juniper/index.ts",
+    "./helpers/mikrotik": "./src/helpers/mikrotik/index.ts",
+    "./helpers/nokia": "./src/helpers/nokia/index.ts",
+    "./helpers/paloalto": "./src/helpers/paloalto/index.ts",
+    "./helpers/vyos": "./src/helpers/vyos/index.ts"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/sentriflow/sentriflow.git",
+    "directory": "packages/core"
+  },
+  "homepage": "https://github.com/sentriflow/sentriflow#readme",
+  "bugs": {
+    "url": "https://github.com/sentriflow/sentriflow/issues"
+  },
+  "keywords": [
+    "network",
+    "configuration",
+    "validation",
+    "security",
+    "cisco",
+    "juniper",
+    "arista",
+    "firewall",
+    "linter",
+    "helpers"
+  ],
+  "files": [
+    "src",
+    "LICENSE",
+    "README.md"
+  ],
+  "publishConfig": {
+    "access": "public"
+  },
+  "dependencies": {
+    "node-machine-id": "^1.1.12"
+  },
+  "devDependencies": {
+    "bun-types": "latest",
+    "@types/node": "^20.0.0"
+  },
+  "peerDependencies": {
+    "typescript": "^5.0.0"
+  }
+}

package/src/grx2-loader/GRX2ExtendedLoader.ts

@@ -358,9 +358,8 @@ export async function loadExtendedPack(
   machineId: string,
   debug?: (msg: string) => void
 ): Promise<RulePack> {
-  debug?.(`[GRX2Loader] Loading pack: ${filePath}`);
-  debug?.(`[GRX2Loader] License key length: ${licenseKey.length}, first 20 chars: ${licenseKey.substring(0, 20)}...`);
-  debug?.(`[GRX2Loader] Machine ID: "${machineId}" (length: ${machineId.length})`);
+  debug?.(`[GRX2Loader] Loading pack: ${filePath}`);
+  debug?.(`[GRX2Loader] Machine ID: "${machineId}" (length: ${machineId.length})`);
 
   // Read pack file
   const data = await readFile(filePath);

package/src/grx2-loader/index.ts

@@ -31,7 +31,9 @@ export {
   GRX2_KDF_PBKDF2,
   GRX2_KEY_TYPE_TMK,
   GRX2_KEY_TYPE_CTMK,
+  SENTRIFLOW_HOME,
   DEFAULT_PACKS_DIRECTORY,
+  DEFAULT_RULES_DIRECTORY,
   CACHE_DIRECTORY,
 } from './types';
 

package/src/grx2-loader/types.ts

@@ -25,7 +25,7 @@ export interface LicensePayload {
   sub: string;
 
   /** Customer tier */
-  tier: 'community' | 'professional' | 'enterprise';
+  tier: 'basic' | 'professional' | 'enterprise';
 
   /** Entitled feed IDs */
   feeds: string[];
@@ -274,8 +274,14 @@ export const GRX2_KEY_TYPE_TMK = 1;
 /** CTMK key type */
 export const GRX2_KEY_TYPE_CTMK = 2;
 
+/** Base SentriFlow home directory (platform-aware: ~/.sentriflow or %USERPROFILE%\.sentriflow) */
+export const SENTRIFLOW_HOME = join(homedir(), '.sentriflow');
+
 /** Default packs directory (platform-aware) */
-export const DEFAULT_PACKS_DIRECTORY = join(homedir(), '.sentriflow', 'packs');
+export const DEFAULT_PACKS_DIRECTORY = join(SENTRIFLOW_HOME, 'packs');
+
+/** Default custom rules directory (platform-aware) */
+export const DEFAULT_RULES_DIRECTORY = join(SENTRIFLOW_HOME, 'rules');
 
 /** Cache directory (for downloaded packs, platform-aware) */
-export const CACHE_DIRECTORY = join(homedir(), '.sentriflow', 'cache');
+export const CACHE_DIRECTORY = join(SENTRIFLOW_HOME, 'cache');

package/src/helpers/cisco/helpers.ts

@@ -10,6 +10,7 @@ import {
   includesIgnoreCase,
   startsWithIgnoreCase,
   parseInteger,
+  findParentSection,
 } from '../common/helpers';
 
 // Re-export common helpers for convenience
@@ -214,6 +215,24 @@ export const hasWeakUsernamePassword = (node: ConfigNode): boolean => {
   return false;
 };
 
+/**
+ * Check if password is under a line configuration section (vty, console, aux).
+ * Line passwords cannot be encrypted in Cisco IOS - they only support plaintext.
+ * Security for these should be enforced via AAA authentication instead.
+ *
+ * @param ast The full AST (array of ConfigNode)
+ * @param node The password node to check
+ * @returns true if the password is under a line vty/console/aux section
+ */
+export const isLineConfigPassword = (ast: ConfigNode[], node: ConfigNode): boolean => {
+  const parent = findParentSection(ast, node);
+  if (!parent) return false;
+  const parentId = parent.id.toLowerCase();
+  return parentId.startsWith('line vty') ||
+         parentId.startsWith('line console') ||
+         parentId.startsWith('line aux');
+};
+
 /**
  * Get SSH version from configuration
  */

package/src/helpers/cisco/index.ts

@@ -8,4 +8,5 @@ export {
   hasChildCommand,
   getChildCommand,
   getChildCommands,
+  findParentSection,
 } from '../common/helpers';

package/src/helpers/common/helpers.ts

@@ -202,6 +202,35 @@ export const isShutdown = (node: ConfigNode): boolean => {
   });
 };
 
+/**
+ * Find the parent section of a node in the AST.
+ * Traverses the AST to locate the parent section containing the target node.
+ * Useful for context-aware rules that need to check parent context.
+ *
+ * @param ast The full AST (array of ConfigNode)
+ * @param targetNode The node to find the parent for
+ * @returns The parent section node, or undefined if not found
+ */
+export const findParentSection = (
+  ast: ConfigNode[],
+  targetNode: ConfigNode
+): ConfigNode | undefined => {
+  for (const node of ast) {
+    if (node.type === 'section') {
+      // Check if target is a direct child (by line number match)
+      if (node.children.some(child =>
+        child.loc.startLine === targetNode.loc.startLine
+      )) {
+        return node;
+      }
+      // Recurse into children
+      const found = findParentSection(node.children, targetNode);
+      if (found) return found;
+    }
+  }
+  return undefined;
+};
+
 /**
  * Check if a node is an actual interface definition (not a reference or sub-command).
  * Interface definitions are top-level sections that define physical/logical interfaces.

package/src/pack-provider/PackProvider.ts

@@ -39,7 +39,7 @@ export interface PackProviderLicenseStatus {
   isValid: boolean;
 
   /** License tier */
-  tier: 'community' | 'professional' | 'enterprise' | string;
+  tier: 'basic' | 'professional' | 'enterprise' | string;
 
   /** List of entitled feed/pack IDs */
   entitledFeeds: string[];