semi implemented and features implemented save checkpoint

docs/features/unchecked/cli/advisory-database-status-and-connector-cli-commands.md

@@ -0,0 +1,36 @@
+# Advisory Database Status and Connector CLI Commands
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+CLI commands `stella db status` and `stella db connectors` for checking advisory database health, connector status, sync timestamps, and reason codes for connector failures.
+
+## Implementation Details
+- **Command Group**: `src/Cli/StellaOps.Cli/Commands/DbCommandGroup.cs` -- `DbCommandGroup` (static class)
+- **Commands**:
+  - `stella db status` -- checks database connectivity, schema version, migration status, connection pool (via `/api/v1/health/database`). Options: `--format text|json`, `--server <url>`, `--verbose`.
+  - `stella db connectors list` -- lists configured advisory connectors with category/status/last-sync/error-count/reason-code. Options: `--format table|json`, `--category <cat>`, `--status <status>`.
+  - `stella db connectors status` -- shows health status summary for all connectors.
+  - `stella db connectors test <connector>` -- tests connectivity for a specific connector (DNS, TLS, auth, API request). Options: `--format text|json`, `--timeout <duration>`.
+- **DTOs**: `DbStatusResponse`, `ConnectionPoolStatus`, `ConnectorInfo`, `ConnectorStatus`, `ConnectorTestResult`, `ConnectorTestStep` (all nested in `DbCommandGroup`).
+- **Supported connectors**: nvd, cve, ghsa, osv, alpine, debian, ubuntu, redhat, suse, kev, epss, msrc, cisco, oracle.
+- **Exit codes**: 0 = healthy/passed, 1 = error/failed.
+- **Sprint**: SPRINT_20260117_008_CLI (tasks ASC-002 through ASC-005).
+
+## E2E Test Plan
+- [ ] Run `stella db status` and verify output shows Connection, Database Type, Version, Latency, Schema, Migration status
+- [ ] Run `stella db status --format json` and verify valid JSON with `connected`, `databaseType`, `schemaVersion`, `migrationStatus` fields
+- [ ] Run `stella db status --verbose` and verify Connection Pool section appears (Active, Idle, Total)
+- [ ] Run `stella db connectors list` and verify table with all 14 connectors showing Name, Category, Status, Last Sync, Errors, Reason Code
+- [ ] Run `stella db connectors list --category distro` and verify only distro connectors shown (alpine, debian, ubuntu, redhat, suse)
+- [ ] Run `stella db connectors list --status failed` and verify only failed connectors shown
+- [ ] Run `stella db connectors list --format json` and verify valid JSON array output
+- [ ] Run `stella db connectors status` and verify health summary table with healthy/degraded/failed counts
+- [ ] Run `stella db connectors test nvd` and verify test steps (DNS Resolution, TLS Handshake, Authentication, API Request) with pass/fail and latency
+- [ ] Run `stella db connectors test nvd --format json` and verify JSON output with `passed`, `latencyMs`, `tests` array
+- [ ] Run `stella db connectors test nvd --timeout 00:00:01` and verify timeout handling with reason code CON_TIMEOUT_001
+- [ ] Verify exit code is 1 when database is disconnected or connector test fails

docs/features/unchecked/cli/advisory-source-management-cli.md

@@ -0,0 +1,34 @@
+# Advisory Source Management CLI (stella sources list/check/enable/disable/status)
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+Manage advisory data sources: list by category (primary/distro/ecosystem/scoring), check connectivity, enable/disable sources, and view detailed source status.
+
+## Implementation Details
+- **Command Group**: `src/Cli/StellaOps.Cli/Commands/Sources/` -- advisory source management commands
+- **Command Handlers**: `src/Cli/StellaOps.Cli/Commands/CommandHandlers.cs` -- partial class with source-related handlers
+- **Config consolidation**: Sources commands are consolidated under `stella config sources` via route mapping in `src/Cli/StellaOps.Cli/cli-routes.json` (old: `sources list` -> new: `config sources list`)
+- **Commands**:
+  - `stella config sources list` -- list advisory sources filtered by category (primary, distro, ecosystem, scoring)
+  - `stella config sources check` -- verify connectivity to configured advisory sources
+  - `stella config sources enable <source>` -- enable a specific advisory source
+  - `stella config sources disable <source>` -- disable a specific advisory source
+  - `stella config sources status` -- show detailed status for all configured sources
+- **Config Group**: `src/Cli/StellaOps.Cli/Commands/ConfigCommandGroup.cs` -- `ConfigCommandGroup` hosts the sources subcommand
+- **Config Catalog**: `src/Cli/StellaOps.Cli/Commands/ConfigCatalog.cs` -- catalog of configuration items including sources
+
+## E2E Test Plan
+- [ ] Run `stella config sources list` and verify sources listed with name, category, enabled status
+- [ ] Run `stella config sources list --category distro` and verify only distro sources shown
+- [ ] Run `stella config sources check` and verify connectivity status for each source
+- [ ] Run `stella config sources enable nvd` and verify source is enabled
+- [ ] Run `stella config sources disable nvd` and verify source is disabled
+- [ ] Run `stella config sources status` and verify detailed status including last sync, error counts
+- [ ] Verify deprecated alias `stella sources list` still works and shows deprecation warning
+- [ ] Run with `--format json` and verify valid JSON output
+- [ ] Verify exit code is non-zero when connectivity check fails

docs/features/unchecked/cli/advisoryai-chat-cli.md

@@ -0,0 +1,31 @@
+# AdvisoryAI Chat CLI (stella advise ask)
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+Interactive AI chat queries from the terminal scoped to specific container images, digests, or environments for security advisory assistance.
+
+## Implementation Details
+- **Command Group**: `src/Cli/StellaOps.Cli/Commands/Advise/AdviseChatCommandGroup.cs` -- `AdviseChatCommandGroup` (internal static class)
+- **Chat Renderer**: `src/Cli/StellaOps.Cli/Commands/Advise/ChatRenderer.cs` -- terminal rendering for chat responses
+- **Chat Service**: `src/Cli/StellaOps.Cli/Services/Chat/` -- backend chat client and models
+- **Chat Models**: `src/Cli/StellaOps.Cli/Services/Models/Chat/` -- request/response DTOs
+- **Commands**:
+  - `stella advise ask <query>` -- ask the advisory AI assistant a question. Options: `--image|-i <ref>` (scope to container image), `--digest|-d <digest>` (scope to artifact digest), `--environment|-e <env>` (scope to environment)
+  - `stella advise chat-doctor` -- diagnose advisory AI connectivity and configuration
+  - `stella advise chat-settings` -- view/update chat configuration
+- **Configuration**: `src/Cli/StellaOps.Cli/Configuration/StellaOpsCliOptions.cs` -- CLI options including advisory AI endpoint settings
+
+## E2E Test Plan
+- [ ] Run `stella advise ask "What CVEs affect this image?"` and verify a response is returned
+- [ ] Run `stella advise ask "Is CVE-2024-1234 reachable?" --image myregistry/app:v1.0` and verify image-scoped response
+- [ ] Run `stella advise ask "Show risk summary" --digest sha256:abc123` and verify digest-scoped response
+- [ ] Run `stella advise ask "What's the risk?" --environment production` and verify environment-scoped response
+- [ ] Run `stella advise chat-doctor` and verify connectivity/configuration diagnostics
+- [ ] Run `stella advise chat-settings` and verify settings are displayed
+- [ ] Verify error handling when advisory AI service is unavailable
+- [ ] Verify `--verbose` flag shows additional request/response details

docs/features/unchecked/cli/ai-code-guard-cli.md

@@ -0,0 +1,30 @@
+# AI Code Guard CLI (stella guard run/status)
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+CLI commands for analyzing AI-generated code for security issues including secrets scanning, attribution checking, and license hygiene. Provides `stella guard run` to analyze directories/files and `stella guard status` to check guard configuration.
+
+## Implementation Details
+- **Command Group**: `src/Cli/StellaOps.Cli/Commands/GuardCommandGroup.cs` -- `GuardCommandGroup` (public static class)
+- **Sprint**: SPRINT_20260112_010_CLI_ai_code_guard_command (tasks CLI-AIGUARD-001/002)
+- **Policy DSL extensions**: `src/Policy/StellaOps.PolicyDsl/AiCodeGuardSignalContextExtensions.cs` -- signal context for AI code guard in policy DSL
+- **Commands**:
+  - `stella guard run <path>` -- analyze a directory or file for AI-generated code issues (secrets, attribution, license). Options: `--format text|json`, `--verbose`
+  - `stella guard status` -- check guard configuration and enabled analyzers
+- **Output**: Uses Spectre.Console for rich terminal rendering
+- **Tests**: `src/Cli/__Tests/StellaOps.Cli.Tests/GuardCommandTests.cs`
+
+## E2E Test Plan
+- [ ] Run `stella guard run ./src` and verify analysis output showing detected issues (secrets, attribution, license)
+- [ ] Run `stella guard run ./src --format json` and verify valid JSON output with findings array
+- [ ] Run `stella guard run ./src --verbose` and verify detailed analyzer output
+- [ ] Run `stella guard status` and verify guard configuration including enabled analyzers
+- [ ] Run `stella guard run` on a clean directory and verify no findings reported with exit code 0
+- [ ] Run `stella guard run` on a directory with known secrets and verify detection with exit code 1
+- [ ] Verify error handling for non-existent paths
+- [ ] Verify AI-generated code attribution checks identify code without proper attribution

docs/features/unchecked/cli/audit-bundle-generation-and-verification-cli.md

@@ -0,0 +1,33 @@
+# Audit Bundle Generation and Verification CLI
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+CLI command `stella audit bundle <digest>` that generates self-contained, auditor-ready evidence packages containing verdict, evidence, policy snapshot, and replay instructions in directory/tar.gz/zip formats, plus `stella audit verify` for bundle integrity verification with manifest hash checking and optional DSSE signature verification.
+
+## Implementation Details
+- **Command Group**: `src/Cli/StellaOps.Cli/Commands/AuditCommandGroup.cs` -- `AuditCommandGroup` (internal static class)
+- **Audit Verify**: `src/Cli/StellaOps.Cli/Commands/AuditVerifyCommand.cs` -- standalone audit verify command
+- **Command Handlers**: `src/Cli/StellaOps.Cli/Commands/CommandHandlers.Audit.cs` -- `CommandHandlers` partial class with audit handlers
+- **Bundle Service**: `src/Cli/StellaOps.Cli/Audit/AuditBundleService.cs` / `IAuditBundleService.cs` -- bundle generation and verification logic
+- **Bundle Verifier**: `src/Cli/StellaOps.Cli/Services/AttestationBundleVerifier.cs` / `IAttestationBundleVerifier.cs`
+- **Sprint**: SPRINT_20260117_027_CLI
+- **Commands**:
+  - `stella audit bundle <digest>` -- generate audit bundle for an artifact digest. Options: `--output <path>`, `--format dir|tar.gz|zip`
+  - `stella audit verify <bundle-path>` -- verify bundle integrity (manifest hash, DSSE signature)
+- **Tests**: `src/Cli/__Tests/StellaOps.Cli.Tests/Commands/VerifyBundleCommandTests.cs`
+
+## E2E Test Plan
+- [ ] Run `stella audit bundle sha256:abc123 --output ./audit-bundle` and verify directory created with verdict, evidence, policy snapshot, replay instructions
+- [ ] Run `stella audit bundle sha256:abc123 --format tar.gz` and verify tar.gz archive created
+- [ ] Run `stella audit bundle sha256:abc123 --format zip` and verify zip archive created
+- [ ] Run `stella audit verify ./audit-bundle` and verify manifest hash checking passes for valid bundle
+- [ ] Run `stella audit verify ./audit-bundle` with tampered content and verify integrity failure detected
+- [ ] Verify DSSE signature verification when `--verify-signature` flag is used
+- [ ] Verify bundle contains replay instructions that can reproduce the verdict
+- [ ] Verify exit code 0 for valid bundle verification, non-zero for failures
+- [ ] Verify error handling for non-existent digests or bundle paths

docs/features/unchecked/cli/auth-revocation-bundle-export-verify-cli.md

@@ -0,0 +1,28 @@
+# Auth Revocation Bundle Export/Verify CLI (stella auth revoke export/verify)
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+Export revocation bundles with JWS signatures to disk and verify bundles against detached JWS signatures using PEM public keys for offline revocation verification.
+
+## Implementation Details
+- **Command Group**: `src/Cli/StellaOps.Cli/Commands/AuthCommandGroup.cs` -- `AuthCommandGroup` (public static class), Sprint SPRINT_20260117_016_CLI_auth_access (tasks AAC-001 through AAC-005)
+- **Revocation Client**: `src/Cli/StellaOps.Cli/Services/AuthorityRevocationClient.cs` / `IAuthorityRevocationClient.cs` -- handles revocation bundle export and verification
+- **Authority Client**: `src/Cli/StellaOps.Cli/Services/AuthorityConsoleClient.cs` / `IAuthorityConsoleClient.cs` -- authority API operations
+- **Commands**:
+  - `stella auth revoke export --output <path>` -- export revocation bundle with JWS signature to disk
+  - `stella auth revoke verify --bundle <path> --key <pem-path>` -- verify revocation bundle against JWS signature using PEM public key
+- **Subcommands under `stella auth`**: clients, roles, scopes, token, api-keys (all part of AuthCommandGroup)
+
+## E2E Test Plan
+- [ ] Run `stella auth revoke export --output ./revocation-bundle.json` and verify bundle file created with JWS signature
+- [ ] Run `stella auth revoke verify --bundle ./revocation-bundle.json --key ./public.pem` and verify signature validation passes
+- [ ] Verify bundle verification fails with wrong public key
+- [ ] Verify bundle verification fails with tampered bundle content
+- [ ] Verify offline verification works without network connectivity
+- [ ] Run with `--format json` and verify structured output
+- [ ] Verify exit code 0 for valid verification, non-zero for failures

docs/features/unchecked/cli/backward-compatible-command-aliases.md

@@ -0,0 +1,35 @@
+# Backward-Compatible Command Aliases
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+Old command paths preserved as aliases with deprecation warnings, allowing smooth migration without breaking existing CI pipelines.
+
+## Implementation Details
+- **Route Mapping**: `src/Cli/StellaOps.Cli/cli-routes.json` -- JSON-driven route mapping with 60+ deprecated-to-new mappings. Each mapping defines `old` path, `new` path, `type: "deprecated"`, `removeIn` version, and `reason`.
+- **Command Router**: `src/Cli/StellaOps.Cli/Infrastructure/` -- route-based command router that intercepts old paths and redirects to new commands
+- **Deprecation System**: `src/Cli/StellaOps.Cli/Commands/CommandFactory.cs` -- command factory that registers aliases alongside primary commands
+- **Key consolidation mappings**:
+  - `notify *` -> `config notify *` (settings consolidation)
+  - `admin feeds *` -> `config feeds *` (feed configuration)
+  - `feeds list` -> `config feeds list` (feed configuration)
+  - `integrations *` -> `config integrations *` (integration configuration)
+  - `registry list` -> `config registry list` (registry configuration)
+  - `sources list` -> `config sources list` (source configuration)
+  - `signals list` -> `config signals list` (signal configuration)
+  - `attest verify` -> `verify attestation` (verification consolidation)
+- **Tests**: `src/Cli/__Tests/StellaOps.Cli.Tests/Integration/DeprecationWarningTests.cs`, `src/Cli/__Tests/StellaOps.Cli.Tests/Infrastructure/CommandRouterTests.cs`
+
+## E2E Test Plan
+- [ ] Run deprecated `stella notify channels list` and verify it works but shows deprecation warning pointing to `stella config notify channels list`
+- [ ] Run deprecated `stella feeds list` and verify deprecation warning pointing to `stella config feeds list`
+- [ ] Run deprecated `stella attest verify` and verify deprecation warning pointing to `stella verify attestation`
+- [ ] Verify the deprecation warning includes the `removeIn` version (e.g., "will be removed in 3.0")
+- [ ] Verify the new command path works without deprecation warnings
+- [ ] Run deprecated command with `--format json` and verify output still works correctly with warning on stderr
+- [ ] Verify CI pipelines using old commands still exit with correct exit codes
+- [ ] Verify all 60+ route mappings in cli-routes.json have corresponding working aliases

docs/features/unchecked/cli/ci-template-generator-cli-command.md

@@ -0,0 +1,31 @@
+# CI Template Generator CLI Command (stella ci init)
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+CLI command `stella ci init` generating ready-to-run CI pipeline templates for GitHub Actions, GitLab CI, and Gitea. Supports gate/scan/verify/full template types, offline-friendly bundles with pinned scanner image digests, and template validation via `stella ci validate`.
+
+## Implementation Details
+- **Command Group**: `src/Cli/StellaOps.Cli/Commands/CiCommandGroup.cs` -- `CiCommandGroup` (public static class)
+- **CI Templates**: `src/Cli/StellaOps.Cli/Commands/CiTemplates.cs` -- template definitions and generation logic
+- **Sprint**: SPRINT_20251229_015_CLI_ci_template_generator
+- **Commands**:
+  - `stella ci init` -- generate CI pipeline templates. Options: `--provider github|gitlab|gitea`, `--type gate|scan|verify|full`, `--output <path>`
+  - `stella ci validate` -- validate generated CI templates for correctness
+- **Template types**: gate (policy gate only), scan (scan + gate), verify (full verification), full (complete pipeline)
+- **Offline support**: Templates include pinned scanner image digests for air-gapped environments
+
+## E2E Test Plan
+- [ ] Run `stella ci init --provider github --type full --output .github/workflows/` and verify GitHub Actions workflow file created
+- [ ] Run `stella ci init --provider gitlab --type scan` and verify .gitlab-ci.yml created with scan stage
+- [ ] Run `stella ci init --provider gitea --type gate` and verify Gitea workflow created with gate stage
+- [ ] Run `stella ci init --type verify` and verify verification pipeline template generated
+- [ ] Run `stella ci validate .github/workflows/stella.yml` and verify template validation passes
+- [ ] Verify generated templates contain pinned scanner image digests (sha256 references)
+- [ ] Verify templates are functional when run in their respective CI environments
+- [ ] Verify offline-friendly bundle mode generates self-contained templates
+- [ ] Run with invalid `--provider` and verify helpful error message

docs/features/unchecked/cli/cli-and-automation-ux.md

@@ -0,0 +1,37 @@
+# CLI and Automation UX
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+Full CLI with command groups for replay, verdict, air-gap, prove, audit, and feeds operations.
+
+## Implementation Details
+- **Entry Point**: `src/Cli/StellaOps.Cli/Program.cs` -- CLI application bootstrap
+- **Application**: `src/Cli/StellaOps.Cli/CliApplication.cs` -- command tree assembly and DI configuration
+- **Command Factory**: `src/Cli/StellaOps.Cli/Commands/CommandFactory.cs` -- factory for building the full command hierarchy
+- **Key Command Groups** (all under `src/Cli/StellaOps.Cli/Commands/`):
+  - `ReplayCommandGroup.cs` -- `stella replay` for deterministic verdict replay
+  - `VerdictCommandGroup.cs` -- `stella verdict` for verdict inspection and verification
+  - `AirGapCommandGroup.cs` -- `stella airgap` for offline/air-gapped operations
+  - `ProveCommandGroup.cs` -- `stella prove` for proof generation and verification
+  - `AuditCommandGroup.cs` -- `stella audit` for audit bundle generation
+  - `FeedsCommandGroup.cs` -- `stella feeds` for advisory feed management (consolidated under `stella config feeds`)
+- **Output**: `src/Cli/StellaOps.Cli/Output/` -- output renderer extensions for consistent formatting
+- **Configuration**: `src/Cli/StellaOps.Cli/Configuration/` -- CLI configuration and bootstrapping
+- **~18 top-level command groups**: scan, release, verify, attest, evidence, policy, vex, reachability, sbom, crypto, config, auth, admin, ci, setup, explain, tools, doctor
+
+## E2E Test Plan
+- [ ] Run `stella --help` and verify top-level command groups are listed with descriptions
+- [ ] Run `stella replay run <digest>` and verify replay execution with deterministic output
+- [ ] Run `stella verdict show <digest>` and verify verdict details displayed
+- [ ] Run `stella airgap export` and verify offline bundle creation
+- [ ] Run `stella prove generate <digest>` and verify proof generation
+- [ ] Run `stella audit bundle <digest>` and verify audit package creation
+- [ ] Run `stella config feeds list` and verify feed listing
+- [ ] Verify `--format json` works across all command groups for automation
+- [ ] Verify `--verbose` flag provides additional output across all commands
+- [ ] Verify exit codes follow convention: 0=success, 1=error, 2=block

docs/features/unchecked/cli/cli-and-web-ui-for-proof-inspection.md

@@ -0,0 +1,32 @@
+# CLI and Web UI for Proof Inspection
+
+## Status
+IMPLEMENTED
+
+## Description
+CLI commands for proof chain verification and web UI proof visualization components.
+
+## Implementation Details
+- **CLI**: `src/Cli/StellaOps.Cli/Commands/Proof/ProofCommandGroup.cs` implements `proof verify` (bundle verification with offline mode, JSON/text output) and `proof spine show` (spine display, partially implemented)
+- **CLI Tests**: `src/Cli/__Tests/StellaOps.Cli.Tests/Commands/ProofCommandTests.cs`
+- **Web UI proof-chain page**: `src/Web/StellaOps.Web/src/app/features/proof-chain/proof-chain.component.html`
+- **Web UI proof-studio**: `src/Web/StellaOps.Web/src/app/features/proof-studio/` (confidence factor chips, container component)
+- **Proof spine component**: `src/Web/StellaOps.Web/src/app/shared/components/proof-spine/proof-spine.component.spec.ts`
+- **Proof tree component**: `src/Web/StellaOps.Web/src/app/shared/components/proof-tree.component.spec.ts`
+- **DSSE envelope viewer**: `src/Web/StellaOps.Web/src/app/shared/components/dsse-envelope-viewer.component.spec.ts`
+- **Quick verify drawer**: `src/Web/StellaOps.Web/src/app/shared/components/quick-verify-drawer/quick-verify-drawer.component.ts`
+- **Backend libraries**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/` (proof generation, verification pipelines, DSSE signing, Rekor integration, Merkle trees)
+
+## E2E Test Plan
+- Verify `stella proof verify --bundle <path>` works with valid and invalid bundles
+- Test offline mode (`--offline`) skips Rekor verification
+- Test JSON output format (`--output json`)
+- Verify proof chain page renders in Web UI
+- Validate proof spine and proof tree components display correctly
+
+## Source
+- Feature matrix scan
+
+## Notes
+- Module: Cli
+- Modules referenced: `src/Cli/StellaOps.Cli/Commands/Proof/`, `src/Web/StellaOps.Web/src/app/features/proof-chain/`, `src/Web/StellaOps.Web/src/app/features/proof-studio/`

docs/features/unchecked/cli/cli-api-spec-download-command.md

@@ -0,0 +1,25 @@
+# CLI API Spec Download Command
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+`stella api spec download` command for retrieving the aggregate OpenAPI specification with checksum/ETag verification, enabling offline API reference consumption.
+
+## Implementation Details
+- **Command Handlers**: `src/Cli/StellaOps.Cli/Commands/CommandHandlers.cs` -- partial class containing API spec download handler
+- **Command Registration**: `src/Cli/StellaOps.Cli/Commands/CommandFactory.cs` -- registers `api spec download` in command tree
+- **Sprint**: SPRINT_0204_0001_0004_cli_iv
+- **Commands**:
+  - `stella api spec download` -- download the aggregate OpenAPI spec. Options: `--output <path>`, `--format json|yaml`, `--verify` (checksum/ETag verification)
+
+## E2E Test Plan
+- [ ] Run `stella api spec download --output ./openapi.json` and verify OpenAPI spec file created
+- [ ] Run `stella api spec download --format yaml` and verify YAML format output
+- [ ] Run `stella api spec download --verify` and verify checksum/ETag verification passes
+- [ ] Run command again and verify ETag caching skips re-download when spec unchanged
+- [ ] Verify downloaded spec is valid OpenAPI 3.x format
+- [ ] Verify error handling when API server is unreachable

docs/features/unchecked/cli/cli-command-router-infrastructure.md

@@ -0,0 +1,30 @@
+# CLI Command Router Infrastructure
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+Foundation infrastructure for CLI command consolidation including a route-based command router, JSON-driven route mapping (60+ mappings), command group builder for hierarchical command trees, and deprecation warning system.
+
+## Implementation Details
+- **Infrastructure**: `src/Cli/StellaOps.Cli/Infrastructure/` -- command router, route resolver, deprecation middleware
+- **Route Mapping**: `src/Cli/StellaOps.Cli/cli-routes.json` -- JSON file with 60+ route mappings defining old->new command paths, deprecation versions, and reasons
+- **Command Factory**: `src/Cli/StellaOps.Cli/Commands/CommandFactory.cs` -- hierarchical command tree builder using route mappings
+- **Sprint**: SPRINT_20260118_010_CLI_consolidation_foundation
+- **Architecture**:
+  - Route-based command router intercepts old command paths and redirects to new consolidated paths
+  - Each mapping has `old` path, `new` path, `type` (deprecated), `removeIn` version, and `reason`
+  - Supports settings consolidation (Sprint 011), verification consolidation (Sprint 012), and scanning consolidation (Sprint 013)
+- **Tests**: `src/Cli/__Tests/StellaOps.Cli.Tests/Infrastructure/CommandRouterTests.cs`
+
+## E2E Test Plan
+- [ ] Verify all 60+ route mappings correctly redirect old commands to new paths
+- [ ] Verify deprecation warnings are emitted on stderr for deprecated command paths
+- [ ] Verify new command paths work without deprecation warnings
+- [ ] Verify command tree hierarchy is properly built from route mappings
+- [ ] Verify `--help` on deprecated commands shows migration guidance
+- [ ] Verify route resolver handles unknown commands gracefully with error message
+- [ ] Verify route mapping JSON is valid and parseable at startup

docs/features/unchecked/cli/cli-commands-for-ground-truth-and-golden-set-management.md

@@ -0,0 +1,32 @@
+# CLI Commands for Ground-Truth and Golden Set Management
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+CLI command groups for ground-truth management (`stella groundtruth`) and golden set operations including fix verification commands.
+
+## Implementation Details
+- **Ground Truth Command Group**: `src/Cli/StellaOps.Cli/Commands/GroundTruthCommandGroup.cs` -- `GroundTruthCommandGroup` for `stella groundtruth` commands
+- **Ground Truth Validation**: `src/Cli/Commands/GroundTruth/GroundTruthValidateCommands.cs` -- validation commands for ground-truth datasets
+- **Golden Set Command Group**: `src/Cli/StellaOps.Cli/Commands/GoldenSet/GoldenSetCommandGroup.cs` -- golden set operations
+- **Fix Verification**: `src/Cli/StellaOps.Cli/Commands/GoldenSet/VerifyFixCommandGroup.cs` -- verify fix commands for golden set
+- **Commands**:
+  - `stella groundtruth list` -- list ground-truth datasets
+  - `stella groundtruth validate` -- validate ground-truth data integrity
+  - `stella groundtruth import` -- import ground-truth datasets
+  - `stella golden list` -- list golden sets
+  - `stella golden verify-fix` -- verify fixes against golden set expectations
+- **Tests**: `src/Cli/__Tests/StellaOps.Cli.Tests/GoldenOutput/` -- golden output test suite
+
+## E2E Test Plan
+- [ ] Run `stella groundtruth list` and verify ground-truth datasets displayed
+- [ ] Run `stella groundtruth validate` and verify data integrity validation
+- [ ] Run `stella groundtruth import <path>` and verify dataset imported
+- [ ] Run `stella golden list` and verify golden sets listed
+- [ ] Run `stella golden verify-fix <digest>` and verify fix verification against golden set
+- [ ] Verify golden output tests pass deterministically
+- [ ] Verify error handling for invalid ground-truth data

docs/features/unchecked/cli/cli-config-command-hub.md

@@ -0,0 +1,40 @@
+# CLI Config Command Hub (list/show/set/export/import)
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+Extended `stella config` command with list/show/set/export/import subcommands, consolidating notify/feeds/integrations/registry/sources/signals under the config umbrella.
+
+## Implementation Details
+- **Command Group**: `src/Cli/StellaOps.Cli/Commands/ConfigCommandGroup.cs` -- `ConfigCommandGroup` (internal static class)
+- **Config Catalog**: `src/Cli/StellaOps.Cli/Commands/ConfigCatalog.cs` -- catalog of all configuration items
+- **Command Handlers**: `src/Cli/StellaOps.Cli/Commands/CommandHandlers.Config.cs` -- `CommandHandlers` partial with config handlers
+- **Sprint**: SPRINT_20260118_011_CLI_settings_consolidation
+- **Commands**:
+  - `stella config list` -- list all configuration categories
+  - `stella config show <key>` -- show a specific configuration value
+  - `stella config set <key> <value>` -- set a configuration value
+  - `stella config export --output <path>` -- export configuration to file
+  - `stella config import --file <path>` -- import configuration from file
+  - `stella config notify *` -- notification configuration (channels, templates)
+  - `stella config feeds *` -- advisory feed configuration
+  - `stella config integrations *` -- integration configuration
+  - `stella config registry *` -- container registry configuration
+  - `stella config sources *` -- advisory source configuration
+  - `stella config signals *` -- signal configuration
+- **Tests**: `src/Cli/__Tests/StellaOps.Cli.Tests/Integration/SettingsConsolidationTests.cs`
+
+## E2E Test Plan
+- [ ] Run `stella config list` and verify all configuration categories shown (notify, feeds, integrations, registry, sources, signals)
+- [ ] Run `stella config show <key>` and verify specific config value displayed
+- [ ] Run `stella config set <key> <value>` and verify value persisted
+- [ ] Run `stella config export --output ./config.yaml` and verify configuration exported
+- [ ] Run `stella config import --file ./config.yaml` and verify configuration imported
+- [ ] Run `stella config notify channels list` and verify notification channels listed
+- [ ] Run `stella config feeds list` and verify feed configuration listed
+- [ ] Run `stella config integrations list` and verify integrations listed
+- [ ] Verify old paths (e.g., `stella notify`) still work with deprecation warnings

docs/features/unchecked/cli/cli-deprecation-warning-system.md

@@ -0,0 +1,26 @@
+# CLI Deprecation Warning System
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+Deprecation warnings displayed when users invoke old command paths, guiding them to the new consolidated equivalents.
+
+## Implementation Details
+- **Route Mapping**: `src/Cli/StellaOps.Cli/cli-routes.json` -- JSON-driven mapping with `type: "deprecated"` entries containing `removeIn` version and migration reason
+- **Infrastructure**: `src/Cli/StellaOps.Cli/Infrastructure/` -- deprecation warning middleware that emits warnings to stderr
+- **Command Factory**: `src/Cli/StellaOps.Cli/Commands/CommandFactory.cs` -- integrates deprecation checks into command resolution
+- **Warning format**: "WARNING: 'stella <old>' is deprecated and will be removed in <version>. Use 'stella <new>' instead. Reason: <reason>"
+- **Tests**: `src/Cli/__Tests/StellaOps.Cli.Tests/Integration/DeprecationWarningTests.cs`
+
+## E2E Test Plan
+- [ ] Run a deprecated command (e.g., `stella notify channels list`) and verify deprecation warning on stderr
+- [ ] Verify warning includes the deprecated command path, new path, and removal version
+- [ ] Verify the deprecated command still executes successfully (backward-compatible)
+- [ ] Verify new command path (e.g., `stella config notify channels list`) shows no warning
+- [ ] Verify warnings go to stderr (not stdout) so they don't break JSON output parsing
+- [ ] Verify `--quiet` or `--no-warnings` suppresses deprecation warnings
+- [ ] Verify all route mappings with `type: "deprecated"` emit warnings

docs/features/unchecked/cli/cli-determinism-score-report-generator.md

@@ -0,0 +1,28 @@
+# CLI Determinism Score Report Generator
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+`stella detscore report` command that aggregates determinism.json results into table, markdown, CSV, and JSON formats for CI/CD determinism compliance reporting.
+
+## Implementation Details
+- **Command Group**: `src/Cli/StellaOps.Cli/Commands/ScoreCommandGroup.cs` -- score command group including `detscore`
+- **Determinism Harness**: `src/Cli/StellaOps.Cli/Services/DeterminismHarness.cs` / `IDeterminismHarness.cs` -- determinism evaluation service
+- **Sprint**: SPRINT_0203_0001_0003_cli_iii
+- **Commands**:
+  - `stella detscore report` -- aggregate determinism.json results into a report. Options: `--format table|markdown|csv|json`, `--input <path>`, `--output <path>`
+- **Output formats**: table (human-readable), markdown (for PR comments), CSV (spreadsheet import), JSON (automation)
+- **Tests**: `src/Cli/__Tests/StellaOps.Cli.Tests/Determinism/CliDeterminismTests.cs`
+
+## E2E Test Plan
+- [ ] Run `stella detscore report --input ./determinism.json` and verify table format output with pass/fail status
+- [ ] Run `stella detscore report --format markdown` and verify markdown report suitable for PR comments
+- [ ] Run `stella detscore report --format csv --output ./report.csv` and verify CSV file created
+- [ ] Run `stella detscore report --format json` and verify JSON output with structured results
+- [ ] Verify report aggregates multiple determinism.json files when directory provided
+- [ ] Verify exit code 0 when all determinism checks pass, non-zero when failures detected
+- [ ] Verify report includes component-level determinism scores

docs/features/unchecked/cli/cli-export-profile-and-run-management.md

@@ -0,0 +1,33 @@
+# CLI Export Profile and Run Management
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+CLI commands for managing export profiles, triggering export runs, downloading artifacts with hash verification, and scheduling evidence/attestation exports with selectors and callbacks.
+
+## Implementation Details
+- **Command Group**: `src/Cli/StellaOps.Cli/Commands/ExportCommandGroup.cs` -- `ExportCommandGroup` for `stella export` commands
+- **Export Configuration**: `src/Cli/StellaOps.Cli/Export/` -- export profile configuration and management
+- **Command Handlers**: `src/Cli/StellaOps.Cli/Commands/CommandHandlers.ExportCache.cs` -- export cache handlers
+- **Sprint**: SPRINT_0202_0001_0001_cli_ii
+- **Commands**:
+  - `stella export profile list` -- list configured export profiles
+  - `stella export profile create` -- create a new export profile with selectors
+  - `stella export run <profile>` -- trigger an export run
+  - `stella export download <run-id>` -- download exported artifacts with hash verification
+  - `stella export schedule <profile>` -- schedule recurring exports
+- **Services**: `src/Cli/StellaOps.Cli/Services/PackClient.cs` / `IPackClient.cs` -- evidence pack management
+
+## E2E Test Plan
+- [ ] Run `stella export profile list` and verify export profiles displayed
+- [ ] Run `stella export profile create --name "nightly" --selector "env:production"` and verify profile created
+- [ ] Run `stella export run nightly` and verify export run triggered with progress output
+- [ ] Run `stella export download <run-id> --output ./export/` and verify artifacts downloaded with hash verification
+- [ ] Run `stella export schedule nightly --cron "0 2 * * *"` and verify schedule configured
+- [ ] Verify hash verification fails when artifact is tampered
+- [ ] Verify callback URL is invoked on export completion when configured
+- [ ] Verify `--format json` provides structured output for automation

docs/features/unchecked/cli/cli-forensic-snapshot-commands.md

@@ -0,0 +1,31 @@
+# CLI Forensic Snapshot Commands
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+CLI commands for creating, listing, and showing forensic snapshots with DSSE verification and timeline validation, enabling incident response workflows from the command line.
+
+## Implementation Details
+- **Command Handlers**: `src/Cli/StellaOps.Cli/Commands/CommandHandlers.cs` -- partial class with forensic snapshot handlers
+- **Forensic Services**: `src/Cli/StellaOps.Cli/Services/ForensicSnapshotClient.cs` / `IForensicSnapshotClient.cs` -- API client for forensic snapshot operations
+- **Forensic Verifier**: `src/Cli/StellaOps.Cli/Services/ForensicVerifier.cs` / `IForensicVerifier.cs` -- DSSE verification for forensic snapshots
+- **Sprint**: SPRINT_0201_0001_0001_cli_i
+- **Commands**:
+  - `stella forensic create --digest <digest> --reason <reason>` -- create a forensic snapshot for an artifact
+  - `stella forensic list` -- list forensic snapshots with status and timestamps
+  - `stella forensic show <snapshot-id>` -- show snapshot details including evidence, timeline
+  - `stella forensic verify <snapshot-id>` -- verify DSSE signature and timeline integrity
+- **DSSE Integration**: Snapshots are DSSE-signed for tamper-evidence
+
+## E2E Test Plan
+- [ ] Run `stella forensic create --digest sha256:abc123 --reason "Incident investigation"` and verify snapshot created
+- [ ] Run `stella forensic list` and verify snapshots listed with ID, digest, reason, timestamp
+- [ ] Run `stella forensic show <id>` and verify detailed snapshot with evidence links and timeline
+- [ ] Run `stella forensic verify <id>` and verify DSSE signature validation passes
+- [ ] Verify timeline validation detects gaps or ordering violations
+- [ ] Verify `--format json` provides structured output
+- [ ] Verify error handling for non-existent snapshot IDs

docs/features/unchecked/cli/cli-help-text-and-discoverability.md

@@ -0,0 +1,24 @@
+# CLI Help Text and Discoverability
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+Improved help text generation showing the new command hierarchy with clear categories for better discoverability.
+
+## Implementation Details
+- **Command Factory**: `src/Cli/StellaOps.Cli/Commands/CommandFactory.cs` -- builds command hierarchy with descriptive help text
+- **Command Groups**: All command groups under `src/Cli/StellaOps.Cli/Commands/` provide description strings for `new Command("name", "description")`
+- **Tests**: `src/Cli/__Tests/StellaOps.Cli.Tests/Integration/HelpTextTests.cs` -- validates help text output
+- **Resource hierarchy**: ~18 top-level groups (scan, release, verify, attest, evidence, policy, vex, reachability, sbom, crypto, config, auth, admin, ci, setup, explain, tools, doctor)
+
+## E2E Test Plan
+- [ ] Run `stella --help` and verify top-level command categories are listed with descriptions
+- [ ] Run `stella scan --help` and verify scan subcommands listed with descriptions
+- [ ] Run `stella config --help` and verify config subsections (notify, feeds, integrations, etc.)
+- [ ] Verify each top-level command group has a meaningful description
+- [ ] Verify `--help` works on every subcommand level
+- [ ] Verify help text shows option descriptions and default values

docs/features/unchecked/cli/cli-ir-commands.md

@@ -0,0 +1,28 @@
+# CLI IR Commands (stella ir lift/canon/fp/pipeline)
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+Standalone CLI command group for intermediate representation (IR) operations including `stella ir lift` (binary to IR lifting), `stella ir canon` (IR canonicalization), `stella ir fp` (fingerprint generation from IR), and `stella ir pipeline` (full lift-canon-fingerprint pipeline). While "Semantic Analysis Library" exists in known features, these CLI commands providing direct access to IR operations are a distinct user-facing capability.
+
+## Implementation Details
+- **Command Group**: `src/Cli/StellaOps.Cli/Commands/Ir/IrCommandGroup.cs` -- `IrCommandGroup` for IR operations
+- **Commands**:
+  - `stella ir lift <binary>` -- lift a binary file to intermediate representation
+  - `stella ir canon <ir-file>` -- canonicalize an IR file for deterministic comparison
+  - `stella ir fp <ir-file>` -- generate fingerprint from IR
+  - `stella ir pipeline <binary>` -- run full lift -> canon -> fingerprint pipeline
+- **Backend**: Uses semantic analysis library for IR operations
+
+## E2E Test Plan
+- [ ] Run `stella ir lift ./binary` and verify IR output generated
+- [ ] Run `stella ir canon ./ir-file.json` and verify canonicalized IR output
+- [ ] Run `stella ir fp ./ir-file.json` and verify fingerprint hash output
+- [ ] Run `stella ir pipeline ./binary` and verify end-to-end pipeline produces fingerprint
+- [ ] Verify pipeline output is deterministic (same binary produces same fingerprint)
+- [ ] Verify `--format json` produces structured output
+- [ ] Verify error handling for unsupported binary formats

docs/features/unchecked/cli/cli-notification-simulation-and-acknowledgment.md

@@ -0,0 +1,31 @@
+# CLI Notification Simulation and Acknowledgment
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+CLI commands for simulating notification rules against events (`stella notify simulate`) and acknowledging incidents (`stella notify ack`) with tenant-scoped operation support.
+
+## Implementation Details
+- **Command Group**: `src/Cli/StellaOps.Cli/Commands/NotifyCommandGroup.cs` -- `NotifyCommandGroup` for notification commands
+- **Notify Client**: `src/Cli/StellaOps.Cli/Services/NotifyClient.cs` / `INotifyClient.cs` -- notification API client
+- **Route consolidation**: Notify commands consolidated under `stella config notify` via cli-routes.json
+- **Commands**:
+  - `stella config notify simulate <event-type>` -- simulate notification rules against an event
+  - `stella config notify ack <incident-id>` -- acknowledge an incident notification
+  - `stella config notify channels list` -- list notification channels
+  - `stella config notify channels test <channel>` -- test a notification channel
+  - `stella config notify templates list` -- list notification templates
+- **Tenant scoping**: Operations support `--tenant` flag for multi-tenant environments
+
+## E2E Test Plan
+- [ ] Run `stella config notify simulate gate-failure` and verify notification rules evaluated
+- [ ] Run `stella config notify ack <incident-id>` and verify acknowledgment recorded
+- [ ] Run `stella config notify channels list` and verify channels displayed
+- [ ] Run `stella config notify channels test slack` and verify connectivity test
+- [ ] Run `stella config notify templates list` and verify templates listed
+- [ ] Verify tenant scoping with `--tenant <id>` flag
+- [ ] Verify deprecated `stella notify simulate` still works with warning

docs/features/unchecked/cli/cli-observability-dashboard-commands.md

@@ -0,0 +1,30 @@
+# CLI Observability Dashboard Commands
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+Real-time observability commands providing health/SLO/burn-rate dashboards with TUI rendering, distributed trace inspection, and log querying with pagination and evidence links.
+
+## Implementation Details
+- **Command Handlers**: `src/Cli/StellaOps.Cli/Commands/CommandHandlers.cs` -- observability command handlers
+- **Observability Client**: `src/Cli/StellaOps.Cli/Services/ObservabilityClient.cs` / `IObservabilityClient.cs` -- API client for observability data
+- **Telemetry**: `src/Cli/StellaOps.Cli/Telemetry/` -- CLI telemetry integration
+- **Commands**:
+  - `stella obs health` -- health dashboard with system status
+  - `stella obs slo` -- SLO compliance dashboard with burn-rate metrics
+  - `stella obs trace <trace-id>` -- inspect distributed trace
+  - `stella obs logs` -- query logs with filtering and pagination. Options: `--service`, `--level`, `--from`, `--to`, `--limit`
+- **TUI**: Uses Spectre.Console for rich terminal rendering of dashboards
+
+## E2E Test Plan
+- [ ] Run `stella obs health` and verify health dashboard with component status
+- [ ] Run `stella obs slo` and verify SLO metrics with burn-rate indicators
+- [ ] Run `stella obs trace <trace-id>` and verify trace spans displayed
+- [ ] Run `stella obs logs --service policy --level error --limit 50` and verify filtered log output
+- [ ] Verify log pagination with `--offset` and `--limit`
+- [ ] Verify evidence links in log entries are clickable/actionable
+- [ ] Verify `--format json` output for automation

docs/features/unchecked/cli/cli-offline-offline-poe-verification.md

@@ -0,0 +1,31 @@
+# CLI Offline Proof-of-Existence Verification
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+CLI has offline proof-of-existence verification capability documented and implemented through evidence commands.
+
+## Implementation Details
+- **PoE Commands**: `src/Cli/StellaOps.Cli/Commands/PoE/ExportCommand.cs` -- proof-of-existence export
+- **PoE Verify**: `src/Cli/StellaOps.Cli/Commands/PoE/VerifyCommand.cs` -- proof-of-existence verification
+- **Offline Command Group**: `src/Cli/StellaOps.Cli/Commands/OfflineCommandGroup.cs` -- offline operations including PoE
+- **Command Handlers**: `src/Cli/StellaOps.Cli/Commands/CommandHandlers.Offline.cs` -- offline mode handlers
+- **Offline Mode Guard**: `src/Cli/StellaOps.Cli/Services/OfflineModeGuard.cs` -- enforces offline-only operations
+- **Exit Codes**: `src/Cli/StellaOps.Cli/Commands/OfflineExitCodes.cs` -- offline-specific exit codes
+- **Documentation**: `src/Cli/OFFLINE_POE_VERIFICATION.md`
+- **Commands**:
+  - `stella poe export <digest>` -- export proof-of-existence bundle
+  - `stella poe verify <bundle>` -- verify PoE bundle offline
+  - `stella offline verify` -- offline verification mode
+
+## E2E Test Plan
+- [ ] Run `stella poe export sha256:abc123 --output ./poe-bundle/` and verify bundle created with Rekor proofs
+- [ ] Run `stella poe verify ./poe-bundle/` and verify offline PoE verification passes
+- [ ] Verify PoE verification works without network connectivity (air-gapped)
+- [ ] Verify tampered bundle fails verification with clear error message
+- [ ] Run `stella offline verify <digest>` and verify offline verification mode works
+- [ ] Verify exit codes follow OfflineExitCodes convention

docs/features/unchecked/cli/cli-plugin-module-loading-architecture.md

@@ -0,0 +1,30 @@
+# CLI Plugin Module Loading Architecture
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+Plugin-based module loading for CLI commands, enabling extensible command registration and routing.
+
+## Implementation Details
+- **Plugin System**: `src/Cli/StellaOps.Cli/Plugins/` -- plugin loading infrastructure
+- **Plugin Directory**: `src/Cli/plugins/` -- plugin module implementations
+- **Plugin Guard**: `src/Cli/__Tests/StellaOps.Cli.Tests/Plugins/RestartOnlyCliPluginGuardTests.cs` -- plugin security guard
+- **Module Loader**: `src/Cli/__Tests/StellaOps.Cli.Tests/Plugins/CliCommandModuleLoaderTests.cs` -- module loader tests
+- **Architecture**:
+  - `ICliCommandModule` interface defines plugin contract
+  - Dynamic module loader discovers and loads plugin assemblies
+  - Plugins register commands into the CLI command tree
+  - Restart-only guard prevents hot-loading for security
+- **Built-in plugins**: VEX, verdict, timestamp, symbols, AOC, delta signatures
+
+## E2E Test Plan
+- [ ] Verify built-in plugin modules are loaded at startup
+- [ ] Verify plugin commands appear in `stella --help` output
+- [ ] Verify plugin command execution works correctly
+- [ ] Verify restart-only guard prevents unauthorized plugin loading
+- [ ] Verify missing plugin gracefully reports error without crashing
+- [ ] Verify plugin loading order is deterministic

docs/features/unchecked/cli/cli-policy-lifecycle-commands.md

@@ -0,0 +1,36 @@
+# CLI Policy Lifecycle Commands
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+Full policy lifecycle management from CLI including version bumping, submission, review, approval, simulation, publish/promote/rollback with DSSE signing and canary deployment support.
+
+## Implementation Details
+- **Command Group**: `src/Cli/StellaOps.Cli/Commands/PolicyCommandGroup.cs` -- `PolicyCommandGroup` for `stella policy` commands
+- **Policy Interop**: `src/Cli/StellaOps.Cli/Commands/Policy/PolicyInteropCommandGroup.cs` -- policy interop commands
+- **Command Handlers**: `src/Cli/StellaOps.Cli/Commands/CommandHandlers.cs` -- policy-related handlers
+- **Commands**:
+  - `stella policy bump <file> --level patch|minor|major` -- version bump with changelog
+  - `stella policy submit <file> --reviewer <user>` -- submit for review
+  - `stella policy review status <id>` -- check review status
+  - `stella policy approve <id>` -- approve policy review
+  - `stella policy simulate <file>` -- run simulation
+  - `stella policy publish <file>` -- publish approved revision with DSSE signing
+  - `stella policy promote <id> --env <env>` -- promote to environment
+  - `stella policy rollback <id> --to <version>` -- rollback to previous version
+- **Tests**: `src/Cli/__Tests/StellaOps.Cli.Tests/GoldenOutput/PolicyListCommandGoldenTests.cs`, `PolicyListGoldenOutputTests.cs`
+
+## E2E Test Plan
+- [ ] Run `stella policy bump ./policy.stella --level minor --message "Add reachability gate"` and verify version incremented
+- [ ] Run `stella policy submit ./policy.stella --reviewer admin` and verify submission created
+- [ ] Run `stella policy review status <id>` and verify review status displayed
+- [ ] Run `stella policy approve <id>` and verify approval recorded
+- [ ] Run `stella policy simulate ./policy.stella` and verify simulation results
+- [ ] Run `stella policy publish ./policy.stella --sign` and verify DSSE-signed publication
+- [ ] Run `stella policy promote <id> --env production` and verify promotion
+- [ ] Run `stella policy rollback <id> --to v1.2.0` and verify rollback
+- [ ] Verify canary deployment mode with `--canary` flag

docs/features/unchecked/cli/cli-reachability-trace-export.md

@@ -0,0 +1,28 @@
+# CLI Reachability Trace Export
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+New stella reachability trace command with flags for scan ID, output format (GraphSON/JSON), runtime-confirmed filtering, minimum score threshold, and deterministic output.
+
+## Implementation Details
+- **Command Group**: `src/Cli/StellaOps.Cli/Commands/ReachabilityCommandGroup.cs` -- `ReachabilityCommandGroup` for reachability commands
+- **ReachGraph Commands**: `src/Cli/StellaOps.Cli/Commands/ReachGraph/ReachGraphCommandGroup.cs` -- reachability graph operations
+- **ReachGraph Handlers**: `src/Cli/StellaOps.Cli/Commands/ReachGraph/ReachGraphCommandHandlers.cs`
+- **Tests**: `src/Cli/__Tests/StellaOps.Cli.Tests/ReachabilityTraceExportCommandTests.cs`
+- **Commands**:
+  - `stella reachability trace --scan <scan-id>` -- export reachability trace. Options: `--format graphson|json`, `--runtime-only` (confirmed only), `--min-score <threshold>`, `--output <path>`
+- **Determinism**: Output is deterministically ordered for reproducible results
+
+## E2E Test Plan
+- [ ] Run `stella reachability trace --scan <id> --format json` and verify JSON trace export
+- [ ] Run `stella reachability trace --scan <id> --format graphson` and verify GraphSON output
+- [ ] Run `stella reachability trace --scan <id> --runtime-only` and verify only runtime-confirmed paths
+- [ ] Run `stella reachability trace --scan <id> --min-score 0.7` and verify score filtering
+- [ ] Verify output is deterministic (same scan produces byte-identical output)
+- [ ] Verify `--output` flag writes to file instead of stdout
+- [ ] Verify error handling for non-existent scan IDs

docs/features/unchecked/cli/cli-reachability-upload-and-explain-commands.md

@@ -0,0 +1,28 @@
+# CLI Reachability Upload and Explain Commands
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+Commands for uploading call graphs (`stella reachability upload-callgraph`) and querying reachability status with explanation (`stella reachability list/explain`), with streaming upload and pagination support.
+
+## Implementation Details
+- **Command Group**: `src/Cli/StellaOps.Cli/Commands/ReachabilityCommandGroup.cs` -- reachability commands
+- **ReachGraph Commands**: `src/Cli/StellaOps.Cli/Commands/ReachGraph/ReachGraphCommandGroup.cs` -- graph operations
+- **ReachGraph Handlers**: `src/Cli/StellaOps.Cli/Commands/ReachGraph/ReachGraphCommandHandlers.cs` -- upload and query handlers
+- **Commands**:
+  - `stella reachability upload-callgraph <file>` -- upload call graph with streaming support. Options: `--digest <digest>`, `--format <format>`
+  - `stella reachability list` -- list reachability results with pagination. Options: `--scan <id>`, `--status reachable|unreachable|unknown`, `--limit`, `--offset`
+  - `stella reachability explain <cve>` -- explain reachability determination for a CVE with evidence chain
+
+## E2E Test Plan
+- [ ] Run `stella reachability upload-callgraph ./callgraph.json --digest sha256:abc123` and verify upload success
+- [ ] Verify streaming upload for large call graphs
+- [ ] Run `stella reachability list --scan <id>` and verify reachability results displayed
+- [ ] Run `stella reachability list --status reachable` and verify filtering
+- [ ] Run `stella reachability explain CVE-2024-1234` and verify explanation with evidence chain
+- [ ] Verify pagination with `--limit` and `--offset`
+- [ ] Verify `--format json` output for automation

docs/features/unchecked/cli/cli-scan-command-consolidation.md

@@ -0,0 +1,34 @@
+# CLI Scan Command Consolidation
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+Unified `stella scan` command hub with run/download/workers/graph/secrets/image subcommands, consolidating previously separate scanning commands.
+
+## Implementation Details
+- **Command Group**: `src/Cli/StellaOps.Cli/Commands/Scan/` -- consolidated scan command directory
+- **Scan Graph**: `src/Cli/StellaOps.Cli/Commands/ScanGraphCommandGroup.cs` -- scan graph commands
+- **Scanner Executor**: `src/Cli/StellaOps.Cli/Services/ScannerExecutor.cs` / `IScannerExecutor.cs` -- scanner execution service
+- **Scanner Installer**: `src/Cli/StellaOps.Cli/Services/ScannerInstaller.cs` / `IScannerInstaller.cs` -- scanner installation
+- **Commands**:
+  - `stella scan run <image>` -- run a vulnerability scan. Options: `--policy <file>`, `--format json|table|sarif`, `--sbom-format cdx|spdx`
+  - `stella scan download` -- download scanner binaries
+  - `stella scan workers` -- manage scanner workers
+  - `stella scan graph` -- scan graph operations
+  - `stella scan secrets <path>` -- secrets scanning
+  - `stella scan image <image>` -- image-specific scanning
+- **Tests**: `src/Cli/__Tests/StellaOps.Cli.Tests/GoldenOutput/ScanCommandGoldenTests.cs`, `ScanCommandGoldenOutputTests.cs`, `ScannerDownloadVerifyTests.cs`, `ScannerWorkersCommandTests.cs`
+
+## E2E Test Plan
+- [ ] Run `stella scan run myregistry/app:v1.0` and verify scan execution with results
+- [ ] Run `stella scan run --format sarif --output ./results.sarif` and verify SARIF output
+- [ ] Run `stella scan download` and verify scanner binary download
+- [ ] Run `stella scan workers list` and verify worker status
+- [ ] Run `stella scan secrets ./src` and verify secrets scanning
+- [ ] Run `stella scan image myregistry/app:v1.0` and verify image scanning
+- [ ] Verify golden output tests pass for scan commands
+- [ ] Verify exit codes: 0=clean, 1=vulnerabilities found, 2=error

docs/features/unchecked/cli/cli-slice-management-commands.md

@@ -0,0 +1,29 @@
+# CLI Slice Management Commands
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+CLI commands for reachability slice lifecycle: query by CVE/symbol, verify DSSE signature with replay, export to offline bundle (OCI layout tar.gz), and import from bundle with integrity verification.
+
+## Implementation Details
+- **Command Group**: `src/Cli/StellaOps.Cli/Commands/Slice/` -- slice management commands
+- **Commands**:
+  - `stella slice query --cve <cve>` -- query slices by CVE
+  - `stella slice query --symbol <symbol>` -- query slices by symbol
+  - `stella slice verify <slice-id>` -- verify DSSE signature and replay integrity
+  - `stella slice export <slice-id> --output <path>` -- export to OCI layout tar.gz offline bundle
+  - `stella slice import <bundle-path>` -- import from bundle with integrity verification
+- **OCI Integration**: Exports use OCI layout format for registry compatibility
+
+## E2E Test Plan
+- [ ] Run `stella slice query --cve CVE-2024-1234` and verify matching slices returned
+- [ ] Run `stella slice query --symbol "org.example.Class.method"` and verify symbol-based query
+- [ ] Run `stella slice verify <id>` and verify DSSE signature validation
+- [ ] Run `stella slice export <id> --output ./slice-bundle.tar.gz` and verify OCI layout tar.gz
+- [ ] Run `stella slice import ./slice-bundle.tar.gz` and verify import with integrity check
+- [ ] Verify import fails for tampered bundles
+- [ ] Verify deterministic replay after import matches original

docs/features/unchecked/cli/cli-tools.md

@@ -0,0 +1,26 @@
+# CLI Tools
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+CLI tooling exists for verdict attestation verification and provenance attestation tooling.
+
+## Implementation Details
+- **Command Group**: `src/Cli/StellaOps.Cli/Commands/ToolsCommandGroup.cs` -- `ToolsCommandGroup` for `stella tools` commands
+- **Verdict Verifier**: `src/Cli/StellaOps.Cli/Services/VerdictAttestationVerifier.cs` -- verdict attestation verification
+- **DSSE Verifier**: `src/Cli/StellaOps.Cli/Services/DsseSignatureVerifier.cs` / `IDsseSignatureVerifier.cs` -- DSSE signature verification
+- **Tests**: `src/Cli/__Tests/StellaOps.Cli.Tests/Commands/ToolsCommandGroupTests.cs`
+- **Commands**:
+  - `stella tools verify-verdict <attestation>` -- verify verdict attestation
+  - `stella tools verify-provenance <attestation>` -- verify provenance attestation
+
+## E2E Test Plan
+- [ ] Run `stella tools verify-verdict ./verdict.json` and verify attestation validation
+- [ ] Run `stella tools verify-provenance ./provenance.json` and verify provenance validation
+- [ ] Verify verification fails for invalid attestations with clear error messages
+- [ ] Verify `--format json` output for automation
+- [ ] Verify offline verification works without network

docs/features/unchecked/cli/cli-verify-command-for-attestation-chain-validation.md

@@ -0,0 +1,33 @@
+# CLI Verify Command for Attestation Chain Validation
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+CLI verify commands validate attestation chains for images with determinism testing and golden output verification.
+
+## Implementation Details
+- **Command Group**: `src/Cli/StellaOps.Cli/Commands/VerifyCommandGroup.cs` -- `VerifyCommandGroup` for `stella verify` commands
+- **Image Verification**: `src/Cli/StellaOps.Cli/Commands/CommandHandlers.VerifyImage.cs` -- image verification handlers
+- **Bundle Verification**: `src/Cli/StellaOps.Cli/Commands/CommandHandlers.VerifyBundle.cs` -- bundle verification handlers
+- **Offline Verification**: `src/Cli/StellaOps.Cli/Commands/CommandHandlers.VerifyOffline.cs` -- offline verification handlers
+- **Image Attestation Verifier**: `src/Cli/StellaOps.Cli/Services/ImageAttestationVerifier.cs` / `IImageAttestationVerifier.cs`
+- **Tests**: `src/Cli/__Tests/StellaOps.Cli.Tests/GoldenOutput/VerifyCommandGoldenTests.cs`, `VerifyCommandGoldenOutputTests.cs`, `VerifyImageCommandTests.cs`, `VerifyImageHandlerTests.cs`
+- **Commands**:
+  - `stella verify attestation <digest>` -- verify attestation chain for an artifact
+  - `stella verify image <image>` -- verify image attestations
+  - `stella verify bundle <path>` -- verify evidence bundle integrity
+  - `stella verify offline <digest>` -- offline verification mode
+- **Integration tests**: `src/Cli/__Tests/StellaOps.Cli.Tests/Integration/VerificationConsolidationTests.cs`
+
+## E2E Test Plan
+- [ ] Run `stella verify attestation sha256:abc123` and verify attestation chain validated
+- [ ] Run `stella verify image myregistry/app:v1.0` and verify image attestation check
+- [ ] Run `stella verify bundle ./evidence-bundle/` and verify bundle integrity
+- [ ] Run `stella verify offline sha256:abc123` and verify offline verification without network
+- [ ] Verify golden output tests pass deterministically
+- [ ] Verify exit code 0 for valid chains, non-zero for broken chains
+- [ ] Verify `--format json` provides structured verification results

docs/features/unchecked/cli/cli-vex-consensus-commands.md

@@ -0,0 +1,29 @@
+# CLI VEX Consensus Commands
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+VEX consensus workflow commands (`stella vex consensus list/show/simulate/export`) for querying quorum status, trust/threshold overrides, and exporting NDJSON bundles with signature verification.
+
+## Implementation Details
+- **Command Group**: `src/Cli/StellaOps.Cli/Commands/VexCommandGroup.cs` -- VEX command group including consensus subcommands
+- **VEX Gate Scan**: `src/Cli/StellaOps.Cli/Commands/VexGateScanCommandGroup.cs` -- VEX gate scan operations
+- **VEX Gen**: `src/Cli/StellaOps.Cli/Commands/VexGenCommandGroup.cs` -- VEX generation commands
+- **Tests**: `src/Cli/__Tests/StellaOps.Cli.Tests/Commands/VexGateCommandTests.cs`, `VexVerifyCommandTests.cs`
+- **Commands**:
+  - `stella vex consensus list` -- list consensus states with quorum status
+  - `stella vex consensus show <cve>` -- show consensus details for a CVE
+  - `stella vex consensus simulate --trust <level> --threshold <value>` -- simulate consensus with overrides
+  - `stella vex consensus export --format ndjson` -- export consensus bundle with signatures
+
+## E2E Test Plan
+- [ ] Run `stella vex consensus list` and verify consensus states with quorum indicators
+- [ ] Run `stella vex consensus show CVE-2024-1234` and verify detailed consensus for a CVE
+- [ ] Run `stella vex consensus simulate --trust high --threshold 0.8` and verify simulated outcome
+- [ ] Run `stella vex consensus export --format ndjson --output ./consensus.ndjson` and verify signed bundle
+- [ ] Verify signature verification on exported bundles
+- [ ] Verify `--format json` for automation

docs/features/unchecked/cli/cli-vulnerability-workflow-commands.md

@@ -0,0 +1,38 @@
+# CLI Vulnerability Workflow Commands
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+Complete vulnerability triage CLI commands (`stella vuln list/show/assign/comment/accept-risk/verify-fix/target-fix/reopen/simulate/export/bundle verify`) enabling full vulnerability lifecycle management from the command line.
+
+## Implementation Details
+- **Command Handlers**: `src/Cli/StellaOps.Cli/Commands/CommandHandlers.cs` -- vulnerability workflow handlers
+- **Watchlist Commands**: `src/Cli/StellaOps.Cli/Commands/WatchlistCommandGroup.cs` -- `WatchlistCommandGroup` with `Watchlist/` subdirectory
+- **CVSS Client**: `src/Cli/StellaOps.Cli/Services/CvssClient.cs` / `ICvssClient.cs` -- CVSS scoring client
+- **Tests**: `src/Cli/__Tests/StellaOps.Cli.Tests/Commands/WatchlistCommandGoldenTests.cs`
+- **Commands**:
+  - `stella vuln list` -- list vulnerabilities with filtering. Options: `--severity`, `--status`, `--limit`
+  - `stella vuln show <cve>` -- show vulnerability details
+  - `stella vuln assign <cve> --to <user>` -- assign for triage
+  - `stella vuln comment <cve> --message <text>` -- add triage comment
+  - `stella vuln accept-risk <cve> --reason <text>` -- accept risk with justification
+  - `stella vuln verify-fix <cve>` -- verify fix applied
+  - `stella vuln target-fix <cve> --version <ver>` -- set target fix version
+  - `stella vuln reopen <cve>` -- reopen a closed vulnerability
+  - `stella vuln simulate <cve>` -- simulate policy impact
+  - `stella vuln export` -- export vulnerability data
+  - `stella vuln bundle verify <path>` -- verify vulnerability bundle
+
+## E2E Test Plan
+- [ ] Run `stella vuln list --severity critical` and verify filtered vulnerability listing
+- [ ] Run `stella vuln show CVE-2024-1234` and verify detailed vulnerability info
+- [ ] Run `stella vuln assign CVE-2024-1234 --to admin` and verify assignment
+- [ ] Run `stella vuln comment CVE-2024-1234 --message "Investigating"` and verify comment added
+- [ ] Run `stella vuln accept-risk CVE-2024-1234 --reason "Mitigated by WAF"` and verify risk acceptance
+- [ ] Run `stella vuln verify-fix CVE-2024-1234` and verify fix verification
+- [ ] Run `stella vuln export --format json` and verify JSON export
+- [ ] Verify full lifecycle: assign -> comment -> target-fix -> verify-fix

docs/features/unchecked/cli/cli-with-plugin-based-command-modules.md

@@ -0,0 +1,33 @@
+# CLI with Plugin-Based Command Modules
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+Modular CLI with ICliCommandModule interface, dynamic module loader, and multiple plugin command modules covering VEX, verdict, timestamp, symbols, AOC, and delta signatures.
+
+## Implementation Details
+- **Plugin System**: `src/Cli/StellaOps.Cli/Plugins/` -- plugin infrastructure with ICliCommandModule interface
+- **Plugin Directory**: `src/Cli/plugins/` -- plugin implementations
+- **Module Loader Tests**: `src/Cli/__Tests/StellaOps.Cli.Tests/Plugins/CliCommandModuleLoaderTests.cs`
+- **Plugin Guard Tests**: `src/Cli/__Tests/StellaOps.Cli.Tests/Plugins/RestartOnlyCliPluginGuardTests.cs`
+- **Built-in plugin modules**:
+  - VEX plugin -- VEX generation and verification commands
+  - Verdict plugin -- verdict inspection and verification
+  - Timestamp plugin -- RFC 3161 timestamp operations
+  - Symbols plugin -- symbol table operations
+  - AOC plugin -- attestation of compliance
+  - DeltaSig plugin -- delta signature operations (`src/Cli/StellaOps.Cli/Commands/DeltaSig/`)
+
+## E2E Test Plan
+- [ ] Verify all built-in plugins load at startup
+- [ ] Verify VEX plugin commands are available (stella vex gen, stella vex verify)
+- [ ] Verify verdict plugin commands work (stella verdict show)
+- [ ] Verify timestamp plugin commands work (stella ts verify)
+- [ ] Verify symbols plugin commands work (stella symbols ingest)
+- [ ] Verify DeltaSig plugin commands work (stella deltasig create, verify)
+- [ ] Verify plugin guard prevents unauthorized module loading
+- [ ] Verify graceful degradation when optional plugin is missing

docs/features/unchecked/cli/concelier-database-operations-cli.md

@@ -0,0 +1,29 @@
+# Concelier Database Operations CLI
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+Trigger Concelier advisory database operations: connector fetch/parse/map stages with mode selection (init/resume/cursor), canonical merge reconciliation, and export jobs with ORAS publishing and offline bundle toggles.
+
+## Implementation Details
+- **Command Group**: `src/Cli/StellaOps.Cli/Commands/FeedsCommandGroup.cs` -- feed management commands (consolidated under config)
+- **Command Handlers**: `src/Cli/StellaOps.Cli/Commands/CommandHandlers.Feeds.cs` -- feed operation handlers
+- **Observations Client**: `src/Cli/StellaOps.Cli/Services/ConcelierObservationsClient.cs` / `IConcelierObservationsClient.cs` -- Concelier API client
+- **Commands**:
+  - `stella config feeds fetch --mode init|resume|cursor` -- trigger connector fetch stage
+  - `stella config feeds parse` -- trigger parse stage
+  - `stella config feeds merge` -- canonical merge reconciliation
+  - `stella config feeds export --oras --offline-bundle` -- export with ORAS publishing and offline bundle options
+
+## E2E Test Plan
+- [ ] Run `stella config feeds fetch --mode init` and verify initial fetch triggered
+- [ ] Run `stella config feeds fetch --mode resume` and verify incremental fetch
+- [ ] Run `stella config feeds parse` and verify parse stage execution
+- [ ] Run `stella config feeds merge` and verify canonical merge reconciliation
+- [ ] Run `stella config feeds export --oras` and verify ORAS publishing
+- [ ] Run `stella config feeds export --offline-bundle` and verify offline bundle created
+- [ ] Verify error handling for failed connector operations

docs/features/unchecked/cli/delta-scan-cli-command.md

@@ -0,0 +1,27 @@
+# Delta Scan CLI Command
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+CLI command `stella scan delta --old <image> --new <image>` for delta scanning between container image versions. Supports JSON/text/summary output formats, exit codes for CVE status (0=clean, 1=new CVEs, 2=error), and flags for policy, platform, SBOM format, signing, Rekor submission, and timeout configuration.
+
+## Implementation Details
+- **Command Group**: `src/Cli/StellaOps.Cli/Commands/DeltaCommandGroup.cs` -- `DeltaCommandGroup` for `stella delta` / `stella scan delta` commands
+- **Commands**:
+  - `stella scan delta --old <image> --new <image>` -- delta scan between two image versions. Options: `--format json|text|summary`, `--policy <file>`, `--platform <arch>`, `--sbom-format cdx|spdx`, `--sign`, `--rekor`, `--timeout <duration>`
+- **Exit codes**: 0=no new CVEs, 1=new CVEs found, 2=error
+- **Integration**: Connects to Scanner module for diff computation
+
+## E2E Test Plan
+- [ ] Run `stella scan delta --old app:v1.0 --new app:v2.0` and verify delta scan results
+- [ ] Run with `--format json` and verify structured delta output
+- [ ] Run with `--format summary` and verify summary output
+- [ ] Verify exit code 0 when no new CVEs introduced
+- [ ] Verify exit code 1 when new CVEs found in new image
+- [ ] Run with `--sign --rekor` and verify signed results with Rekor entry
+- [ ] Run with `--policy ./policy.stella` and verify policy evaluation against delta
+- [ ] Verify `--timeout` flag works for long-running scans

docs/features/unchecked/cli/deltasig-cli-module.md

@@ -0,0 +1,29 @@
+# DeltaSig CLI Module
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+Proposed CLI module for creating, signing, verifying, and packing ELF delta signatures. The BinaryDiff attestation predicates exist as the backend foundation.
+
+## Implementation Details
+- **Command Group**: `src/Cli/StellaOps.Cli/Commands/DeltaSig/DeltaSigCommandGroup.cs` -- `DeltaSigCommandGroup` (internal static class)
+- **Command Handlers**: `src/Cli/StellaOps.Cli/Commands/DeltaSig/DeltaSigCommandHandlers.cs` -- `DeltaSigCommandHandlers`
+- **Binary Commands**: `src/Cli/StellaOps.Cli/Commands/Binary/DeltaSigCommandGroup.cs` -- binary-level delta sig
+- **Tests**: `src/Cli/__Tests/StellaOps.Cli.Tests/DeltaSigCommandTests.cs`
+- **Commands**:
+  - `stella deltasig create --old <binary> --new <binary>` -- create delta signature
+  - `stella deltasig sign <deltasig>` -- sign a delta signature
+  - `stella deltasig verify <deltasig>` -- verify delta signature integrity
+  - `stella deltasig pack <deltasig> --output <path>` -- pack delta signature for distribution
+
+## E2E Test Plan
+- [ ] Run `stella deltasig create --old ./v1.elf --new ./v2.elf` and verify delta signature created
+- [ ] Run `stella deltasig sign ./delta.sig` and verify cryptographic signing
+- [ ] Run `stella deltasig verify ./delta.sig` and verify signature validation
+- [ ] Run `stella deltasig pack ./delta.sig --output ./packed.tar.gz` and verify packed bundle
+- [ ] Verify verification fails for tampered delta signatures
+- [ ] Verify `--format json` output for automation

docs/features/unchecked/cli/deterministic-replayability-for-tests.md

@@ -0,0 +1,29 @@
+# Deterministic Replayability for Tests
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+Test infrastructure includes determinism manifests, run manifest validation, test run attestation generation, and golden output replay verification, supporting the advisory's call for deterministic replayability.
+
+## Implementation Details
+- **Replay Infrastructure**: `src/Cli/StellaOps.Cli/Replay/` -- replay command and manifest handling
+- **Determinism Tests**: `src/Cli/__Tests/StellaOps.Cli.Tests/Determinism/CliDeterminismTests.cs`, `AttestVerifyDeterminismTests.cs`
+- **Golden Output Tests**: `src/Cli/__Tests/StellaOps.Cli.Tests/GoldenOutput/DeterminismReplayGoldenTests.cs`
+- **Run Manifest**: `src/Cli/__Tests/StellaOps.Cli.Tests/Replay/RunManifestSerializerTests.cs` -- run manifest serialization
+- **Determinism Harness**: `src/Cli/StellaOps.Cli/Services/DeterminismHarness.cs` / `IDeterminismHarness.cs`
+- **Architecture**:
+  - Run manifests capture all inputs (hashes, versions, timestamps) for reproducible execution
+  - Golden output tests verify byte-identical output from identical inputs
+  - Determinism harness wraps execution with purity checks
+
+## E2E Test Plan
+- [ ] Verify determinism tests pass with identical outputs across runs
+- [ ] Verify run manifests capture all input hashes
+- [ ] Verify golden output replay produces byte-identical results
+- [ ] Verify determinism harness detects non-deterministic behavior
+- [ ] Verify run manifest serialization round-trips correctly
+- [ ] Verify attestation generation for test runs

docs/features/unchecked/cli/doctor-cli-command-group.md

@@ -0,0 +1,33 @@
+# Doctor CLI Command Group
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+Top-level `stella doctor` CLI command group providing CLI parity with Doctor web UI, including watch mode for continuous monitoring, per-environment health filtering, export capabilities for health reports, fix execution from CLI, and historical trend reporting.
+
+## Implementation Details
+- **Command Group**: `src/Cli/StellaOps.Cli/Commands/DoctorCommandGroup.cs` -- `DoctorCommandGroup` (internal static class)
+- **Doctor Engine**: Uses `StellaOps.Doctor.Engine` library for diagnostic checks
+- **Doctor Export**: Uses `StellaOps.Doctor.Export` for report export
+- **Doctor Packs**: Uses `StellaOps.Doctor.Packs` for diagnostic packs
+- **Doctor Plugins**: Uses `StellaOps.Doctor.Plugins` for extensible health checks
+- **Commands**:
+  - `stella doctor` / `stella doctor run` -- run diagnostic checks. Options: `--category <cat>`, `--tag <tag>`, `--format table|json`, `--verbose`
+  - `stella doctor list` -- list available diagnostic checks
+  - `stella doctor export --output <path>` -- export health report
+  - `stella doctor fix <check-id>` -- execute auto-fix for a failed check
+- **Output**: Uses `StellaOps.Doctor.Output` for formatted console output
+
+## E2E Test Plan
+- [ ] Run `stella doctor` and verify diagnostic checks run with pass/fail/warn status
+- [ ] Run `stella doctor --category connectivity` and verify category filtering
+- [ ] Run `stella doctor --tag critical` and verify tag filtering
+- [ ] Run `stella doctor list` and verify available checks listed with descriptions
+- [ ] Run `stella doctor export --output ./health-report.json` and verify report exported
+- [ ] Run `stella doctor fix <check-id>` and verify auto-fix execution
+- [ ] Run `stella doctor --format json` and verify structured output
+- [ ] Verify `--verbose` shows detailed check execution info

docs/features/unchecked/cli/evidence-card-and-remediation-pr-cli-commands.md

@@ -0,0 +1,29 @@
+# Evidence Card and Remediation PR CLI Commands
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+CLI commands for viewing evidence cards per finding and opening remediation pull requests (`stella remediate open-pr`) directly from CLI output, enabling automated PR creation for AI-generated fix suggestions.
+
+## Implementation Details
+- **Command Group**: `src/Cli/StellaOps.Cli/Commands/EvidenceCommandGroup.cs` -- `EvidenceCommandGroup` with card subcommands
+- **Card Commands**: `BuildCardCommand()`, `BuildCardExportCommand()`, `BuildCardVerifyCommand()` methods in EvidenceCommandGroup
+- **Open PR**: `src/Cli/StellaOps.Cli/Commands/GitHubCommandGroup.cs` -- GitHub integration for PR creation
+- **Tests**: `src/Cli/__Tests/StellaOps.Cli.Tests/OpenPrCommandTests.cs`
+- **Commands**:
+  - `stella evidence card <finding-id>` -- view evidence card for a finding
+  - `stella evidence card export <finding-id>` -- export evidence card
+  - `stella evidence card verify <finding-id>` -- verify evidence card integrity
+  - `stella remediate open-pr <finding-id>` -- open a remediation PR with AI-generated fix
+
+## E2E Test Plan
+- [ ] Run `stella evidence card <id>` and verify evidence card displayed with finding details
+- [ ] Run `stella evidence card export <id> --output ./card.json` and verify export
+- [ ] Run `stella evidence card verify <id>` and verify card integrity
+- [ ] Run `stella remediate open-pr <id>` and verify PR created with fix suggestion
+- [ ] Verify PR contains AI-generated remediation code
+- [ ] Verify `--format json` output for automation

docs/features/unchecked/cli/evidence-legal-holds-cli.md

@@ -0,0 +1,28 @@
+# Evidence Legal Holds CLI
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+CLI commands for managing legal holds on evidence artifacts. Users can create holds scoped by digest, component, time-range, or all artifacts; list active/released holds; show hold details with affected artifact counts; and release holds with confirmation and audit reasons. Held artifacts are protected from retention policy deletion.
+
+## Implementation Details
+- **Command Group**: `src/Cli/StellaOps.Cli/Commands/EvidenceHoldsCommandGroup.cs` -- `EvidenceHoldsCommandGroup` (public static class)
+- **Commands**:
+  - `stella evidence holds create --scope digest|component|time-range|all` -- create a legal hold. Options: `--digest <digest>`, `--component <purl>`, `--from/--to`, `--reason <text>`
+  - `stella evidence holds list` -- list holds. Options: `--status active|released`, `--format table|json`
+  - `stella evidence holds show <hold-id>` -- show hold details with affected artifact count
+  - `stella evidence holds release <hold-id> --reason <text>` -- release a hold with audit reason (requires confirmation)
+
+## E2E Test Plan
+- [ ] Run `stella evidence holds create --scope digest --digest sha256:abc123 --reason "Legal investigation"` and verify hold created
+- [ ] Run `stella evidence holds create --scope all --reason "Litigation hold"` and verify all-artifact hold
+- [ ] Run `stella evidence holds list` and verify active holds displayed
+- [ ] Run `stella evidence holds list --status released` and verify released holds
+- [ ] Run `stella evidence holds show <id>` and verify hold details with affected artifact count
+- [ ] Run `stella evidence holds release <id> --reason "Investigation complete"` and verify release with confirmation
+- [ ] Verify held artifacts are protected from retention policy deletion
+- [ ] Verify `--format json` output for automation

docs/features/unchecked/cli/evidence-pack-download-and-verification.md

@@ -0,0 +1,30 @@
+# Evidence Pack Download and Verification
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+Full evidence pack system with UI for browsing, exporting, and ribbon/thread views. CLI for bundle export and verification. Dedicated Evidence Locker module for evidence storage.
+
+## Implementation Details
+- **Bundle Export**: `src/Cli/StellaOps.Cli/Commands/BundleExportCommand.cs` -- `BuildExportBundleCommand()` for evidence bundle export
+- **Bundle Verify**: `src/Cli/StellaOps.Cli/Commands/BundleVerifyCommand.cs` -- `BuildVerifyBundleEnhancedCommand()` for bundle verification
+- **Bundle Command Group**: `src/Cli/StellaOps.Cli/Commands/BundleCommandGroup.cs` -- `stella bundle` commands
+- **Pack Client**: `src/Cli/StellaOps.Cli/Services/PackClient.cs` / `IPackClient.cs` -- evidence pack API client
+- **DevPortal Verifier**: `src/Cli/StellaOps.Cli/Services/DevPortalBundleVerifier.cs` / `IDevPortalBundleVerifier.cs`
+- **Tests**: `src/Cli/__Tests/StellaOps.Cli.Tests/Commands/VerifyBundleCommandTests.cs`, `src/Cli/__Tests/StellaOps.Cli.Tests/Services/DevPortalBundleVerifierTests.cs`
+- **Commands**:
+  - `stella bundle export <digest> --output <path>` -- export evidence bundle
+  - `stella bundle verify <path>` -- verify bundle integrity with manifest hash checking
+  - `stella evidence list-packs` -- list available evidence packs
+
+## E2E Test Plan
+- [ ] Run `stella bundle export sha256:abc123 --output ./bundle/` and verify bundle created
+- [ ] Run `stella bundle verify ./bundle/` and verify integrity check passes
+- [ ] Run `stella bundle verify` with tampered bundle and verify failure detected
+- [ ] Run `stella evidence list-packs` and verify packs listed
+- [ ] Verify bundle contains all evidence artifacts (verdict, policy, SBOM, attestations)
+- [ ] Verify `--format json` output

docs/features/unchecked/cli/excititor-vex-ingest-management-cli.md

@@ -0,0 +1,27 @@
+# Excititor VEX Ingest Management CLI
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+Manage Excititor VEX ingest workflows: initialize state with checkpoint resume, pull from providers with time windows and force mode, and run exports.
+
+## Implementation Details
+- **Command Handlers**: `src/Cli/StellaOps.Cli/Commands/CommandHandlers.cs` -- Excititor-related handlers
+- **VEX Observations Client**: `src/Cli/StellaOps.Cli/Services/VexObservationsClient.cs` / `IVexObservationsClient.cs` -- VEX observations API client
+- **Commands**:
+  - `stella vex ingest init` -- initialize VEX ingest state
+  - `stella vex ingest pull --provider <name> --from <date> --to <date>` -- pull VEX statements from provider
+  - `stella vex ingest pull --force` -- force re-pull all statements
+  - `stella vex ingest export` -- export ingested VEX data
+
+## E2E Test Plan
+- [ ] Run `stella vex ingest init` and verify state initialized
+- [ ] Run `stella vex ingest pull --provider osv` and verify VEX statements pulled
+- [ ] Run `stella vex ingest pull --from 2024-01-01 --to 2024-12-31` and verify time window filtering
+- [ ] Run `stella vex ingest pull --force` and verify force re-pull
+- [ ] Run `stella vex ingest export` and verify export execution
+- [ ] Verify checkpoint resume works after interrupted pull

docs/features/unchecked/cli/explain-block-cli-command.md

@@ -0,0 +1,26 @@
+# Explain Block CLI Command
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+CLI command `stella explain block <digest>` that provides a complete "why is this blocked?" explanation with evidence linking, policy rule identification, and deterministic output formatting for audit trails.
+
+## Implementation Details
+- **Command Group**: `src/Cli/StellaOps.Cli/Commands/ExplainCommandGroup.cs` -- `ExplainCommandGroup` for `stella explain` commands
+- **Verdict Rationale**: `src/Cli/StellaOps.Cli/Commands/CommandHandlers.VerdictRationale.cs` -- verdict rationale handlers
+- **Rationale Client**: `src/Cli/StellaOps.Cli/Services/RationaleClient.cs` / `IRationaleClient.cs` -- rationale API client
+- **Commands**:
+  - `stella explain block <digest>` -- explain why an artifact is blocked. Options: `--format text|json`, `--verbose`
+- **Output includes**: blocking policy rule, triggering findings, evidence links, remediation suggestions
+
+## E2E Test Plan
+- [ ] Run `stella explain block sha256:abc123` and verify block explanation with policy rule identification
+- [ ] Verify evidence links are included in the explanation
+- [ ] Verify `--format json` produces structured explanation with policy, findings, evidence
+- [ ] Verify `--verbose` shows additional rule evaluation details
+- [ ] Verify deterministic output (same digest produces identical explanation)
+- [ ] Verify error handling for non-blocked artifacts (shows "not blocked" message)

docs/features/unchecked/cli/feed-snapshotting-for-deterministic-replay.md

@@ -0,0 +1,28 @@
+# Feed Snapshotting for Deterministic Replay
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+Feed snapshot repository with persistence, a fixture harvester command for feed snapshots, and CLI feed commands for managing snapshots.
+
+## Implementation Details
+- **Command Handlers**: `src/Cli/StellaOps.Cli/Commands/CommandHandlers.Feeds.cs` -- feed snapshot handlers
+- **Feed Commands**: `src/Cli/StellaOps.Cli/Commands/FeedsCommandGroup.cs` -- feed management including snapshots
+- **Config consolidation**: Feed commands consolidated under `stella config feeds`
+- **Commands**:
+  - `stella config feeds snapshot create` -- create a feed snapshot for deterministic replay
+  - `stella config feeds snapshot list` -- list available feed snapshots
+  - `stella config feeds snapshot show <id>` -- show snapshot details
+  - `stella config feeds snapshot export <id> --output <path>` -- export snapshot for offline use
+
+## E2E Test Plan
+- [ ] Run `stella config feeds snapshot create` and verify snapshot created with timestamp
+- [ ] Run `stella config feeds snapshot list` and verify snapshots listed
+- [ ] Run `stella config feeds snapshot show <id>` and verify details including feed sources and hashes
+- [ ] Run `stella config feeds snapshot export <id>` and verify offline-usable bundle created
+- [ ] Verify snapshots enable deterministic replay of evaluations
+- [ ] Verify `--format json` output

docs/features/unchecked/cli/function-map-cli.md

@@ -0,0 +1,28 @@
+# Function Map CLI
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+Runtime linkage verification workflow: generate function_map predicates from SBOMs defining expected runtime call paths and hot functions, then verify actual runtime observations against the map with DSSE signing and Rekor attestation.
+
+## Implementation Details
+- **Command Group**: `src/Cli/StellaOps.Cli/Commands/FunctionMap/FunctionMapCommandGroup.cs` -- `FunctionMapCommandGroup`
+- **Commands**:
+  - `stella function-map generate <sbom>` -- generate function_map predicate from SBOM
+  - `stella function-map verify <map> --observations <file>` -- verify runtime observations against function map
+  - `stella function-map sign <map>` -- DSSE-sign the function map
+  - `stella function-map attest <map>` -- submit function map to Rekor
+- **Proof Commands**: `src/Cli/StellaOps.Cli/Commands/Proof/FuncProofCommandGroup.cs` -- function proof generation
+- **Proof Handlers**: `src/Cli/StellaOps.Cli/Commands/Proof/FuncProofCommandHandlers.cs` -- function proof handlers
+
+## E2E Test Plan
+- [ ] Run `stella function-map generate ./sbom.json` and verify function_map predicate generated
+- [ ] Run `stella function-map verify ./map.json --observations ./runtime.json` and verify verification results
+- [ ] Verify mismatch detection when runtime observations differ from expected map
+- [ ] Run `stella function-map sign ./map.json` and verify DSSE signing
+- [ ] Run `stella function-map attest ./map.json` and verify Rekor submission
+- [ ] Verify `--format json` output

docs/features/unchecked/cli/gitops-controller.md

@@ -0,0 +1,25 @@
+# GitOps Controller
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+GitOps controller for Git event handling that triggers automated releases from Git events, enabling Git-native release workflows.
+
+## Implementation Details
+- **GitOps Module**: `src/Cli/StellaOps.Cli/GitOps/` -- GitOps controller implementation
+- **GitHub Commands**: `src/Cli/StellaOps.Cli/Commands/GitHubCommandGroup.cs` -- GitHub integration commands
+- **Commands**:
+  - `stella github webhook` -- handle GitHub webhook events
+  - `stella github open-pr` -- create a pull request
+  - `stella release trigger --source git` -- trigger release from Git event
+
+## E2E Test Plan
+- [ ] Verify GitOps controller handles push events and triggers releases
+- [ ] Verify tag creation events trigger appropriate release workflows
+- [ ] Run `stella github open-pr` and verify PR creation
+- [ ] Verify webhook processing for supported event types
+- [ ] Verify error handling for unsupported Git events

docs/features/unchecked/cli/hlc-status-and-timeline-query-cli-commands.md

@@ -0,0 +1,30 @@
+# HLC Status and Timeline Query CLI Commands
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+CLI commands `stella hlc status` for Hybrid Logical Clock status inspection and `stella timeline query` for querying the immutable event timeline with temporal filtering and deterministic output ordering.
+
+## Implementation Details
+- **HLC Command Group**: `src/Cli/StellaOps.Cli/Commands/HlcCommandGroup.cs` -- HLC status commands
+- **Timeline Commands**: `src/Cli/StellaOps.Cli/Commands/TimelineCommandGroup.cs` -- timeline query commands
+- **Timestamp Commands**: `src/Cli/StellaOps.Cli/Commands/TimestampCommandGroup.cs` -- timestamp operations
+- **Tests**: `src/Cli/__Tests/StellaOps.Cli.Tests/Commands/TimestampCommandTests.cs`
+- **Commands**:
+  - `stella hlc status` -- show Hybrid Logical Clock status (node ID, current time, drift)
+  - `stella hlc now` -- get current HLC timestamp
+  - `stella timeline query` -- query event timeline. Options: `--from <time>`, `--to <time>`, `--type <event-type>`, `--limit`, `--format table|json`
+- **Deterministic ordering**: Timeline output uses HLC ordering for consistency
+
+## E2E Test Plan
+- [ ] Run `stella hlc status` and verify HLC status including node ID and clock drift
+- [ ] Run `stella hlc now` and verify current HLC timestamp
+- [ ] Run `stella timeline query` and verify event timeline displayed
+- [ ] Run `stella timeline query --from 2024-01-01 --to 2024-12-31` and verify temporal filtering
+- [ ] Run `stella timeline query --type verdict` and verify event type filtering
+- [ ] Verify deterministic output ordering (HLC-based)
+- [ ] Verify `--format json` output

docs/features/unchecked/cli/image-inspect-cli-command.md

@@ -0,0 +1,30 @@
+# Image Inspect CLI Command
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+CLI command `stella image inspect` for querying OCI image metadata including manifest type, architecture platforms, layer digests, annotations, and SBOM/attestation referrers in table or JSON output.
+
+## Implementation Details
+- **Command Group**: `src/Cli/StellaOps.Cli/Commands/ImageCommandGroup.cs` -- `ImageCommandGroup` for `stella image` commands
+- **Command Handlers**: `src/Cli/StellaOps.Cli/Commands/CommandHandlers.Image.cs` -- image command handlers
+- **OCI Registry Client**: `src/Cli/StellaOps.Cli/Services/OciRegistryClient.cs` / `IOciRegistryClient.cs` -- OCI registry operations
+- **OCI Reference Parser**: `src/Cli/StellaOps.Cli/Services/OciImageReferenceParser.cs` -- parses image references
+- **Tests**: `src/Cli/__Tests/StellaOps.Cli.Tests/GoldenOutput/ImageInspectGoldenOutputTests.cs`
+- **Commands**:
+  - `stella image inspect <image>` -- inspect OCI image metadata. Options: `--format table|json`, `--verbose`
+  - Shows: manifest type, architecture platforms, layer digests, annotations, referrers (SBOMs, attestations)
+
+## E2E Test Plan
+- [ ] Run `stella image inspect myregistry/app:v1.0` and verify metadata displayed
+- [ ] Verify manifest type shown (OCI, Docker)
+- [ ] Verify architecture platforms listed (linux/amd64, linux/arm64, etc.)
+- [ ] Verify layer digests displayed with sizes
+- [ ] Verify annotations shown
+- [ ] Verify SBOM/attestation referrers listed
+- [ ] Run with `--format json` and verify structured JSON output
+- [ ] Verify golden output tests pass

docs/features/unchecked/cli/incident-response-cli.md

@@ -0,0 +1,28 @@
+# Incident Response CLI
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+CLI commands for incident response lifecycle management. Users can start incident mode with severity/scope/description (auto-creates evidence holds and sends notifications), view incident status with timeline, end incidents with resolution notes and optional evidence hold release/report generation, and list all incidents filtered by status.
+
+## Implementation Details
+- **Command Group**: `src/Cli/StellaOps.Cli/Commands/IncidentCommandGroup.cs` -- `IncidentCommandGroup` for `stella incident` commands
+- **IR Commands**: `src/Cli/StellaOps.Cli/Commands/Ir/IrCommandGroup.cs` -- incident response operations
+- **Commands**:
+  - `stella incident start --severity <level> --scope <scope> --description <text>` -- start incident mode (auto-creates evidence holds, sends notifications)
+  - `stella incident status <incident-id>` -- view incident status with timeline
+  - `stella incident end <incident-id> --resolution <text>` -- end incident. Options: `--release-holds`, `--generate-report`
+  - `stella incident list` -- list incidents. Options: `--status open|closed|all`
+
+## E2E Test Plan
+- [ ] Run `stella incident start --severity critical --scope "production" --description "CVE-2024-1234 exploited"` and verify incident created
+- [ ] Verify evidence holds auto-created on incident start
+- [ ] Verify notifications sent on incident start
+- [ ] Run `stella incident status <id>` and verify timeline displayed
+- [ ] Run `stella incident end <id> --resolution "Patched" --release-holds --generate-report` and verify incident closed
+- [ ] Run `stella incident list --status open` and verify open incidents listed
+- [ ] Verify `--format json` output

docs/features/unchecked/cli/key-rotation-cli.md

@@ -0,0 +1,33 @@
+# Key Rotation CLI
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+Comprehensive key rotation lifecycle: list keys (with include-revoked filtering), add, revoke, rotate, check status, view history, and verify validity.
+
+## Implementation Details
+- **Command Group**: `src/Cli/StellaOps.Cli/Commands/KeysCommandGroup.cs` -- `KeysCommandGroup` for `stella keys` commands
+- **Key Rotation**: `src/Cli/StellaOps.Cli/Commands/Proof/KeyRotationCommandGroup.cs` -- key rotation operations
+- **Issuer Keys**: `src/Cli/StellaOps.Cli/Commands/IssuerKeysCommandGroup.cs` -- issuer key management
+- **Commands**:
+  - `stella keys list` -- list signing keys. Options: `--include-revoked`
+  - `stella keys add --algorithm <alg> --label <label>` -- add a new signing key
+  - `stella keys revoke <key-id>` -- revoke a signing key
+  - `stella keys rotate` -- rotate to a new active key
+  - `stella keys status` -- check key status and validity
+  - `stella keys history` -- view key rotation history
+  - `stella keys verify <key-id>` -- verify key validity
+
+## E2E Test Plan
+- [ ] Run `stella keys list` and verify active keys displayed
+- [ ] Run `stella keys list --include-revoked` and verify revoked keys also shown
+- [ ] Run `stella keys add --algorithm ecdsa-sha256 --label "production-2024"` and verify key added
+- [ ] Run `stella keys revoke <id>` and verify key revoked
+- [ ] Run `stella keys rotate` and verify new active key generated
+- [ ] Run `stella keys status` and verify key validity status
+- [ ] Run `stella keys history` and verify rotation history timeline
+- [ ] Run `stella keys verify <id>` and verify key validity check

docs/features/unchecked/cli/kms-key-export-import-cli.md

@@ -0,0 +1,27 @@
+# KMS Key Export/Import CLI
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+File-backed signing key management via export/import with passphrase protection, version selection, and force-overwrite options for portable key bundles.
+
+## Implementation Details
+- **Command Group**: `src/Cli/StellaOps.Cli/Commands/CryptoCommandGroup.cs` -- `CryptoCommandGroup` for crypto operations
+- **Command Handlers**: `src/Cli/StellaOps.Cli/Commands/CommandHandlers.Crypto.cs` -- crypto handlers
+- **Crypto Profile Validator**: `src/Cli/StellaOps.Cli/Services/CryptoProfileValidator.cs` -- crypto profile validation
+- **Tests**: `src/Cli/__Tests/StellaOps.Cli.Tests/CryptoCommandTests.cs`
+- **Commands**:
+  - `stella crypto export --key <key-id> --output <path> --passphrase <pass>` -- export signing key with passphrase protection. Options: `--version <ver>`, `--force`
+  - `stella crypto import --file <path> --passphrase <pass>` -- import signing key from file
+
+## E2E Test Plan
+- [ ] Run `stella crypto export --key <id> --output ./key.enc --passphrase "secret"` and verify encrypted key exported
+- [ ] Run `stella crypto import --file ./key.enc --passphrase "secret"` and verify key imported
+- [ ] Verify wrong passphrase fails import with clear error
+- [ ] Run with `--version 2` and verify specific version exported
+- [ ] Run with `--force` and verify overwrite of existing file
+- [ ] Verify imported key can be used for signing operations

docs/features/unchecked/cli/local-validator-for-offline-config-checking.md

@@ -0,0 +1,25 @@
+# Local Validator for Offline Config Checking
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+Offline local validator that checks stella.yaml configuration files without requiring server connectivity, enabling developers to validate configs before committing.
+
+## Implementation Details
+- **Validation Module**: `src/Cli/StellaOps.Cli/Validation/` -- offline validation infrastructure
+- **Command Group**: `src/Cli/StellaOps.Cli/Commands/ConfigCommandGroup.cs` -- config validation under config commands
+- **Commands**:
+  - `stella config validate` / `stella config validate-yaml <path>` -- validate stella.yaml configuration offline
+- **Validation checks**: schema compliance, required fields, value ranges, cross-field consistency
+
+## E2E Test Plan
+- [ ] Run `stella config validate ./stella.yaml` and verify validation passes for valid config
+- [ ] Run with invalid config and verify validation errors reported with line numbers
+- [ ] Verify validation works without network connectivity (offline)
+- [ ] Verify schema compliance checks for all required fields
+- [ ] Verify value range validation (e.g., port numbers, timeout values)
+- [ ] Verify cross-field consistency checks

docs/features/unchecked/cli/notification-channel-management-cli-commands.md

@@ -0,0 +1,31 @@
+# Notification Channel Management CLI Commands
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+CLI commands for notification channel management including `stella notify channels list/test`, `stella notify templates list/render`, and `stella notify preferences export/import` for managing notification channels, testing connectivity, previewing templates, and bulk-configuring user notification preferences.
+
+## Implementation Details
+- **Command Group**: `src/Cli/StellaOps.Cli/Commands/NotifyCommandGroup.cs` -- `NotifyCommandGroup`
+- **Notify Client**: `src/Cli/StellaOps.Cli/Services/NotifyClient.cs` / `INotifyClient.cs` -- notification API client
+- **Route consolidation**: Commands consolidated under `stella config notify` via cli-routes.json
+- **Commands**:
+  - `stella config notify channels list` -- list configured notification channels
+  - `stella config notify channels test <channel>` -- test channel connectivity
+  - `stella config notify templates list` -- list notification templates
+  - `stella config notify templates render <template> --event <type>` -- preview rendered template
+  - `stella config notify preferences export --output <path>` -- export user notification preferences
+  - `stella config notify preferences import --file <path>` -- import notification preferences
+
+## E2E Test Plan
+- [ ] Run `stella config notify channels list` and verify channels displayed (slack, email, webhook, etc.)
+- [ ] Run `stella config notify channels test slack` and verify connectivity test result
+- [ ] Run `stella config notify templates list` and verify templates listed
+- [ ] Run `stella config notify templates render gate-failure --event "gate.failed"` and verify rendered output
+- [ ] Run `stella config notify preferences export --output ./prefs.json` and verify export
+- [ ] Run `stella config notify preferences import --file ./prefs.json` and verify import
+- [ ] Verify deprecated `stella notify channels list` shows deprecation warning

docs/features/unchecked/cli/oci-referrer-based-artifact-association.md

@@ -0,0 +1,25 @@
+# OCI Referrer-Based Artifact Association
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+OCI referrer-based attachment of SBOMs, attestations, and verdicts to image digests using the OCI referrers API, with discovery, publishing, and fallback mechanisms.
+
+## Implementation Details
+- **OCI Registry Client**: `src/Cli/StellaOps.Cli/Services/OciRegistryClient.cs` / `IOciRegistryClient.cs` -- OCI registry operations including referrers API
+- **OCI Attestation Registry**: `src/Cli/StellaOps.Cli/Services/OciAttestationRegistryClient.cs` -- attestation-specific OCI operations
+- **Commands**:
+  - `stella oci-list <digest>` -- list OCI referrers for an image digest
+  - `stella oci-verify <digest>` -- verify OCI-attached attestations
+- **Architecture**: Uses OCI referrers API (fallback to tag-based discovery for older registries)
+
+## E2E Test Plan
+- [ ] Run `stella oci-list sha256:abc123` and verify referrers listed (SBOMs, attestations, verdicts)
+- [ ] Run `stella oci-verify sha256:abc123` and verify attached attestation verification
+- [ ] Verify fallback to tag-based discovery when referrers API unavailable
+- [ ] Verify SBOM attachment discovery and content retrieval
+- [ ] Verify `--format json` output

docs/features/unchecked/cli/offline-sbom-verification-cli.md

@@ -0,0 +1,26 @@
+# Offline SBOM Verification CLI
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+CLI command `stella sbom verify` for offline SBOM verification including signature validation, canonical hash recomputation, and format compliance checks for CycloneDX/SPDX documents without network connectivity.
+
+## Implementation Details
+- **Command Group**: `src/Cli/StellaOps.Cli/Commands/SbomCommandGroup.cs` -- `SbomCommandGroup` for `stella sbom` commands
+- **SBOM Client**: `src/Cli/StellaOps.Cli/Services/SbomClient.cs` / `ISbomClient.cs` -- SBOM operations
+- **SBOMer Client**: `src/Cli/StellaOps.Cli/Services/SbomerClient.cs` / `ISbomerClient.cs` -- SBOM generation client
+- **Tests**: `src/Cli/__Tests/StellaOps.Cli.Tests/SbomCommandTests.cs`, `src/Cli/__Tests/StellaOps.Cli.Tests/Integration/SbomCanonicalVerifyIntegrationTests.cs`, `SbomVerifyIntegrationTests.cs`
+- **Commands**:
+  - `stella sbom verify <file>` -- verify SBOM offline. Options: `--format cdx|spdx`, `--check-signature`, `--recompute-hash`
+
+## E2E Test Plan
+- [ ] Run `stella sbom verify ./sbom.cdx.json` and verify CycloneDX compliance check
+- [ ] Run `stella sbom verify ./sbom.spdx.json` and verify SPDX compliance check
+- [ ] Run with `--check-signature` and verify SBOM signature validation
+- [ ] Run with `--recompute-hash` and verify canonical hash matches
+- [ ] Verify offline operation (no network required)
+- [ ] Verify invalid SBOM produces clear error with specific violations

docs/features/unchecked/cli/offline-verdict-verification-cli-plugin.md

@@ -0,0 +1,29 @@
+# Offline Verdict Verification CLI Plugin
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+Offline and online verdict verification via CLI plugin: verify verdict signatures, replay bundles for deterministic verification, and validate input hashes using knowledge snapshots without server connectivity.
+
+## Implementation Details
+- **Command Group**: `src/Cli/StellaOps.Cli/Commands/VerdictCommandGroup.cs` -- `VerdictCommandGroup` for verdict commands
+- **Command Handlers**: `src/Cli/StellaOps.Cli/Commands/CommandHandlers.VerdictVerify.cs` -- verdict verification handlers
+- **Verdict Verifier**: `src/Cli/StellaOps.Cli/Services/VerdictAttestationVerifier.cs` -- verdict attestation verification
+- **Offline Kit**: `src/Cli/StellaOps.Cli/Services/OfflineKitStateStore.cs` -- offline kit state management
+- **Offline Mode Guard**: `src/Cli/StellaOps.Cli/Services/OfflineModeGuard.cs` -- offline mode enforcement
+- **Commands**:
+  - `stella verdict verify <digest>` -- verify verdict signature and integrity
+  - `stella verdict replay <digest>` -- replay verdict for deterministic verification
+  - `stella verdict verify-offline <bundle>` -- offline verification using knowledge snapshot
+
+## E2E Test Plan
+- [ ] Run `stella verdict verify sha256:abc123` and verify signature validation
+- [ ] Run `stella verdict replay sha256:abc123` and verify deterministic replay
+- [ ] Run `stella verdict verify-offline ./bundle/` and verify offline verification
+- [ ] Verify offline mode works without network connectivity
+- [ ] Verify input hash validation against knowledge snapshot
+- [ ] Verify exit code 0 for valid, non-zero for invalid

docs/features/unchecked/cli/policy-dsl-compiler-cli.md

@@ -0,0 +1,32 @@
+# Policy DSL Compiler CLI
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+Compile policy DSL files to intermediate representation (IR) with optimization passes, strict mode (warnings as errors), SHA-256 digest output, and validation-only mode.
+
+## Implementation Details
+- **Command Group**: `src/Cli/StellaOps.Cli/Commands/PolicyCommandGroup.cs` -- policy commands including compile
+- **Policy DSL**: `src/Policy/StellaOps.PolicyDsl/` -- DSL compiler infrastructure
+  - `PolicyCompiler.cs` -- main compiler
+  - `PolicyParser.cs` -- DSL parser
+  - `PolicyTokenizer.cs` / `DslTokenizer.cs` -- tokenization
+  - `PolicyIr.cs` -- intermediate representation
+  - `PolicyIrSerializer.cs` -- IR serialization
+  - `PolicySyntaxNodes.cs` -- syntax tree nodes
+  - `PolicyEngineFactory.cs` -- engine instantiation from compiled policy
+- **Commands**:
+  - `stella policy compile <file>` -- compile DSL to IR. Options: `--strict` (warnings as errors), `--digest` (output SHA-256), `--validate-only`, `--output <path>`
+
+## E2E Test Plan
+- [ ] Run `stella policy compile ./policy.stella` and verify IR output generated
+- [ ] Run with `--strict` and verify warnings treated as errors
+- [ ] Run with `--digest` and verify SHA-256 digest output
+- [ ] Run with `--validate-only` and verify syntax validation without compilation
+- [ ] Run with `--output ./compiled.ir` and verify IR written to file
+- [ ] Verify error messages include line numbers and descriptive messages
+- [ ] Verify invalid DSL syntax produces clear compilation errors

docs/features/unchecked/cli/policy-dsl-testing-cli.md

@@ -0,0 +1,24 @@
+# Policy DSL Testing CLI
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+Run coverage test fixtures against policy DSL files with fixture directory selection, pattern filtering, fail-fast mode, and multi-format output.
+
+## Implementation Details
+- **Command Group**: `src/Cli/StellaOps.Cli/Commands/PolicyCommandGroup.cs` -- policy test commands
+- **Policy DSL**: `src/Policy/StellaOps.PolicyDsl/` -- DSL test infrastructure
+- **Commands**:
+  - `stella policy test <file>` -- run tests against policy DSL. Options: `--fixtures <dir>`, `--pattern <glob>`, `--fail-fast`, `--format table|json|junit`
+
+## E2E Test Plan
+- [ ] Run `stella policy test ./policy.stella --fixtures ./fixtures/` and verify test execution
+- [ ] Run with `--pattern "*critical*"` and verify pattern filtering
+- [ ] Run with `--fail-fast` and verify early exit on first failure
+- [ ] Run with `--format junit` and verify JUnit XML output
+- [ ] Verify coverage report generated
+- [ ] Verify clear pass/fail indicators per test case

docs/features/unchecked/cli/policy-history-cli.md

@@ -0,0 +1,23 @@
+# Policy History CLI
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+View policy run history with filtering by tenant, time range (from/to ISO-8601), status (completed/failed/running), pagination, and table/JSON output.
+
+## Implementation Details
+- **Command Group**: `src/Cli/StellaOps.Cli/Commands/PolicyCommandGroup.cs` -- policy history commands
+- **Commands**:
+  - `stella policy history` -- view policy run history. Options: `--tenant <id>`, `--from <ISO-8601>`, `--to <ISO-8601>`, `--status completed|failed|running`, `--limit`, `--offset`, `--format table|json`
+
+## E2E Test Plan
+- [ ] Run `stella policy history` and verify policy run history displayed
+- [ ] Run with `--tenant <id>` and verify tenant filtering
+- [ ] Run with `--from 2024-01-01 --to 2024-12-31` and verify time range filtering
+- [ ] Run with `--status failed` and verify status filtering
+- [ ] Verify pagination with `--limit` and `--offset`
+- [ ] Verify `--format json` output

docs/features/unchecked/cli/policy-publish-and-sign-cli.md

@@ -0,0 +1,25 @@
+# Policy Publish and Sign CLI
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+Publish approved policy revisions with optional cryptographic signing using configurable algorithm (ecdsa-sha256, ed25519) and key ID selection.
+
+## Implementation Details
+- **Command Group**: `src/Cli/StellaOps.Cli/Commands/PolicyCommandGroup.cs` -- policy publish commands
+- **Sign Commands**: `src/Cli/StellaOps.Cli/Commands/SignCommandGroup.cs` -- signing operations
+- **Command Handlers**: `src/Cli/StellaOps.Cli/Commands/CommandHandlers.Sign.cs` -- signing handlers
+- **Commands**:
+  - `stella policy publish <file>` -- publish approved policy revision. Options: `--sign`, `--algorithm ecdsa-sha256|ed25519`, `--key-id <id>`
+
+## E2E Test Plan
+- [ ] Run `stella policy publish ./policy.stella` and verify policy published
+- [ ] Run with `--sign --algorithm ecdsa-sha256` and verify DSSE-signed publication
+- [ ] Run with `--sign --algorithm ed25519 --key-id <id>` and verify Ed25519 signing
+- [ ] Verify published policy is retrievable via `stella policy show`
+- [ ] Verify signing key selection with `--key-id`
+- [ ] Verify error when trying to publish unapproved policy

docs/features/unchecked/cli/policy-review-workflow-cli.md

@@ -0,0 +1,27 @@
+# Policy Review Workflow CLI
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+Full policy review workflow from CLI: submit policies for review with reviewer assignment and urgency marking, check review status, add blocking/non-blocking comments with line/rule references, approve reviews, and reject reviews with reasons.
+
+## Implementation Details
+- **Command Group**: `src/Cli/StellaOps.Cli/Commands/PolicyCommandGroup.cs` -- policy review commands
+- **Commands**:
+  - `stella policy review submit <file> --reviewer <user>` -- submit for review. Options: `--urgent`
+  - `stella policy review status <id>` -- check review status
+  - `stella policy review comment <id> --message <text>` -- add comment. Options: `--blocking`, `--line <num>`, `--rule <name>`
+  - `stella policy review approve <id>` -- approve review
+  - `stella policy review reject <id> --reason <text>` -- reject with reason
+
+## E2E Test Plan
+- [ ] Run `stella policy review submit ./policy.stella --reviewer admin` and verify submission
+- [ ] Run with `--urgent` and verify urgency flag
+- [ ] Run `stella policy review status <id>` and verify status displayed
+- [ ] Run `stella policy review comment <id> --message "Missing gate" --blocking` and verify blocking comment
+- [ ] Run `stella policy review approve <id>` and verify approval
+- [ ] Run `stella policy review reject <id> --reason "Incomplete coverage"` and verify rejection

docs/features/unchecked/cli/policy-rollback-cli.md

@@ -0,0 +1,22 @@
+# Policy Rollback CLI
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+Rollback a policy to a previous version with environment scoping, incident association, and reason documentation for audit trail.
+
+## Implementation Details
+- **Command Group**: `src/Cli/StellaOps.Cli/Commands/PolicyCommandGroup.cs` -- policy rollback commands
+- **Commands**:
+  - `stella policy rollback <id> --to <version>` -- rollback policy. Options: `--env <environment>`, `--incident <id>`, `--reason <text>`
+
+## E2E Test Plan
+- [ ] Run `stella policy rollback <id> --to v1.2.0` and verify rollback
+- [ ] Run with `--env production` and verify environment scoping
+- [ ] Run with `--incident INC-001 --reason "Regression detected"` and verify audit trail
+- [ ] Verify rolled-back version is active after rollback
+- [ ] Verify rollback event recorded in policy history

docs/features/unchecked/cli/policy-scaffolding-cli.md

@@ -0,0 +1,24 @@
+# Policy Scaffolding CLI
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+Create new policy files from templates (minimal, baseline, vex-precedence, reachability, secret-leak, full) with metadata tagging, shadow mode configuration, and optional Git repository/fixtures initialization.
+
+## Implementation Details
+- **Command Group**: `src/Cli/StellaOps.Cli/Commands/PolicyCommandGroup.cs` -- policy scaffolding commands
+- **Commands**:
+  - `stella policy new <name>` -- create new policy from template. Options: `--template minimal|baseline|vex-precedence|reachability|secret-leak|full`, `--shadow`, `--tags <tags>`, `--init-git`, `--init-fixtures`
+
+## E2E Test Plan
+- [ ] Run `stella policy new my-policy --template minimal` and verify minimal policy created
+- [ ] Run with `--template full` and verify comprehensive policy with all gates
+- [ ] Run with `--template reachability` and verify reachability-focused policy
+- [ ] Run with `--shadow` and verify shadow mode configured
+- [ ] Run with `--tags "team:security,env:production"` and verify metadata tags
+- [ ] Run with `--init-git` and verify Git repository initialized
+- [ ] Run with `--init-fixtures` and verify test fixtures directory created

docs/features/unchecked/cli/policy-simulation-batch-mode-with-sbom-selectors.md

@@ -0,0 +1,23 @@
+# Policy Simulation Batch Mode with SBOM Selectors
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+Batch mode policy simulation with SBOM selector patterns (e.g., registry:docker.io/*, tag:production), severity heatmap summaries, and manifest download for offline analysis.
+
+## Implementation Details
+- **Command Group**: `src/Cli/StellaOps.Cli/Commands/PolicyCommandGroup.cs` -- policy simulation commands
+- **Commands**:
+  - `stella policy simulate <file> --batch --selector <pattern>` -- batch simulation. Options: `--severity-heatmap`, `--download-manifests`, `--output <path>`, `--format table|json`
+- **Selector patterns**: `registry:docker.io/*`, `tag:production`, `label:team=security`
+
+## E2E Test Plan
+- [ ] Run `stella policy simulate ./policy.stella --batch --selector "registry:docker.io/*"` and verify batch results
+- [ ] Run with `--severity-heatmap` and verify severity distribution summary
+- [ ] Run with `--download-manifests` and verify manifests downloaded for offline analysis
+- [ ] Verify selector pattern matching (registry, tag, label patterns)
+- [ ] Verify `--format json` output with per-artifact results

docs/features/unchecked/cli/policy-simulation-reachability-overrides.md

@@ -0,0 +1,24 @@
+# Policy Simulation Reachability Overrides
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+What-if reachability overrides in policy simulation: override reachability states (reachable/unreachable) and scores for specific vulnerabilities or packages to model hypothetical scenarios.
+
+## Implementation Details
+- **Command Group**: `src/Cli/StellaOps.Cli/Commands/PolicyCommandGroup.cs` -- policy simulation commands
+- **Commands**:
+  - `stella policy simulate <file> --override-reachability <cve>=reachable|unreachable` -- override reachability state
+  - `stella policy simulate <file> --override-score <cve>=<score>` -- override reachability score
+- **What-if engine**: Applies overrides before evaluation to model hypothetical scenarios
+
+## E2E Test Plan
+- [ ] Run `stella policy simulate ./policy.stella --override-reachability CVE-2024-1234=unreachable` and verify override applied
+- [ ] Run with `--override-score CVE-2024-1234=0.1` and verify score override
+- [ ] Verify simulation results differ from baseline when overrides change gate outcomes
+- [ ] Verify multiple overrides can be specified simultaneously
+- [ ] Verify `--format json` output includes override annotations

docs/features/unchecked/cli/policy-version-bump-cli.md

@@ -0,0 +1,22 @@
+# Policy Version Bump CLI
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+Bump policy versions using semantic versioning (patch/minor/major) with changelog messages and DSL file upload.
+
+## Implementation Details
+- **Command Group**: `src/Cli/StellaOps.Cli/Commands/PolicyCommandGroup.cs` -- policy version commands
+- **Commands**:
+  - `stella policy bump <file> --level patch|minor|major` -- bump policy version. Options: `--message <changelog>`
+
+## E2E Test Plan
+- [ ] Run `stella policy bump ./policy.stella --level patch --message "Fix gate threshold"` and verify patch version bump
+- [ ] Run with `--level minor` and verify minor version bump
+- [ ] Run with `--level major` and verify major version bump
+- [ ] Verify changelog message recorded
+- [ ] Verify DSL file updated with new version

docs/features/unchecked/cli/policy-workspace-initialization-cli.md

@@ -0,0 +1,24 @@
+# Policy Workspace Initialization CLI
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+Initialize a policy workspace directory with template support (minimal, baseline, vex-precedence, reachability, secret-leak, full). Creates policy files, optional Git repository, README, and test fixtures directory.
+
+## Implementation Details
+- **Command Group**: `src/Cli/StellaOps.Cli/Commands/PolicyCommandGroup.cs` -- policy workspace commands
+- **Commands**:
+  - `stella policy init <dir>` -- initialize policy workspace. Options: `--template minimal|baseline|vex-precedence|reachability|secret-leak|full`, `--git`, `--fixtures`
+- **Creates**: policy file, README.md, optional .git, optional fixtures/ directory
+
+## E2E Test Plan
+- [ ] Run `stella policy init ./my-policies --template baseline` and verify workspace created
+- [ ] Verify policy file created with baseline template content
+- [ ] Run with `--git` and verify Git repository initialized
+- [ ] Run with `--fixtures` and verify fixtures directory with sample test data
+- [ ] Verify README.md created with workspace documentation
+- [ ] Verify all template types generate valid policy files

docs/features/unchecked/cli/proof-of-exposure-export-verify-cli.md

@@ -0,0 +1,27 @@
+# Proof of Exposure Export/Verify CLI
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+CLI commands for exporting and verifying Proof of Exposure artifacts for offline verification. Exports include Rekor inclusion proofs, richgraph subgraphs, and SBOM artifacts in tar.gz format. Verification validates bundle integrity independently.
+
+## Implementation Details
+- **PoE Export**: `src/Cli/StellaOps.Cli/Commands/PoE/ExportCommand.cs` -- PoE export command
+- **PoE Verify**: `src/Cli/StellaOps.Cli/Commands/PoE/VerifyCommand.cs` -- PoE verification command
+- **Proof Commands**: `src/Cli/StellaOps.Cli/Commands/Proof/ProofCommandGroup.cs` -- proof operations
+- **Commands**:
+  - `stella poe export <digest> --output <path>` -- export PoE bundle (tar.gz with Rekor proofs, richgraph, SBOM)
+  - `stella poe verify <bundle>` -- verify PoE bundle integrity offline
+
+## E2E Test Plan
+- [ ] Run `stella poe export sha256:abc123 --output ./poe.tar.gz` and verify bundle created
+- [ ] Verify bundle contains Rekor inclusion proofs
+- [ ] Verify bundle contains richgraph subgraph
+- [ ] Verify bundle contains SBOM artifacts
+- [ ] Run `stella poe verify ./poe.tar.gz` and verify bundle integrity
+- [ ] Verify offline verification without network
+- [ ] Verify tampered bundle fails verification

docs/features/unchecked/cli/python-workspace-analyzer-cli.md

@@ -0,0 +1,24 @@
+# Python Workspace Analyzer CLI
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+Language-specific CLI for inspecting Python workspaces and virtual environments with site-packages scanning, framework detection, and capability signal analysis.
+
+## Implementation Details
+- **Command Handlers**: `src/Cli/StellaOps.Cli/Commands/CommandHandlers.cs` -- Python workspace handlers
+- **Commands**:
+  - `stella scan python <path>` -- analyze Python workspace. Options: `--venv <path>`, `--format table|json`
+- **Analysis**: site-packages scanning, framework detection (Django, Flask, FastAPI), capability signal analysis
+
+## E2E Test Plan
+- [ ] Run `stella scan python ./project` and verify workspace analysis
+- [ ] Verify site-packages scanning detects installed packages
+- [ ] Verify framework detection identifies Django/Flask/FastAPI
+- [ ] Verify capability signal analysis
+- [ ] Run with `--venv ./venv` and verify virtual environment scanning
+- [ ] Verify `--format json` output

docs/features/unchecked/cli/reachability-aware-security-as-gate.md

@@ -0,0 +1,28 @@
+# Reachability-Aware Security as Gate
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+Reachability-aware vulnerability triage with score gating for release decisions is implemented across Scanner, ReachGraph, and CLI modules.
+
+## Implementation Details
+- **Gate Command**: `src/Cli/StellaOps.Cli/Commands/GateCommandGroup.cs` -- `GateCommandGroup` for `stella gate` commands
+- **VEX Gate Scan**: `src/Cli/StellaOps.Cli/Commands/VexGateScanCommandGroup.cs` -- VEX-gated scan operations
+- **Score Gate**: `src/Cli/StellaOps.Cli/Commands/ScoreGateCommandGroup.cs` -- score-based gating
+- **Tests**: `src/Cli/__Tests/StellaOps.Cli.Tests/Commands/ScoreGateCommandTests.cs`, `VexGateCommandTests.cs`
+- **Commands**:
+  - `stella gate evaluate <digest>` -- evaluate all gates for an artifact
+  - `stella gate scan <image>` -- scan with gate evaluation
+- **Exit codes**: 0=pass, 1=warn, 2=fail/block
+
+## E2E Test Plan
+- [ ] Run `stella gate evaluate sha256:abc123` and verify gate evaluation with reachability awareness
+- [ ] Verify unreachable CVEs do not trigger gate failures
+- [ ] Verify reachable CVEs with high scores trigger appropriate gate level
+- [ ] Run `stella gate scan myregistry/app:v1.0` and verify scan with gate evaluation
+- [ ] Verify exit codes: 0=pass, 1=warn, 2=block
+- [ ] Verify `--format json` output with gate details

docs/features/unchecked/cli/reachability-query-api-and-triage-flow.md

@@ -0,0 +1,25 @@
+# Reachability Query API and Triage Flow
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+CLI commands and policy engine services consume reachability facts to drive triage decisions (reachable/unreachable/unknown).
+
+## Implementation Details
+- **Command Group**: `src/Cli/StellaOps.Cli/Commands/ReachabilityCommandGroup.cs` -- reachability query commands
+- **ReachGraph Commands**: `src/Cli/StellaOps.Cli/Commands/ReachGraph/ReachGraphCommandGroup.cs` -- graph query operations
+- **Commands**:
+  - `stella reachability list --scan <id>` -- list reachability results
+  - `stella reachability explain <cve>` -- explain reachability determination
+  - `stella reachability query <cve> --digest <digest>` -- query reachability for specific CVE/artifact pair
+
+## E2E Test Plan
+- [ ] Run `stella reachability list --scan <id>` and verify reachability results (reachable/unreachable/unknown)
+- [ ] Run `stella reachability explain CVE-2024-1234` and verify explanation with call path evidence
+- [ ] Run `stella reachability query CVE-2024-1234 --digest sha256:abc123` and verify specific query
+- [ ] Verify triage decisions based on reachability status
+- [ ] Verify `--format json` output

docs/features/unchecked/cli/rekor-cli-commands.md

@@ -0,0 +1,24 @@
+# Rekor CLI Commands
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+CLI commands for attestation and checkpoint operations related to Rekor transparency log.
+
+## Implementation Details
+- **Command Group**: `src/Cli/StellaOps.Cli/Commands/RegistryCommandGroup.cs` -- registry commands including Rekor operations
+- **Proof Commands**: `src/Cli/StellaOps.Cli/Commands/Proof/ProofCommandGroup.cs` -- proof operations with Rekor integration
+- **Commands**:
+  - `stella proof submit <attestation>` -- submit attestation to Rekor
+  - `stella proof verify <entry-id>` -- verify Rekor inclusion proof
+  - `stella proof checkpoint` -- get latest Rekor checkpoint
+
+## E2E Test Plan
+- [ ] Run `stella proof submit ./attestation.json` and verify Rekor entry created
+- [ ] Run `stella proof verify <entry-id>` and verify inclusion proof
+- [ ] Run `stella proof checkpoint` and verify checkpoint retrieved
+- [ ] Verify Rekor integration in attestation workflow

docs/features/unchecked/cli/replay-button-determinism-as-ux.md

@@ -0,0 +1,27 @@
+# Replay Button / Determinism as UX
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+Replay executor with drift tracking, dedicated Replay web service, and determinism golden tests implement the "replay this verdict" capability.
+
+## Implementation Details
+- **Command Group**: `src/Cli/StellaOps.Cli/Commands/ReplayCommandGroup.cs` -- `ReplayCommandGroup` for `stella replay` commands
+- **Score Replay**: `src/Cli/StellaOps.Cli/Commands/ScoreReplayCommandGroup.cs` -- score replay operations
+- **Replay Infrastructure**: `src/Cli/StellaOps.Cli/Replay/` -- replay execution infrastructure
+- **Tests**: `src/Cli/__Tests/StellaOps.Cli.Tests/GoldenOutput/DeterminismReplayGoldenTests.cs`
+- **Commands**:
+  - `stella replay run <digest>` -- replay a verdict evaluation
+  - `stella replay verify <digest>` -- verify replay matches original verdict
+  - `stella replay drift <digest>` -- check for drift between original and replayed verdict
+
+## E2E Test Plan
+- [ ] Run `stella replay run sha256:abc123` and verify verdict replayed
+- [ ] Run `stella replay verify sha256:abc123` and verify replay matches original
+- [ ] Run `stella replay drift sha256:abc123` and verify drift detection
+- [ ] Verify deterministic output (byte-identical across replays)
+- [ ] Verify golden output tests pass

docs/features/unchecked/cli/replay-command-generator-service.md

@@ -0,0 +1,25 @@
+# Replay Command Generator Service
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+Backend service that generates copy-ready replay commands for deterministic verdict reproduction. Builds command strings with all necessary hashes (artifact, manifest, feeds, policy) and provides downloadable evidence bundles as ZIP for one-click replay from the UI.
+
+## Implementation Details
+- **Replay Infrastructure**: `src/Cli/StellaOps.Cli/Replay/` -- replay command generation
+- **Determinism Harness**: `src/Cli/StellaOps.Cli/Services/DeterminismHarness.cs` -- determinism enforcement
+- **Commands**:
+  - `stella replay generate <digest>` -- generate replay command with all input hashes
+  - `stella replay bundle <digest> --output <path>` -- download evidence bundle as ZIP
+- **Output**: Copy-ready command string with all hashes pinned for deterministic reproduction
+
+## E2E Test Plan
+- [ ] Run `stella replay generate sha256:abc123` and verify command string output
+- [ ] Verify generated command includes artifact hash, manifest hash, feeds hash, policy hash
+- [ ] Run the generated command and verify deterministic reproduction
+- [ ] Run `stella replay bundle sha256:abc123 --output ./replay.zip` and verify ZIP created
+- [ ] Verify ZIP bundle enables offline replay

docs/features/unchecked/cli/resource-oriented-cli-hierarchy.md

@@ -0,0 +1,24 @@
+# Resource-Oriented CLI Hierarchy
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+Reduction of 81+ top-level CLI commands to a resource-oriented hierarchy with ~18 top-level groups (scan, release, verify, attest, evidence, policy, vex, reachability, sbom, crypto, config, auth, admin, ci, setup, explain, tools). A FullConsolidationTests test suite validates the entire consolidation.
+
+## Implementation Details
+- **Command Factory**: `src/Cli/StellaOps.Cli/Commands/CommandFactory.cs` -- builds resource-oriented hierarchy
+- **Infrastructure**: `src/Cli/StellaOps.Cli/Infrastructure/` -- command router and resolution
+- **Route Mapping**: `src/Cli/StellaOps.Cli/cli-routes.json` -- 60+ route mappings for backward compatibility
+- **Tests**: `src/Cli/__Tests/StellaOps.Cli.Tests/Integration/FullConsolidationTests.cs` -- validates entire consolidation
+- **Top-level groups**: scan, release, verify, attest, evidence, policy, vex, reachability, sbom, crypto, config, auth, admin, ci, setup, explain, tools, doctor
+
+## E2E Test Plan
+- [ ] Run `stella --help` and verify ~18 top-level groups listed (not 81+)
+- [ ] Verify each top-level group contains appropriate subcommands
+- [ ] Run FullConsolidationTests and verify all consolidation mappings valid
+- [ ] Verify old command paths still work via backward-compatible aliases
+- [ ] Verify help text shows clear resource-oriented hierarchy

docs/features/unchecked/cli/runtime-observations-query-cli.md

@@ -0,0 +1,22 @@
+# Runtime Observations Query CLI
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+CLI commands for querying historical runtime observations filtered by symbol name (glob pattern), node hash, container, pod, or namespace with time window filtering. Complements function-map verification for runtime linkage analysis.
+
+## Implementation Details
+- **Command Group**: `src/Cli/StellaOps.Cli/Commands/Observations/ObservationsCommandGroup.cs` -- `ObservationsCommandGroup` for runtime observations
+- **Commands**:
+  - `stella obs query` -- query runtime observations. Options: `--symbol <glob>`, `--node <hash>`, `--container <name>`, `--pod <name>`, `--namespace <ns>`, `--from <time>`, `--to <time>`, `--format table|json`
+
+## E2E Test Plan
+- [ ] Run `stella obs query --symbol "org.example.*"` and verify glob pattern matching
+- [ ] Run with `--container my-app` and verify container filtering
+- [ ] Run with `--from 2024-01-01 --to 2024-12-31` and verify time window filtering
+- [ ] Verify pagination support
+- [ ] Verify `--format json` output

docs/features/unchecked/cli/sbom-analytics-cli-commands.md

@@ -0,0 +1,30 @@
+# SBOM Analytics CLI Commands
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+CLI command group for SBOM analytics queries (stella analytics suppliers, licenses, vulnerabilities, backlog, attestation-coverage, trends) with tabular and CSV output formats.
+
+## Implementation Details
+- **Command Group**: `src/Cli/StellaOps.Cli/Commands/AnalyticsCommandGroup.cs` -- `AnalyticsCommandGroup` (public static class)
+- **Commands**:
+  - `stella analytics suppliers` -- supplier distribution analysis
+  - `stella analytics licenses` -- license distribution analysis
+  - `stella analytics vulnerabilities` -- vulnerability statistics
+  - `stella analytics backlog` -- vulnerability backlog metrics
+  - `stella analytics attestation-coverage` -- attestation coverage report
+  - `stella analytics trends` -- trend analysis over time
+- **Output formats**: table, CSV, JSON
+
+## E2E Test Plan
+- [ ] Run `stella analytics suppliers` and verify supplier distribution
+- [ ] Run `stella analytics licenses` and verify license breakdown
+- [ ] Run `stella analytics vulnerabilities` and verify vulnerability statistics
+- [ ] Run `stella analytics backlog` and verify backlog metrics
+- [ ] Run `stella analytics attestation-coverage` and verify coverage percentages
+- [ ] Run `stella analytics trends --format csv` and verify CSV output
+- [ ] Verify `--format json` output

docs/features/unchecked/cli/sbom-deterministic-generation-cli.md

@@ -0,0 +1,26 @@
+# SBOM Deterministic Generation CLI
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+Deterministic SBOM generation from container images or directories in CycloneDX, SPDX, or both formats. Includes hash computation and verification for SBOM determinism validation.
+
+## Implementation Details
+- **Command Group**: `src/Cli/StellaOps.Cli/Commands/SbomCommandGroup.cs` -- SBOM generation commands
+- **SBOM Client**: `src/Cli/StellaOps.Cli/Services/SbomClient.cs` / `ISbomClient.cs`
+- **SBOMer Client**: `src/Cli/StellaOps.Cli/Services/SbomerClient.cs` / `ISbomerClient.cs`
+- **Commands**:
+  - `stella sbom generate <image|dir>` -- generate deterministic SBOM. Options: `--format cdx|spdx|both`, `--output <path>`, `--verify-determinism`
+- **Determinism**: Same input produces byte-identical SBOM output
+
+## E2E Test Plan
+- [ ] Run `stella sbom generate myregistry/app:v1.0 --format cdx` and verify CycloneDX SBOM
+- [ ] Run with `--format spdx` and verify SPDX SBOM
+- [ ] Run with `--format both` and verify both formats generated
+- [ ] Run with `--verify-determinism` and verify hash matches across runs
+- [ ] Verify deterministic output (same image produces identical SBOM)
+- [ ] Verify directory-based SBOM generation

docs/features/unchecked/cli/sbom-format-conversion-cli.md

@@ -0,0 +1,23 @@
+# SBOM Format Conversion CLI
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+CLI command `stella sbom convert` to convert between SPDX and CycloneDX SBOM formats with deterministic output, plus `stella sbom export --type cbom` for Cryptographic BOM export.
+
+## Implementation Details
+- **Command Group**: `src/Cli/StellaOps.Cli/Commands/SbomCommandGroup.cs` -- SBOM conversion commands
+- **Commands**:
+  - `stella sbom convert <file> --to cdx|spdx` -- convert SBOM format. Options: `--output <path>`
+  - `stella sbom export --type cbom` -- export Cryptographic BOM
+
+## E2E Test Plan
+- [ ] Run `stella sbom convert ./sbom.spdx.json --to cdx` and verify CycloneDX output
+- [ ] Run `stella sbom convert ./sbom.cdx.json --to spdx` and verify SPDX output
+- [ ] Verify deterministic conversion (same input produces identical output)
+- [ ] Run `stella sbom export --type cbom` and verify CBOM export
+- [ ] Verify component data preserved during conversion

docs/features/unchecked/cli/scan-entry-trace-analysis-cli.md

@@ -0,0 +1,22 @@
+# Scan Entry Trace Analysis CLI
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+Show entry trace summary for a scan with optional raw NDJSON output and semantic entrypoint analysis covering intent, capabilities, and threat vectors.
+
+## Implementation Details
+- **Command Handlers**: `src/Cli/StellaOps.Cli/Commands/CommandHandlers.cs` -- entry trace handlers
+- **Commands**:
+  - `stella scan entrytrace <scan-id>` -- show entry trace summary. Options: `--raw` (NDJSON output), `--format table|json`
+- **Analysis**: semantic entrypoint analysis including intent classification, capability detection, threat vector identification
+
+## E2E Test Plan
+- [ ] Run `stella scan entrytrace <scan-id>` and verify entry trace summary
+- [ ] Run with `--raw` and verify NDJSON output
+- [ ] Verify semantic analysis includes intent, capabilities, threat vectors
+- [ ] Verify `--format json` output

docs/features/unchecked/cli/scan-reproducibility-verification-flag.md

@@ -0,0 +1,23 @@
+# Scan Reproducibility Verification Flag
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+CLI flag to trigger reproducibility verification (rebuild) during scans, verifying whether builds are reproducible as part of the build provenance verification pipeline.
+
+## Implementation Details
+- **Scan Commands**: `src/Cli/StellaOps.Cli/Commands/Scan/` -- scan command extensions
+- **Provenance Commands**: `src/Cli/StellaOps.Cli/Commands/ProvCommandGroup.cs` -- provenance verification
+- **Commands**:
+  - `stella scan run <image> --verify-reproducibility` -- scan with reproducibility verification
+  - `stella prov verify <image>` -- verify build provenance
+
+## E2E Test Plan
+- [ ] Run `stella scan run myregistry/app:v1.0 --verify-reproducibility` and verify reproducibility check
+- [ ] Verify reproducible build produces matching digest
+- [ ] Verify non-reproducible build is flagged
+- [ ] Run `stella prov verify myregistry/app:v1.0` and verify provenance verification

docs/features/unchecked/cli/scan-snapshot-compare-cli.md

@@ -0,0 +1,22 @@
+# Scan Snapshot Compare CLI
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+Compare two scan snapshots by digest producing structured security state diffs with severity filtering and multiple output formats (table, JSON, SARIF).
+
+## Implementation Details
+- **Command Group**: `src/Cli/StellaOps.Cli/Commands/Compare/CompareCommandBuilder.cs` -- `CompareCommandBuilder` for compare operations
+- **Commands**:
+  - `stella compare <old-digest> <new-digest>` -- compare scan snapshots. Options: `--severity critical|high|medium|low`, `--format table|json|sarif`, `--output <path>`
+
+## E2E Test Plan
+- [ ] Run `stella compare sha256:old sha256:new` and verify diff output
+- [ ] Run with `--severity critical` and verify severity filtering
+- [ ] Run with `--format sarif` and verify SARIF output
+- [ ] Run with `--format json` and verify structured diff
+- [ ] Verify new/removed/changed vulnerabilities identified

docs/features/unchecked/cli/settings-consolidation-under-stella-config.md

@@ -0,0 +1,25 @@
+# Settings Consolidation under stella config
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+Unification of scattered settings commands (notify, feeds, integrations, registry) under a single `stella config` umbrella for improved discoverability.
+
+## Implementation Details
+- **Command Group**: `src/Cli/StellaOps.Cli/Commands/ConfigCommandGroup.cs` -- consolidated config commands
+- **Config Catalog**: `src/Cli/StellaOps.Cli/Commands/ConfigCatalog.cs` -- catalog of config items
+- **Route Mapping**: `src/Cli/StellaOps.Cli/cli-routes.json` -- deprecated routes for old paths
+- **Tests**: `src/Cli/__Tests/StellaOps.Cli.Tests/Integration/SettingsConsolidationTests.cs`
+- **Consolidated paths**: notify -> config notify, feeds -> config feeds, integrations -> config integrations, registry -> config registry, sources -> config sources, signals -> config signals
+
+## E2E Test Plan
+- [ ] Run `stella config notify channels list` and verify consolidated path works
+- [ ] Run `stella config feeds list` and verify feed listing
+- [ ] Run `stella config integrations list` and verify integrations
+- [ ] Run `stella config registry list` and verify registries
+- [ ] Verify old paths show deprecation warnings
+- [ ] Verify SettingsConsolidationTests pass

docs/features/unchecked/cli/setup-wizard-cli.md

@@ -0,0 +1,31 @@
+# Setup Wizard CLI
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+Interactive setup wizard with checkpoint-based state management: run full or specific steps, resume from interruption, check status, reset state, and validate configuration. Supports YAML config files and non-interactive mode.
+
+## Implementation Details
+- **Command Group**: `src/Cli/StellaOps.Cli/Commands/Setup/` -- setup wizard commands
+- **Prompts**: `src/Cli/StellaOps.Cli/Prompts/` -- interactive prompt infrastructure
+- **Commands**:
+  - `stella setup` -- run full setup wizard interactively
+  - `stella setup run --step <name>` -- run a specific setup step
+  - `stella setup status` -- check setup completion status
+  - `stella setup resume` -- resume from last checkpoint
+  - `stella setup reset` -- reset setup state
+  - `stella setup validate` -- validate current configuration
+- **Non-interactive**: `--config <yaml>` for automated setup
+
+## E2E Test Plan
+- [ ] Run `stella setup` and verify interactive wizard prompts
+- [ ] Run `stella setup run --step database` and verify specific step execution
+- [ ] Run `stella setup status` and verify step completion status
+- [ ] Interrupt setup and run `stella setup resume` and verify resumption from checkpoint
+- [ ] Run `stella setup reset` and verify state cleared
+- [ ] Run `stella setup validate` and verify configuration validation
+- [ ] Run with `--config ./setup.yaml` for non-interactive mode

docs/features/unchecked/cli/stella-admin-cli-command-group.md

@@ -0,0 +1,29 @@
+# Stella Admin CLI Command Group
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+Consolidated `stella admin` CLI command group providing administrative operations for policy management, user administration, feed management, and system diagnostics. Replaces previously scattered admin operations.
+
+## Implementation Details
+- **Command Group**: `src/Cli/StellaOps.Cli/Commands/Admin/AdminCommandGroup.cs` -- `AdminCommandGroup` (internal static class)
+- **Command Handlers**: `src/Cli/StellaOps.Cli/Commands/Admin/AdminCommandHandlers.cs` -- `AdminCommandHandlers`
+- **Backend Operations**: `src/Cli/StellaOps.Cli/Services/BackendOperationsClient.cs` / `IBackendOperationsClient.cs`
+- **Tests**: `src/Cli/__Tests/StellaOps.Cli.Tests/Services/BackendOperationsClientTests.cs`
+- **Commands**:
+  - `stella admin users list` -- list users
+  - `stella admin users create` -- create a user
+  - `stella admin policy list` -- list policies (admin view)
+  - `stella admin feeds list` -- list advisory feeds (deprecated, use config feeds)
+  - `stella admin diagnostics` -- system diagnostics
+
+## E2E Test Plan
+- [ ] Run `stella admin users list` and verify user listing
+- [ ] Run `stella admin users create --name <user>` and verify user creation
+- [ ] Run `stella admin policy list` and verify admin policy view
+- [ ] Run `stella admin diagnostics` and verify system diagnostics
+- [ ] Verify admin commands require admin role authorization

docs/features/unchecked/cli/symbol-ingestion-cli.md

@@ -0,0 +1,26 @@
+# Symbol Ingestion CLI
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+Symbol table operations: ingest symbols from binary files, upload manifests to backend, verify symbol integrity, and check service health. Supports dry-run mode.
+
+## Implementation Details
+- **Command Group**: `src/Cli/StellaOps.Cli/Commands/SignalsCommandGroup.cs` -- signals including symbol operations
+- **Commands**:
+  - `stella symbols ingest <binary>` -- ingest symbols from binary. Options: `--dry-run`, `--format json`
+  - `stella symbols upload <manifest>` -- upload symbol manifest
+  - `stella symbols verify` -- verify symbol integrity
+  - `stella symbols health` -- check symbol service health
+- **Tests**: `src/Cli/__Tests/StellaOps.Cli.Tests/Commands/SignalsCommandTests.cs`
+
+## E2E Test Plan
+- [ ] Run `stella symbols ingest ./binary.elf` and verify symbol ingestion
+- [ ] Run with `--dry-run` and verify no actual upload
+- [ ] Run `stella symbols upload ./manifest.json` and verify manifest upload
+- [ ] Run `stella symbols verify` and verify integrity check
+- [ ] Run `stella symbols health` and verify service status

docs/features/unchecked/cli/system-database-migrations-cli.md

@@ -0,0 +1,29 @@
+# System Database Migrations CLI
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+PostgreSQL database migration management across modules (Authority, Scheduler, Concelier, Policy, Notify, Excititor) with category selection (startup/release/seed/data), dry-run mode, connection string overrides, and timeout configuration.
+
+## Implementation Details
+- **Command Group**: `src/Cli/StellaOps.Cli/Commands/SystemCommandBuilder.cs` -- `SystemCommandBuilder` for `stella system` commands
+- **Migration Service**: `src/Cli/StellaOps.Cli/Services/MigrationCommandService.cs` -- migration execution
+- **Migration Registry**: `src/Cli/StellaOps.Cli/Services/MigrationModuleRegistry.cs` -- module registry
+- **Migration Runner**: `src/Cli/StellaOps.Cli/Services/MigrationRunnerAdapter.cs` -- runner adapter
+- **Tests**: `src/Cli/__Tests/StellaOps.Cli.Tests/Commands/SystemCommandBuilderTests.cs`
+- **Commands**:
+  - `stella system migrations-run --module <name>` -- run migrations. Options: `--category startup|release|seed|data`, `--dry-run`, `--connection <connstr>`, `--timeout <duration>`
+  - `stella system migrations-status` -- show migration status per module
+  - `stella system migrations-verify` -- verify migration integrity
+
+## E2E Test Plan
+- [ ] Run `stella system migrations-status` and verify per-module migration status
+- [ ] Run `stella system migrations-run --module Authority` and verify Authority migrations
+- [ ] Run with `--category startup` and verify category filtering
+- [ ] Run with `--dry-run` and verify no actual changes
+- [ ] Run `stella system migrations-verify` and verify integrity check
+- [ ] Verify timeout with `--timeout 00:05:00`

docs/features/unchecked/cli/tenant-context-management-cli.md

@@ -0,0 +1,25 @@
+# Tenant Context Management CLI
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+Multi-tenant context switching: list available tenants, set/use a default tenant context, show current tenant, and clear the active context.
+
+## Implementation Details
+- **Tenant Store**: `src/Cli/StellaOps.Cli/Services/TenantProfileStore.cs` -- tenant profile management
+- **Commands**:
+  - `stella tenants list` -- list available tenants
+  - `stella tenants use <tenant-id>` -- set default tenant context
+  - `stella tenants current` -- show current active tenant
+  - `stella tenants clear` -- clear active tenant context
+
+## E2E Test Plan
+- [ ] Run `stella tenants list` and verify tenant listing
+- [ ] Run `stella tenants use <id>` and verify context set
+- [ ] Run `stella tenants current` and verify current tenant shown
+- [ ] Run `stella tenants clear` and verify context cleared
+- [ ] Verify subsequent commands use selected tenant context

docs/features/unchecked/cli/token-minting-and-delegation-cli.md

@@ -0,0 +1,24 @@
+# Token Minting and Delegation CLI
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+Service account token minting with scope/expiry/tenant control, and token delegation to other principals with scope restriction and audit reasons.
+
+## Implementation Details
+- **Command Group**: `src/Cli/StellaOps.Cli/Commands/AuthCommandGroup.cs` -- auth token commands
+- **Authority Console Client**: `src/Cli/StellaOps.Cli/Services/AuthorityConsoleClient.cs` / `IAuthorityConsoleClient.cs`
+- **Commands**:
+  - `stella auth token mint --scope <scopes> --expiry <duration> --tenant <id>` -- mint service account token
+  - `stella auth token delegate --to <principal> --scope <scopes> --reason <text>` -- delegate token with scope restriction
+
+## E2E Test Plan
+- [ ] Run `stella auth token mint --scope "read:policy" --expiry 24h` and verify token minted
+- [ ] Run with `--tenant <id>` and verify tenant-scoped token
+- [ ] Run `stella auth token delegate --to service-a --scope "read:evidence" --reason "CI pipeline"` and verify delegation
+- [ ] Verify delegated token has restricted scopes
+- [ ] Verify audit reason recorded for delegation

docs/features/unchecked/cli/trust-anchor-management-cli.md

@@ -0,0 +1,44 @@
+# Trust Anchor Management CLI (stella proof anchor list/show/create/revoke-key)
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+Manage root trust anchors used in proof chain verification: list, show details, create new anchors, and revoke individual keys within anchors. Supports two implementations: the top-level `stella trust-anchors` command group (CA, publickey, OIDC, TUF anchor types) and the proof-scoped `stella proof anchor` command group (PURL-pattern-based anchors with key ID binding).
+
+## Implementation Details
+- **Top-Level Command Group**: `src/Cli/StellaOps.Cli/Commands/TrustAnchorsCommandGroup.cs` -- `TrustAnchorsCommandGroup` (static class)
+  - Sprint: SPRINT_20260117_011_CLI_attestation_signing (ATS-002)
+  - Supports anchor types: `ca`, `publickey`, `oidc`, `tuf`
+- **Proof-Scoped Command Group**: `src/Cli/StellaOps.Cli/Commands/Proof/AnchorCommandGroup.cs` -- `AnchorCommandGroup` (instance class with DI)
+  - Implements `stella proof anchor list/show/create/revoke-key`
+  - Uses `ITrustAnchorManager` and `IKeyRotationService` for backend operations
+- **DTOs**: `TrustAnchor` (Id, Name, Type, Status, Fingerprint, CreatedAt, ExpiresAt, UsageCount)
+- **Commands (top-level)**:
+  - `stella trust-anchors list [--type ca|publickey|oidc|tuf] [--format table|json]` -- list configured trust anchors with type filtering
+  - `stella trust-anchors add --type <type> --name <name> [--cert <path>] [--key <path>] [--issuer <url>] [--tuf-root <path>]` -- add new anchor with type-specific validation
+  - `stella trust-anchors remove <anchor-id> --confirm` -- remove a trust anchor (requires confirmation)
+  - `stella trust-anchors show <anchor-id> [--format text|json]` -- show anchor details including fingerprint, creation/expiry, usage count
+- **Commands (proof-scoped)**:
+  - `stella proof anchor list [--output text|json]` -- list active trust anchors
+  - `stella proof anchor show <anchorId>` -- show trust anchor details
+  - `stella proof anchor create <pattern> --key-id <id> [--policy-version <ver>]` -- create anchor with PURL glob pattern
+  - `stella proof anchor revoke-key <anchorId> <keyId> [--reason <text>]` -- revoke a key within an anchor
+- **Exit codes**: 0 = success, 1 = error, defined in `ProofExitCodes`
+
+## E2E Test Plan
+- [ ] Run `stella trust-anchors list` and verify table output shows ID, Type, Name, Status columns
+- [ ] Run `stella trust-anchors list --type ca` and verify filtering to CA anchors only
+- [ ] Run `stella trust-anchors list --format json` and verify valid JSON array output
+- [ ] Run `stella trust-anchors add --type ca --name "Test CA" --cert ./ca.pem` and verify anchor creation
+- [ ] Run `stella trust-anchors add --type publickey --name "Test Key"` without `--key` and verify error: "--key is required for type=publickey"
+- [ ] Run `stella trust-anchors add --type unknown --name "Bad"` and verify error: "Unknown anchor type"
+- [ ] Run `stella trust-anchors show <id> --format json` and verify JSON output with all fields
+- [ ] Run `stella trust-anchors remove <id>` without `--confirm` and verify warning prompt
+- [ ] Run `stella trust-anchors remove <id> --confirm` and verify removal message
+- [ ] Run `stella proof anchor list` and verify anchor listing
+- [ ] Run `stella proof anchor create "pkg:npm/*" --key-id key1` and verify creation
+- [ ] Run `stella proof anchor revoke-key <id> <keyId> --reason "compromised"` and verify revocation

docs/features/unchecked/cli/verdict-ladder-ui.md

@@ -0,0 +1,31 @@
+# Verdict Ladder UI (8-step verdict explainability)
+
+## Module
+Cli (with Web frontend)
+
+## Status
+IMPLEMENTED
+
+## Description
+8-step verdict ladder providing visual explainability for verdict computation stages. Both CLI verdict commands and Angular UI component are implemented.
+
+## Implementation Details
+- **Verdict CLI commands**: `src/Cli/StellaOps.Cli/Commands/VerdictCommandGroup.cs` -- `stella verdict verify`, `stella verdict list`, `stella verdict push`, `stella verdict rationale`
+- **Compare CLI**: `src/Cli/StellaOps.Cli/Commands/Compare/CompareCommandBuilder.cs` -- `stella compare` with base/target diff
+- **Explain CLI**: `src/Cli/StellaOps.Cli/Commands/ExplainCommandGroup.cs` -- `stella explain` for block/decision explanations
+- **Score Gate CLI**: `src/Cli/StellaOps.Cli/Commands/ScoreGateCommandGroup.cs` -- score gate with baseline comparison
+- **Verdict Ladder Angular component**: `src/Web/StellaOps.Web/src/app/features/triage/components/verdict-ladder/verdict-ladder.component.ts` -- full stepper visualization with `VerdictLadderStep` (step, name, status: complete/partial/missing/na, summary, evidence items), `EvidenceItem` (type, title, source, hash, signed, signedBy, uri, preview), `VerdictLadderData` model
+- **Verdict Ladder builder service**: `src/Web/StellaOps.Web/src/app/features/triage/services/verdict-ladder-builder.service.ts` -- builds ladder data from backend evidence
+- **Policy explainability library**: `src/Policy/__Libraries/StellaOps.Policy.Explainability/` -- policy decision explainability
+- **Policy engine**: `src/Policy/StellaOps.Policy.Engine/` -- verdict computation with deterministic evaluation
+
+## E2E Test Plan
+- [ ] Verify verdict ladder renders all 8 steps with correct pass/fail/skip status
+- [ ] Verify clicking a ladder step expands to show underlying evidence
+- [ ] Verify evidence items show hash, signature status, and source
+- [ ] Verify `stella verdict rationale` CLI output matches ladder steps
+- [ ] Verify ladder updates when verdict is recomputed
+
+## Related Documentation
+- Verdict CLI: `src/Cli/StellaOps.Cli/Commands/VerdictCommandGroup.cs`
+- Verdict ladder UI: `src/Web/StellaOps.Web/src/app/features/triage/components/verdict-ladder/`

docs/features/unchecked/cli/verification-command-consolidation.md

@@ -0,0 +1,40 @@
+# Verification Command Consolidation (verify umbrella)
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+Consolidation of `attest verify`, `vex verify`, `patchverify` etc. under a unified `stella verify` umbrella command with sub-commands for attestation, vex, patch, image, bundle, sbom, and offline verification.
+
+## Implementation Details
+- **Command Group**: `src/Cli/StellaOps.Cli/Commands/VerifyCommandGroup.cs` -- `VerifyCommandGroup` (internal static class)
+  - Sprint: SPRINT_20260118_012_CLI_verification_consolidation (CLI-V-002 through CLI-V-005)
+  - Delegates to `CommandHandlers.HandleVerifyOfflineAsync`, `HandleVerifyImageAsync`, `HandleVerifyBundleAsync`
+- **Handler Partials**:
+  - `src/Cli/StellaOps.Cli/Commands/CommandHandlers.VerifyOffline.cs` -- offline verification handler
+  - `src/Cli/StellaOps.Cli/Commands/CommandHandlers.VerifyBundle.cs` -- bundle verification handler
+- **Commands**:
+  - `stella verify offline --evidence-dir <path> --artifact <digest> --policy <file> [--output-dir <dir>] [--output table|json]` -- verify offline evidence for artifact
+  - `stella verify image <reference> [--require sbom,vex,decision] [--trust-policy <file>] [--output table|json|sarif] [--strict]` -- verify attestation chain for container image
+  - `stella verify bundle --bundle <path> [--skip-replay] [--output table|json]` -- verify E2E evidence bundle for reproducibility
+  - `stella verify attestation --image <ref> [--predicate-type <uri>] [--policy <file>] [--output table|json] [--strict]` -- verify attestations (moved from `stella attest verify`)
+  - `stella verify vex <artifact> [--vex-file <path>] [--output table|json]` -- verify VEX statements (moved from `stella vex verify`)
+  - `stella verify patch <artifact> [--cve <ids>] [--confidence-threshold 0.7] [--output table|json]` -- verify patches in binaries (moved from `stella patchverify`)
+  - `stella verify sbom <file> [--format spdx|cyclonedx] [--strict] [--output table|json]` -- verify SBOM integrity and completeness (also via `stella sbom verify`)
+- **Route Consolidation**: `cli-routes.json` maps deprecated paths: `attest verify` -> `verify attestation`, `vex verify` -> `verify vex`, `patchverify` -> `verify patch`
+
+## E2E Test Plan
+- [ ] Run `stella verify image registry.example.com/app@sha256:abc123` and verify attestation chain results
+- [ ] Run `stella verify image <ref> --require sbom,vex,decision --strict` and verify strict mode fails on missing attestations
+- [ ] Run `stella verify image <ref> --output json` and verify JSON with verified:true/false per attestation
+- [ ] Run `stella verify offline --evidence-dir ./evidence --artifact sha256:abc --policy ./policy.yaml` and verify offline evaluation
+- [ ] Run `stella verify bundle --bundle ./evidence.tar.gz` and verify E2E reproducibility check
+- [ ] Run `stella verify bundle --bundle ./evidence.tar.gz --skip-replay` and verify hash-only validation
+- [ ] Run `stella verify attestation --image <ref> --predicate-type "https://slsa.dev/provenance/v1"` and verify type-filtered attestation check
+- [ ] Run `stella verify vex <artifact>` and verify VEX statement verification
+- [ ] Run `stella verify patch <artifact> --cve CVE-2024-1234 --confidence-threshold 0.9` and verify patch check
+- [ ] Run `stella verify sbom ./sbom.json --strict` and verify strict mode catches warnings as errors
+- [ ] Verify deprecated routes still work: `stella attest verify` routes to `stella verify attestation`

docs/features/unchecked/cli/verification-receipt-cli.md

@@ -0,0 +1,33 @@
+# Verification Receipt CLI (stella proof receipt get/verify)
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+Retrieve and verify verification receipts by proof bundle ID in text, JSON, or CBOR format for audit trail cryptographic proof.
+
+## Implementation Details
+- **Command Group**: `src/Cli/StellaOps.Cli/Commands/Proof/ReceiptCommandGroup.cs` -- `ReceiptCommandGroup` (instance class with DI logger)
+  - Registered under `stella proof receipt` command tree
+  - Uses `IReceiptGenerator` for receipt retrieval (integration pending)
+- **Exit Codes**: Defined in `src/Cli/StellaOps.Cli/Commands/Proof/ProofExitCodes.cs` -- `ProofExitCodes.Success`, `SystemError`, `VerificationFailed`
+- **Commands**:
+  - `stella proof receipt get <bundleId> [--output text|json|cbor]` -- retrieve verification receipt by proof bundle ID
+  - `stella proof receipt verify <receiptFile> [--offline]` -- verify a stored receipt file (DSSE signature, ProofBundleID recomputation, optional Rekor inclusion)
+- **Verification Steps** (planned):
+  1. Load receipt from file
+  2. Verify DSSE signature on receipt
+  3. Recompute ProofBundleID from claims
+  4. Optionally verify Rekor inclusion (skipped in `--offline` mode)
+
+## E2E Test Plan
+- [ ] Run `stella proof receipt get <bundleId>` and verify text output showing Bundle ID and receipt details
+- [ ] Run `stella proof receipt get <bundleId> --output json` and verify valid JSON with proofBundleId field
+- [ ] Run `stella proof receipt get <bundleId> --output cbor` and verify CBOR-encoded output
+- [ ] Run `stella proof receipt verify ./receipt.json` and verify signature and Rekor verification
+- [ ] Run `stella proof receipt verify ./receipt.json --offline` and verify offline mode skips Rekor check
+- [ ] Run `stella proof receipt verify ./nonexistent.json` and verify error: "Receipt file not found"
+- [ ] Verify exit code 0 on successful verification, non-zero on failure

docs/features/unchecked/cli/vex-gated-policy-decisions.md

@@ -0,0 +1,34 @@
+# VEX-gated policy decisions (gate decision with decision hash)
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+VEX gate service and policy evaluator for blocking/allowing based on VEX status, with CLI command support and UI gate summary panel. Evaluates findings against policy rules based on vendor status, exploitability, reachability, compensating controls, and severity levels.
+
+## Implementation Details
+- **Command Group**: `src/Cli/StellaOps.Cli/Commands/VexGateScanCommandGroup.cs` -- `VexGateScanCommandGroup` (static class)
+  - Sprint: SPRINT_20260106_003_002_SCANNER_vex_gate_service (T026, T027)
+  - Uses Spectre.Console for rich table output
+  - Calls Scanner API: `api/v1/vex-gate/policy` and `api/v1/scans/{scanId}/gate-results`
+- **Commands**:
+  - `stella scan gate-policy show [--tenant <id>] [--output table|json|yaml]` -- display current VEX gate policy including rules, priorities, and conditions
+  - `stella scan gate-results --scan-id <id> [--decision Pass|Warn|Block] [--output table|json] [--limit <n>]` -- get VEX gate results for a scan with decision filtering
+- **DTOs**: `VexGatePolicyDto` (PolicyId, Version, DefaultDecision, Rules), `VexGatePolicyRuleDto` (RuleId, Priority, Decision, Condition), `VexGatePolicyConditionDto` (VendorStatus, IsExploitable, IsReachable, HasCompensatingControl, SeverityLevels), `VexGateResultsDto` (ScanId, Summary, GatedFindings), `VexGateSummaryDto` (TotalFindings, Passed, Warned, Blocked, EvaluatedAt), `GatedFindingDto` (FindingId, Cve, Purl, Decision, Rationale, PolicyRuleMatched, Evidence)
+- **Decision Types**: Pass (green), Warn (yellow), Block (red)
+- **Output Formats**: Table with Spectre.Console styling, JSON, YAML
+
+## E2E Test Plan
+- [ ] Run `stella scan gate-policy show` and verify policy table with Policy ID, Version, Default Decision, Rules Count
+- [ ] Run `stella scan gate-policy show --output json` and verify valid JSON with policy rules
+- [ ] Run `stella scan gate-policy show --output yaml` and verify YAML output with rule hierarchy
+- [ ] Run `stella scan gate-policy show --tenant <id>` and verify tenant-specific policy
+- [ ] Run `stella scan gate-results --scan-id <id>` and verify summary table (Total, Passed, Warned, Blocked) and findings table
+- [ ] Run `stella scan gate-results --scan-id <id> --decision Block` and verify only blocked findings shown
+- [ ] Run `stella scan gate-results --scan-id <id> --output json` and verify JSON with gateSummary and gatedFindings
+- [ ] Run `stella scan gate-results --scan-id <id> --limit 5` and verify at most 5 findings
+- [ ] Verify 404 response for unknown scan ID returns warning, not error
+- [ ] Verify exit code 0 on success, 1 on API error

docs/features/unchecked/cli/vex-generation-with-evidence-links.md

@@ -0,0 +1,39 @@
+# VEX Generation with Evidence Links (`--link-evidence` CLI Flag)
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+Extension to `stella vex gen` command with `--link-evidence` flag that includes binary-diff evidence links in VEX output, showing evidence type, confidence score, and URI in both table and JSON formats. Generates OpenVEX documents from facet drift analysis with deterministic IDs.
+
+## Implementation Details
+- **Command Group**: `src/Cli/StellaOps.Cli/Commands/VexGenCommandGroup.cs` -- `VexGenCommandGroup` (internal static class)
+  - Sprint: SPRINT_20260105_002_004_CLI (CLI-011 through CLI-015) and SPRINT_20260113_003_002_CLI_vex_evidence_integration
+  - Uses `IFacetDriftDetector`, `IFacetSealStore`, `IVexEvidenceLinker` from DI
+  - Generates deterministic IDs via SHA-256 of concatenated content
+- **Evidence Integration**: `IVexEvidenceLinker.GetLinksAsync()` fetches evidence links; `AttachEvidenceLinksAsync()` enriches VEX statements with evidence
+- **Models** (defined in same file):
+  - `OpenVexDocument` (@context, @id, author, timestamp, version, statements)
+  - `OpenVexStatement` (@id, status, timestamp, products, justification, action_statement, evidence)
+  - `OpenVexEvidence` (type, uri, confidence, predicateType, envelopeDigest, validatedSignature, rekorIndex, signer)
+  - `EvidenceSummary` (StatementId, Type, Confidence, EvidenceUri)
+- **Commands**:
+  - `stella vex gen --from-drift --image <ref> [--baseline <sealId>] [--output <path>] [--format openvex|csaf] [--status under_investigation|not_affected|affected] [--link-evidence] [--evidence-threshold 0.8] [--show-evidence-uri]` -- generate VEX from facet drift with evidence linking
+- **Output**: OpenVEX JSON document to stdout or file; evidence summary table in console with confidence scores
+- **Exit codes**: 0 = success, 1 = error or missing `--from-drift`
+
+## E2E Test Plan
+- [ ] Run `stella vex gen --from-drift --image registry/app@sha256:abc` and verify OpenVEX JSON output
+- [ ] Run with `--output vex.json` and verify file written with correct OpenVEX schema (@context, @id, author, timestamp, statements)
+- [ ] Run with `--link-evidence` and verify evidence fields in statements (type, uri, confidence, validatedSignature)
+- [ ] Run with `--evidence-threshold 0.5` and verify lower threshold includes more evidence links
+- [ ] Run with `--evidence-threshold 1.0` and verify high threshold excludes low-confidence evidence
+- [ ] Run with `--show-evidence-uri` and verify full URIs in console evidence summary
+- [ ] Run with `--format csaf` and verify CSAF-formatted output
+- [ ] Run with `--status not_affected` and verify status field in generated statements
+- [ ] Run with `--baseline <sealId>` and verify specific baseline used for drift comparison
+- [ ] Run without `--from-drift` and verify error: "--from-drift is required"
+- [ ] Verify deterministic: running same command twice produces identical document IDs

docs/features/unchecked/cli/vex-observation-and-webhooks-cli.md

@@ -0,0 +1,45 @@
+# VEX Observation and Webhooks CLI (stella vex evidence/webhooks/observation)
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+Extended VEX CLI plugin providing evidence linking, webhook management for VEX events, and VEX observation commands with Rekor attestation support for transparency log integration. Consolidates vex, vexgen, vexlens, and advisory commands under a unified `stella vex` umbrella.
+
+## Implementation Details
+- **Unified VEX Command Group**: `src/Cli/StellaOps.Cli/Commands/VexCommandGroup.cs` -- `VexCommandGroup` (static class)
+  - Sprint: SPRINT_20260118_014_CLI_evidence_remaining_consolidation (CLI-E-008)
+  - Consolidates: vex, vexgen, vexlens, advisory commands
+- **VEX Generation**: `src/Cli/StellaOps.Cli/Commands/VexGenCommandGroup.cs` -- `VexGenCommandGroup` with evidence linking via `IVexEvidenceLinker`
+- **Runtime Observations**: `src/Cli/StellaOps.Cli/Commands/Observations/ObservationsCommandGroup.cs` -- `ObservationsCommandGroup` (static class)
+  - Sprint: SPRINT_20260122_039_Scanner_runtime_linkage_verification (RLV-008)
+  - Uses `IObservationStore` and verification services from Scanner module
+- **Commands (VEX umbrella)**:
+  - `stella vex generate --scan <id> [--format openvex|csaf|cyclonedx] [--output <path>] [--product <name>] [--supplier <name>] [--sign]` -- generate VEX documents
+  - `stella vex validate --input <file> [--strict] [--schema <file>]` -- validate VEX document schema and consistency
+  - `stella vex query [--cve <id>] [--product <name>] [--status affected|not_affected|under_investigation] [--format table|json] [--limit <n>]` -- query VEX statements
+  - `stella vex advisory list [--severity critical|high|medium|low] [--source nvd|osv|ghsa] [--after <date>]` -- list advisories
+  - `stella vex advisory show <cve-id> [--format text|json]` -- show advisory details
+  - `stella vex advisory sync [--source <name>] [--force]` -- sync advisory feeds
+  - `stella vex lens analyze --scan <id> [--cve <id>] [--depth <n>]` -- reachability analysis for VEX determination
+  - `stella vex lens explain --scan <id> --cve <id>` -- explain VEX determination reasoning with evidence chain
+  - `stella vex apply --scan <id> --vex <file> [--dry-run]` -- apply VEX statements to scan results
+- **Commands (observations)**:
+  - `stella observations query [--symbol <glob>] [--node-hash <sha256>] [--container <id>] [--pod <name>] [--namespace <ns>]` -- query runtime observations
+
+## E2E Test Plan
+- [ ] Run `stella vex generate --scan <id>` and verify VEX document with statement counts
+- [ ] Run `stella vex generate --scan <id> --format csaf --sign` and verify signed CSAF output
+- [ ] Run `stella vex validate --input vex.json` and verify schema/statement/product/CVE validation passes
+- [ ] Run `stella vex validate --input vex.json --strict` and verify strict mode
+- [ ] Run `stella vex query --status not_affected` and verify filtered query results
+- [ ] Run `stella vex advisory list --severity critical` and verify critical-only listing
+- [ ] Run `stella vex advisory show CVE-2024-1234` and verify advisory details (severity, CWE, affected products)
+- [ ] Run `stella vex advisory sync` and verify feed sync counts per source
+- [ ] Run `stella vex lens analyze --scan <id>` and verify reachability analysis with REACHABLE/EXPLOITABLE columns
+- [ ] Run `stella vex lens explain --scan <id> --cve CVE-2024-1234` and verify determination explanation with evidence
+- [ ] Run `stella vex apply --scan <id> --vex vex.json --dry-run` and verify preview of VEX suppressions
+- [ ] Run `stella observations query --symbol "SSL_*"` and verify symbol-filtered observation results

docs/features/unchecked/cli/witness-cli-commands.md

@@ -0,0 +1,41 @@
+# Witness CLI Commands
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+CLI command group for managing witnesses with core witness operations and handler implementations. Provides two witness subsystems: reachability witness operations (show, verify, list, export) and binary micro-witness operations (generate, verify, bundle) for patch verification.
+
+## Implementation Details
+- **Reachability Witness Command Group**: `src/Cli/StellaOps.Cli/Commands/WitnessCommandGroup.cs` -- `WitnessCommandGroup` (internal static class)
+  - Sprint: SPRINT_3700_0005_0001_witness_ui_cli (CLI-001 through CLI-004)
+  - Delegates to `CommandHandlers.HandleWitnessShowAsync`, `HandleWitnessVerifyAsync`, `HandleWitnessListAsync`, `HandleWitnessExportAsync`
+- **Binary Micro-Witness Command Group**: `src/Cli/StellaOps.Cli/Commands/Witness/WitnessCoreCommandGroup.cs` -- `WitnessCoreCommandGroup` (internal static class)
+  - Sprint: SPRINT_0128_001_BinaryIndex_binary_micro_witness (TASK-003)
+  - Handlers in `src/Cli/StellaOps.Cli/Commands/Witness/WitnessCoreCommandHandlers.cs`
+- **Commands (reachability witnesses)**:
+  - `stella witness show <witness-id> [--format text|json|yaml] [--no-color] [--path-only]` -- display witness with call path visualization
+  - `stella witness verify <witness-id> [--public-key <path>] [--offline]` -- verify witness signature (local key or server-fetched)
+  - `stella witness list --scan <id> [--vuln <cve>] [--tier confirmed|likely|present|unreachable] [--reachable-only] [--probe-type kprobe|uprobe|tracepoint|usdt|fentry|fexit] [--format table|json] [--limit <n>]` -- list witnesses for a scan with filtering
+  - `stella witness export <witness-id> [--format json|sarif] [--output <path>] [--include-dsse]` -- export witness to file with optional DSSE envelope
+- **Commands (binary micro-witnesses)**:
+  - `stella witness generate <binary> --cve <id> [--sbom <path>] [--output <path>] [--sign] [--rekor] [--format json|envelope]` -- generate micro-witness for binary patch verification
+  - `stella witness verify <witness> [--offline] [--sbom <path>] [--format text|json]` -- verify micro-witness signature and Rekor proof
+  - `stella witness bundle <witness> --output <dir> [--include-binary] [--include-sbom]` -- export self-contained verification bundle for air-gapped audits
+
+## E2E Test Plan
+- [ ] Run `stella witness show wit:sha256:abc123` and verify call path visualization output
+- [ ] Run `stella witness show wit:sha256:abc123 --format json` and verify JSON witness details
+- [ ] Run `stella witness show wit:sha256:abc123 --path-only` and verify only call path shown
+- [ ] Run `stella witness verify wit:sha256:abc123` and verify signature verification result
+- [ ] Run `stella witness verify wit:sha256:abc123 --offline` and verify offline-only verification
+- [ ] Run `stella witness list --scan <id>` and verify witness table with ID, CVE, tier columns
+- [ ] Run `stella witness list --scan <id> --tier confirmed --reachable-only` and verify filtered results
+- [ ] Run `stella witness list --scan <id> --probe-type uprobe` and verify eBPF probe type filtering
+- [ ] Run `stella witness export wit:sha256:abc123 --format sarif --output witness.sarif` and verify SARIF file
+- [ ] Run `stella witness export wit:sha256:abc123 --include-dsse` and verify DSSE envelope included
+- [ ] Run `stella witness generate ./binary.elf --cve CVE-2024-0567 --sign --rekor` and verify signed micro-witness with Rekor log
+- [ ] Run `stella witness bundle ./witness.json --output ./bundle --include-binary --include-sbom` and verify self-contained bundle

docs/features/unchecked/cli/zastava-cli-commands.md

@@ -0,0 +1,36 @@
+# Zastava CLI Commands
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+Zastava CLI commands backed by dedicated Zastava module with agent, observer, and webhook components for Kubernetes admission controller management. Provides install, configure, status, logs, and uninstall operations for the admission webhook.
+
+## Implementation Details
+- **Command Group**: `src/Cli/StellaOps.Cli/Commands/ZastavaCommandGroup.cs` -- `ZastavaCommandGroup` (static class)
+  - Sprint: SPRINT_20260117_020_CLI_zastava_webhooks (ZAS-001 through ZAS-005)
+- **Backend Module**: `src/Zastava/` -- Zastava Kubernetes admission controller
+- **DTOs**: `ZastavaConfig` (Namespace, Policy, AllowedRegistries, BlockUnsigned, BlockCritical), `ZastavaStatus` (Namespace, WebhookRegistered, WebhookMode, PodStatus, Replicas, CertificateExpires, Statistics), `AdmissionStats` (TotalRequests, Allowed, Denied, Errors, Since)
+- **Commands**:
+  - `stella zastava install [--namespace <ns>] [--mode validating|mutating|both] [--output <path>] [--apply] [--dry-run]` -- install admission webhook with manifest generation. Generates: Namespace, ServiceAccount, RBAC, TLS Certificate Secret, Deployment, Service, WebhookConfiguration
+  - `stella zastava configure [--policy <id>] [--allow-registries <list>] [--block-unsigned] [--block-critical] [--namespace <ns>] [--format text|json]` -- configure enforcement rules persisted to ConfigMap
+  - `stella zastava status [--namespace <ns>] [--format table|json]` -- show webhook status including registration, pod status, replicas, certificate expiry, and admission statistics (total/allowed/denied/errors)
+  - `stella zastava logs [--follow] [--since <duration>] [--decision allowed|denied|error] [--image <pattern>] [--namespace <ns>]` -- show webhook admission logs with streaming and filtering
+  - `stella zastava uninstall --confirm [--namespace <ns>] [--remove-secrets]` -- remove webhook (requires confirmation); optionally removes TLS secrets
+
+## E2E Test Plan
+- [ ] Run `stella zastava install --dry-run` and verify manifest preview without cluster changes
+- [ ] Run `stella zastava install --namespace test-ns --mode validating --apply` and verify all resources created
+- [ ] Run `stella zastava install --mode mutating --output ./manifests` and verify manifest files written
+- [ ] Run `stella zastava configure --policy prod-policy --block-unsigned --block-critical` and verify configuration update
+- [ ] Run `stella zastava configure --allow-registries ghcr.io,registry.example.com --format json` and verify JSON config
+- [ ] Run `stella zastava status` and verify table with Webhook Registered, Mode, Pod Status, Replicas, Certificate Expires
+- [ ] Run `stella zastava status --format json` and verify JSON with admission statistics
+- [ ] Run `stella zastava logs --decision denied` and verify only denied admission logs shown
+- [ ] Run `stella zastava logs --image "docker.io/*" --since 1h` and verify image and time filtering
+- [ ] Run `stella zastava logs --follow` and verify streaming mode indicator
+- [ ] Run `stella zastava uninstall` without `--confirm` and verify error requiring confirmation
+- [ ] Run `stella zastava uninstall --confirm --remove-secrets` and verify all resources plus TLS secrets removed