Semi-implemented and implemented features: save checkpoint

This commit is contained in:
master
2026-02-08 18:00:49 +02:00
parent 04360dff63
commit 1bf6bbf395
20895 changed files with 716795 additions and 64 deletions


@@ -0,0 +1,44 @@
# Trust Anchor Management CLI (stella proof anchor list/show/create/revoke-key)
## Module
Cli
## Status
IMPLEMENTED
## Description
Manage root trust anchors used in proof chain verification: list, show details, create new anchors, and revoke individual keys within anchors. Supports two implementations: the top-level `stella trust-anchors` command group (CA, publickey, OIDC, TUF anchor types) and the proof-scoped `stella proof anchor` command group (PURL-pattern-based anchors with key ID binding).
## Implementation Details
- **Top-Level Command Group**: `src/Cli/StellaOps.Cli/Commands/TrustAnchorsCommandGroup.cs` -- `TrustAnchorsCommandGroup` (static class)
- Sprint: SPRINT_20260117_011_CLI_attestation_signing (ATS-002)
- Supports anchor types: `ca`, `publickey`, `oidc`, `tuf`
- **Proof-Scoped Command Group**: `src/Cli/StellaOps.Cli/Commands/Proof/AnchorCommandGroup.cs` -- `AnchorCommandGroup` (instance class with DI)
- Implements `stella proof anchor list/show/create/revoke-key`
- Uses `ITrustAnchorManager` and `IKeyRotationService` for backend operations
- **DTOs**: `TrustAnchor` (Id, Name, Type, Status, Fingerprint, CreatedAt, ExpiresAt, UsageCount)
- **Commands (top-level)**:
- `stella trust-anchors list [--type ca|publickey|oidc|tuf] [--format table|json]` -- list configured trust anchors with type filtering
- `stella trust-anchors add --type <type> --name <name> [--cert <path>] [--key <path>] [--issuer <url>] [--tuf-root <path>]` -- add new anchor with type-specific validation
- `stella trust-anchors remove <anchor-id> --confirm` -- remove a trust anchor (requires confirmation)
- `stella trust-anchors show <anchor-id> [--format text|json]` -- show anchor details including fingerprint, creation/expiry, usage count
- **Commands (proof-scoped)**:
- `stella proof anchor list [--output text|json]` -- list active trust anchors
- `stella proof anchor show <anchorId>` -- show trust anchor details
- `stella proof anchor create <pattern> --key-id <id> [--policy-version <ver>]` -- create anchor with PURL glob pattern
- `stella proof anchor revoke-key <anchorId> <keyId> [--reason <text>]` -- revoke a key within an anchor
- **Exit codes**: 0 = success, 1 = error, defined in `ProofExitCodes`
## E2E Test Plan
- [ ] Run `stella trust-anchors list` and verify table output shows ID, Type, Name, Status columns
- [ ] Run `stella trust-anchors list --type ca` and verify filtering to CA anchors only
- [ ] Run `stella trust-anchors list --format json` and verify valid JSON array output
- [ ] Run `stella trust-anchors add --type ca --name "Test CA" --cert ./ca.pem` and verify anchor creation
- [ ] Run `stella trust-anchors add --type publickey --name "Test Key"` without `--key` and verify error: "--key is required for type=publickey"
- [ ] Run `stella trust-anchors add --type unknown --name "Bad"` and verify error: "Unknown anchor type"
- [ ] Run `stella trust-anchors show <id> --format json` and verify JSON output with all fields
- [ ] Run `stella trust-anchors remove <id>` without `--confirm` and verify warning prompt
- [ ] Run `stella trust-anchors remove <id> --confirm` and verify removal message
- [ ] Run `stella proof anchor list` and verify anchor listing
- [ ] Run `stella proof anchor create "pkg:npm/*" --key-id key1` and verify creation
- [ ] Run `stella proof anchor revoke-key <id> <keyId> --reason "compromised"` and verify revocation
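Review bot: the E2E Test Plan only exercises one of the type-specific validation paths the Description promises ("--key is required for type=publickey"); since `add` also accepts `--issuer <url>` and `--tuf-root <path>` and the supported types are `ca`, `publickey`, `oidc`, `tuf`, add the matching negative cases for `oidc` without `--issuer` and `tuf` without `--tuf-root`, and a positive `--type tuf --tuf-root ./root.json` case, so a missing required input on those anchor types fails closed rather than silently creating a trust anchor. The plan also lists no case for `stella proof anchor show <anchorId>` although the command is documented, and no case asserting the `ProofExitCodes` values (0 success, 1 error) on a failing invocation. Two smaller points: the "Exit codes" line cites only `ProofExitCodes`, leaving the top-level `stella trust-anchors` group's exit codes undocumented, and the two groups use different conventions for the same thing (`--format table|json` vs `--output text|json`, `<anchor-id>` vs `<anchorId>`), which is worth either aligning or calling out explicitly in the doc.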