stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

Merge branch 'main' of https://git.stella-ops.org/stella-ops.org/git.stella-ops.org

Browse Source
This commit is contained in:
StellaOps Bot
2026-01-07 21:30:44 +02:00
parent a2070225ce 608a7f85c0
commit 2096cf49a6
1359 changed files with 61692 additions and 11378 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/Cli/StellaOps.Cli/Commands/Binary/BinaryCommandHandlers.cs
View File

@@ -594,7 +594,7 @@ internal static class BinaryCommandHandlers
Function = function,
FingerprintId = fingerprintId,
FingerprintHash = Convert.ToHexStringLower(fileHash),
GeneratedAt = (services.GetService<TimeProvider>() ?? TimeProvider.System).GetUtcNow().ToString("O")
GeneratedAt = (services.GetService<TimeProvider>() ?? TimeProvider.System).GetUtcNow().ToString("O", CultureInfo.InvariantCulture)
};
if (format == "json")

7
src/Cli/StellaOps.Cli/Commands/CommandFactory.cs
View File

@@ -124,6 +124,10 @@ internal static class CommandFactory
// Sprint: SPRINT_20260106_003_003_EVIDENCE_export_bundle - Evidence bundle export and verify
root.Add(EvidenceCommandGroup.BuildEvidenceCommand(services, options, verboseOption, cancellationToken));
// Sprint: SPRINT_20260105_002_004_CLI - Facet seal and drift commands
root.Add(SealCommandGroup.BuildSealCommand(services, verboseOption, cancellationToken));
root.Add(DriftCommandGroup.BuildDriftCommand(services, verboseOption, cancellationToken));
// Add scan graph subcommand to existing scan command
var scanCommand = root.Children.OfType<Command>().FirstOrDefault(c => c.Name == "scan");
if (scanCommand is not null)
@@ -4632,6 +4636,9 @@ internal static class CommandFactory
vex.Add(explain);
// Sprint: SPRINT_20260105_002_004_CLI - VEX gen from drift command
vex.Add(VexGenCommandGroup.BuildVexGenCommand(services, verboseOption, cancellationToken));
return vex;
}

3
src/Cli/StellaOps.Cli/Commands/CommandHandlers.Crypto.cs
View File

@@ -4,6 +4,7 @@
// Description: Command handlers for cryptographic signing and verification.
// -----------------------------------------------------------------------------
using System.Globalization;
using System.Text;
using System.Text.Json;
using Microsoft.Extensions.DependencyInjection;
@@ -398,7 +399,7 @@ internal static partial class CommandHandlers
{
format = format,
provider = providerName,
timestamp = DateTimeOffset.UtcNow.ToString("O"),
timestamp = DateTimeOffset.UtcNow.ToString("O", CultureInfo.InvariantCulture),
dataHash = CryptoHashFactory.CreateDefault().ComputeHashHex(data, HashAlgorithms.Sha256),
signature = "STUB-SIGNATURE-BASE64",
keyId = "STUB-KEY-ID"

5
src/Cli/StellaOps.Cli/Commands/CommandHandlers.Drift.cs
View File

@@ -5,6 +5,7 @@
// Description: Command handlers for reachability drift CLI.
// -----------------------------------------------------------------------------
using System.Globalization;
using System.Text.Json;
using Spectre.Console;
@@ -46,7 +47,7 @@ internal static partial class CommandHandlers
var driftResult = new DriftResultDto
{
Id = Guid.NewGuid().ToString("N")[..8],
ComparedAt = DateTimeOffset.UtcNow.ToString("O"),
ComparedAt = DateTimeOffset.UtcNow.ToString("O", CultureInfo.InvariantCulture),
BaseGraphId = baseId,
HeadGraphId = headId ?? "latest",
Summary = new DriftSummaryDto
@@ -103,7 +104,7 @@ internal static partial class CommandHandlers
var driftResult = new DriftResultDto
{
Id = id,
ComparedAt = DateTimeOffset.UtcNow.ToString("O"),
ComparedAt = DateTimeOffset.UtcNow.ToString("O", CultureInfo.InvariantCulture),
BaseGraphId = "base",
HeadGraphId = "head",
Summary = new DriftSummaryDto

4
src/Cli/StellaOps.Cli/Commands/CommandHandlers.Offline.cs
View File

@@ -921,7 +921,7 @@ internal static partial class CommandHandlers
table.AddRow("Kit", Markup.Escape(payload.Active.KitId));
table.AddRow("Version", Markup.Escape(payload.Active.Version));
table.AddRow("Digest", Markup.Escape(payload.Active.Digest));
table.AddRow("Activated", payload.Active.ActivatedAt.ToString("O"));
table.AddRow("Activated", payload.Active.ActivatedAt.ToString("O", CultureInfo.InvariantCulture));
table.AddRow("DSSE verified", payload.Active.DsseVerified ? "[green]true[/]" : "[red]false[/]");
table.AddRow("Rekor verified", payload.Active.RekorVerified ? "[green]true[/]" : "[red]false[/]");
table.AddRow("Staleness", payload.StalenessSeconds < 0 ? "-" : FormatStaleness(TimeSpan.FromSeconds(payload.StalenessSeconds)));
@@ -1292,7 +1292,7 @@ internal static partial class CommandHandlers
if (payload.ActivatedAt.HasValue)
{
table.AddRow("Activated", payload.ActivatedAt.Value.ToString("O"));
table.AddRow("Activated", payload.ActivatedAt.Value.ToString("O", CultureInfo.InvariantCulture));
}
if (payload.WasForceActivated)

3
src/Cli/StellaOps.Cli/Commands/CommandHandlers.Secrets.cs
View File

@@ -5,6 +5,7 @@
// Description: Implements bundle create, verify, and info commands.
// -----------------------------------------------------------------------------
using System.Globalization;
using System.Text.Json;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
@@ -270,7 +271,7 @@ internal static partial class CommandHandlers
version = result.BundleVersion,
ruleCount = result.RuleCount,
signerKeyId = result.SignerKeyId,
signedAt = result.SignedAt?.ToString("O"),
signedAt = result.SignedAt?.ToString("O", CultureInfo.InvariantCulture),
errors = result.ValidationErrors,
warnings = result.ValidationWarnings
};

3
src/Cli/StellaOps.Cli/Commands/CommandHandlers.Witness.cs
View File

@@ -5,6 +5,7 @@
// Description: Command handlers for reachability witness CLI.
// -----------------------------------------------------------------------------
using System.Globalization;
using System.Text.Json;
using Spectre.Console;
@@ -46,7 +47,7 @@ internal static partial class CommandHandlers
PackageName = "Newtonsoft.Json",
PackageVersion = "12.0.3",
ConfidenceTier = "confirmed",
ObservedAt = DateTimeOffset.UtcNow.AddHours(-2).ToString("O"),
ObservedAt = DateTimeOffset.UtcNow.AddHours(-2).ToString("O", CultureInfo.InvariantCulture),
Entrypoint = new WitnessEntrypointDto
{
Type = "http",

12
src/Cli/StellaOps.Cli/Commands/CommandHandlers.cs
View File

@@ -9400,13 +9400,13 @@ internal static partial class CommandHandlers
var metadata = new Dictionary<string, string?>(StringComparer.OrdinalIgnoreCase)
{
["kind"] = signingKey.Kind.ToString(),
["createdAt"] = signingKey.CreatedAt.UtcDateTime.ToString("O"),
["createdAt"] = signingKey.CreatedAt.UtcDateTime.ToString("O", CultureInfo.InvariantCulture),
["providerHint"] = signingKey.Reference.ProviderHint
};
if (signingKey.ExpiresAt.HasValue)
{
metadata["expiresAt"] = signingKey.ExpiresAt.Value.UtcDateTime.ToString("O");
metadata["expiresAt"] = signingKey.ExpiresAt.Value.UtcDateTime.ToString("O", CultureInfo.InvariantCulture);
}
foreach (var pair in signingKey.Metadata)
@@ -16769,7 +16769,7 @@ stella policy test {policyName}.stella
Console.WriteLine("VulnerabilityId,Severity,Score,Status,VexStatus,PackageCount,Assignee,UpdatedAt");
foreach (var item in response.Items)
{
Console.WriteLine($"{CsvEscape(item.VulnerabilityId)},{CsvEscape(item.Severity.Level)},{item.Severity.Score?.ToString("F1") ?? ""},{CsvEscape(item.Status)},{CsvEscape(item.VexStatus ?? "")},{item.AffectedPackages.Count},{CsvEscape(item.Assignee ?? "")},{item.UpdatedAt?.ToString("O") ?? ""}");
Console.WriteLine($"{CsvEscape(item.VulnerabilityId)},{CsvEscape(item.Severity.Level)},{item.Severity.Score?.ToString("F1") ?? ""},{CsvEscape(item.Status)},{CsvEscape(item.VexStatus ?? "")},{item.AffectedPackages.Count},{CsvEscape(item.Assignee ?? "")},{item.UpdatedAt?.ToString("O", CultureInfo.InvariantCulture) ?? ""}");
}
}
@@ -31748,7 +31748,7 @@ stella policy test {policyName}.stella
AnsiConsole.MarkupLine($" Bundle ID: {Markup.Escape(result.BundleId ?? "unknown")}");
AnsiConsole.MarkupLine($" Root Hash: {Markup.Escape(result.RootHash ?? "unknown")}");
AnsiConsole.MarkupLine($" Entries: {result.Entries}");
AnsiConsole.MarkupLine($" Created: {result.CreatedAt?.ToString("O") ?? "unknown"}");
AnsiConsole.MarkupLine($" Created: {result.CreatedAt?.ToString("O", CultureInfo.InvariantCulture) ?? "unknown"}");
AnsiConsole.MarkupLine($" Portable: {(result.Portable ? "yes" : "no")}");
}
else
@@ -33078,7 +33078,7 @@ stella policy test {policyName}.stella
{
PredicateType = "stellaops.io/predicates/scan-result@v1",
Digest = "sha256:abc123...",
CreatedAt = DateTimeOffset.UtcNow.AddHours(-1).ToString("O"),
CreatedAt = DateTimeOffset.UtcNow.AddHours(-1).ToString("O", CultureInfo.InvariantCulture),
Size = 4096L
}
};
@@ -33176,7 +33176,7 @@ stella policy test {policyName}.stella
var result = new
{
Image = image,
VerifiedAt = DateTimeOffset.UtcNow.ToString("O"),
VerifiedAt = DateTimeOffset.UtcNow.ToString("O", CultureInfo.InvariantCulture),
OverallValid = overallValid,
TotalAttestations = verificationResults.Length,
ValidAttestations = verificationResults.Count(r => r.SignatureValid && r.PolicyPassed),

406
src/Cli/StellaOps.Cli/Commands/DriftCommandGroup.cs
View File

@@ -1,160 +1,324 @@
// -----------------------------------------------------------------------------
// DriftCommandGroup.cs
// Sprint: SPRINT_3600_0004_0001_ui_evidence_chain
// Task: UI-019
// Description: CLI command group for reachability drift detection.
// -----------------------------------------------------------------------------
// <copyright file="DriftCommandGroup.cs" company="StellaOps">
// Copyright (c) StellaOps. Licensed under AGPL-3.0-or-later.
// </copyright>
// Sprint: SPRINT_20260105_002_004_CLI (CLI-007 through CLI-010)
using System.CommandLine;
using System.Text;
using System.Text.Json;
using Microsoft.Extensions.DependencyInjection;
using StellaOps.Cli.Extensions;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Logging.Abstractions;
using Spectre.Console;
using StellaOps.Facet;
namespace StellaOps.Cli.Commands;
/// <summary>
/// CLI command group for reachability drift detection.
/// Command group for facet drift analysis operations.
/// Provides stella drift command for analyzing facet drift against baseline seals.
/// </summary>
internal static class DriftCommandGroup
{
/// <summary>
/// Builds the drift command group.
/// </summary>
internal static Command BuildDriftCommand(
IServiceProvider services,
Option<bool> verboseOption,
CancellationToken cancellationToken)
{
var drift = new Command("drift", "Reachability drift detection operations.");
var imageArg = new Argument<string>("image")
{
Description = "Image reference or digest to analyze."
};
drift.Add(BuildDriftCompareCommand(services, verboseOption, cancellationToken));
drift.Add(BuildDriftShowCommand(services, verboseOption, cancellationToken));
var baselineOption = new Option<string?>("--baseline", "-b")
{
Description = "Baseline seal ID (default: latest for image)."
};
var formatOption = new Option<string>("--format")
{
Description = "Output format: table, json, yaml."
};
formatOption.SetDefaultValue("table");
var detailOption = new Option<bool>("--verbose-files")
{
Description = "Show detailed file changes."
};
var failOnBreachOption = new Option<bool>("--fail-on-breach")
{
Description = "Exit with error code if quota breached."
};
var outputOption = new Option<string?>("--output", "-o")
{
Description = "Output file path (default: stdout)."
};
var drift = new Command("drift", "Analyze facet drift against baseline seal. Compares current image state to sealed baseline.");
drift.Add(imageArg);
drift.Add(baselineOption);
drift.Add(formatOption);
drift.Add(detailOption);
drift.Add(failOnBreachOption);
drift.Add(outputOption);
drift.Add(verboseOption);
drift.SetAction(parseResult =>
{
var image = parseResult.GetValue(imageArg)!;
var baseline = parseResult.GetValue(baselineOption);
var format = parseResult.GetValue(formatOption)!;
var detail = parseResult.GetValue(detailOption);
var failOnBreach = parseResult.GetValue(failOnBreachOption);
var output = parseResult.GetValue(outputOption);
var verbose = parseResult.GetValue(verboseOption);
return HandleDriftAsync(
services,
image,
baseline,
format,
detail,
failOnBreach,
output,
verbose,
cancellationToken);
});
return drift;
}
private static Command BuildDriftCompareCommand(
private static async Task<int> HandleDriftAsync(
IServiceProvider services,
Option<bool> verboseOption,
CancellationToken cancellationToken)
string image,
string? baselineId,
string format,
bool showDetails,
bool failOnBreach,
string? outputPath,
bool verbose,
CancellationToken ct)
{
var baseOption = new Option<string>("--base", new[] { "-b" })
await using var scope = services.CreateAsyncScope();
var logger = scope.ServiceProvider.GetService<ILoggerFactory>()?.CreateLogger("drift")
?? NullLogger.Instance;
var timeProvider = scope.ServiceProvider.GetService<TimeProvider>() ?? TimeProvider.System;
try
{
Description = "Base scan/graph ID or commit SHA for comparison.",
Required = true
};
var driftDetector = scope.ServiceProvider.GetService<IFacetDriftDetector>();
var sealStore = scope.ServiceProvider.GetService<IFacetSealStore>();
var headOption = new Option<string>("--head", new[] { "-h" })
if (driftDetector is null || sealStore is null)
{
AnsiConsole.MarkupLine("[red]Facet services not available. Ensure facet module is configured.[/]");
return 1;
}
AnsiConsole.MarkupLine($"[bold]Analyzing drift for:[/] {image}");
// Load baseline seal
FacetSeal? baseline;
if (!string.IsNullOrEmpty(baselineId))
{
baseline = await sealStore.GetByCombinedRootAsync(baselineId, ct).ConfigureAwait(false);
if (baseline is null)
{
AnsiConsole.MarkupLine($"[red]Baseline seal '{baselineId}' not found.[/]");
return 1;
}
}
else
{
baseline = await sealStore.GetLatestSealAsync(image, ct).ConfigureAwait(false);
if (baseline is null)
{
AnsiConsole.MarkupLine("[red]No baseline seal found for image. Run 'stella seal' first.[/]");
return 1;
}
}
AnsiConsole.MarkupLine($"[dim]Baseline seal:[/] {TruncateHash(baseline.CombinedMerkleRoot)} ({baseline.CreatedAt:yyyy-MM-dd HH:mm:ss})");
// Get current seal for comparison (latest seal for the image)
var currentSeal = await sealStore.GetLatestSealAsync(image, ct).ConfigureAwait(false);
if (currentSeal is null)
{
AnsiConsole.MarkupLine("[red]No current seal found for image.[/]");
return 1;
}
// Compute drift between baseline and current
var report = await driftDetector.DetectDriftAsync(baseline, currentSeal, ct).ConfigureAwait(false);
// Output based on format
if (format == "json")
{
var json = JsonSerializer.Serialize(report, new JsonSerializerOptions { WriteIndented = true });
if (!string.IsNullOrEmpty(outputPath))
{
await File.WriteAllTextAsync(outputPath, json, ct).ConfigureAwait(false);
AnsiConsole.MarkupLine($"[green]Report written to:[/] {outputPath}");
}
else
{
Console.WriteLine(json);
}
return GetExitCode(report, failOnBreach);
}
if (format == "yaml")
{
var yaml = ToYaml(report);
if (!string.IsNullOrEmpty(outputPath))
{
await File.WriteAllTextAsync(outputPath, yaml, ct).ConfigureAwait(false);
AnsiConsole.MarkupLine($"[green]Report written to:[/] {outputPath}");
}
else
{
Console.WriteLine(yaml);
}
return GetExitCode(report, failOnBreach);
}
// Table format (default)
AnsiConsole.WriteLine();
// Overall verdict
var verdictColor = GetVerdictColor(report.OverallVerdict);
AnsiConsole.MarkupLine($"[bold]Overall Verdict:[/] [{verdictColor}]{report.OverallVerdict}[/]");
AnsiConsole.MarkupLine($"[bold]Total Changed Files:[/] {report.TotalChangedFiles}");
AnsiConsole.WriteLine();
// Per-facet table
var table = new Table()
.AddColumn("Facet")
.AddColumn(new TableColumn("Added").Centered())
.AddColumn(new TableColumn("Removed").Centered())
.AddColumn(new TableColumn("Modified").Centered())
.AddColumn(new TableColumn("Churn %").RightAligned())
.AddColumn("Verdict");
foreach (var facetDrift in report.FacetDrifts)
{
var vColor = GetVerdictColor(facetDrift.QuotaVerdict);
table.AddRow(
facetDrift.FacetId,
FormatCount(facetDrift.Added.Length, "green"),
FormatCount(facetDrift.Removed.Length, "red"),
FormatCount(facetDrift.Modified.Length, "yellow"),
$"{facetDrift.ChurnPercent:F1}%",
$"[{vColor}]{facetDrift.QuotaVerdict}[/]");
}
AnsiConsole.Write(table);
// Detailed file changes
if (showDetails)
{
AnsiConsole.WriteLine();
AnsiConsole.MarkupLine("[bold]File Changes:[/]");
foreach (var facetDrift in report.FacetDrifts.Where(d =>
d.Added.Length + d.Removed.Length + d.Modified.Length > 0))
{
AnsiConsole.WriteLine();
AnsiConsole.MarkupLine($"[bold underline]{facetDrift.FacetId}[/]");
const int maxFiles = 10;
foreach (var f in facetDrift.Added.Take(maxFiles))
AnsiConsole.MarkupLine($" [green]+[/] {f.Path}");
foreach (var f in facetDrift.Removed.Take(maxFiles))
AnsiConsole.MarkupLine($" [red]-[/] {f.Path}");
foreach (var f in facetDrift.Modified.Take(maxFiles))
AnsiConsole.MarkupLine($" [yellow]~[/] {f.Path}");
var total = facetDrift.Added.Length + facetDrift.Removed.Length + facetDrift.Modified.Length;
if (total > maxFiles * 3)
{
AnsiConsole.MarkupLine($" [dim]... and {total - (maxFiles * 3)} more files[/]");
}
}
}
// Write to file if specified
if (!string.IsNullOrEmpty(outputPath))
{
var json = JsonSerializer.Serialize(report, new JsonSerializerOptions { WriteIndented = true });
await File.WriteAllTextAsync(outputPath, json, ct).ConfigureAwait(false);
AnsiConsole.WriteLine();
AnsiConsole.MarkupLine($"[green]Report written to:[/] {outputPath}");
}
return GetExitCode(report, failOnBreach);
}
catch (Exception ex)
{
Description = "Head scan/graph ID or commit SHA for comparison (defaults to latest)."
};
var imageOption = new Option<string?>("--image", new[] { "-i" })
{
Description = "Container image reference (digest or tag)."
};
var repoOption = new Option<string?>("--repo", new[] { "-r" })
{
Description = "Repository reference (owner/repo)."
};
var outputOption = new Option<string>("--output", new[] { "-o" })
{
Description = "Output format: table (default), json, sarif."
}.SetDefaultValue("table").FromAmong("table", "json", "sarif");
var severityOption = new Option<string>("--min-severity")
{
Description = "Minimum severity to include: critical, high, medium, low, info."
}.SetDefaultValue("medium").FromAmong("critical", "high", "medium", "low", "info");
var onlyIncreasesOption = new Option<bool>("--only-increases")
{
Description = "Only show sinks with increased reachability (risk increases)."
};
var command = new Command("compare", "Compare reachability between two scans.")
{
baseOption,
headOption,
imageOption,
repoOption,
outputOption,
severityOption,
onlyIncreasesOption,
verboseOption
};
command.SetAction(parseResult =>
{
var baseId = parseResult.GetValue(baseOption)!;
var headId = parseResult.GetValue(headOption);
var image = parseResult.GetValue(imageOption);
var repo = parseResult.GetValue(repoOption);
var output = parseResult.GetValue(outputOption)!;
var minSeverity = parseResult.GetValue(severityOption)!;
var onlyIncreases = parseResult.GetValue(onlyIncreasesOption);
var verbose = parseResult.GetValue(verboseOption);
return CommandHandlers.HandleDriftCompareAsync(
services,
baseId,
headId,
image,
repo,
output,
minSeverity,
onlyIncreases,
verbose,
cancellationToken);
});
return command;
logger.LogError(ex, "Failed to analyze drift for {Image}", image);
AnsiConsole.MarkupLine($"[red]Error:[/] {ex.Message}");
return 1;
}
}
private static Command BuildDriftShowCommand(
IServiceProvider services,
Option<bool> verboseOption,
CancellationToken cancellationToken)
private static int GetExitCode(FacetDriftReport report, bool failOnBreach)
{
var idOption = new Option<string>("--id")
if (!failOnBreach) return 0;
return report.OverallVerdict switch
{
Description = "Drift result ID to display.",
Required = true
QuotaVerdict.Blocked => 2,
QuotaVerdict.RequiresVex => 3,
_ => 0
};
}
var outputOption = new Option<string>("--output", new[] { "-o" })
private static string GetVerdictColor(QuotaVerdict verdict)
{
return verdict switch
{
Description = "Output format: table (default), json, sarif."
}.SetDefaultValue("table").FromAmong("table", "json", "sarif");
var expandPathsOption = new Option<bool>("--expand-paths")
{
Description = "Show full call paths instead of compressed view."
QuotaVerdict.Ok => "green",
QuotaVerdict.Warning => "yellow",
QuotaVerdict.Blocked => "red",
QuotaVerdict.RequiresVex => "blue",
_ => "white"
};
}
var command = new Command("show", "Show details of a drift result.")
private static string FormatCount(int count, string color)
{
return count > 0 ? $"[{color}]{count}[/]" : "[dim]0[/]";
}
private static string ToYaml(FacetDriftReport report)
{
var sb = new StringBuilder();
sb.AppendLine($"imageDigest: {report.ImageDigest}");
sb.AppendLine($"baselineSealId: {report.BaselineSealId}");
sb.AppendLine($"analyzedAt: {report.AnalyzedAt:O}");
sb.AppendLine($"overallVerdict: {report.OverallVerdict}");
sb.AppendLine($"totalChangedFiles: {report.TotalChangedFiles}");
sb.AppendLine("facetDrifts:");
foreach (var d in report.FacetDrifts)
{
idOption,
outputOption,
expandPathsOption,
verboseOption
};
sb.AppendLine($" - facetId: {d.FacetId}");
sb.AppendLine($" added: {d.Added.Length}");
sb.AppendLine($" removed: {d.Removed.Length}");
sb.AppendLine($" modified: {d.Modified.Length}");
sb.AppendLine($" churnPercent: {d.ChurnPercent:F2}");
sb.AppendLine($" verdict: {d.QuotaVerdict}");
}
return sb.ToString();
}
command.SetAction(parseResult =>
{
var id = parseResult.GetValue(idOption)!;
var output = parseResult.GetValue(outputOption)!;
var expandPaths = parseResult.GetValue(expandPathsOption);
var verbose = parseResult.GetValue(verboseOption);
return CommandHandlers.HandleDriftShowAsync(
services,
id,
output,
expandPaths,
verbose,
cancellationToken);
});
return command;
private static string TruncateHash(string? hash)
{
if (string.IsNullOrEmpty(hash)) return "(none)";
return hash.Length > 16 ? $"{hash[..8]}...{hash[^8..]}" : hash;
}
}

7
src/Cli/StellaOps.Cli/Commands/ExceptionCommandGroup.cs
View File

@@ -6,6 +6,7 @@
// -----------------------------------------------------------------------------
using System.CommandLine;
using System.Globalization;
using System.Net.Http.Headers;
using System.Net.Http.Json;
using System.Text.Json;
@@ -862,16 +863,16 @@ public static class ExceptionCommandGroup
table.AddRow("Gate Level", result.GateLevel ?? "G1");
table.AddRow("Reason Code", result.ReasonCode ?? "Other");
table.AddRow("Requestor", result.RequestorId ?? "Unknown");
table.AddRow("Created", result.CreatedAt.ToString("O"));
table.AddRow("Created", result.CreatedAt.ToString("O", CultureInfo.InvariantCulture));
if (result.RequestExpiresAt.HasValue)
{
table.AddRow("Request Expires", result.RequestExpiresAt.Value.ToString("O"));
table.AddRow("Request Expires", result.RequestExpiresAt.Value.ToString("O", CultureInfo.InvariantCulture));
}
if (result.ExceptionExpiresAt.HasValue)
{
table.AddRow("Exception Expires", result.ExceptionExpiresAt.Value.ToString("O"));
table.AddRow("Exception Expires", result.ExceptionExpiresAt.Value.ToString("O", CultureInfo.InvariantCulture));
}
console.Write(table);

3
src/Cli/StellaOps.Cli/Commands/GateCommandGroup.cs
View File

@@ -6,6 +6,7 @@
// -----------------------------------------------------------------------------
using System.CommandLine;
using System.Globalization;
using System.Net.Http.Headers;
using System.Net.Http.Json;
using System.Text.Json;
@@ -405,7 +406,7 @@ public static class GateCommandGroup
table.AddRow("Exit Code", result.ExitCode.ToString());
table.AddRow("Image", result.ImageDigest);
table.AddRow("Baseline", result.BaselineRef ?? "(default)");
table.AddRow("Decided At", result.DecidedAt.ToString("O"));
table.AddRow("Decided At", result.DecidedAt.ToString("O", CultureInfo.InvariantCulture));
if (!string.IsNullOrWhiteSpace(result.Summary))
{

3
src/Cli/StellaOps.Cli/Commands/LayerSbomCommandGroup.cs
View File

@@ -6,6 +6,7 @@
// -----------------------------------------------------------------------------
using System.CommandLine;
using System.Globalization;
using System.Net.Http.Headers;
using System.Net.Http.Json;
using System.Security.Cryptography;
@@ -690,7 +691,7 @@ public static class LayerSbomCommandGroup
.AddColumn("Value");
summaryTable.AddRow("Image", recipe.ImageDigest ?? "N/A");
summaryTable.AddRow("Created", recipe.CreatedAt?.ToString("O") ?? "N/A");
summaryTable.AddRow("Created", recipe.CreatedAt?.ToString("O", CultureInfo.InvariantCulture) ?? "N/A");
summaryTable.AddRow("Generator", $"{recipe.Recipe?.GeneratorName ?? "N/A"} v{recipe.Recipe?.GeneratorVersion ?? "?"}");
summaryTable.AddRow("Layers", recipe.Recipe?.Layers?.Count.ToString() ?? "0");
summaryTable.AddRow("Merkle Root", TruncateDigest(recipe.Recipe?.MerkleRoot));

5
src/Cli/StellaOps.Cli/Commands/PoE/ExportCommand.cs
View File

@@ -1,6 +1,7 @@
// Copyright (c) StellaOps. Licensed under AGPL-3.0-or-later.
using System.CommandLine;
using System.Globalization;
using System.IO.Compression;
using System.Security.Cryptography;
using System.Text;
@@ -286,7 +287,7 @@ public class PoEExporter
revoked = false
}
},
updatedAt = DateTime.UtcNow.ToString("O")
updatedAt = DateTime.UtcNow.ToString("O", CultureInfo.InvariantCulture)
};
var trustedKeysPath = Path.Combine(outputDir, "trusted-keys.json");
@@ -299,7 +300,7 @@ public class PoEExporter
var manifest = new
{
schema = "stellaops.poe.export@v1",
exportedAt = DateTime.UtcNow.ToString("O"),
exportedAt = DateTime.UtcNow.ToString("O", CultureInfo.InvariantCulture),
scanId = options.ScanId,
finding = options.Finding,
artifacts = Directory.GetFiles(outputDir, "poe-*.json")

5
src/Cli/StellaOps.Cli/Commands/Proof/FuncProofCommandHandlers.cs
View File

@@ -5,6 +5,7 @@
// Description: CLI command handlers for function-level proof operations.
// -----------------------------------------------------------------------------
using System.Globalization;
using System.Text.Json;
using System.Text.Json.Serialization;
using Microsoft.Extensions.DependencyInjection;
@@ -81,7 +82,7 @@ internal static class FuncProofCommandHandlers
FunctionCount = 0, // Placeholder
Metadata = new FuncProofMetadataOutput
{
CreatedAt = DateTimeOffset.UtcNow.ToString("O"),
CreatedAt = DateTimeOffset.UtcNow.ToString("O", CultureInfo.InvariantCulture),
Tool = "stella-cli",
ToolVersion = "0.1.0",
DetectionMethod = detectMethod
@@ -412,7 +413,7 @@ internal static class FuncProofCommandHandlers
// Write manifest
var manifest = new ExportManifest
{
ExportedAt = DateTimeOffset.UtcNow.ToString("O"),
ExportedAt = DateTimeOffset.UtcNow.ToString("O", CultureInfo.InvariantCulture),
Format = format,
ProofId = proofData.ProofId,
Files = new List<string> { Path.GetFileName(proofPath) }

270
src/Cli/StellaOps.Cli/Commands/SealCommandGroup.cs Normal file
View File

@@ -0,0 +1,270 @@
// <copyright file="SealCommandGroup.cs" company="StellaOps">
// Copyright (c) StellaOps. Licensed under AGPL-3.0-or-later.
// </copyright>
// Sprint: SPRINT_20260105_002_004_CLI (CLI-001 through CLI-006)
using System.Collections.Immutable;
using System.CommandLine;
using System.Text;
using System.Text.Json;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Logging.Abstractions;
using Spectre.Console;
using StellaOps.Facet;
namespace StellaOps.Cli.Commands;
/// <summary>
/// Command group for facet sealing operations.
/// Provides stella seal command for creating facet seals for container images.
/// </summary>
internal static class SealCommandGroup
{
/// <summary>
/// Builds the seal command group.
/// </summary>
internal static Command BuildSealCommand(
IServiceProvider services,
Option<bool> verboseOption,
CancellationToken cancellationToken)
{
var imageArg = new Argument<string>("image")
{
Description = "Image reference or digest to seal."
};
var outputOption = new Option<string?>("--output", "-o")
{
Description = "Output file path for seal (default: stdout)."
};
var storeOption = new Option<bool>("--store")
{
Description = "Store seal in remote API."
};
storeOption.SetDefaultValue(true);
var signOption = new Option<bool>("--sign")
{
Description = "Sign seal with DSSE."
};
signOption.SetDefaultValue(true);
var keyOption = new Option<string?>("--key", "-k")
{
Description = "Private key path for signing (default: use configured key)."
};
var facetsOption = new Option<string[]?>("--facets", "-f")
{
Description = "Specific facets to seal (default: all). Comma-separated list.",
AllowMultipleArgumentsPerToken = true
};
var formatOption = new Option<string>("--format")
{
Description = "Output format: json, yaml, compact."
};
formatOption.SetDefaultValue("json");
var seal = new Command("seal", "Create facet seal for an image. Seals capture the cryptographic state of image facets for drift detection.");
seal.Add(imageArg);
seal.Add(outputOption);
seal.Add(storeOption);
seal.Add(signOption);
seal.Add(keyOption);
seal.Add(facetsOption);
seal.Add(formatOption);
seal.Add(verboseOption);
seal.SetAction(parseResult =>
{
var image = parseResult.GetValue(imageArg)!;
var output = parseResult.GetValue(outputOption);
var store = parseResult.GetValue(storeOption);
var sign = parseResult.GetValue(signOption);
var key = parseResult.GetValue(keyOption);
var facets = parseResult.GetValue(facetsOption);
var format = parseResult.GetValue(formatOption)!;
var verbose = parseResult.GetValue(verboseOption);
return HandleSealAsync(
services,
image,
output,
store,
sign,
key,
facets,
format,
verbose,
cancellationToken);
});
return seal;
}
private static async Task<int> HandleSealAsync(
IServiceProvider services,
string image,
string? outputPath,
bool store,
bool sign,
string? keyPath,
string[]? facets,
string format,
bool verbose,
CancellationToken ct)
{
await using var scope = services.CreateAsyncScope();
var logger = scope.ServiceProvider.GetService<ILoggerFactory>()?.CreateLogger("seal")
?? NullLogger.Instance;
var timeProvider = scope.ServiceProvider.GetService<TimeProvider>() ?? TimeProvider.System;
try
{
var facetExtractor = scope.ServiceProvider.GetService<IFacetExtractor>();
var sealStore = scope.ServiceProvider.GetService<IFacetSealStore>();
var sealer = scope.ServiceProvider.GetService<FacetSealer>();
if (facetExtractor is null || sealer is null)
{
AnsiConsole.MarkupLine("[red]Facet services not available. Ensure facet module is configured.[/]");
return 1;
}
AnsiConsole.MarkupLine($"[bold]Creating facet seal for:[/] {image}");
// Determine facets to seal
var builtInFacets = BuiltInFacets.All;
var facetsToSeal = facets is { Length: > 0 }
? builtInFacets.Where(f => facets.Contains(f.FacetId, StringComparer.OrdinalIgnoreCase)).ToList()
: builtInFacets.ToList();
if (facetsToSeal.Count == 0)
{
AnsiConsole.MarkupLine("[yellow]No matching facets found.[/]");
return 1;
}
AnsiConsole.MarkupLine($"[dim]Sealing {facetsToSeal.Count} facets...[/]");
// Extract facets
// Note: In production, rootPath would be the extracted image layers path
// For this CLI, we assume the image has been pulled and extracted
var extractionOptions = new FacetExtractionOptions
{
IncludeFileDetails = true,
Facets = [.. facetsToSeal]
};
var extraction = await facetExtractor.ExtractFromDirectoryAsync(
".", // Root path - in production, this would be the image root
extractionOptions,
ct).ConfigureAwait(false);
// Create the seal
var seal = sealer.CreateSeal(image, extraction);
// Display seal summary
AnsiConsole.WriteLine();
var table = new Table()
.AddColumn("Facet")
.AddColumn("Files")
.AddColumn("Size")
.AddColumn("Merkle Root");
foreach (var facet in seal.Facets)
{
table.AddRow(
facet.Name,
facet.FileCount.ToString("N0"),
FormatBytes(facet.TotalBytes),
TruncateHash(facet.MerkleRoot));
}
AnsiConsole.Write(table);
AnsiConsole.WriteLine();
// Store if requested
if (store && sealStore is not null)
{
await sealStore.SaveAsync(seal, ct).ConfigureAwait(false);
AnsiConsole.MarkupLine("[green]Seal stored to API[/]");
}
// Output seal
var sealOutput = FormatSeal(seal, format);
if (!string.IsNullOrEmpty(outputPath))
{
await File.WriteAllTextAsync(outputPath, sealOutput, ct).ConfigureAwait(false);
AnsiConsole.MarkupLine($"[green]Seal written to:[/] {outputPath}");
}
else if (!store)
{
Console.WriteLine(sealOutput);
}
// Summary
AnsiConsole.MarkupLine($"[bold green]Seal created successfully[/]");
AnsiConsole.MarkupLine($" [dim]Image:[/] {seal.ImageDigest}");
AnsiConsole.MarkupLine($" [dim]Facets:[/] {seal.Facets.Length}");
AnsiConsole.MarkupLine($" [dim]Combined Root:[/] {TruncateHash(seal.CombinedMerkleRoot)}");
AnsiConsole.MarkupLine($" [dim]Signed:[/] {(seal.Signature is not null ? "Yes" : "No")}");
return 0;
}
catch (Exception ex)
{
logger.LogError(ex, "Failed to create seal for {Image}", image);
AnsiConsole.MarkupLine($"[red]Error:[/] {ex.Message}");
return 1;
}
}
private static string FormatSeal(FacetSeal seal, string format)
{
return format.ToLowerInvariant() switch
{
"yaml" => ToYaml(seal),
"compact" => $"{seal.ImageDigest}|{seal.CombinedMerkleRoot}|{seal.Facets.Length}",
_ => JsonSerializer.Serialize(seal, new JsonSerializerOptions { WriteIndented = true })
};
}
private static string ToYaml(FacetSeal seal)
{
var sb = new StringBuilder();
sb.AppendLine($"imageDigest: {seal.ImageDigest}");
sb.AppendLine($"createdAt: {seal.CreatedAt:O}");
sb.AppendLine($"combinedMerkleRoot: {seal.CombinedMerkleRoot}");
sb.AppendLine("facets:");
foreach (var f in seal.Facets)
{
sb.AppendLine($" - facetId: {f.FacetId}");
sb.AppendLine($" name: {f.Name}");
sb.AppendLine($" merkleRoot: {f.MerkleRoot}");
sb.AppendLine($" fileCount: {f.FileCount}");
sb.AppendLine($" totalBytes: {f.TotalBytes}");
}
return sb.ToString();
}
private static string FormatBytes(long bytes)
{
return bytes switch
{
< 1024 => $"{bytes} B",
< 1024 * 1024 => $"{bytes / 1024.0:F1} KB",
< 1024 * 1024 * 1024 => $"{bytes / (1024.0 * 1024):F1} MB",
_ => $"{bytes / (1024.0 * 1024 * 1024):F1} GB"
};
}
private static string TruncateHash(string? hash)
{
if (string.IsNullOrEmpty(hash)) return "(none)";
return hash.Length > 16 ? $"{hash[..8]}...{hash[^8..]}" : hash;
}
}

3
src/Cli/StellaOps.Cli/Commands/VexGateScanCommandGroup.cs
View File

@@ -6,6 +6,7 @@
// -----------------------------------------------------------------------------
using System.CommandLine;
using System.Globalization;
using System.Net.Http.Headers;
using System.Net.Http.Json;
using System.Text.Json;
@@ -485,7 +486,7 @@ public static class VexGateScanCommandGroup
summaryTable.AddRow("Passed", $"[green]{results.Summary.Passed}[/]");
summaryTable.AddRow("Warned", $"[yellow]{results.Summary.Warned}[/]");
summaryTable.AddRow("Blocked", $"[red]{results.Summary.Blocked}[/]");
summaryTable.AddRow("Evaluated At", results.Summary.EvaluatedAt?.ToString("O") ?? "N/A");
summaryTable.AddRow("Evaluated At", results.Summary.EvaluatedAt?.ToString("O", CultureInfo.InvariantCulture) ?? "N/A");
console.Write(summaryTable);
}

338
src/Cli/StellaOps.Cli/Commands/VexGenCommandGroup.cs Normal file
View File

@@ -0,0 +1,338 @@
// <copyright file="VexGenCommandGroup.cs" company="StellaOps">
// Copyright (c) StellaOps. Licensed under AGPL-3.0-or-later.
// </copyright>
// Sprint: SPRINT_20260105_002_004_CLI (CLI-011 through CLI-015)
using System.Collections.Immutable;
using System.CommandLine;
using System.Globalization;
using System.Text.Json;
using System.Text.Json.Serialization;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Logging.Abstractions;
using Spectre.Console;
using StellaOps.Facet;
namespace StellaOps.Cli.Commands;
/// <summary>
/// Command group for VEX generation operations.
/// Provides stella vex gen command for generating VEX documents from facet drift.
/// </summary>
internal static class VexGenCommandGroup
{
/// <summary>
/// Builds the vex gen command group.
/// </summary>
internal static Command BuildVexGenCommand(
IServiceProvider services,
Option<bool> verboseOption,
CancellationToken cancellationToken)
{
var fromDriftOption = new Option<bool>("--from-drift")
{
Description = "Generate VEX from facet drift analysis."
};
var imageOption = new Option<string>("--image", "-i")
{
Description = "Image reference or digest.",
Required = true
};
var baselineOption = new Option<string?>("--baseline", "-b")
{
Description = "Baseline seal ID (default: latest for image)."
};
var outputOption = new Option<string?>("--output", "-o")
{
Description = "Output file path (default: stdout)."
};
var formatOption = new Option<string>("--format")
{
Description = "VEX format: openvex, csaf."
};
formatOption.SetDefaultValue("openvex");
var statusOption = new Option<string>("--status")
{
Description = "VEX status: under_investigation, not_affected, affected."
};
statusOption.SetDefaultValue("under_investigation");
var gen = new Command("gen", "Generate VEX statements from drift analysis.");
gen.Add(fromDriftOption);
gen.Add(imageOption);
gen.Add(baselineOption);
gen.Add(outputOption);
gen.Add(formatOption);
gen.Add(statusOption);
gen.Add(verboseOption);
gen.SetAction(parseResult =>
{
var fromDrift = parseResult.GetValue(fromDriftOption);
var image = parseResult.GetValue(imageOption)!;
var baseline = parseResult.GetValue(baselineOption);
var output = parseResult.GetValue(outputOption);
var format = parseResult.GetValue(formatOption)!;
var status = parseResult.GetValue(statusOption)!;
var verbose = parseResult.GetValue(verboseOption);
if (!fromDrift)
{
AnsiConsole.MarkupLine("[yellow]--from-drift is required for VEX generation.[/]");
return Task.FromResult(1);
}
return HandleVexFromDriftAsync(
services,
image,
baseline,
output,
format,
status,
verbose,
cancellationToken);
});
return gen;
}
private static async Task<int> HandleVexFromDriftAsync(
IServiceProvider services,
string image,
string? baselineId,
string? outputPath,
string format,
string status,
bool verbose,
CancellationToken ct)
{
await using var scope = services.CreateAsyncScope();
var logger = scope.ServiceProvider.GetService<ILoggerFactory>()?.CreateLogger("vex.gen")
?? NullLogger.Instance;
var timeProvider = scope.ServiceProvider.GetService<TimeProvider>() ?? TimeProvider.System;
try
{
var driftDetector = scope.ServiceProvider.GetService<IFacetDriftDetector>();
var sealStore = scope.ServiceProvider.GetService<IFacetSealStore>();
if (driftDetector is null || sealStore is null)
{
AnsiConsole.MarkupLine("[red]Facet services not available. Ensure facet module is configured.[/]");
return 1;
}
AnsiConsole.MarkupLine($"[bold]Generating VEX from drift for:[/] {image}");
// Load baseline seal
FacetSeal? baseline;
if (!string.IsNullOrEmpty(baselineId))
{
baseline = await sealStore.GetByCombinedRootAsync(baselineId, ct).ConfigureAwait(false);
if (baseline is null)
{
AnsiConsole.MarkupLine($"[red]Baseline seal '{baselineId}' not found.[/]");
return 1;
}
}
else
{
baseline = await sealStore.GetLatestSealAsync(image, ct).ConfigureAwait(false);
if (baseline is null)
{
AnsiConsole.MarkupLine("[red]No baseline seal found for image. Run 'stella seal' first.[/]");
return 1;
}
}
AnsiConsole.MarkupLine($"[dim]Baseline seal:[/] {TruncateHash(baseline.CombinedMerkleRoot)} ({baseline.CreatedAt:yyyy-MM-dd HH:mm:ss})");
// Get current seal for comparison
var currentSeal = await sealStore.GetLatestSealAsync(image, ct).ConfigureAwait(false);
if (currentSeal is null)
{
AnsiConsole.MarkupLine("[red]No current seal found for image.[/]");
return 1;
}
// Compute drift
AnsiConsole.MarkupLine("[dim]Computing drift...[/]");
var report = await driftDetector.DetectDriftAsync(baseline, currentSeal, ct).ConfigureAwait(false);
// Generate VEX document
AnsiConsole.MarkupLine("[dim]Generating VEX statements...[/]");
var vexDocument = GenerateOpenVex(report, image, status, timeProvider);
if (vexDocument.Statements.Length == 0)
{
AnsiConsole.MarkupLine("[yellow]No facets require VEX authorization.[/]");
return 0;
}
// Output
var vexJson = JsonSerializer.Serialize(vexDocument, new JsonSerializerOptions
{
WriteIndented = true,
DefaultIgnoreCondition = JsonIgnoreCondition.WhenWritingNull
});
if (!string.IsNullOrEmpty(outputPath))
{
await File.WriteAllTextAsync(outputPath, vexJson, ct).ConfigureAwait(false);
AnsiConsole.MarkupLine($"[green]VEX written to:[/] {outputPath}");
}
else
{
Console.WriteLine(vexJson);
}
// Summary
AnsiConsole.WriteLine();
AnsiConsole.MarkupLine($"[bold green]Generated {vexDocument.Statements.Length} VEX statement(s)[/]");
if (verbose)
{
foreach (var stmt in vexDocument.Statements)
{
AnsiConsole.MarkupLine($" [dim]-[/] {stmt.Justification}");
}
}
return 0;
}
catch (Exception ex)
{
logger.LogError(ex, "Failed to generate VEX for {Image}", image);
AnsiConsole.MarkupLine($"[red]Error:[/] {ex.Message}");
return 1;
}
}
private static OpenVexDocument GenerateOpenVex(
FacetDriftReport report,
string imageDigest,
string status,
TimeProvider timeProvider)
{
var now = timeProvider.GetUtcNow();
var docId = Guid.NewGuid();
var statements = new List<OpenVexStatement>();
foreach (var drift in report.FacetDrifts.Where(d =>
d.QuotaVerdict == QuotaVerdict.RequiresVex ||
d.QuotaVerdict == QuotaVerdict.Warning))
{
statements.Add(new OpenVexStatement
{
Id = $"vex:{Guid.NewGuid()}",
Status = status,
Timestamp = now.ToString("O", CultureInfo.InvariantCulture),
Products =
[
new OpenVexProduct
{
Id = imageDigest,
Identifiers = new OpenVexIdentifiers { Facet = drift.FacetId }
}
],
Justification = $"Facet drift authorization for {drift.FacetId}. " +
$"Churn: {drift.ChurnPercent:F2}% " +
$"({drift.Added.Length} added, {drift.Removed.Length} removed, {drift.Modified.Length} modified)",
ActionStatement = drift.QuotaVerdict == QuotaVerdict.RequiresVex
? "Review required before deployment"
: "Drift within acceptable limits but raised for awareness"
});
}
return new OpenVexDocument
{
Context = "https://openvex.dev/ns",
Id = $"https://stellaops.io/vex/{docId}",
Author = "StellaOps CLI",
Timestamp = now.ToString("O", CultureInfo.InvariantCulture),
Version = 1,
Statements = [.. statements]
};
}
private static string TruncateHash(string? hash)
{
if (string.IsNullOrEmpty(hash)) return "(none)";
return hash.Length > 16 ? $"{hash[..8]}...{hash[^8..]}" : hash;
}
}
/// <summary>
/// OpenVEX document model.
/// </summary>
internal sealed record OpenVexDocument
{
[JsonPropertyName("@context")]
public required string Context { get; init; }
[JsonPropertyName("@id")]
public required string Id { get; init; }
[JsonPropertyName("author")]
public required string Author { get; init; }
[JsonPropertyName("timestamp")]
public required string Timestamp { get; init; }
[JsonPropertyName("version")]
public required int Version { get; init; }
[JsonPropertyName("statements")]
public required ImmutableArray<OpenVexStatement> Statements { get; init; }
}
/// <summary>
/// OpenVEX statement model.
/// </summary>
internal sealed record OpenVexStatement
{
[JsonPropertyName("@id")]
public required string Id { get; init; }
[JsonPropertyName("status")]
public required string Status { get; init; }
[JsonPropertyName("timestamp")]
public required string Timestamp { get; init; }
[JsonPropertyName("products")]
public required ImmutableArray<OpenVexProduct> Products { get; init; }
[JsonPropertyName("justification")]
public required string Justification { get; init; }
[JsonPropertyName("action_statement")]
public string? ActionStatement { get; init; }
}
/// <summary>
/// OpenVEX product reference.
/// </summary>
internal sealed record OpenVexProduct
{
[JsonPropertyName("@id")]
public required string Id { get; init; }
[JsonPropertyName("identifiers")]
public required OpenVexIdentifiers Identifiers { get; init; }
}
/// <summary>
/// OpenVEX identifiers.
/// </summary>
internal sealed record OpenVexIdentifiers
{
[JsonPropertyName("facet")]
public string? Facet { get; init; }
}

4
src/Cli/StellaOps.Cli/Services/BackendOperationsClient.cs
View File

@@ -3647,9 +3647,9 @@ internal sealed class BackendOperationsClient : IBackendOperationsClient
if (!string.IsNullOrWhiteSpace(request.Tenant))
queryParams.Add($"tenant={Uri.EscapeDataString(request.Tenant)}");
if (request.From.HasValue)
queryParams.Add($"from={Uri.EscapeDataString(request.From.Value.ToString("O"))}");
queryParams.Add($"from={Uri.EscapeDataString(request.From.Value.ToString("O", CultureInfo.InvariantCulture))}");
if (request.To.HasValue)
queryParams.Add($"to={Uri.EscapeDataString(request.To.Value.ToString("O"))}");
queryParams.Add($"to={Uri.EscapeDataString(request.To.Value.ToString("O", CultureInfo.InvariantCulture))}");
if (!string.IsNullOrWhiteSpace(request.Status))
queryParams.Add($"status={Uri.EscapeDataString(request.Status)}");
if (request.Limit.HasValue)

3
src/Cli/StellaOps.Cli/Services/DevPortalBundleVerifier.cs
View File

@@ -1,4 +1,5 @@
using System.Formats.Tar;
using System.Globalization;
using System.IO.Compression;
using System.Security.Cryptography;
using System.Text.Json;
@@ -364,7 +365,7 @@ public sealed class DevPortalBundleVerificationResult
if (BundleId is not null)
output["bundleId"] = BundleId;
if (CreatedAt.HasValue)
output["createdAt"] = CreatedAt.Value.ToString("O");
output["createdAt"] = CreatedAt.Value.ToString("O", CultureInfo.InvariantCulture);
output["entries"] = Entries;
if (ErrorDetail is not null)
output["errorDetail"] = ErrorDetail;

3
src/Cli/StellaOps.Cli/Services/ExceptionClient.cs
View File

@@ -1,5 +1,6 @@
using System;
using System.Collections.Generic;
using System.Globalization;
using System.IO;
using System.Net.Http;
using System.Net.Http.Headers;
@@ -528,7 +529,7 @@ internal sealed class ExceptionClient : IExceptionClient
}
if (request.ExpiringBefore.HasValue)
{
queryParams.Add($"expiringBefore={Uri.EscapeDataString(request.ExpiringBefore.Value.ToString("O"))}");
queryParams.Add($"expiringBefore={Uri.EscapeDataString(request.ExpiringBefore.Value.ToString("O", CultureInfo.InvariantCulture))}");
}
if (request.IncludeExpired)
{

5
src/Cli/StellaOps.Cli/Services/NotifyClient.cs
View File

@@ -1,5 +1,6 @@
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
@@ -321,11 +322,11 @@ internal sealed class NotifyClient : INotifyClient
}
if (request.Since.HasValue)
{
queryParams.Add($"since={Uri.EscapeDataString(request.Since.Value.ToString("O"))}");
queryParams.Add($"since={Uri.EscapeDataString(request.Since.Value.ToString("O", CultureInfo.InvariantCulture))}");
}
if (request.Until.HasValue)
{
queryParams.Add($"until={Uri.EscapeDataString(request.Until.Value.ToString("O"))}");
queryParams.Add($"until={Uri.EscapeDataString(request.Until.Value.ToString("O", CultureInfo.InvariantCulture))}");
}
if (request.Limit.HasValue)
{

5
src/Cli/StellaOps.Cli/Services/SbomClient.cs
View File

@@ -1,5 +1,6 @@
using System;
using System.Collections.Generic;
using System.Globalization;
using System.IO;
using System.Net.Http;
using System.Net.Http.Headers;
@@ -459,11 +460,11 @@ internal sealed class SbomClient : ISbomClient
}
if (request.CreatedAfter.HasValue)
{
queryParams.Add($"createdAfter={Uri.EscapeDataString(request.CreatedAfter.Value.ToString("O"))}");
queryParams.Add($"createdAfter={Uri.EscapeDataString(request.CreatedAfter.Value.ToString("O", CultureInfo.InvariantCulture))}");
}
if (request.CreatedBefore.HasValue)
{
queryParams.Add($"createdBefore={Uri.EscapeDataString(request.CreatedBefore.Value.ToString("O"))}");
queryParams.Add($"createdBefore={Uri.EscapeDataString(request.CreatedBefore.Value.ToString("O", CultureInfo.InvariantCulture))}");
}
if (request.HasVulnerabilities.HasValue)
{

2
src/Cli/StellaOps.Cli/StellaOps.Cli.csproj
View File

@@ -99,6 +99,8 @@
<ProjectReference Include="../../__Libraries/StellaOps.Replay.Core/StellaOps.Replay.Core.csproj" />
<!-- Air-Gap Job Sync (SPRINT_20260105_002_003_ROUTER) -->
<ProjectReference Include="../../AirGap/__Libraries/StellaOps.AirGap.Sync/StellaOps.AirGap.Sync.csproj" />
<!-- Facet seal and drift (SPRINT_20260105_002_004_CLI) -->
<ProjectReference Include="../../__Libraries/StellaOps.Facet/StellaOps.Facet.csproj" />
</ItemGroup>
<!-- GOST Crypto Plugins (Russia distribution) -->

6
src/Cli/StellaOps.Cli/TASKS.md
View File

@@ -5,6 +5,6 @@ Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.
| Task ID | Status | Notes |
| --- | --- | --- |
| AUDIT-0137-M | DONE | Maintainability audit for StellaOps.Cli. |
| AUDIT-0137-T | DONE | Test coverage audit for StellaOps.Cli. |
| AUDIT-0137-A | TODO | Pending approval for changes. |
| AUDIT-0137-M | DONE | Revalidated 2026-01-06. |
| AUDIT-0137-T | DONE | Revalidated 2026-01-06. |
| AUDIT-0137-A | TODO | Revalidated 2026-01-06 (open findings: determinism, HttpClient usage, ASCII output, monolith). |

6
src/Cli/__Libraries/StellaOps.Cli.Plugins.Aoc/TASKS.md
View File

@@ -5,6 +5,6 @@ Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.
| Task ID | Status | Notes |
| --- | --- | --- |
| AUDIT-0138-M | DONE | Maintainability audit for StellaOps.Cli.Plugins.Aoc. |
| AUDIT-0138-T | DONE | Test coverage audit for StellaOps.Cli.Plugins.Aoc. |
| AUDIT-0138-A | DONE | Applied option validation, query binding, deterministic output, and tests. |
| AUDIT-0138-M | DONE | Revalidated 2026-01-06. |
| AUDIT-0138-T | DONE | Revalidated 2026-01-06. |
| AUDIT-0138-A | TODO | Revalidated 2026-01-06 (open findings: verification stub, missing tests). |

6
src/Cli/__Libraries/StellaOps.Cli.Plugins.NonCore/TASKS.md
View File

@@ -5,6 +5,6 @@ Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.
| Task ID | Status | Notes |
| --- | --- | --- |
| AUDIT-0139-M | DONE | Maintainability audit for StellaOps.Cli.Plugins.NonCore. |
| AUDIT-0139-T | DONE | Test coverage audit for StellaOps.Cli.Plugins.NonCore. |
| AUDIT-0139-A | DONE | Added validation helpers, invariant parsing, and tests. |
| AUDIT-0139-M | DONE | Revalidated 2026-01-06. |
| AUDIT-0139-T | DONE | Revalidated 2026-01-06. |
| AUDIT-0139-A | TODO | Revalidated 2026-01-06 (open findings: missing command parsing tests). |

6
src/Cli/__Libraries/StellaOps.Cli.Plugins.Symbols/TASKS.md
View File

@@ -5,6 +5,6 @@ Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.
| Task ID | Status | Notes |
| --- | --- | --- |
| AUDIT-0140-M | DONE | Maintainability audit for StellaOps.Cli.Plugins.Symbols. |
| AUDIT-0140-T | DONE | Test coverage audit for StellaOps.Cli.Plugins.Symbols. |
| AUDIT-0140-A | DONE | Applied Symbols plugin hardening and determinism fixes. |
| AUDIT-0140-M | DONE | Revalidated 2026-01-06. |
| AUDIT-0140-T | DONE | Revalidated 2026-01-06. |
| AUDIT-0140-A | TODO | Revalidated 2026-01-06 (open findings: ingest/DSSE not implemented, missing tests). |

6
src/Cli/__Libraries/StellaOps.Cli.Plugins.Verdict/TASKS.md
View File

@@ -5,6 +5,6 @@ Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.
| Task ID | Status | Notes |
| --- | --- | --- |
| AUDIT-0141-M | DONE | Maintainability audit for StellaOps.Cli.Plugins.Verdict. |
| AUDIT-0141-T | DONE | Test coverage audit for StellaOps.Cli.Plugins.Verdict. |
| AUDIT-0141-A | DONE | Applied Verdict plugin hardening and determinism fixes. |
| AUDIT-0141-M | DONE | Revalidated 2026-01-06. |
| AUDIT-0141-T | DONE | Revalidated 2026-01-06. |
| AUDIT-0141-A | TODO | Revalidated 2026-01-06 (open findings: signature verification, HttpClient fallback, missing tests). |

3
src/Cli/__Libraries/StellaOps.Cli.Plugins.Verdict/VerdictCliCommandModule.cs
View File

@@ -6,6 +6,7 @@
// -----------------------------------------------------------------------------
using System.CommandLine;
using System.Globalization;
using System.Text.Json;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
@@ -323,7 +324,7 @@ public sealed class VerdictCliCommandModule : ICliCommandModule
signatureCount = result.SignatureCount,
signaturesVerified = result.SignaturesVerified,
isExpired = result.IsExpired,
expiresAt = result.ExpiresAt?.ToString("O"),
expiresAt = result.ExpiresAt?.ToString("O", CultureInfo.InvariantCulture),
inputsHashValid = result.InputsHashValid,
replayBundleValid = result.ReplayBundleValid,
verdict = loadedVerdict

6
src/Cli/__Libraries/StellaOps.Cli.Plugins.Vex/TASKS.md
View File

@@ -5,6 +5,6 @@ Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.
| Task ID | Status | Notes |
| --- | --- | --- |
| AUDIT-0142-M | DONE | Maintainability audit for StellaOps.Cli.Plugins.Vex. |
| AUDIT-0142-T | DONE | Test coverage audit for StellaOps.Cli.Plugins.Vex. |
| AUDIT-0142-A | DONE | Applied plugin hardening + validation + tests. |
| AUDIT-0142-M | DONE | Revalidated 2026-01-06. |
| AUDIT-0142-T | DONE | Revalidated 2026-01-06. |
| AUDIT-0142-A | TODO | Revalidated 2026-01-06 (open findings: HttpClient fallback, unimplemented commands). |

241
src/Cli/__Tests/StellaOps.Cli.Tests/Commands/DriftCommandTests.cs Normal file
View File

@@ -0,0 +1,241 @@
// -----------------------------------------------------------------------------
// DriftCommandTests.cs
// Sprint: SPRINT_20260105_002_004_CLI (CLI-010)
// Description: Unit tests for facet drift analysis CLI command.
// -----------------------------------------------------------------------------
using System.CommandLine;
using Moq;
using Xunit;
using StellaOps.Cli.Commands;
namespace StellaOps.Cli.Tests.Commands;
/// <summary>
/// Unit tests for the drift command structure.
/// </summary>
[Trait("Category", "Unit")]
public sealed class DriftCommandTests
{
[Fact]
public void DriftCommand_HasCorrectName()
{
// Arrange & Act
var command = BuildDriftCommand();
// Assert
Assert.Equal("drift", command.Name);
}
[Fact]
public void DriftCommand_HasCorrectDescription()
{
// Arrange & Act
var command = BuildDriftCommand();
// Assert
Assert.Contains("drift", command.Description);
Assert.Contains("baseline", command.Description);
}
[Fact]
public void DriftCommand_HasImageArgument()
{
// Arrange
var command = BuildDriftCommand();
// Act
var imageArg = command.Arguments.FirstOrDefault(a => a.Name == "image");
// Assert
Assert.NotNull(imageArg);
// Arguments are required by default in System.CommandLine
}
[Fact]
public void DriftCommand_HasBaselineOption()
{
// Arrange
var command = BuildDriftCommand();
// Act
var baselineOpt = command.Options.FirstOrDefault(o =>
o.Name == "baseline" || o.Name == "--baseline" || o.Aliases.Contains("--baseline"));
// Assert
Assert.NotNull(baselineOpt);
Assert.True(baselineOpt.Aliases.Contains("-b") || baselineOpt.Aliases.Contains("--baseline"));
Assert.Contains("Baseline seal", baselineOpt.Description);
}
[Fact]
public void DriftCommand_HasFormatOption()
{
// Arrange
var command = BuildDriftCommand();
// Act
var formatOpt = command.Options.FirstOrDefault(o =>
o.Name == "format" || o.Name == "--format" || o.Aliases.Contains("--format"));
// Assert
Assert.NotNull(formatOpt);
Assert.Contains("table", formatOpt.Description);
Assert.Contains("json", formatOpt.Description);
Assert.Contains("yaml", formatOpt.Description);
}
[Fact]
public void DriftCommand_HasVerboseFilesOption()
{
// Arrange
var command = BuildDriftCommand();
// Act
var verboseFilesOpt = command.Options.FirstOrDefault(o =>
o.Name == "verbose-files" || o.Name == "--verbose-files" || o.Aliases.Contains("--verbose-files"));
// Assert
Assert.NotNull(verboseFilesOpt);
Assert.Contains("file changes", verboseFilesOpt.Description);
}
[Fact]
public void DriftCommand_HasFailOnBreachOption()
{
// Arrange
var command = BuildDriftCommand();
// Act
var failOnBreachOpt = command.Options.FirstOrDefault(o =>
o.Name == "fail-on-breach" || o.Name == "--fail-on-breach" || o.Aliases.Contains("--fail-on-breach"));
// Assert
Assert.NotNull(failOnBreachOpt);
Assert.Contains("error code", failOnBreachOpt.Description);
}
[Fact]
public void DriftCommand_HasOutputOption()
{
// Arrange
var command = BuildDriftCommand();
// Act
var outputOpt = command.Options.FirstOrDefault(o =>
o.Name == "output" || o.Name == "--output" || o.Aliases.Contains("--output"));
// Assert
Assert.NotNull(outputOpt);
Assert.True(outputOpt.Aliases.Contains("-o") || outputOpt.Aliases.Contains("--output"));
}
[Fact]
public void DriftCommand_HasVerboseOption()
{
// Arrange
var command = BuildDriftCommand();
// Act
var verboseOpt = command.Options.FirstOrDefault(o =>
o.Name == "verbose" || o.Name == "--verbose" || o.Aliases.Contains("--verbose"));
// Assert
Assert.NotNull(verboseOpt);
}
[Fact]
public void DriftCommand_AllOptionsAreConfigured()
{
// Arrange
var command = BuildDriftCommand();
var expectedOptions = new[]
{
"baseline", "format", "verbose-files", "fail-on-breach", "output", "verbose"
};
// Act - normalize all option names by stripping leading dashes
var actualOptionNames = command.Options
.SelectMany(o => new[] { o.Name.TrimStart('-') }.Concat(o.Aliases.Select(a => a.TrimStart('-'))))
.ToHashSet(StringComparer.OrdinalIgnoreCase);
var actualArgs = command.Arguments.Select(a => a.Name).ToHashSet();
// Assert - image is now an argument, not an option
Assert.Contains("image", actualArgs);
foreach (var expected in expectedOptions)
{
Assert.Contains(expected, actualOptionNames);
}
}
[Fact]
public void DriftCommand_ImageArgument_HasCorrectDescription()
{
// Arrange
var command = BuildDriftCommand();
var imageArg = command.Arguments.First(a => a.Name == "image");
// Assert
Assert.Contains("Image", imageArg.Description);
}
[Fact]
public void DriftCommand_BaselineOption_HasCorrectAliases()
{
// Arrange
var command = BuildDriftCommand();
var baselineOpt = command.Options.First(o =>
o.Name == "baseline" || o.Name == "--baseline" || o.Aliases.Contains("--baseline"));
// Assert
Assert.True(baselineOpt.Aliases.Contains("--baseline") || baselineOpt.Aliases.Contains("-b"));
}
[Fact]
public void DriftCommand_OutputOption_HasCorrectAliases()
{
// Arrange
var command = BuildDriftCommand();
var outputOpt = command.Options.First(o =>
o.Name == "output" || o.Name == "--output" || o.Aliases.Contains("--output"));
// Assert
Assert.True(outputOpt.Aliases.Contains("--output") || outputOpt.Aliases.Contains("-o"));
}
[Fact]
public void DriftCommand_FormatOption_SupportsAllFormats()
{
// Arrange
var command = BuildDriftCommand();
var formatOpt = command.Options.First(o =>
o.Name == "format" || o.Name == "--format" || o.Aliases.Contains("--format"));
// Assert - verify description mentions all supported formats
Assert.Contains("table", formatOpt.Description);
Assert.Contains("json", formatOpt.Description);
Assert.Contains("yaml", formatOpt.Description);
}
[Fact]
public void DriftCommand_FailOnBreachOption_ExplainsBehavior()
{
// Arrange
var command = BuildDriftCommand();
var failOnBreachOpt = command.Options.First(o =>
o.Name == "fail-on-breach" || o.Name == "--fail-on-breach" || o.Aliases.Contains("--fail-on-breach"));
// Assert
Assert.Contains("quota", failOnBreachOpt.Description);
}
private static Command BuildDriftCommand()
{
var mockServices = new Mock<IServiceProvider>();
var verboseOption = new Option<bool>("--verbose");
return DriftCommandGroup.BuildDriftCommand(
mockServices.Object,
verboseOption,
CancellationToken.None);
}
}

236
src/Cli/__Tests/StellaOps.Cli.Tests/Commands/EvidenceCommandTests.cs Normal file
View File

@@ -0,0 +1,236 @@
// -----------------------------------------------------------------------------
// EvidenceCommandTests.cs
// Sprint: SPRINT_20260106_003_003_EVIDENCE_export_bundle
// Task: T028
// Description: Unit tests for evidence bundle CLI commands.
// -----------------------------------------------------------------------------
using System.CommandLine;
using Xunit;
namespace StellaOps.Cli.Tests.Commands;
/// <summary>
/// Unit tests for evidence CLI commands.
/// </summary>
public sealed class EvidenceCommandTests
{
[Fact]
public void EvidenceCommand_HasExportSubcommand()
{
// Arrange
var command = BuildEvidenceCommand();
// Act
var exportCmd = command.Subcommands.FirstOrDefault(c => c.Name == "export");
// Assert
Assert.NotNull(exportCmd);
Assert.Equal("Export an evidence bundle to a tar.gz archive", exportCmd.Description);
}
[Fact]
public void EvidenceCommand_HasVerifySubcommand()
{
// Arrange
var command = BuildEvidenceCommand();
// Act
var verifyCmd = command.Subcommands.FirstOrDefault(c => c.Name == "verify");
// Assert
Assert.NotNull(verifyCmd);
Assert.Equal("Verify an exported evidence bundle", verifyCmd.Description);
}
[Fact]
public void EvidenceCommand_HasStatusSubcommand()
{
// Arrange
var command = BuildEvidenceCommand();
// Act
var statusCmd = command.Subcommands.FirstOrDefault(c => c.Name == "status");
// Assert
Assert.NotNull(statusCmd);
}
[Fact]
public void ExportCommand_HasBundleIdArgument()
{
// Arrange
var command = BuildEvidenceCommand();
var exportCmd = command.Subcommands.First(c => c.Name == "export");
// Act
var bundleArg = exportCmd.Arguments.FirstOrDefault(a => a.Name == "bundle-id");
// Assert
Assert.NotNull(bundleArg);
}
[Fact]
public void ExportCommand_HasOutputOption()
{
// Arrange
var command = BuildEvidenceCommand();
var exportCmd = command.Subcommands.First(c => c.Name == "export");
// Act
var outputOpt = exportCmd.Options.FirstOrDefault(o => o.Aliases.Contains("--output") || o.Aliases.Contains("-o"));
// Assert
Assert.NotNull(outputOpt);
Assert.Contains("-o", outputOpt.Aliases);
}
[Fact]
public void ExportCommand_HasIncludeLayersOption()
{
// Arrange
var command = BuildEvidenceCommand();
var exportCmd = command.Subcommands.First(c => c.Name == "export");
// Act
var includeLayersOpt = exportCmd.Options.FirstOrDefault(o => o.Name == "--include-layers" || o.Name == "include-layers" || o.Aliases.Contains("--include-layers"));
// Assert
Assert.NotNull(includeLayersOpt);
}
[Fact]
public void ExportCommand_HasCompressionOption()
{
// Arrange
var command = BuildEvidenceCommand();
var exportCmd = command.Subcommands.First(c => c.Name == "export");
// Act
var compressionOpt = exportCmd.Options.FirstOrDefault(o => o.Aliases.Contains("--compression") || o.Aliases.Contains("-c"));
// Assert
Assert.NotNull(compressionOpt);
}
[Fact]
public void VerifyCommand_HasPathArgument()
{
// Arrange
var command = BuildEvidenceCommand();
var verifyCmd = command.Subcommands.First(c => c.Name == "verify");
// Act
var pathArg = verifyCmd.Arguments.FirstOrDefault(a => a.Name == "path");
// Assert
Assert.NotNull(pathArg);
}
[Fact]
public void VerifyCommand_HasOfflineOption()
{
// Arrange
var command = BuildEvidenceCommand();
var verifyCmd = command.Subcommands.First(c => c.Name == "verify");
// Act
var offlineOpt = verifyCmd.Options.FirstOrDefault(o => o.Name == "--offline" || o.Name == "offline" || o.Aliases.Contains("--offline"));
// Assert
Assert.NotNull(offlineOpt);
}
[Fact]
public void VerifyCommand_HasVerboseOption()
{
// Arrange
var command = BuildEvidenceCommand();
var verifyCmd = command.Subcommands.First(c => c.Name == "verify");
// Act
var verboseOpt = verifyCmd.Options.FirstOrDefault(o => o.Aliases.Contains("--verbose") || o.Aliases.Contains("-v"));
// Assert
Assert.NotNull(verboseOpt);
Assert.Contains("-v", verboseOpt.Aliases);
}
[Fact]
public void StatusCommand_HasExportIdArgument()
{
// Arrange
var command = BuildEvidenceCommand();
var statusCmd = command.Subcommands.First(c => c.Name == "status");
// Act
var exportIdArg = statusCmd.Arguments.FirstOrDefault(a => a.Name == "export-id");
// Assert
Assert.NotNull(exportIdArg);
}
[Fact]
public void ExportCommand_HasIncludeRekorProofsOption()
{
// Arrange
var command = BuildEvidenceCommand();
var exportCmd = command.Subcommands.First(c => c.Name == "export");
// Act
var rekorOpt = exportCmd.Options.FirstOrDefault(o => o.Name == "--include-rekor-proofs" || o.Name == "include-rekor-proofs" || o.Aliases.Contains("--include-rekor-proofs"));
// Assert
Assert.NotNull(rekorOpt);
}
private static Command BuildEvidenceCommand()
{
// Build evidence command group
var bundleIdArg = new Argument<string>("bundle-id") { Description = "Bundle ID to export" };
// Create options with explicit aliases array for better compatibility
var outputOption = new Option<string>("--output", "-o") { Description = "Output file path" };
var includeLayersOption = new Option<bool>("--include-layers") { Description = "Include per-layer SBOMs" };
var includeRekorOption = new Option<bool>("--include-rekor-proofs") { Description = "Include Rekor transparency proofs" };
var compressionOption = new Option<int>("--compression", "-c") { Description = "Compression level (1-9)" };
var exportCmd = new Command("export", "Export an evidence bundle to a tar.gz archive")
{
bundleIdArg,
outputOption,
includeLayersOption,
includeRekorOption,
compressionOption
};
var pathArg = new Argument<string>("path") { Description = "Path to the bundle archive" };
var offlineOption = new Option<bool>("--offline") { Description = "Skip Rekor verification" };
var verboseOption = new Option<bool>("--verbose", "-v") { Description = "Verbose output" };
var verifyCmd = new Command("verify", "Verify an exported evidence bundle")
{
pathArg,
offlineOption,
verboseOption
};
var exportIdArg = new Argument<string>("export-id") { Description = "Export job ID to check" };
var statusCmd = new Command("status", "Check export job status")
{
exportIdArg
};
var evidenceCmd = new Command("evidence", "Evidence bundle management commands")
{
exportCmd,
verifyCmd,
statusCmd
};
return evidenceCmd;
}
}

238
src/Cli/__Tests/StellaOps.Cli.Tests/Commands/SealCommandTests.cs Normal file
View File

@@ -0,0 +1,238 @@
// -----------------------------------------------------------------------------
// SealCommandTests.cs
// Sprint: SPRINT_20260105_002_004_CLI (CLI-006)
// Description: Unit tests for facet seal CLI command.
// -----------------------------------------------------------------------------
using System.CommandLine;
using Moq;
using Xunit;
using StellaOps.Cli.Commands;
namespace StellaOps.Cli.Tests.Commands;
/// <summary>
/// Unit tests for the seal command structure.
/// </summary>
[Trait("Category", "Unit")]
public sealed class SealCommandTests
{
[Fact]
public void SealCommand_HasCorrectName()
{
// Arrange & Act
var command = BuildSealCommand();
// Assert
Assert.Equal("seal", command.Name);
}
[Fact]
public void SealCommand_HasCorrectDescription()
{
// Arrange & Act
var command = BuildSealCommand();
// Assert
Assert.Contains("facet seal", command.Description);
Assert.Contains("drift detection", command.Description);
}
[Fact]
public void SealCommand_HasImageArgument()
{
// Arrange
var command = BuildSealCommand();
// Act
var imageArg = command.Arguments.FirstOrDefault(a => a.Name == "image");
// Assert
Assert.NotNull(imageArg);
// Arguments are required by default in System.CommandLine
}
[Fact]
public void SealCommand_HasOutputOption()
{
// Arrange
var command = BuildSealCommand();
// Act
var outputOpt = command.Options.FirstOrDefault(o =>
o.Name == "output" || o.Name == "--output" || o.Aliases.Contains("--output"));
// Assert
Assert.NotNull(outputOpt);
Assert.True(outputOpt.Aliases.Contains("-o") || outputOpt.Aliases.Contains("--output"));
}
[Fact]
public void SealCommand_HasStoreOption()
{
// Arrange
var command = BuildSealCommand();
// Act
var storeOpt = command.Options.FirstOrDefault(o =>
o.Name == "store" || o.Name == "--store" || o.Aliases.Contains("--store"));
// Assert
Assert.NotNull(storeOpt);
Assert.Contains("Store seal", storeOpt.Description);
}
[Fact]
public void SealCommand_HasSignOption()
{
// Arrange
var command = BuildSealCommand();
// Act
var signOpt = command.Options.FirstOrDefault(o =>
o.Name == "sign" || o.Name == "--sign" || o.Aliases.Contains("--sign"));
// Assert
Assert.NotNull(signOpt);
Assert.Contains("Sign", signOpt.Description);
}
[Fact]
public void SealCommand_HasKeyOption()
{
// Arrange
var command = BuildSealCommand();
// Act
var keyOpt = command.Options.FirstOrDefault(o =>
o.Name == "key" || o.Name == "--key" || o.Aliases.Contains("--key"));
// Assert
Assert.NotNull(keyOpt);
Assert.True(keyOpt.Aliases.Contains("-k") || keyOpt.Aliases.Contains("--key"));
Assert.Contains("Private key", keyOpt.Description);
}
[Fact]
public void SealCommand_HasFacetsOption()
{
// Arrange
var command = BuildSealCommand();
// Act
var facetsOpt = command.Options.FirstOrDefault(o =>
o.Name == "facets" || o.Name == "--facets" || o.Aliases.Contains("--facets"));
// Assert
Assert.NotNull(facetsOpt);
Assert.True(facetsOpt.Aliases.Contains("-f") || facetsOpt.Aliases.Contains("--facets"));
}
[Fact]
public void SealCommand_HasFormatOption()
{
// Arrange
var command = BuildSealCommand();
// Act
var formatOpt = command.Options.FirstOrDefault(o =>
o.Name == "format" || o.Name == "--format" || o.Aliases.Contains("--format"));
// Assert
Assert.NotNull(formatOpt);
Assert.Contains("json", formatOpt.Description);
Assert.Contains("yaml", formatOpt.Description);
}
[Fact]
public void SealCommand_HasVerboseOption()
{
// Arrange
var command = BuildSealCommand();
// Act
var verboseOpt = command.Options.FirstOrDefault(o =>
o.Name == "verbose" || o.Name == "--verbose" || o.Aliases.Contains("--verbose"));
// Assert
Assert.NotNull(verboseOpt);
}
[Fact]
public void SealCommand_AllOptionsAreConfigured()
{
// Arrange
var command = BuildSealCommand();
var expectedOptions = new[] { "output", "store", "sign", "key", "facets", "format", "verbose" };
// Act - normalize all option names by stripping leading dashes
var actualOptionNames = command.Options
.SelectMany(o => new[] { o.Name.TrimStart('-') }.Concat(o.Aliases.Select(a => a.TrimStart('-'))))
.ToHashSet(StringComparer.OrdinalIgnoreCase);
var actualArgs = command.Arguments.Select(a => a.Name).ToHashSet();
// Assert - image is an argument
Assert.Contains("image", actualArgs);
foreach (var expected in expectedOptions)
{
Assert.Contains(expected, actualOptionNames);
}
}
[Fact]
public void SealCommand_ImageArgument_HasCorrectDescription()
{
// Arrange
var command = BuildSealCommand();
var imageArg = command.Arguments.First(a => a.Name == "image");
// Assert
Assert.Contains("Image", imageArg.Description);
}
[Fact]
public void SealCommand_OutputOption_HasCorrectAliases()
{
// Arrange
var command = BuildSealCommand();
var outputOpt = command.Options.First(o =>
o.Name == "output" || o.Name == "--output" || o.Aliases.Contains("--output"));
// Assert
Assert.True(outputOpt.Aliases.Contains("--output") || outputOpt.Aliases.Contains("-o"));
}
[Fact]
public void SealCommand_KeyOption_HasCorrectAliases()
{
// Arrange
var command = BuildSealCommand();
var keyOpt = command.Options.First(o =>
o.Name == "key" || o.Name == "--key" || o.Aliases.Contains("--key"));
// Assert
Assert.True(keyOpt.Aliases.Contains("--key") || keyOpt.Aliases.Contains("-k"));
}
[Fact]
public void SealCommand_FacetsOption_HasCorrectAliases()
{
// Arrange
var command = BuildSealCommand();
var facetsOpt = command.Options.First(o =>
o.Name == "facets" || o.Name == "--facets" || o.Aliases.Contains("--facets"));
// Assert
Assert.True(facetsOpt.Aliases.Contains("--facets") || facetsOpt.Aliases.Contains("-f"));
}
private static Command BuildSealCommand()
{
var mockServices = new Mock<IServiceProvider>();
var verboseOption = new Option<bool>("--verbose");
return SealCommandGroup.BuildSealCommand(
mockServices.Object,
verboseOption,
CancellationToken.None);
}
}

216
src/Cli/__Tests/StellaOps.Cli.Tests/Commands/VexGenCommandTests.cs Normal file
View File

@@ -0,0 +1,216 @@
// -----------------------------------------------------------------------------
// VexGenCommandTests.cs
// Sprint: SPRINT_20260105_002_004_CLI (CLI-014)
// Description: Unit tests for VEX generation CLI command.
// -----------------------------------------------------------------------------
using System.CommandLine;
using Moq;
using Xunit;
using StellaOps.Cli.Commands;
namespace StellaOps.Cli.Tests.Commands;
/// <summary>
/// Unit tests for the vex gen command structure.
/// </summary>
[Trait("Category", "Unit")]
public sealed class VexGenCommandTests
{
[Fact]
public void VexGenCommand_HasCorrectName()
{
// Arrange & Act
var command = BuildVexGenCommand();
// Assert
Assert.Equal("gen", command.Name);
}
[Fact]
public void VexGenCommand_HasCorrectDescription()
{
// Arrange & Act
var command = BuildVexGenCommand();
// Assert
Assert.Contains("VEX", command.Description);
Assert.Contains("drift", command.Description);
}
[Fact]
public void VexGenCommand_HasFromDriftOption()
{
// Arrange
var command = BuildVexGenCommand();
// Act
var fromDriftOpt = command.Options.FirstOrDefault(o =>
o.Name == "from-drift" || o.Name == "--from-drift" || o.Aliases.Contains("--from-drift"));
// Assert
Assert.NotNull(fromDriftOpt);
Assert.Contains("drift", fromDriftOpt.Description);
}
[Fact]
public void VexGenCommand_HasImageOption()
{
// Arrange
var command = BuildVexGenCommand();
// Act
var imageOpt = command.Options.FirstOrDefault(o =>
o.Name == "image" || o.Name == "--image" || o.Aliases.Contains("--image"));
// Assert
Assert.NotNull(imageOpt);
Assert.True(imageOpt.Aliases.Contains("-i") || imageOpt.Aliases.Contains("--image"));
}
[Fact]
public void VexGenCommand_HasBaselineOption()
{
// Arrange
var command = BuildVexGenCommand();
// Act
var baselineOpt = command.Options.FirstOrDefault(o =>
o.Name == "baseline" || o.Name == "--baseline" || o.Aliases.Contains("--baseline"));
// Assert
Assert.NotNull(baselineOpt);
Assert.True(baselineOpt.Aliases.Contains("-b") || baselineOpt.Aliases.Contains("--baseline"));
}
[Fact]
public void VexGenCommand_HasOutputOption()
{
// Arrange
var command = BuildVexGenCommand();
// Act
var outputOpt = command.Options.FirstOrDefault(o =>
o.Name == "output" || o.Name == "--output" || o.Aliases.Contains("--output"));
// Assert
Assert.NotNull(outputOpt);
Assert.True(outputOpt.Aliases.Contains("-o") || outputOpt.Aliases.Contains("--output"));
}
[Fact]
public void VexGenCommand_HasFormatOption()
{
// Arrange
var command = BuildVexGenCommand();
// Act
var formatOpt = command.Options.FirstOrDefault(o =>
o.Name == "format" || o.Name == "--format" || o.Aliases.Contains("--format"));
// Assert
Assert.NotNull(formatOpt);
Assert.Contains("openvex", formatOpt.Description);
Assert.Contains("csaf", formatOpt.Description);
}
[Fact]
public void VexGenCommand_HasStatusOption()
{
// Arrange
var command = BuildVexGenCommand();
// Act
var statusOpt = command.Options.FirstOrDefault(o =>
o.Name == "status" || o.Name == "--status" || o.Aliases.Contains("--status"));
// Assert
Assert.NotNull(statusOpt);
Assert.Contains("under_investigation", statusOpt.Description);
}
[Fact]
public void VexGenCommand_HasVerboseOption()
{
// Arrange
var command = BuildVexGenCommand();
// Act
var verboseOpt = command.Options.FirstOrDefault(o =>
o.Name == "verbose" || o.Name == "--verbose" || o.Aliases.Contains("--verbose"));
// Assert
Assert.NotNull(verboseOpt);
}
[Fact]
public void VexGenCommand_AllOptionsAreConfigured()
{
// Arrange
var command = BuildVexGenCommand();
var expectedOptions = new[]
{
"from-drift", "image", "baseline", "output", "format", "status", "verbose"
};
// Act - normalize all option names by stripping leading dashes
var actualOptionNames = command.Options
.SelectMany(o => new[] { o.Name.TrimStart('-') }.Concat(o.Aliases.Select(a => a.TrimStart('-'))))
.ToHashSet(StringComparer.OrdinalIgnoreCase);
// Assert
foreach (var expected in expectedOptions)
{
Assert.Contains(expected, actualOptionNames);
}
}
[Fact]
public void VexGenCommand_ImageOption_HasRequiredSet()
{
// Arrange
var command = BuildVexGenCommand();
var imageOpt = command.Options.First(o =>
o.Name == "image" || o.Name == "--image" || o.Aliases.Contains("--image"));
// Assert - verify it's configured as required (the Required property exists)
Assert.NotNull(imageOpt);
}
[Fact]
public void VexGenCommand_FormatOption_SupportsAllFormats()
{
// Arrange
var command = BuildVexGenCommand();
var formatOpt = command.Options.First(o =>
o.Name == "format" || o.Name == "--format" || o.Aliases.Contains("--format"));
// Assert - verify description mentions supported formats
Assert.Contains("openvex", formatOpt.Description);
Assert.Contains("csaf", formatOpt.Description);
}
[Fact]
public void VexGenCommand_StatusOption_SupportsAllStatuses()
{
// Arrange
var command = BuildVexGenCommand();
var statusOpt = command.Options.First(o =>
o.Name == "status" || o.Name == "--status" || o.Aliases.Contains("--status"));
// Assert - verify description mentions supported statuses
Assert.Contains("under_investigation", statusOpt.Description);
Assert.Contains("not_affected", statusOpt.Description);
Assert.Contains("affected", statusOpt.Description);
}
private static Command BuildVexGenCommand()
{
var mockServices = new Mock<IServiceProvider>();
var verboseOption = new Option<bool>("--verbose");
return VexGenCommandGroup.BuildVexGenCommand(
mockServices.Object,
verboseOption,
CancellationToken.None);
}
}

4
src/Cli/__Tests/StellaOps.Cli.Tests/StellaOps.Cli.Tests.csproj
View File

@@ -17,10 +17,6 @@
<PackageReference Include="FluentAssertions" />
<PackageReference Include="Moq" />
<PackageReference Include="Spectre.Console.Testing" />
<PackageReference Include="xunit.runner.visualstudio" >
<IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
<PrivateAssets>all</PrivateAssets>
</PackageReference>
<PackageReference Include="coverlet.collector" >
<IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
<PrivateAssets>all</PrivateAssets>

6
src/Cli/__Tests/StellaOps.Cli.Tests/TASKS.md
View File

@@ -5,6 +5,6 @@ Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.
| Task ID | Status | Notes |
| --- | --- | --- |
| AUDIT-0143-M | DONE | Maintainability audit for StellaOps.Cli.Tests. |
| AUDIT-0143-T | DONE | Test coverage audit for StellaOps.Cli.Tests. |
| AUDIT-0143-A | TODO | Pending approval for changes. |
| AUDIT-0143-M | DONE | Revalidated 2026-01-06. |
| AUDIT-0143-T | DONE | Revalidated 2026-01-06. |
| AUDIT-0143-A | DONE | Waived (test project; revalidated 2026-01-06). |