partly or unimplemented features - now implemented

2026-02-09 08:53:51 +02:00
parent 1bf6bbf395
commit 4bdc298ec1
674 changed files with 90194 additions and 2271 deletions
--- a/docs/features/unchecked/cli/baseline-selection-logic.md
+++ b/docs/features/unchecked/cli/baseline-selection-logic.md
@@ -0,0 +1,37 @@
+# Baseline Selection Logic (Last Green / Previous Release)
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+Compare feature infrastructure exists with services and CLI builder. The specific baseline selection logic (last green verdict, previous release tag) and its visibility to users may be partially implemented.
+
+## What's Implemented
+- **Compare Command Builder**: `src/Cli/StellaOps.Cli/Commands/Compare/CompareCommandBuilder.cs` -- `CompareCommandBuilder` (internal static class)
+  - Sprint: SPRINT_4200_0002_0004_cli_compare
+  - Implements `stella compare --base <digest> --target <digest>` with options: `--output table|json|sarif`, `--output-file <path>`, `--include-unchanged`
+  - Requires explicit `--base` and `--target` digest arguments (manual selection)
+- **Delta Scan**: `src/Cli/StellaOps.Cli/Commands/Scan/DeltaScanCommandGroup.cs` -- delta scan with baseline comparison
+- **VEX Gen Baseline**: `src/Cli/StellaOps.Cli/Commands/VexGenCommandGroup.cs` -- `--baseline <sealId>` option for facet drift baseline; defaults to latest seal for image
+- **Seal Store**: `IFacetSealStore.GetLatestSealAsync()` for retrieving most recent baseline
+
+## What's Missing
+- **Automatic "last green" selection**: No command or flag like `--baseline last-green` that automatically selects the most recent scan digest with a passing verdict
+- **Previous release tag resolution**: No `--baseline previous-release` that resolves the previous release tag from SCM/registry metadata
+- **Baseline suggestion in output**: Compare results do not suggest a recommended baseline when none is specified
+- **UI baseline picker**: Web UI does not surface baseline selection with "last green" / "previous release" presets
+
+## Implementation Plan
+- Add `--baseline-strategy last-green|previous-release|explicit` option to compare and delta-scan commands
+- Implement `IBaselineResolver` service with strategies for "last green verdict" (query verdict store for latest pass) and "previous release" (query registry for previous tag)
+- Wire baseline resolver into `CompareCommandBuilder` and `DeltaScanCommandGroup`
+- Add baseline suggestion panel to Web UI compare view
+- Add tests for each baseline strategy
+
+## Related Documentation
+- Compare command: `src/Cli/StellaOps.Cli/Commands/Compare/CompareCommandBuilder.cs`
+- Delta scan: `src/Cli/StellaOps.Cli/Commands/Scan/DeltaScanCommandGroup.cs`
+- VEX gen baseline: `src/Cli/StellaOps.Cli/Commands/VexGenCommandGroup.cs`
--- a/docs/features/unchecked/cli/cli-parity.md
+++ b/docs/features/unchecked/cli/cli-parity.md
@@ -0,0 +1,40 @@
+# CLI Parity (stella advise)
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+The CLI infrastructure is extensive but a dedicated `stella advise` command with `--evidence --no-action` flags as described is not explicitly found. However, the `stella advise ask` command does exist with these flags.
+
+## What's Implemented
+- **Advise Chat Command Group**: `src/Cli/StellaOps.Cli/Commands/Advise/AdviseChatCommandGroup.cs` -- `AdviseChatCommandGroup` (internal static class)
+  - Implements `stella advise ask <query>` with options:
+    - `--image <ref>` / `--digest <digest>` / `--environment <env>` -- scope the advisory query
+    - `--no-action` (`-n`) -- suppress proposed actions (read-only mode), default: true
+    - `--evidence` -- include evidence links and citations in response
+    - `--format table|json|markdown` -- output format
+    - `--output <path>` -- write to file
+    - `--conversation-id <id>` -- follow-up queries in same conversation
+    - `--tenant <id>` -- tenant scoping
+  - Chat rendering: `src/Cli/StellaOps.Cli/Commands/Advise/ChatRenderer.cs`
+  - Services: `src/Cli/StellaOps.Cli/Services/Chat/` -- chat client services
+- **Chat sub-commands**: `chat-doctor` and `chat-settings` subcommands also registered
+
+## What's Missing
+- **Full parity check**: Need to verify all advisory operations available in Web UI are also exposed through CLI
+- **Batch advisory queries**: No `--batch` or `--file` option for processing multiple queries from a file
+- **Advisory export**: No dedicated `stella advise export` for exporting advisory conversation history
+- **Advisory templates**: No `--template` option for pre-defined query templates
+
+## Implementation Plan
+- Audit Web UI advisory features against CLI surface for parity gaps
+- Add batch query support via `--file <queries.jsonl>` option
+- Add conversation export command `stella advise export --conversation-id <id>`
+- Add template support if Web UI has pre-built query templates
+
+## Related Documentation
+- Advise chat commands: `src/Cli/StellaOps.Cli/Commands/Advise/AdviseChatCommandGroup.cs`
+- Chat services: `src/Cli/StellaOps.Cli/Services/Chat/`
--- a/docs/features/unchecked/cli/determinism-hash-signature-verification-in-ui.md
+++ b/docs/features/unchecked/cli/determinism-hash-signature-verification-in-ui.md
@@ -0,0 +1,38 @@
+# Determinism Hash / Signature Verification in UI
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+Proofs and proof-studio UI features exist for browsing proof artifacts. Bundle verification exists in CLI. Full inline determinism hash and signature verification status display in the compare view may be partially wired up.
+
+## What's Implemented
+- **Bundle Verification CLI**: `src/Cli/StellaOps.Cli/Commands/BundleVerifyCommand.cs` -- `BundleVerifyCommand` (static class)
+  - Sprint: SPRINT_20260118_018_AirGap_router_integration (TASK-018-003)
+  - Implements `stella bundle verify --bundle <path> [--trust-root <pem>] [--rekor-checkpoint <path>]`
+  - Full cryptographic verification: checksums, DSSE signatures, Rekor proofs
+  - Uses `StellaOps.Attestor.Core.Signing`, `StellaOps.Cryptography`
+- **Compare Command**: `src/Cli/StellaOps.Cli/Commands/Compare/CompareCommandBuilder.cs` -- compare with `--base` and `--target` digests
+- **Verdict Verification**: `src/Cli/StellaOps.Cli/Commands/VerdictCommandGroup.cs` -- `stella verdict verify <ref>` with `--sbom-digest`, `--feeds-digest`, `--policy-digest`, `--decision` verification
+- **Proof Command Group**: `src/Cli/StellaOps.Cli/Commands/Proof/ProofCommandGroup.cs` -- proof browsing and verification
+
+## What's Missing
+- **Inline verification status in compare view**: The Web UI compare view does not display per-artifact hash verification status alongside diff results
+- **Signature verification badges in UI**: No visual badge/icon showing DSSE signature verification pass/fail for each evidence artifact in the proof studio
+- **Live re-verification**: No "re-verify now" button in UI that triggers determinism hash recomputation against stored evidence
+- **Determinism score integration**: CLI `stella determinism score` report not linked to compare view
+
+## Implementation Plan
+- Add verification status column to Web UI compare view showing per-artifact hash match status
+- Add DSSE signature verification badge component to proof-studio evidence browser
+- Wire `BundleVerifyCommand` logic as a service callable from Web UI API
+- Add "verify" action button in proof-studio that triggers re-verification and displays results inline
+- Integrate determinism score into compare view header
+
+## Related Documentation
+- Bundle verification: `src/Cli/StellaOps.Cli/Commands/BundleVerifyCommand.cs`
+- Verdict verification: `src/Cli/StellaOps.Cli/Commands/VerdictCommandGroup.cs`
+- Compare: `src/Cli/StellaOps.Cli/Commands/Compare/CompareCommandBuilder.cs`
--- a/docs/features/unchecked/cli/oci-referrers-for-evidence-storage.md
+++ b/docs/features/unchecked/cli/oci-referrers-for-evidence-storage.md
@@ -0,0 +1,43 @@
+# OCI Referrers for Evidence Storage (StellaBundle)
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+Bundle export, verification, and CLI commands exist. The pattern for storing evidence as OCI referrers is partially implemented through the bundle system and verifier module.
+
+## What's Implemented
+- **Bundle Export**: `src/Cli/StellaOps.Cli/Commands/BundleExportCommand.cs` -- `BundleExportCommand` (static class)
+  - Sprint: SPRINT_20260118_018_AirGap_router_integration (TASK-018-002)
+  - Implements `stella evidence export-bundle --image <ref> [--output <path>] [--include-dsse] [--include-rekor-proof]`
+  - Produces advisory-compliant bundles with DSSE envelopes, Rekor proofs, and OCI referrer metadata
+- **Bundle Verification**: `src/Cli/StellaOps.Cli/Commands/BundleVerifyCommand.cs` -- `BundleVerifyCommand` (static class)
+  - Sprint: SPRINT_20260118_018_AirGap_router_integration (TASK-018-003)
+  - Implements `stella bundle verify --bundle <path> [--trust-root <pem>] [--rekor-checkpoint <path>]`
+  - Full offline cryptographic verification chain
+- **Bundle Command Group**: `src/Cli/StellaOps.Cli/Commands/BundleCommandGroup.cs` -- additional bundle operations
+- **Evidence Command Group**: `src/Cli/StellaOps.Cli/Commands/EvidenceCommandGroup.cs` -- evidence management commands
+- **Checkpoint Commands**: `src/Cli/StellaOps.Cli/Commands/CheckpointCommands.cs` -- checkpoint operations for bundle management
+- **Verifier Module**: `src/Verifier/` -- evidence verification backend
+
+## What's Missing
+- **OCI Referrers API integration**: No direct `oras` or OCI Distribution API client for pushing/pulling evidence as OCI referrers (artifacts are stored as bundles, not native OCI referrers)
+- **`stella evidence push-referrer`**: No command to push evidence artifacts as OCI referrers to a registry using the OCI Referrers API
+- **`stella evidence list-referrers`**: No command to list all referrers attached to an OCI artifact digest
+- **Referrer discovery**: No automated discovery of evidence referrers when running verify commands against a registry
+- **ORAS integration**: No integration with ORAS library for native OCI artifact handling
+
+## Implementation Plan
+- Add OCI Distribution client with Referrers API support (v2 manifest list)
+- Implement `stella evidence push-referrer --image <ref> --artifact-type <type> --file <path>` for pushing evidence as OCI referrers
+- Implement `stella evidence list-referrers <ref>` for listing attached referrers by artifact type
+- Add `--use-referrers` flag to `stella verify image` to auto-discover evidence from registry referrers
+- Integrate with existing bundle export to optionally push as OCI referrers instead of tar.gz
+
+## Related Documentation
+- Bundle export: `src/Cli/StellaOps.Cli/Commands/BundleExportCommand.cs`
+- Bundle verify: `src/Cli/StellaOps.Cli/Commands/BundleVerifyCommand.cs`
+- Evidence commands: `src/Cli/StellaOps.Cli/Commands/EvidenceCommandGroup.cs`
--- a/docs/features/unchecked/cli/unknowns-export-artifacts.md
+++ b/docs/features/unchecked/cli/unknowns-export-artifacts.md
@@ -0,0 +1,40 @@
+# Unknowns Export Artifacts
+
+## Module
+Cli
+
+## Status
+IMPLEMENTED
+
+## Description
+Backend unknowns ranking and proof emission services exist along with CLI command group. However, explicit export schema artifacts for reproducible offline export of unknowns data were not located as standalone schema documents.
+
+## What's Implemented
+- **Unknowns Command Group**: `src/Cli/StellaOps.Cli/Commands/UnknownsCommandGroup.cs` -- `UnknownsCommandGroup` (static class)
+  - Sprint: SPRINT_3500_0004_0001_cli_verbs, SPRINT_5100_0004_0001_unknowns_budget_ci_gates, SPRINT_20260112_010_CLI_unknowns_grey_queue_cli
+  - Implements: `stella unknowns list`, `escalate`, `resolve`, `budget check/status`, `summary`, `show`, `proof`, `export`, `triage`
+  - Uses `StellaOps.Policy.Unknowns.Models` for DTOs
+- **Export Command**: `stella unknowns export` exists within the command group (BuildExportCommand)
+- **Proof Command**: `stella unknowns proof` for proof emission of unknowns data
+- **Budget Operations**: `stella unknowns budget check --scan-id <id>` and `stella unknowns budget status` for CI gate budget enforcement
+- **Backend**: `src/Unknowns/` -- unknowns registry and ranking services
+- **Policy Integration**: `src/Policy/__Libraries/StellaOps.Policy.Unknowns/` -- unknowns models and policy integration
+
+## What's Missing
+- **Export schema document**: No standalone JSON Schema or specification document for the unknowns export format
+- **Deterministic export format**: Export output format not formally specified for reproducible offline comparison
+- **Export versioning**: No schema version header in exported data for forward compatibility
+- **Offline import**: No `stella unknowns import` command for ingesting previously exported unknowns data in air-gapped environments
+- **Export attestation**: Exported unknowns data not wrapped in a DSSE envelope for tamper evidence
+
+## Implementation Plan
+- Define formal JSON Schema for unknowns export format with version field
+- Add `--schema-version` and `--format` options to `stella unknowns export`
+- Add DSSE signing to export output via `--sign` flag
+- Implement `stella unknowns import <file>` for air-gapped unknowns ingestion
+- Publish export schema as part of the API specification
+
+## Related Documentation
+- Unknowns CLI: `src/Cli/StellaOps.Cli/Commands/UnknownsCommandGroup.cs`
+- Unknowns backend: `src/Unknowns/`
+- Policy unknowns library: `src/Policy/__Libraries/StellaOps.Policy.Unknowns/`