Add call graph fixtures for various languages and scenarios

- Introduced `all-edge-reasons.json` to test edge resolution reasons in .NET.
- Added `all-visibility-levels.json` to validate method visibility levels in .NET.
- Created `dotnet-aspnetcore-minimal.json` for a minimal ASP.NET Core application.
- Included `go-gin-api.json` for a Go Gin API application structure.
- Added `java-spring-boot.json` for the Spring PetClinic application in Java.
- Introduced `legacy-no-schema.json` for legacy application structure without schema.
- Created `node-express-api.json` for an Express.js API application structure.

src/Cli/StellaOps.Cli/Commands/CommandFactory.cs

@@ -80,6 +80,7 @@ internal static class CommandFactory
         root.Add(BuildSdkCommand(services, verboseOption, cancellationToken));
         root.Add(BuildMirrorCommand(services, verboseOption, cancellationToken));
         root.Add(BuildAirgapCommand(services, verboseOption, cancellationToken));
+        root.Add(OfflineCommandGroup.BuildOfflineCommand(services, verboseOption, cancellationToken));
         root.Add(BuildDevPortalCommand(services, verboseOption, cancellationToken));
         root.Add(BuildSymbolsCommand(services, verboseOption, cancellationToken));
         root.Add(SystemCommandBuilder.BuildSystemCommand(services, verboseOption, cancellationToken));
@@ -9338,6 +9339,53 @@ internal static class CommandFactory
         start.Add(startAttestation);
         export.Add(start);
 
+        var cache = new Command("cache", "Local evidence cache operations.");
+        var scanOutputPathOption = new Option<string>("--scan-output", new[] { "-p" })
+        {
+            Description = "Path to scan output directory containing a local evidence cache (.evidence).",
+            Required = true
+        };
+
+        var cacheStats = new Command("stats", "Show local evidence cache statistics.");
+        cacheStats.Add(scanOutputPathOption);
+        cacheStats.Add(jsonOption);
+        cacheStats.Add(verboseOption);
+        cacheStats.SetAction((parseResult, _) =>
+        {
+            var scanOutputPath = parseResult.GetValue(scanOutputPathOption) ?? string.Empty;
+            var json = parseResult.GetValue(jsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandleExportCacheStatsAsync(
+                services,
+                scanOutputPath,
+                json,
+                verbose,
+                cancellationToken);
+        });
+
+        var cacheProcessQueue = new Command("process-queue", "Process deferred enrichment queue for local evidence cache.");
+        cacheProcessQueue.Add(scanOutputPathOption);
+        cacheProcessQueue.Add(jsonOption);
+        cacheProcessQueue.Add(verboseOption);
+        cacheProcessQueue.SetAction((parseResult, _) =>
+        {
+            var scanOutputPath = parseResult.GetValue(scanOutputPathOption) ?? string.Empty;
+            var json = parseResult.GetValue(jsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandleExportCacheProcessQueueAsync(
+                services,
+                scanOutputPath,
+                json,
+                verbose,
+                cancellationToken);
+        });
+
+        cache.Add(cacheStats);
+        cache.Add(cacheProcessQueue);
+        export.Add(cache);
+
         return export;
     }
 

src/Cli/StellaOps.Cli/Commands/CommandHandlers.ExportCache.cs

@@ -0,0 +1,113 @@
+using System.Globalization;
+using System.Text.Json;
+using Microsoft.Extensions.DependencyInjection;
+using Spectre.Console;
+using StellaOps.ExportCenter.Core.EvidenceCache;
+
+namespace StellaOps.Cli.Commands;
+
+internal static partial class CommandHandlers
+{
+    internal static async Task<int> HandleExportCacheStatsAsync(
+        IServiceProvider services,
+        string scanOutputPath,
+        bool json,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        SetVerbosity(services, verbose);
+
+        if (string.IsNullOrWhiteSpace(scanOutputPath))
+        {
+            AnsiConsole.MarkupLine("[red]Scan output path is required.[/]");
+            return 1;
+        }
+
+        scanOutputPath = Path.GetFullPath(scanOutputPath);
+        if (!Directory.Exists(scanOutputPath))
+        {
+            AnsiConsole.MarkupLine($"[red]Scan output directory not found:[/] {Markup.Escape(scanOutputPath)}");
+            return 1;
+        }
+
+        var cache = services.GetRequiredService<IEvidenceCacheService>();
+        var statistics = await cache.GetStatisticsAsync(scanOutputPath, cancellationToken).ConfigureAwait(false);
+
+        if (json)
+        {
+            var payload = new
+            {
+                scanOutput = scanOutputPath,
+                statistics
+            };
+
+            AnsiConsole.WriteLine(JsonSerializer.Serialize(payload, JsonOptions));
+            return 0;
+        }
+
+        if (statistics.TotalBundles == 0)
+        {
+            AnsiConsole.MarkupLine("[yellow]No evidence cache entries found.[/]");
+        }
+
+        var table = new Table().AddColumns("Field", "Value");
+        table.AddRow("Scan output", Markup.Escape(scanOutputPath));
+        table.AddRow("Total bundles", statistics.TotalBundles.ToString(CultureInfo.InvariantCulture));
+        table.AddRow("Fully available", statistics.FullyAvailable.ToString(CultureInfo.InvariantCulture));
+        table.AddRow("Partially available", statistics.PartiallyAvailable.ToString(CultureInfo.InvariantCulture));
+        table.AddRow("Pending enrichment", statistics.PendingEnrichment.ToString(CultureInfo.InvariantCulture));
+        table.AddRow("Offline resolvable", FormattableString.Invariant($"{statistics.OfflineResolvablePercentage:0.##}%"));
+        table.AddRow("Total size", FormatBytes(statistics.TotalSizeBytes));
+
+        AnsiConsole.Write(table);
+        return 0;
+    }
+
+    internal static async Task<int> HandleExportCacheProcessQueueAsync(
+        IServiceProvider services,
+        string scanOutputPath,
+        bool json,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        SetVerbosity(services, verbose);
+
+        if (string.IsNullOrWhiteSpace(scanOutputPath))
+        {
+            AnsiConsole.MarkupLine("[red]Scan output path is required.[/]");
+            return 1;
+        }
+
+        scanOutputPath = Path.GetFullPath(scanOutputPath);
+        if (!Directory.Exists(scanOutputPath))
+        {
+            AnsiConsole.MarkupLine($"[red]Scan output directory not found:[/] {Markup.Escape(scanOutputPath)}");
+            return 1;
+        }
+
+        var cache = services.GetRequiredService<IEvidenceCacheService>();
+        var result = await cache.ProcessEnrichmentQueueAsync(scanOutputPath, cancellationToken).ConfigureAwait(false);
+
+        if (json)
+        {
+            var payload = new
+            {
+                scanOutput = scanOutputPath,
+                result
+            };
+
+            AnsiConsole.WriteLine(JsonSerializer.Serialize(payload, JsonOptions));
+            return 0;
+        }
+
+        var table = new Table().AddColumns("Field", "Value");
+        table.AddRow("Scan output", Markup.Escape(scanOutputPath));
+        table.AddRow("Processed", result.ProcessedCount.ToString(CultureInfo.InvariantCulture));
+        table.AddRow("Failed", result.FailedCount.ToString(CultureInfo.InvariantCulture));
+        table.AddRow("Remaining", result.RemainingCount.ToString(CultureInfo.InvariantCulture));
+
+        AnsiConsole.Write(table);
+        return 0;
+    }
+}
+

src/Cli/StellaOps.Cli/Commands/CommandHandlers.cs

@@ -49,10 +49,14 @@ using StellaOps.Scanner.Analyzers.Lang.Php;
 using StellaOps.Scanner.Analyzers.Lang.Bun;
 using StellaOps.Policy;
 using StellaOps.PolicyDsl;
+using StellaOps.AirGap.Importer.Contracts;
+using StellaOps.AirGap.Importer.Quarantine;
+using StellaOps.AirGap.Importer.Validation;
+using StellaOps.AirGap.Importer.Versioning;
 
 namespace StellaOps.Cli.Commands;
 
-internal static class CommandHandlers
+internal static partial class CommandHandlers
 {
     private const string KmsPassphraseEnvironmentVariable = "STELLAOPS_KMS_PASSPHRASE";
     private static readonly JsonSerializerOptions KmsJsonOptions = new(JsonSerializerDefaults.Web)

src/Cli/StellaOps.Cli/Commands/OfflineCommandGroup.cs

@@ -0,0 +1,164 @@
+using System.CommandLine;
+using StellaOps.Cli.Extensions;
+
+namespace StellaOps.Cli.Commands;
+
+internal static class OfflineCommandGroup
+{
+    internal static Command BuildOfflineCommand(
+        IServiceProvider services,
+        Option<bool> verboseOption,
+        CancellationToken cancellationToken)
+    {
+        var offline = new Command("offline", "Air-gap and offline kit operations.");
+
+        offline.Add(BuildOfflineImportCommand(services, verboseOption, cancellationToken));
+        offline.Add(BuildOfflineStatusCommand(services, verboseOption, cancellationToken));
+
+        return offline;
+    }
+
+    private static Command BuildOfflineImportCommand(
+        IServiceProvider services,
+        Option<bool> verboseOption,
+        CancellationToken cancellationToken)
+    {
+        var tenantOption = new Option<string?>("--tenant")
+        {
+            Description = "Tenant context for the import (defaults to profile/ENV)."
+        };
+
+        var bundleOption = new Option<string>("--bundle", new[] { "-b" })
+        {
+            Description = "Path to the offline kit payload bundle (.tar.zst).",
+            Required = true
+        };
+
+        var manifestOption = new Option<string?>("--manifest", new[] { "-m" })
+        {
+            Description = "Path to offline manifest JSON (defaults to manifest.json next to the bundle)."
+        };
+
+        var verifyDsseOption = new Option<bool>("--verify-dsse")
+        {
+            Description = "Verify DSSE signature on the kit statement."
+        }.SetDefaultValue(true);
+
+        var verifyRekorOption = new Option<bool>("--verify-rekor")
+        {
+            Description = "Verify Rekor receipt (offline mode)."
+        }.SetDefaultValue(true);
+
+        var trustRootOption = new Option<string?>("--trust-root")
+        {
+            Description = "Path to trust root public key file for DSSE verification."
+        };
+
+        var forceActivateOption = new Option<bool>("--force-activate")
+        {
+            Description = "Override monotonicity check (requires justification)."
+        };
+
+        var forceReasonOption = new Option<string?>("--force-reason")
+        {
+            Description = "Justification for force activation (required with --force-activate)."
+        };
+
+        var dryRunOption = new Option<bool>("--dry-run")
+        {
+            Description = "Validate the kit without activating."
+        };
+
+        var outputOption = new Option<string?>("--output", new[] { "-o" })
+        {
+            Description = "Output format: table (default), json."
+        }.SetDefaultValue("table").FromAmong("table", "json");
+
+        var command = new Command("import", "Import an offline kit with verification.")
+        {
+            tenantOption,
+            bundleOption,
+            manifestOption,
+            verifyDsseOption,
+            verifyRekorOption,
+            trustRootOption,
+            forceActivateOption,
+            forceReasonOption,
+            dryRunOption,
+            outputOption,
+            verboseOption
+        };
+
+        command.SetAction(parseResult =>
+        {
+            var tenant = parseResult.GetValue(tenantOption);
+            var bundle = parseResult.GetValue(bundleOption) ?? string.Empty;
+            var manifest = parseResult.GetValue(manifestOption);
+            var verifyDsse = parseResult.GetValue(verifyDsseOption);
+            var verifyRekor = parseResult.GetValue(verifyRekorOption);
+            var trustRoot = parseResult.GetValue(trustRootOption);
+            var forceActivate = parseResult.GetValue(forceActivateOption);
+            var forceReason = parseResult.GetValue(forceReasonOption);
+            var dryRun = parseResult.GetValue(dryRunOption);
+            var output = parseResult.GetValue(outputOption) ?? "table";
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandleOfflineImportAsync(
+                services,
+                tenant,
+                bundle,
+                manifest,
+                verifyDsse,
+                verifyRekor,
+                trustRoot,
+                forceActivate,
+                forceReason,
+                dryRun,
+                output,
+                verbose,
+                cancellationToken);
+        });
+
+        return command;
+    }
+
+    private static Command BuildOfflineStatusCommand(
+        IServiceProvider services,
+        Option<bool> verboseOption,
+        CancellationToken cancellationToken)
+    {
+        var tenantOption = new Option<string?>("--tenant")
+        {
+            Description = "Tenant context for the status (defaults to profile/ENV)."
+        };
+
+        var outputOption = new Option<string?>("--output", new[] { "-o" })
+        {
+            Description = "Output format: table (default), json."
+        }.SetDefaultValue("table").FromAmong("table", "json");
+
+        var command = new Command("status", "Display current offline kit status.")
+        {
+            tenantOption,
+            outputOption,
+            verboseOption
+        };
+
+        command.SetAction(parseResult =>
+        {
+            var tenant = parseResult.GetValue(tenantOption);
+            var output = parseResult.GetValue(outputOption) ?? "table";
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandleOfflineStatusAsync(
+                services,
+                tenant,
+                output,
+                verbose,
+                cancellationToken);
+        });
+
+        return command;
+    }
+}
+

src/Cli/StellaOps.Cli/Commands/OfflineExitCodes.cs

@@ -0,0 +1,25 @@
+namespace StellaOps.Cli.Commands;
+
+/// <summary>
+/// Exit codes for offline commands.
+/// Per advisory A11.1-11.2.
+/// </summary>
+internal static class OfflineExitCodes
+{
+    public const int Success = 0;
+    public const int FileNotFound = 1;
+    public const int ChecksumMismatch = 2;         // HASH_MISMATCH
+    public const int SignatureFailure = 3;         // SIG_FAIL_COSIGN, SIG_FAIL_MANIFEST
+    public const int FormatError = 4;
+    public const int DsseVerificationFailed = 5;   // DSSE_VERIFY_FAIL
+    public const int RekorVerificationFailed = 6;  // REKOR_VERIFY_FAIL
+    public const int ImportFailed = 7;
+    public const int VersionNonMonotonic = 8;      // VERSION_NON_MONOTONIC
+    public const int PolicyDenied = 9;             // POLICY_DENY
+    public const int SelftestFailed = 10;          // SELFTEST_FAIL
+    public const int ValidationFailed = 11;
+    public const int VerificationFailed = 12;
+    public const int PolicyLoadFailed = 13;
+    public const int Cancelled = 130;              // Standard SIGINT
+}
+