Add call graph fixtures for various languages and scenarios

- Introduced `all-edge-reasons.json` to test edge resolution reasons in .NET.
- Added `all-visibility-levels.json` to validate method visibility levels in .NET.
- Created `dotnet-aspnetcore-minimal.json` for a minimal ASP.NET Core application.
- Included `go-gin-api.json` for a Go Gin API application structure.
- Added `java-spring-boot.json` for the Spring PetClinic application in Java.
- Introduced `legacy-no-schema.json` for legacy application structure without schema.
- Created `node-express-api.json` for an Express.js API application structure.

src/Cli/StellaOps.Cli/Output/CliError.cs

@@ -249,6 +249,20 @@ public static class CliErrorCodes
     public const string ValidationFailed = "ERR_VALIDATION_FAILED";
     public const string RateLimited = "ERR_RATE_LIMIT";
     public const string AirGapBlocked = "ERR_AIRGAP_EGRESS_BLOCKED";
+
+    // CLI-AIRGAP-341-001: Offline Kit / AirGap error codes (exit code 7)
+    public const string OfflineKitImportFailed = "ERR_AIRGAP_OFFLINE_KIT_IMPORT_FAILED";
+    public const string OfflineKitStatusFailed = "ERR_AIRGAP_OFFLINE_KIT_STATUS_FAILED";
+    public const string OfflineKitVerifyFailed = "ERR_AIRGAP_OFFLINE_KIT_VERIFY_FAILED";
+    public const string OfflineKitHashMismatch = "ERR_AIRGAP_OFFLINE_KIT_HASH_MISMATCH";
+    public const string OfflineKitCosignSignatureInvalid = "ERR_AIRGAP_OFFLINE_KIT_SIG_FAIL_COSIGN";
+    public const string OfflineKitManifestSignatureInvalid = "ERR_AIRGAP_OFFLINE_KIT_SIG_FAIL_MANIFEST";
+    public const string OfflineKitDsseVerifyFailed = "ERR_AIRGAP_OFFLINE_KIT_DSSE_VERIFY_FAIL";
+    public const string OfflineKitRekorVerifyFailed = "ERR_AIRGAP_OFFLINE_KIT_REKOR_VERIFY_FAIL";
+    public const string OfflineKitSelfTestFailed = "ERR_AIRGAP_OFFLINE_KIT_SELFTEST_FAIL";
+    public const string OfflineKitVersionNonMonotonic = "ERR_AIRGAP_OFFLINE_KIT_VERSION_NON_MONOTONIC";
+    public const string OfflineKitPolicyDenied = "ERR_AIRGAP_OFFLINE_KIT_POLICY_DENY";
+
     public const string AocViolation = "ERR_AOC_001";
     public const string NetworkError = "ERR_NETWORK_FAILED";
     public const string Timeout = "ERR_TIMEOUT";

src/Cli/StellaOps.Cli/Output/CliErrorRenderer.cs

@@ -67,6 +67,11 @@ internal static class CliErrorRenderer
         // Error code
         AnsiConsole.MarkupLine($"[grey]Code:[/] {Markup.Escape(error.Code)}");
 
+        if (TryGetReasonCode(error, out var reasonCode))
+        {
+            AnsiConsole.MarkupLine($"[grey]Reason:[/] {Markup.Escape(reasonCode)}");
+        }
+
         // Detail (if present)
         if (!string.IsNullOrWhiteSpace(error.Detail))
         {
@@ -207,5 +212,41 @@ internal static class CliErrorRenderer
         RenderScopeGuidance(error);
         RenderRateLimitGuidance(error);
         RenderAuthGuidance(error);
+        RenderOfflineKitGuidance(error);
+    }
+
+    private static bool TryGetReasonCode(CliError error, out string reasonCode)
+    {
+        reasonCode = "";
+        if (error.Metadata is null || error.Metadata.Count == 0)
+        {
+            return false;
+        }
+
+        if ((!error.Metadata.TryGetValue("reason_code", out reasonCode) || string.IsNullOrWhiteSpace(reasonCode)) &&
+            (!error.Metadata.TryGetValue("reasonCode", out reasonCode) || string.IsNullOrWhiteSpace(reasonCode)))
+        {
+            return false;
+        }
+
+        reasonCode = OfflineKitReasonCodes.Normalize(reasonCode) ?? "";
+        return reasonCode.Length > 0;
+    }
+
+    private static void RenderOfflineKitGuidance(CliError error)
+    {
+        if (!TryGetReasonCode(error, out var reasonCode))
+        {
+            return;
+        }
+
+        var remediation = OfflineKitReasonCodes.GetRemediation(reasonCode);
+        if (string.IsNullOrWhiteSpace(remediation))
+        {
+            return;
+        }
+
+        AnsiConsole.WriteLine();
+        AnsiConsole.MarkupLine($"[yellow]Remediation:[/] {Markup.Escape(remediation)}");
     }
 }

src/Cli/StellaOps.Cli/Output/OfflineKitReasonCodes.cs

@@ -0,0 +1,63 @@
+using StellaOps.Cli.Commands;
+
+namespace StellaOps.Cli.Output;
+
+public static class OfflineKitReasonCodes
+{
+    public const string HashMismatch = "HASH_MISMATCH";
+    public const string SigFailCosign = "SIG_FAIL_COSIGN";
+    public const string SigFailManifest = "SIG_FAIL_MANIFEST";
+    public const string DsseVerifyFail = "DSSE_VERIFY_FAIL";
+    public const string RekorVerifyFail = "REKOR_VERIFY_FAIL";
+    public const string SelfTestFail = "SELFTEST_FAIL";
+    public const string VersionNonMonotonic = "VERSION_NON_MONOTONIC";
+    public const string PolicyDeny = "POLICY_DENY";
+
+    public static string? Normalize(string? reasonCode)
+        => string.IsNullOrWhiteSpace(reasonCode) ? null : reasonCode.Trim().ToUpperInvariant();
+
+    public static int GetExitCode(string? reasonCode)
+    {
+        reasonCode = Normalize(reasonCode);
+        return reasonCode switch
+        {
+            HashMismatch => OfflineExitCodes.ChecksumMismatch,
+            SigFailCosign => OfflineExitCodes.SignatureFailure,
+            SigFailManifest => OfflineExitCodes.SignatureFailure,
+            DsseVerifyFail => OfflineExitCodes.DsseVerificationFailed,
+            RekorVerifyFail => OfflineExitCodes.RekorVerificationFailed,
+            VersionNonMonotonic => OfflineExitCodes.VersionNonMonotonic,
+            PolicyDeny => OfflineExitCodes.PolicyDenied,
+            SelfTestFail => OfflineExitCodes.SelftestFailed,
+            null => OfflineExitCodes.ImportFailed,
+            _ => OfflineExitCodes.ImportFailed
+        };
+    }
+
+    public static string? GetRemediation(string? reasonCode)
+    {
+        reasonCode = Normalize(reasonCode);
+        return reasonCode switch
+        {
+            HashMismatch =>
+                "Re-download the bundle and re-run import. If using removable media, verify the device is healthy and that the bundle digest matches the manifest.",
+            SigFailCosign =>
+                "Verify the Cosign signature and trust roots. Ensure you imported the correct signing public keys and that the signature matches the bundle.",
+            SigFailManifest =>
+                "Verify the manifest signature and trust roots. Ensure the manifest and its detached signature belong to the same kit version.",
+            DsseVerifyFail =>
+                "Verify DSSE trust roots and that the envelope key ID matches an allowed signer. Re-export the kit if the envelope is missing or malformed.",
+            RekorVerifyFail =>
+                "Verify Rekor inclusion proof settings (offline snapshot, UUID/index) and re-run verification. Check for time skew and stale transparency data.",
+            VersionNonMonotonic =>
+                "The incoming kit version is older than the active version. Import a newer kit, or use --force-activate (with a reason) for emergency rollback testing only.",
+            PolicyDeny =>
+                "The current policy denies activation. Review policy gates, waivers, and VEX precedence; then re-run import after updating policy inputs.",
+            SelfTestFail =>
+                "Run the Offline Kit self-test and review its output. Confirm required binaries, permissions, and disk space are available in the air-gapped environment.",
+            null => null,
+            _ => null
+        };
+    }
+}
+