stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

Stabilize U

Browse Source
This commit is contained in:
master
2026-02-16 07:33:20 +02:00
parent 45c0f1bb59
commit 70fdbfcf25
166 changed files with 20156 additions and 4833 deletions
Download Patch File Download Diff File Expand all files Collapse all files

115
docs/qa/feature-checks/runs/cli/cli-e2e-tests/batch-a-results.md Normal file
View File

@@ -0,0 +1,115 @@
# CLI Batch A -- E2E Test Results
**Date:** 2026-02-15
**Agent:** batch-a
**CLI Project:** `src/Cli/StellaOps.Cli/StellaOps.Cli.csproj`
**Configuration:** Release (pre-built, `--no-build`)
**Environment note:** SM remote probe fails (expected -- no SM remote service running). Adds ~4s startup latency per invocation.
---
## Top-Level Command Summary
| # | Command | Description | Subcommands | --help OK | Behavioral Test | Exit Code | Notes |
|---|---------|-------------|-------------|-----------|-----------------|-----------|-------|
| 1 | `scanner` | Manage scanner artifacts and lifecycle | `download`, `workers` | YES | N/A (container-dependent) | 0 | 2 subcommands |
| 2 | `scan` | Execute scanners and manage scan outputs | `entrytrace`, `sarif`, `replay`, `gate-policy`, `gate-results`, `layers`, `layer-sbom`, `recipe`, `diff`, `delta`, `verify-patches`, `download`, `workers`, `secrets`, `image`, `run`, `upload`, `graph` | YES | N/A (requires scan data) | 0 | 18 subcommands -- richest command |
| 3 | `image` | OCI image operations | `inspect` | YES | N/A (requires registry) | 0 | 1 subcommand |
| 4 | `ruby` | Work with Ruby analyzer outputs | `inspect`, `resolve` | YES | `ruby inspect --help` OK | 0 | 2 subcommands |
| 5 | `php` | Work with PHP analyzer outputs | `inspect` | YES | N/A | 0 | 1 subcommand |
| 6 | `python` | Work with Python analyzer outputs | `inspect` | YES | N/A | 0 | 1 subcommand |
| 7 | `bun` | Work with Bun analyzer outputs | `inspect`, `resolve` | YES | N/A | 0 | 2 subcommands |
| 8 | `db` | Trigger Concelier database operations | `fetch`, `merge`, `export` | YES | N/A (requires backend) | 0 | 3 subcommands |
| 9 | `sources` | Interact with source ingestion workflows | `ingest`, `list`, `check`, `enable`, `disable`, `status` | YES | `sources list` CRASH (exit 1), `sources status` CRASH (exit 1) | 0 (help) / 1 (run) | **BUG: ISourceRegistry not registered in DI** |
| 10 | `aoc` | Aggregation-Only Contract verification | `verify` | YES | `aoc verify` exits 71 (tenant required) | 0 (help) / 71 (run) | Correct error: requires `--tenant` |
| 11 | `auth` | Manage authentication | `login`, `logout`, `status`, `whoami`, `revoke`, `token` | YES | `auth status` exits 1 (authority not configured) | 0 (help) / 1 (run) | Expected: no Authority URL configured |
| 12 | `tenants` | Manage tenant contexts | `list`, `use`, `current`, `clear` | YES | `tenants current` exits 0: "No active tenant configured." | 0 | Correct offline behavior |
| 13 | `policy` | Interact with Policy Engine | `simulate`, `activate`, `lint`, `edit`, `test`, `new`, `history`, `explain`, `init`, `compile`, `version`, `submit`, `review`, `publish`, `rollback`, `sign`, `verify-signature`, `lattice`, `verdicts`, `promote`, `validate-yaml`, `install`, `list-packs`, `export`, `import`, `validate`, `evaluate` | YES | `policy lint /nonexistent.stella` exits 4 (file not found) | 0 (help) / 4 (lint) | 27 subcommands; correct error for missing file |
| 14 | `tools` | Local policy tooling | `policy-dsl-validate`, `policy-schema-export`, `policy-simulation-smoke`, `lint`, `benchmark`, `migrate` | YES | N/A | 0 | 6 subcommands; benchmark has sub-subs (policy/scan/crypto) |
| 15 | `task-runner` | Interact with Task Runner | `simulate` | YES | N/A | 0 | 1 subcommand |
| 16 | `findings` | Inspect policy findings | `ls`, `get`, `explain` | YES | `findings ls` exits 1 (--policy required) | 0 (help) / 1 (run) | Correct: shows required option hint |
| 17 | `advise` | Advisory AI pipelines | `run`, `summarize`, `explain`, `remediate`, `batch`, `open-pr`, `ask`, `chat-doctor`, `chat-settings`, `export` | YES | `advise run --help` OK | 0 | 10 subcommands |
| 18 | `config` | Manage configuration | `show`, `list`, `notify`, `integrations`, `feeds`, `registry`, `sources`, `signals` | YES | `config show` exits 0 (shows defaults), `config list` exits 0 (lists paths) | 0 | 8 subcommands; behavioral tests pass |
| 19 | `kms` | Manage signing keys | `export`, `import` | YES | Both `--help` OK | 0 | 2 subcommands |
| 20 | `key` | Key management | `list`, `add`, `revoke`, `rotate`, `status`, `history`, `verify` | YES | N/A (requires anchorId) | 0 | 7 subcommands |
| 21 | `issuer` | Issuer key management | `keys` (sub: `list`, `create`, `rotate`, `revoke`) | YES | `issuer keys --help` OK | 0 | Nested: keys has 4 sub-subcommands |
---
## Subcommand --help Verification
| Parent | Subcommand | --help OK | Exit Code | Notes |
|--------|------------|-----------|-----------|-------|
| `scanner` | `download` | YES | 0 | Options: --channel, --output, --overwrite, --no-install |
| `scanner` | `workers` | YES | 0 | Sub-subcommands: get, set |
| `scan` | `entrytrace` | YES | 0 | Options: --scan-id (required), --include-ndjson, --semantic |
| `scan` | `sarif` | YES | 0 | Options: --scan-id (required), -o, --pretty, --include-hardening, --include-reachability, --min-severity |
| `scan` | `replay` | YES | 0 | Options: --artifact (req), --manifest (req), --feeds (req), --policy (req), --offline, --verify-inputs |
| `scan` | `secrets` | YES | 0 | Sub-subcommand: bundle |
| `scan` | `graph` | YES | 0 | Options: --lang (req), --target (req), --format, --upload, --include-tests |
| `image` | `inspect` | YES | 0 | Options: -r, -l, -p platform, -o format, --timeout |
| `auth` | `login` | YES | 0 | Options: --force |
| `auth` | `status` | YES | 0 | No extra options |
| `auth` | `whoami` | YES | 0 | No extra options |
| `db` | `fetch` | YES | 0 | Options: --source (req), --stage, --mode |
| `db` | `merge` | YES | 0 | No extra options |
| `db` | `export` | YES | 0 | Options: --format, --delta, --publish-full, --publish-delta, --bundle-full, --bundle-delta |
| `policy` | `lint` | YES | 0 | Args: file; Options: -f, -o |
| `policy` | `new` | YES | 0 | Args: name; Options: -t template, -o, -d, --tag, --shadow, --fixtures, --git-init |
| `policy` | `compile` | YES | 0 | Args: file; Options: -o, --no-ir, --no-digest, --optimize, --strict |
| `policy` | `validate-yaml` | YES | 0 | Args: path; Options: --schema, --strict |
| `policy` | `list-packs` | YES | 0 | Options: --source |
| `policy` | `evaluate` | YES | 0 | Options: -p policy (req), -i input (req), --format, -e environment, --include-remediation |
| `tenants` | `list` | YES | 0 | Options: --tenant, --json |
| `tenants` | `use` | YES | 0 | Args: tenant-id |
| `tenants` | `clear` | YES | 0 | No extra options |
| `tools` | `lint` | YES | 0 | Options: -i input (req), --fix, --strict, -f format |
| `tools` | `benchmark` | YES | 0 | Sub-subcommands: policy, scan, crypto |
| `tools` | `migrate` | YES | 0 | Sub-subcommands: config, data |
| `task-runner` | `simulate` | YES | 0 | Options: --manifest, --inputs, --format, --output |
| `kms` | `export` | YES | 0 | Options: --root, --key-id (req), --version, --output (req), --force, --passphrase |
| `kms` | `import` | YES | 0 | Options: --root, --key-id (req), --input (req), --version, --passphrase |
| `issuer` | `keys` | YES | 0 | Sub-subcommands: list, create, rotate, revoke |
| `advise` | `run` | YES | 0 | Args: task; Options: --advisory-key (req), many more |
| `findings` | `ls` | YES (via error) | 1 | Shows help with required --policy hint |
| `config` | `show` | YES | 0 | No extra options |
---
## Behavioral Test Results
| Command | Invocation | Exit Code | Behavior | Verdict |
|---------|------------|-----------|----------|---------|
| `auth status` | `auth status` | 1 | "Authority URL not configured. Set STELLAOPS_AUTHORITY_URL and run 'auth login'." | PASS -- correct error |
| `tenants current` | `tenants current` | 0 | "No active tenant configured. Use 'stella tenants use <tenant-id>' to set one." | PASS -- correct offline |
| `config show` | `config show` | 0 | Shows all config keys with defaults (Backend URL, Concelier URL, API Key, etc.) | PASS -- works offline |
| `config list` | `config list` | 0 | Lists all config paths grouped by section (notify, feeds, integrations, etc.) | PASS -- works offline |
| `sources list` | `sources list` | 1 | **CRASH: `InvalidOperationException: No service for type 'ISourceRegistry' has been registered.`** | FAIL -- DI bug |
| `sources status` | `sources status` | 1 | **CRASH: Same `ISourceRegistry` DI exception** | FAIL -- DI bug |
| `aoc verify` | `aoc verify` | 71 | "Tenant must be provided via --tenant or STELLA_TENANT." | PASS -- correct validation |
| `policy lint` | `policy lint /nonexistent.stella` | 4 | "Error: Policy file not found: .../nonexistent.stella" | PASS -- correct file-not-found |
| `findings ls` | `findings ls` | 1 | "Option '--policy' is required." + help text | PASS -- correct validation |
---
## Bugs Found
### BUG-001: `sources list` and `sources status` crash with DI exception
**Severity:** Medium
**Commands affected:** `sources list`, `sources status`
**Error:** `System.InvalidOperationException: No service for type 'StellaOps.Concelier.Core.Sources.ISourceRegistry' has been registered.`
**Location:** `src/Cli/StellaOps.Cli/Commands/Sources/SourcesCommandHandlers.cs:line 35` (list), `line 332` (status)
**Root cause:** The `ISourceRegistry` service is not registered in the CLI's DI container. The `sources --help` works fine, but actual invocation fails.
**Impact:** Users cannot list or check status of advisory sources via CLI without backend connectivity.
---
## Summary
- **21/21 commands** have working `--help` (exit 0)
- **All subcommand --help** tests pass (30+ subcommands tested)
- **9 behavioral tests** run: 7 PASS, 2 FAIL
- **1 bug found:** `sources list`/`sources status` DI registration missing for `ISourceRegistry`
- **Total subcommands discovered:** 100+ across all 21 top-level commands
- **Richest commands:** `policy` (27 subcmds), `scan` (18 subcmds), `advise` (10 subcmds), `config` (8 subcmds)

109
docs/qa/feature-checks/runs/cli/cli-e2e-tests/batch-b-results.md Normal file
View File

@@ -0,0 +1,109 @@
# CLI E2E Test Results - Batch B
**Date:** 2026-02-15
**Runner:** cli-batch-b agent
**CLI Project:** `src/Cli/StellaOps.Cli/StellaOps.Cli.csproj`
**Configuration:** Release (pre-built, `--no-build`)
**Note:** All commands experience ~4s SM remote probe timeout on startup (expected; localhost:56080 not running). This does not affect command functionality.
## Summary
- **Commands tested:** 21/21
- **--help OK:** 21/21 (100%)
- **Behavioral tests run:** 5
- **Behavioral tests passed:** 4/5 (1 expected failure: backend not configured)
- **Crashes:** 0
- **Timeouts:** 0
## Results Table
| # | Command | Description | Subcommands | --help OK | Behavioral Test | Exit Code | Notes |
|---|---------|-------------|-------------|-----------|-----------------|-----------|-------|
| 1 | `vuln` | Explore vulnerability observations | observations, list, show, assign, comment, accept-risk, verify-fix, target-fix, reopen, simulate, export | Yes | N/A (needs backend) | 0 | 11 subcommands |
| 2 | `vex` | Manage VEX consensus data | consensus, simulate, export, obs, explain, gen, gate-scan, verdict, unknowns | Yes | N/A (needs backend) | 0 | 9 subcommands |
| 3 | `decision` | Manage VEX decisions with DSSE signing | export, verify, compare | Yes | N/A (needs file input) | 0 | 3 subcommands |
| 4 | `crypto` | Cryptographic operations | sign, verify, profiles, plugins, keys, encrypt, decrypt, hash, providers | Yes | `crypto providers` -> listed 9 providers in table | 0 | 9 subcommands; behavioral PASS |
| 5 | `admin` | Administrative operations | policy, users, feeds, system, tenants, audit, diagnostics | Yes | N/A (needs backend) | 0 | 7 subcommands |
| 6 | `export` | Manage export profiles | profiles, runs, start, cache | Yes | N/A (needs backend) | 0 | 4 subcommands |
| 7 | `attest` | Verify DSSE attestations | sign, verify, list, show, fetch, key, bundle, attach, oci-list, oci-verify, link | Yes | N/A (needs file input) | 0 | 11 subcommands |
| 8 | `bundle` | Offline evidence bundle ops | verify | Yes | N/A (needs file input) | 0 | 1 subcommand |
| 9 | `risk-profile` | Manage risk profile schemas | validate, schema | Yes | `risk-profile schema` -> emitted full JSON Schema | 0 | 2 subcommands; behavioral PASS |
| 10 | `advisory` | Explore advisory observations | obs, linkset, export | Yes | N/A (needs backend) | 0 | 3 subcommands |
| 11 | `forensic` | Manage forensic snapshots | snapshot, list, show, verify, attest | Yes | N/A (needs backend) | 0 | 5 subcommands |
| 12 | `promotion` | Build promotion attestations | assemble, attest, verify | Yes | N/A (needs image ref) | 0 | 3 subcommands |
| 13 | `detscore` | Scanner determinism scoring | run, report | Yes | N/A (needs config) | 0 | 2 subcommands |
| 14 | `obs` | Platform observability | top, trace, logs, incident-mode | Yes | N/A (needs backend) | 0 | 4 subcommands |
| 15 | `pack` | Task Pack operations | plan, run, push, pull, verify, runs, secrets, cache | Yes | N/A (needs pack-id) | 0 | 8 subcommands |
| 16 | `exceptions` | Exception governance | list, show, create, promote, revoke, import, export | Yes | N/A (needs backend) | 0 | 7 subcommands |
| 17 | `orch` | Source & Job Orchestrator | sources, backfill, quotas | Yes | N/A (needs backend) | 0 | 3 subcommands |
| 18 | `sbom` | SBOM management | list, upload, show, compare, export, parity-matrix | Yes | `sbom parity-matrix` -> exit 1: "Backend URL not configured" | 1 | 6 subcommands; expected fail (no backend) |
| 19 | `license` | License detection | detect, categorize, validate, extract, summary | Yes | `license validate "MIT"` -> Valid; `license categorize "MIT"` -> Permissive, OSI Approved | 0 | 5 subcommands; behavioral PASS x2 |
| 20 | `analytics` | Analytics insights | sbom-lake | Yes | N/A (needs backend) | 0 | 1 subcommand |
| 21 | `notify` | Manage notifications | channels, rules, deliveries, simulate, send, ack | Yes | N/A (needs backend) | 0 | 6 subcommands |
## Behavioral Test Details
### 1. `crypto providers` - PASS (exit 0)
Listed 9 crypto providers in a formatted table:
- default, cn.sm.soft, cn.sm.remote.http, pq.soft, fips.ecdsa.soft, eu.eidas.soft, kr.kcmvp.hash, sim.crypto.remote, ru.pkcs11
- sim.crypto.remote showed 17 simulation keys (DILITHIUM3, FALCON512, pq.sim, GOST12-256, GOST12-512, SM2, ES256, ES384, ES512, etc.)
### 2. `risk-profile schema` - PASS (exit 0)
Emitted valid JSON Schema for RiskProfile v1:
- Schema ID: `https://stellaops.dev/schemas/risk-profile-schema@1.json`
- Required fields: id, version, signals, weights, overrides
- Signals support boolean/numeric/categorical types with transforms
- Overrides support severity and decision rules
### 3. `sbom parity-matrix` - EXPECTED FAIL (exit 1)
Error: `Backend URL not configured. Set STELLAOPS_BACKEND_URL or use --backend-url.`
This is expected behavior -- the command requires a running backend service.
### 4. `license validate "MIT"` - PASS (exit 0)
Output: "Valid SPDX expression: MIT" with component breakdown showing Permissive category.
### 5. `license categorize "MIT"` - PASS (exit 0)
Output table showing:
- SPDX ID: MIT
- Category: Permissive
- Obligations: Attribution, Include License, No Warranty
- OSI Approved: Yes
- FSF Free: Yes
- Deprecated: No
## Subcommand Count Summary
| Command | Subcommand Count |
|---------|-----------------|
| vuln | 11 |
| vex | 9 |
| decision | 3 |
| crypto | 9 |
| admin | 7 |
| export | 4 |
| attest | 11 |
| bundle | 1 |
| risk-profile | 2 |
| advisory | 3 |
| forensic | 5 |
| promotion | 3 |
| detscore | 2 |
| obs | 4 |
| pack | 8 |
| exceptions | 7 |
| orch | 3 |
| sbom | 6 |
| license | 5 |
| analytics | 1 |
| notify | 6 |
| **Total** | **110** |
## Observations
1. **All 21 commands register correctly** and respond to `--help` with exit code 0.
2. **No crashes or hangs** observed across any command.
3. **SM remote probe warning** is consistent across all invocations (expected; no SM remote service running locally).
4. **Plugin loader** reports no CLI plug-in manifests (expected for dev environment).
5. **Offline-capable commands** (`crypto providers`, `risk-profile schema`, `license validate/categorize`) work fully without a backend.
6. **Backend-dependent commands** (`sbom parity-matrix`, `vuln list`, etc.) fail gracefully with clear error messages when no backend URL is configured.
7. **Total subcommand surface area:** 110 subcommands across 21 top-level commands.

73
docs/qa/feature-checks/runs/cli/cli-e2e-tests/batch-c-results.md Normal file
View File

@@ -0,0 +1,73 @@
# CLI E2E Test Results -- Batch C
**Date:** 2026-02-15T22:49Z
**Runner:** cli-batch-c agent
**CLI Project:** `src/Cli/StellaOps.Cli/StellaOps.Cli.csproj`
**Configuration:** Release (pre-built, --no-build)
**Note:** All commands exhibit ~4s SM remote probe timeout on startup (expected, no SM service running).
## Summary
- **Commands tested:** 20
- **All --help pass:** 20/20
- **Behavioral tests attempted:** 3 (trust-profile list, offline status, sdk list)
- **Behavioral tests passed:** 2/3 (sdk list requires backend URL -- expected)
- **Crashes/hangs:** 0
- **Total subcommands discovered:** 98
## Top-Level Command Results
| # | Command | Description | Subcommands | --help OK | Exit Code | Notes |
|---|---------|-------------|-------------|-----------|-----------|-------|
| 1 | `sbomer` | SBOM composition | layer, compose, composition, drift | Yes | 0 | 4 subcommands |
| 2 | `cvss` | CVSS v4.0 receipt operations | score, show, history, export | Yes | 0 | 4 subcommands |
| 3 | `risk` | Manage risk profiles | profile, simulate, results, bundle | Yes | 0 | 4 subcommands |
| 4 | `graph` | Call graph evidence | explain, lineage, verify, bundles | Yes | 0 | 4 subcommands |
| 5 | `deltasig` | Binary delta signature operations | extract, author, sign, verify, match, pack, inspect | Yes | 0 | 7 subcommands |
| 6 | `binary` | Binary reachability analysis | submit, info, symbols, verify, inspect, lookup, fingerprint, callgraph, ops, delta-sig, diff | Yes | 0 | 11 subcommands |
| 7 | `api` | API management | spec | Yes | 0 | 1 subcommand |
| 8 | `sdk` | SDK management | update, list | Yes | 0 | 2 subcommands |
| 9 | `mirror` | Air-gap mirror bundles | create | Yes | 0 | 1 subcommand |
| 10 | `airgap` | Air-gapped environment ops | import, seal, export-evidence | Yes | 0 | 3 subcommands |
| 11 | `trust-profile` | Manage trust profiles | list, show, apply | Yes | 0 | 3 subcommands |
| 12 | `offline` | Air-gap and offline kit ops | import, status | Yes | 0 | 2 subcommands |
| 13 | `verify` | Unified verification | offline, image, bundle, release, attestation, vex, patch, sbom | Yes | 0 | 8 subcommands |
| 14 | `devportal` | DevPortal offline ops | verify | Yes | 0 | 1 subcommand |
| 15 | `symbols` | Symbol bundles management | bundle, verify, extract, inspect | Yes | 0 | 4 subcommands |
| 16 | `system` | System operations | migrations-run, migrations-status, migrations-verify | Yes | 0 | 3 subcommands |
| 17 | `score` | Score computation and replay | replay, bundle, verify, explain | Yes | 0 | 4 subcommands |
| 18 | `unknowns` | Unknowns registry operations | list, escalate, resolve, budget, summary, show, proof, export, triage | Yes | 0 | 9 subcommands |
| 19 | `proof` | Proof chain verification | verify, spine | Yes | 0 | 2 subcommands |
| 20 | `chain` | Attestation chain traversal | show, verify, graph, layer | Yes | 0 | 4 subcommands |
## Subcommand --help Verification
| Parent | Subcommand | --help OK | Exit Code | Notes |
|--------|-----------|-----------|-----------|-------|
| `sbomer` | `layer` | Yes | 0 | Sub-subs: list, show, verify |
| `sbomer` | `layer list` | Yes (implied) | 0 | -- |
| `trust-profile` | `list` | Yes | 0 | Options: --profiles-dir, -f/--format, -v/--verbose |
| `offline` | `status` | Yes | 0 | Options: --tenant, -o/--output, -v/--verbose |
| `sdk` | `list` | Yes | 0 | Options: -t/--tenant, -l/--language, --json, -v/--verbose |
| `system` | `migrations-status` | Yes | 0 | Options: --module, --connection |
| `binary` | `inspect` | Yes | 0 | Args: file. Options: -f/--format, -v/--verbose |
| `unknowns` | `summary` | Yes | 0 | Options: -f/--format, -v/--verbose |
## Behavioral Test Results
| Command | Invocation | Exit Code | Result | Output Summary |
|---------|-----------|-----------|--------|----------------|
| `trust-profile` | `trust-profile list` | 0 | PASS | Listed 4 profiles: bg-gov, eu-eidas, global, us-fips. Formatted table output. |
| `offline` | `offline status` | 0 | PASS | Reported "No active offline kit." for default tenant. |
| `sdk` | `sdk list` | 1 | EXPECTED FAIL | "Backend URL is not configured. Provide STELLAOPS_BACKEND_URL or configure appsettings." -- requires running backend. |
## Observations
1. **All 20 commands register and respond to --help correctly** with exit code 0.
2. **98 total subcommands** discovered across 20 parent commands. `binary` has the most (11), followed by `unknowns` (9) and `verify` (8).
3. **No crashes, hangs, or unhandled exceptions.** All commands handle missing backend/data gracefully.
4. **SM remote probe timeout** (~4s) occurs on every invocation -- expected behavior when SM remote service is not running.
5. **trust-profile list** works fully offline, reading from `etc/trust-profiles/` directory.
6. **offline status** works fully offline, reporting no active kit.
7. **sdk list** correctly requires backend URL configuration -- proper error message and exit code 1.
8. **Plugin system** reports no CLI plugins discovered (expected for dev environment).

74
docs/qa/feature-checks/runs/cli/cli-e2e-tests/batch-d-results.md Normal file
View File

@@ -0,0 +1,74 @@
# CLI E2E Test Results -- Batch D
**Date:** 2026-02-15
**Runner:** CLI E2E subagent (batch-d)
**CLI project:** `src/Cli/StellaOps.Cli/StellaOps.Cli.csproj` (Release, --no-build)
## Summary
- **Total commands tested:** 24
- **All --help pass:** 24/24
- **Behavioral tests run:** 4 (doctor list, ci list, golden list, fmap alias)
- **Behavioral passes:** 3/4 (golden list exits 1 -- expected, no corpus dir)
- **Crashes / hangs:** 0
All commands exhibit the expected ~4s SM remote probe timeout on startup (localhost:56080 refused). This is benign and does not affect command functionality.
## Results Table
| # | Command | Subcommands | --help OK | Behavioral Test | Exit Code | Notes |
|---|---------|-------------|-----------|-----------------|-----------|-------|
| 1 | `replay` | verify, diff, batch, snapshot, export | Yes (exit 0) | --help only (requires --manifest) | 0 | Has REQUIRED --manifest option |
| 2 | `delta` | compute, check, attach, verify, push | Yes (exit 0) | --help only | 0 | |
| 3 | `budget` | status, consume, check, history, list | Yes (exit 0) | --help only | 0 | |
| 4 | `reachability` | show, export, trace, explain, witness, guards, graph, slice, witness-ops | Yes (exit 0) | --help only | 0 | 9 subcommands; graph/slice/witness-ops from plugins |
| 5 | `witness` | generate, verify, bundle | Yes (exit 0) | --help only | 0 | generate/verify require args |
| 6 | `watchlist` | add, list, get, update, remove, test, alerts | Yes (exit 0) | --help only | 0 | 7 subcommands |
| 7 | `function-map` | generate, verify | Yes (exit 0) | --help only | 0 | Alias: `fmap` |
| 8 | `fmap` (alias) | generate, verify | Yes (exit 0) | fmap --help | 0 | Alias works, shows same as function-map |
| 9 | `observations` | query | Yes (exit 0) | --help only | 0 | Single subcommand |
| 10 | `gate` | evaluate, status, score | Yes (exit 0) | --help only | 0 | score uses EWS |
| 11 | `ci` | init, list, validate | Yes (exit 0) | `ci list` | 0 | Lists 12 templates (github/gitlab/gitea x gate/scan/verify/full) |
| 12 | `github` | upload-sarif, list-alerts, get-alert, update-alert, upload-status | Yes (exit 0) | --help only | 0 | 5 subcommands |
| 13 | `exception` | request, approve, reject, list, status | Yes (exit 0) | --help only | 0 | Full CRUD workflow |
| 14 | `feedser` | bundle, sites | Yes (exit 0) | --help only | 0 | Federation bundle ops |
| 15 | `prove` | (none -- leaf command) | Yes (exit 0) | --help only | 0 | Requires --image; supports --bundle for offline |
| 16 | `evidence` | export, verify, store, status, card, reindex, verify-continuity, migrate, holds, audit, replay, proof, provenance, seal, push-referrer, list-referrers | Yes (exit 0) | --help only | 0 | 16 subcommands |
| 17 | `seal` | (none -- leaf with `<image>` arg) | Yes (exit 0) | --help only | 0 | Requires `<image>` argument |
| 18 | `drift` | (none -- leaf with `<image>` arg) | Yes (exit 0) | --help only | 0 | Requires `<image>` argument; has --fail-on-breach |
| 19 | `golden` | init, validate, import, list, show, build-index | Yes (exit 0) | `golden list` | 1 | Expected: "Corpus directory not found: ./golden-corpus" |
| 20 | `verify-fix` | (none -- leaf with `<vuln-id>` arg) | Yes (exit 0) | --help only | 0 | Requires `<vuln-id>`, --pre, --post; supports --attest |
| 21 | `change-trace` | build, export, verify | Yes (exit 0) | --help only | 0 | |
| 22 | `doctor` | run, list, export, fix | Yes (exit 0) | `doctor list` | 0 | Lists 23 checks (Core/Database/Security categories) |
| 23 | `ts` | rfc3161, verify, info | Yes (exit 0) | --help only | 0 | RFC-3161 timestamp ops |
| 24 | `explain` | block | Yes (exit 0) | --help only | 0 | block requires `<digest>` arg |
| 25 | `setup` | run, resume, status, reset, validate | Yes (exit 0) | --help only (interactive) | 0 | Has --non-interactive flag; skipped interactive run |
## Behavioral Test Details
### `doctor list` (exit 0)
Lists 23 diagnostic checks across 3 categories:
- **Core** (9 checks): auth.config, config.loaded, config.required, crypto.available, env.diskspace, env.memory, env.variables, services.dependencies, services.health
- **Database** (8 checks): connection, latency, migrations.failed, migrations.pending, permissions, pool.health, pool.size, schema.version
- **Security** (6 checks): binaryanalysis.buildinfo.cache, corpus.kpi.baseline, corpus.mirror.freshness, ddeb.enabled, debuginfod.available, symbol.recovery.fallback
### `ci list` (exit 0)
Outputs formatted table with 12 CI/CD templates:
- Platforms: github, gitlab, gitea
- Templates per platform: gate, scan, verify, full
### `golden list` (exit 1)
Expected error: "Corpus directory not found: ./golden-corpus"
This is correct behavior -- no golden corpus exists in the working directory.
### `fmap --help` (exit 0)
Alias for `function-map` works correctly, shows identical help output.
## Notes
1. **SM Remote Probe:** All commands show a ~4s timeout connecting to localhost:56080 (SM remote crypto service). This is expected in dev environments without SM remote running.
2. **No crashes or hangs:** All 24 commands completed within timeout.
3. **setup** was tested with --help only to avoid interactive mode. It supports `--non-interactive` and `--config` for automated runs.
4. **doctor** was tested with `list` subcommand (safe, non-destructive) rather than `run` to avoid executing actual diagnostic checks.
5. **prove** is a leaf command (no subcommands) that requires `--image` flag.
6. **evidence** has the most subcommands (16) of any command in this batch.

185
docs/qa/feature-checks/runs/cli/cli-e2e-tests/run-001/tier2-cli-check.json Normal file
View File

@@ -0,0 +1,185 @@
{
"tier": "2b",
"timestamp": "2026-02-15T21:15:00Z",
"runId": "run-001-phase-c",
"agent": "cli-agent",
"method": "dotnet test per-csproj with -v normal",
"cliTestProjects": [
{
"project": "StellaOps.Cli.Tests.csproj",
"path": "src/Cli/__Tests/StellaOps.Cli.Tests/StellaOps.Cli.Tests.csproj",
"testsRun": 1182,
"testsPassed": 1182,
"testsFailed": 0,
"testsSkipped": 0,
"duration": "11.990s",
"rawOutputSnippet": "Passed! - Failed: 0, Passed: 1182, Skipped: 0, Total: 1182, Duration: 11s 990ms - StellaOps.Cli.Tests.dll (net10.0|x64)"
},
{
"project": "StellaOps.Cli.Commands.Setup.Tests.csproj",
"path": "src/Cli/__Tests/StellaOps.Cli.Commands.Setup.Tests/StellaOps.Cli.Commands.Setup.Tests.csproj",
"testsRun": 79,
"testsPassed": 79,
"testsFailed": 0,
"testsSkipped": 0,
"duration": "0.640s",
"rawOutputSnippet": "Passed! - Failed: 0, Passed: 79, Skipped: 0, Total: 79, Duration: 640ms - StellaOps.Cli.Commands.Setup.Tests.dll (net10.0|x64)"
},
{
"project": "StellaOps.Cli.AdviseParity.Tests.csproj",
"path": "src/Cli/__Tests/StellaOps.Cli.AdviseParity.Tests/StellaOps.Cli.AdviseParity.Tests.csproj",
"testsRun": 2,
"testsPassed": 2,
"testsFailed": 0,
"testsSkipped": 0,
"duration": "0.598s",
"rawOutputSnippet": "Passed! - Failed: 0, Passed: 2, Skipped: 0, Total: 2, Duration: 598ms - StellaOps.Cli.AdviseParity.Tests.dll (net10.0|x64)"
},
{
"project": "StellaOps.Cli.CompareOverlay.Tests.csproj",
"path": "src/Cli/__Tests/StellaOps.Cli.CompareOverlay.Tests/StellaOps.Cli.CompareOverlay.Tests.csproj",
"testsRun": 3,
"testsPassed": 3,
"testsFailed": 0,
"testsSkipped": 0,
"duration": "0.688s",
"rawOutputSnippet": "Passed! - Failed: 0, Passed: 3, Skipped: 0, Total: 3, Duration: 688ms - StellaOps.Cli.CompareOverlay.Tests.dll (net10.0|x64)"
},
{
"project": "StellaOps.Cli.UnknownsExport.Tests.csproj",
"path": "src/Cli/__Tests/StellaOps.Cli.UnknownsExport.Tests/StellaOps.Cli.UnknownsExport.Tests.csproj",
"testsRun": 3,
"testsPassed": 3,
"testsFailed": 0,
"testsSkipped": 0,
"duration": "0.796s",
"rawOutputSnippet": "Passed! - Failed: 0, Passed: 3, Skipped: 0, Total: 3, Duration: 796ms - StellaOps.Cli.UnknownsExport.Tests.dll (net10.0|x64)"
}
],
"toolsTestProjects": [
{
"project": "StellaOps.Tools.GoldenPairs.Tests.csproj",
"path": "src/Tools/__Tests/StellaOps.Tools.GoldenPairs.Tests/StellaOps.Tools.GoldenPairs.Tests.csproj",
"testsRun": 10,
"testsPassed": 10,
"testsFailed": 0,
"testsSkipped": 0,
"duration": "1.470s",
"rawOutputSnippet": "Passed! - Failed: 0, Passed: 10, Skipped: 0, Total: 10, Duration: 1s 470ms - StellaOps.Tools.GoldenPairs.Tests.dll (net10.0|x64)"
},
{
"project": "FixtureUpdater.Tests.csproj",
"path": "src/Tools/__Tests/FixtureUpdater.Tests/FixtureUpdater.Tests.csproj",
"testsRun": 4,
"testsPassed": 4,
"testsFailed": 0,
"testsSkipped": 0,
"duration": "1.302s",
"rawOutputSnippet": "Passed! - Failed: 0, Passed: 4, Skipped: 0, Total: 4, Duration: 1s 302ms - FixtureUpdater.Tests.dll (net10.0|x64)"
},
{
"project": "LanguageAnalyzerSmoke.Tests.csproj",
"path": "src/Tools/__Tests/LanguageAnalyzerSmoke.Tests/LanguageAnalyzerSmoke.Tests.csproj",
"testsRun": 4,
"testsPassed": 4,
"testsFailed": 0,
"testsSkipped": 0,
"duration": "0.433s",
"rawOutputSnippet": "Passed! - Failed: 0, Passed: 4, Skipped: 0, Total: 4, Duration: 433ms - LanguageAnalyzerSmoke.Tests.dll (net10.0|x64)"
},
{
"project": "NotifySmokeCheck.Tests.csproj",
"path": "src/Tools/__Tests/NotifySmokeCheck.Tests/NotifySmokeCheck.Tests.csproj",
"testsRun": 4,
"testsPassed": 4,
"testsFailed": 0,
"testsSkipped": 0,
"duration": "0.570s",
"rawOutputSnippet": "Passed! - Failed: 0, Passed: 4, Skipped: 0, Total: 4, Duration: 570ms - NotifySmokeCheck.Tests.dll (net10.0|x64)"
},
{
"project": "PolicyDslValidator.Tests.csproj",
"path": "src/Tools/__Tests/PolicyDslValidator.Tests/PolicyDslValidator.Tests.csproj",
"testsRun": 2,
"testsPassed": 2,
"testsFailed": 0,
"testsSkipped": 0,
"duration": "0.625s",
"rawOutputSnippet": "Passed! - Failed: 0, Passed: 2, Skipped: 0, Total: 2, Duration: 625ms - PolicyDslValidator.Tests.dll (net10.0|x64)"
},
{
"project": "PolicySchemaExporter.Tests.csproj",
"path": "src/Tools/__Tests/PolicySchemaExporter.Tests/PolicySchemaExporter.Tests.csproj",
"testsRun": 3,
"testsPassed": 3,
"testsFailed": 0,
"testsSkipped": 0,
"duration": "1.076s",
"rawOutputSnippet": "Passed! - Failed: 0, Passed: 3, Skipped: 0, Total: 3, Duration: 1s 076ms - PolicySchemaExporter.Tests.dll (net10.0|x64)"
},
{
"project": "PolicySimulationSmoke.Tests.csproj",
"path": "src/Tools/__Tests/PolicySimulationSmoke.Tests/PolicySimulationSmoke.Tests.csproj",
"testsRun": 3,
"testsPassed": 3,
"testsFailed": 0,
"testsSkipped": 0,
"duration": "0.515s",
"rawOutputSnippet": "Passed! - Failed: 0, Passed: 3, Skipped: 0, Total: 3, Duration: 515ms - PolicySimulationSmoke.Tests.dll (net10.0|x64)"
},
{
"project": "RustFsMigrator.Tests.csproj",
"path": "src/Tools/__Tests/RustFsMigrator.Tests/RustFsMigrator.Tests.csproj",
"testsRun": 2,
"testsPassed": 2,
"testsFailed": 0,
"testsSkipped": 0,
"duration": "0.452s",
"rawOutputSnippet": "Passed! - Failed: 0, Passed: 2, Skipped: 0, Total: 2, Duration: 452ms - RustFsMigrator.Tests.dll (net10.0|x64)"
},
{
"project": "StellaOps.Tools.WorkflowGenerator.Tests.csproj",
"path": "src/Tools/__Tests/StellaOps.Tools.WorkflowGenerator.Tests/StellaOps.Tools.WorkflowGenerator.Tests.csproj",
"testsRun": 76,
"testsPassed": 76,
"testsFailed": 0,
"testsSkipped": 0,
"duration": "0.584s",
"rawOutputSnippet": "Passed! - Failed: 0, Passed: 76, Skipped: 0, Total: 76, Duration: 584ms - StellaOps.Tools.WorkflowGenerator.Tests.dll (net10.0|x64)"
}
],
"totalCliTests": 1269,
"totalCliPassed": 1269,
"totalCliFailed": 0,
"totalCliSkipped": 0,
"totalToolsTests": 108,
"totalToolsPassed": 108,
"totalToolsFailed": 0,
"totalToolsSkipped": 0,
"grandTotalTests": 1377,
"grandTotalPassed": 1377,
"grandTotalFailed": 0,
"grandTotalSkipped": 0,
"disabledTests": [],
"coverageGaps": [],
"assertionQualityReview": {
"reviewed": true,
"filesReviewed": [
"CommandHandlersTests.cs - verifies exit codes, job kinds, actual API call values",
"CliSpecTests.cs - verifies CLI spec YAML contains required fields (privacy defaults, exit codes, pinned digests)",
"CliExitCodeTests.cs - verifies concrete exit code constants using FluentAssertions",
"CliDeterminismTests.cs - verifies same-input-same-output determinism with hash comparison",
"VexGenCommandTests.cs - verifies command structure, options, descriptions",
"PolicyCommandTests.cs - invokes full command pipeline with JSON output parsing"
],
"quality": "strong",
"notes": "Tests exercise real command handlers with stub backends, verify exit codes, parse JSON output, assert determinism. No shallow null-checks found."
},
"notes": [
"All 5 CLI test projects pass with 0 failures, 0 skips",
"All 9 Tools test projects pass with 0 failures, 0 skips",
"No disabled/skipped tests found (grep for Skip, #if false, DISABLED returned no matches)",
"Test assertions are substantive: exit code verification, JSON parsing, determinism checks, command structure validation",
"Known issue: scan delta and chain commands have System.CommandLine OOM risk at runtime (not in tests)"
]
}