chore(docs+devops): cross-module doc sync + sprint archival moves + compose updates

Bundled pre-session doc + ops work:
- docs/modules/**: sync across advisory-ai, airgap, cli, excititor,
  export-center, findings-ledger, notifier, notify, platform, router,
  sbom-service, ui, web (architectural + operational updates)
- docs/features/**: updates to checked excititor vex pipeline,
  developer workspace, quick verify drawer
- docs top-level: README, quickstart, API_CLI_REFERENCE, UI_GUIDE,
  code-of-conduct/TESTING_PRACTICES updates
- docs/qa/feature-checks/: FLOW.md + excititor state update
- docs/implplan/: remaining sprint updates + new Concelier source
  credentials sprint (SPRINT_20260422_003)
- docs-archived/implplan/: 30 sprint archival moves (ElkSharp series,
  misc completed sprints)
- devops/compose: .env + services compose + env example + router gateway
  config updates

File-level granularity preserved.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
master
2026-04-22 16:06:39 +03:00
parent ad77711ac2
commit 7943cfb3af
121 changed files with 10483 additions and 387 deletions


@@ -8,6 +8,8 @@
The `stella crypto` command group provides cryptographic operations with regional compliance support. The available crypto providers depend on your distribution build.
`stella crypto sign` resolves a real signing key from the configured provider set and emits an actual `dsse`, detached `jws`, or `raw` signature. `stella crypto verify` performs real verification either against provider-managed key material or a supplied trust policy.
## Distribution Matrix
| Distribution | Build Flag | Crypto Standards | Providers |
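Review bot: "resolves a real signing key" and "emits an actual `dsse` ... signature" in the new paragraph read as changelog wording (implying the previous behaviour was a stub) rather than reference documentation; suggest "resolves a signing key from the configured provider set and emits a `dsse`, detached `jws`, or `raw` signature", and likewise "performs verification" instead of "performs real verification".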
@@ -23,6 +25,8 @@ The `stella crypto` command group provides cryptographic operations with regiona
Sign artifacts using configured crypto provider.
The CLI selects a provider-exposed signing key at runtime. When multiple provider keys are available, use `--provider` and `--key-id` to make the selection explicit.
**Usage:**
```bash
stella crypto sign --input <file> [options]
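Review bot: the added sentence says to use `--provider` and `--key-id` when multiple provider keys are available, but not what the CLI does when they are omitted in that case (fails, or silently picks one key). Signing with an unintended key is the failure mode an operator most needs to know about, so the paragraph should state the default rule explicitly, e.g. "If more than one key is exposed and `--key-id` is not given, the command exits with an error."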
@@ -32,9 +36,9 @@ stella crypto sign --input <file> [options]
- `--input <path>` - Path to file to sign (required)
- `--output <path>` - Output path for signature (default: `<input>.sig`)
- `--provider <name>` - Override crypto provider (e.g., `gost-cryptopro`, `eidas-tsp`, `sm-remote`)
- `--key-id <id>` - Key identifier for signing
- `--key-id <id>` - Key identifier for signing when multiple provider keys are exposed
- `--format <format>` - Signature format: `dsse`, `jws`, `raw` (default: `dsse`)
- `--detached` - Create detached signature (default: true)
- `--detached` - Create detached signature (default: true; `jws` output is detached only)
- `--verbose` - Show detailed output
**Examples:**
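Review bot: the updated `--detached` line says "`jws` output is detached only", but leaves open what happens when a user passes `--detached false` together with `--format jws`; state whether the flag is ignored or rejected for that format. Also the `--key-id` line should say what "when multiple provider keys are exposed" means for the single-key case, i.e. whether the flag is optional there or must still match the one exposed key.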
@@ -54,6 +58,11 @@ stella crypto sign --input contract.pdf --provider eidas-tsp --format jws
Verify signatures using configured crypto provider.
Verification behavior depends on the signature material:
- `dsse` and detached `jws` can carry key identity metadata, so the CLI can usually resolve the provider key directly.
- `raw` signatures carry no metadata, so `--provider`, `--key-id`, or `--trust-policy` are typically required.
- `--trust-policy` verifies against exported public keys and does not require provider access to private key material.
**Usage:**
```bash
stella crypto verify --input <file> [options]
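Review bot: the first bullet says `dsse` and detached `jws` "carry key identity metadata, so the CLI can usually resolve the provider key directly"; since that metadata comes from the signature file being verified, it is untrusted input, and the doc should make clear that it is only used to select among keys already in the configured provider set or the supplied trust policy, never to fetch or trust a key outside them. A reader could otherwise conclude that an embedded key hint is sufficient on its own. The third bullet would also benefit from naming the file format the exported public keys must be in.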
@@ -63,6 +72,7 @@ stella crypto verify --input <file> [options]
- `--input <path>` - Path to file to verify (required)
- `--signature <path>` - Path to signature file (default: `<input>.sig`)
- `--provider <name>` - Override crypto provider
- `--key-id <id>` - Key identifier used during verification when provider or trust-policy resolution is ambiguous
- `--trust-policy <path>` - Path to trust policy YAML file
- `--format <format>` - Signature format: `dsse`, `jws`, `raw` (auto-detect if omitted)
- `--verbose` - Show detailed output
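Review bot: "used during verification when provider or trust-policy resolution is ambiguous" should say what the non-ambiguous and unresolved outcomes are: whether verification fails when several keys match and `--key-id` is absent, or whether each candidate key is tried in turn (which has different security implications). The surrounding `--format` line also says "auto-detect if omitted", yet the section above states `raw` signatures carry no metadata; documenting the fallback for an undetectable format (error vs. assume `raw`) would resolve that apparent contradiction.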
@@ -77,7 +87,10 @@ stella crypto verify --input artifact.tar.gz
stella crypto verify --input artifact.tar.gz --trust-policy ./policies/production-trust.yaml
# Verify specific provider signature
stella crypto verify --input contract.pdf --provider eidas-tsp --signature contract.jws
stella crypto verify --input contract.pdf --provider eidas-tsp --key-id prod-signing-2025 --signature contract.jws
# Verify a raw signature with explicit provider key selection
stella crypto verify --input artifact.tar.gz --signature artifact.tar.gz.sig --format raw --provider default --key-id prod-signing-2025
```
### `stella crypto profiles`
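Review bot: the new raw-signature example passes `--provider default`, but `default` is not among the provider names given in the `--provider` option description (`gost-cryptopro`, `eidas-tsp`, `sm-remote`) or the distribution matrix; either add it to those lists or use one of the documented provider names in the example so the two sections agree. The example also pairs `--key-id prod-signing-2025` with the earlier `--format raw` bullet correctly; a short comment noting that `--format raw` is required here because auto-detection has no metadata to work from would tie it back to that bullet.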