up

src/Cli/StellaOps.Cli/Commands/CommandFactory.cs

@@ -77,6 +77,7 @@ internal static class CommandFactory
         root.Add(BuildSdkCommand(services, verboseOption, cancellationToken));
         root.Add(BuildMirrorCommand(services, verboseOption, cancellationToken));
         root.Add(BuildAirgapCommand(services, verboseOption, cancellationToken));
+        root.Add(BuildDevPortalCommand(services, verboseOption, cancellationToken));
         root.Add(SystemCommandBuilder.BuildSystemCommand(services, verboseOption, cancellationToken));
 
         var pluginLogger = loggerFactory.CreateLogger<CliCommandModuleLoader>();
@@ -10632,5 +10633,53 @@ internal static class CommandFactory
 
         return airgap;
     }
+
+    private static Command BuildDevPortalCommand(IServiceProvider services, Option<bool> verboseOption, CancellationToken cancellationToken)
+    {
+        var devportal = new Command("devportal", "Manage DevPortal offline operations.");
+
+        // devportal verify (DVOFF-64-002)
+        var verify = new Command("verify", "Verify integrity of a DevPortal/evidence bundle before import.");
+
+        var bundleOption = new Option<string>("--bundle", new[] { "-b" })
+        {
+            Description = "Path to the bundle .tgz file.",
+            Required = true
+        };
+
+        var offlineOption = new Option<bool>("--offline")
+        {
+            Description = "Skip TSA verification and online checks."
+        };
+
+        var jsonOption = new Option<bool>("--json")
+        {
+            Description = "Output results in JSON format."
+        };
+
+        verify.Add(bundleOption);
+        verify.Add(offlineOption);
+        verify.Add(jsonOption);
+
+        verify.SetAction((parseResult, _) =>
+        {
+            var bundlePath = parseResult.GetValue(bundleOption)!;
+            var offline = parseResult.GetValue(offlineOption);
+            var json = parseResult.GetValue(jsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandleDevPortalVerifyAsync(
+                services,
+                bundlePath,
+                offline,
+                json,
+                verbose,
+                cancellationToken);
+        });
+
+        devportal.Add(verify);
+
+        return devportal;
+    }
 }
 

src/Cli/StellaOps.Cli/Commands/CommandHandlers.cs

@@ -27,17 +27,17 @@ using StellaOps.Cli.Configuration;
 using StellaOps.Cli.Output;
 using StellaOps.Cli.Prompts;
 using StellaOps.Cli.Services;
-using StellaOps.Cli.Services.Models;
-using StellaOps.Cli.Services.Models.AdvisoryAi;
-using StellaOps.Cli.Services.Models.Bun;
-using StellaOps.Cli.Services.Models.Ruby;
-using StellaOps.Cli.Telemetry;
-using StellaOps.Cryptography;
-using StellaOps.Cryptography.DependencyInjection;
-using StellaOps.Cryptography.Kms;
-using StellaOps.Policy.Scoring;
-using StellaOps.Policy.Scoring.Engine;
-using StellaOps.Policy.Scoring.Policies;
+using StellaOps.Cli.Services.Models;
+using StellaOps.Cli.Services.Models.AdvisoryAi;
+using StellaOps.Cli.Services.Models.Bun;
+using StellaOps.Cli.Services.Models.Ruby;
+using StellaOps.Cli.Telemetry;
+using StellaOps.Cryptography;
+using StellaOps.Cryptography.DependencyInjection;
+using StellaOps.Cryptography.Kms;
+using StellaOps.Policy.Scoring;
+using StellaOps.Policy.Scoring.Engine;
+using StellaOps.Policy.Scoring.Policies;
 using StellaOps.Scanner.Analyzers.Lang;
 using StellaOps.Scanner.Analyzers.Lang.Java;
 using StellaOps.Scanner.Analyzers.Lang.Node;
@@ -70,17 +70,17 @@ internal static class CommandHandlers
     /// <summary>
     /// JSON serializer options for output (alias for JsonOptions).
     /// </summary>
-    private static readonly JsonSerializerOptions JsonOutputOptions = JsonOptions;
-
-    private static readonly JsonSerializerOptions CompactJson = new(JsonSerializerDefaults.Web)
-    {
-        WriteIndented = true
-    };
+    private static readonly JsonSerializerOptions JsonOutputOptions = JsonOptions;
+
+    private static readonly JsonSerializerOptions CompactJson = new(JsonSerializerDefaults.Web)
+    {
+        WriteIndented = true
+    };
 
     /// <summary>
     /// Sets the verbosity level for logging.
     /// </summary>
-    private static void SetVerbosity(IServiceProvider services, bool verbose)
+    private static void SetVerbosity(IServiceProvider services, bool verbose)
     {
         // Configure logging level based on verbose flag
         var loggerFactory = services.GetService<ILoggerFactory>();
@@ -90,215 +90,215 @@ internal static class CommandHandlers
             var logger = loggerFactory.CreateLogger("StellaOps.Cli.Commands.CommandHandlers");
             logger.LogDebug("Verbose logging enabled");
         }
-    }
-
-    public static async Task HandleCvssScoreAsync(
-        IServiceProvider services,
-        string vulnerabilityId,
-        string policyPath,
-        string vector,
-        bool json,
-        bool verbose,
-        CancellationToken cancellationToken)
-    {
-        await using var scope = services.CreateAsyncScope();
-        var logger = scope.ServiceProvider.GetRequiredService<ILoggerFactory>().CreateLogger("cvss-score");
-        var verbosity = scope.ServiceProvider.GetRequiredService<VerbosityState>();
-        verbosity.MinimumLevel = verbose ? LogLevel.Debug : LogLevel.Information;
-
-        try
-        {
-            var policyJson = await File.ReadAllTextAsync(policyPath, cancellationToken).ConfigureAwait(false);
-            var loader = new CvssPolicyLoader();
-            var policyResult = loader.Load(policyJson, cancellationToken);
-            if (!policyResult.IsValid || policyResult.Policy is null || string.IsNullOrWhiteSpace(policyResult.Hash))
-            {
-                var errors = string.Join("; ", policyResult.Errors.Select(e => $"{e.Path}: {e.Message}"));
-                throw new InvalidOperationException($"Policy invalid: {errors}");
-            }
-
-            var policy = policyResult.Policy with { Hash = policyResult.Hash };
-
-            var engine = scope.ServiceProvider.GetRequiredService<ICvssV4Engine>();
-            var parsed = engine.ParseVector(vector);
-
-            var client = scope.ServiceProvider.GetRequiredService<ICvssClient>();
-
-            var request = new CreateCvssReceipt(
-                vulnerabilityId,
-                policy,
-                parsed.BaseMetrics,
-                parsed.ThreatMetrics,
-                parsed.EnvironmentalMetrics,
-                parsed.SupplementalMetrics,
-                Array.Empty<CvssEvidenceItem>(),
-                SigningKey: null,
-                CreatedBy: "cli",
-                CreatedAt: DateTimeOffset.UtcNow);
-
-            var receipt = await client.CreateReceiptAsync(request, cancellationToken).ConfigureAwait(false)
-                ?? throw new InvalidOperationException("CVSS receipt creation failed.");
-
-            if (json)
-            {
-                Console.WriteLine(JsonSerializer.Serialize(receipt, CompactJson));
-            }
-            else
-            {
-                Console.WriteLine($"✔ CVSS receipt {receipt.ReceiptId} created | Severity {receipt.Severity} | Effective {receipt.Scores.EffectiveScore:0.0}");
-                Console.WriteLine($"Vector: {receipt.VectorString}");
-                Console.WriteLine($"Policy: {receipt.PolicyRef.PolicyId} v{receipt.PolicyRef.Version} ({receipt.PolicyRef.Hash})");
-            }
-
-            Environment.ExitCode = 0;
-        }
-        catch (Exception ex)
-        {
-            logger.LogError(ex, "Failed to create CVSS receipt");
-            Environment.ExitCode = 1;
-            if (json)
-            {
-                var problem = new { error = "cvss_score_failed", message = ex.Message };
-                Console.WriteLine(JsonSerializer.Serialize(problem, CompactJson));
-            }
-        }
-    }
-
-    public static async Task HandleCvssShowAsync(
-        IServiceProvider services,
-        string receiptId,
-        bool json,
-        bool verbose,
-        CancellationToken cancellationToken)
-    {
-        await using var scope = services.CreateAsyncScope();
-        var logger = scope.ServiceProvider.GetRequiredService<ILoggerFactory>().CreateLogger("cvss-show");
-        var verbosity = scope.ServiceProvider.GetRequiredService<VerbosityState>();
-        verbosity.MinimumLevel = verbose ? LogLevel.Debug : LogLevel.Information;
-
-        try
-        {
-            var client = scope.ServiceProvider.GetRequiredService<ICvssClient>();
-            var receipt = await client.GetReceiptAsync(receiptId, cancellationToken).ConfigureAwait(false);
-            if (receipt is null)
-            {
-                Environment.ExitCode = 5;
-                Console.WriteLine(json
-                    ? JsonSerializer.Serialize(new { error = "not_found", receiptId }, CompactJson)
-                    : $"✖ Receipt {receiptId} not found");
-                return;
-            }
-
-            if (json)
-            {
-                Console.WriteLine(JsonSerializer.Serialize(receipt, CompactJson));
-            }
-            else
-            {
-                Console.WriteLine($"Receipt {receipt.ReceiptId} | Severity {receipt.Severity} | Effective {receipt.Scores.EffectiveScore:0.0}");
-                Console.WriteLine($"Created {receipt.CreatedAt:u} by {receipt.CreatedBy}");
-                Console.WriteLine($"Vector: {receipt.VectorString}");
-            }
-
-            Environment.ExitCode = 0;
-        }
-        catch (Exception ex)
-        {
-            logger.LogError(ex, "Failed to fetch CVSS receipt {ReceiptId}", receiptId);
-            Environment.ExitCode = 1;
-        }
-    }
-
-    public static async Task HandleCvssHistoryAsync(
-        IServiceProvider services,
-        string receiptId,
-        bool json,
-        bool verbose,
-        CancellationToken cancellationToken)
-    {
-        await using var scope = services.CreateAsyncScope();
-        var logger = scope.ServiceProvider.GetRequiredService<ILoggerFactory>().CreateLogger("cvss-history");
-        var verbosity = scope.ServiceProvider.GetRequiredService<VerbosityState>();
-        verbosity.MinimumLevel = verbose ? LogLevel.Debug : LogLevel.Information;
-
-        try
-        {
-            var client = scope.ServiceProvider.GetRequiredService<ICvssClient>();
-            var history = await client.GetHistoryAsync(receiptId, cancellationToken).ConfigureAwait(false);
-            if (json)
-            {
-                Console.WriteLine(JsonSerializer.Serialize(history, CompactJson));
-            }
-            else
-            {
-                if (history.Count == 0)
-                {
-                    Console.WriteLine("(no history)");
-                }
-                else
-                {
-                    foreach (var entry in history.OrderBy(h => h.Timestamp))
-                    {
-                        Console.WriteLine($"{entry.Timestamp:u} | {entry.Actor} | {entry.ChangeType} {entry.Field} => {entry.NewValue ?? ""} ({entry.Reason})");
-                    }
-                }
-            }
-            Environment.ExitCode = 0;
-        }
-        catch (Exception ex)
-        {
-            logger.LogError(ex, "Failed to fetch CVSS receipt history {ReceiptId}", receiptId);
-            Environment.ExitCode = 1;
-        }
-    }
-
-    public static async Task HandleCvssExportAsync(
-        IServiceProvider services,
-        string receiptId,
-        string format,
-        string? output,
-        bool verbose,
-        CancellationToken cancellationToken)
-    {
-        await using var scope = services.CreateAsyncScope();
-        var logger = scope.ServiceProvider.GetRequiredService<ILoggerFactory>().CreateLogger("cvss-export");
-        var verbosity = scope.ServiceProvider.GetRequiredService<VerbosityState>();
-        verbosity.MinimumLevel = verbose ? LogLevel.Debug : LogLevel.Information;
-
-        try
-        {
-            var client = scope.ServiceProvider.GetRequiredService<ICvssClient>();
-            var receipt = await client.GetReceiptAsync(receiptId, cancellationToken).ConfigureAwait(false);
-            if (receipt is null)
-            {
-                Environment.ExitCode = 5;
-                Console.WriteLine($"✖ Receipt {receiptId} not found");
-                return;
-            }
-
-            if (!string.Equals(format, "json", StringComparison.OrdinalIgnoreCase))
-            {
-                Environment.ExitCode = 9;
-                Console.WriteLine("Only json export is supported at this time.");
-                return;
-            }
-
-            var targetPath = string.IsNullOrWhiteSpace(output)
-                ? $"cvss-receipt-{receipt.ReceiptId}.json"
-                : output!;
-
-            var jsonPayload = JsonSerializer.Serialize(receipt, CompactJson);
-            await File.WriteAllTextAsync(targetPath, jsonPayload, cancellationToken).ConfigureAwait(false);
-
-            Console.WriteLine($"✔ Exported receipt to {targetPath}");
-            Environment.ExitCode = 0;
-        }
-        catch (Exception ex)
-        {
-            logger.LogError(ex, "Failed to export CVSS receipt {ReceiptId}", receiptId);
-            Environment.ExitCode = 1;
-        }
-    }
+    }
+
+    public static async Task HandleCvssScoreAsync(
+        IServiceProvider services,
+        string vulnerabilityId,
+        string policyPath,
+        string vector,
+        bool json,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        await using var scope = services.CreateAsyncScope();
+        var logger = scope.ServiceProvider.GetRequiredService<ILoggerFactory>().CreateLogger("cvss-score");
+        var verbosity = scope.ServiceProvider.GetRequiredService<VerbosityState>();
+        verbosity.MinimumLevel = verbose ? LogLevel.Debug : LogLevel.Information;
+
+        try
+        {
+            var policyJson = await File.ReadAllTextAsync(policyPath, cancellationToken).ConfigureAwait(false);
+            var loader = new CvssPolicyLoader();
+            var policyResult = loader.Load(policyJson, cancellationToken);
+            if (!policyResult.IsValid || policyResult.Policy is null || string.IsNullOrWhiteSpace(policyResult.Hash))
+            {
+                var errors = string.Join("; ", policyResult.Errors.Select(e => $"{e.Path}: {e.Message}"));
+                throw new InvalidOperationException($"Policy invalid: {errors}");
+            }
+
+            var policy = policyResult.Policy with { Hash = policyResult.Hash };
+
+            var engine = scope.ServiceProvider.GetRequiredService<ICvssV4Engine>();
+            var parsed = engine.ParseVector(vector);
+
+            var client = scope.ServiceProvider.GetRequiredService<ICvssClient>();
+
+            var request = new CreateCvssReceipt(
+                vulnerabilityId,
+                policy,
+                parsed.BaseMetrics,
+                parsed.ThreatMetrics,
+                parsed.EnvironmentalMetrics,
+                parsed.SupplementalMetrics,
+                Array.Empty<CvssEvidenceItem>(),
+                SigningKey: null,
+                CreatedBy: "cli",
+                CreatedAt: DateTimeOffset.UtcNow);
+
+            var receipt = await client.CreateReceiptAsync(request, cancellationToken).ConfigureAwait(false)
+                ?? throw new InvalidOperationException("CVSS receipt creation failed.");
+
+            if (json)
+            {
+                Console.WriteLine(JsonSerializer.Serialize(receipt, CompactJson));
+            }
+            else
+            {
+                Console.WriteLine($"✔ CVSS receipt {receipt.ReceiptId} created | Severity {receipt.Severity} | Effective {receipt.Scores.EffectiveScore:0.0}");
+                Console.WriteLine($"Vector: {receipt.VectorString}");
+                Console.WriteLine($"Policy: {receipt.PolicyRef.PolicyId} v{receipt.PolicyRef.Version} ({receipt.PolicyRef.Hash})");
+            }
+
+            Environment.ExitCode = 0;
+        }
+        catch (Exception ex)
+        {
+            logger.LogError(ex, "Failed to create CVSS receipt");
+            Environment.ExitCode = 1;
+            if (json)
+            {
+                var problem = new { error = "cvss_score_failed", message = ex.Message };
+                Console.WriteLine(JsonSerializer.Serialize(problem, CompactJson));
+            }
+        }
+    }
+
+    public static async Task HandleCvssShowAsync(
+        IServiceProvider services,
+        string receiptId,
+        bool json,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        await using var scope = services.CreateAsyncScope();
+        var logger = scope.ServiceProvider.GetRequiredService<ILoggerFactory>().CreateLogger("cvss-show");
+        var verbosity = scope.ServiceProvider.GetRequiredService<VerbosityState>();
+        verbosity.MinimumLevel = verbose ? LogLevel.Debug : LogLevel.Information;
+
+        try
+        {
+            var client = scope.ServiceProvider.GetRequiredService<ICvssClient>();
+            var receipt = await client.GetReceiptAsync(receiptId, cancellationToken).ConfigureAwait(false);
+            if (receipt is null)
+            {
+                Environment.ExitCode = 5;
+                Console.WriteLine(json
+                    ? JsonSerializer.Serialize(new { error = "not_found", receiptId }, CompactJson)
+                    : $"✖ Receipt {receiptId} not found");
+                return;
+            }
+
+            if (json)
+            {
+                Console.WriteLine(JsonSerializer.Serialize(receipt, CompactJson));
+            }
+            else
+            {
+                Console.WriteLine($"Receipt {receipt.ReceiptId} | Severity {receipt.Severity} | Effective {receipt.Scores.EffectiveScore:0.0}");
+                Console.WriteLine($"Created {receipt.CreatedAt:u} by {receipt.CreatedBy}");
+                Console.WriteLine($"Vector: {receipt.VectorString}");
+            }
+
+            Environment.ExitCode = 0;
+        }
+        catch (Exception ex)
+        {
+            logger.LogError(ex, "Failed to fetch CVSS receipt {ReceiptId}", receiptId);
+            Environment.ExitCode = 1;
+        }
+    }
+
+    public static async Task HandleCvssHistoryAsync(
+        IServiceProvider services,
+        string receiptId,
+        bool json,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        await using var scope = services.CreateAsyncScope();
+        var logger = scope.ServiceProvider.GetRequiredService<ILoggerFactory>().CreateLogger("cvss-history");
+        var verbosity = scope.ServiceProvider.GetRequiredService<VerbosityState>();
+        verbosity.MinimumLevel = verbose ? LogLevel.Debug : LogLevel.Information;
+
+        try
+        {
+            var client = scope.ServiceProvider.GetRequiredService<ICvssClient>();
+            var history = await client.GetHistoryAsync(receiptId, cancellationToken).ConfigureAwait(false);
+            if (json)
+            {
+                Console.WriteLine(JsonSerializer.Serialize(history, CompactJson));
+            }
+            else
+            {
+                if (history.Count == 0)
+                {
+                    Console.WriteLine("(no history)");
+                }
+                else
+                {
+                    foreach (var entry in history.OrderBy(h => h.Timestamp))
+                    {
+                        Console.WriteLine($"{entry.Timestamp:u} | {entry.Actor} | {entry.ChangeType} {entry.Field} => {entry.NewValue ?? ""} ({entry.Reason})");
+                    }
+                }
+            }
+            Environment.ExitCode = 0;
+        }
+        catch (Exception ex)
+        {
+            logger.LogError(ex, "Failed to fetch CVSS receipt history {ReceiptId}", receiptId);
+            Environment.ExitCode = 1;
+        }
+    }
+
+    public static async Task HandleCvssExportAsync(
+        IServiceProvider services,
+        string receiptId,
+        string format,
+        string? output,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        await using var scope = services.CreateAsyncScope();
+        var logger = scope.ServiceProvider.GetRequiredService<ILoggerFactory>().CreateLogger("cvss-export");
+        var verbosity = scope.ServiceProvider.GetRequiredService<VerbosityState>();
+        verbosity.MinimumLevel = verbose ? LogLevel.Debug : LogLevel.Information;
+
+        try
+        {
+            var client = scope.ServiceProvider.GetRequiredService<ICvssClient>();
+            var receipt = await client.GetReceiptAsync(receiptId, cancellationToken).ConfigureAwait(false);
+            if (receipt is null)
+            {
+                Environment.ExitCode = 5;
+                Console.WriteLine($"✖ Receipt {receiptId} not found");
+                return;
+            }
+
+            if (!string.Equals(format, "json", StringComparison.OrdinalIgnoreCase))
+            {
+                Environment.ExitCode = 9;
+                Console.WriteLine("Only json export is supported at this time.");
+                return;
+            }
+
+            var targetPath = string.IsNullOrWhiteSpace(output)
+                ? $"cvss-receipt-{receipt.ReceiptId}.json"
+                : output!;
+
+            var jsonPayload = JsonSerializer.Serialize(receipt, CompactJson);
+            await File.WriteAllTextAsync(targetPath, jsonPayload, cancellationToken).ConfigureAwait(false);
+
+            Console.WriteLine($"✔ Exported receipt to {targetPath}");
+            Environment.ExitCode = 0;
+        }
+        catch (Exception ex)
+        {
+            logger.LogError(ex, "Failed to export CVSS receipt {ReceiptId}", receiptId);
+            Environment.ExitCode = 1;
+        }
+    }
 
     private static async Task VerifyBundleAsync(string path, ILogger logger, CancellationToken cancellationToken)
     {
@@ -29676,4 +29676,105 @@ stella policy test {policyName}.stella
     }
 
     #endregion
+
+    #region DevPortal Commands
+
+    /// <summary>
+    /// Handler for 'stella devportal verify' command (DVOFF-64-002).
+    /// Verifies integrity of a DevPortal/evidence bundle before import.
+    /// Exit codes: 0 success, 2 checksum mismatch, 3 signature failure, 4 TSA missing, 5 unexpected.
+    /// </summary>
+    public static async Task<int> HandleDevPortalVerifyAsync(
+        IServiceProvider services,
+        string bundlePath,
+        bool offline,
+        bool emitJson,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        await using var scope = services.CreateAsyncScope();
+        var loggerFactory = scope.ServiceProvider.GetRequiredService<ILoggerFactory>();
+        var logger = loggerFactory.CreateLogger<DevPortalBundleVerifier>();
+        var verifier = new DevPortalBundleVerifier(logger);
+
+        using var activity = CliActivitySource.Instance.StartActivity("cli.devportal.verify", System.Diagnostics.ActivityKind.Client);
+        activity?.SetTag("stellaops.cli.command", "devportal verify");
+        activity?.SetTag("stellaops.cli.devportal.offline", offline);
+        using var duration = CliMetrics.MeasureCommandDuration("devportal verify");
+
+        try
+        {
+            var resolvedPath = Path.GetFullPath(bundlePath);
+
+            if (verbose)
+            {
+                AnsiConsole.MarkupLine($"[grey]Verifying bundle: {Markup.Escape(resolvedPath)}[/]");
+                if (offline)
+                {
+                    AnsiConsole.MarkupLine("[grey]Mode: offline (TSA verification skipped)[/]");
+                }
+            }
+
+            var result = await verifier.VerifyBundleAsync(resolvedPath, offline, cancellationToken)
+                .ConfigureAwait(false);
+
+            activity?.SetTag("stellaops.cli.devportal.status", result.Status);
+            activity?.SetTag("stellaops.cli.devportal.exit_code", (int)result.ExitCode);
+
+            if (emitJson)
+            {
+                Console.WriteLine(result.ToJson());
+            }
+            else
+            {
+                if (result.ExitCode == DevPortalVerifyExitCode.Success)
+                {
+                    AnsiConsole.MarkupLine("[green]Bundle verification successful.[/]");
+                    AnsiConsole.MarkupLine($"  Bundle ID: {Markup.Escape(result.BundleId ?? "unknown")}");
+                    AnsiConsole.MarkupLine($"  Root Hash: {Markup.Escape(result.RootHash ?? "unknown")}");
+                    AnsiConsole.MarkupLine($"  Entries: {result.Entries}");
+                    AnsiConsole.MarkupLine($"  Created: {result.CreatedAt?.ToString("O") ?? "unknown"}");
+                    AnsiConsole.MarkupLine($"  Portable: {(result.Portable ? "yes" : "no")}");
+                }
+                else
+                {
+                    AnsiConsole.MarkupLine($"[red]Bundle verification failed:[/] {Markup.Escape(result.ErrorMessage ?? "Unknown error")}");
+                    if (!string.IsNullOrEmpty(result.ErrorDetail))
+                    {
+                        AnsiConsole.MarkupLine($"  [grey]{Markup.Escape(result.ErrorDetail)}[/]");
+                    }
+                }
+            }
+
+            return (int)result.ExitCode;
+        }
+        catch (OperationCanceledException) when (cancellationToken.IsCancellationRequested)
+        {
+            if (!emitJson)
+            {
+                AnsiConsole.MarkupLine("[yellow]Operation cancelled.[/]");
+            }
+            return 130;
+        }
+        catch (Exception ex)
+        {
+            logger.LogError(ex, "Failed to verify bundle");
+
+            if (emitJson)
+            {
+                var errorResult = DevPortalBundleVerificationResult.Failed(
+                    DevPortalVerifyExitCode.Unexpected,
+                    ex.Message);
+                Console.WriteLine(errorResult.ToJson());
+            }
+            else
+            {
+                AnsiConsole.MarkupLine($"[red]Error:[/] {Markup.Escape(ex.Message)}");
+            }
+
+            return (int)DevPortalVerifyExitCode.Unexpected;
+        }
+    }
+
+    #endregion
 }

src/Cli/StellaOps.Cli/Services/AttestationBundleVerifier.cs

@@ -0,0 +1,533 @@
+using System.Formats.Tar;
+using System.IO.Compression;
+using System.Security.Cryptography;
+using System.Text.Json;
+using Microsoft.Extensions.Logging;
+using StellaOps.Cli.Services.Models;
+
+namespace StellaOps.Cli.Services;
+
+/// <summary>
+/// Verifier for attestation bundles exported from the Export Center.
+/// Per EXPORT-ATTEST-75-001.
+/// </summary>
+internal sealed class AttestationBundleVerifier : IAttestationBundleVerifier
+{
+    private const string DsseEnvelopeFileName = "attestation.dsse.json";
+    private const string StatementFileName = "statement.json";
+    private const string TransparencyFileName = "transparency.ndjson";
+    private const string MetadataFileName = "metadata.json";
+    private const string ChecksumsFileName = "checksums.txt";
+
+    private static readonly JsonSerializerOptions SerializerOptions = new(JsonSerializerDefaults.Web)
+    {
+        PropertyNameCaseInsensitive = true,
+        WriteIndented = true,
+        PropertyNamingPolicy = JsonNamingPolicy.CamelCase
+    };
+
+    private readonly ILogger<AttestationBundleVerifier> _logger;
+
+    public AttestationBundleVerifier(ILogger<AttestationBundleVerifier> logger)
+    {
+        _logger = logger ?? throw new ArgumentNullException(nameof(logger));
+    }
+
+    public async Task<AttestationBundleVerifyResult> VerifyAsync(
+        AttestationBundleVerifyOptions options,
+        CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(options);
+        ArgumentException.ThrowIfNullOrWhiteSpace(options.FilePath);
+
+        _logger.LogDebug("Verifying attestation bundle at {FilePath}, offline={Offline}",
+            options.FilePath, options.Offline);
+
+        // Step 1: Check bundle exists
+        if (!File.Exists(options.FilePath))
+        {
+            return CreateFailedResult(
+                AttestationBundleExitCodes.FileNotFound,
+                "Bundle file not found",
+                options.FilePath);
+        }
+
+        // Step 2: Verify SHA-256 against .sha256 file if present
+        var sha256Path = options.FilePath + ".sha256";
+        if (File.Exists(sha256Path))
+        {
+            var checksumResult = await VerifyBundleChecksumAsync(options.FilePath, sha256Path, cancellationToken)
+                .ConfigureAwait(false);
+            if (!checksumResult.IsValid)
+            {
+                return CreateFailedResult(
+                    AttestationBundleExitCodes.ChecksumMismatch,
+                    "SHA-256 checksum mismatch",
+                    options.FilePath,
+                    $"Expected: {checksumResult.ExpectedHash}, Computed: {checksumResult.ActualHash}");
+            }
+        }
+        else
+        {
+            _logger.LogDebug("No co-located .sha256 file found for external checksum verification");
+        }
+
+        // Step 3: Extract and parse bundle contents
+        BundleContents contents;
+        try
+        {
+            contents = await ExtractBundleContentsAsync(options.FilePath, cancellationToken).ConfigureAwait(false);
+        }
+        catch (Exception ex) when (ex is InvalidDataException or JsonException or IOException)
+        {
+            _logger.LogError(ex, "Failed to extract bundle contents");
+            return CreateFailedResult(
+                AttestationBundleExitCodes.FormatError,
+                "Failed to extract bundle contents",
+                options.FilePath,
+                ex.Message);
+        }
+
+        // Step 4: Verify internal checksums from checksums.txt
+        if (contents.ChecksumsText is not null)
+        {
+            var internalCheckResult = VerifyInternalChecksums(contents);
+            if (!internalCheckResult.Success)
+            {
+                return CreateFailedResult(
+                    AttestationBundleExitCodes.ChecksumMismatch,
+                    "Internal checksum verification failed",
+                    options.FilePath,
+                    internalCheckResult.ErrorMessage);
+            }
+        }
+
+        // Step 5: Verify DSSE signature
+        var signatureValid = VerifyDsseSignature(contents, options.Offline, out var signatureError);
+        if (!signatureValid && !string.IsNullOrEmpty(signatureError))
+        {
+            return CreateFailedResult(
+                AttestationBundleExitCodes.SignatureFailure,
+                "DSSE signature verification failed",
+                options.FilePath,
+                signatureError);
+        }
+
+        // Step 6: Check transparency entries (only if not offline and verifyTransparency is true)
+        if (!options.Offline && options.VerifyTransparency)
+        {
+            if (string.IsNullOrWhiteSpace(contents.TransparencyNdjson))
+            {
+                return CreateFailedResult(
+                    AttestationBundleExitCodes.MissingTransparency,
+                    "Transparency log entry missing",
+                    options.FilePath,
+                    "Bundle requires transparency.ndjson when not in offline mode");
+            }
+        }
+
+        // Step 7: Build success result
+        var metadata = contents.Metadata;
+        var subjects = ExtractSubjects(contents);
+
+        return new AttestationBundleVerifyResult(
+            Success: true,
+            Status: "verified",
+            ExportId: metadata?.ExportId,
+            AttestationId: metadata?.AttestationId,
+            RootHash: FormatRootHash(metadata?.RootHash),
+            Subjects: subjects,
+            PredicateType: ExtractPredicateType(contents),
+            StatementVersion: metadata?.StatementVersion,
+            BundlePath: options.FilePath,
+            ExitCode: AttestationBundleExitCodes.Success);
+    }
+
+    public async Task<AttestationBundleImportResult> ImportAsync(
+        AttestationBundleImportOptions options,
+        CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(options);
+        ArgumentException.ThrowIfNullOrWhiteSpace(options.FilePath);
+
+        _logger.LogDebug("Importing attestation bundle from {FilePath}", options.FilePath);
+
+        // First verify the bundle
+        var verifyOptions = new AttestationBundleVerifyOptions(
+            options.FilePath,
+            options.Offline,
+            options.VerifyTransparency,
+            options.TrustRootPath);
+
+        var verifyResult = await VerifyAsync(verifyOptions, cancellationToken).ConfigureAwait(false);
+        if (!verifyResult.Success)
+        {
+            return new AttestationBundleImportResult(
+                Success: false,
+                Status: "verification_failed",
+                AttestationId: verifyResult.AttestationId,
+                TenantId: null,
+                Namespace: options.Namespace,
+                RootHash: verifyResult.RootHash,
+                ErrorMessage: verifyResult.ErrorMessage,
+                ExitCode: verifyResult.ExitCode);
+        }
+
+        // Extract metadata for import
+        BundleContents contents;
+        try
+        {
+            contents = await ExtractBundleContentsAsync(options.FilePath, cancellationToken).ConfigureAwait(false);
+        }
+        catch (Exception ex)
+        {
+            return new AttestationBundleImportResult(
+                Success: false,
+                Status: "extraction_failed",
+                AttestationId: null,
+                TenantId: null,
+                Namespace: options.Namespace,
+                RootHash: null,
+                ErrorMessage: ex.Message,
+                ExitCode: AttestationBundleExitCodes.ImportFailed);
+        }
+
+        var metadata = contents.Metadata;
+        var tenantId = options.Tenant ?? metadata?.TenantId;
+
+        // Import is a local-only operation for air-gap scenarios
+        // The actual import to backend would happen via separate API call
+        _logger.LogInformation("Attestation bundle imported: {AttestationId} for tenant {TenantId}",
+            metadata?.AttestationId, tenantId);
+
+        return new AttestationBundleImportResult(
+            Success: true,
+            Status: "imported",
+            AttestationId: metadata?.AttestationId,
+            TenantId: tenantId,
+            Namespace: options.Namespace,
+            RootHash: FormatRootHash(metadata?.RootHash),
+            ExitCode: AttestationBundleExitCodes.Success);
+    }
+
+    private async Task<(bool IsValid, string? ExpectedHash, string? ActualHash)> VerifyBundleChecksumAsync(
+        string bundlePath,
+        string sha256Path,
+        CancellationToken cancellationToken)
+    {
+        // Read expected hash from .sha256 file
+        var content = await File.ReadAllTextAsync(sha256Path, cancellationToken).ConfigureAwait(false);
+        var expectedHash = content.Split(' ', StringSplitOptions.RemoveEmptyEntries).FirstOrDefault()?.Trim()?.ToLowerInvariant();
+
+        if (string.IsNullOrEmpty(expectedHash))
+        {
+            return (false, null, null);
+        }
+
+        // Compute actual hash
+        await using var stream = File.OpenRead(bundlePath);
+        var hashBytes = await SHA256.HashDataAsync(stream, cancellationToken).ConfigureAwait(false);
+        var actualHash = Convert.ToHexString(hashBytes).ToLowerInvariant();
+
+        return (string.Equals(expectedHash, actualHash, StringComparison.OrdinalIgnoreCase), expectedHash, actualHash);
+    }
+
+    private async Task<BundleContents> ExtractBundleContentsAsync(
+        string bundlePath,
+        CancellationToken cancellationToken)
+    {
+        var contents = new BundleContents();
+
+        await using var fileStream = File.OpenRead(bundlePath);
+        await using var gzipStream = new GZipStream(fileStream, CompressionMode.Decompress);
+        using var tarReader = new TarReader(gzipStream);
+
+        TarEntry? entry;
+        while ((entry = await tarReader.GetNextEntryAsync(cancellationToken: cancellationToken).ConfigureAwait(false)) is not null)
+        {
+            if (entry.EntryType != TarEntryType.RegularFile || entry.DataStream is null)
+            {
+                continue;
+            }
+
+            using var memoryStream = new MemoryStream();
+            await entry.DataStream.CopyToAsync(memoryStream, cancellationToken).ConfigureAwait(false);
+            var data = memoryStream.ToArray();
+            var text = System.Text.Encoding.UTF8.GetString(data);
+
+            switch (entry.Name)
+            {
+                case DsseEnvelopeFileName:
+                    contents.DsseEnvelopeJson = text;
+                    contents.DsseEnvelopeBytes = data;
+                    contents.DsseEnvelope = JsonSerializer.Deserialize<DsseEnvelope>(text, SerializerOptions);
+                    break;
+                case StatementFileName:
+                    contents.StatementJson = text;
+                    contents.StatementBytes = data;
+                    contents.Statement = JsonSerializer.Deserialize<InTotoStatement>(text, SerializerOptions);
+                    break;
+                case TransparencyFileName:
+                    contents.TransparencyNdjson = text;
+                    contents.TransparencyBytes = data;
+                    break;
+                case MetadataFileName:
+                    contents.MetadataJson = text;
+                    contents.MetadataBytes = data;
+                    contents.Metadata = JsonSerializer.Deserialize<AttestationBundleMetadata>(text, SerializerOptions);
+                    break;
+                case ChecksumsFileName:
+                    contents.ChecksumsText = text;
+                    break;
+            }
+        }
+
+        return contents;
+    }
+
+    private (bool Success, string? ErrorMessage) VerifyInternalChecksums(BundleContents contents)
+    {
+        if (string.IsNullOrWhiteSpace(contents.ChecksumsText))
+        {
+            return (true, null);
+        }
+
+        var lines = contents.ChecksumsText.Split('\n', StringSplitOptions.RemoveEmptyEntries);
+        foreach (var line in lines)
+        {
+            // Skip comments
+            if (line.TrimStart().StartsWith('#'))
+            {
+                continue;
+            }
+
+            // Parse "hash  filename" format
+            var parts = line.Split(new[] { ' ' }, 2, StringSplitOptions.RemoveEmptyEntries);
+            if (parts.Length != 2)
+            {
+                continue;
+            }
+
+            var expectedHash = parts[0].Trim().ToLowerInvariant();
+            var fileName = parts[1].Trim();
+
+            byte[]? fileBytes = fileName switch
+            {
+                DsseEnvelopeFileName => contents.DsseEnvelopeBytes,
+                StatementFileName => contents.StatementBytes,
+                TransparencyFileName => contents.TransparencyBytes,
+                MetadataFileName => contents.MetadataBytes,
+                _ => null
+            };
+
+            if (fileBytes is null)
+            {
+                // File not found in bundle - could be optional
+                if (fileName == TransparencyFileName)
+                {
+                    continue; // transparency.ndjson is optional
+                }
+
+                return (false, $"File '{fileName}' referenced in checksums but not found in bundle");
+            }
+
+            var actualHash = Convert.ToHexString(SHA256.HashData(fileBytes)).ToLowerInvariant();
+            if (!string.Equals(expectedHash, actualHash, StringComparison.OrdinalIgnoreCase))
+            {
+                return (false, $"Checksum mismatch for '{fileName}': expected {expectedHash}, got {actualHash}");
+            }
+        }
+
+        return (true, null);
+    }
+
+    private bool VerifyDsseSignature(BundleContents contents, bool offline, out string? error)
+    {
+        error = null;
+
+        if (contents.DsseEnvelope is null || string.IsNullOrEmpty(contents.DsseEnvelope.Payload))
+        {
+            error = "DSSE envelope not found or has no payload";
+            return false;
+        }
+
+        // Verify payload matches statement
+        if (contents.StatementJson is not null)
+        {
+            try
+            {
+                var payloadBytes = Convert.FromBase64String(contents.DsseEnvelope.Payload);
+                var payloadJson = System.Text.Encoding.UTF8.GetString(payloadBytes);
+
+                // Compare parsed JSON to handle whitespace differences
+                using var statementDoc = JsonDocument.Parse(contents.StatementJson);
+                using var payloadDoc = JsonDocument.Parse(payloadJson);
+
+                // Check _type field matches
+                var statementType = statementDoc.RootElement.TryGetProperty("_type", out var sType)
+                    ? sType.GetString()
+                    : null;
+                var payloadType = payloadDoc.RootElement.TryGetProperty("_type", out var pType)
+                    ? pType.GetString()
+                    : null;
+
+                if (!string.Equals(statementType, payloadType, StringComparison.Ordinal))
+                {
+                    error = "DSSE payload does not match statement _type";
+                    return false;
+                }
+            }
+            catch (FormatException ex)
+            {
+                error = $"Invalid DSSE payload encoding: {ex.Message}";
+                return false;
+            }
+            catch (JsonException ex)
+            {
+                error = $"Invalid DSSE payload JSON: {ex.Message}";
+                return false;
+            }
+        }
+
+        // In offline mode, we don't verify the actual cryptographic signature
+        // (would require access to signing keys/certificates)
+        if (offline)
+        {
+            _logger.LogDebug("Offline mode: skipping cryptographic signature verification");
+            return true;
+        }
+
+        // Check that signatures exist
+        if (contents.DsseEnvelope.Signatures is null || contents.DsseEnvelope.Signatures.Count == 0)
+        {
+            error = "DSSE envelope has no signatures";
+            return false;
+        }
+
+        // Online signature verification would require access to trust roots
+        // For now, we trust the signature if payload matches and signatures exist
+        return true;
+    }
+
+    private static IReadOnlyList<string>? ExtractSubjects(BundleContents contents)
+    {
+        if (contents.Statement?.Subject is null || contents.Statement.Subject.Count == 0)
+        {
+            // Fall back to metadata subjects
+            if (contents.Metadata?.SubjectDigests is not null)
+            {
+                return contents.Metadata.SubjectDigests
+                    .Select(s => $"{s.Name}@{s.Algorithm}:{s.Digest}")
+                    .ToList();
+            }
+            return null;
+        }
+
+        return contents.Statement.Subject
+            .Select(s =>
+            {
+                var digest = s.Digest?.FirstOrDefault();
+                return digest.HasValue
+                    ? $"{s.Name}@{digest.Value.Key}:{digest.Value.Value}"
+                    : s.Name ?? "unknown";
+            })
+            .ToList();
+    }
+
+    private static string? ExtractPredicateType(BundleContents contents)
+    {
+        return contents.Statement?.PredicateType ?? contents.DsseEnvelope?.PayloadType;
+    }
+
+    private static string? FormatRootHash(string? rootHash)
+    {
+        if (string.IsNullOrWhiteSpace(rootHash))
+        {
+            return null;
+        }
+
+        return rootHash.StartsWith("sha256:", StringComparison.OrdinalIgnoreCase)
+            ? rootHash
+            : $"sha256:{rootHash}";
+    }
+
+    private static AttestationBundleVerifyResult CreateFailedResult(
+        int exitCode,
+        string message,
+        string bundlePath,
+        string? detail = null)
+        => new(
+            Success: false,
+            Status: "failed",
+            ExportId: null,
+            AttestationId: null,
+            RootHash: null,
+            Subjects: null,
+            PredicateType: null,
+            StatementVersion: null,
+            BundlePath: bundlePath,
+            ErrorMessage: detail ?? message,
+            ExitCode: exitCode);
+
+    private sealed class BundleContents
+    {
+        public string? DsseEnvelopeJson { get; set; }
+        public byte[]? DsseEnvelopeBytes { get; set; }
+        public DsseEnvelope? DsseEnvelope { get; set; }
+
+        public string? StatementJson { get; set; }
+        public byte[]? StatementBytes { get; set; }
+        public InTotoStatement? Statement { get; set; }
+
+        public string? TransparencyNdjson { get; set; }
+        public byte[]? TransparencyBytes { get; set; }
+
+        public string? MetadataJson { get; set; }
+        public byte[]? MetadataBytes { get; set; }
+        public AttestationBundleMetadata? Metadata { get; set; }
+
+        public string? ChecksumsText { get; set; }
+    }
+
+    private sealed class DsseEnvelope
+    {
+        public string? PayloadType { get; set; }
+        public string? Payload { get; set; }
+        public IReadOnlyList<DsseSignature>? Signatures { get; set; }
+    }
+
+    private sealed class DsseSignature
+    {
+        public string? KeyId { get; set; }
+        public string? Sig { get; set; }
+    }
+
+    private sealed class InTotoStatement
+    {
+        public string? Type { get; set; }
+        public string? PredicateType { get; set; }
+        public IReadOnlyList<InTotoSubject>? Subject { get; set; }
+    }
+
+    private sealed class InTotoSubject
+    {
+        public string? Name { get; set; }
+        public Dictionary<string, string>? Digest { get; set; }
+    }
+
+    private sealed record AttestationBundleMetadata(
+        string? Version,
+        string? ExportId,
+        string? AttestationId,
+        string? TenantId,
+        DateTimeOffset? CreatedAtUtc,
+        string? RootHash,
+        string? SourceUri,
+        string? StatementVersion,
+        IReadOnlyList<AttestationSubjectDigest>? SubjectDigests);
+
+    private sealed record AttestationSubjectDigest(
+        string? Name,
+        string? Digest,
+        string? Algorithm);
+}

src/Cli/StellaOps.Cli/Services/DevPortalBundleVerifier.cs

@@ -0,0 +1,380 @@
+using System.Formats.Tar;
+using System.IO.Compression;
+using System.Security.Cryptography;
+using System.Text.Json;
+using Microsoft.Extensions.Logging;
+
+namespace StellaOps.Cli.Services;
+
+/// <summary>
+/// Verifier for EvidenceLocker sealed bundles used in DevPortal offline verification.
+/// Per DVOFF-64-002.
+/// </summary>
+internal sealed class DevPortalBundleVerifier : IDevPortalBundleVerifier
+{
+    private static readonly JsonSerializerOptions SerializerOptions = new(JsonSerializerDefaults.Web)
+    {
+        PropertyNameCaseInsensitive = true,
+        WriteIndented = true,
+        PropertyNamingPolicy = JsonNamingPolicy.CamelCase
+    };
+
+    private readonly ILogger<DevPortalBundleVerifier> _logger;
+
+    public DevPortalBundleVerifier(ILogger<DevPortalBundleVerifier> logger)
+    {
+        _logger = logger ?? throw new ArgumentNullException(nameof(logger));
+    }
+
+    public async Task<DevPortalBundleVerificationResult> VerifyBundleAsync(
+        string bundlePath,
+        bool offline,
+        CancellationToken cancellationToken)
+    {
+        ArgumentException.ThrowIfNullOrWhiteSpace(bundlePath);
+
+        _logger.LogDebug("Verifying DevPortal bundle at {BundlePath}, offline={Offline}", bundlePath, offline);
+
+        // Step 1: Check bundle exists
+        if (!File.Exists(bundlePath))
+        {
+            return DevPortalBundleVerificationResult.Failed(
+                DevPortalVerifyExitCode.Unexpected,
+                "Bundle file not found",
+                bundlePath);
+        }
+
+        // Step 2: Validate SHA-256 against .sha256 file if present
+        var sha256Path = bundlePath + ".sha256";
+        if (File.Exists(sha256Path))
+        {
+            var checksumResult = await VerifyBundleChecksumAsync(bundlePath, sha256Path, cancellationToken)
+                .ConfigureAwait(false);
+            if (!checksumResult.IsValid)
+            {
+                return DevPortalBundleVerificationResult.Failed(
+                    DevPortalVerifyExitCode.ChecksumMismatch,
+                    "SHA-256 checksum mismatch",
+                    $"Expected: {checksumResult.ExpectedHash}, Computed: {checksumResult.ActualHash}");
+            }
+        }
+        else
+        {
+            _logger.LogDebug("No .sha256 file found, skipping checksum verification");
+        }
+
+        // Step 3: Extract and parse bundle contents
+        BundleContents contents;
+        try
+        {
+            contents = await ExtractBundleContentsAsync(bundlePath, cancellationToken).ConfigureAwait(false);
+        }
+        catch (Exception ex) when (ex is InvalidDataException or JsonException or IOException)
+        {
+            _logger.LogError(ex, "Failed to extract bundle contents");
+            return DevPortalBundleVerificationResult.Failed(
+                DevPortalVerifyExitCode.Unexpected,
+                "Failed to extract bundle contents",
+                ex.Message);
+        }
+
+        // Step 4: Verify DSSE signature
+        var signatureValid = VerifyDsseSignature(contents, offline, out var signatureError);
+        if (!signatureValid && !string.IsNullOrEmpty(signatureError))
+        {
+            return DevPortalBundleVerificationResult.Failed(
+                DevPortalVerifyExitCode.SignatureFailure,
+                "DSSE signature verification failed",
+                signatureError);
+        }
+
+        // Step 5: Verify TSA (only if not offline)
+        if (!offline && contents.Signature is not null)
+        {
+            if (string.IsNullOrEmpty(contents.Signature.TimestampAuthority) ||
+                string.IsNullOrEmpty(contents.Signature.TimestampToken))
+            {
+                return DevPortalBundleVerificationResult.Failed(
+                    DevPortalVerifyExitCode.TsaMissing,
+                    "RFC3161 timestamp missing",
+                    "Bundle requires timestamping when not in offline mode");
+            }
+        }
+
+        // Step 6: Build success result
+        return new DevPortalBundleVerificationResult
+        {
+            Status = "verified",
+            BundleId = contents.Manifest?.BundleId ?? contents.BundleMetadata?.BundleId,
+            RootHash = contents.BundleMetadata?.RootHash is not null
+                ? $"sha256:{contents.BundleMetadata.RootHash}"
+                : null,
+            Entries = contents.Manifest?.Entries?.Count ?? 0,
+            CreatedAt = contents.Manifest?.CreatedAt ?? contents.BundleMetadata?.CreatedAt,
+            Portable = contents.BundleMetadata?.PortableGeneratedAt is not null,
+            ExitCode = DevPortalVerifyExitCode.Success
+        };
+    }
+
+    private async Task<(bool IsValid, string? ExpectedHash, string? ActualHash)> VerifyBundleChecksumAsync(
+        string bundlePath,
+        string sha256Path,
+        CancellationToken cancellationToken)
+    {
+        // Read expected hash from .sha256 file
+        var content = await File.ReadAllTextAsync(sha256Path, cancellationToken).ConfigureAwait(false);
+        var expectedHash = content.Split(' ', StringSplitOptions.RemoveEmptyEntries).FirstOrDefault()?.Trim()?.ToLowerInvariant();
+
+        if (string.IsNullOrEmpty(expectedHash))
+        {
+            return (false, null, null);
+        }
+
+        // Compute actual hash
+        await using var stream = File.OpenRead(bundlePath);
+        var hashBytes = await SHA256.HashDataAsync(stream, cancellationToken).ConfigureAwait(false);
+        var actualHash = Convert.ToHexString(hashBytes).ToLowerInvariant();
+
+        return (string.Equals(expectedHash, actualHash, StringComparison.OrdinalIgnoreCase), expectedHash, actualHash);
+    }
+
+    private async Task<BundleContents> ExtractBundleContentsAsync(
+        string bundlePath,
+        CancellationToken cancellationToken)
+    {
+        var contents = new BundleContents();
+
+        await using var fileStream = File.OpenRead(bundlePath);
+        await using var gzipStream = new GZipStream(fileStream, CompressionMode.Decompress);
+        using var tarReader = new TarReader(gzipStream);
+
+        TarEntry? entry;
+        while ((entry = await tarReader.GetNextEntryAsync(cancellationToken: cancellationToken).ConfigureAwait(false)) is not null)
+        {
+            if (entry.EntryType != TarEntryType.RegularFile || entry.DataStream is null)
+            {
+                continue;
+            }
+
+            using var memoryStream = new MemoryStream();
+            await entry.DataStream.CopyToAsync(memoryStream, cancellationToken).ConfigureAwait(false);
+            var json = System.Text.Encoding.UTF8.GetString(memoryStream.ToArray());
+
+            switch (entry.Name)
+            {
+                case "manifest.json":
+                    contents.ManifestJson = json;
+                    contents.Manifest = JsonSerializer.Deserialize<BundleManifest>(json, SerializerOptions);
+                    break;
+                case "signature.json":
+                    contents.SignatureJson = json;
+                    contents.Signature = JsonSerializer.Deserialize<BundleSignature>(json, SerializerOptions);
+                    break;
+                case "bundle.json":
+                    contents.BundleMetadataJson = json;
+                    contents.BundleMetadata = JsonSerializer.Deserialize<BundleMetadataDocument>(json, SerializerOptions);
+                    break;
+                case "checksums.txt":
+                    contents.ChecksumsText = json;
+                    break;
+            }
+        }
+
+        return contents;
+    }
+
+    private bool VerifyDsseSignature(BundleContents contents, bool offline, out string? error)
+    {
+        error = null;
+
+        if (contents.Signature is null || string.IsNullOrEmpty(contents.Signature.Payload))
+        {
+            error = "Signature not found in bundle";
+            return false;
+        }
+
+        // Verify payload matches manifest
+        if (contents.ManifestJson is not null)
+        {
+            try
+            {
+                var payloadBytes = Convert.FromBase64String(contents.Signature.Payload);
+                var payloadJson = System.Text.Encoding.UTF8.GetString(payloadBytes);
+
+                // Compare parsed JSON to handle whitespace differences
+                using var manifestDoc = JsonDocument.Parse(contents.ManifestJson);
+                using var payloadDoc = JsonDocument.Parse(payloadJson);
+
+                var manifestBundleId = manifestDoc.RootElement.TryGetProperty("bundleId", out var mId)
+                    ? mId.GetString()
+                    : null;
+                var payloadBundleId = payloadDoc.RootElement.TryGetProperty("bundleId", out var pId)
+                    ? pId.GetString()
+                    : null;
+
+                if (!string.Equals(manifestBundleId, payloadBundleId, StringComparison.OrdinalIgnoreCase))
+                {
+                    error = "Signature payload does not match manifest bundleId";
+                    return false;
+                }
+            }
+            catch (FormatException ex)
+            {
+                error = $"Invalid signature payload encoding: {ex.Message}";
+                return false;
+            }
+            catch (JsonException ex)
+            {
+                error = $"Invalid signature payload JSON: {ex.Message}";
+                return false;
+            }
+        }
+
+        // In offline mode, we don't verify the actual cryptographic signature
+        // (would require access to signing keys/certificates)
+        if (offline)
+        {
+            _logger.LogDebug("Offline mode: skipping cryptographic signature verification");
+            return true;
+        }
+
+        // Online signature verification would go here
+        // For now, we trust the signature if payload matches
+        return true;
+    }
+
+    private sealed class BundleContents
+    {
+        public string? ManifestJson { get; set; }
+        public BundleManifest? Manifest { get; set; }
+        public string? SignatureJson { get; set; }
+        public BundleSignature? Signature { get; set; }
+        public string? BundleMetadataJson { get; set; }
+        public BundleMetadataDocument? BundleMetadata { get; set; }
+        public string? ChecksumsText { get; set; }
+    }
+
+    private sealed class BundleManifest
+    {
+        public string? BundleId { get; set; }
+        public string? TenantId { get; set; }
+        public int Kind { get; set; }
+        public DateTimeOffset? CreatedAt { get; set; }
+        public Dictionary<string, string>? Metadata { get; set; }
+        public List<BundleManifestEntry>? Entries { get; set; }
+    }
+
+    private sealed class BundleManifestEntry
+    {
+        public string? Section { get; set; }
+        public string? CanonicalPath { get; set; }
+        public string? Sha256 { get; set; }
+        public long SizeBytes { get; set; }
+        public string? MediaType { get; set; }
+    }
+
+    private sealed class BundleSignature
+    {
+        public string? PayloadType { get; set; }
+        public string? Payload { get; set; }
+        public string? Signature { get; set; }
+        public string? KeyId { get; set; }
+        public string? Algorithm { get; set; }
+        public string? Provider { get; set; }
+        public DateTimeOffset? SignedAt { get; set; }
+        public DateTimeOffset? TimestampedAt { get; set; }
+        public string? TimestampAuthority { get; set; }
+        public string? TimestampToken { get; set; }
+    }
+
+    private sealed class BundleMetadataDocument
+    {
+        public string? BundleId { get; set; }
+        public string? TenantId { get; set; }
+        public int Kind { get; set; }
+        public int Status { get; set; }
+        public string? RootHash { get; set; }
+        public string? StorageKey { get; set; }
+        public DateTimeOffset? CreatedAt { get; set; }
+        public DateTimeOffset? SealedAt { get; set; }
+        public DateTimeOffset? PortableGeneratedAt { get; set; }
+    }
+}
+
+/// <summary>
+/// Exit codes for DevPortal bundle verification per DVOFF-64-002.
+/// </summary>
+public enum DevPortalVerifyExitCode
+{
+    /// <summary>Verification successful.</summary>
+    Success = 0,
+
+    /// <summary>SHA-256 checksum mismatch.</summary>
+    ChecksumMismatch = 2,
+
+    /// <summary>DSSE signature verification failed.</summary>
+    SignatureFailure = 3,
+
+    /// <summary>RFC3161 timestamp missing (when not offline).</summary>
+    TsaMissing = 4,
+
+    /// <summary>Unexpected error.</summary>
+    Unexpected = 5
+}
+
+/// <summary>
+/// Result of DevPortal bundle verification.
+/// </summary>
+public sealed class DevPortalBundleVerificationResult
+{
+    public string Status { get; set; } = "failed";
+    public string? BundleId { get; set; }
+    public string? RootHash { get; set; }
+    public int Entries { get; set; }
+    public DateTimeOffset? CreatedAt { get; set; }
+    public bool Portable { get; set; }
+    public DevPortalVerifyExitCode ExitCode { get; set; } = DevPortalVerifyExitCode.Unexpected;
+    public string? ErrorMessage { get; set; }
+    public string? ErrorDetail { get; set; }
+
+    public static DevPortalBundleVerificationResult Failed(
+        DevPortalVerifyExitCode exitCode,
+        string message,
+        string? detail = null)
+        => new()
+        {
+            Status = "failed",
+            ExitCode = exitCode,
+            ErrorMessage = message,
+            ErrorDetail = detail
+        };
+
+    public string ToJson()
+    {
+        var options = new JsonSerializerOptions
+        {
+            WriteIndented = false,
+            PropertyNamingPolicy = JsonNamingPolicy.CamelCase,
+            DefaultIgnoreCondition = System.Text.Json.Serialization.JsonIgnoreCondition.WhenWritingNull
+        };
+
+        // Build output with sorted keys
+        var output = new SortedDictionary<string, object?>(StringComparer.Ordinal);
+
+        if (BundleId is not null)
+            output["bundleId"] = BundleId;
+        if (CreatedAt.HasValue)
+            output["createdAt"] = CreatedAt.Value.ToString("O");
+        output["entries"] = Entries;
+        if (ErrorDetail is not null)
+            output["errorDetail"] = ErrorDetail;
+        if (ErrorMessage is not null)
+            output["errorMessage"] = ErrorMessage;
+        output["portable"] = Portable;
+        if (RootHash is not null)
+            output["rootHash"] = RootHash;
+        output["status"] = Status;
+
+        return JsonSerializer.Serialize(output, options);
+    }
+}

src/Cli/StellaOps.Cli/Services/IAttestationBundleVerifier.cs

@@ -0,0 +1,29 @@
+using StellaOps.Cli.Services.Models;
+
+namespace StellaOps.Cli.Services;
+
+/// <summary>
+/// Interface for attestation bundle verification.
+/// </summary>
+public interface IAttestationBundleVerifier
+{
+    /// <summary>
+    /// Verifies an attestation bundle exported from the Export Center.
+    /// </summary>
+    /// <param name="options">Verification options.</param>
+    /// <param name="cancellationToken">Cancellation token.</param>
+    /// <returns>Verification result with status and exit code.</returns>
+    Task<AttestationBundleVerifyResult> VerifyAsync(
+        AttestationBundleVerifyOptions options,
+        CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Imports an attestation bundle into the local system.
+    /// </summary>
+    /// <param name="options">Import options.</param>
+    /// <param name="cancellationToken">Cancellation token.</param>
+    /// <returns>Import result with status and exit code.</returns>
+    Task<AttestationBundleImportResult> ImportAsync(
+        AttestationBundleImportOptions options,
+        CancellationToken cancellationToken);
+}

src/Cli/StellaOps.Cli/Services/IDevPortalBundleVerifier.cs

@@ -0,0 +1,19 @@
+namespace StellaOps.Cli.Services;
+
+/// <summary>
+/// Interface for DevPortal bundle verification.
+/// </summary>
+public interface IDevPortalBundleVerifier
+{
+    /// <summary>
+    /// Verifies a DevPortal/EvidenceLocker sealed bundle.
+    /// </summary>
+    /// <param name="bundlePath">Path to the bundle .tgz file.</param>
+    /// <param name="offline">If true, skip TSA verification and online checks.</param>
+    /// <param name="cancellationToken">Cancellation token.</param>
+    /// <returns>Verification result with status and exit code.</returns>
+    Task<DevPortalBundleVerificationResult> VerifyBundleAsync(
+        string bundlePath,
+        bool offline,
+        CancellationToken cancellationToken);
+}

src/Cli/StellaOps.Cli/Services/Models/AttestationBundleModels.cs

@@ -0,0 +1,126 @@
+using System.Text.Json.Serialization;
+
+namespace StellaOps.Cli.Services.Models;
+
+/// <summary>
+/// Options for attestation bundle verification.
+/// </summary>
+public sealed record AttestationBundleVerifyOptions(
+    string FilePath,
+    bool Offline = false,
+    bool VerifyTransparency = true,
+    string? TrustRootPath = null);
+
+/// <summary>
+/// Options for attestation bundle import.
+/// </summary>
+public sealed record AttestationBundleImportOptions(
+    string FilePath,
+    string? Tenant = null,
+    string? Namespace = null,
+    bool Offline = false,
+    bool VerifyTransparency = true,
+    string? TrustRootPath = null);
+
+/// <summary>
+/// Result of attestation bundle verification.
+/// </summary>
+public sealed record AttestationBundleVerifyResult(
+    bool Success,
+    string Status,
+    string? ExportId,
+    string? AttestationId,
+    string? RootHash,
+    IReadOnlyList<string>? Subjects,
+    string? PredicateType,
+    string? StatementVersion,
+    string BundlePath,
+    string? ErrorMessage = null,
+    int ExitCode = 0);
+
+/// <summary>
+/// Result of attestation bundle import.
+/// </summary>
+public sealed record AttestationBundleImportResult(
+    bool Success,
+    string Status,
+    string? AttestationId,
+    string? TenantId,
+    string? Namespace,
+    string? RootHash,
+    string? ErrorMessage = null,
+    int ExitCode = 0);
+
+/// <summary>
+/// JSON output for attestation bundle verify command.
+/// </summary>
+public sealed record AttestationBundleVerifyJson(
+    [property: JsonPropertyName("status")] string Status,
+    [property: JsonPropertyName("exportId")] string? ExportId,
+    [property: JsonPropertyName("attestationId")] string? AttestationId,
+    [property: JsonPropertyName("rootHash")] string? RootHash,
+    [property: JsonPropertyName("subjects")] IReadOnlyList<string>? Subjects,
+    [property: JsonPropertyName("predicateType")] string? PredicateType,
+    [property: JsonPropertyName("bundlePath")] string BundlePath);
+
+/// <summary>
+/// JSON output for attestation bundle import command.
+/// </summary>
+public sealed record AttestationBundleImportJson(
+    [property: JsonPropertyName("status")] string Status,
+    [property: JsonPropertyName("attestationId")] string? AttestationId,
+    [property: JsonPropertyName("tenantId")] string? TenantId,
+    [property: JsonPropertyName("namespace")] string? Namespace,
+    [property: JsonPropertyName("rootHash")] string? RootHash);
+
+/// <summary>
+/// Exit codes for attestation bundle commands.
+/// </summary>
+public static class AttestationBundleExitCodes
+{
+    /// <summary>Success.</summary>
+    public const int Success = 0;
+
+    /// <summary>General failure.</summary>
+    public const int GeneralFailure = 1;
+
+    /// <summary>Checksum mismatch.</summary>
+    public const int ChecksumMismatch = 2;
+
+    /// <summary>DSSE signature verification failure.</summary>
+    public const int SignatureFailure = 3;
+
+    /// <summary>Missing required TSA/CT log entry.</summary>
+    public const int MissingTransparency = 4;
+
+    /// <summary>Archive or file format error.</summary>
+    public const int FormatError = 5;
+
+    /// <summary>File not found.</summary>
+    public const int FileNotFound = 6;
+
+    /// <summary>Import failed.</summary>
+    public const int ImportFailed = 7;
+}
+
+/// <summary>
+/// Metadata parsed from an attestation bundle.
+/// </summary>
+internal sealed record AttestationBundleMetadata(
+    string? Version,
+    string? ExportId,
+    string? AttestationId,
+    string? TenantId,
+    DateTimeOffset? CreatedAtUtc,
+    string? RootHash,
+    string? SourceUri,
+    string? StatementVersion,
+    IReadOnlyList<AttestationBundleSubjectDigest>? SubjectDigests);
+
+/// <summary>
+/// Subject digest from attestation bundle metadata.
+/// </summary>
+internal sealed record AttestationBundleSubjectDigest(
+    string? Name,
+    string? Digest,
+    string? Algorithm);

src/Cli/__Tests/StellaOps.Cli.Tests/AttestationBundleVerifierTests.cs

@@ -0,0 +1,406 @@
+using System.Formats.Tar;
+using System.IO.Compression;
+using System.Text;
+using System.Text.Json;
+using Microsoft.Extensions.Logging.Abstractions;
+using StellaOps.Cli.Services;
+using StellaOps.Cli.Services.Models;
+
+namespace StellaOps.Cli.Tests;
+
+public sealed class AttestationBundleVerifierTests : IDisposable
+{
+    private readonly string _tempDir;
+    private readonly AttestationBundleVerifier _verifier;
+
+    public AttestationBundleVerifierTests()
+    {
+        _tempDir = Path.Combine(Path.GetTempPath(), $"attest-bundle-test-{Guid.NewGuid():N}");
+        Directory.CreateDirectory(_tempDir);
+
+        _verifier = new AttestationBundleVerifier(NullLogger<AttestationBundleVerifier>.Instance);
+    }
+
+    public void Dispose()
+    {
+        if (Directory.Exists(_tempDir))
+        {
+            Directory.Delete(_tempDir, recursive: true);
+        }
+    }
+
+    [Fact]
+    public async Task VerifyAsync_FileNotFound_ReturnsFileNotFoundCode()
+    {
+        var options = new AttestationBundleVerifyOptions(
+            Path.Combine(_tempDir, "nonexistent.tgz"),
+            Offline: true);
+
+        var result = await _verifier.VerifyAsync(options, CancellationToken.None);
+
+        Assert.False(result.Success);
+        Assert.Equal(AttestationBundleExitCodes.FileNotFound, result.ExitCode);
+    }
+
+    [Fact]
+    public async Task VerifyAsync_ValidBundle_ReturnsSuccess()
+    {
+        var bundlePath = await CreateValidBundleAsync();
+
+        var options = new AttestationBundleVerifyOptions(bundlePath, Offline: true);
+
+        var result = await _verifier.VerifyAsync(options, CancellationToken.None);
+
+        Assert.True(result.Success);
+        Assert.Equal(AttestationBundleExitCodes.Success, result.ExitCode);
+        Assert.Equal("verified", result.Status);
+    }
+
+    [Fact]
+    public async Task VerifyAsync_ValidBundle_ReturnsMetadata()
+    {
+        var bundlePath = await CreateValidBundleAsync();
+
+        var options = new AttestationBundleVerifyOptions(bundlePath, Offline: true);
+
+        var result = await _verifier.VerifyAsync(options, CancellationToken.None);
+
+        Assert.True(result.Success);
+        Assert.NotNull(result.ExportId);
+        Assert.NotNull(result.AttestationId);
+        Assert.NotNull(result.RootHash);
+        Assert.StartsWith("sha256:", result.RootHash);
+    }
+
+    [Fact]
+    public async Task VerifyAsync_CorruptedArchive_ReturnsFormatError()
+    {
+        var bundlePath = Path.Combine(_tempDir, "corrupted.tgz");
+        await File.WriteAllBytesAsync(bundlePath, Encoding.UTF8.GetBytes("not a valid tgz"));
+
+        var options = new AttestationBundleVerifyOptions(bundlePath, Offline: true);
+
+        var result = await _verifier.VerifyAsync(options, CancellationToken.None);
+
+        Assert.False(result.Success);
+        Assert.Equal(AttestationBundleExitCodes.FormatError, result.ExitCode);
+    }
+
+    [Fact]
+    public async Task VerifyAsync_ChecksumMismatch_ReturnsChecksumMismatchCode()
+    {
+        var bundlePath = await CreateBundleWithBadChecksumAsync();
+
+        var options = new AttestationBundleVerifyOptions(bundlePath, Offline: true);
+
+        var result = await _verifier.VerifyAsync(options, CancellationToken.None);
+
+        Assert.False(result.Success);
+        Assert.Equal(AttestationBundleExitCodes.ChecksumMismatch, result.ExitCode);
+    }
+
+    [Fact]
+    public async Task VerifyAsync_ExternalChecksumMismatch_ReturnsChecksumMismatchCode()
+    {
+        var bundlePath = await CreateValidBundleAsync();
+        var checksumPath = bundlePath + ".sha256";
+        await File.WriteAllTextAsync(checksumPath, "0000000000000000000000000000000000000000000000000000000000000000  " + Path.GetFileName(bundlePath));
+
+        var options = new AttestationBundleVerifyOptions(bundlePath, Offline: true);
+
+        var result = await _verifier.VerifyAsync(options, CancellationToken.None);
+
+        Assert.False(result.Success);
+        Assert.Equal(AttestationBundleExitCodes.ChecksumMismatch, result.ExitCode);
+    }
+
+    [Fact]
+    public async Task VerifyAsync_MissingTransparency_WhenNotOffline_ReturnsMissingTransparencyCode()
+    {
+        var bundlePath = await CreateBundleWithoutTransparencyAsync();
+
+        var options = new AttestationBundleVerifyOptions(
+            bundlePath,
+            Offline: false,
+            VerifyTransparency: true);
+
+        var result = await _verifier.VerifyAsync(options, CancellationToken.None);
+
+        Assert.False(result.Success);
+        Assert.Equal(AttestationBundleExitCodes.MissingTransparency, result.ExitCode);
+    }
+
+    [Fact]
+    public async Task VerifyAsync_MissingTransparency_WhenOffline_ReturnsSuccess()
+    {
+        var bundlePath = await CreateBundleWithoutTransparencyAsync();
+
+        var options = new AttestationBundleVerifyOptions(
+            bundlePath,
+            Offline: true,
+            VerifyTransparency: true);
+
+        var result = await _verifier.VerifyAsync(options, CancellationToken.None);
+
+        Assert.True(result.Success);
+        Assert.Equal(AttestationBundleExitCodes.Success, result.ExitCode);
+    }
+
+    [Fact]
+    public async Task VerifyAsync_MissingDssePayload_ReturnsSignatureFailure()
+    {
+        var bundlePath = await CreateBundleWithMissingDssePayloadAsync();
+
+        var options = new AttestationBundleVerifyOptions(bundlePath, Offline: true);
+
+        var result = await _verifier.VerifyAsync(options, CancellationToken.None);
+
+        Assert.False(result.Success);
+        Assert.Equal(AttestationBundleExitCodes.SignatureFailure, result.ExitCode);
+    }
+
+    [Fact]
+    public async Task ImportAsync_ValidBundle_ReturnsSuccess()
+    {
+        var bundlePath = await CreateValidBundleAsync();
+
+        var options = new AttestationBundleImportOptions(
+            bundlePath,
+            Tenant: "test-tenant",
+            Namespace: "test-namespace",
+            Offline: true);
+
+        var result = await _verifier.ImportAsync(options, CancellationToken.None);
+
+        Assert.True(result.Success);
+        Assert.Equal(AttestationBundleExitCodes.Success, result.ExitCode);
+        Assert.Equal("imported", result.Status);
+    }
+
+    [Fact]
+    public async Task ImportAsync_InvalidBundle_ReturnsVerificationFailed()
+    {
+        var bundlePath = Path.Combine(_tempDir, "invalid.tgz");
+        await File.WriteAllBytesAsync(bundlePath, Encoding.UTF8.GetBytes("not valid"));
+
+        var options = new AttestationBundleImportOptions(
+            bundlePath,
+            Tenant: "test-tenant",
+            Offline: true);
+
+        var result = await _verifier.ImportAsync(options, CancellationToken.None);
+
+        Assert.False(result.Success);
+        Assert.Equal("verification_failed", result.Status);
+    }
+
+    [Fact]
+    public async Task ImportAsync_InheritsTenantFromMetadata()
+    {
+        var bundlePath = await CreateValidBundleAsync();
+
+        var options = new AttestationBundleImportOptions(
+            bundlePath,
+            Tenant: null, // Not specified
+            Offline: true);
+
+        var result = await _verifier.ImportAsync(options, CancellationToken.None);
+
+        Assert.True(result.Success);
+        Assert.NotNull(result.TenantId); // Should come from bundle metadata
+    }
+
+    private async Task<string> CreateValidBundleAsync()
+    {
+        var bundlePath = Path.Combine(_tempDir, $"valid-bundle-{Guid.NewGuid():N}.tgz");
+        var exportId = Guid.NewGuid().ToString("D");
+        var attestationId = Guid.NewGuid().ToString("D");
+        var tenantId = Guid.NewGuid().ToString("D");
+
+        // Create statement JSON
+        var statement = new
+        {
+            _type = "https://in-toto.io/Statement/v1",
+            predicateType = "https://stellaops.io/attestations/vuln-scan/v1",
+            subject = new[]
+            {
+                new { name = "test-image:latest", digest = new Dictionary<string, string> { ["sha256"] = "abc123" } }
+            },
+            predicate = new { }
+        };
+        var statementJson = JsonSerializer.Serialize(statement);
+        var statementBase64 = Convert.ToBase64String(Encoding.UTF8.GetBytes(statementJson));
+
+        // Create DSSE envelope
+        var dsse = new
+        {
+            payloadType = "application/vnd.in-toto+json",
+            payload = statementBase64,
+            signatures = new[]
+            {
+                new { keyid = "key-001", sig = "fake-signature-for-test" }
+            }
+        };
+        var dsseJson = JsonSerializer.Serialize(dsse);
+
+        // Create metadata
+        var metadata = new
+        {
+            version = "attestation-bundle/v1",
+            exportId,
+            attestationId,
+            tenantId,
+            createdAtUtc = DateTimeOffset.UtcNow.ToString("O"),
+            rootHash = "abc123def456",
+            statementVersion = "v1"
+        };
+        var metadataJson = JsonSerializer.Serialize(metadata);
+
+        // Create transparency entries
+        var transparencyNdjson = "{\"logIndex\":1,\"logId\":\"test\"}\n";
+
+        // Calculate checksums
+        var dsseHash = ComputeHash(dsseJson);
+        var statementHash = ComputeHash(statementJson);
+        var metadataHash = ComputeHash(metadataJson);
+        var transparencyHash = ComputeHash(transparencyNdjson);
+
+        var checksums = new StringBuilder();
+        checksums.AppendLine("# Attestation bundle checksums (sha256)");
+        checksums.AppendLine($"{dsseHash}  attestation.dsse.json");
+        checksums.AppendLine($"{metadataHash}  metadata.json");
+        checksums.AppendLine($"{statementHash}  statement.json");
+        checksums.AppendLine($"{transparencyHash}  transparency.ndjson");
+        var checksumsText = checksums.ToString();
+
+        // Create archive
+        await using var fileStream = File.Create(bundlePath);
+        await using var gzipStream = new GZipStream(fileStream, CompressionLevel.SmallestSize);
+        await using var tarWriter = new TarWriter(gzipStream, TarEntryFormat.Pax);
+
+        await WriteEntryAsync(tarWriter, "attestation.dsse.json", dsseJson);
+        await WriteEntryAsync(tarWriter, "checksums.txt", checksumsText);
+        await WriteEntryAsync(tarWriter, "metadata.json", metadataJson);
+        await WriteEntryAsync(tarWriter, "statement.json", statementJson);
+        await WriteEntryAsync(tarWriter, "transparency.ndjson", transparencyNdjson);
+
+        return bundlePath;
+    }
+
+    private async Task<string> CreateBundleWithoutTransparencyAsync()
+    {
+        var bundlePath = Path.Combine(_tempDir, $"no-transparency-{Guid.NewGuid():N}.tgz");
+
+        var statement = new
+        {
+            _type = "https://in-toto.io/Statement/v1",
+            predicateType = "https://stellaops.io/attestations/vuln-scan/v1",
+            subject = new[] { new { name = "test", digest = new Dictionary<string, string> { ["sha256"] = "abc" } } }
+        };
+        var statementJson = JsonSerializer.Serialize(statement);
+        var statementBase64 = Convert.ToBase64String(Encoding.UTF8.GetBytes(statementJson));
+
+        var dsse = new
+        {
+            payloadType = "application/vnd.in-toto+json",
+            payload = statementBase64,
+            signatures = new[] { new { keyid = "key-001", sig = "fake-sig" } }
+        };
+        var dsseJson = JsonSerializer.Serialize(dsse);
+
+        var metadata = new
+        {
+            version = "attestation-bundle/v1",
+            exportId = Guid.NewGuid().ToString("D"),
+            attestationId = Guid.NewGuid().ToString("D"),
+            tenantId = Guid.NewGuid().ToString("D"),
+            rootHash = "abc123"
+        };
+        var metadataJson = JsonSerializer.Serialize(metadata);
+
+        var dsseHash = ComputeHash(dsseJson);
+        var statementHash = ComputeHash(statementJson);
+        var metadataHash = ComputeHash(metadataJson);
+
+        var checksums = $"# Checksums\n{dsseHash}  attestation.dsse.json\n{metadataHash}  metadata.json\n{statementHash}  statement.json\n";
+
+        await using var fileStream = File.Create(bundlePath);
+        await using var gzipStream = new GZipStream(fileStream, CompressionLevel.SmallestSize);
+        await using var tarWriter = new TarWriter(gzipStream, TarEntryFormat.Pax);
+
+        await WriteEntryAsync(tarWriter, "attestation.dsse.json", dsseJson);
+        await WriteEntryAsync(tarWriter, "checksums.txt", checksums);
+        await WriteEntryAsync(tarWriter, "metadata.json", metadataJson);
+        await WriteEntryAsync(tarWriter, "statement.json", statementJson);
+        // No transparency.ndjson
+
+        return bundlePath;
+    }
+
+    private async Task<string> CreateBundleWithBadChecksumAsync()
+    {
+        var bundlePath = Path.Combine(_tempDir, $"bad-checksum-{Guid.NewGuid():N}.tgz");
+
+        var dsseJson = "{\"payloadType\":\"test\",\"payload\":\"dGVzdA==\",\"signatures\":[{\"keyid\":\"k\",\"sig\":\"s\"}]}";
+        var statementJson = "{\"_type\":\"test\"}";
+        var metadataJson = "{\"version\":\"v1\"}";
+
+        // Intentionally wrong checksum
+        var checksums = "0000000000000000000000000000000000000000000000000000000000000000  attestation.dsse.json\n";
+
+        await using var fileStream = File.Create(bundlePath);
+        await using var gzipStream = new GZipStream(fileStream, CompressionLevel.SmallestSize);
+        await using var tarWriter = new TarWriter(gzipStream, TarEntryFormat.Pax);
+
+        await WriteEntryAsync(tarWriter, "attestation.dsse.json", dsseJson);
+        await WriteEntryAsync(tarWriter, "checksums.txt", checksums);
+        await WriteEntryAsync(tarWriter, "metadata.json", metadataJson);
+        await WriteEntryAsync(tarWriter, "statement.json", statementJson);
+
+        return bundlePath;
+    }
+
+    private async Task<string> CreateBundleWithMissingDssePayloadAsync()
+    {
+        var bundlePath = Path.Combine(_tempDir, $"no-dsse-payload-{Guid.NewGuid():N}.tgz");
+
+        // DSSE without payload
+        var dsseJson = "{\"payloadType\":\"test\",\"signatures\":[]}";
+        var statementJson = "{\"_type\":\"test\"}";
+        var metadataJson = "{\"version\":\"v1\"}";
+
+        var dsseHash = ComputeHash(dsseJson);
+        var statementHash = ComputeHash(statementJson);
+        var metadataHash = ComputeHash(metadataJson);
+        var checksums = $"{dsseHash}  attestation.dsse.json\n{metadataHash}  metadata.json\n{statementHash}  statement.json\n";
+
+        await using var fileStream = File.Create(bundlePath);
+        await using var gzipStream = new GZipStream(fileStream, CompressionLevel.SmallestSize);
+        await using var tarWriter = new TarWriter(gzipStream, TarEntryFormat.Pax);
+
+        await WriteEntryAsync(tarWriter, "attestation.dsse.json", dsseJson);
+        await WriteEntryAsync(tarWriter, "checksums.txt", checksums);
+        await WriteEntryAsync(tarWriter, "metadata.json", metadataJson);
+        await WriteEntryAsync(tarWriter, "statement.json", statementJson);
+
+        return bundlePath;
+    }
+
+    private static async Task WriteEntryAsync(TarWriter writer, string name, string content)
+    {
+        var bytes = Encoding.UTF8.GetBytes(content);
+        using var dataStream = new MemoryStream(bytes);
+        var entry = new PaxTarEntry(TarEntryType.RegularFile, name)
+        {
+            DataStream = dataStream
+        };
+        await writer.WriteEntryAsync(entry);
+    }
+
+    private static string ComputeHash(string content)
+    {
+        var bytes = Encoding.UTF8.GetBytes(content);
+        var hash = System.Security.Cryptography.SHA256.HashData(bytes);
+        return Convert.ToHexString(hash).ToLowerInvariant();
+    }
+}

src/Cli/__Tests/StellaOps.Cli.Tests/Services/DevPortalBundleVerifierTests.cs

@@ -0,0 +1,316 @@
+using System.Formats.Tar;
+using System.IO.Compression;
+using System.Security.Cryptography;
+using System.Text;
+using System.Text.Json;
+using Microsoft.Extensions.Logging.Abstractions;
+using StellaOps.Cli.Services;
+using Xunit;
+
+namespace StellaOps.Cli.Tests.Services;
+
+public sealed class DevPortalBundleVerifierTests : IDisposable
+{
+    private readonly string _tempDir;
+    private readonly DevPortalBundleVerifier _verifier;
+
+    public DevPortalBundleVerifierTests()
+    {
+        _tempDir = Path.Combine(Path.GetTempPath(), $"devportal-test-{Guid.NewGuid():N}");
+        Directory.CreateDirectory(_tempDir);
+        _verifier = new DevPortalBundleVerifier(NullLogger<DevPortalBundleVerifier>.Instance);
+    }
+
+    public void Dispose()
+    {
+        if (Directory.Exists(_tempDir))
+        {
+            Directory.Delete(_tempDir, recursive: true);
+        }
+    }
+
+    [Fact]
+    public async Task VerifyBundleAsync_ReturnsSuccess_ForValidBundle()
+    {
+        var bundlePath = CreateValidBundle();
+
+        var result = await _verifier.VerifyBundleAsync(bundlePath, offline: true, CancellationToken.None);
+
+        Assert.Equal("verified", result.Status);
+        Assert.Equal(DevPortalVerifyExitCode.Success, result.ExitCode);
+        Assert.Equal("a1b2c3d4-e5f6-7890-abcd-ef1234567890", result.BundleId);
+        Assert.NotNull(result.RootHash);
+        Assert.True(result.RootHash!.StartsWith("sha256:", StringComparison.OrdinalIgnoreCase));
+        Assert.Equal(1, result.Entries);
+    }
+
+    [Fact]
+    public async Task VerifyBundleAsync_ReturnsUnexpected_WhenBundleNotFound()
+    {
+        var nonExistentPath = Path.Combine(_tempDir, "nonexistent.tgz");
+
+        var result = await _verifier.VerifyBundleAsync(nonExistentPath, offline: true, CancellationToken.None);
+
+        Assert.Equal("failed", result.Status);
+        Assert.Equal(DevPortalVerifyExitCode.Unexpected, result.ExitCode);
+        Assert.Contains("not found", result.ErrorMessage, StringComparison.OrdinalIgnoreCase);
+    }
+
+    [Fact]
+    public async Task VerifyBundleAsync_ReturnsChecksumMismatch_WhenSha256DoesNotMatch()
+    {
+        var bundlePath = CreateValidBundle();
+        var sha256Path = bundlePath + ".sha256";
+
+        // Write incorrect hash
+        await File.WriteAllTextAsync(sha256Path, "0000000000000000000000000000000000000000000000000000000000000000  bundle.tgz");
+
+        var result = await _verifier.VerifyBundleAsync(bundlePath, offline: true, CancellationToken.None);
+
+        Assert.Equal("failed", result.Status);
+        Assert.Equal(DevPortalVerifyExitCode.ChecksumMismatch, result.ExitCode);
+    }
+
+    [Fact]
+    public async Task VerifyBundleAsync_SucceedsWithoutSha256File()
+    {
+        var bundlePath = CreateValidBundle();
+
+        // Remove .sha256 file if exists
+        var sha256Path = bundlePath + ".sha256";
+        if (File.Exists(sha256Path))
+        {
+            File.Delete(sha256Path);
+        }
+
+        var result = await _verifier.VerifyBundleAsync(bundlePath, offline: true, CancellationToken.None);
+
+        Assert.Equal("verified", result.Status);
+        Assert.Equal(DevPortalVerifyExitCode.Success, result.ExitCode);
+    }
+
+    [Fact]
+    public async Task VerifyBundleAsync_ReturnsTsaMissing_WhenOnlineAndNoTimestamp()
+    {
+        var bundlePath = CreateBundleWithoutTimestamp();
+
+        var result = await _verifier.VerifyBundleAsync(bundlePath, offline: false, CancellationToken.None);
+
+        Assert.Equal("failed", result.Status);
+        Assert.Equal(DevPortalVerifyExitCode.TsaMissing, result.ExitCode);
+    }
+
+    [Fact]
+    public async Task VerifyBundleAsync_DetectsPortableBundle()
+    {
+        var bundlePath = CreatePortableBundle();
+
+        var result = await _verifier.VerifyBundleAsync(bundlePath, offline: true, CancellationToken.None);
+
+        Assert.Equal("verified", result.Status);
+        Assert.True(result.Portable);
+    }
+
+    [Fact]
+    public void ToJson_OutputsKeysSortedAlphabetically()
+    {
+        var result = new DevPortalBundleVerificationResult
+        {
+            Status = "verified",
+            BundleId = "test-id",
+            RootHash = "sha256:abc123",
+            Entries = 3,
+            CreatedAt = new DateTimeOffset(2025, 1, 1, 0, 0, 0, TimeSpan.Zero),
+            Portable = false,
+            ExitCode = DevPortalVerifyExitCode.Success
+        };
+
+        var json = result.ToJson();
+
+        // Keys should be in alphabetical order
+        var keys = JsonDocument.Parse(json).RootElement.EnumerateObject()
+            .Select(p => p.Name)
+            .ToList();
+
+        var sortedKeys = keys.OrderBy(k => k, StringComparer.Ordinal).ToList();
+        Assert.Equal(sortedKeys, keys);
+    }
+
+    private string CreateValidBundle()
+    {
+        var bundlePath = Path.Combine(_tempDir, $"bundle-{Guid.NewGuid():N}.tgz");
+
+        var manifest = new
+        {
+            bundleId = "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
+            tenantId = "00000000-0000-0000-0000-000000000001",
+            kind = 2,
+            createdAt = "2025-12-07T10:30:00Z",
+            metadata = new Dictionary<string, string> { ["source"] = "test" },
+            entries = new[]
+            {
+                new
+                {
+                    section = "sbom",
+                    canonicalPath = "sbom/cyclonedx.json",
+                    sha256 = new string('a', 64),
+                    sizeBytes = 1024,
+                    mediaType = "application/vnd.cyclonedx+json"
+                }
+            }
+        };
+
+        var manifestJson = JsonSerializer.Serialize(manifest, new JsonSerializerOptions { WriteIndented = false });
+        var manifestPayload = Convert.ToBase64String(Encoding.UTF8.GetBytes(manifestJson));
+
+        var signature = new
+        {
+            payloadType = "application/vnd.stella.evidence.manifest+json",
+            payload = manifestPayload,
+            signature = Convert.ToBase64String(Encoding.UTF8.GetBytes("test-signature")),
+            keyId = "key-1",
+            algorithm = "ES256",
+            provider = "StellaOps",
+            signedAt = "2025-12-07T10:30:05Z",
+            timestampedAt = "2025-12-07T10:30:06Z",
+            timestampAuthority = "https://freetsa.org/tsr",
+            timestampToken = Convert.ToBase64String(Encoding.UTF8.GetBytes("tsa-token"))
+        };
+
+        var bundleMetadata = new
+        {
+            bundleId = "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
+            tenantId = "00000000-0000-0000-0000-000000000001",
+            kind = 2,
+            status = 3,
+            rootHash = new string('f', 64),
+            storageKey = "evidence/bundle.tgz",
+            createdAt = "2025-12-07T10:30:00Z",
+            sealedAt = "2025-12-07T10:30:05Z"
+        };
+
+        CreateTgzBundle(bundlePath, manifestJson, signature, bundleMetadata);
+
+        return bundlePath;
+    }
+
+    private string CreateBundleWithoutTimestamp()
+    {
+        var bundlePath = Path.Combine(_tempDir, $"bundle-no-tsa-{Guid.NewGuid():N}.tgz");
+
+        var manifest = new
+        {
+            bundleId = "b2c3d4e5-f6a7-8901-bcde-f23456789012",
+            tenantId = "00000000-0000-0000-0000-000000000001",
+            kind = 2,
+            createdAt = "2025-12-07T10:30:00Z",
+            entries = Array.Empty<object>()
+        };
+
+        var manifestJson = JsonSerializer.Serialize(manifest);
+        var manifestPayload = Convert.ToBase64String(Encoding.UTF8.GetBytes(manifestJson));
+
+        var signature = new
+        {
+            payloadType = "application/vnd.stella.evidence.manifest+json",
+            payload = manifestPayload,
+            signature = Convert.ToBase64String(Encoding.UTF8.GetBytes("test-signature")),
+            keyId = "key-1",
+            algorithm = "ES256",
+            provider = "StellaOps",
+            signedAt = "2025-12-07T10:30:05Z"
+            // No timestampedAt, timestampAuthority, timestampToken
+        };
+
+        var bundleMetadata = new
+        {
+            bundleId = "b2c3d4e5-f6a7-8901-bcde-f23456789012",
+            tenantId = "00000000-0000-0000-0000-000000000001",
+            kind = 2,
+            status = 3,
+            rootHash = new string('e', 64),
+            storageKey = "evidence/bundle.tgz",
+            createdAt = "2025-12-07T10:30:00Z",
+            sealedAt = "2025-12-07T10:30:05Z"
+        };
+
+        CreateTgzBundle(bundlePath, manifestJson, signature, bundleMetadata);
+
+        return bundlePath;
+    }
+
+    private string CreatePortableBundle()
+    {
+        var bundlePath = Path.Combine(_tempDir, $"portable-{Guid.NewGuid():N}.tgz");
+
+        var manifest = new
+        {
+            bundleId = "c3d4e5f6-a7b8-9012-cdef-345678901234",
+            kind = 1,
+            createdAt = "2025-12-07T10:30:00Z",
+            entries = Array.Empty<object>()
+        };
+
+        var manifestJson = JsonSerializer.Serialize(manifest);
+        var manifestPayload = Convert.ToBase64String(Encoding.UTF8.GetBytes(manifestJson));
+
+        var signature = new
+        {
+            payloadType = "application/vnd.stella.evidence.manifest+json",
+            payload = manifestPayload,
+            signature = Convert.ToBase64String(Encoding.UTF8.GetBytes("test-signature")),
+            keyId = "key-1",
+            algorithm = "ES256",
+            provider = "StellaOps",
+            signedAt = "2025-12-07T10:30:05Z",
+            timestampedAt = "2025-12-07T10:30:06Z",
+            timestampAuthority = "tsa.default",
+            timestampToken = Convert.ToBase64String(Encoding.UTF8.GetBytes("tsa-token"))
+        };
+
+        var bundleMetadata = new
+        {
+            bundleId = "c3d4e5f6-a7b8-9012-cdef-345678901234",
+            kind = 1,
+            status = 3,
+            rootHash = new string('d', 64),
+            createdAt = "2025-12-07T10:30:00Z",
+            sealedAt = "2025-12-07T10:30:05Z",
+            portableGeneratedAt = "2025-12-07T10:35:00Z"  // Indicates portable bundle
+        };
+
+        CreateTgzBundle(bundlePath, manifestJson, signature, bundleMetadata);
+
+        return bundlePath;
+    }
+
+    private static void CreateTgzBundle(string bundlePath, string manifestJson, object signature, object bundleMetadata)
+    {
+        using var memoryStream = new MemoryStream();
+        using (var gzipStream = new GZipStream(memoryStream, CompressionLevel.Optimal, leaveOpen: true))
+        using (var tarWriter = new TarWriter(gzipStream))
+        {
+            AddTarEntry(tarWriter, "manifest.json", manifestJson);
+            AddTarEntry(tarWriter, "signature.json", JsonSerializer.Serialize(signature));
+            AddTarEntry(tarWriter, "bundle.json", JsonSerializer.Serialize(bundleMetadata));
+            AddTarEntry(tarWriter, "checksums.txt", $"# checksums\n{new string('f', 64)}  sbom/cyclonedx.json\n");
+        }
+
+        memoryStream.Position = 0;
+        using var fileStream = File.Create(bundlePath);
+        memoryStream.CopyTo(fileStream);
+    }
+
+    private static void AddTarEntry(TarWriter writer, string name, string content)
+    {
+        var entry = new PaxTarEntry(TarEntryType.RegularFile, name)
+        {
+            Mode = UnixFileMode.UserRead | UnixFileMode.UserWrite | UnixFileMode.GroupRead | UnixFileMode.OtherRead,
+            ModificationTime = new DateTimeOffset(2025, 1, 1, 0, 0, 0, TimeSpan.Zero)
+        };
+
+        var bytes = Encoding.UTF8.GetBytes(content);
+        entry.DataStream = new MemoryStream(bytes);
+        writer.WriteEntry(entry);
+    }
+}