sprints work

src/Cli/StellaOps.Cli/Commands/CommandFactory.cs

@@ -363,11 +363,107 @@ internal static class CommandFactory
 
         scan.Add(sarifExport);
 
+        // Replay command with explicit hashes (Task RCG-9200-021 through RCG-9200-024)
+        var replay = BuildScanReplayCommand(services, verboseOption, cancellationToken);
+        scan.Add(replay);
+
         scan.Add(run);
         scan.Add(upload);
         return scan;
     }
 
+    /// <summary>
+    /// Build the scan replay subcommand for deterministic verdict replay.
+    /// </summary>
+    private static Command BuildScanReplayCommand(IServiceProvider services, Option<bool> verboseOption, CancellationToken cancellationToken)
+    {
+        var replay = new Command("replay", "Replay a scan with explicit hashes for deterministic verdict reproduction.");
+
+        // Required options for deterministic replay
+        var artifactOption = new Option<string>("--artifact")
+        {
+            Description = "Artifact digest (sha256:...) to replay.",
+            Required = true
+        };
+
+        var manifestOption = new Option<string>("--manifest")
+        {
+            Description = "Run manifest hash for configuration.",
+            Required = true
+        };
+
+        var feedsOption = new Option<string>("--feeds")
+        {
+            Description = "Feed snapshot hash.",
+            Required = true
+        };
+
+        var policyOption = new Option<string>("--policy")
+        {
+            Description = "Policy ruleset hash.",
+            Required = true
+        };
+
+        // Optional options
+        var snapshotOption = new Option<string?>("--snapshot")
+        {
+            Description = "Knowledge snapshot ID for offline replay."
+        };
+
+        var offlineOption = new Option<bool>("--offline")
+        {
+            Description = "Run in offline/air-gapped mode. Requires all inputs to be locally available."
+        };
+
+        var verifyInputsOption = new Option<bool>("--verify-inputs")
+        {
+            Description = "Verify all input hashes before starting replay."
+        };
+
+        var outputOption = new Option<string?>("--output", new[] { "-o" })
+        {
+            Description = "Output file path for verdict JSON (defaults to stdout)."
+        };
+
+        replay.Add(artifactOption);
+        replay.Add(manifestOption);
+        replay.Add(feedsOption);
+        replay.Add(policyOption);
+        replay.Add(snapshotOption);
+        replay.Add(offlineOption);
+        replay.Add(verifyInputsOption);
+        replay.Add(outputOption);
+        replay.Add(verboseOption);
+
+        replay.SetAction(async (parseResult, _) =>
+        {
+            var artifact = parseResult.GetValue(artifactOption) ?? string.Empty;
+            var manifest = parseResult.GetValue(manifestOption) ?? string.Empty;
+            var feeds = parseResult.GetValue(feedsOption) ?? string.Empty;
+            var policy = parseResult.GetValue(policyOption) ?? string.Empty;
+            var snapshot = parseResult.GetValue(snapshotOption);
+            var offline = parseResult.GetValue(offlineOption);
+            var verifyInputs = parseResult.GetValue(verifyInputsOption);
+            var output = parseResult.GetValue(outputOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return await CommandHandlers.HandleScanReplayAsync(
+                services,
+                artifact,
+                manifest,
+                feeds,
+                policy,
+                snapshot,
+                offline,
+                verifyInputs,
+                output,
+                verbose,
+                cancellationToken);
+        });
+
+        return replay;
+    }
+
     private static Command BuildRubyCommand(IServiceProvider services, Option<bool> verboseOption, CancellationToken cancellationToken)
     {
         var ruby = new Command("ruby", "Work with Ruby analyzer outputs.");