Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled

This commit is contained in:
StellaOps Bot
2025-11-27 08:52:59 +02:00
parent c34fb7256d
commit e901d31acf
5 changed files with 17 additions and 7 deletions


@@ -1,6 +1,6 @@
# Build-Time DSSE Attestation Walkthrough
> **Status:** Draft — aligns with the November 2025 advisory Embed in-toto attestations (DSSE-wrapped) into .NET 10/C# builds.
> **Status:** Complete — implements the November 2025 advisory "Embed in-toto attestations (DSSE-wrapped) into .NET 10/C# builds." Updated 2025-11-27 with CLI verification commands (`DSSE-CLI-401-021`).
> **Owners:** Attestor Guild · DevOps Guild · Docs Guild.
This guide shows how to emit signed, in-toto compliant DSSE envelopes for every container build step (scan → package → push) using StellaOps Authority keys. The same primitives power our Signer/Attestor services, but this walkthrough targets developer pipelines (GitHub/GitLab, dotnet builds, container scanners).
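Review bot: the new Status line marks the walkthrough "Complete" and cites `DSSE-CLI-401-021` for the CLI verification commands, but it gives the reader no pointer to where those commands are documented in full; since the same commit references `docs/modules/cli/guides/attest.md` further down, consider linking it from the status line as well so the completion claim is checkable from the top of the page. The removed line also dropped the quotes around the advisory title, which the new line restores, so that part is fine.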
@@ -245,7 +245,11 @@ jobs:
## 5. Verification
* `stella attest verify --file artifacts/attest-scan.dsse.json` (CLI planned under `DSSE-CLI-401-021`).
* `stella attest verify --envelope artifacts/attest-scan.dsse.json` — offline verification using the CLI.
* Additional verification options:
* `--policy policy.json` — apply custom verification policy
* `--root keys/root.pem` — specify trusted root certificate
* `--transparency-checkpoint checkpoint.json` — verify against Rekor checkpoint
* Manual validation:
1. Base64 decode payload → ensure `_type` = `https://in-toto.io/Statement/v1`, `subject[].digest.sha256` matches artifact.
2. Recompute PAE and verify signature with the Authority public key.
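Review bot: the `--root keys/root.pem` option is described as "specify trusted root certificate", while the manual validation step just below says the signature is verified "with the Authority public key"; state whether `--root` takes a certificate or a bare public key, and what trust root the CLI uses when the flag is omitted, otherwise readers cannot tell whether the default offline run actually pins to Authority. Also worth stating for `--transparency-checkpoint checkpoint.json` that the Rekor checkpoint must be obtained and supplied locally, since the bullet above calls this "offline verification", and for `--policy policy.json` whether a policy is applied by default when none is given.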
@@ -276,4 +280,4 @@ Include the SHA-256 digest of each envelope in promotion manifests (`docs/releas
- `docs/modules/attestor/architecture.md`
- `docs/release/promotion-attestations.md`
Keep this file updated alongside `DSSE-LIB-401-020` and `DSSE-CLI-401-021`. When the bench repo publishes sample attestations, link them here.
This file was updated as part of `DSSE-LIB-401-020` and `DSSE-CLI-401-021` (completed 2025-11-27). See `docs/modules/cli/guides/attest.md` for CI/CD workflow snippets.
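Review bot: the replacement sentence drops the reminder from the removed line ("When the bench repo publishes sample attestations, link them here."); either carry that TODO over or state that the sample attestations are now linked from `docs/modules/cli/guides/attest.md`, so the pending follow-up is not silently lost when the tracking note is rewritten as a completion note.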