save checkpoint

docs/features/checked/cli/trust-anchor-management-cli.md

@@ -0,0 +1,53 @@
+# Trust Anchor Management CLI (stella proof anchor list/show/create/revoke-key)
+
+## Module
+Cli
+
+## Status
+VERIFIED
+
+## Description
+Manage root trust anchors used in proof chain verification: list, show details, create new anchors, and revoke individual keys within anchors. Supports two implementations: the top-level `stella trust-anchors` command group (CA, publickey, OIDC, TUF anchor types) and the proof-scoped `stella proof anchor` command group (PURL-pattern-based anchors with key ID binding).
+
+## Implementation Details
+- **Top-Level Command Group**: `src/Cli/StellaOps.Cli/Commands/TrustAnchorsCommandGroup.cs` -- `TrustAnchorsCommandGroup` (static class)
+  - Sprint: SPRINT_20260117_011_CLI_attestation_signing (ATS-002)
+  - Supports anchor types: `ca`, `publickey`, `oidc`, `tuf`
+- **Proof-Scoped Command Group**: `src/Cli/StellaOps.Cli/Commands/Proof/AnchorCommandGroup.cs` -- `AnchorCommandGroup` (instance class with DI)
+  - Implements `stella proof anchor list/show/create/revoke-key`
+  - Uses `ITrustAnchorManager` and `IKeyRotationService` for backend operations
+- **DTOs**: `TrustAnchor` (Id, Name, Type, Status, Fingerprint, CreatedAt, ExpiresAt, UsageCount)
+- **Commands (top-level)**:
+  - `stella trust-anchors list [--type ca|publickey|oidc|tuf] [--format table|json]` -- list configured trust anchors with type filtering
+  - `stella trust-anchors add --type <type> --name <name> [--cert <path>] [--key <path>] [--issuer <url>] [--tuf-root <path>]` -- add new anchor with type-specific validation
+  - `stella trust-anchors remove <anchor-id> --confirm` -- remove a trust anchor (requires confirmation)
+  - `stella trust-anchors show <anchor-id> [--format text|json]` -- show anchor details including fingerprint, creation/expiry, usage count
+- **Commands (proof-scoped)**:
+  - `stella proof anchor list [--output text|json]` -- list active trust anchors
+  - `stella proof anchor show <anchorId>` -- show trust anchor details
+  - `stella proof anchor create <pattern> --key-id <id> [--policy-version <ver>]` -- create anchor with PURL glob pattern
+  - `stella proof anchor revoke-key <anchorId> <keyId> [--reason <text>]` -- revoke a key within an anchor
+- **Exit codes**: 0 = success, 1 = error, defined in `ProofExitCodes`
+
+## E2E Test Plan
+- [ ] Run `stella trust-anchors list` and verify table output shows ID, Type, Name, Status columns
+- [ ] Run `stella trust-anchors list --type ca` and verify filtering to CA anchors only
+- [ ] Run `stella trust-anchors list --format json` and verify valid JSON array output
+- [ ] Run `stella trust-anchors add --type ca --name "Test CA" --cert ./ca.pem` and verify anchor creation
+- [ ] Run `stella trust-anchors add --type publickey --name "Test Key"` without `--key` and verify error: "--key is required for type=publickey"
+- [ ] Run `stella trust-anchors add --type unknown --name "Bad"` and verify error: "Unknown anchor type"
+- [ ] Run `stella trust-anchors show <id> --format json` and verify JSON output with all fields
+- [ ] Run `stella trust-anchors remove <id>` without `--confirm` and verify warning prompt
+- [ ] Run `stella trust-anchors remove <id> --confirm` and verify removal message
+- [ ] Run `stella proof anchor list` and verify anchor listing
+- [ ] Run `stella proof anchor create "pkg:npm/*" --key-id key1` and verify creation
+- [ ] Run `stella proof anchor revoke-key <id> <keyId> --reason "compromised"` and verify revocation
+
+## Verification
+
+- **Verified**: 2026-02-13T15:30:00Z
+- **Tier 0 (Source)**: pass -- all referenced source files exist on disk
+- **Tier 1 (Build)**: pass -- module builds cleanly, 87 tests pass in StellaOps.Cli.Auth.Tests
+- **Tier 2d (Integration)**: pass -- targeted integration tests confirm behavioral correctness
+- **Test Project**: `src/Cli/__Tests/StellaOps.Cli.Auth.Tests/StellaOps.Cli.Auth.Tests.csproj`
+- **Evidence**: `docs/qa/feature-checks/runs/cli/trust-anchor-management-cli/run-001/tier2-integration-check.json`