# Trust Anchor Management CLI (stella proof anchor list/show/create/revoke-key)

## Module

Cli

## Status

VERIFIED

## Description

Manage root trust anchors used in proof chain verification: list, show details, create new anchors, and revoke individual keys within anchors. Two implementations are supported: the top-level `stella trust-anchors` command group (CA, publickey, OIDC, TUF anchor types) and the proof-scoped `stella proof anchor` command group (PURL-pattern-based anchors with key ID binding).

## Implementation Details

- **Top-Level Command Group**: `src/Cli/StellaOps.Cli/Commands/TrustAnchorsCommandGroup.cs` -- `TrustAnchorsCommandGroup` (static class)
  - Sprint: SPRINT_20260117_011_CLI_attestation_signing (ATS-002)
  - Supports anchor types: `ca`, `publickey`, `oidc`, `tuf`
- **Proof-Scoped Command Group**: `src/Cli/StellaOps.Cli/Commands/Proof/AnchorCommandGroup.cs` -- `AnchorCommandGroup` (instance class with DI)
  - Implements `stella proof anchor list/show/create/revoke-key`
  - Uses `ITrustAnchorManager` and `IKeyRotationService` for backend operations
- **DTOs**: `TrustAnchor` (Id, Name, Type, Status, Fingerprint, CreatedAt, ExpiresAt, UsageCount)
- **Commands (top-level)**:
  - `stella trust-anchors list [--type ca|publickey|oidc|tuf] [--format table|json]` -- list configured trust anchors with type filtering
  - `stella trust-anchors add --type --name [--cert ] [--key ] [--issuer ] [--tuf-root ]` -- add a new anchor with type-specific validation
  - `stella trust-anchors remove --confirm` -- remove a trust anchor (requires confirmation)
  - `stella trust-anchors show [--format text|json]` -- show anchor details including fingerprint, creation/expiry, usage count
- **Commands (proof-scoped)**:
  - `stella proof anchor list [--output text|json]` -- list active trust anchors
  - `stella proof anchor show ` -- show trust anchor details
  - `stella proof anchor create --key-id [--policy-version ]` -- create an anchor with a PURL glob pattern
  - `stella proof anchor revoke-key [--reason ]` -- revoke a key within an anchor
- **Exit codes**: 0 = success, 1 = error, defined in `ProofExitCodes`

## E2E Test Plan

- [ ] Run `stella trust-anchors list` and verify table output shows ID, Type, Name, Status columns
- [ ] Run `stella trust-anchors list --type ca` and verify filtering to CA anchors only
- [ ] Run `stella trust-anchors list --format json` and verify valid JSON array output
- [ ] Run `stella trust-anchors add --type ca --name "Test CA" --cert ./ca.pem` and verify anchor creation
- [ ] Run `stella trust-anchors add --type publickey --name "Test Key"` without `--key` and verify error: "--key is required for type=publickey"
- [ ] Run `stella trust-anchors add --type unknown --name "Bad"` and verify error: "Unknown anchor type"
- [ ] Run `stella trust-anchors show --format json` and verify JSON output with all fields
- [ ] Run `stella trust-anchors remove ` without `--confirm` and verify warning prompt
- [ ] Run `stella trust-anchors remove --confirm` and verify removal message
- [ ] Run `stella proof anchor list` and verify anchor listing
- [ ] Run `stella proof anchor create "pkg:npm/*" --key-id key1` and verify creation
- [ ] Run `stella proof anchor revoke-key --reason "compromised"` and verify revocation

## Verification

- **Verified**: 2026-02-13T15:30:00Z
- **Tier 0 (Source)**: pass -- all referenced source files exist on disk
- **Tier 1 (Build)**: pass -- module builds cleanly, 87 tests pass in StellaOps.Cli.Auth.Tests
- **Tier 2d (Integration)**: pass -- targeted integration tests confirm behavioral correctness
- **Test Project**: `src/Cli/__Tests/StellaOps.Cli.Auth.Tests/StellaOps.Cli.Auth.Tests.csproj`
- **Evidence**: `docs/qa/feature-checks/runs/cli/trust-anchor-management-cli/run-001/tier2-integration-check.json`
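As an added illustration (not StellaOps code, and not the `ITrustAnchorManager` or `IKeyRotationService` API), the following C# sketches the semantics behind the proof-scoped commands described above: `create` binds a PURL glob pattern to a key ID, `revoke-key --reason` takes that key out of the trusted set while keeping the reason on record, and proof verification asks whether a signature's key ID is still actively bound by an anchor whose pattern matches the artifact's PURL. The class and member names (`ProofAnchor`, `ProofAnchorRegistry`, `VerifyOutcome`), the glob-to-regex translation, and the sample PURLs and key IDs are all assumptions made for this example.

```csharp
// Added example: a hypothetical model of proof-scoped trust anchors with
// PURL-pattern matching and key revocation. Not StellaOps code; all names
// below are assumptions made for illustration.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;

public enum AnchorStatus { Active, Revoked }

public sealed record RevokedKey(string KeyId, string Reason, DateTimeOffset RevokedAt);

// One anchor: a PURL glob (e.g. "pkg:npm/*") bound to the key IDs trusted to sign for it.
public sealed class ProofAnchor
{
    private readonly HashSet<string> _activeKeys = new(StringComparer.Ordinal);
    private readonly Dictionary<string, RevokedKey> _revokedKeys = new(StringComparer.Ordinal);
    private readonly Regex _matcher;

    public ProofAnchor(string id, string purlPattern, string keyId, string? policyVersion)
    {
        Id = id;
        PurlPattern = purlPattern;
        PolicyVersion = policyVersion;
        _activeKeys.Add(keyId);
        _matcher = GlobToRegex(purlPattern);
    }

    public string Id { get; }
    public string PurlPattern { get; }
    public string? PolicyVersion { get; }
    public AnchorStatus Status { get; private set; } = AnchorStatus.Active;
    public IReadOnlyCollection<string> ActiveKeyIds => _activeKeys;
    public IReadOnlyDictionary<string, RevokedKey> RevokedKeys => _revokedKeys;

    public bool Matches(string purl) => _matcher.IsMatch(purl);

    // Mirrors `revoke-key --reason`: the key leaves the trusted set but stays on record
    // with its reason, so a later verification failure can say why it failed.
    public bool RevokeKey(string keyId, string reason)
    {
        if (!_activeKeys.Remove(keyId)) return false;              // unknown or already revoked
        _revokedKeys[keyId] = new RevokedKey(keyId, reason, DateTimeOffset.UtcNow);
        if (_activeKeys.Count == 0) Status = AnchorStatus.Revoked; // no usable key left
        return true;
    }

    // Translate the glob into an anchored regex: '*' matches any run of characters
    // (including '/'); everything else is matched literally.
    private static Regex GlobToRegex(string glob)
    {
        string pattern = "^" + Regex.Escape(glob).Replace(@"\*", ".*") + "$";
        return new Regex(pattern, RegexOptions.CultureInvariant);
    }
}

public enum VerifyOutcome { Trusted, NoMatchingAnchor, KeyNotBound, KeyRevoked }

public sealed record VerifyResult(VerifyOutcome Outcome, string? AnchorId, string? Reason);

public sealed class ProofAnchorRegistry
{
    private readonly List<ProofAnchor> _anchors = new();

    // Mirrors `stella proof anchor create ... --key-id ... [--policy-version ...]`.
    public ProofAnchor Create(string purlPattern, string keyId, string? policyVersion = null)
    {
        var anchor = new ProofAnchor($"anchor-{_anchors.Count + 1}", purlPattern, keyId, policyVersion);
        _anchors.Add(anchor);
        return anchor;
    }

    // Mirrors `stella proof anchor list`: only anchors that still have a usable key.
    public IEnumerable<ProofAnchor> ListActive() => _anchors.Where(a => a.Status == AnchorStatus.Active);

    // Does a proof signed by keyId over an artifact with this PURL chain to a trusted anchor?
    public VerifyResult Verify(string purl, string keyId)
    {
        var matching = _anchors.Where(a => a.Matches(purl)).ToList();
        if (matching.Count == 0)
            return new VerifyResult(VerifyOutcome.NoMatchingAnchor, null, null);

        var trusted = matching.FirstOrDefault(a => a.ActiveKeyIds.Contains(keyId));
        if (trusted is not null)
            return new VerifyResult(VerifyOutcome.Trusted, trusted.Id, null);

        // No active binding: report a revocation (with its reason) ahead of a plain "not bound".
        foreach (var anchor in matching)
            if (anchor.RevokedKeys.TryGetValue(keyId, out var revoked))
                return new VerifyResult(VerifyOutcome.KeyRevoked, anchor.Id, revoked.Reason);

        return new VerifyResult(VerifyOutcome.KeyNotBound, matching[0].Id, null);
    }
}

public static class Demo
{
    public static int Main()
    {
        var registry = new ProofAnchorRegistry();
        var npm = registry.Create("pkg:npm/*", "key1", policyVersion: "policy-v1"); // constructed sample values

        Console.WriteLine(registry.Verify("pkg:npm/left-pad@1.3.0", "key1").Outcome);
        Console.WriteLine(registry.Verify("pkg:pypi/requests@2.32.0", "key1").Outcome);

        npm.RevokeKey("key1", "compromised");
        var result = registry.Verify("pkg:npm/left-pad@1.3.0", "key1");
        Console.WriteLine($"{result.Outcome}: {result.Reason} (anchor {result.AnchorId})");
        Console.WriteLine($"active anchors: {registry.ListActive().Count()}");
        return 0; // 0 = success, the convention ProofExitCodes documents above
    }
}
```

The verification order is the design point worth noting: a key is checked against the anchors whose pattern matches the artifact first, so a key revoked on `pkg:npm/*` but still bound on some unrelated anchor does not verify an npm artifact, and an anchor whose last key has been revoked drops out of `list` rather than lingering as an empty root.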