# Witness CLI Commands

## Module

Cli

## Status

VERIFIED

## Description

CLI command group for managing witnesses: the core witness operations and their handler implementations. Two witness subsystems are exposed under `stella witness`: reachability witness operations (show, verify, list, export) and binary micro-witness operations (generate, verify, bundle) for patch verification.

## Implementation Details

- **Reachability Witness Command Group**: `src/Cli/StellaOps.Cli/Commands/WitnessCommandGroup.cs` -- `WitnessCommandGroup` (internal static class)
  - Sprint: SPRINT_3700_0005_0001_witness_ui_cli (CLI-001 through CLI-004)
  - Delegates to `CommandHandlers.HandleWitnessShowAsync`, `HandleWitnessVerifyAsync`, `HandleWitnessListAsync`, `HandleWitnessExportAsync`
- **Binary Micro-Witness Command Group**: `src/Cli/StellaOps.Cli/Commands/Witness/WitnessCoreCommandGroup.cs` -- `WitnessCoreCommandGroup` (internal static class)
  - Sprint: SPRINT_0128_001_BinaryIndex_binary_micro_witness (TASK-003)
  - Handlers in `src/Cli/StellaOps.Cli/Commands/Witness/WitnessCoreCommandHandlers.cs`
- **Commands (reachability witnesses)**:
  - `stella witness show [--format text|json|yaml] [--no-color] [--path-only]` -- display a witness with call path visualization
  - `stella witness verify [--public-key ] [--offline]` -- verify the witness signature with a locally supplied public key or a server-fetched key; `--offline` restricts verification to local material
  - `stella witness list --scan [--vuln ] [--tier confirmed|likely|present|unreachable] [--reachable-only] [--probe-type kprobe|uprobe|tracepoint|usdt|fentry|fexit] [--format table|json] [--limit ]` -- list the witnesses for a scan, filtered by vulnerability, tier, reachability, or eBPF probe type
  - `stella witness export [--format json|sarif] [--output ] [--include-dsse]` -- export a witness to a file, optionally wrapped in its DSSE envelope
- **Commands (binary micro-witnesses)**:
  - `stella witness generate --cve [--sbom ] [--output ] [--sign] [--rekor] [--format json|envelope]` -- generate a micro-witness for binary patch verification, optionally signed and logged to Rekor
  - `stella witness verify [--offline] [--sbom ] [--format text|json]` -- verify the micro-witness signature and Rekor inclusion proof
  - `stella witness bundle --output [--include-binary] [--include-sbom]` -- export a self-contained verification bundle for air-gapped audits

## E2E Test Plan

- [ ] Run `stella witness show wit:sha256:abc123` and verify the call path visualization output
- [ ] Run `stella witness show wit:sha256:abc123 --format json` and verify the JSON witness details
- [ ] Run `stella witness show wit:sha256:abc123 --path-only` and verify that only the call path is shown
- [ ] Run `stella witness verify wit:sha256:abc123` and verify the signature verification result
- [ ] Run `stella witness verify wit:sha256:abc123 --offline` and verify that verification uses only local material
- [ ] Run `stella witness list --scan ` and verify the witness table with ID, CVE, and tier columns
- [ ] Run `stella witness list --scan --tier confirmed --reachable-only` and verify the filtered results
- [ ] Run `stella witness list --scan --probe-type uprobe` and verify eBPF probe type filtering
- [ ] Run `stella witness export wit:sha256:abc123 --format sarif --output witness.sarif` and verify the SARIF file
- [ ] Run `stella witness export wit:sha256:abc123 --include-dsse` and verify that the DSSE envelope is included
- [ ] Run `stella witness generate ./binary.elf --cve CVE-2024-0567 --sign --rekor` and verify the signed micro-witness and its Rekor log entry
- [ ] Run `stella witness bundle ./witness.json --output ./bundle --include-binary --include-sbom` and verify the self-contained bundle

## Verification

- **Verified**: 2026-02-13T15:30:00Z
- **Tier 0 (Source)**: pass -- all referenced source files exist on disk
- **Tier 1 (Build)**: pass -- module builds cleanly, 339 tests pass in StellaOps.Cli.Plugins.Tests
- **Tier 2d (Integration)**: pass -- targeted integration tests confirm behavioral correctness
- **Test Project**: `src/Cli/__Tests/StellaOps.Cli.Plugins.Tests/StellaOps.Cli.Plugins.Tests.csproj`
- **Evidence**: `docs/qa/feature-checks/runs/cli/witness-cli-commands/run-001/tier2-integration-check.json`
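Both `stella witness export --include-dsse` and `stella witness verify --offline` hinge on the DSSE envelope that wraps a witness. The block below is an added example, not StellaOps code, showing what an offline verifier of such an export has to check: the signature is recomputed over the DSSE Pre-Authentication Encoding (PAE) rather than over the raw payload, the `payloadType` must match the one the verifier expects, and only keys in a trusted set count. The witness field names, the `payloadType` string, and the key IDs are assumptions; HMAC-SHA256 stands in for the asymmetric signature a real deployment would use, so that the example runs with the standard library alone.

```python
"""Offline DSSE envelope check for an exported witness (added example, not StellaOps code).

Assumptions not taken from the page: the witness JSON field names, the payloadType
string, the key IDs, and HMAC-SHA256 as a stand-in for the real signature scheme.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional

# Assumed media type for the wrapped witness (not the project's real value).
PAYLOAD_TYPE = "application/vnd.stellaops.witness+json"

# Constructed trust store: keyid -> secret. A real verifier would hold public keys.
TRUSTED_KEYS = {"stella-dev-key": b"constructed-demo-key-not-a-real-secret"}

# Constructed witness body; field names are assumptions, IDs match the page's examples.
SAMPLE_WITNESS = {
    "id": "wit:sha256:abc123",
    "cve": "CVE-2024-0567",
    "tier": "unreachable",
    "callPath": ["main", "handle_request", "parse_header"],
}


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE Pre-Authentication Encoding: the exact bytes a DSSE signature covers."""
    t = payload_type.encode("utf-8")
    return b" ".join([b"DSSEv1", str(len(t)).encode(), t, str(len(payload)).encode(), payload])


def make_envelope(witness: dict, key: bytes, keyid: str, payload_type: str) -> dict:
    """Wrap a witness in a DSSE envelope (what an `--include-dsse` export would carry)."""
    payload = json.dumps(witness, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, pae(payload_type, payload), hashlib.sha256).digest()
    return {
        "payloadType": payload_type,
        "payload": base64.b64encode(payload).decode(),
        "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode()}],
    }


def verify_envelope(envelope: dict, keys: dict, expected_type: str) -> Optional[dict]:
    """Return the decoded witness if a trusted key verifies the envelope, else None.

    Rejects a mismatched payloadType (type confusion), recomputes the signature over
    PAE rather than the raw payload, and ignores signatures from unknown key IDs.
    """
    if envelope.get("payloadType") != expected_type:
        return None
    payload = base64.b64decode(envelope["payload"])
    signed_bytes = pae(expected_type, payload)
    for entry in envelope.get("signatures", []):
        key = keys.get(entry.get("keyid"))
        if key is None:
            continue
        calc = hmac.new(key, signed_bytes, hashlib.sha256).digest()
        if hmac.compare_digest(calc, base64.b64decode(entry["sig"])):
            return json.loads(payload)
    return None


def tamper_tier(envelope: dict, new_tier: str) -> dict:
    """Simulate an attacker rewriting the payload (e.g. unreachable -> confirmed) in transit."""
    witness = json.loads(base64.b64decode(envelope["payload"]))
    witness["tier"] = new_tier
    tampered = dict(envelope)
    tampered["payload"] = base64.b64encode(
        json.dumps(witness, sort_keys=True, separators=(",", ":")).encode()
    ).decode()
    return tampered


if __name__ == "__main__":
    env = make_envelope(SAMPLE_WITNESS, TRUSTED_KEYS["stella-dev-key"], "stella-dev-key", PAYLOAD_TYPE)
    print("genuine:", verify_envelope(env, TRUSTED_KEYS, PAYLOAD_TYPE) is not None)
    print("tampered:", verify_envelope(tamper_tier(env, "confirmed"), TRUSTED_KEYS, PAYLOAD_TYPE))
    print("untrusted key:", verify_envelope(env, {"other": b"x"}, PAYLOAD_TYPE))
    print("wrong type:", verify_envelope(env, TRUSTED_KEYS, "application/json"))
```

The tamper case is the one that matters for reachability triage: an envelope whose payload has been edited to promote a witness from `unreachable` to `confirmed` (or the reverse) still carries a well-formed signature block, and only recomputing the signature over PAE with a trusted key exposes the change. Checking `payloadType` before decoding prevents a signed object of a different type from being accepted as a witness.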