# OCI Referrers for Evidence Storage (StellaBundle)

## Module

Cli

## Status

IMPLEMENTED

## Description

Bundle export, verification, and CLI commands exist. The pattern for storing evidence as OCI referrers is partially implemented through the bundle system and verifier module.

## What's Implemented

- **Bundle Export**: `src/Cli/StellaOps.Cli/Commands/BundleExportCommand.cs` -- `BundleExportCommand` (static class)
  - Sprint: SPRINT_20260118_018_AirGap_router_integration (TASK-018-002)
  - Implements `stella evidence export-bundle --image [--output ] [--include-dsse] [--include-rekor-proof]`
  - Produces advisory-compliant bundles with DSSE envelopes, Rekor proofs, and OCI referrer metadata
- **Bundle Verification**: `src/Cli/StellaOps.Cli/Commands/BundleVerifyCommand.cs` -- `BundleVerifyCommand` (static class)
  - Sprint: SPRINT_20260118_018_AirGap_router_integration (TASK-018-003)
  - Implements `stella bundle verify --bundle [--trust-root ] [--rekor-checkpoint ]`
  - Full offline cryptographic verification chain
- **Bundle Command Group**: `src/Cli/StellaOps.Cli/Commands/BundleCommandGroup.cs` -- additional bundle operations
- **Evidence Command Group**: `src/Cli/StellaOps.Cli/Commands/EvidenceCommandGroup.cs` -- evidence management commands
- **Checkpoint Commands**: `src/Cli/StellaOps.Cli/Commands/CheckpointCommands.cs` -- checkpoint operations for bundle management
- **Verifier Module**: `src/Verifier/` -- evidence verification backend

## What's Missing

- **OCI Referrers API integration**: No direct `oras` or OCI Distribution API client for pushing/pulling evidence as OCI referrers (artifacts are stored as bundles, not native OCI referrers)
- **`stella evidence push-referrer`**: No command to push evidence artifacts as OCI referrers to a registry using the OCI Referrers API
- **`stella evidence list-referrers`**: No command to list all referrers attached to an OCI artifact digest
- **Referrer discovery**: No automated discovery of evidence referrers when running verify commands against a registry
- **ORAS integration**: No integration with ORAS library for native OCI artifact handling

## Implementation Plan

- Add OCI Distribution client with Referrers API support (v2 manifest list)
- Implement `stella evidence push-referrer --image --artifact-type --file ` for pushing evidence as OCI referrers
- Implement `stella evidence list-referrers ` for listing attached referrers by artifact type
- Add `--use-referrers` flag to `stella verify image` to auto-discover evidence from registry referrers
- Integrate with existing bundle export to optionally push as OCI referrers instead of tar.gz

## Related Documentation

- Bundle export: `src/Cli/StellaOps.Cli/Commands/BundleExportCommand.cs`
- Bundle verify: `src/Cli/StellaOps.Cli/Commands/BundleVerifyCommand.cs`
- Evidence commands: `src/Cli/StellaOps.Cli/Commands/EvidenceCommandGroup.cs`
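
The referrer listing and discovery steps in the Implementation Plan, sketched as an added example against the OCI Distribution Referrers API (not StellaOps code; the project is C# and has no such client yet). The function names, the repository `example/app`, the digests and the `application/vnd.example.*` artifact types are placeholders constructed for illustration.

```python
import json
import re
from urllib.parse import quote

INDEX_MEDIA_TYPE = "application/vnd.oci.image.index.v1+json"
DIGEST_RE = re.compile(r"sha256:[a-f0-9]{64}")

def referrers_path(repo, subject_digest, artifact_type=None):
    """Referrers API request path; the subject must be pinned by digest."""
    if not DIGEST_RE.fullmatch(subject_digest):
        raise ValueError("subject must be a sha256 digest, not a tag")
    path = f"/v2/{repo}/referrers/{subject_digest}"
    if artifact_type:
        path += "?artifactType=" + quote(artifact_type, safe="")
    return path

def fallback_tag(subject_digest):
    """Tag holding the referrers index on registries that answer 404 to the API."""
    return subject_digest.replace(":", "-", 1)

def select_referrers(body, artifact_type):
    """Return descriptors of one artifact type from a referrers response body."""
    index = json.loads(body)
    if index.get("schemaVersion") != 2 or index.get("mediaType") != INDEX_MEDIA_TYPE:
        raise ValueError("referrers response is not an OCI image index")
    selected = []
    for desc in index.get("manifests") or []:
        # Registries may ignore ?artifactType= (no OCI-Filters-Applied header),
        # so the filter is always re-applied on the client.
        if desc.get("artifactType") != artifact_type:
            continue
        # Evidence must be fetched and checked by digest; drop malformed entries.
        if not DIGEST_RE.fullmatch(str(desc.get("digest", ""))):
            continue
        selected.append(desc)
    return selected

# Constructed sample data: digests and artifact types are placeholders.
SUBJECT = "sha256:" + "a" * 64
EVIDENCE_TYPE = "application/vnd.example.evidence+json"
SAMPLE_BODY = json.dumps({
    "schemaVersion": 2,
    "mediaType": INDEX_MEDIA_TYPE,
    "manifests": [
        {"digest": "sha256:" + "1" * 64, "artifactType": EVIDENCE_TYPE},
        {"digest": "sha256:" + "2" * 64, "artifactType": "application/vnd.example.sbom+json"},
        {"digest": "sha256:truncated", "artifactType": EVIDENCE_TYPE},
    ],
})
```

A referrers listing only says which artifacts claim the image as their subject; each selected descriptor still has to be fetched by digest and passed through the same signature and proof checks that bundle verification performs.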