# Auth Revocation Bundle Export/Verify CLI (stella auth revoke export/verify)

## Module
Cli

## Status
VERIFIED

## Description
Export revocation bundles with JWS signatures to disk and verify bundles against detached JWS signatures using PEM public keys for offline revocation verification.

## Implementation Details
- **Command Group**: `src/Cli/StellaOps.Cli/Commands/AuthCommandGroup.cs` -- `AuthCommandGroup` (public static class), Sprint SPRINT_20260117_016_CLI_auth_access (tasks AAC-001 through AAC-005)
- **Revocation Client**: `src/Cli/StellaOps.Cli/Services/AuthorityRevocationClient.cs` / `IAuthorityRevocationClient.cs` -- handles revocation bundle export and verification
- **Authority Client**: `src/Cli/StellaOps.Cli/Services/AuthorityConsoleClient.cs` / `IAuthorityConsoleClient.cs` -- authority API operations
- **Commands**:
  - `stella auth revoke export --output <path>` -- export revocation bundle with JWS signature to disk
  - `stella auth revoke verify --bundle <path> --key <pem-path>` -- verify revocation bundle against JWS signature using PEM public key
- **Subcommands under `stella auth`**: clients, roles, scopes, token, api-keys (all part of AuthCommandGroup)

## E2E Test Plan
- [ ] Run `stella auth revoke export --output ./revocation-bundle.json` and verify bundle file created with JWS signature
- [ ] Run `stella auth revoke verify --bundle ./revocation-bundle.json --key ./public.pem` and verify signature validation passes
- [ ] Verify bundle verification fails with wrong public key
- [ ] Verify bundle verification fails with tampered bundle content
- [ ] Verify offline verification works without network connectivity
- [ ] Run with `--format json` and verify structured output
- [ ] Verify exit code 0 for valid verification, non-zero for failures

## Verification

- **Verified**: 2026-02-13T15:30:00Z
- **Tier 0 (Source)**: pass -- all referenced source files exist on disk
- **Tier 1 (Build)**: pass -- module builds cleanly, 87 tests pass in StellaOps.Cli.Auth.Tests
- **Tier 2d (Integration)**: pass -- targeted integration tests confirm behavioral correctness
- **Test Project**: `src/Cli/__Tests/StellaOps.Cli.Auth.Tests/StellaOps.Cli.Auth.Tests.csproj`
- **Evidence**: `docs/qa/feature-checks/runs/cli/auth-revocation-bundle-export-verify-cli/run-001/tier2-integration-check.json`