# Trust Profiles

Trust profiles are offline trust-store templates for bundle verification. They define trust roots, Rekor public keys, and TSA roots in a single file so operators can apply a profile into a local trust store.

Default profile location:

- `etc/trust-profiles/*.trustprofile.json`
- Assets referenced by profiles live under `etc/trust-profiles/assets/`

Profile structure (summary):

- `profileId`: stable identifier (used by CLI commands)
- `trustRoots[]`: signing trust roots (PEM files)
- `rekorKeys[]`: Rekor public keys for offline inclusion proof verification
- `tsaRoots[]`: TSA roots for RFC3161 verification
- `metadata`: optional compliance metadata

CLI usage:

- `stella trust-profile list`
- `stella trust-profile show `
- `stella trust-profile apply --output `

Profile lookup overrides:

- `--profiles-dir ` to point at a custom profiles directory
- `STELLAOPS_TRUST_PROFILES` environment variable for default lookup

Apply output:

- `trust-manifest.json` (trust roots manifest for offline verification)
- `trust-profile.json` (resolved profile copy)
- `trust-root.pem` (combined trust roots for CLI verification)
- `trust-roots/`, `rekor/`, `tsa/` folders with PEM assets

Example apply workflow:

1. `stella trust-profile apply global --output ./trust-store`
2. `stella bundle verify --trust-root ./trust-store/trust-root.pem`

Note:

- Default profiles ship with placeholder roots for scaffolding only. Replace them with compliance-approved roots before production use.
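
One way to confirm that the placeholder roots were replaced is to fingerprint every PEM block in the applied `trust-root.pem` and compare the result against an approved list. This is an added example, not the project's own code; the function names, the approved-fingerprint set and the sample bundle are assumptions constructed for illustration.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def pem_fingerprints(pem_text):
    """Return [(label, sha256 hex of the decoded bytes)] for each PEM block."""
    found = []
    for label, body in PEM_BLOCK.findall(pem_text):
        der = base64.b64decode("".join(body.split()), validate=True)
        found.append((label, hashlib.sha256(der).hexdigest()))
    return found


def audit_trust_roots(pem_text, approved):
    """Return (unapproved blocks present, approved fingerprints missing)."""
    present = pem_fingerprints(pem_text)
    if not present:
        raise ValueError("no PEM blocks found; trust store is empty or corrupt")
    unapproved = [(label, fp) for label, fp in present if fp not in approved]
    missing = sorted(set(approved) - {fp for _, fp in present})
    return unapproved, missing


def make_pem(label, der):
    """Build a PEM block from raw bytes (used for constructed sample data)."""
    b64 = base64.encodebytes(der).decode().strip()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"


# Constructed stand-ins for DER bytes; these are not real certificates.
APPROVED_DER = b"constructed-approved-root"
PLACEHOLDER_DER = b"constructed-placeholder-root"
SAMPLE_BUNDLE = make_pem("CERTIFICATE", APPROVED_DER) + make_pem("CERTIFICATE", PLACEHOLDER_DER)
APPROVED = {hashlib.sha256(APPROVED_DER).hexdigest()}

if __name__ == "__main__":
    unapproved, missing = audit_trust_roots(SAMPLE_BUNDLE, APPROVED)
    for label, fp in unapproved:
        print(f"UNAPPROVED {label} sha256={fp}")
    for fp in missing:
        print(f"MISSING sha256={fp}")
```

To run it against a real store, read `./trust-store/trust-root.pem` into `pem_text` and pass the fingerprints your compliance process approved; any unapproved entry should block production use.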