# Trust Profile Management (CLI and Bundle)

## Module
AirGap

## Status
VERIFIED

## Description
Named trust profiles (global, eu-eidas, us-fips, bg-gov) for configuring TSA chains, signing algorithms, and verification policies per deployment context. Includes CLI commands (stella trust-profile list/apply/show) and bundle-level profile loading. Distinct from the known "Trust Anchor Management" and "Regional Crypto Profiles" which are about crypto algorithms, not deployment-context trust configuration profiles.

## Implementation Details
- **Bundle trust profiles**: `src/AirGap/__Libraries/StellaOps.AirGap.Bundle/` -- named trust profile definitions and loading
- **Trust root config**: `src/AirGap/StellaOps.AirGap.Importer/Contracts/TrustRootConfig.cs` -- trust root configuration for import verification
- **AirGap policy**: `src/AirGap/StellaOps.AirGap.Policy/` -- policy enforcement for trust profiles, includes analyzers and tests
- **Offline verification policy**: `src/AirGap/StellaOps.AirGap.Importer/Policy/OfflineVerificationPolicy.cs`, `OfflineVerificationPolicyLoader.cs`
- **Trust anchor verification**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Verification/TrustAnchorVerificationStep.cs`
- **Source**: SPRINT_20260120_029_AirGap_offline_bundle_contract.md

## E2E Test Plan
- [ ] Verify CLI `stella trust-profile list` shows available profiles
- [ ] Test `stella trust-profile apply` switches active profile
- [ ] Test `stella trust-profile show` displays profile configuration
- [ ] Verify trust profiles configure correct TSA chains and signing algorithms
- [ ] Test bundle-level profile loading from bundle metadata

## Verification
- Run: `docs/qa/feature-checks/runs/airgap/trust-profile-management/run-002`
- Date (UTC): `2026-02-11`
- Tier 0: pass (source references resolved)
- Tier 1: pass (build/test surfaces for AirGap trust profile and CLI command wiring)
- Tier 2: pass (CLI list/show/apply + missing-profile negative path + loader behavior suites)