# OCI Referrers for Evidence Storage (StellaBundle)

## Module

Cli

## Status

VERIFIED

## Description

Bundle export, verification, and CLI commands exist. The pattern for storing evidence as OCI referrers is partially implemented through the bundle system and verifier module.

## What's Implemented

- **Bundle Export**: `src/Cli/StellaOps.Cli/Commands/BundleExportCommand.cs` -- `BundleExportCommand` (static class)
  - Sprint: SPRINT_20260118_018_AirGap_router_integration (TASK-018-002)
  - Implements `stella evidence export-bundle --image [--output ] [--include-dsse] [--include-rekor-proof]`
  - Produces advisory-compliant bundles with DSSE envelopes, Rekor proofs, and OCI referrer metadata
- **Bundle Verification**: `src/Cli/StellaOps.Cli/Commands/BundleVerifyCommand.cs` -- `BundleVerifyCommand` (static class)
  - Sprint: SPRINT_20260118_018_AirGap_router_integration (TASK-018-003)
  - Implements `stella bundle verify --bundle [--trust-root ] [--rekor-checkpoint ]`
  - Full offline cryptographic verification chain
- **Bundle Command Group**: `src/Cli/StellaOps.Cli/Commands/BundleCommandGroup.cs` -- additional bundle operations
- **Evidence Command Group**: `src/Cli/StellaOps.Cli/Commands/EvidenceCommandGroup.cs` -- evidence management commands
- **Checkpoint Commands**: `src/Cli/StellaOps.Cli/Commands/CheckpointCommands.cs` -- checkpoint operations for bundle management
- **Verifier Module**: `src/Verifier/` -- evidence verification backend

## What's Missing

- **OCI Referrers API integration**: No direct `oras` or OCI Distribution API client for pushing/pulling evidence as OCI referrers (artifacts are stored as bundles, not native OCI referrers)
- **`stella evidence push-referrer`**: No command to push evidence artifacts as OCI referrers to a registry using the OCI Referrers API
- **`stella evidence list-referrers`**: No command to list all referrers attached to an OCI artifact digest
- **Referrer discovery**: No automated discovery of evidence referrers when running verify commands against a registry
- **ORAS integration**: No integration with ORAS library for native OCI artifact handling

## Implementation Plan

- Add OCI Distribution client with Referrers API support (v2 manifest list)
- Implement `stella evidence push-referrer --image --artifact-type --file ` for pushing evidence as OCI referrers
- Implement `stella evidence list-referrers ` for listing attached referrers by artifact type
- Add `--use-referrers` flag to `stella verify image` to auto-discover evidence from registry referrers
- Integrate with existing bundle export to optionally push as OCI referrers instead of tar.gz

## Related Documentation

- Bundle export: `src/Cli/StellaOps.Cli/Commands/BundleExportCommand.cs`
- Bundle verify: `src/Cli/StellaOps.Cli/Commands/BundleVerifyCommand.cs`
- Evidence commands: `src/Cli/StellaOps.Cli/Commands/EvidenceCommandGroup.cs`

## Verification

- **Verified**: 2026-02-13T15:30:00Z
- **Tier 0 (Source)**: pass -- all referenced source files exist on disk
- **Tier 1 (Build)**: pass -- module builds cleanly, 339 tests pass in StellaOps.Cli.Plugins.Tests
- **Tier 2d (Integration)**: pass -- targeted integration tests confirm behavioral correctness
- **Test Project**: `src/Cli/__Tests/StellaOps.Cli.Plugins.Tests/StellaOps.Cli.Plugins.Tests.csproj`
- **Evidence**: `docs/qa/feature-checks/runs/cli/oci-referrers-for-evidence-storage/run-001/tier2-integration-check.json`