# Audit Bundle Generation and Verification CLI

## Module

Cli

## Status

IMPLEMENTED

## Description

The CLI command `stella audit bundle ` generates a self-contained, auditor-ready evidence package for an artifact digest. The package contains the verdict, the supporting evidence, a snapshot of the policy that produced the verdict, and replay instructions, and can be written as a directory, a tar.gz archive, or a zip archive. The companion command `stella audit verify` checks bundle integrity: every file is hashed and compared against the bundle manifest, and the manifest's DSSE signature can optionally be verified as well.

## Implementation Details

- **Command Group**: `src/Cli/StellaOps.Cli/Commands/AuditCommandGroup.cs` -- `AuditCommandGroup` (internal static class)
- **Audit Verify**: `src/Cli/StellaOps.Cli/Commands/AuditVerifyCommand.cs` -- standalone audit verify command
- **Command Handlers**: `src/Cli/StellaOps.Cli/Commands/CommandHandlers.Audit.cs` -- `CommandHandlers` partial class with the audit handlers
- **Bundle Service**: `src/Cli/StellaOps.Cli/Audit/AuditBundleService.cs` / `IAuditBundleService.cs` -- bundle generation and verification logic
- **Bundle Verifier**: `src/Cli/StellaOps.Cli/Services/AttestationBundleVerifier.cs` / `IAttestationBundleVerifier.cs`
- **Sprint**: SPRINT_20260117_027_CLI
- **Commands**:
  - `stella audit bundle ` -- generate an audit bundle for an artifact digest. Options: `--output `, `--format dir|tar.gz|zip`
  - `stella audit verify ` -- verify bundle integrity (manifest hash check; DSSE signature check with `--verify-signature`)
- **Tests**: `src/Cli/__Tests/StellaOps.Cli.Tests/Commands/VerifyBundleCommandTests.cs`

## E2E Test Plan

- [ ] Run `stella audit bundle sha256:abc123 --output ./audit-bundle` and verify the directory is created with verdict, evidence, policy snapshot, and replay instructions
- [ ] Run `stella audit bundle sha256:abc123 --format tar.gz` and verify a tar.gz archive is created
- [ ] Run `stella audit bundle sha256:abc123 --format zip` and verify a zip archive is created
- [ ] Run `stella audit verify ./audit-bundle` on an untouched bundle and verify the manifest hash check passes
- [ ] Modify a file inside `./audit-bundle`, run `stella audit verify ./audit-bundle` again, and verify the integrity failure is reported
- [ ] Run `stella audit verify ./audit-bundle --verify-signature` and verify the DSSE signature is checked (and that a bundle whose manifest was edited after signing is rejected)
- [ ] Verify the bundle's replay instructions reproduce the verdict
- [ ] Verify exit code 0 for a bundle that passes verification and a non-zero exit code for any failure
- [ ] Verify error handling for non-existent digests and non-existent bundle paths
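The verification logic described above (per-file manifest hashes plus a DSSE envelope over the manifest) and the tamper cases in the test plan are illustrated by the following added example. It is not StellaOps code: the bundle layout (`manifest.json` mapping relative paths to `sha256:` digests, `manifest.dsse.json` holding the envelope, file names such as `verdict.json` and `policy-snapshot.json`), the payload type, and the use of an HMAC as a stand-in for the asymmetric DSSE signature a real bundle would carry are all assumptions made for the demonstration. The DSSE v1 pre-authentication encoding (`DSSEv1 <len> <type> <len> <body>`) is the real framing. The demo shows why the signature check matters: an attacker who edits a file and then re-hashes the manifest defeats the hash check alone, but not the signed manifest.

```python
"""Independent audit-bundle check: manifest hashes plus a DSSE envelope.

Added example, not StellaOps code. Assumed (hypothetical) layout:
  manifest.json       {"files": {"<relpath>": "sha256:<hex>"}}
  manifest.dsse.json  DSSE envelope over the exact bytes of manifest.json
"""
import base64
import hashlib
import hmac
import json
import os
import tempfile

DEMO_KEY = b"demo-audit-signing-key"          # constructed; stands in for a real signing key
DEMO_KEYID = "demo-hmac-key"
PAYLOAD_TYPE = "application/vnd.example.audit-manifest+json"  # assumed payload type


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return "sha256:" + h.hexdigest()


def dsse_pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE v1 pre-authentication encoding; lengths are decimal byte counts."""
    t = payload_type.encode("utf-8")
    return b" ".join([b"DSSEv1", str(len(t)).encode(), t, str(len(payload)).encode(), payload])


def dsse_sign(payload: bytes, key: bytes) -> dict:
    # HMAC over the PAE is a stand-in for the ECDSA/Ed25519 signature a real envelope carries.
    sig = hmac.new(key, dsse_pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {"payloadType": PAYLOAD_TYPE,
            "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": DEMO_KEYID, "sig": base64.b64encode(sig).decode()}]}


def dsse_verify(envelope: dict, key: bytes) -> bytes:
    """Return the authenticated payload bytes or raise ValueError."""
    payload = base64.b64decode(envelope["payload"])
    expected = hmac.new(key, dsse_pae(envelope["payloadType"], payload), hashlib.sha256).digest()
    for s in envelope.get("signatures", []):
        if s.get("keyid") == DEMO_KEYID and hmac.compare_digest(base64.b64decode(s["sig"]), expected):
            return payload
    raise ValueError("no valid DSSE signature")


def build_bundle(root: str, files: dict) -> None:
    """Write the bundle files, then a manifest and a signed envelope over the manifest."""
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    manifest = {"files": {rel: sha256_file(os.path.join(root, rel)) for rel in sorted(files)}}
    manifest_bytes = json.dumps(manifest, sort_keys=True).encode()
    with open(os.path.join(root, "manifest.json"), "wb") as f:
        f.write(manifest_bytes)
    with open(os.path.join(root, "manifest.dsse.json"), "w") as f:
        json.dump(dsse_sign(manifest_bytes, DEMO_KEY), f)


def verify_bundle(root: str, verify_signature: bool = False) -> list:
    """Return a list of problems; an empty list means the bundle verifies (exit code 0)."""
    problems = []
    manifest_path = os.path.join(root, "manifest.json")
    if not os.path.isfile(manifest_path):
        return ["manifest.json missing"]
    with open(manifest_path, "rb") as f:
        manifest_bytes = f.read()
    manifest = json.loads(manifest_bytes)
    if verify_signature:  # the manifest on disk must be byte-identical to the signed payload
        try:
            with open(os.path.join(root, "manifest.dsse.json")) as f:
                if dsse_verify(json.load(f), DEMO_KEY) != manifest_bytes:
                    problems.append("manifest.json differs from signed payload")
        except (OSError, ValueError, KeyError) as e:
            problems.append(f"DSSE verification failed: {e}")
    for rel, digest in manifest["files"].items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            problems.append(f"{rel}: listed in manifest but missing")
        elif sha256_file(path) != digest:
            problems.append(f"{rel}: digest mismatch")
    return problems


def demo() -> tuple:
    """Constructed bundle: clean verify, tamper a file, then re-hash the manifest to hide it."""
    with tempfile.TemporaryDirectory() as root:
        build_bundle(root, {
            "verdict.json": b'{"artifact": "sha256:abc123", "verdict": "pass"}\n',
            "evidence/scan.json": b'{"findings": []}\n',
            "policy-snapshot.json": b'{"policy": "default", "version": 3}\n',
            "replay.md": b"stella audit bundle sha256:abc123 --output ./audit-bundle\n",
        })
        clean = verify_bundle(root, verify_signature=True)
        verdict = os.path.join(root, "verdict.json")
        with open(verdict, "wb") as f:
            f.write(b'{"artifact": "sha256:abc123", "verdict": "fail"}\n')
        tampered = verify_bundle(root, verify_signature=True)   # hash check catches this
        with open(os.path.join(root, "manifest.json")) as f:
            manifest = json.load(f)
        manifest["files"]["verdict.json"] = sha256_file(verdict)  # attacker re-hashes
        with open(os.path.join(root, "manifest.json"), "w") as f:
            json.dump(manifest, f, sort_keys=True)
        rehashed = verify_bundle(root, verify_signature=True)   # only the signature catches this
    return clean, tampered, rehashed


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "rehashed"), demo()):
        print(label, "OK" if not result else result)
```

Without `--verify-signature` the third case passes, which is the argument for always verifying the envelope when the bundle has crossed a trust boundary; the manifest only binds file contents to itself, and the signature is what binds the manifest to the producer.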