# CLI Install & Update Integrity (v1) — 2025-12-01

Requirements
- Checksums: Every release publishes `stellaops-cli-$version.tar.zst` with `SHA256SUMS` + detached `.sig`.
- Verification: `stella install` and `stella self-update` run `cosign verify` by default against pinned public key fingerprint; `--skip-verify` prohibited.
- Offline: Provide `install-offline.sh` that reads from kit directory with checksum + signature checks only; no network fetches.
- Buildx plugin: pin image digest (see `cli-spec-v1.yaml`); rollback command included in help.

Failure modes
- Missing checksum/signature → command fails with exit code 21 and structured error.
- Digest mismatch → command fails with exit code 22; log path to offending file.

Artifacts
- Public key fingerprints recorded in `cli-spec-v1.yaml`.
- Example verify script to be bundled in release kit: `scripts/cli/verify-install.sh`.