# CLI Attest Guide (DOCS-ATTEST-74-004)

How to verify and inspect attestations via CLI.

## Verify DSSE

```bash
stella attest verify --envelope bundle.dsse.json --policy policy.json \
  --root keys/root.pem --transparency-checkpoint checkpoints/rekor.json
```

- Offline verification uses bundled roots and checkpoints; transparency optional.

## List attestations

```bash
stella attest list --tenant default --issuer dev-kms --format table
```

## Show attestation

```bash
stella attest show --id a1b2c3 --output json
```

## CI/CD Integration

### GitHub Actions

```yaml
# .github/workflows/verify-attestation.yml
name: Verify Attestation
on:
  workflow_dispatch:
    inputs:
      artifact_path:
        description: 'Path to artifact with attestation'
        required: true

jobs:
  verify:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Download artifact
        uses: actions/download-artifact@v4
        with:
          name: signed-artifact
          path: ./artifacts

      - name: Install StellaOps CLI
        run: |
          dotnet tool install --global StellaOps.Cli

      - name: Verify attestation
        run: |
          stella attest verify \
            --envelope ./artifacts/attestation.dsse.json \
            --policy ./policy/verify-policy.json \
            --root ./keys/trusted-root.pem \
            --output ./verification-report.json

      - name: Upload verification report
        uses: actions/upload-artifact@v4
        with:
          name: verification-report
          path: ./verification-report.json
```

### GitLab CI

```yaml
# .gitlab-ci.yml
verify-attestation:
  stage: verify
  image: mcr.microsoft.com/dotnet/sdk:10.0
  before_script:
    - dotnet tool install --global StellaOps.Cli
    - export PATH="$PATH:$HOME/.dotnet/tools"
  script:
    - |
      stella attest verify \
        --envelope ./artifacts/attestation.dsse.json \
        --policy ./policy/verify-policy.json \
        --root ./keys/trusted-root.pem \
        --output ./verification-report.json
  artifacts:
    paths:
      - verification-report.json
    expire_in: 1 week
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
```

## Notes

- No network access required in sealed mode.
- All commands emit deterministic JSON; timestamps in UTC.
- Exit codes: 0 success, 2 verification failed, 4 input error.
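
The exit codes above can drive a fail-closed gate in a pipeline step. The wrapper below is an added example, not part of the StellaOps CLI or its documentation; `attest_gate` and the `STELLA_BIN` override are hypothetical names introduced here, and the only CLI behaviour it relies on is the flags and exit codes shown on this page.

```shell
#!/bin/sh
# Added example: fail-closed gate around `stella attest verify`.
# STELLA_BIN is a hypothetical override so the function can be exercised
# without the real CLI; it defaults to `stella`.

attest_gate() {
    envelope=$1 policy=$2 root=$3 report=$4
    bin=${STELLA_BIN:-stella}

    # Remove any report left by an earlier run so a stale result
    # can never be uploaded as if it belonged to this run.
    rm -f -- "$report"

    # Catch missing or empty inputs before invoking the verifier;
    # reuse the documented "input error" code (4).
    for f in "$envelope" "$policy" "$root"; do
        if [ ! -s "$f" ]; then
            echo "input error: missing or empty file: $f" >&2
            return 4
        fi
    done

    rc=0
    "$bin" attest verify --envelope "$envelope" --policy "$policy" \
        --root "$root" --output "$report" || rc=$?

    # Only 0 passes. Every other code fails the step, with a message
    # that separates a rejected attestation from a broken pipeline.
    case $rc in
        0) echo "attestation verified" ;;
        2) echo "verification failed: do not promote this artifact" >&2 ;;
        4) echo "input error: check envelope, policy and root paths" >&2 ;;
        *) echo "unexpected exit code $rc: treating as failure" >&2 ;;
    esac
    return "$rc"
}
```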