# Verification Command Consolidation (verify umbrella)

## Module

Cli

## Status

VERIFIED

## Description

Consolidation of `attest verify`, `vex verify`, `patchverify` etc. under a unified `stella verify` umbrella command with sub-commands for attestation, vex, patch, image, bundle, sbom, and offline verification.

## Implementation Details

- **Command Group**: `src/Cli/StellaOps.Cli/Commands/VerifyCommandGroup.cs` -- `VerifyCommandGroup` (internal static class)
  - Sprint: SPRINT_20260118_012_CLI_verification_consolidation (CLI-V-002 through CLI-V-005)
  - Delegates to `CommandHandlers.HandleVerifyOfflineAsync`, `HandleVerifyImageAsync`, `HandleVerifyBundleAsync`
- **Handler Partials**:
  - `src/Cli/StellaOps.Cli/Commands/CommandHandlers.VerifyOffline.cs` -- offline verification handler
  - `src/Cli/StellaOps.Cli/Commands/CommandHandlers.VerifyBundle.cs` -- bundle verification handler
- **Commands**:
  - `stella verify offline --evidence-dir --artifact --policy [--output-dir ] [--output table|json]` -- verify offline evidence for artifact
  - `stella verify image [--require sbom,vex,decision] [--trust-policy ] [--output table|json|sarif] [--strict]` -- verify attestation chain for container image
  - `stella verify bundle --bundle [--skip-replay] [--output table|json]` -- verify E2E evidence bundle for reproducibility
  - `stella verify attestation --image [--predicate-type ] [--policy ] [--output table|json] [--strict]` -- verify attestations (moved from `stella attest verify`)
  - `stella verify vex [--vex-file ] [--output table|json]` -- verify VEX statements (moved from `stella vex verify`)
  - `stella verify patch [--cve ] [--confidence-threshold 0.7] [--output table|json]` -- verify patches in binaries (moved from `stella patchverify`)
  - `stella verify sbom [--format spdx|cyclonedx] [--strict] [--output table|json]` -- verify SBOM integrity and completeness (also via `stella sbom verify`)
- **Route Consolidation**: `cli-routes.json` maps deprecated paths: `attest verify` -> `verify attestation`, `vex verify` -> `verify vex`, `patchverify` -> `verify patch`

## E2E Test Plan

- [ ] Run `stella verify image registry.example.com/app@sha256:abc123` and verify attestation chain results
- [ ] Run `stella verify image --require sbom,vex,decision --strict` and verify strict mode fails on missing attestations
- [ ] Run `stella verify image --output json` and verify JSON with verified:true/false per attestation
- [ ] Run `stella verify offline --evidence-dir ./evidence --artifact sha256:abc --policy ./policy.yaml` and verify offline evaluation
- [ ] Run `stella verify bundle --bundle ./evidence.tar.gz` and verify E2E reproducibility check
- [ ] Run `stella verify bundle --bundle ./evidence.tar.gz --skip-replay` and verify hash-only validation
- [ ] Run `stella verify attestation --image --predicate-type "https://slsa.dev/provenance/v1"` and verify type-filtered attestation check
- [ ] Run `stella verify vex ` and verify VEX statement verification
- [ ] Run `stella verify patch --cve CVE-2024-1234 --confidence-threshold 0.9` and verify patch check
- [ ] Run `stella verify sbom ./sbom.json --strict` and verify strict mode catches warnings as errors
- [ ] Verify deprecated routes still work: `stella attest verify` routes to `stella verify attestation`

## Verification

- **Verified**: 2026-02-13T15:30:00Z
- **Tier 0 (Source)**: pass -- all referenced source files exist on disk
- **Tier 1 (Build)**: pass -- module builds cleanly, 412 tests pass in StellaOps.Cli.Commands.Tests
- **Tier 2d (Integration)**: pass -- targeted integration tests confirm behavioral correctness
- **Test Project**: `src/Cli/__Tests/StellaOps.Cli.Commands.Tests/StellaOps.Cli.Commands.Tests.csproj`
- **Evidence**: `docs/qa/feature-checks/runs/cli/verification-command-consolidation/run-001/tier2-integration-check.json`