# Export Attestation Prep — PREP-EXPORT-ATTEST-75-001

Status: **Ready for implementation** (2025-11-20)
Owners: Attestation Bundle Guild · CLI Attestor Guild
Scope: Define the CLI contract for verifying/importing attestation export bundles (from 74-002) in offline/air-gap environments.

## Dependencies

- Attestation export bundle layout: `docs/modules/export-center/prep/2025-11-20-export-attest-74-001-prep.md` and CI/offline kit integration `...-74-002-prep.md`.
- EvidenceLocker/Attestor verification library (`stella attest verify`).

## CLI experience

- New command: `stella attest bundle verify --file export-attestation-bundle-v1.tgz`
  - Validates the SHA256 against the co-located `.sha256` file (see 74-002).
  - Runs DSSE verification using the bundled statement/signature; prints subject digests, predicate type/version, and root hash.
  - Exit codes: 0 success, 2 checksum mismatch, 3 DSSE signature failure, 4 missing TSA/log when required, >4 unexpected error.
- New command: `stella attest bundle import --file export-attestation-bundle-v1.tgz`
  - Performs verification first; then registers the attestation in the local/offline EvidenceLocker (when configured) and outputs the new `attestationId`/`tenant` reference.
  - Supports `--tenant` and `--namespace` flags; defaults to the current CLI profile.
  - No network calls beyond optional TSA/CT validations; `--offline` skips them.

## Determinism and I/O

- The CLI must never rewrite the archive; all access is read-only.
- Output logs in JSON when `--output json` is passed, with stable key order:

```json
{
  "status": "verified",
  "exportId": "...",
  "attestationId": "...",
  "rootHash": "sha256:...",
  "subjects": ["sha256:..."],
  "predicateType": "slsa/v1",
  "bundlePath": "export-attestation-bundle-v1.tgz"
}
```

- Human-readable output includes root hash, subject digests, predicate type/version, and the trust root used.

## Acceptance criteria

- CLI verifies bundles generated by 74-002 using only local artefacts; succeeds offline when `--offline` is used.
- Import command registers the attestation locally without modifying the archive; errors if the checksum or signature check fails.
- Exit codes and JSON schema documented for automation; tests cover checksum mismatch and invalid signature cases.

## Handoff

- Implement commands in `src/Cli/StellaOps.Cli` (attestor plugin) and add docs/examples to `docs/modules/cli/artefacts/guardrails-artefacts-2025-11-19.md` or a new CLI guide.
- Link back to this prep in the Sprint 0162 Delivery Tracker entry P8.
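The following is an added reference model of the `bundle verify` contract described under "CLI experience" and "Determinism and I/O", written for this prep as illustration; it is not StellaOps code and does not reflect the real bundle layout from 74-002. It assumes a `.tgz` holding a single `envelope.json` (a DSSE envelope wrapping an in-toto statement), a `sha256sum`-style sidecar (`<hex>  <filename>`), a TSA token stored as an assumed `timestamp` key on the envelope, and `exportId`/`rootHash` fields inside the predicate. HMAC-SHA256 over the DSSE pre-authentication encoding stands in for the real asymmetric signature check so the example runs with the standard library only; the checks are applied in the contract's order and mapped to its exit codes, and the JSON result keeps the documented key order.

```python
"""Constructed offline verifier for an attestation export bundle (example, not project code)."""
import base64
import hashlib
import hmac
import io
import json
import tarfile

# Exit codes from the CLI contract: 0 ok, 2 checksum, 3 DSSE, 4 missing TSA/log, >4 unexpected.
EXIT_OK, EXIT_CHECKSUM, EXIT_DSSE, EXIT_MISSING_TSA, EXIT_UNEXPECTED = 0, 2, 3, 4, 5
PAYLOAD_TYPE = "application/vnd.in-toto+json"
ENVELOPE_MEMBER = "envelope.json"  # assumed archive member name


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: the exact bytes a DSSE signature covers."""
    return b" ".join([b"DSSEv1", str(len(payload_type)).encode(), payload_type.encode(),
                      str(len(payload)).encode(), payload])


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def checksum_matches(bundle: bytes, sidecar: str, bundle_name: str) -> bool:
    """Compare the archive digest with the co-located .sha256 sidecar (sha256sum format assumed)."""
    parts = sidecar.split()
    return len(parts) == 2 and parts[1] == bundle_name and hmac.compare_digest(parts[0], sha256_hex(bundle))


def verify_envelope(envelope: dict, key: bytes):
    """Return the decoded statement if any signature verifies, else None.
    HMAC-SHA256 is a stand-in for the asymmetric algorithm a real DSSE verifier would use."""
    payload = base64.b64decode(envelope["payload"])
    expected = hmac.new(key, pae(envelope["payloadType"], payload), hashlib.sha256).digest()
    for sig in envelope.get("signatures", []):
        if hmac.compare_digest(base64.b64decode(sig["sig"]), expected):
            return json.loads(payload)
    return None


def read_envelope(bundle: bytes) -> dict:
    """Read-only access: the archive is parsed in memory and never rewritten."""
    with tarfile.open(fileobj=io.BytesIO(bundle), mode="r:gz") as tar:
        return json.load(tar.extractfile(ENVELOPE_MEMBER))


def verify_bundle(bundle: bytes, sidecar: str, bundle_name: str, key: bytes, require_tsa: bool = False):
    """Apply checksum -> DSSE -> TSA checks in order; return (exit_code, result) with stable key order."""
    if not checksum_matches(bundle, sidecar, bundle_name):
        return EXIT_CHECKSUM, {"status": "checksum-mismatch", "bundlePath": bundle_name}
    try:
        envelope = read_envelope(bundle)
    except Exception:  # unreadable archive or missing member: unexpected error class
        return EXIT_UNEXPECTED, {"status": "error", "bundlePath": bundle_name}
    statement = verify_envelope(envelope, key)
    if statement is None:
        return EXIT_DSSE, {"status": "signature-invalid", "bundlePath": bundle_name}
    if require_tsa and "timestamp" not in envelope:  # assumed location of the TSA token
        return EXIT_MISSING_TSA, {"status": "missing-timestamp", "bundlePath": bundle_name}
    result = {  # insertion order matches the documented JSON schema
        "status": "verified",
        "exportId": statement["predicate"]["exportId"],
        "attestationId": None,  # assigned by `import`, not by `verify`, in this model
        "rootHash": statement["predicate"]["rootHash"],
        "subjects": ["sha256:" + s["digest"]["sha256"] for s in statement["subject"]],
        "predicateType": statement["predicateType"],
        "bundlePath": bundle_name,
    }
    return EXIT_OK, result


def build_bundle(statement: dict, key: bytes, bundle_name: str, with_tsa: bool = True):
    """Constructed fixture: sign a statement, pack it as a .tgz, and emit the .sha256 sidecar."""
    payload = json.dumps(statement, separators=(",", ":")).encode()
    sig = hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    envelope = {"payloadType": PAYLOAD_TYPE, "payload": base64.b64encode(payload).decode(),
                "signatures": [{"keyid": "example-key", "sig": base64.b64encode(sig).decode()}]}
    if with_tsa:
        envelope["timestamp"] = "constructed-tsa-token"
    data = json.dumps(envelope).encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo(ENVELOPE_MEMBER)
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    bundle = buf.getvalue()
    return bundle, f"{sha256_hex(bundle)}  {bundle_name}\n"


# Constructed sample statement and key (placeholders, not real digests or secrets).
SAMPLE_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "scan-report.json", "digest": {"sha256": "ab" * 32}}],
    "predicateType": "slsa/v1",
    "predicate": {"exportId": "export-0001", "rootHash": "sha256:" + "cd" * 32},
}
SAMPLE_KEY = b"constructed-demo-key"

if __name__ == "__main__":
    name = "export-attestation-bundle-v1.tgz"
    tgz, sidecar = build_bundle(SAMPLE_STATEMENT, SAMPLE_KEY, name)
    code, out = verify_bundle(tgz, sidecar, name, SAMPLE_KEY)
    print(json.dumps(out, indent=2))  # key order is stable for automation
    raise SystemExit(code)
```

Each failure path returns before any later check runs, so a tampered archive is reported as exit 2 even if the signature inside would still verify, which is the ordering automation should rely on.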