# KMS Key Export/Import CLI

## Module
Cli

## Status
VERIFIED

## Description
File-backed signing key management via export/import with passphrase protection, version selection, and force-overwrite options for portable key bundles.

## Implementation Details
- **Command Group**: `src/Cli/StellaOps.Cli/Commands/CryptoCommandGroup.cs` -- `CryptoCommandGroup` for crypto operations
- **Command Handlers**: `src/Cli/StellaOps.Cli/Commands/CommandHandlers.Crypto.cs` -- crypto handlers
- **Crypto Profile Validator**: `src/Cli/StellaOps.Cli/Services/CryptoProfileValidator.cs` -- crypto profile validation
- **Tests**: `src/Cli/__Tests/StellaOps.Cli.Tests/CryptoCommandTests.cs`
- **Commands**:
  - `stella crypto export --key <key-id> --output <path> --passphrase <pass>` -- export signing key with passphrase protection. Options: `--version <ver>`, `--force`
  - `stella crypto import --file <path> --passphrase <pass>` -- import signing key from file

## E2E Test Plan
- [ ] Run `stella crypto export --key <id> --output ./key.enc --passphrase "secret"` and verify encrypted key exported
- [ ] Run `stella crypto import --file ./key.enc --passphrase "secret"` and verify key imported
- [ ] Verify wrong passphrase fails import with clear error
- [ ] Run with `--version 2` and verify specific version exported
- [ ] Run with `--force` and verify overwrite of existing file
- [ ] Verify imported key can be used for signing operations

## Verification

- **Verified**: 2026-02-13T15:30:00Z
- **Tier 0 (Source)**: pass -- all referenced source files exist on disk
- **Tier 1 (Build)**: pass -- module builds cleanly, 87 tests pass in StellaOps.Cli.Auth.Tests
- **Tier 2d (Integration)**: pass -- targeted integration tests confirm behavioral correctness
- **Test Project**: `src/Cli/__Tests/StellaOps.Cli.Auth.Tests/StellaOps.Cli.Auth.Tests.csproj`
- **Evidence**: `docs/qa/feature-checks/runs/cli/kms-key-export-import-cli/run-001/tier2-integration-check.json`