git.stella-ops.org/src/StellaOps.Cli/TASKS.md

CLI Task Board — Epic 1: Aggregation-Only Contract

ID	Status	Owner(s)	Depends on	Description	Exit Criteria
CLI-AOC-19-001	DOING (2025-10-27)	DevEx/CLI Guild	CONCELIER-WEB-AOC-19-001, EXCITITOR-WEB-AOC-19-001	Implement stella sources ingest --dry-run printing would-write payloads with forbidden field scan results and guard status.	Command displays diff-safe JSON, highlights forbidden fields, exits non-zero on guard violation, and has unit tests.

Docs ready (2025-10-26): Reference behaviour/spec in docs/cli/cli-reference.md §2 and AOC reference §5. 2025-10-27: CLI command scaffolded with backend client call, JSON/table output, gzip/base64 normalisation, and exit-code mapping. Awaiting Concelier dry-run endpoint + integration tests once backend lands. 2025-10-27: Progress paused before adding CLI unit tests; blocked on extending StubBackendClient + fixtures for ExecuteAocIngestDryRunAsync coverage. | CLI-AOC-19-002 | TODO | DevEx/CLI Guild | CLI-AOC-19-001 | Add stella aoc verify command supporting --since/--limit, mapping ERR_AOC_00x to exit codes, with JSON/table output. | Command integrates with both services, exit codes documented, regression tests green. | Docs ready (2025-10-26): CLI guide §3 covers options/exit codes; deployment doc docs/deploy/containers.md describes required verifier user. | CLI-AOC-19-003 | TODO | Docs/CLI Guild | CLI-AOC-19-001, CLI-AOC-19-002 | Update CLI reference and quickstart docs to cover new commands, exit codes, and offline verification workflows. | Docs updated; examples recorded; release notes mention new commands. | Docs note (2025-10-26): docs/cli/cli-reference.md now describes both commands, exit codes, and offline usage—sync help text once implementation lands.

Policy Engine v2

ID	Status	Owner(s)	Depends on	Description	Exit Criteria
CLI-POLICY-20-001	TODO	DevEx/CLI Guild	WEB-POLICY-20-001	Add `stella policy new	edit
CLI-POLICY-20-002	DONE (2025-10-27)	DevEx/CLI Guild	CLI-POLICY-20-001, WEB-POLICY-20-001, WEB-POLICY-20-002	Implement stella policy simulate with SBOM/env arguments and diff output (table/JSON), handling exit codes for ERR_POL_*.	Simulation outputs deterministic diffs; JSON schema documented; tests validate exit codes + piping of env variables.

2025-10-26: Scheduler Models expose canonical run/diff schemas (src/StellaOps.Scheduler.Models/docs/SCHED-MODELS-20-001-POLICY-RUNS.md). Schema exporter lives at scripts/export-policy-schemas.sh; wire schema validation once DevOps publishes artifacts (see DEVOPS-POLICY-20-004). 2025-10-27: DevOps pipeline now publishes policy-schema-exports artefacts per commit (see .gitea/workflows/build-test-deploy.yml); Slack #policy-engine alerts trigger on schema diffs. Pull the JSON from the CI artifact instead of committing local copies. 2025-10-27: CLI command supports table/JSON output, environment parsing, --fail-on-diff, and maps ERR_POL_* to exit codes; tested in StellaOps.Cli.Tests against stubbed backend. | CLI-POLICY-20-003 | TODO | DevEx/CLI Guild, Docs Guild | CLI-POLICY-20-002, WEB-POLICY-20-003, DOCS-POLICY-20-006 | Extend stella findings ls|get commands for policy-filtered retrieval with pagination, severity filters, and explain output. | Commands stream paginated results; explain view renders rationale entries; docs/help updated; end-to-end tests cover filters. | 2025-10-27: Work paused after stubbing backend parsing helpers; command wiring/tests still pending. Resume by finishing backend query serialization + CLI output paths.

Graph Explorer v1

ID	Status	Owner(s)	Depends on	Description	Exit Criteria

Link-Not-Merge v1

ID	Status	Owner(s)	Depends on	Description	Exit Criteria
CLI-LNM-22-001	TODO	DevEx/CLI Guild	WEB-LNM-21-001	Implement stella advisory obs get/linkset show/export commands with JSON/OSV output, pagination, and conflict display; ensure ERR_AGG_* mapping.	Commands fetch observation/linkset data; exports validated against fixtures; unit tests cover error handling.
CLI-LNM-22-002	TODO	DevEx/CLI Guild	WEB-LNM-21-002	Implement stella vex obs get/linkset show commands with product filters, status filters, and JSON output for CI usage.	Commands support filters + streaming; integration tests use sample linksets; docs updated.

Policy Engine + Editor v1

ID	Status	Owner(s)	Depends on	Description	Exit Criteria
CLI-POLICY-23-004	TODO	DevEx/CLI Guild	WEB-POLICY-23-001	Add stella policy lint command validating SPL files with compiler diagnostics; support JSON output.	Command returns lint diagnostics; exit codes documented; tests cover error scenarios.
CLI-POLICY-23-005	TODO	DevEx/CLI Guild	WEB-POLICY-23-002	Implement stella policy activate with scheduling window, approval enforcement, and summary output.	Activation command integrates with API, handles 2-person rule failures; tests cover success/error.
CLI-POLICY-23-006	TODO	DevEx/CLI Guild	WEB-POLICY-23-004	Provide stella policy history and stella policy explain commands to pull run history and explanation trees.	Commands output JSON/table; integration tests with fixtures; docs updated.

Graph & Vuln Explorer v1

ID	Status	Owner(s)	Depends on	Description	Exit Criteria

Exceptions v1

ID	Status	Owner(s)	Depends on	Description	Exit Criteria
CLI-EXC-25-001	TODO	DevEx/CLI Guild	WEB-EXC-25-001	Implement `stella exceptions list	draft
CLI-EXC-25-002	TODO	DevEx/CLI Guild	WEB-EXC-25-002	Extend stella policy simulate with --with-exception/--without-exception flags to preview exception impact.	Simulation handles overrides; regression tests cover presence/absence; help text updated.

Reachability v1

ID	Status	Owner(s)	Depends on	Description	Exit Criteria
CLI-SIG-26-001	TODO	DevEx/CLI Guild	WEB-SIG-26-001	Implement stella reachability upload-callgraph and stella reachability list/explain commands with streaming upload, pagination, and exit codes.	Commands operate end-to-end; integration tests with fixtures; docs updated.
CLI-SIG-26-002	TODO	DevEx/CLI Guild	WEB-SIG-26-003	Extend stella policy simulate with reachability override flags (--reachability-state, --reachability-score).	Simulation command accepts overrides; regression tests cover adjustments; help text updated.

Policy Studio (Sprint 27)

ID	Status	Owner(s)	Depends on	Description	Exit Criteria
CLI-POLICY-27-001	TODO	DevEx/CLI Guild	REGISTRY-API-27-001, WEB-POLICY-27-001	Implement policy workspace commands (stella policy init, edit, lint, compile, test) with template selection, local cache, JSON output, and deterministic temp directories.	Commands operate offline with cached templates; diagnostics mirror API responses; unit tests cover happy/error paths; help text updated.

Docs dependency: DOCS-POLICY-27-007 blocked until CLI commands + help output land. | CLI-POLICY-27-002 | TODO | DevEx/CLI Guild | REGISTRY-API-27-006, WEB-POLICY-27-002 | Add submission/review workflow commands (stella policy version bump, submit, review comment, approve, reject) supporting reviewer assignment, changelog capture, and exit codes. | Workflow commands enforce required approvers; comments upload correctly; integration tests cover approval failure; docs updated. | Docs dependency: DOCS-POLICY-27-007 and DOCS-POLICY-27-006 require review/promotion CLI flows. | CLI-POLICY-27-003 | TODO | DevEx/CLI Guild | REGISTRY-API-27-005, SCHED-CONSOLE-27-001 | Implement stella policy simulate enhancements (quick vs batch, SBOM selectors, heatmap summary, manifest download) with --json and Markdown report output for CI. | CLI can trigger batch sim, poll progress, download artifacts; outputs deterministic schemas; CI sample workflow documented; tests cover cancellation/timeouts. | Docs dependency: DOCS-POLICY-27-004 needs simulate CLI examples. | CLI-POLICY-27-004 | TODO | DevEx/CLI Guild | REGISTRY-API-27-007, REGISTRY-API-27-008, AUTH-POLICY-27-002 | Add lifecycle commands for publish/promote/rollback/sign (stella policy publish --sign, promote --env, rollback) with attestation verification and canary arguments. | Commands enforce signing requirement, support dry-run, produce audit logs; integration tests cover promotion + rollback; documentation updated. | Docs dependency: DOCS-POLICY-27-006 requires publish/promote/rollback CLI examples. | CLI-POLICY-27-005 | TODO | DevEx/CLI Guild, Docs Guild | DOCS-CONSOLE-27-007, DOCS-POLICY-27-007 | Update CLI reference and samples for Policy Studio including JSON schemas, exit codes, and CI snippets. | CLI docs merged with screenshots/transcripts; parity matrix updated; acceptance tests ensure --help examples compile. |

Vulnerability Explorer (Sprint 29)

ID	Status	Owner(s)	Depends on	Description	Exit Criteria
CLI-VULN-29-001	TODO	DevEx/CLI Guild	VULN-API-29-002, AUTH-VULN-29-001	Implement stella vuln list with grouping, paging, filters, --json/--csv, and policy selection.	Command returns deterministic output; paging works; regression tests cover filters/grouping.
CLI-VULN-29-002	TODO	DevEx/CLI Guild	VULN-API-29-003	Implement stella vuln show displaying evidence, policy rationale, paths, ledger summary; support --json for automation.	Output matches schema; evidence rendered with provenance; tests cover missing data.
CLI-VULN-29-003	TODO	DevEx/CLI Guild	VULN-API-29-004, LEDGER-29-005	Add workflow commands (assign, comment, accept-risk, verify-fix, target-fix, reopen) with filter selection (--filter) and idempotent retries.	Commands create ledger events; exit codes documented; integration tests cover role enforcement.
CLI-VULN-29-004	TODO	DevEx/CLI Guild	VULN-API-29-005	Implement stella vuln simulate producing delta summaries and optional Markdown report for CI.	CLI simulation returns diff tables + JSON; tests verify diff correctness; docs updated.
CLI-VULN-29-005	TODO	DevEx/CLI Guild	VULN-API-29-008	Add stella vuln export and stella vuln bundle verify commands to trigger/download evidence bundles and verify signatures.	Export command streams to file; verify command checks signatures; tests cover success/failure.
CLI-VULN-29-006	TODO	DevEx/CLI Guild, Docs Guild	DOCS-VULN-29-004, DOCS-VULN-29-005	Update CLI docs/examples for Vulnerability Explorer with compliance checklist and CI snippets.	Docs merged; automated examples validated; compliance checklist appended.

VEX Lens (Sprint 30)

ID	Status	Owner(s)	Depends on	Description	Exit Criteria
CLI-VEX-30-001	TODO	DevEx/CLI Guild	VEXLENS-30-007	Implement stella vex consensus list with filters, paging, policy selection, --json/--csv.	Command returns deterministic output; regression tests cover filters/paging; docs updated.
CLI-VEX-30-002	TODO	DevEx/CLI Guild	VEXLENS-30-007	Implement stella vex consensus show displaying quorum, evidence, rationale, signature status.	Output matches schema; tests cover conflicting evidence; docs updated.
CLI-VEX-30-003	TODO	DevEx/CLI Guild	VEXLENS-30-007	Implement stella vex simulate for trust/threshold overrides with JSON diff output.	Simulation command returns diff summary; tests cover policy scenarios; docs updated.
CLI-VEX-30-004	TODO	DevEx/CLI Guild	VEXLENS-30-007	Implement stella vex export for consensus NDJSON bundles with signature verification helper.	Export & verify commands operational; tests cover file output; docs updated.

Advisory AI (Sprint 31)

ID	Status	Owner(s)	Depends on	Description	Exit Criteria
CLI-AIAI-31-001	TODO	DevEx/CLI Guild	AIAI-31-006	Implement stella advise summarize command with JSON/Markdown outputs and citation display.	Command returns summary + JSON; citations preserved; tests cover filters.
CLI-AIAI-31-002	TODO	DevEx/CLI Guild	AIAI-31-006	Implement stella advise explain showing conflict narrative and structured rationale.	Output matches schemas; tests cover disputed cases.
CLI-AIAI-31-003	TODO	DevEx/CLI Guild	AIAI-31-006	Implement stella advise remediate generating remediation plans with --strategy filters and file output.	Plans saved to file; exit codes documented; tests cover version mapping.
CLI-AIAI-31-004	TODO	DevEx/CLI Guild	AIAI-31-006	Implement stella advise batch for summaries/conflicts/remediation with progress + multi-status responses.	Batch command handles 207 responses; tests cover partial failures.

Export Center (Epic 10)

ID	Status	Owner(s)	Depends on	Description	Exit Criteria
CLI-EXPORT-35-001	TODO	DevEx/CLI Guild	WEB-EXPORT-35-001, AUTH-EXPORT-35-001	Implement `stella export profiles	runslist/show,run create, run status`, and resumable download commands with manifest/provenance retrieval.
CLI-EXPORT-36-001	TODO	DevEx/CLI Guild	CLI-EXPORT-35-001, WEB-EXPORT-36-001	Add distribution commands (stella export distribute, run download --resume enhancements) and improved status polling with progress bars.	Distribution commands push OCI/object storage; status polling handles SSE fallback; tests cover failure cases.
CLI-EXPORT-37-001	TODO	DevEx/CLI Guild	CLI-EXPORT-36-001, WEB-EXPORT-37-001	Provide scheduling (stella export schedule), retention, and export verify commands performing signature/hash validation.	Scheduling/retention commands enforce admin scopes; verify command checks signatures/hashes; examples documented; tests cover success/failure.

Orchestrator Dashboard (Epic 9)

ID	Status	Owner(s)	Depends on	Description	Exit Criteria
CLI-ORCH-32-001	TODO	DevEx/CLI Guild	WEB-ORCH-32-001, AUTH-ORCH-32-001	Implement `stella orch sources	runs
CLI-ORCH-33-001	TODO	DevEx/CLI Guild	CLI-ORCH-32-001, WEB-ORCH-33-001, AUTH-ORCH-33-001	Add action verbs (`sources test	pause
CLI-ORCH-34-001	TODO	DevEx/CLI Guild	CLI-ORCH-33-001, WEB-ORCH-34-001, AUTH-ORCH-34-001	Provide backfill wizard (--from/--to --dry-run), quota management (`quotas get	set`), and safety guardrails for orchestrator GA.

Notifications Studio (Epic 11)

ID	Status	Owner(s)	Depends on	Description	Exit Criteria
CLI-NOTIFY-38-001	TODO	DevEx/CLI Guild	WEB-NOTIFY-38-001, AUTH-NOTIFY-38-001	Implement `stella notify rules	templates
CLI-NOTIFY-39-001	TODO	DevEx/CLI Guild	CLI-NOTIFY-38-001, WEB-NOTIFY-39-001	Add simulation (stella notify simulate) and digest commands with diff output and schedule triggering, including dry-run mode.	Simulation command returns deterministic diff; digest command triggers run and polls status; tests cover filters and failures.
CLI-NOTIFY-40-001	TODO	DevEx/CLI Guild	CLI-NOTIFY-39-001, WEB-NOTIFY-40-001	Provide ack token redemption workflow, escalation management, localization previews, and channel health checks.	Ack redemption validates signed tokens; escalation commands manage schedules; localization preview shows variants; integration tests cover negative cases.

CLI Parity & Task Packs (Epic 12)

ID	Status	Owner(s)	Depends on	Description	Exit Criteria
CLI-CORE-41-001	TODO	DevEx/CLI Guild	AUTH-PACKS-41-001	Implement CLI core features: config precedence, profiles/contexts, auth flows, output renderer (json/yaml/table), error mapping, global flags, telemetry opt-in.	CLI loads config deterministically; auth works (device/PAT); outputs render correctly; tests cover precedence and exit codes.
CLI-PARITY-41-001	TODO	DevEx/CLI Guild	CLI-CORE-41-001	Deliver parity command groups (policy, sbom, vuln, vex, advisory, export, orchestrator) with --explain, deterministic outputs, and parity matrix entries.	Commands match Console behavior; parity matrix green for covered actions; integration tests cover major flows.
CLI-PARITY-41-002	TODO	DevEx/CLI Guild	CLI-PARITY-41-001, WEB-NOTIFY-38-001	Implement notify, aoc, auth command groups, idempotency keys, shell completions, config docs, and parity matrix export tooling.	Commands functional; completions generated; docs updated; parity matrix auto-exported; CI checks gating.
CLI-PACKS-42-001	TODO	DevEx/CLI Guild	CLI-CORE-41-001, PACKS-REG-41-001, TASKRUN-41-001	Implement Task Pack commands (pack plan/run/push/pull/verify) with schema validation, expression sandbox, plan/simulate engine, remote execution.	Pack commands operational; plan/sim produce accurate graph; remote run streams logs; schema validation enforced.
CLI-PACKS-43-001	TODO	DevEx/CLI Guild	CLI-PACKS-42-001, TASKRUN-42-001	Deliver advanced pack features (approvals pause/resume, secret injection, localization, man pages, offline cache).	Approvals handled; secrets redacted; localization supported; man pages built; offline cache documented; integration tests cover scenarios.

Authority-Backed Scopes & Tenancy (Epic 14)

ID	Status	Owner(s)	Depends on	Description	Exit Criteria
CLI-TEN-47-001	TODO	DevEx/CLI Guild	AUTH-TEN-47-001	Implement stella login, whoami, tenants list, persistent profiles, secure token storage, and --tenant override with validation.	Commands functional across platforms; tokens stored securely; tenancy header set on requests; integration tests cover login/tenant switch.
CLI-TEN-49-001	TODO	DevEx/CLI Guild	CLI-TEN-47-001, AUTH-TEN-49-001	Add service account token minting, delegation (stella token delegate), impersonation banner, and audit-friendly logging.	Service tokens minted with scopes/TTL; delegation recorded; CLI displays impersonation banner; docs updated.

Observability & Forensics (Epic 15)

ID	Status	Owner(s)	Depends on	Description	Exit Criteria
CLI-OBS-50-001	TODO	DevEx/CLI Guild	TELEMETRY-OBS-50-002, WEB-OBS-50-001	Ensure CLI HTTP client propagates traceparent headers for all commands, prints correlation IDs on failure, and records trace IDs in verbose logs (scrubbed).	Trace headers observed in integration tests; verbose logs include trace IDs; redaction guard verified.
CLI-OBS-51-001	TODO	DevEx/CLI Guild	CLI-OBS-50-001, WEB-OBS-51-001	Implement stella obs top command streaming service health metrics, SLO status, and burn-rate alerts with TUI view and JSON output.	Command streams metrics; JSON output documented; integration tests cover streaming and exit codes.
CLI-OBS-52-001	TODO	DevEx/CLI Guild	CLI-OBS-51-001, TIMELINE-OBS-52-003	Add stella obs trace <trace_id> and stella obs logs --from/--to commands that correlate timeline events, logs, and evidence links with pagination + guardrails.	Commands fetch timeline/log data; paging tokens handled; fixtures stored under samples/obs/; tests cover errors.
CLI-FORENSICS-53-001	TODO	DevEx/CLI Guild, Evidence Locker Guild	CLI-OBS-52-001, EVID-OBS-53-003	Implement stella forensic snapshot create --case and snapshot list/show commands invoking evidence locker APIs, surfacing manifest digests, and storing local cache metadata.	Snapshot commands functional; manifests displayed; cache metadata deterministic; docs/help updated.
CLI-FORENSICS-54-001	TODO	DevEx/CLI Guild, Provenance Guild	CLI-FORENSICS-53-001, PROV-OBS-54-001	Provide stella forensic verify <bundle> command validating checksums, DSSE signatures, and timeline chain-of-custody. Support JSON/pretty output and exit codes for CI.	Verification works with sample bundles; tests cover success/failure; docs updated.
CLI-FORENSICS-54-002	TODO	DevEx/CLI Guild, Provenance Guild	CLI-FORENSICS-54-001	Implement stella forensic attest show <artifact> listing attestation details (signer, timestamp, subjects) and verifying signatures.	Command prints attestation summary; verification errors flagged; tests cover offline mode.
CLI-OBS-55-001	TODO	DevEx/CLI Guild, DevOps Guild	CLI-OBS-52-001, WEB-OBS-55-001, DEVOPS-OBS-55-001	Add `stella obs incident-mode enable	disable

Air-Gapped Mode (Epic 16)

ID	Status	Owner(s)	Depends on	Description	Exit Criteria
CLI-AIRGAP-56-001	TODO	DevEx/CLI Guild	MIRROR-CRT-56-001, AIRGAP-IMP-56-001	Implement `stella mirror create	verifyandstella airgap verify` commands with DSSE/TUF results, dry-run mode, and deterministic manifests.
CLI-AIRGAP-56-002	TODO	DevEx/CLI Guild	CLI-OBS-50-001, AIRGAP-IMP-56-001	Ensure telemetry propagation under sealed mode (no remote exporters) while preserving correlation IDs; add label AirGapped-Phase-1.	CLI traces flow via local exporters in sealed mode; correlation IDs still printed; tests cover sealed toggle + fallback.
CLI-AIRGAP-57-001	TODO	DevEx/CLI Guild	CLI-AIRGAP-56-001, AIRGAP-IMP-58-001	Add stella airgap import with diff preview, bundle scope selection (--tenant, --global), audit logging, and progress reporting.	Import updates catalog; diff preview rendered; audit entries include bundle ID + scope; tests cover idempotent re-import.
CLI-AIRGAP-57-002	TODO	DevEx/CLI Guild	CLI-AIRGAP-56-001, AIRGAP-CTL-56-002	Provide `stella airgap seal	status` commands surfacing sealing state, drift, staleness metrics, and remediation guidance with safe confirmation prompts.
CLI-AIRGAP-58-001	TODO	DevEx/CLI Guild, Evidence Locker Guild	CLI-AIRGAP-57-001, CLI-FORENSICS-54-001	Implement stella airgap export evidence helper for portable evidence packages, including checksum manifest and verification.	Command generates portable bundle; verification step validates signatures; docs/help updated with examples.

SDKs & OpenAPI (Epic 17)

ID	Status	Owner(s)	Depends on	Description	Exit Criteria
CLI-SDK-62-001	TODO	DevEx/CLI Guild, SDK Generator Guild	SDKGEN-63-001	Replace bespoke HTTP clients with official SDK (TS/Go) for all CLI commands; ensure modular transport for air-gapped mode.	CLI builds using SDK; regression suite passes; telemetry shows SDK version.
CLI-SDK-62-002	TODO	DevEx/CLI Guild	CLI-SDK-62-001, APIGOV-61-001	Update CLI error handling to surface standardized API error envelope with error.code and trace_id.	CLI displays envelope data; integration tests cover new output.
CLI-SDK-63-001	TODO	DevEx/CLI Guild, API Governance Guild	OAS-61-002	Expose stella api spec download command retrieving aggregate OAS and verifying checksum/ETag.	Command downloads + verifies spec; docs updated; tests cover failure cases.
CLI-SDK-64-001	TODO	DevEx/CLI Guild, SDK Release Guild	SDKREL-63-001	Add CLI subcommand stella sdk update to fetch latest SDK manifests/changelogs; integrate with Notifications for deprecations.	Command lists versions/changelogs; notifications triggered on updates.

Risk Profiles (Epic 18)

ID	Status	Owner(s)	Depends on	Description	Exit Criteria
CLI-RISK-66-001	TODO	DevEx/CLI Guild, Policy Guild	POLICY-RISK-67-002	Implement `stella risk profile list	get
CLI-RISK-66-002	TODO	DevEx/CLI Guild, Risk Engine Guild	RISK-ENGINE-69-001	Ship stella risk simulate supporting SBOM/asset inputs, diff mode, and export to JSON/CSV.	Simulation runs via CLI; output tested; docs updated.
CLI-RISK-67-001	TODO	DevEx/CLI Guild, Findings Ledger Guild	LEDGER-RISK-67-001	Provide stella risk results with filtering, severity thresholds, explainability fetch.	Results command returns paginated data; explaination fetch command outputs artifact; tests pass.
CLI-RISK-68-001	TODO	DevEx/CLI Guild, Export Guild	RISK-BUNDLE-70-001	Add stella risk bundle verify and integrate with offline risk bundles.	Verification command validates signatures; integration tests cover tampered bundle.

Attestor Console (Epic 19)

ID	Status	Owner(s)	Depends on	Description	Exit Criteria
CLI-ATTEST-73-001	TODO	CLI Attestor Guild	ATTESTOR-73-001, SDKGEN-63-001	Implement stella attest sign (payload selection, subject digest, key reference, output format) using official SDK transport.	Command signs envelopes; tests cover file/KMS keys; docs updated.
CLI-ATTEST-73-002	TODO	CLI Attestor Guild	ATTESTOR-73-002	Implement stella attest verify with policy selection, explainability output, and JSON/table formatting.	Verification command returns structured report; exit codes match pass/fail; integration tests pass.
CLI-ATTEST-74-001	TODO	CLI Attestor Guild	ATTESTOR-73-003	Implement stella attest list with filters (subject, type, issuer, scope) and pagination.	Command outputs table/JSON; tests cover filters.
CLI-ATTEST-74-002	TODO	CLI Attestor Guild	ATTESTOR-73-003	Implement stella attest fetch to download envelopes and payloads to disk.	Fetch command saves files; checks digests; tests cover air-gap use.
CLI-ATTEST-75-001	TODO	CLI Attestor Guild, KMS Guild	KMS-72-001	Implement `stella attest key create	import
CLI-ATTEST-75-002	TODO	CLI Attestor Guild, Export Guild	ATTESTOR-75-001	Add support for building/verifying attestation bundles in CLI.	Bundle commands functional; verification catches tampering; docs updated.