git.stella-ops.org/docs/features/checked/cli/trust-anchor-management-cli.md
2026-02-14 09:11:48 +02:00

Trust Anchor Management CLI (stella proof anchor list/show/create/revoke-key)

Module: Cli

Status: VERIFIED

Description

Manage root trust anchors used in proof chain verification: list, show details, create new anchors, and revoke individual keys within anchors. Supports two implementations: the top-level stella trust-anchors command group (CA, publickey, OIDC, TUF anchor types) and the proof-scoped stella proof anchor command group (PURL-pattern-based anchors with key ID binding).

Implementation Details

  • Top-Level Command Group: src/Cli/StellaOps.Cli/Commands/TrustAnchorsCommandGroup.cs -- TrustAnchorsCommandGroup (static class)
    • Sprint: SPRINT_20260117_011_CLI_attestation_signing (ATS-002)
    • Supports anchor types: ca, publickey, oidc, tuf
  • Proof-Scoped Command Group: src/Cli/StellaOps.Cli/Commands/Proof/AnchorCommandGroup.cs -- AnchorCommandGroup (instance class with DI)
    • Implements stella proof anchor list/show/create/revoke-key
    • Uses ITrustAnchorManager and IKeyRotationService for backend operations
  • DTOs: TrustAnchor (Id, Name, Type, Status, Fingerprint, CreatedAt, ExpiresAt, UsageCount)
  • Commands (top-level):
    • stella trust-anchors list [--type ca|publickey|oidc|tuf] [--format table|json] -- list configured trust anchors with type filtering
    • stella trust-anchors add --type <type> --name <name> [--cert <path>] [--key <path>] [--issuer <url>] [--tuf-root <path>] -- add new anchor with type-specific validation
    • stella trust-anchors remove <anchor-id> --confirm -- remove a trust anchor (requires confirmation)
    • stella trust-anchors show <anchor-id> [--format text|json] -- show anchor details including fingerprint, creation/expiry, usage count
  • Commands (proof-scoped):
    • stella proof anchor list [--output text|json] -- list active trust anchors
    • stella proof anchor show <anchorId> -- show trust anchor details
    • stella proof anchor create <pattern> --key-id <id> [--policy-version <ver>] -- create anchor with PURL glob pattern
    • stella proof anchor revoke-key <anchorId> <keyId> [--reason <text>] -- revoke a key within an anchor
  • Exit codes: 0 = success, 1 = error, defined in ProofExitCodes
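The two command groups above describe behaviour (type-specific option validation for `stella trust-anchors add`, PURL-glob anchors bound to a key ID, and per-key revocation) without showing the logic. The following Python model is an added illustration written for this page, not code from StellaOps.Cli, ITrustAnchorManager or IKeyRotationService; it also covers the checks in the E2E test plan below. Everything in it is an assumption except the command shapes, the two error strings and the 0/1 exit codes quoted on this page: the required-option table, the anchor ID derivation, and the use of fnmatch-style globbing (where `*` also crosses `/` segments) are choices made here for illustration.

```python
"""Toy model of trust-anchor validation and proof-scoped key revocation.

Constructed example for this page; not the project's implementation.
"""
from __future__ import annotations

import fnmatch
import hashlib
from dataclasses import dataclass, field

# Exit codes as the page states them (0 = success, 1 = error). The real
# ProofExitCodes type is not reproduced here.
EXIT_OK, EXIT_ERROR = 0, 1

# Assumed mapping from anchor type to the option that type needs, derived from
# the `stella trust-anchors add` usage line (--cert, --key, --issuer, --tuf-root).
REQUIRED_OPTION = {"ca": "cert", "publickey": "key", "oidc": "issuer", "tuf": "tuf_root"}


def validate_add(anchor_type: str, name: str, **options: str | None) -> tuple[int, str]:
    """Type-specific validation modelled on `stella trust-anchors add`.

    Returns (exit_code, message). Unknown types and a missing type-specific
    option are both errors, using the messages the E2E plan expects.
    """
    if anchor_type not in REQUIRED_OPTION:
        return EXIT_ERROR, f"Unknown anchor type: {anchor_type}"
    needed = REQUIRED_OPTION[anchor_type]
    if not options.get(needed):
        flag = "--" + needed.replace("_", "-")
        return EXIT_ERROR, f"{flag} is required for type={anchor_type}"
    return EXIT_OK, f"Added {anchor_type} anchor '{name}'"


@dataclass
class ProofAnchor:
    """A proof-scoped anchor: a PURL glob pattern bound to one or more key IDs."""
    anchor_id: str
    pattern: str                                    # e.g. "pkg:npm/*"
    key_ids: set[str] = field(default_factory=set)
    revoked: dict[str, str] = field(default_factory=dict)  # key id -> reason
    policy_version: str | None = None

    def active_keys(self) -> set[str]:
        # A revoked key stays recorded (with its reason) but no longer anchors trust.
        return self.key_ids - set(self.revoked)

    def matches(self, purl: str) -> bool:
        # Assumption: shell-style globbing where '*' may span '/' segments.
        return fnmatch.fnmatchcase(purl, self.pattern)


class ProofAnchorStore:
    """In-memory stand-in for the backend behind `stella proof anchor ...`."""

    def __init__(self) -> None:
        self._anchors: dict[str, ProofAnchor] = {}

    def create(self, pattern: str, key_id: str, policy_version: str | None = None) -> ProofAnchor:
        # Assumed ID scheme: short hash of pattern and key so creation is deterministic.
        anchor_id = hashlib.sha256(f"{pattern}|{key_id}".encode()).hexdigest()[:12]
        anchor = ProofAnchor(anchor_id, pattern, {key_id}, policy_version=policy_version)
        self._anchors[anchor_id] = anchor
        return anchor

    def show(self, anchor_id: str) -> ProofAnchor | None:
        return self._anchors.get(anchor_id)

    def list_active(self) -> list[str]:
        """IDs of anchors that still have at least one unrevoked key."""
        return sorted(a.anchor_id for a in self._anchors.values() if a.active_keys())

    def revoke_key(self, anchor_id: str, key_id: str, reason: str = "unspecified") -> int:
        anchor = self._anchors.get(anchor_id)
        if anchor is None or key_id not in anchor.key_ids:
            return EXIT_ERROR
        anchor.revoked[key_id] = reason
        return EXIT_OK

    def is_trusted(self, purl: str, key_id: str) -> bool:
        """Would a proof over `purl` signed by `key_id` chain to an active anchor?"""
        return any(a.matches(purl) and key_id in a.active_keys() for a in self._anchors.values())


if __name__ == "__main__":
    store = ProofAnchorStore()
    anchor = store.create("pkg:npm/*", "key1")
    print(store.is_trusted("pkg:npm/left-pad@1.3.0", "key1"))   # True
    store.revoke_key(anchor.anchor_id, "key1", "compromised")
    print(store.is_trusted("pkg:npm/left-pad@1.3.0", "key1"))   # False
```

The point the model makes explicit is that revocation is a property of the key inside the anchor, not of the anchor: after `revoke-key` the anchor still exists and `show` still reports the revocation reason, but `list` no longer counts it as active and no proof signed by the revoked key verifies against it.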

E2E Test Plan

  • Run stella trust-anchors list and verify table output shows ID, Type, Name, Status columns
  • Run stella trust-anchors list --type ca and verify filtering to CA anchors only
  • Run stella trust-anchors list --format json and verify valid JSON array output
  • Run stella trust-anchors add --type ca --name "Test CA" --cert ./ca.pem and verify anchor creation
  • Run stella trust-anchors add --type publickey --name "Test Key" without --key and verify error: "--key is required for type=publickey"
  • Run stella trust-anchors add --type unknown --name "Bad" and verify error: "Unknown anchor type"
  • Run stella trust-anchors show <id> --format json and verify JSON output with all fields
  • Run stella trust-anchors remove <id> without --confirm and verify warning prompt
  • Run stella trust-anchors remove <id> --confirm and verify removal message
  • Run stella proof anchor list and verify anchor listing
  • Run stella proof anchor create "pkg:npm/*" --key-id key1 and verify creation
  • Run stella proof anchor revoke-key <id> <keyId> --reason "compromised" and verify revocation

Verification

  • Verified: 2026-02-13T15:30:00Z
  • Tier 0 (Source): pass -- all referenced source files exist on disk
  • Tier 1 (Build): pass -- module builds cleanly, 87 tests pass in StellaOps.Cli.Auth.Tests
  • Tier 2d (Integration): pass -- targeted integration tests confirm behavioral correctness
  • Test Project: src/Cli/__Tests/StellaOps.Cli.Auth.Tests/StellaOps.Cli.Auth.Tests.csproj
  • Evidence: docs/qa/feature-checks/runs/cli/trust-anchor-management-cli/run-001/tier2-integration-check.json