git.stella-ops.org/docs/features/checked/cli/verification-command-consolidation.md
2026-02-14 09:11:48 +02:00

Verification Command Consolidation (verify umbrella)

Module: Cli
Status: VERIFIED

Description

Consolidation of stella attest verify, stella vex verify and stella patchverify under a unified stella verify umbrella command, with sub-commands for attestation, VEX, patch, image, bundle, SBOM and offline verification.

Implementation Details

  • Command Group: src/Cli/StellaOps.Cli/Commands/VerifyCommandGroup.cs -- VerifyCommandGroup (internal static class)
    • Sprint: SPRINT_20260118_012_CLI_verification_consolidation (CLI-V-002 through CLI-V-005)
    • Delegates to CommandHandlers.HandleVerifyOfflineAsync, HandleVerifyImageAsync, HandleVerifyBundleAsync
  • Handler Partials:
    • src/Cli/StellaOps.Cli/Commands/CommandHandlers.VerifyOffline.cs -- offline verification handler
    • src/Cli/StellaOps.Cli/Commands/CommandHandlers.VerifyBundle.cs -- bundle verification handler
  • Commands:
    • stella verify offline --evidence-dir <path> --artifact <digest> --policy <file> [--output-dir <dir>] [--output table|json] -- verify offline evidence for artifact
    • stella verify image <reference> [--require sbom,vex,decision] [--trust-policy <file>] [--output table|json|sarif] [--strict] -- verify attestation chain for container image
    • stella verify bundle --bundle <path> [--skip-replay] [--output table|json] -- verify E2E evidence bundle for reproducibility
    • stella verify attestation --image <ref> [--predicate-type <uri>] [--policy <file>] [--output table|json] [--strict] -- verify attestations (moved from stella attest verify)
    • stella verify vex <artifact> [--vex-file <path>] [--output table|json] -- verify VEX statements (moved from stella vex verify)
    • stella verify patch <artifact> [--cve <ids>] [--confidence-threshold 0.7] [--output table|json] -- verify patches in binaries (moved from stella patchverify)
    • stella verify sbom <file> [--format spdx|cyclonedx] [--strict] [--output table|json] -- verify SBOM integrity and completeness (also via stella sbom verify)
  • Route Consolidation: cli-routes.json maps deprecated paths: attest verify -> verify attestation, vex verify -> verify vex, patchverify -> verify patch
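The following Python script is an added illustration of the --require / --strict / --output json contract that stella verify image exposes; it is not StellaOps code and does not read attestations from a registry. It assumes a vocabulary of sbom, vex and decision for --require, and it assumes the semantics the test plan implies: a failed signature is always an error, while a missing required attestation is a warning by default and an error only under --strict. The sample attestation set is constructed inline.

```python
"""Model of the `verify image --require ... --strict` decision (added example)."""
import json

# Constructed sample: attestation kinds found for an image and whether their
# signatures checked out. The real CLI obtains these from the attestation store;
# here they are hard-coded so the script runs offline.
SAMPLE_FOUND = {
    "sbom": {"predicate_type": "https://cyclonedx.org/bom", "signature_ok": True},
    "vex": {"predicate_type": "https://openvex.dev/ns/v0.2.0", "signature_ok": True},
}

KNOWN_KINDS = ("sbom", "vex", "decision")  # assumed --require vocabulary


def parse_require(arg):
    """Parse a comma-separated --require list and reject unknown kinds early."""
    kinds = [k.strip() for k in arg.split(",") if k.strip()]
    unknown = [k for k in kinds if k not in KNOWN_KINDS]
    if unknown:
        raise ValueError(f"unknown attestation kind(s): {', '.join(unknown)}")
    return kinds


def evaluate(image, found, require, strict=False):
    """Return a JSON-serialisable report with verified:true/false per attestation.

    Assumed semantics: a bad signature always fails the run; a missing required
    attestation fails only under --strict and is reported as a warning otherwise.
    """
    entries = []
    for kind in require:
        att = found.get(kind)
        if att is None:
            entries.append({"kind": kind, "present": False, "verified": False,
                            "severity": "error" if strict else "warning",
                            "reason": "attestation not found"})
            continue
        ok = bool(att["signature_ok"])
        entries.append({"kind": kind, "present": True,
                        "predicate_type": att["predicate_type"],
                        "verified": ok,
                        "severity": "none" if ok else "error",
                        "reason": "" if ok else "signature verification failed"})
    passed = all(e["severity"] != "error" for e in entries)
    return {"image": image, "strict": strict, "attestations": entries,
            "verified": passed, "exit_code": 0 if passed else 1}


def render(report, output="table"):
    """Render the report as a table or as JSON, mirroring --output table|json."""
    if output == "json":
        return json.dumps(report, indent=2)
    header = f"{'KIND':<9} {'PRESENT':<8} {'VERIFIED':<9} REASON"
    rows = [f"{e['kind']:<9} {('yes' if e['present'] else 'no'):<8} "
            f"{('yes' if e['verified'] else 'no'):<9} {e['reason']}"
            for e in report["attestations"]]
    return "\n".join([header, *rows,
                      f"overall: {'PASS' if report['verified'] else 'FAIL'}"])


if __name__ == "__main__":
    ref = "registry.example.com/app@sha256:abc123"
    required = parse_require("sbom,vex,decision")
    # Lenient run: the missing decision attestation is only a warning.
    print(render(evaluate(ref, SAMPLE_FOUND, required)))
    # Strict run: the same gap becomes an error and the exit code is non-zero.
    print(render(evaluate(ref, SAMPLE_FOUND, required, strict=True), "json"))
```

The point worth keeping from the model is that "verified" is reported per attestation independently of the overall verdict: in the lenient run the decision entry is still verified:false, so a consumer of the JSON output can see the gap even when the command exits 0.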

E2E Test Plan

  • Run stella verify image registry.example.com/app@sha256:abc123 and verify attestation chain results
  • Run stella verify image <ref> --require sbom,vex,decision --strict and verify strict mode fails on missing attestations
  • Run stella verify image <ref> --output json and verify JSON with verified:true/false per attestation
  • Run stella verify offline --evidence-dir ./evidence --artifact sha256:abc --policy ./policy.yaml and verify offline evaluation
  • Run stella verify bundle --bundle ./evidence.tar.gz and verify E2E reproducibility check
  • Run stella verify bundle --bundle ./evidence.tar.gz --skip-replay and verify hash-only validation
  • Run stella verify attestation --image <ref> --predicate-type "https://slsa.dev/provenance/v1" and verify type-filtered attestation check
  • Run stella verify vex <artifact> and verify VEX statement verification
  • Run stella verify patch <artifact> --cve CVE-2024-1234 --confidence-threshold 0.9 and verify patch check
  • Run stella verify sbom ./sbom.json --strict and verify strict mode catches warnings as errors
  • Verify deprecated routes still work: stella attest verify routes to stella verify attestation
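To make the bundle --skip-replay case concrete, here is an added Python example of a hash-only bundle check; it is not the StellaOps implementation and its bundle layout is an assumption: a tar.gz containing a manifest.json whose "files" map lists every other member with an expected sha256 digest. The replay step (re-running the evaluation for reproducibility) is out of scope here; the example covers only what remains when replay is skipped, plus two checks a practitioner wants before trusting a bundle: member names are validated against path traversal, and members the manifest does not list are flagged rather than ignored. The sample bundle is constructed in memory.

```python
"""Hash-only validation of an evidence bundle (added example, not project code)."""
import hashlib
import io
import json
import posixpath
import tarfile


def build_sample_bundle(files, tamper=None):
    """Construct an in-memory tar.gz for the demo.

    `tamper` replaces member bytes after the manifest digests were computed,
    simulating a bundle modified in transit.
    """
    manifest = {"version": 1, "files": {
        name: "sha256:" + hashlib.sha256(data).hexdigest() for name, data in files.items()}}
    if tamper:
        files = {**files, **tamper}
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        members = {"manifest.json": json.dumps(manifest).encode(), **files}
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def _safe_name(name):
    """Reject absolute paths and parent-directory traversal in member names."""
    norm = posixpath.normpath(name)
    return not (name.startswith("/") or norm == ".." or norm.startswith("../"))


def verify_bundle_hashes(bundle_bytes):
    """Digest-only verification: every manifest entry must be present and match,
    and every member must be covered by the manifest."""
    results = []
    with tarfile.open(fileobj=io.BytesIO(bundle_bytes), mode="r:gz") as tar:
        members = {m.name: m for m in tar.getmembers() if m.isfile()}
        if "manifest.json" not in members:
            return {"verified": False, "files": [], "reason": "manifest.json missing"}
        manifest = json.load(tar.extractfile(members["manifest.json"]))
        for name, expected in manifest["files"].items():
            if not _safe_name(name):
                results.append({"file": name, "verified": False, "reason": "unsafe path"})
                continue
            member = members.get(name)
            if member is None:
                results.append({"file": name, "verified": False,
                                "reason": "missing from bundle"})
                continue
            actual = "sha256:" + hashlib.sha256(tar.extractfile(member).read()).hexdigest()
            ok = actual == expected
            results.append({"file": name, "verified": ok,
                            "reason": "" if ok else f"digest mismatch: {actual}"})
        # An unlisted member escapes the digest check entirely, so flag it.
        for name in sorted(set(members) - set(manifest["files"]) - {"manifest.json"}):
            results.append({"file": name, "verified": False,
                            "reason": "not listed in manifest"})
    return {"verified": all(r["verified"] for r in results), "mode": "hash-only",
            "files": results}


if __name__ == "__main__":
    # Constructed sample evidence; contents are placeholders.
    files = {"sbom.json": b'{"bomFormat": "CycloneDX"}', "policy.yaml": b"rules: []\n"}
    print(json.dumps(verify_bundle_hashes(build_sample_bundle(files)), indent=2))
    tampered = build_sample_bundle(files, tamper={"sbom.json": b"{}"})
    print(json.dumps(verify_bundle_hashes(tampered), indent=2))
```

Note that this check only proves the bundle matches its own manifest; it says nothing about whether the manifest was produced by the expected party. In the real command that trust comes from the attestation and policy checks the bundle carries, which is exactly what the default replay mode exercises and --skip-replay leaves out.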

Verification

  • Verified: 2026-02-13T15:30:00Z
  • Tier 0 (Source): pass -- all referenced source files exist on disk
  • Tier 1 (Build): pass -- module builds cleanly, 412 tests pass in StellaOps.Cli.Commands.Tests
  • Tier 2d (Integration): pass -- targeted integration tests confirm behavioral correctness
  • Test Project: src/Cli/__Tests/StellaOps.Cli.Commands.Tests/StellaOps.Cli.Commands.Tests.csproj
  • Evidence: docs/qa/feature-checks/runs/cli/verification-command-consolidation/run-001/tier2-integration-check.json