git.stella-ops.org/docs/modules/cli/guides/replay-cli-prep.md
master 79b8e53441
Add new features and tests for AirGap and Time modules
- Introduced `SbomService` tasks documentation.
- Updated `StellaOps.sln` to include new projects: `StellaOps.AirGap.Time` and `StellaOps.AirGap.Importer`.
- Added unit tests for `BundleImportPlanner`, `DsseVerifier`, `ImportValidator`, and other components in the `StellaOps.AirGap.Importer.Tests` namespace.
- Implemented `InMemoryBundleRepositories` for testing bundle catalog and item repositories.
- Created `MerkleRootCalculator`, `RootRotationPolicy`, and `TufMetadataValidator` tests.
- Developed `StalenessCalculator` and `TimeAnchorLoader` tests in the `StellaOps.AirGap.Time.Tests` namespace.
- Added `fetch-sbomservice-deps.sh` script for offline dependency fetching.
2025-11-20 23:29:54 +02:00

CLI Replay Prep — PREP-CLI-REPLAY-187-002 (Draft)

Status: Draft (2025-11-20)

Owners: DevEx/CLI Guild

Scope: Define inputs/outputs and offline behaviour needed for CLI replay commands (scan --record, verify, replay, diff).

Command surface (proposed)

  • stella scan --record <image> → emits replay record NDJSON to stdout or --out bundle.ndjson.
  • stella replay --bundle <bundle.ndjson> → re-run verification offline; accepts --policy-bundle to pin policy version.
  • stella diff --bundle <a> --bundle <b> → compare findings/signals with deterministic ordering; output NDJSON.
  • stella verify --bundle <bundle.ndjson> → signature/hash verification of replay bundle.

Inputs

  • Replay record schema v1 from Evidence Locker (see docs/modules/evidence-locker/replay-payload-contract.md).
  • Policy export bundle contract (see docs/modules/policy/design/export-console-bundle-contract.md) for policy pinning.

Outputs

  • Deterministic NDJSON; file names content-addressed (sha256 of payload).
  • Exit codes: 0 success, 2 validation error, 3 signature mismatch.
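
Added example (not StellaOps code): a Python sketch of the content-addressing check implied by the Outputs list, recomputing sha256 over the payload and rejecting non-deterministic ordering. The canonical form (sorted keys, compact separators, sorted lines), the `.ndjson` suffix, the record fields, and mapping a hash mismatch to exit code 2 are assumptions, since the draft does not fix them.

```python
import hashlib
import json
import os

EXIT_OK = 0          # "0 success" from the Outputs list
EXIT_VALIDATION = 2  # "2 validation error"; using it for a hash mismatch is an assumption

def canonical_ndjson(records):
    """Deterministic NDJSON (assumed form): sorted keys, compact separators, sorted lines."""
    lines = sorted(
        json.dumps(r, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
        for r in records
    )
    return ("\n".join(lines) + "\n").encode("utf-8")

def write_content_addressed(directory, records):
    """Write the payload to <sha256(payload)>.ndjson and return the path."""
    payload = canonical_ndjson(records)
    path = os.path.join(directory, hashlib.sha256(payload).hexdigest() + ".ndjson")
    with open(path, "wb") as fh:
        fh.write(payload)
    return path

def check_bundle(path):
    """Recompute the digest and canonical form of a bundle file; return an exit code."""
    with open(path, "rb") as fh:
        payload = fh.read()
    claimed = os.path.basename(path).split(".", 1)[0].lower()
    if claimed != hashlib.sha256(payload).hexdigest():
        return EXIT_VALIDATION  # file name does not match the payload bytes
    try:
        records = [json.loads(line) for line in payload.decode("utf-8").split("\n") if line]
    except (UnicodeDecodeError, json.JSONDecodeError):
        return EXIT_VALIDATION  # payload is not valid NDJSON
    if canonical_ndjson(records) != payload:
        return EXIT_VALIDATION  # parses, but key or line order is not deterministic
    return EXIT_OK

if __name__ == "__main__":
    import tempfile
    # Constructed sample records; the field names are hypothetical.
    findings = [{"id": "f2", "sev": "high"}, {"sev": "low", "id": "f1"}]
    with tempfile.TemporaryDirectory() as d:
        print(check_bundle(write_content_addressed(d, findings)))
```

This check covers integrity of the file name and ordering only; it does not replace DSSE signature verification against a trust root.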

Offline/air-gap considerations

  • No network fetch; all references resolve to local bundle paths.
  • Trust roots are loaded from CLI config or a --trust-root file; DSSE verification runs by default, and the optional --no-verify flag (default false) turns it off.

Open decisions

  • Exact flag names for trust root and policy bundle; align with CLI UX guidelines.
  • Where to persist cache/metadata (if any) in offline mode.

Handoff

Treat this as the prep artefact for PREP-CLI-REPLAY-187-002. Update once replay record schema is finalized.