CLI Task Board — Epic 1: Aggregation-Only Contract
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
| --- | --- | --- | --- | --- | --- |
| CLI-AOC-19-001 | DONE (2025-10-27) | DevEx/CLI Guild | CONCELIER-WEB-AOC-19-001, EXCITITOR-WEB-AOC-19-001 | Implement stella sources ingest --dry-run printing would-write payloads with forbidden field scan results and guard status. | Command displays diff-safe JSON, highlights forbidden fields, exits non-zero on guard violation, and has unit tests. |
Docs ready (2025-10-26): Reference behaviour/spec in docs/modules/cli/guides/cli-reference.md §2 and AOC reference §5.
2025-10-27: CLI command scaffolded with backend client call, JSON/table output, gzip/base64 normalisation, and exit-code mapping. Awaiting Concelier dry-run endpoint + integration tests once backend lands.
2025-10-27: Progress paused before adding CLI unit tests; blocked on extending StubBackendClient + fixtures for ExecuteAocIngestDryRunAsync coverage.
2025-10-27: Added stubbed ingest responses + unit tests covering success/violation paths, output writing, and exit-code mapping.
| CLI-AOC-19-002 | DONE (2025-10-27) | DevEx/CLI Guild | CLI-AOC-19-001 | Add stella aoc verify command supporting --since/--limit, mapping ERR_AOC_00x to exit codes, with JSON/table output. | Command integrates with both services, exit codes documented, regression tests green. |
Docs ready (2025-10-26): CLI guide §3 covers options/exit codes; deployment doc docs/deploy/containers.md describes required verifier user.
2025-10-27: CLI wiring in progress; backend client/command surface being added with table/JSON output.
2025-10-27: Added JSON/table Spectre output, integration tests for exit-code handling, CLI metrics, and updated quickstart/architecture docs to cover guard workflows.
| CLI-AOC-19-003 | DONE (2025-10-27) | Docs/CLI Guild | CLI-AOC-19-001, CLI-AOC-19-002 | Update CLI reference and quickstart docs to cover new commands, exit codes, and offline verification workflows. | Docs updated; examples recorded; release notes mention new commands. |
Docs note (2025-10-26): docs/modules/cli/guides/cli-reference.md now describes both commands, exit codes, and offline usage—sync help text once implementation lands.
2025-10-27: CLI reference now reflects final summary fields/JSON schema, quickstart includes verification/dry-run workflows, and API reference tables list both sources ingest --dry-run and aoc verify.
Policy Engine v2
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
| --- | --- | --- | --- | --- | --- |
| CLI-POLICY-20-001 | TODO | DevEx/CLI Guild | WEB-POLICY-20-001 | Add `stella policy new | edit |
| CLI-POLICY-20-002 | DONE (2025-10-27) | DevEx/CLI Guild | CLI-POLICY-20-001, WEB-POLICY-20-001, WEB-POLICY-20-002 | Implement stella policy simulate with SBOM/env arguments and diff output (table/JSON), handling exit codes for ERR_POL_*. | Simulation outputs deterministic diffs; JSON schema documented; tests validate exit codes + piping of env variables. |
2025-10-26: Scheduler Models expose canonical run/diff schemas (src/Scheduler/__Libraries/StellaOps.Scheduler.Models/docs/SCHED-MODELS-20-001-POLICY-RUNS.md). Schema exporter lives at scripts/export-policy-schemas.sh; wire schema validation once DevOps publishes artifacts (see DEVOPS-POLICY-20-004).
2025-10-27: DevOps pipeline now publishes policy-schema-exports artefacts per commit (see .gitea/workflows/build-test-deploy.yml); Slack #policy-engine alerts trigger on schema diffs. Pull the JSON from the CI artifact instead of committing local copies.
2025-10-27: CLI command supports table/JSON output, environment parsing, --fail-on-diff, and maps ERR_POL_* to exit codes; tested in StellaOps.Cli.Tests against stubbed backend.
| CLI-POLICY-20-003 | DONE (2025-10-30) | DevEx/CLI Guild, Docs Guild | CLI-POLICY-20-002, WEB-POLICY-20-003, DOCS-POLICY-20-006 | Extend stella findings ls|get commands for policy-filtered retrieval with pagination, severity filters, and explain output. | Commands stream paginated results; explain view renders rationale entries; docs/help updated; end-to-end tests cover filters. |
2025-10-27: Work paused after stubbing backend parsing helpers; command wiring/tests still pending. Resume by finishing backend query serialization + CLI output paths.
2025-10-30: Resuming implementation; wiring backend query DTOs, CLI handlers, and tests for paginated policy-filtered findings.
2025-10-30: Implemented backend client + CLI command surface for policy findings list/get/explain, added telemetry, interactive/json output, file writes, and unit tests covering filters + explain traces.
2025-10-30: Pending POLICY-ENGINE-20-006 change-stream orchestration to validate live pagination/cursor behaviour once engine emits incremental updates.
Graph Explorer v1
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
| --- | --- | --- | --- | --- | --- |
Link-Not-Merge v1
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
| --- | --- | --- | --- | --- | --- |
| CLI-LNM-22-001 | TODO | DevEx/CLI Guild | WEB-LNM-21-001 | Implement stella advisory obs get/linkset show/export commands with JSON/OSV output, pagination, and conflict display; ensure ERR_AGG_* mapping. | Commands fetch observation/linkset data; exports validated against fixtures; unit tests cover error handling. |
| CLI-LNM-22-002 | TODO | DevEx/CLI Guild | WEB-LNM-21-002 | Implement stella vex obs get/linkset show commands with product filters, status filters, and JSON output for CI usage. | Commands support filters + streaming; integration tests use sample linksets; docs updated. |
Policy Engine + Editor v1
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
| --- | --- | --- | --- | --- | --- |
| CLI-POLICY-23-004 | TODO | DevEx/CLI Guild | WEB-POLICY-23-001 | Add stella policy lint command validating SPL files with compiler diagnostics; support JSON output. | Command returns lint diagnostics; exit codes documented; tests cover error scenarios. |
| CLI-POLICY-23-005 | DOING (2025-10-28) | DevEx/CLI Guild | POLICY-GATEWAY-18-002..003, WEB-POLICY-23-002 | Implement stella policy activate with scheduling window, approval enforcement, and summary output. | Activation command integrates with API, handles 2-person rule failures; tests cover success/error. |
2025-10-28: CLI command implemented with gateway integration (policy activate), interactive summary output, retry-aware metrics, and exit codes (0 success, 75 pending second approval). Tests cover success/pending/error paths.
| CLI-POLICY-23-006 | TODO | DevEx/CLI Guild | WEB-POLICY-23-004 | Provide stella policy history and stella policy explain commands to pull run history and explanation trees. | Commands output JSON/table; integration tests with fixtures; docs updated. |
Graph & Vuln Explorer v1
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
| --- | --- | --- | --- | --- | --- |
Exceptions v1
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
| --- | --- | --- | --- | --- | --- |
| CLI-EXC-25-001 | TODO | DevEx/CLI Guild | WEB-EXC-25-001 | Implement `stella exceptions list | draft |
| CLI-EXC-25-002 | TODO | DevEx/CLI Guild | WEB-EXC-25-002 | Extend stella policy simulate with --with-exception/--without-exception flags to preview exception impact. | Simulation handles overrides; regression tests cover presence/absence; help text updated. |
Reachability v1
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
| --- | --- | --- | --- | --- | --- |
| CLI-SIG-26-001 | TODO | DevEx/CLI Guild | WEB-SIG-26-001 | Implement stella reachability upload-callgraph and stella reachability list/explain commands with streaming upload, pagination, and exit codes. | Commands operate end-to-end; integration tests with fixtures; docs updated. |
| CLI-SIG-26-002 | TODO | DevEx/CLI Guild | WEB-SIG-26-003 | Extend stella policy simulate with reachability override flags (--reachability-state, --reachability-score). | Simulation command accepts overrides; regression tests cover adjustments; help text updated. |
Policy Studio (Sprint 27)
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
| --- | --- | --- | --- | --- | --- |
| CLI-POLICY-27-001 | TODO | DevEx/CLI Guild | REGISTRY-API-27-001, WEB-POLICY-27-001 | Implement policy workspace commands (stella policy init, edit, lint, compile, test) with template selection, local cache, JSON output, and deterministic temp directories. | Commands operate offline with cached templates; diagnostics mirror API responses; unit tests cover happy/error paths; help text updated. |
Docs dependency: DOCS-POLICY-27-007 blocked until CLI commands + help output land.
| CLI-POLICY-27-002 | TODO | DevEx/CLI Guild | REGISTRY-API-27-006, WEB-POLICY-27-002 | Add submission/review workflow commands (stella policy version bump, submit, review comment, approve, reject) supporting reviewer assignment, changelog capture, and exit codes. | Workflow commands enforce required approvers; comments upload correctly; integration tests cover approval failure; docs updated. |
Docs dependency: DOCS-POLICY-27-007 and DOCS-POLICY-27-006 require review/promotion CLI flows.
| CLI-POLICY-27-003 | TODO | DevEx/CLI Guild | REGISTRY-API-27-005, SCHED-CONSOLE-27-001 | Implement stella policy simulate enhancements (quick vs batch, SBOM selectors, heatmap summary, manifest download) with --json and Markdown report output for CI. | CLI can trigger batch sim, poll progress, download artifacts; outputs deterministic schemas; CI sample workflow documented; tests cover cancellation/timeouts. |
Docs dependency: DOCS-POLICY-27-004 needs simulate CLI examples.
| CLI-POLICY-27-004 | TODO | DevEx/CLI Guild | REGISTRY-API-27-007, REGISTRY-API-27-008, AUTH-POLICY-27-002 | Add lifecycle commands for publish/promote/rollback/sign (stella policy publish --sign, promote --env, rollback) with attestation verification and canary arguments. | Commands enforce signing requirement, support dry-run, produce audit logs; integration tests cover promotion + rollback; documentation updated. |
Docs dependency: DOCS-POLICY-27-006 requires publish/promote/rollback CLI examples.
| CLI-POLICY-27-005 | TODO | DevEx/CLI Guild, Docs Guild | DOCS-CONSOLE-27-007, DOCS-POLICY-27-007 | Update CLI reference and samples for Policy Studio including JSON schemas, exit codes, and CI snippets. | CLI docs merged with screenshots/transcripts; parity matrix updated; acceptance tests ensure --help examples compile. |
| CLI-POLICY-27-006 | TODO | DevEx/CLI Guild | AUTH-POLICY-27-001, CLI-POLICY-27-001 | Update CLI policy profiles/help text to request the new Policy Studio scope family, surface ProblemDetails guidance for invalid_scope, and adjust regression tests for scope failures. | Default CLI profiles reference new scopes, stella policy commands emit updated guidance, automated tests cover missing-scope responses, and docs regenerated via scripts/update-cli-docs.sh. |
Heads-up: Gateway/Authority now reject policy:write/policy:submit tokens; automation will fail until profiles switch to the new scope bundle.
Vulnerability Explorer (Sprint 29)
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
| --- | --- | --- | --- | --- | --- |
| CLI-VULN-29-001 | TODO | DevEx/CLI Guild | VULN-API-29-002, AUTH-VULN-29-001 | Implement stella vuln list with grouping, paging, filters, --json/--csv, and policy selection. | Command returns deterministic output; paging works; regression tests cover filters/grouping. |
| CLI-VULN-29-002 | TODO | DevEx/CLI Guild | VULN-API-29-003 | Implement stella vuln show displaying evidence, policy rationale, paths, ledger summary; support --json for automation. | Output matches schema; evidence rendered with provenance; tests cover missing data. |
| CLI-VULN-29-003 | TODO | DevEx/CLI Guild | VULN-API-29-004, LEDGER-29-005 | Add workflow commands (assign, comment, accept-risk, verify-fix, target-fix, reopen) with filter selection (--filter) and idempotent retries. | Commands create ledger events; exit codes documented; integration tests cover role enforcement. |
| CLI-VULN-29-004 | TODO | DevEx/CLI Guild | VULN-API-29-005 | Implement stella vuln simulate producing delta summaries and optional Markdown report for CI. | CLI simulation returns diff tables + JSON; tests verify diff correctness; docs updated. |
| CLI-VULN-29-005 | TODO | DevEx/CLI Guild | VULN-API-29-008 | Add stella vuln export and stella vuln bundle verify commands to trigger/download evidence bundles and verify signatures. | Export command streams to file; verify command checks signatures; tests cover success/failure. |
| CLI-VULN-29-006 | TODO | DevEx/CLI Guild, Docs Guild | DOCS-VULN-29-004, DOCS-VULN-29-005 | Update CLI docs/examples for Vulnerability Explorer with compliance checklist and CI snippets. | Docs merged; automated examples validated; compliance checklist appended. |
VEX Lens (Sprint 30)
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
| --- | --- | --- | --- | --- | --- |
| CLI-VEX-30-001 | TODO | DevEx/CLI Guild | VEXLENS-30-007 | Implement stella vex consensus list with filters, paging, policy selection, --json/--csv. | Command returns deterministic output; regression tests cover filters/paging; docs updated. |
| CLI-VEX-30-002 | TODO | DevEx/CLI Guild | VEXLENS-30-007 | Implement stella vex consensus show displaying quorum, evidence, rationale, signature status. | Output matches schema; tests cover conflicting evidence; docs updated. |
| CLI-VEX-30-003 | TODO | DevEx/CLI Guild | VEXLENS-30-007 | Implement stella vex simulate for trust/threshold overrides with JSON diff output. | Simulation command returns diff summary; tests cover policy scenarios; docs updated. |
| CLI-VEX-30-004 | TODO | DevEx/CLI Guild | VEXLENS-30-007 | Implement stella vex export for consensus NDJSON bundles with signature verification helper. | Export & verify commands operational; tests cover file output; docs updated. |
Advisory AI (Sprint 31)
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
| --- | --- | --- | --- | --- | --- |
| CLI-AIAI-31-001 | TODO | DevEx/CLI Guild | AIAI-31-006 | Implement stella advise summarize command with JSON/Markdown outputs and citation display. | Command returns summary + JSON; citations preserved; tests cover filters. |
| CLI-AIAI-31-002 | TODO | DevEx/CLI Guild | AIAI-31-006 | Implement stella advise explain showing conflict narrative and structured rationale. | Output matches schemas; tests cover disputed cases. |
| CLI-AIAI-31-003 | TODO | DevEx/CLI Guild | AIAI-31-006 | Implement stella advise remediate generating remediation plans with --strategy filters and file output. | Plans saved to file; exit codes documented; tests cover version mapping. |
| CLI-AIAI-31-004 | TODO | DevEx/CLI Guild | AIAI-31-006 | Implement stella advise batch for summaries/conflicts/remediation with progress + multi-status responses. | Batch command handles 207 responses; tests cover partial failures. |
Export Center (Epic 10)
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
| --- | --- | --- | --- | --- | --- |
| CLI-EXPORT-35-001 | BLOCKED (2025-10-29) | DevEx/CLI Guild | WEB-EXPORT-35-001, AUTH-EXPORT-35-001 | Implement `stella export profiles | runslist/show,run create, run status`, and resumable download commands with manifest/provenance retrieval. |
Blocked: Gateway routing (WEB-EXPORT-35-001) and Authority scopes pending; CLI cannot hit Export APIs until those services land.
| CLI-EXPORT-36-001 | TODO | DevEx/CLI Guild | CLI-EXPORT-35-001, WEB-EXPORT-36-001 | Add distribution commands (stella export distribute, run download --resume enhancements) and improved status polling with progress bars. | Distribution commands push OCI/object storage; status polling handles SSE fallback; tests cover failure cases. |
| CLI-EXPORT-37-001 | TODO | DevEx/CLI Guild | CLI-EXPORT-36-001, WEB-EXPORT-37-001 | Provide scheduling (stella export schedule), retention, and export verify commands performing signature/hash validation. | Scheduling/retention commands enforce admin scopes; verify command checks signatures/hashes; examples documented; tests cover success/failure. |
Orchestrator Dashboard (Epic 9)
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
| --- | --- | --- | --- | --- | --- |
| CLI-ORCH-32-001 | TODO | DevEx/CLI Guild | WEB-ORCH-32-001, AUTH-ORCH-32-001 | Implement `stella orch sources | runs |
| CLI-ORCH-33-001 | TODO | DevEx/CLI Guild | CLI-ORCH-32-001, WEB-ORCH-33-001, AUTH-ORCH-33-001 | Add action verbs (`sources test | pause |
| CLI-ORCH-34-001 | TODO | DevEx/CLI Guild | CLI-ORCH-33-001, WEB-ORCH-34-001, AUTH-ORCH-34-001 | Provide backfill wizard (--from/--to --dry-run), quota management (`quotas get | set`), and safety guardrails for orchestrator GA. |
Notifications Studio (Epic 11)
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
| --- | --- | --- | --- | --- | --- |
| CLI-NOTIFY-38-001 | BLOCKED (2025-10-29) | DevEx/CLI Guild | WEB-NOTIFY-38-001, AUTH-NOTIFY-38-001 | Implement `stella notify rules | templates |
Blocked: Gateway routing (WEB-NOTIFY-38-001) and Authority scopes (AUTH-NOTIFY-38-001) pending; CLI cannot exercise APIs until endpoints and token scopes are published.
| CLI-NOTIFY-39-001 | BLOCKED (2025-10-29) | DevEx/CLI Guild | CLI-NOTIFY-38-001, WEB-NOTIFY-39-001 | Add simulation (stella notify simulate) and digest commands with diff output and schedule triggering, including dry-run mode. | Simulation command returns deterministic diff; digest command triggers run and polls status; tests cover filters and failures. |
Blocked: Foundation commands (CLI-NOTIFY-38-001) and gateway digest/simulation APIs (WEB-NOTIFY-39-001) not available yet.
| CLI-NOTIFY-40-001 | TODO | DevEx/CLI Guild | CLI-NOTIFY-39-001, WEB-NOTIFY-40-001 | Provide ack token redemption workflow, escalation management, localization previews, and channel health checks. | Ack redemption validates signed tokens; escalation commands manage schedules; localization preview shows variants; integration tests cover negative cases. |
CLI Parity & Task Packs (Epic 12)
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
| --- | --- | --- | --- | --- | --- |
| CLI-CORE-41-001 | TODO | DevEx/CLI Guild | AUTH-PACKS-41-001 | Implement CLI core features: config precedence, profiles/contexts, auth flows, output renderer (json/yaml/table), error mapping, global flags, telemetry opt-in. | CLI loads config deterministically; auth works (device/PAT); outputs render correctly; tests cover precedence and exit codes. |
| CLI-PARITY-41-001 | TODO | DevEx/CLI Guild | CLI-CORE-41-001 | Deliver parity command groups (policy, sbom, vuln, vex, advisory, export, orchestrator) with --explain, deterministic outputs, and parity matrix entries. | Commands match Console behavior; parity matrix green for covered actions; integration tests cover major flows. |
| CLI-PARITY-41-002 | TODO | DevEx/CLI Guild | CLI-PARITY-41-001, WEB-NOTIFY-38-001 | Implement notify, aoc, auth command groups, idempotency keys, shell completions, config docs, and parity matrix export tooling. | Commands functional; completions generated; docs updated; parity matrix auto-exported; CI checks gating. |
| CLI-PACKS-42-001 | TODO | DevEx/CLI Guild | CLI-CORE-41-001, PACKS-REG-41-001, TASKRUN-41-001 | Implement Task Pack commands (pack plan/run/push/pull/verify) with schema validation, expression sandbox, plan/simulate engine, remote execution. | Pack commands operational; plan/sim produce accurate graph; remote run streams logs; schema validation enforced. |
| CLI-PACKS-43-001 | TODO | DevEx/CLI Guild | CLI-PACKS-42-001, TASKRUN-42-001 | Deliver advanced pack features (approvals pause/resume, secret injection, localization, man pages, offline cache). | Approvals handled; secrets redacted; localization supported; man pages built; offline cache documented; integration tests cover scenarios. |
Authority-Backed Scopes & Tenancy (Epic 14)
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
| --- | --- | --- | --- | --- | --- |
| CLI-TEN-47-001 | TODO | DevEx/CLI Guild | AUTH-TEN-47-001 | Implement stella login, whoami, tenants list, persistent profiles, secure token storage, and --tenant override with validation. | Commands functional across platforms; tokens stored securely; tenancy header set on requests; integration tests cover login/tenant switch. |
| CLI-TEN-49-001 | TODO | DevEx/CLI Guild | CLI-TEN-47-001, AUTH-TEN-49-001 | Add service account token minting, delegation (stella token delegate), impersonation banner, and audit-friendly logging. | Service tokens minted with scopes/TTL; delegation recorded; CLI displays impersonation banner; docs updated. |
Observability & Forensics (Epic 15)
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
| --- | --- | --- | --- | --- | --- |
| CLI-OBS-50-001 | TODO | DevEx/CLI Guild | TELEMETRY-OBS-50-002, WEB-OBS-50-001 | Ensure CLI HTTP client propagates traceparent headers for all commands, prints correlation IDs on failure, and records trace IDs in verbose logs (scrubbed). | Trace headers observed in integration tests; verbose logs include trace IDs; redaction guard verified. |
| CLI-OBS-51-001 | TODO | DevEx/CLI Guild | CLI-OBS-50-001, WEB-OBS-51-001 | Implement stella obs top command streaming service health metrics, SLO status, and burn-rate alerts with TUI view and JSON output. | Command streams metrics; JSON output documented; integration tests cover streaming and exit codes. |
| CLI-OBS-52-001 | TODO | DevEx/CLI Guild | CLI-OBS-51-001, TIMELINE-OBS-52-003 | Add stella obs trace <trace_id> and stella obs logs --from/--to commands that correlate timeline events, logs, and evidence links with pagination + guardrails. | Commands fetch timeline/log data; paging tokens handled; fixtures stored under samples/obs/; tests cover errors. |
| CLI-FORENSICS-53-001 | TODO | DevEx/CLI Guild, Evidence Locker Guild | CLI-OBS-52-001, EVID-OBS-53-003 | Implement stella forensic snapshot create --case and snapshot list/show commands invoking evidence locker APIs, surfacing manifest digests, and storing local cache metadata. | Snapshot commands functional; manifests displayed; cache metadata deterministic; docs/help updated. |
| CLI-FORENSICS-54-001 | TODO | DevEx/CLI Guild, Provenance Guild | CLI-FORENSICS-53-001, PROV-OBS-54-001 | Provide stella forensic verify <bundle> command validating checksums, DSSE signatures, and timeline chain-of-custody. Support JSON/pretty output and exit codes for CI. | Verification works with sample bundles; tests cover success/failure; docs updated. |
| CLI-FORENSICS-54-002 | TODO | DevEx/CLI Guild, Provenance Guild | CLI-FORENSICS-54-001 | Implement stella forensic attest show <artifact> listing attestation details (signer, timestamp, subjects) and verifying signatures. | Command prints attestation summary; verification errors flagged; tests cover offline mode. |
| CLI-OBS-55-001 | TODO | DevEx/CLI Guild, DevOps Guild | CLI-OBS-52-001, WEB-OBS-55-001, DEVOPS-OBS-55-001 | Add `stella obs incident-mode enable | disable |
Air-Gapped Mode (Epic 16)
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
| --- | --- | --- | --- | --- | --- |
| CLI-AIRGAP-56-001 | TODO | DevEx/CLI Guild | MIRROR-CRT-56-001, AIRGAP-IMP-56-001 | Implement `stella mirror create | verifyandstella airgap verify` commands with DSSE/TUF results, dry-run mode, and deterministic manifests. |
| CLI-AIRGAP-56-002 | TODO | DevEx/CLI Guild | CLI-OBS-50-001, AIRGAP-IMP-56-001 | Ensure telemetry propagation under sealed mode (no remote exporters) while preserving correlation IDs; add label AirGapped-Phase-1. | CLI traces flow via local exporters in sealed mode; correlation IDs still printed; tests cover sealed toggle + fallback. |
| CLI-AIRGAP-57-001 | TODO | DevEx/CLI Guild | CLI-AIRGAP-56-001, AIRGAP-IMP-58-001 | Add stella airgap import with diff preview, bundle scope selection (--tenant, --global), audit logging, and progress reporting. | Import updates catalog; diff preview rendered; audit entries include bundle ID + scope; tests cover idempotent re-import. |
| CLI-AIRGAP-57-002 | TODO | DevEx/CLI Guild | CLI-AIRGAP-56-001, AIRGAP-CTL-56-002 | Provide `stella airgap seal | status` commands surfacing sealing state, drift, staleness metrics, and remediation guidance with safe confirmation prompts. |
| CLI-AIRGAP-58-001 | TODO | DevEx/CLI Guild, Evidence Locker Guild | CLI-AIRGAP-57-001, CLI-FORENSICS-54-001 | Implement stella airgap export evidence helper for portable evidence packages, including checksum manifest and verification. | Command generates portable bundle; verification step validates signatures; docs/help updated with examples. |
SDKs & OpenAPI (Epic 17)
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
| --- | --- | --- | --- | --- | --- |
| CLI-SDK-62-001 | TODO | DevEx/CLI Guild, SDK Generator Guild | SDKGEN-63-001 | Replace bespoke HTTP clients with official SDK (TS/Go) for all CLI commands; ensure modular transport for air-gapped mode. | CLI builds using SDK; regression suite passes; telemetry shows SDK version. |
| CLI-SDK-62-002 | TODO | DevEx/CLI Guild | CLI-SDK-62-001, APIGOV-61-001 | Update CLI error handling to surface standardized API error envelope with error.code and trace_id. | CLI displays envelope data; integration tests cover new output. |
| CLI-SDK-63-001 | TODO | DevEx/CLI Guild, API Governance Guild | OAS-61-002 | Expose stella api spec download command retrieving aggregate OAS and verifying checksum/ETag. | Command downloads + verifies spec; docs updated; tests cover failure cases. |
| CLI-SDK-64-001 | TODO | DevEx/CLI Guild, SDK Release Guild | SDKREL-63-001 | Add CLI subcommand stella sdk update to fetch latest SDK manifests/changelogs; integrate with Notifications for deprecations. | Command lists versions/changelogs; notifications triggered on updates. |
Risk Profiles (Epic 18)
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
| --- | --- | --- | --- | --- | --- |
| CLI-RISK-66-001 | TODO | DevEx/CLI Guild, Policy Guild | POLICY-RISK-67-002 | Implement `stella risk profile list | get |
| CLI-RISK-66-002 | TODO | DevEx/CLI Guild, Risk Engine Guild | RISK-ENGINE-69-001 | Ship stella risk simulate supporting SBOM/asset inputs, diff mode, and export to JSON/CSV. | Simulation runs via CLI; output tested; docs updated. |
| CLI-RISK-67-001 | TODO | DevEx/CLI Guild, Findings Ledger Guild | LEDGER-RISK-67-001 | Provide stella risk results with filtering, severity thresholds, explainability fetch. | Results command returns paginated data; explanation fetch command outputs artifact; tests pass. |
| CLI-RISK-68-001 | TODO | DevEx/CLI Guild, Export Guild | RISK-BUNDLE-70-001 | Add stella risk bundle verify and integrate with offline risk bundles. | Verification command validates signatures; integration tests cover tampered bundle. |
Attestor Console (Epic 19)
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
| --- | --- | --- | --- | --- | --- |
| CLI-ATTEST-73-001 | TODO | CLI Attestor Guild | ATTESTOR-73-001, SDKGEN-63-001 | Implement stella attest sign (payload selection, subject digest, key reference, output format) using official SDK transport. | Command signs envelopes; tests cover file/KMS keys; docs updated. |
| CLI-ATTEST-73-002 | TODO | CLI Attestor Guild | ATTESTOR-73-002 | Implement stella attest verify with policy selection, explainability output, and JSON/table formatting. | Verification command returns structured report; exit codes match pass/fail; integration tests pass. |
| CLI-ATTEST-74-001 | TODO | CLI Attestor Guild | ATTESTOR-73-003 | Implement stella attest list with filters (subject, type, issuer, scope) and pagination. | Command outputs table/JSON; tests cover filters. |
| CLI-ATTEST-74-002 | TODO | CLI Attestor Guild | ATTESTOR-73-003 | Implement stella attest fetch to download envelopes and payloads to disk. | Fetch command saves files; checks digests; tests cover air-gap use. |
| CLI-ATTEST-75-001 | TODO | CLI Attestor Guild, KMS Guild | KMS-72-001 | Implement `stella attest key create | import |
| CLI-ATTEST-75-002 | TODO | CLI Attestor Guild, Export Guild | ATTESTOR-75-001 | Add support for building/verifying attestation bundles in CLI. | Bundle commands functional; verification catches tampering; docs updated. |