git.stella-ops.org/docs/modules/cli/guides/commands/aoc.md
StellaOps Bot 7e384ab610 feat: Implement IsolatedReplayContext for deterministic audit replay
2025-12-23 07:46:40 +02:00

stella aoc — Command Guide

Audience: DevOps engineers, compliance teams, and CI authors working with AOC verification. Scope: Commands for verifying Aggregation-Only Contract compliance.


Commands

  • stella aoc verify --since <ref> --postgres <conn> [options]

1. stella aoc verify

Synopsis

stella aoc verify \
  --since <git-sha|timestamp> \
  --postgres <connection-string> \
  [--output <path>] \
  [--ndjson <path>] \
  [--tenant <id>] \
  [--dry-run] \
  [--verbose]

Description

Verifies AOC compliance by comparing git history against database records. Detects violations where records were modified or deleted after ingestion, which the Aggregation-Only Contract forbids.

Options

| Option | Description |
| --- | --- |
| --since, -s | Git commit SHA or ISO 8601 timestamp to verify from (required) |
| --postgres, -p | PostgreSQL connection string (required) |
| --output, -o | Path for the JSON output report |
| --ndjson, -n | Path for NDJSON output (one violation per line) |
| --tenant, -t | Filter by tenant ID |
| --dry-run | Validate configuration without querying the database |
| --verbose, -v | Enable verbose output |

Exit Codes

| Code | Meaning |
| --- | --- |
| 0 | Verification passed, no violations |
| 1 | Violations detected |
| 2 | Configuration or connection error |

Examples

Daily verification:

stella aoc verify \
  --since 24h \
  --postgres "Host=localhost;Database=stellaops;Username=verifier;Password=..."

The options table lists a commit SHA or an ISO timestamp for --since; this example passes a relative duration (24h). Confirm which forms your installed version accepts before relying on it in a scheduled job. Do not put the password on the command line as shown here: the whole connection string then lands in shell history and in the process list. Take it from an environment variable, as the following examples do.

CI pipeline verification from the last commit:

stella aoc verify \
  --since ${{ github.event.before }} \
  --postgres "$POSTGRES_CONN" \
  --output artifacts/aoc-verify.json

In GitHub Actions, github.event.before is the all-zero SHA (0000000000000000000000000000000000000000) on the first push to a new branch, and after a force push it can name a commit that is no longer reachable; guard against both (for example by falling back to a timestamp) rather than passing the value through unchecked. Exit code 1 fails the step, so a violation blocks the pipeline. Exit code 2 also fails it, but means the check never ran; treat it as an error to fix, never as a pass.

Tenant-scoped verification:

stella aoc verify \
  --since 2025-01-01T00:00:00Z \
  --postgres "$POSTGRES_CONN" \
  --tenant acme-corp \
  --ndjson violations.ndjson
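The CI example above, carried through as a wrapper script that handles the cases a pipeline actually hits: the all-zero github.event.before value, the connection string kept out of the workflow text, and the three documented exit codes mapped to a job outcome. This is an added example written for this guide, not code from the stella CLI or the StellaOps project. It assumes POSTGRES_CONN is exported from a CI secret, GITHUB_EVENT_BEFORE carries ${{ github.event.before }}, and REPORT_PATH is optional; the helper names are illustrative.

```shell
#!/bin/sh
# Added example for this guide, not part of the stella CLI or the StellaOps docs:
# a CI wrapper around `stella aoc verify` for the GitHub Actions case above.
# Assumed: POSTGRES_CONN holds the connection string (from a CI secret),
# GITHUB_EVENT_BEFORE carries ${{ github.event.before }}, and REPORT_PATH is
# optional. Exit codes 0/1/2 are the ones this guide documents.
set -eu

ZERO_SHA=0000000000000000000000000000000000000000

# Choose the --since value. GitHub sets github.event.before to the all-zero SHA
# on the first push of a new branch; passing that to --since is meaningless, so
# fall back to the supplied ISO timestamp (a form the options table accepts).
resolve_since() {
  before=$1
  fallback=$2
  if [ -z "$before" ] || [ "$before" = "$ZERO_SHA" ]; then
    printf '%s\n' "$fallback"
  else
    printf '%s\n' "$before"
  fi
}

# Translate the documented exit codes into a CI outcome label.
classify_exit() {
  case $1 in
    0) printf 'pass\n' ;;
    1) printf 'violations\n' ;;
    2) printf 'config-error\n' ;;
    *) printf 'unknown\n' ;;
  esac
}

# Run the verifier. The connection string comes from the environment so it
# never appears in the workflow file or in this script; POSTGRES_CONN must be set.
run_verify() {
  since=$1
  report=$2
  : "${POSTGRES_CONN:?set POSTGRES_CONN from a CI secret}"
  set +e
  stella aoc verify --since "$since" --postgres "$POSTGRES_CONN" --output "$report"
  rc=$?
  set -e
  return "$rc"
}

main() {
  # Fallback window: start of the current UTC day, formatted portably.
  since=$(resolve_since "${GITHUB_EVENT_BEFORE:-}" "$(date -u '+%Y-%m-%dT00:00:00Z')")
  report=${REPORT_PATH:-artifacts/aoc-verify.json}
  mkdir -p "$(dirname "$report")"
  rc=0
  run_verify "$since" "$report" || rc=$?
  printf 'stella aoc verify --since %s: %s\n' "$since" "$(classify_exit "$rc")"
  case $rc in
    0) return 0 ;;
    1) printf 'violations written to %s\n' "$report"; return 1 ;;
    *) printf 'verification did not run; fix the configuration, do not treat this as a pass\n'; return 2 ;;
  esac
}

# Invoke the CLI only when asked, so the helpers above can be sourced or tested
# on a machine without a stella binary or a database.
if [ "${1:-}" = "run" ]; then
  main
fi
```

In the workflow step, set `env: POSTGRES_CONN: ${{ secrets.POSTGRES_CONN }}` and `GITHUB_EVENT_BEFORE: ${{ github.event.before }}`, then `run: sh ci/aoc-verify.sh run`. GitHub masks the secret in the job log, but the documented --postgres interface still places the string in the CLI's argument list, so it is visible in the runner's process list for the duration of the run; that is inherent to the option as documented, which is one more reason to use a read-only database role for the verifier.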

Offline/Air-Gap Notes

  • Connect to the local PostgreSQL instance included in Offline Kit deployments.
  • Use --output to generate reports for transfer to connected environments.
  • Verification is read-only and does not modify any data. Enforce that at the database as well: run it under a role granted SELECT only (the examples use Username=verifier), so the credential cannot be used to alter or delete records if it leaks from a CI secret store or a runner.

Migration from stella-aoc

The standalone stella-aoc CLI is deprecated, with removal scheduled for 2025-07-01; that date precedes this page's last update, so current releases may no longer ship it.

| Old Command | New Command |
| --- | --- |
| stella-aoc verify ... | stella aoc verify ... |

See the CLI Consolidation Migration Guide for details.



Last updated: 2025-12-23 (Sprint 5100).