Trust Profile Management (CLI and Bundle)

Module

AirGap

Status

VERIFIED

Description

Named trust profiles (global, eu-eidas, us-fips, bg-gov) for configuring TSA chains, signing algorithms, and verification policies per deployment context. Includes CLI commands (stella trust-profile list/apply/show) and bundle-level profile loading. Distinct from the known "Trust Anchor Management" and "Regional Crypto Profiles" which are about crypto algorithms, not deployment-context trust configuration profiles.

Implementation Details

Bundle trust profiles: src/AirGap/__Libraries/StellaOps.AirGap.Bundle/ -- named trust profile definitions and loading
Trust root config: src/AirGap/StellaOps.AirGap.Importer/Contracts/TrustRootConfig.cs -- trust root configuration for import verification
AirGap policy: src/AirGap/StellaOps.AirGap.Policy/ -- policy enforcement for trust profiles, includes analyzers and tests
Offline verification policy: src/AirGap/StellaOps.AirGap.Importer/Policy/OfflineVerificationPolicy.cs, OfflineVerificationPolicyLoader.cs
Trust anchor verification: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Verification/TrustAnchorVerificationStep.cs
Source: SPRINT_20260120_029_AirGap_offline_bundle_contract.md

E2E Test Plan

Verify CLI stella trust-profile list shows available profiles
Test stella trust-profile apply switches active profile
Test stella trust-profile show displays profile configuration
Verify trust profiles configure correct TSA chains and signing algorithms
Test bundle-level profile loading from bundle metadata

Verification

Run: docs/qa/feature-checks/runs/airgap/trust-profile-management/run-002
Date (UTC): 2026-02-11
Tier 0: pass (source references resolved)
Tier 1: pass (build/test surfaces for AirGap trust profile and CLI command wiring)
Tier 2: pass (CLI list/show/apply + missing-profile negative path + loader behavior suites)

2.0 KiB Raw Blame History