git.stella-ops.org/docs/features/unchecked/cli/verification-receipt-cli.md

# Verification Receipt CLI (stella proof receipt get/verify)

## Module
Cli

## Status
IMPLEMENTED

## Description
Retrieve and verify verification receipts by proof bundle ID in text, JSON, or CBOR format for audit trail cryptographic proof.

## Implementation Details
- **Command Group**: `src/Cli/StellaOps.Cli/Commands/Proof/ReceiptCommandGroup.cs` -- `ReceiptCommandGroup` (instance class with DI logger)
  - Registered under `stella proof receipt` command tree
  - Uses `IReceiptGenerator` for receipt retrieval (integration pending)
- **Exit Codes**: Defined in `src/Cli/StellaOps.Cli/Commands/Proof/ProofExitCodes.cs` -- `ProofExitCodes.Success`, `SystemError`, `VerificationFailed`
- **Commands**:
  - `stella proof receipt get <bundleId> [--output text|json|cbor]` -- retrieve verification receipt by proof bundle ID
  - `stella proof receipt verify <receiptFile> [--offline]` -- verify a stored receipt file (DSSE signature, ProofBundleID recomputation, optional Rekor inclusion)
- **Verification Steps** (planned):
  1. Load receipt from file
  2. Verify DSSE signature on receipt
  3. Recompute ProofBundleID from claims
  4. Optionally verify Rekor inclusion (skipped in `--offline` mode)

## E2E Test Plan
- [ ] Run `stella proof receipt get <bundleId>` and verify text output showing Bundle ID and receipt details
- [ ] Run `stella proof receipt get <bundleId> --output json` and verify valid JSON with proofBundleId field
- [ ] Run `stella proof receipt get <bundleId> --output cbor` and verify CBOR-encoded output
- [ ] Run `stella proof receipt verify ./receipt.json` and verify signature and Rekor verification
- [ ] Run `stella proof receipt verify ./receipt.json --offline` and verify offline mode skips Rekor check
- [ ] Run `stella proof receipt verify ./nonexistent.json` and verify error: "Receipt file not found"
- [ ] Verify exit code 0 on successful verification, non-zero on failure