43 lines
2.9 KiB
Markdown
43 lines
2.9 KiB
Markdown
# Audit Bundle Generation and Verification CLI
|
|
|
|
## Module
|
|
Cli
|
|
|
|
## Status
|
|
VERIFIED
|
|
|
|
## Description
|
|
CLI command `stella audit bundle <digest>` that generates self-contained, auditor-ready evidence packages containing verdict, evidence, policy snapshot, and replay instructions in directory/tar.gz/zip formats, plus `stella audit verify` for bundle integrity verification with manifest hash checking and optional DSSE signature verification.
|
|
|
|
## Implementation Details
|
|
- **Command Group**: `src/Cli/StellaOps.Cli/Commands/AuditCommandGroup.cs` -- `AuditCommandGroup` (internal static class)
|
|
- **Audit Verify**: `src/Cli/StellaOps.Cli/Commands/AuditVerifyCommand.cs` -- standalone audit verify command
|
|
- **Command Handlers**: `src/Cli/StellaOps.Cli/Commands/CommandHandlers.Audit.cs` -- `CommandHandlers` partial class with audit handlers
|
|
- **Bundle Service**: `src/Cli/StellaOps.Cli/Audit/AuditBundleService.cs` / `IAuditBundleService.cs` -- bundle generation and verification logic
|
|
- **Bundle Verifier**: `src/Cli/StellaOps.Cli/Services/AttestationBundleVerifier.cs` / `IAttestationBundleVerifier.cs`
|
|
- **Sprint**: SPRINT_20260117_027_CLI
|
|
- **Commands**:
|
|
- `stella audit bundle <digest>` -- generate audit bundle for an artifact digest. Options: `--output <path>`, `--format dir|tar.gz|zip`
|
|
- `stella audit verify <bundle-path>` -- verify bundle integrity (manifest hash, DSSE signature)
|
|
- **Tests**: `src/Cli/__Tests/StellaOps.Cli.Tests/Commands/VerifyBundleCommandTests.cs`
|
|
|
|
## E2E Test Plan
|
|
- [ ] Run `stella audit bundle sha256:abc123 --output ./audit-bundle` and verify directory created with verdict, evidence, policy snapshot, replay instructions
|
|
- [ ] Run `stella audit bundle sha256:abc123 --format tar.gz` and verify tar.gz archive created
|
|
- [ ] Run `stella audit bundle sha256:abc123 --format zip` and verify zip archive created
|
|
- [ ] Run `stella audit verify ./audit-bundle` and verify manifest hash checking passes for valid bundle
|
|
- [ ] Run `stella audit verify ./audit-bundle` with tampered content and verify integrity failure detected
|
|
- [ ] Verify DSSE signature verification when `--verify-signature` flag is used
|
|
- [ ] Verify bundle contains replay instructions that can reproduce the verdict
|
|
- [ ] Verify exit code 0 for valid bundle verification, non-zero for failures
|
|
- [ ] Verify error handling for non-existent digests or bundle paths
|
|
|
|
## Verification
|
|
|
|
- **Verified**: 2026-02-13T15:30:00Z
|
|
- **Tier 0 (Source)**: pass -- all referenced source files exist on disk
|
|
- **Tier 1 (Build)**: pass -- module builds cleanly, 412 tests pass in StellaOps.Cli.Commands.Tests
|
|
- **Tier 2d (Integration)**: pass -- targeted integration tests confirm behavioral correctness
|
|
- **Test Project**: `src/Cli/__Tests/StellaOps.Cli.Commands.Tests/StellaOps.Cli.Commands.Tests.csproj`
|
|
- **Evidence**: `docs/qa/feature-checks/runs/cli/audit-bundle-generation-and-verification-cli/run-001/tier2-integration-check.json`
|