git.stella-ops.org/docs/cli/triage-cli.md

# Triage CLI Reference

**Sprint:** SPRINT_3600_0001_0001  
**Task:** TRI-MASTER-0008 - Update CLI documentation with offline commands

## Overview

The Triage CLI provides commands for vulnerability triage, decision management, and offline workflows. It supports evidence-based decision making and audit-ready replay tokens.

## Commands

### stellaops triage list

List findings for triage.

```bash
stellaops triage list [OPTIONS]
```

#### Options

| Option | Description | Default |
|--------|-------------|---------|
| `--scan-id <ID>` | Filter by scan ID | - |
| `--status <STATUS>` | Filter: `untriaged`, `affected`, `not_affected`, `wont_fix`, `false_positive` | all |
| `--priority-min <N>` | Minimum priority (0-1) | 0 |
| `--priority-max <N>` | Maximum priority (0-1) | 1 |
| `--sort <FIELD>` | Sort: `priority`, `vuln`, `component`, `created` | `priority` |
| `--format <FMT>` | Output: `table`, `json`, `csv` | `table` |
| `--limit <N>` | Max results | 50 |
| `--workspace <PATH>` | Offline workspace | - |

#### Examples

```bash
# List untriaged high-priority findings
stellaops triage list \
  --scan-id scan-12345678 \
  --status untriaged \
  --priority-min 0.7

# Export for review
stellaops triage list \
  --scan-id scan-12345678 \
  --format json > findings.json
```

### stellaops triage show

Show finding details with evidence.

```bash
stellaops triage show <FINDING-ID> [OPTIONS]
```

#### Options

| Option | Description | Default |
|--------|-------------|---------|
| `--show-evidence` | Include full evidence | `false` |
| `--evidence-first` | Lead with evidence summary | `false` |
| `--show-history` | Show decision history | `false` |
| `--format <FMT>` | Output: `text`, `json`, `yaml` | `text` |
| `--workspace <PATH>` | Offline workspace | - |

#### Example

```bash
# Show with evidence
stellaops triage show CVE-2024-1234 \
  --show-evidence \
  --evidence-first

# Output:
# ═══════════════════════════════════════════
# CVE-2024-1234 · pkg:npm/lodash@4.17.20
# ═══════════════════════════════════════════
#
# EVIDENCE
# ────────
# Reachability: TAINTED_SINK (tier 3/3)
#   └─ api.js:42 → utils.js:15 → lodash/merge
#
# Call Stack:
#   1. api.js:42     handleUserInput()
#   2. utils.js:15   processData()
#   3. lodash:merge  <vulnerable sink>
#
# VEX: No statement
# EPSS: 0.67 (High)
# KEV: No
#
# VULNERABILITY
# ─────────────
# CVE-2024-1234: Prototype Pollution in lodash
# CVSS: 7.5 (High)
# CWE: CWE-1321
#
# STATUS: untriaged
```

### stellaops triage decide

Record a triage decision.

```bash
stellaops triage decide <FINDING-ID> [OPTIONS]
```

#### Options

| Option | Description | Default |
|--------|-------------|---------|
| `--status <STATUS>` | Required: `affected`, `not_affected`, `wont_fix`, `false_positive` | - |
| `--justification <TEXT>` | Decision justification | - |
| `--reviewer <NAME>` | Reviewer identifier | current user |
| `--vex-emit` | Emit VEX statement | `false` |
| `--workspace <PATH>` | Offline workspace | - |

#### Examples

```bash
# Mark as not affected
stellaops triage decide CVE-2024-1234 \
  --status not_affected \
  --justification "Feature gated, unreachable in production"

# Mark affected and emit VEX
stellaops triage decide CVE-2024-5678 \
  --status affected \
  --justification "In use, remediation planned" \
  --vex-emit
```

### stellaops triage batch

Interactive batch triage mode.

```bash
stellaops triage batch [OPTIONS]
```

#### Options

| Option | Description | Default |
|--------|-------------|---------|
| `--scan-id <ID>` | Scan to triage | - |
| `--query <EXPR>` | Filter expression | - |
| `--input <PATH>` | Offline bundle | - |
| `--workspace <PATH>` | Offline workspace | - |

#### Keyboard Shortcuts

| Key | Action |
|-----|--------|
| `j` / `↓` | Next finding |
| `k` / `↑` | Previous finding |
| `a` | Mark affected |
| `n` | Mark not affected |
| `w` | Mark won't fix |
| `f` | Mark false positive |
| `e` | Show full evidence |
| `g` | Show graph context |
| `u` | Undo last decision |
| `/` | Search findings |
| `?` | Show help |
| `q` | Save and quit |

#### Example

```bash
# Interactive triage
stellaops triage batch \
  --scan-id scan-12345678 \
  --query "priority>=0.5"
```

### stellaops triage export

Export findings for offline triage.

```bash
stellaops triage export [OPTIONS]
```

#### Options

| Option | Description | Default |
|--------|-------------|---------|
| `--scan-id <ID>` | Scan to export | required |
| `--findings <IDS>` | Specific finding IDs (comma-separated) | - |
| `--all-findings` | Export all findings | `false` |
| `--include-evidence` | Include evidence data | `true` |
| `--include-graph` | Include dependency graph | `true` |
| `--output <PATH>` | Output path (.stella.bundle.tgz) | required |
| `--sign` | Sign the bundle | `true` |

#### Example

```bash
# Export specific findings
stellaops triage export \
  --scan-id scan-12345678 \
  --findings CVE-2024-1234,CVE-2024-5678 \
  --output triage-bundle.stella.bundle.tgz
```

### stellaops triage import

Import offline bundle for triage.

```bash
stellaops triage import [OPTIONS]
```

#### Options

| Option | Description | Default |
|--------|-------------|---------|
| `--input <PATH>` | Bundle path | required |
| `--workspace <PATH>` | Target workspace | `~/.stellaops/triage` |
| `--verify` | Verify signature | `true` |
| `--public-key <PATH>` | Public key for verification | - |

### stellaops triage export-decisions

Export decisions for sync.

```bash
stellaops triage export-decisions [OPTIONS]
```

#### Options

| Option | Description | Default |
|--------|-------------|---------|
| `--workspace <PATH>` | Workspace path | required |
| `--output <PATH>` | Output path | required |
| `--format <FMT>` | Format: `json`, `ndjson` | `json` |
| `--sign` | Sign output | `true` |

### stellaops triage import-decisions

Import and apply decisions.

```bash
stellaops triage import-decisions [OPTIONS]
```

#### Options

| Option | Description | Default |
|--------|-------------|---------|
| `--input <PATH>` | Decisions file | required |
| `--verify` | Verify signatures | `true` |
| `--apply` | Apply to server | `false` |
| `--dry-run` | Preview only | `false` |
| `--conflict-mode <MODE>` | Conflict handling: `keep-local`, `keep-server`, `newest`, `review` | `review` |

### stellaops triage verify-bundle

Verify bundle integrity.

```bash
stellaops triage verify-bundle [OPTIONS]
```

#### Options

| Option | Description | Default |
|--------|-------------|---------|
| `--input <PATH>` | Bundle path | required |
| `--public-key <PATH>` | Public key | required |
| `--strict` | Fail on warnings | `false` |

### stellaops triage show-token

Display replay token details.

```bash
stellaops triage show-token <TOKEN>
```

### stellaops triage verify-token

Verify replay token.

```bash
stellaops triage verify-token <TOKEN> [OPTIONS]
```

#### Options

| Option | Description | Default |
|--------|-------------|---------|
| `--public-key <PATH>` | Public key | required |

## Exit Codes

| Code | Meaning |
|------|---------|
| 0 | Success |
| 1 | Findings require attention |
| 10 | Invalid arguments |
| 11 | Resource not found |
| 20 | Verification failed |
| 21 | Signature invalid |
| 30 | Conflict detected |
| 99 | Internal error |

## Environment Variables

| Variable | Description |
|----------|-------------|
| `STELLAOPS_OFFLINE` | Enable offline mode |
| `STELLAOPS_TRIAGE_WORKSPACE` | Default workspace |
| `STELLAOPS_REVIEWER` | Default reviewer name |

## Related Documentation

- [Triage Air-Gap Workflows](../airgap/triage-airgap-workflows.md)
- [Keyboard Shortcuts](./keyboard-shortcuts.md)
- [Triage API Reference](../api/triage-api.md)