git.stella-ops.org/docs/features/checked/cli/verification-command-consolidation.md
2026-02-14 09:11:48 +02:00

# Verification Command Consolidation (verify umbrella)
## Module
Cli
## Status
VERIFIED
## Description
Consolidation of `attest verify`, `vex verify`, `patchverify` etc. under a unified `stella verify` umbrella command with sub-commands for attestation, vex, patch, image, bundle, sbom, and offline verification.
## Implementation Details
- **Command Group**: `src/Cli/StellaOps.Cli/Commands/VerifyCommandGroup.cs` -- `VerifyCommandGroup` (internal static class)
  - Sprint: SPRINT_20260118_012_CLI_verification_consolidation (CLI-V-002 through CLI-V-005)
  - Delegates to `CommandHandlers.HandleVerifyOfflineAsync`, `HandleVerifyImageAsync`, `HandleVerifyBundleAsync`
- **Handler Partials**:
  - `src/Cli/StellaOps.Cli/Commands/CommandHandlers.VerifyOffline.cs` -- offline verification handler
  - `src/Cli/StellaOps.Cli/Commands/CommandHandlers.VerifyBundle.cs` -- bundle verification handler
- **Commands**:
  - `stella verify offline --evidence-dir <path> --artifact <digest> --policy <file> [--output-dir <dir>] [--output table|json]` -- verify offline evidence for an artifact
  - `stella verify image <reference> [--require sbom,vex,decision] [--trust-policy <file>] [--output table|json|sarif] [--strict]` -- verify the attestation chain for a container image
  - `stella verify bundle --bundle <path> [--skip-replay] [--output table|json]` -- verify an E2E evidence bundle for reproducibility
  - `stella verify attestation --image <ref> [--predicate-type <uri>] [--policy <file>] [--output table|json] [--strict]` -- verify attestations (moved from `stella attest verify`)
  - `stella verify vex <artifact> [--vex-file <path>] [--output table|json]` -- verify VEX statements (moved from `stella vex verify`)
  - `stella verify patch <artifact> [--cve <ids>] [--confidence-threshold 0.7] [--output table|json]` -- verify patches in binaries (moved from `stella patchverify`)
  - `stella verify sbom <file> [--format spdx|cyclonedx] [--strict] [--output table|json]` -- verify SBOM integrity and completeness (also reachable via `stella sbom verify`)
- **Route Consolidation**: `cli-routes.json` maps deprecated paths: `attest verify` -> `verify attestation`, `vex verify` -> `verify vex`, `patchverify` -> `verify patch`
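The `--require` / `--strict` gating that `stella verify image` exposes (strict mode failing on a missing required attestation, JSON output with `verified: true/false` per attestation) modelled as a stand-alone Python example; this is added illustration, not the project's C# handler code. Assumed, beyond what the page states: non-strict mode reports a missing required kind as a warning and still passes, an unrequired attestation that fails verification is only a warning, and the signature/chain check itself happens upstream and is represented by the `verified` flag.

```python
import json
from dataclasses import dataclass

KNOWN_KINDS = {"sbom", "vex", "decision"}   # kinds accepted by --require on this page


@dataclass(frozen=True)
class Attestation:
    kind: str            # "sbom", "vex" or "decision"
    verified: bool       # result of the upstream signature/chain check (assumed)
    reason: str = ""     # failure detail, empty when verified


def parse_require(value):
    """Parse a `--require sbom,vex,decision` value into a list of known kinds."""
    kinds = [k.strip() for k in value.split(",") if k.strip()]
    unknown = [k for k in kinds if k not in KNOWN_KINDS]
    if unknown:
        raise ValueError(f"unknown --require kinds: {unknown}")
    return kinds


def gate_image(attestations, require, strict=False):
    """Return (passed, report) for one image.

    Rules modelled (only the first two are stated on the page, the rest are
    assumptions of this example): every attestation found is reported with
    verified true/false; --strict turns every warning into a failure, so a
    missing required kind fails; a required kind that is present but fails
    verification always fails the gate; an unrequired failure is a warning.
    """
    present = {a.kind for a in attestations}
    entries, warnings, failures = [], [], []
    for a in attestations:
        entries.append({"kind": a.kind, "verified": a.verified, "reason": a.reason})
        if a.verified:
            continue
        msg = f"{a.kind}: {a.reason or 'verification failed'}"
        (failures if a.kind in require else warnings).append(msg)
    for kind in require:
        if kind not in present:
            warnings.append(f"{kind}: required attestation missing")
    if strict:                        # fail closed: warnings become errors
        failures, warnings = failures + warnings, []
    report = {"verified": not failures, "strict": strict,
              "attestations": entries, "warnings": warnings, "failures": failures}
    return not failures, report


if __name__ == "__main__":
    # Constructed input: SBOM and VEX attestations present, no decision attestation.
    found = [Attestation("sbom", True), Attestation("vex", True)]
    for strict in (False, True):
        _, report = gate_image(found, parse_require("sbom,vex,decision"), strict)
        print(json.dumps(report, indent=2))
```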
## E2E Test Plan
- [ ] Run `stella verify image registry.example.com/app@sha256:abc123` and verify attestation chain results
- [ ] Run `stella verify image <ref> --require sbom,vex,decision --strict` and verify strict mode fails on missing attestations
- [ ] Run `stella verify image <ref> --output json` and verify JSON with verified:true/false per attestation
- [ ] Run `stella verify offline --evidence-dir ./evidence --artifact sha256:abc --policy ./policy.yaml` and verify offline evaluation
- [ ] Run `stella verify bundle --bundle ./evidence.tar.gz` and verify E2E reproducibility check
- [ ] Run `stella verify bundle --bundle ./evidence.tar.gz --skip-replay` and verify hash-only validation
- [ ] Run `stella verify attestation --image <ref> --predicate-type "https://slsa.dev/provenance/v1"` and verify type-filtered attestation check
- [ ] Run `stella verify vex <artifact>` and verify that the VEX statements are checked
- [ ] Run `stella verify patch <artifact> --cve CVE-2024-1234 --confidence-threshold 0.9` and verify patch check
- [ ] Run `stella verify sbom ./sbom.json --strict` and verify strict mode catches warnings as errors
- [ ] Verify deprecated routes still work: `stella attest verify` routes to `stella verify attestation`
## Verification
- **Verified**: 2026-02-13T15:30:00Z
- **Tier 0 (Source)**: pass -- all referenced source files exist on disk
- **Tier 1 (Build)**: pass -- module builds cleanly, 412 tests pass in StellaOps.Cli.Commands.Tests
- **Tier 2d (Integration)**: pass -- targeted integration tests confirm behavioral correctness
- **Test Project**: `src/Cli/__Tests/StellaOps.Cli.Commands.Tests/StellaOps.Cli.Commands.Tests.csproj`
- **Evidence**: `docs/qa/feature-checks/runs/cli/verification-command-consolidation/run-001/tier2-integration-check.json`