stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
bd8fee6ed87eda678175da821a4f4b9823b6f01b
git.stella-ops.org/docs/features/checked/cli/audit-bundle-generation-and-verification-cli.md
master e9aeadc040 save checkpoint
2026-02-14 09:11:48 +02:00

2.9 KiB
Raw Blame History

Audit Bundle Generation and Verification CLI

Module

Cli

Status

VERIFIED

Description

CLI command stella audit bundle <digest> that generates self-contained, auditor-ready evidence packages containing verdict, evidence, policy snapshot, and replay instructions in directory/tar.gz/zip formats, plus stella audit verify for bundle integrity verification with manifest hash checking and optional DSSE signature verification.

Implementation Details

  • Command Group: src/Cli/StellaOps.Cli/Commands/AuditCommandGroup.cs -- AuditCommandGroup (internal static class)
  • Audit Verify: src/Cli/StellaOps.Cli/Commands/AuditVerifyCommand.cs -- standalone audit verify command
  • Command Handlers: src/Cli/StellaOps.Cli/Commands/CommandHandlers.Audit.cs -- CommandHandlers partial class with audit handlers
  • Bundle Service: src/Cli/StellaOps.Cli/Audit/AuditBundleService.cs / IAuditBundleService.cs -- bundle generation and verification logic
  • Bundle Verifier: src/Cli/StellaOps.Cli/Services/AttestationBundleVerifier.cs / IAttestationBundleVerifier.cs
  • Sprint: SPRINT_20260117_027_CLI
  • Commands:
    • stella audit bundle <digest> -- generate audit bundle for an artifact digest. Options: --output <path>, --format dir|tar.gz|zip
    • stella audit verify <bundle-path> -- verify bundle integrity (manifest hash, DSSE signature)
  • Tests: src/Cli/__Tests/StellaOps.Cli.Tests/Commands/VerifyBundleCommandTests.cs

E2E Test Plan

  • Run stella audit bundle sha256:abc123 --output ./audit-bundle and verify directory created with verdict, evidence, policy snapshot, replay instructions
  • Run stella audit bundle sha256:abc123 --format tar.gz and verify tar.gz archive created
  • Run stella audit bundle sha256:abc123 --format zip and verify zip archive created
  • Run stella audit verify ./audit-bundle and verify manifest hash checking passes for valid bundle
  • Run stella audit verify ./audit-bundle with tampered content and verify integrity failure detected
  • Verify DSSE signature verification when --verify-signature flag is used
  • Verify bundle contains replay instructions that can reproduce the verdict
  • Verify exit code 0 for valid bundle verification, non-zero for failures
  • Verify error handling for non-existent digests or bundle paths

Verification

  • Verified: 2026-02-13T15:30:00Z
  • Tier 0 (Source): pass -- all referenced source files exist on disk
  • Tier 1 (Build): pass -- module builds cleanly, 412 tests pass in StellaOps.Cli.Commands.Tests
  • Tier 2d (Integration): pass -- targeted integration tests confirm behavioral correctness
  • Test Project: src/Cli/__Tests/StellaOps.Cli.Commands.Tests/StellaOps.Cli.Commands.Tests.csproj
  • Evidence: docs/qa/feature-checks/runs/cli/audit-bundle-generation-and-verification-cli/run-001/tier2-integration-check.json