stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
cf5b72974f923126944f4dcd47e85864ebb31a3b
git.stella-ops.org/docs/features/unchecked/cli/audit-bundle-generation-and-verification-cli.md

2.3 KiB
Raw Blame History

Audit Bundle Generation and Verification CLI

Module

Cli

Status

IMPLEMENTED

Description

CLI command stella audit bundle <digest> that generates self-contained, auditor-ready evidence packages containing verdict, evidence, policy snapshot, and replay instructions in directory/tar.gz/zip formats, plus stella audit verify for bundle integrity verification with manifest hash checking and optional DSSE signature verification.

Implementation Details

  • Command Group: src/Cli/StellaOps.Cli/Commands/AuditCommandGroup.cs -- AuditCommandGroup (internal static class)
  • Audit Verify: src/Cli/StellaOps.Cli/Commands/AuditVerifyCommand.cs -- standalone audit verify command
  • Command Handlers: src/Cli/StellaOps.Cli/Commands/CommandHandlers.Audit.cs -- CommandHandlers partial class with audit handlers
  • Bundle Service: src/Cli/StellaOps.Cli/Audit/AuditBundleService.cs / IAuditBundleService.cs -- bundle generation and verification logic
  • Bundle Verifier: src/Cli/StellaOps.Cli/Services/AttestationBundleVerifier.cs / IAttestationBundleVerifier.cs
  • Sprint: SPRINT_20260117_027_CLI
  • Commands:
    • stella audit bundle <digest> -- generate audit bundle for an artifact digest. Options: --output <path>, --format dir|tar.gz|zip
    • stella audit verify <bundle-path> -- verify bundle integrity (manifest hash, DSSE signature)
  • Tests: src/Cli/__Tests/StellaOps.Cli.Tests/Commands/VerifyBundleCommandTests.cs

E2E Test Plan

  • Run stella audit bundle sha256:abc123 --output ./audit-bundle and verify directory created with verdict, evidence, policy snapshot, replay instructions
  • Run stella audit bundle sha256:abc123 --format tar.gz and verify tar.gz archive created
  • Run stella audit bundle sha256:abc123 --format zip and verify zip archive created
  • Run stella audit verify ./audit-bundle and verify manifest hash checking passes for valid bundle
  • Run stella audit verify ./audit-bundle with tampered content and verify integrity failure detected
  • Verify DSSE signature verification when --verify-signature flag is used
  • Verify bundle contains replay instructions that can reproduce the verdict
  • Verify exit code 0 for valid bundle verification, non-zero for failures
  • Verify error handling for non-existent digests or bundle paths