git.stella-ops.org/src/Cli/StellaOps.Cli/AGENTS.md
master 2de8d1784b
new advisories
2025-11-23 23:38:25 +02:00

StellaOps.Cli — Agent Brief

Mission

  • Deliver an offline-capable command-line interface that drives StellaOps back-end operations: scanner distribution, scan execution, result uploads, and Concelier database lifecycle calls (init/resume/export).
  • Honour StellaOps principles of determinism, observability, and offline-first behaviour while providing a polished operator experience.

Advisory Handling (inherit + enforce)

  • Trigger: any new/updated advisory (docs/product-advisories/) requires immediate doc + sprint updates. No chat approval.
  • Docs: add high-level + detailed updates; inline only short snippets; put runnable/long code in docs/benchmarks/** or tests/** (deterministic/offline) and link.
  • Sprints: add Delivery Tracker rows and Execution Log entries in the relevant SPRINT_*.md; include doc paths and owners; add risks if feeds/schemas/transparency caps apply.
  • De-dup: check archived advisories; mark supersedes/extends if overlapping.
  • Defaults: hybrid reachability (graph DSSE required; edge-bundle optional), deterministic/frozen feeds.
  • Do not defer: execute immediately, then report.

Role Charter

| Role | Mandate | Collaboration |
|------|---------|---------------|
| DevEx/CLI | Own CLI UX, command routing, and configuration model. Ensure commands work with empty/default config and document overrides. | Coordinate with Backend/WebService for API contracts and with Docs for operator workflows. |
| Ops Integrator | Maintain integration paths for shell/dotnet/docker tooling. Validate that air-gapped runners can bootstrap required binaries. | Work with Concelier/Agent teams to mirror packaging and signing requirements. |
| QA | Provide command-level fixtures, golden outputs, and regression coverage (unit & smoke). Ensure commands respect cancellation and deterministic logging. | Partner with QA guild for shared harnesses and test data. |

Working Agreements

  • Configuration is centralised in StellaOps.Configuration; always consume the bootstrapper instead of hand-rolling builders. Env vars (API_KEY, STELLAOPS_BACKEND_URL, StellaOps:*) override JSON/YAML and default to empty values.
  • Command verbs (scanner, scan, db, config) are wired through System.CommandLine 2.0; keep handlers composable, cancellation-aware, and unit-testable.
  • scanner download must verify digests/signatures, install containers locally (docker load), and log artefact metadata.
  • scan run must execute the container against a directory, materialise artefacts in ResultsDirectory, and auto-upload them on success; scan upload is the manual retry path.
  • Emit structured console logs (single line, UTC timestamps) and honour offline-first expectations—no hidden network calls.
  • Mirror repository guidance: stay within src/Cli/StellaOps.Cli unless collaborating via documented handshakes.
  • Update TASKS.md as states change (TODO → DOING → DONE/BLOCKED) and record added tests/fixtures alongside implementation notes.
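
The verify-before-load rule for scanner download, sketched as an added shell example (not StellaOps code): it covers the digest check only, refuses to reach docker load on any mismatch, and logs in the single-line UTC format required above. The function names, event names and the "sha256:<hex>" input format are assumptions made for illustration.

```shell
# Added example, not StellaOps code. Assumes the expected "sha256:<hex>" value
# comes from a trusted source; signature verification is out of scope here.

# Emit one single-line structured log record with a UTC timestamp.
log_line() {  # usage: log_line <level> <event> [key=value ...]
  local ts level event
  ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
  level=$1; event=$2; shift 2
  printf '%s level=%s event=%s %s\n' "$ts" "$level" "$event" "$*"
}

# Return 0 only when the file's SHA-256 equals the expected digest.
# Returns 2 for a malformed expectation, 3 for a missing file, 1 on mismatch.
verify_digest() {  # usage: verify_digest <file> <sha256:hex>
  local file expected actual
  file=$1; expected=$2
  case $expected in
    sha256:*) expected=${expected#sha256:} ;;
    *) return 2 ;;                      # unknown or missing algorithm prefix
  esac
  [ "${#expected}" -eq 64 ] || return 2  # SHA-256 is exactly 64 hex chars
  case $expected in *[!0-9a-fA-F]*) return 2 ;; esac
  [ -f "$file" ] || return 3
  actual=$(sha256sum < "$file" | cut -d' ' -f1)
  expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
  [ "$actual" = "$expected" ]
}

# Load the image only after the digest check passes; log the outcome either way.
install_scanner() {  # usage: install_scanner <image.tar> <sha256:hex>
  local file expected size
  file=$1; expected=$2
  if ! verify_digest "$file" "$expected"; then
    log_line error scanner.digest_rejected "file=$file expected=$expected" >&2
    return 1
  fi
  size=$(wc -c < "$file" | tr -d ' ')
  log_line info scanner.verified "file=$file digest=$expected bytes=$size"
  docker load --input "$file"
}
```

A malformed expectation (wrong prefix, wrong length, non-hex characters) is rejected before any hashing, so an empty or truncated digest field can never count as a match.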

Reference Materials

  • docs/modules/concelier/ARCHITECTURE.md for database operations surface area.
  • Backend OpenAPI/contract docs (once available) for job triggers and scanner endpoints.
  • Existing module AGENTS/TASKS files for style and coordination cues.
  • docs/09_API_CLI_REFERENCE.md (section 3) for the user-facing synopsis of the CLI verbs and flags.

Attestor Command Guild

  • Owns the stella attest verb family (sign, verify, list, fetch) plus key lifecycle helpers (create, import, rotate, revoke).
  • Ensures all attestation flows use the official SDK transport, support offline bundles, and surface JSON/table outputs for automation.
  • Guards parity with attestor service policies (verification policies, explainability) and keeps fixtures/tests covering file-based and KMS-backed keys.

Required Reading

  • docs/modules/cli/architecture.md
  • docs/modules/platform/architecture-overview.md