doctor: complete runtime check documentation sprint

Signed-off-by: master <>
This commit is contained in:
master
2026-03-31 23:26:24 +03:00
parent 404d50bcb7
commit 152c1b1357
54 changed files with 2210 additions and 258 deletions


@@ -0,0 +1,50 @@
---
checkId: check.verification.policy.engine
plugin: stellaops.doctor.verification
severity: fail
tags: [verification, policy, vex, compliance]
---
# Policy Engine Evaluation
## What It Checks
Requires the verification plugin plus a configured test artifact. In offline mode it looks for policy results inside the exported bundle. In online mode it validates `Policy:Engine:Enabled`, a policy reference, and `Policy:VexAware`.
The check fails when the policy engine is disabled, warns when no policy reference is configured or when VEX-aware evaluation is off, and passes when the prerequisites are present.
## Why It Matters
Release verification is only trustworthy if the same policy engine and VEX rules used in production can be exercised by Doctor.
## Common Causes
- `Policy__Engine__Enabled` is false
- No default or test policy reference is configured
- Policy rules were not updated to account for VEX justifications
## How to Fix
### Docker Compose
```yaml
services:
doctor-web:
environment:
Policy__Engine__Enabled: "true"
Policy__DefaultPolicyRef: policy://default/release-gate
Policy__VexAware: "true"
Doctor__Plugins__Verification__PolicyTest__PolicyRef: policy://default/release-gate
```
If you use offline verification, export the bundle with policy data included before copying it into the air-gapped environment.
### Bare Metal / systemd
Keep the Doctor policy reference aligned with the policy engine configuration used by release orchestration.
### Kubernetes / Helm
Store the policy ref in ConfigMaps and enforce the same value across the policy engine and Doctor service.
## Verification
```bash
stella doctor --check check.verification.policy.engine
```
## Related Checks
- `check.verification.vex.validation` - VEX-aware policy only helps if VEX collection works
- `check.verification.sbom.validation` - policy evaluation usually consumes SBOM and vulnerability evidence
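Review bot: the third item under "Common Causes" ("Policy rules were not updated to account for VEX justifications") describes a condition this check cannot detect: per "What It Checks" the online path validates only `Policy:Engine:Enabled`, a policy reference, and `Policy:VexAware`, and the offline path only looks for policy results in the bundle, so neither inspects rule content. Either drop that bullet or reword it to the detectable cause (`Policy__VexAware` is false, which the text says yields a warn). Two smaller gaps in the same hunk: "Bare Metal / systemd" and "Kubernetes / Helm" give only general advice, while the Compose block names the concrete settings (`Policy__Engine__Enabled`, `Policy__DefaultPolicyRef`, `Policy__VexAware`, `Doctor__Plugins__Verification__PolicyTest__PolicyRef`); listing the same keys (or their `Policy:Engine:Enabled` style config-file form) under both sections would make the three deployment paths equivalent. The offline note ("export the bundle with policy data included") also does not say how that export is done, and the "Verification" section does not state what pass/warn/fail output to expect from `stella doctor --check check.verification.policy.engine`.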