doctor: complete runtime check documentation sprint

Signed-off-by: master <>

docs/doctor/articles/verification/verification-sbom-validation.md

@@ -0,0 +1,52 @@
+---
+checkId: check.verification.sbom.validation
+plugin: stellaops.doctor.verification
+severity: fail
+tags: [verification, sbom, cyclonedx, spdx]
+---
+# SBOM Validation
+
+## What It Checks
+Requires the verification plugin plus a test artifact. In offline mode it looks for CycloneDX or SPDX JSON inside the bundle. In online mode it checks whether `Scanner:SbomGeneration:Enabled` or `Attestor:SbomAttestation:Enabled` is turned on.
+
+The check warns when SBOM generation and attestation are both disabled, and fails when the offline bundle is missing or contains no recognizable SBOM.
+
+## Why It Matters
+SBOMs are the input for downstream vulnerability analysis, policy decisions, and customer evidence exports. If SBOM generation is off, release evidence is incomplete.
+
+## Common Causes
+- The build pipeline is not producing SBOMs
+- SBOM attestation is disabled even though verification expects it
+- Offline bundles were exported without `--include-sbom`
+
+## How to Fix
+
+### Docker Compose
+```yaml
+services:
+  doctor-web:
+    environment:
+      Scanner__SbomGeneration__Enabled: "true"
+      Attestor__SbomAttestation__Enabled: "true"
+```
+
+For offline mode:
+
+```bash
+stella verification bundle export --include-sbom --output /var/lib/stella/verification/offline-bundle.json
+```
+
+### Bare Metal / systemd
+Enable SBOM generation in the scanner and keep artifact attachments immutable once published.
+
+### Kubernetes / Helm
+Mount the same scanner and attestor config into Doctor that the production verification pipeline uses.
+
+## Verification
+```bash
+stella doctor --check check.verification.sbom.validation
+```
+
+## Related Checks
+- `check.verification.artifact.pull` - the artifact must be reachable before attached SBOMs can be validated
+- `check.verification.policy.engine` - policy rules commonly consume SBOM-derived vulnerability data