stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

doctor: complete runtime check documentation sprint

Browse Source 
Signed-off-by: master <>
This commit is contained in:
master
2026-03-31 23:26:24 +03:00
parent 404d50bcb7
commit 152c1b1357
54 changed files with 2210 additions and 258 deletions
Download Patch File Download Diff File Expand all files Collapse all files

77
docs/modules/doctor/compose-baseline.md Normal file
View File

@@ -0,0 +1,77 @@
# Doctor Compose Baseline
## Evidence
- Runtime source: local default stack reachable at `http://127.1.0.26/api/v1/doctor`.
- Catalog snapshot: `GET /api/v1/doctor/checks` on 2026-03-31.
- Baseline run: `dr_20260331_195122_99ff09`.
- Duration: `12103ms`.
## Baseline Summary
| Status | Count |
| --- | ---: |
| `pass` | 10 |
| `info` | 7 |
| `warn` | 10 |
| `fail` | 4 |
| `skip` | 70 |
| `total` | 101 |
## Capture Notes
- This baseline was captured from the locally running default compose stack, not from a second fresh stack.
- A parallel `docker compose up` was not used because `devops/compose/docker-compose.stella-ops.yml` hardcodes container names, which would conflict with the already running environment.
- The runtime catalog currently exposes `101` checks across `14` plugins. That supersedes the stale sprint text that still referenced `99` checks across `16` plugins.
## Observed Failures
| Check ID | Diagnosis | Notes |
| --- | --- | --- |
| `check.core.config.required` | Missing 2 required setting(s) | Missing `ConnectionStrings:DefaultConnection` and `Logging:LogLevel:Default` in the captured runtime. |
| `check.docker.daemon` | Cannot connect to Docker daemon: Connection failed | Doctor ran without a reachable Docker daemon socket. |
| `check.docker.socket` | 1 Docker socket issue(s) | `/var/run/docker.sock` was absent in the captured container context. |
| `check.security.secrets` | 2 secrets management issue(s) found | The runtime reported no secrets provider plus a potential plain-text connection string. |
## Observed Warnings
| Check ID | Diagnosis |
| --- | --- |
| `check.attestation.clock.skew` | System clock is off by 5.5 seconds (threshold: 5s) |
| `check.binaryanalysis.buildinfo.cache` | Debian buildinfo services are reachable but cache directory does not exist |
| `check.binaryanalysis.corpus.kpi.baseline` | KPI baseline directory does not exist: `/var/lib/stella/baselines` |
| `check.binaryanalysis.corpus.mirror.freshness` | Corpus mirrors directory does not exist: `/var/lib/stella/mirrors` |
| `check.binaryanalysis.ddeb.enabled` | Ubuntu ddeb repository is not configured but `ddebs.ubuntu.com` is reachable |
| `check.core.env.variables` | No environment configuration variables detected |
| `check.observability.logging` | 1 logging configuration issue(s) |
| `check.security.audit.logging` | 2 audit logging issue(s) |
| `check.security.cors` | 1 CORS configuration issue(s) found |
| `check.security.headers` | 5 security header(s) not configured |
## Observed Informational Results
| Check ID | Diagnosis |
| --- | --- |
| `check.binaryanalysis.debuginfod.available` | `DEBUGINFOD_URLS` not configured but default Fedora debuginfod is reachable |
| `check.binaryanalysis.symbol.recovery.fallback` | Symbol recovery operational with 1/3 sources available |
| `check.observability.alerting` | No alerting destinations configured |
| `check.observability.metrics` | Metrics configuration not found |
| `check.observability.otel` | OpenTelemetry endpoint not configured |
| `check.security.ratelimit` | Rate limiting configuration not found |
| `check.servicegraph.circuitbreaker` | Circuit breakers not configured |
## Healthy Baseline Results
The captured runtime returned `pass` for:
- `check.core.config.loaded`
- `check.core.crypto.available`
- `check.core.env.diskspace`
- `check.core.env.memory`
- `check.core.services.dependencies`
- `check.observability.healthchecks`
- `check.observability.tracing`
- `check.security.tls.certificate`
- `check.servicegraph.timeouts`
- `check.servicegraph.valkey`
## Skipped Checks
- `70` checks were skipped because the captured local stack did not provide the required runtime context, credentials, test artifacts, or dependent services.
- Skips are expected for the database, integration, release, scanner, and verification groups when the default local stack is not fully wired for end-to-end release validation.
## Follow-Up
- Use [the runtime check index](./checks/README.md) to map each runtime check to its article.
- Rebuild and rerun the Doctor services before claiming a fresh-stack zero-false-positive baseline; this document only records the captured live baseline from 2026-03-31.