save checkpoint: save features
@@ -0,0 +1,31 @@
# Doctor Check Quality Improvements (Real Diagnostics Replacing Mocks)
## Module
Doctor
## Status
PARTIALLY_IMPLEMENTED
## Description
Replaced mock implementations in PolicyEngineHealthCheck, OidcProviderConnectivityCheck, and FipsComplianceCheck with real diagnostic logic. Added discriminating evidence fields for AI reasoning and safety annotations (IsDestructive/DryRunVariant) for destructive remediation commands.
## Implementation Details
- **Policy engine check**: `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Policy/Checks/PolicyEngineHealthCheck.cs`
- **OIDC connectivity check**: `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Auth/Checks/OidcProviderConnectivityCheck.cs`
- **FIPS compliance check**: `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Crypto/Checks/FipsComplianceCheck.cs`
- **Other crypto checks**: eIDAS (`EidasComplianceCheck.cs`), GOST (`GostAvailabilityCheck.cs`), HSM (`HsmPkcs11AvailabilityCheck.cs`), SM crypto (`SmCryptoAvailabilityCheck.cs`)
- **Remediation models**: `src/__Libraries/StellaOps.Doctor/Models/RemediationStep.cs` -- includes IsDestructive/DryRunVariant safety annotations
- **Source**: SPRINT_20260118_015_Doctor_check_quality_improvements.md
## E2E Test Plan
- [ ] Verify PolicyEngineHealthCheck performs real diagnostic (not mock)
- [ ] Test OidcProviderConnectivityCheck actually probes OIDC endpoint
- [ ] Verify FipsComplianceCheck validates FIPS mode status
- [ ] Test remediation commands include safety annotations (IsDestructive, DryRunVariant)
## Verification Outcome
- Run:
un-001 on 2026-02-11 UTC.
- Tier 1 code review found claim parity gaps: Policy/Crypto plugin project roots are missing and runtime registration does not expose check.policy.engine, check.auth.oidc, or check.crypto.fips.
- Tier 2 API verification was blocked because Doctor WebService startup fails DI validation in timestamping plugin dependencies, preventing endpoint-level validation.
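Review bot: the Verification Outcome in this file contradicts its own Implementation Details: the bullets point at `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Policy/...` and `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Crypto/...`, while the Tier 1 finding says those plugin project roots are missing and that `check.policy.engine`, `check.auth.oidc` and `check.crypto.fips` are not exposed by runtime registration. Either correct the paths to where the checks actually live, or lower the status below PARTIALLY_IMPLEMENTED until registration lands. Two smaller points: the `- Run:` bullet is split across two lines and its run id reads `un-001` where the other dossiers use `run-001`; and the E2E plan should not stop at checking that IsDestructive/DryRunVariant exist on RemediationStep, it should assert that every step flagged IsDestructive also carries a DryRunVariant, since that pairing is what lets an operator preview a destructive remediation before running it.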
@@ -0,0 +1,33 @@
# Doctor Diagnostic Bundle Export for Support Tickets
## Module
Doctor
## Status
PARTIALLY_IMPLEMENTED
## Description
Generates comprehensive shareable diagnostic bundles (.zip) for support tickets containing doctor check results, system configuration, evidence, and remediation suggestions. Enables self-service troubleshooting without support escalation.
## Implementation Details
- **Report storage**: `src/Doctor/StellaOps.Doctor.WebService/Services/IReportStorageService.cs` -- report storage interface
- **In-memory storage**: `src/Doctor/StellaOps.Doctor.WebService/Services/InMemoryReportStorageService.cs`
- **Postgres storage**: `src/Doctor/StellaOps.Doctor.WebService/Services/PostgresReportStorageService.cs`
- **Doctor run service**: `src/Doctor/StellaOps.Doctor.WebService/Services/DoctorRunService.cs` -- orchestrates diagnostic runs
- **Doctor endpoints**: `src/Doctor/StellaOps.Doctor.WebService/Endpoints/DoctorEndpoints.cs` -- API endpoints for triggering runs and retrieving results
- **Models**: `src/Doctor/StellaOps.Doctor.WebService/Contracts/DoctorModels.cs` -- diagnostic bundle models
- **Tests**: `src/Doctor/__Tests/StellaOps.Doctor.WebService.Tests/Services/InMemoryReportStorageServiceTests.cs`, `DoctorRunServiceTests.cs`
- **Source**: SPRINT_20260112_001_009_DOCTOR_self_service.md
## E2E Test Plan
- [ ] Verify diagnostic bundle export generates valid .zip file
- [ ] Test bundle includes check results, configuration, and remediation suggestions
- [ ] Verify bundle can be stored/retrieved via both in-memory and Postgres backends
- [ ] Test Doctor API endpoints for triggering runs and downloading bundles
## Verification Outcome
- Run: run-001 on 2026-02-11 UTC.
- Tier 1 claim-parity review showed no user-surface API endpoint for diagnostic bundle ZIP export/download and no runtime selection path for Postgres report storage.
- Tier 2 API verification was blocked because Doctor WebService startup currently fails timestamping DI validation, preventing endpoint-level behavioral checks.
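Review bot: none of the files listed under Implementation Details builds the .zip that the Description promises (IReportStorageService, the in-memory and Postgres backends, DoctorRunService and DoctorEndpoints cover run orchestration and report storage only), and the Tier 1 finding confirms there is no export/download endpoint and no runtime path that selects PostgresReportStorageService; narrow the Description to what is present or reference the missing export code. Because the bundle is meant to be shared outside the deployment and is described as containing system configuration and evidence, the E2E plan also needs an item verifying that credentials, tokens and connection strings are redacted before the archive is written; no such check is in the list.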
@@ -0,0 +1,39 @@
# Doctor Diagnostics Runner
## Module
Doctor
## Status
IMPLEMENTED
## Description
Doctor plugin infrastructure with multiple plugins (Vex, BinaryAnalysis, Notify, Observability, Timestamping) providing health checks, diagnostics, and remediation commands is implemented.
## Implementation Details
- **Plugin interface**: `src/Doctor/__Plugins/StellaOps.Doctor.Plugins.Core/IDoctorPlugin.cs` -- base plugin contract
- **Plugins** (14 total):
- Agent: `AgentDoctorPlugin.cs` -- agent health (capacity, heartbeat, version, certificates, cluster, task queue)
- Attestor: `AttestorDoctorPlugin.cs` -- Rekor, cosign, signing key, transparency log checks
- Auth: `AuthDoctorPlugin.cs` -- OIDC, signing key, token service checks
- BinaryAnalysis: `BinaryAnalysisDoctorPlugin.cs` -- debuginfod, buildinfo cache, corpus mirror, symbol recovery
- Compliance: `CompliancePlugin.cs` -- audit readiness, evidence tamper, provenance completeness, attestation signing
- Crypto: eIDAS, FIPS, GOST, HSM, SM crypto, cert chain validation checks
- Environment: `EnvironmentDoctorPlugin.cs` -- connectivity, capacity, drift, secrets, network policy
- EvidenceLocker: `EvidenceLockerDoctorPlugin.cs` -- evidence index, Merkle anchor, provenance chain
- Notify: `NotifyDoctorPlugin.cs` -- Slack, Teams, Email, Webhook connectivity checks
- Observability: `ObservabilityDoctorPlugin.cs` -- OTLP, Prometheus, log directory checks
- Operations: `OperationsDoctorPlugin.cs` -- job queue, dead letter queue, scheduler checks
- Policy: `PolicyEngineHealthCheck.cs`
- Postgres: `PostgresDoctorPlugin.cs` -- connectivity, connection pool, migration status
- Release: `ReleaseDoctorPlugin.cs` -- active release, environment readiness, promotion gates, rollback
- Scanner: `ScannerDoctorPlugin.cs` -- SBOM generation, vulnerability scan, reachability, slice cache, witness graph
- Storage: `StorageDoctorPlugin.cs` -- disk space, backup directory, evidence locker write
- Timestamping: `TimestampingHealthCheckPlugin.cs` -- TSA, OCSP, CRL, time skew, evidence staleness
- Vex: `VexDoctorPlugin.cs` -- VEX document validation, issuer trust, schema compliance
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Verify all 14+ plugins register and execute successfully
- [ ] Test plugin discovery and loading mechanism
- [ ] Verify each plugin category produces valid health check results
- [ ] Test failure scenarios for each check type
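Review bot: the plugin count is wrong: the bullet says `Plugins (14 total)` and the E2E plan says `14+`, but the list has 18 entries (Agent through Vex), and the Description names only five of them; make the three agree. Two entries also break the plugin-class convention the rest of the list follows: Policy points at `PolicyEngineHealthCheck.cs`, which is a single check rather than a plugin, and Crypto names no file at all. Given that the first dossier in this commit records the Policy and Crypto plugin project roots as missing at runtime, marking this one IMPLEMENTED with no Verification section is premature; add the same run and tier-outcome bullets the other three files carry so the status is backed by a recorded run.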
@@ -0,0 +1,35 @@
# Doctor Health Checks for Integrations
## Module
Doctor
## Status
PARTIALLY_IMPLEMENTED
## Description
Individual health checks for webhooks, Slack, Teams, email, OTLP endpoints, debuginfod, corpus mirrors, and more are implemented as pluggable Doctor checks.
## Implementation Details
- **Webhook checks**: `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Notify/Checks/WebhookConfiguredCheck.cs`, `WebhookConnectivityCheck.cs`
- **Slack checks**: `SlackConfiguredCheck.cs`, `SlackConnectivityCheck.cs`
- **Teams checks**: `TeamsConfiguredCheck.cs`, `TeamsConnectivityCheck.cs`
- **Email checks**: `EmailConfiguredCheck.cs`, `EmailConnectivityCheck.cs`
- **Queue checks**: `NotifyQueueHealthCheck.cs`
- **OTLP check**: `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Observability/Checks/OtlpEndpointCheck.cs`
- **Prometheus check**: `PrometheusScrapeCheck.cs`
- **Debuginfod check**: `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.BinaryAnalysis/Checks/DebuginfodAvailabilityCheck.cs`
- **Corpus mirror check**: `CorpusMirrorFreshnessCheck.cs`
- **Tests**: `src/Doctor/__Tests/StellaOps.Doctor.Plugin.Notify.Tests/`, `StellaOps.Doctor.Plugin.Observability.Tests/`, `StellaOps.Doctor.Plugin.BinaryAnalysis.Tests/`
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Verify webhook connectivity check probes configured endpoint
- [ ] Test Slack/Teams/Email configured checks detect missing configuration
- [ ] Verify OTLP and Prometheus checks validate endpoint reachability
- [ ] Test debuginfod and corpus mirror freshness checks
## Verification
Run: run-001 (2026-02-11)
- Tier 1 builds/tests passed for referenced plugin projects, but claim parity failed: active Doctor WebService runtime composes integration/observability plugins from src/__Libraries and does not reference src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Notify.
- Tier 2 API probe confirmed service startup and health endpoints (/healthz, /readyz = 200), but /api/v1/doctor/checks returned 401 without scope-bearing auth; runtime check catalog parity could not be validated anonymously.
- Terminal outcome for this dossier: `not_implemented` (runtime claim mismatch).
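Review bot: the Status line (PARTIALLY_IMPLEMENTED) disagrees with the terminal outcome recorded at the end of the file (`not_implemented`); one of them has to change. The Implementation Details should also point at the projects the running WebService actually composes: the Tier 1 note says the runtime pulls the integration/observability plugins from src/__Libraries and does not reference src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Notify, so green builds and tests on the listed projects say nothing about the deployed checks. The 401 from /api/v1/doctor/checks without scope-bearing auth is the expected response for that endpoint and should not be logged as a blocker; rerun the Tier 2 probe with a scoped token so the catalog parity question gets an answer. Minor: this file uses `## Verification` and `Run: run-001 (2026-02-11)` where the other dossiers use `## Verification Outcome` and `- Run: run-001 on 2026-02-11 UTC.`; pick one format.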