Doctor plugin checks: implement health check classes and documentation

Implement remediation-aware health checks across all Doctor plugin modules
(Agent, Attestor, Auth, BinaryAnalysis, Compliance, Crypto, Environment,
EvidenceLocker, Notify, Observability, Operations, Policy, Postgres, Release,
Scanner, Storage, Vex) and their backing library counterparts (AI, Attestation,
Authority, Core, Cryptography, Database, Docker, Integration, Notify,
Observability, Security, ServiceGraph, Sources, Verification).

Each check now emits structured remediation metadata (severity, category,
runbook links, and fix suggestions) consumed by the Doctor dashboard
remediation panel.

Also adds:
- docs/doctor/articles/ knowledge base for check explanations
- Advisory AI search seed and allowlist updates for doctor content
- Sprint plan for doctor checks documentation

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

docs/doctor/articles/docker/apiversion.md

@@ -0,0 +1,94 @@
+---
+checkId: check.docker.apiversion
+plugin: stellaops.doctor.docker
+severity: warn
+tags: [docker, api, compatibility]
+---
+# Docker API Version
+
+## What It Checks
+Validates that the Docker API version meets minimum requirements for Stella Ops. The check connects to the Docker daemon (using `Docker:Host` configuration or the platform default) and queries the API version via `System.GetVersionAsync()`.
+
+| API Version | Result |
+|---|---|
+| Below **1.41** | `warn` — below minimum required |
+| Between **1.41** and **1.43** | `warn` — below recommended |
+| **1.43** or higher | `pass` |
+
+The minimum API version 1.41 corresponds to Docker Engine 20.10+. The recommended version 1.43 corresponds to Docker Engine 23.0+.
+
+Evidence collected includes: API version, Docker version, minimum required version, recommended version, OS, build time, and git commit.
+
+Default Docker host:
+- **Linux**: `unix:///var/run/docker.sock`
+- **Windows**: `npipe://./pipe/docker_engine`
+
+## Why It Matters
+Stella Ops uses Docker API features for container management, image inspection, and network configuration. Older API versions may not support required features such as:
+
+- BuildKit-based image builds (API 1.39+).
+- Multi-platform image inspection (API 1.41+).
+- Container resource management improvements (API 1.43+).
+
+Running an outdated Docker version also means missing security patches and bug fixes.
+
+## Common Causes
+- Docker Engine is outdated (version < 20.10)
+- Docker Engine is functional but below recommended version (< 23.0)
+- Using a Docker-compatible runtime (Podman, containerd) that reports a lower API version
+- Docker not updated after OS upgrade
+
+## How to Fix
+
+### Docker Compose
+Update Docker Engine to the latest stable version:
+
+```bash
+# Ubuntu/Debian
+sudo apt-get update
+sudo apt-get install docker-ce docker-ce-cli containerd.io
+
+# RHEL/CentOS
+sudo yum update docker-ce docker-ce-cli containerd.io
+
+# Verify version
+docker version
+```
+
+### Bare Metal / systemd
+```bash
+# Check current version
+docker version
+
+# Update Docker
+curl -fsSL https://get.docker.com | sh
+
+# Restart Docker
+sudo systemctl restart docker
+
+# Verify
+docker version
+```
+
+### Kubernetes / Helm
+Update the container runtime on cluster nodes. The method depends on your Kubernetes distribution:
+
+```bash
+# Check node runtime version
+kubectl get nodes -o wide
+
+# For kubeadm clusters, update containerd on each node
+sudo apt-get update && sudo apt-get install containerd.io
+
+# Verify
+sudo crictl version
+```
+
+## Verification
+```
+stella doctor run --check check.docker.apiversion
+```
+
+## Related Checks
+- `check.docker.daemon` — verifies Docker daemon is running (prerequisite for version check)
+- `check.docker.socket` — verifies Docker socket is accessible