Doctor plugin checks: implement health check classes and documentation

Implement remediation-aware health checks across all Doctor plugin modules
(Agent, Attestor, Auth, BinaryAnalysis, Compliance, Crypto, Environment,
EvidenceLocker, Notify, Observability, Operations, Policy, Postgres, Release,
Scanner, Storage, Vex) and their backing library counterparts (AI, Attestation,
Authority, Core, Cryptography, Database, Docker, Integration, Notify,
Observability, Security, ServiceGraph, Sources, Verification).

Each check now emits structured remediation metadata (severity, category,
runbook links, and fix suggestions) consumed by the Doctor dashboard
remediation panel.

Also adds:
- docs/doctor/articles/ knowledge base for check explanations
- Advisory AI search seed and allowlist updates for doctor content
- Sprint plan for doctor checks documentation

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

docs/doctor/articles/storage/evidence-locker-write.md

@@ -0,0 +1,83 @@
+---
+checkId: check.storage.evidencelocker
+plugin: stellaops.doctor.storage
+severity: fail
+tags: [storage, evidence, write, permissions]
+---
+# Evidence Locker Write Access
+
+## What It Checks
+Verifies evidence locker write permissions and performance. The check:
+
+- Reads the evidence locker path from `EvidenceLocker:Path` or `Storage:EvidencePath`.
+- Creates the directory if it does not exist.
+- Writes a test file, reads it back to verify content integrity, and measures latency.
+- **Fails** if the directory cannot be created, writes are denied (`UnauthorizedAccessException`), or content read-back does not match (storage corruption).
+- **Warns** if write latency exceeds 100ms (elevated I/O latency, e.g., slow NFS/CIFS backend).
+- Cleans up the test file after the check.
+
+The check only runs when an evidence locker path is configured.
+
+## Why It Matters
+The evidence locker stores cryptographically signed release evidence -- attestations, SBOM snapshots, policy evaluation results, and audit trails. If the locker is not writable, releases cannot produce verifiable evidence, blocking policy-gated promotions and breaking auditability guarantees. This is a severity-fail check because evidence integrity is a core platform invariant.
+
+## Common Causes
+- Insufficient file system permissions
+- Directory owned by a different user
+- SELinux/AppArmor blocking writes
+- Disk full
+- Filesystem mounted read-only
+- Slow network-attached storage (NFS/CIFS) causing high latency
+
+## How to Fix
+
+### Docker Compose
+```yaml
+environment:
+  EvidenceLocker__Path: "/var/lib/stellaops/evidence"
+volumes:
+  - evidence-data:/var/lib/stellaops/evidence
+```
+
+```bash
+# Check permissions inside container
+docker exec <platform-container> ls -la /var/lib/stellaops/evidence
+
+# Fix permissions
+docker exec <platform-container> chown -R stellaops:stellaops /var/lib/stellaops/evidence
+```
+
+### Bare Metal / systemd
+```bash
+# Create directory
+mkdir -p /var/lib/stellaops/evidence
+
+# Set ownership and permissions
+chown -R stellaops:stellaops /var/lib/stellaops/evidence
+chmod 750 /var/lib/stellaops/evidence
+
+# Check disk space
+df -h /var/lib/stellaops/evidence
+
+# Check mount status
+mount | grep $(df --output=source /var/lib/stellaops/evidence | tail -1)
+```
+
+### Kubernetes / Helm
+```yaml
+evidenceLocker:
+  path: "/var/lib/stellaops/evidence"
+  persistence:
+    enabled: true
+    size: 50Gi
+    storageClass: "fast-ssd"  # use fast storage to avoid latency warnings
+```
+
+## Verification
+```
+stella doctor run --check check.storage.evidencelocker
+```
+
+## Related Checks
+- `check.storage.diskspace` — verifies sufficient disk space is available
+- `check.storage.backup` — verifies backup directory accessibility