Doctor plugin checks: implement health check classes and documentation

Implement remediation-aware health checks across all Doctor plugin modules
(Agent, Attestor, Auth, BinaryAnalysis, Compliance, Crypto, Environment,
EvidenceLocker, Notify, Observability, Operations, Policy, Postgres, Release,
Scanner, Storage, Vex) and their backing library counterparts (AI, Attestation,
Authority, Core, Cryptography, Database, Docker, Integration, Notify,
Observability, Security, ServiceGraph, Sources, Verification).

Each check now emits structured remediation metadata (severity, category,
runbook links, and fix suggestions) consumed by the Doctor dashboard
remediation panel.

Also adds:
- docs/doctor/articles/ knowledge base for check explanations
- Advisory AI search seed and allowlist updates for doctor content
- Sprint plan for doctor checks documentation

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
master
2026-03-27 12:28:00 +02:00
parent fbd24e71de
commit c58a236d70
326 changed files with 18500 additions and 463 deletions

@@ -0,0 +1,53 @@
---
checkId: check.timestamp.crl.distribution
plugin: stellaops.doctor.timestamping
severity: warn
tags: [timestamping, crl, distribution, revocation]
---
# CRL Distribution Point Availability
## What It Checks
Checks that configured CRL distribution points are accessible. The check:
- Gets configured CDPs from the registry.
- Sends a HEAD request to each CDP URL with a 30-second timeout.
- Reports response status, latency, and CRL size (from Content-Length).
- Fails if all CDPs are unavailable. Warns if some are unavailable.
- Passes (healthy) if no CDPs are configured (optional feature).
## Why It Matters
CRL distribution points provide certificate revocation lists needed to verify that TSA certificates have not been revoked. If CDPs are unavailable, the system cannot download updated CRLs, potentially accepting timestamps from revoked certificates.
## Common Causes
- CRL distribution point server is down
- Network connectivity issues
- Firewall blocking HTTP/HTTPS to CDP URLs
- CDP URL changed by the CA
## How to Fix
### Docker Compose
```bash
docker exec <platform-container> curl -I http://crl.example.com/crl.pem
```
### Bare Metal / systemd
```bash
# Test CDP connectivity
curl -I http://crl.example.com/crl.pem
# Check network and DNS
nslookup crl.example.com
```
### Kubernetes / Helm
Ensure egress NetworkPolicies allow traffic to CRL distribution point URLs.
## Verification
```
stella doctor run --check check.timestamp.crl.distribution
```
## Related Checks
- `check.timestamp.ocsp.responder` — checks OCSP responder availability
- `check.timestamp.revocation.cache-fresh` — checks revocation cache freshness
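Review bot: the pass condition "Passes (healthy) if no CDPs are configured (optional feature)" sits uneasily with the "Why It Matters" paragraph, which says that without CRL downloads the system may accept timestamps from revoked TSA certificates; consider reporting the unconfigured case as an informational result rather than healthy, or state in the article that `check.timestamp.ocsp.responder` is expected to cover revocation when no CDP is set. Two smaller documentation points in the same file: the "How to Fix" sections only show diagnostic `curl -I` and `nslookup` commands and never say how to update a CDP URL in the registry, although "CDP URL changed by the CA" is listed under "Common Causes"; and the "Verification" fence should carry the ```bash tag used by the other fences. Finally, since the check reads CRL size from Content-Length on a HEAD response, the "What It Checks" list should say that the size is reported only when the server returns that header, as HEAD responses are not guaranteed to include it.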