Doctor plugin checks: implement health check classes and documentation

Implement remediation-aware health checks across all Doctor plugin modules (Agent, Attestor, Auth, BinaryAnalysis, Compliance, Crypto, Environment, EvidenceLocker, Notify, Observability, Operations, Policy, Postgres, Release, Scanner, Storage, Vex) and their backing library counterparts (AI, Attestation, Authority, Core, Cryptography, Database, Docker, Integration, Notify, Observability, Security, ServiceGraph, Sources, Verification).

Each check now emits structured remediation metadata (severity, category, runbook links, and fix suggestions) consumed by the Doctor dashboard remediation panel.

Also adds:
- docs/doctor/articles/ knowledge base for check explanations
- Advisory AI search seed and allowlist updates for doctor content
- Sprint plan for doctor checks documentation

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
57
docs/doctor/articles/timestamping/qts-providers-qualified.md
Normal file
@@ -0,0 +1,57 @@
---
checkId: check.timestamp.eidas.qts.qualified
plugin: stellaops.doctor.timestamping
severity: fail
tags: [timestamping, eidas, qts, qualification, compliance]
---
# QTS Providers Qualification
## What It Checks
Checks that configured qualified TSA providers are still listed on the EU Trust List. The check:
- Gets qualified TSA providers from the registry.
- For each provider, queries the trust list cache for current qualification status.
- Fails if any provider is no longer qualified (withdrawn, suspended, or not found).
- Passes if no qualified providers are configured (optional feature) or all are still qualified.
## Why It Matters
Under eIDAS regulation, only qualified TSA providers can produce timestamps with legal effect equivalent to handwritten signatures. If a provider loses qualification, timestamps from that provider no longer meet eIDAS compliance requirements, potentially invalidating evidence used for regulated releases.
## Common Causes
- TSA provider's qualified status withdrawn by a supervisory body
- Provider suspended due to compliance issues
- Provider not yet (re-)listed on the current trust list version
- Trust list cache is stale (check `check.timestamp.eidas.trustlist.fresh`)
## How to Fix
### Docker Compose
```bash
# Refresh trust list first
docker exec <platform-container> stella trust-list refresh
# Check provider status
docker exec <platform-container> stella tsa qualification status
```
### Bare Metal / systemd
```bash
stella trust-list refresh
stella tsa qualification status
# Replace non-qualified provider
stella tsa remove --name "Withdrawn Provider"
stella tsa add --name "New QTS" --url "https://new-qualified-tsa.eu/tsr" --qualified
```
### Kubernetes / Helm
Update TSA provider configuration to use only qualified providers.
## Verification
```
stella doctor run --check check.timestamp.eidas.qts.qualified
```
## Related Checks
- `check.timestamp.eidas.trustlist.fresh` — checks EU Trust List freshness
- `check.timestamp.eidas.qts.status-change` — alerts on qualification status changes
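
Review bot: The "Why It Matters" paragraph says qualified timestamps have "legal effect equivalent to handwritten signatures", but under eIDAS that equivalence belongs to qualified electronic signatures; a qualified electronic time stamp carries a presumption of the accuracy of the date and time it indicates and of the integrity of the data it is bound to. Suggest rewording to that presumption, and stating whether "timestamps from that provider" covers only timestamps issued after the withdrawal or suspension, since operators will read the sentence as a statement about evidence they already hold. In "How to Fix", the Docker Compose block stops at `stella tsa qualification status` and the Kubernetes / Helm section gives no command at all, while only the bare-metal block shows the remove/add replacement; the three sections should carry the same steps. The sample URL `https://new-qualified-tsa.eu/tsr` uses a registrable domain that readers may paste unchanged; a reserved name such as `tsa.example` is safer in documentation. The Verification fence is also missing the `bash` tag used by the other fences.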