stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

Doctor plugin checks: implement health check classes and documentation

Browse Source 
Implement remediation-aware health checks across all Doctor plugin modules
(Agent, Attestor, Auth, BinaryAnalysis, Compliance, Crypto, Environment,
EvidenceLocker, Notify, Observability, Operations, Policy, Postgres, Release,
Scanner, Storage, Vex) and their backing library counterparts (AI, Attestation,
Authority, Core, Cryptography, Database, Docker, Integration, Notify,
Observability, Security, ServiceGraph, Sources, Verification).

Each check now emits structured remediation metadata (severity, category,
runbook links, and fix suggestions) consumed by the Doctor dashboard
remediation panel.

Also adds:
- docs/doctor/articles/ knowledge base for check explanations
- Advisory AI search seed and allowlist updates for doctor content
- Sprint plan for doctor checks documentation

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
master
2026-03-27 12:28:00 +02:00
parent fbd24e71de
commit c58a236d70
326 changed files with 18500 additions and 463 deletions
Download Patch File Download Diff File Expand all files Collapse all files

36
docs/doctor/articles/timestamping/tst-deprecated-algorithms.md Normal file
View File

@@ -0,0 +1,36 @@
---
checkId: check.timestamp.evidence.tst.deprecated-algo
plugin: stellaops.doctor.timestamping
severity: warn
tags: [timestamping, evidence, tst, algorithm, deprecated]
---
# TST Deprecated Algorithms
## What It Checks
Detects timestamps using deprecated hash algorithms (default: SHA1). Fails if the count exceeds the critical threshold (default 10), otherwise warns.
## Why It Matters
Timestamps using deprecated algorithms like SHA1 are vulnerable to collision attacks. Compliance frameworks (eIDAS, FIPS) may reject evidence signed with deprecated algorithms, blocking release attestation verification.
## Common Causes
- Legacy artifacts timestamped with older TSA configurations
- TSA provider still using SHA1 by default
- Migration to SHA-256 not yet completed
## How to Fix
Re-timestamp affected artifacts using approved algorithms:
```bash
stella retimestamp run --algorithm SHA256 --filter deprecated-algo
```
Ensure TSA providers are configured to use SHA-256 or stronger.
## Verification
```
stella doctor run --check check.timestamp.evidence.tst.deprecated-algo
```
## Related Checks
- `check.timestamp.evidence.staleness` — aggregated evidence staleness check
- `check.timestamp.tsa.valid-response` — verifies TSA returns valid responses