audit, advisories and doctors/setup work

docs/modules/release-orchestrator/modules/integration-hub.md

@@ -169,12 +169,18 @@ message ResolveResponse {
 
 **Doctor Check Output**:
 ```typescript
+interface DoctorHowToFix {
+  summary: string;
+  commands: string[];
+}
+
 interface DoctorCheckResult {
   checkType: string;
   status: "pass" | "warn" | "fail";
   message: string;
   details: Record<string, any>;
   suggestions: string[];
+  howToFix?: DoctorHowToFix;
   runAt: DateTime;
   durationMs: number;
 }
@@ -183,10 +189,33 @@ interface DoctorReport {
   integrationId: UUID;
   overallStatus: "healthy" | "degraded" | "unhealthy";
   checks: DoctorCheckResult[];
+  evidenceLog?: {
+    jsonlPath: string;
+    dssePath?: string;
+  };
   generatedAt: DateTime;
 }
 ```
 
+Doctor JSON output for CLI/agents uses `how_to_fix` (snake case) as the alias of
+`howToFix` to preserve verbatim fix commands.
+Doctor fix executes only non-destructive commands; destructive steps are manual
+and never executed by Doctor.
+Evidence logs include `doctor_command`, and DSSE summaries include the same
+operator-invoked command note.
+
+**Declarative Packs (YAML)**:
+- Packs live in `plugins/doctor/*.yaml` and are discoverable by env/file gating.
+- `checks[].run.exec` executes CLI commands; `checks[].parse` defines pass/fail.
+- `checks[].how_to_fix.commands[]` must be printed verbatim and remain deterministic.
+
+Sample manifest:
+- `docs/benchmarks/doctor/doctor-plugin-release-orchestrator-gitlab.yaml`
+
+**Evidence Artifacts**:
+- JSONL evidence log per run (local by default).
+- Optional DSSE summary for audit export.
+
 ---
 
 ## Cache Eviction Policies