---
checkId: check.verification.policy.engine
plugin: stellaops.doctor.verification
severity: fail
tags: [verification, policy, vex, compliance]
---

# Policy Engine Evaluation

## What It Checks

Requires the verification plugin plus a configured test artifact. In offline mode it looks for policy results inside the exported bundle. In online mode it validates `Policy:Engine:Enabled`, a policy reference, and `Policy:VexAware`.

The check fails when the policy engine is disabled, warns when no policy reference is configured or when VEX-aware evaluation is off, and passes when all of these prerequisites are present.

## Why It Matters

Release verification is only trustworthy if the same policy engine and VEX rules used in production can be exercised by Doctor. If Doctor evaluates against a different policy, or ignores VEX statements the production gate honours, a passing verification says nothing about what release orchestration will actually decide.

## Common Causes

- `Policy__Engine__Enabled` (the environment-variable form of `Policy:Engine:Enabled`) is false
- No default or test policy reference is configured
- Policy rules were not updated to account for VEX justifications

## How to Fix

### Docker Compose

```yaml
services:
  doctor-web:
    environment:
      Policy__Engine__Enabled: "true"
      Policy__DefaultPolicyRef: policy://default/release-gate
      Policy__VexAware: "true"
      Doctor__Plugins__Verification__PolicyTest__PolicyRef: policy://default/release-gate
```

If you use offline verification, export the bundle with policy data included before copying it into the air-gapped environment; a bundle exported without policy results cannot satisfy this check.

### Bare Metal / systemd

Keep the Doctor policy reference aligned with the policy engine configuration used by release orchestration.

### Kubernetes / Helm

Store the policy ref in ConfigMaps and enforce the same value across the policy engine and Doctor service.

## Verification

```bash
stella doctor --check check.verification.policy.engine
```

## Related Checks

- `check.verification.vex.validation` - VEX-aware policy only helps if VEX collection works
- `check.verification.sbom.validation` - policy evaluation usually consumes SBOM and vulnerability evidence
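The fail/warn/pass rules described under "What It Checks", modelled as an added example. This is illustration code written for this page, not the StellaOps Doctor implementation. It assumes the usual mapping of `Policy__Engine__Enabled`-style environment variables onto `Policy:Engine:Enabled` configuration keys (double underscore to colon, case-insensitive keys), treats a mismatch between `Policy:DefaultPolicyRef` and the Doctor test policy reference as a warning (an assumption drawn from the "How to Fix" guidance, not a rule the page states), and uses a hypothetical `policy_results` field to represent policy data inside an exported bundle. The sample environments and bundle are constructed.

```python
"""Illustrative model of the check.verification.policy.engine decision logic.

Added example, not StellaOps Doctor code. Assumptions: ASP.NET-style
environment-to-configuration mapping (Policy__Engine__Enabled ->
Policy:Engine:Enabled), a warning on policy-reference drift between the
engine and Doctor, and a hypothetical `policy_results` bundle field.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Configuration keys named on the page.
ENGINE_ENABLED = "Policy:Engine:Enabled"
DEFAULT_POLICY_REF = "Policy:DefaultPolicyRef"
VEX_AWARE = "Policy:VexAware"
DOCTOR_POLICY_REF = "Doctor:Plugins:Verification:PolicyTest:PolicyRef"


@dataclass
class CheckResult:
    status: str                                  # "pass", "warn" or "fail"
    messages: List[str] = field(default_factory=list)


def env_to_config(env: Dict[str, str]) -> Dict[str, str]:
    """Turn Policy__Engine__Enabled=... variables into colon-separated keys.

    Keys are normalised to lower case because configuration lookups are
    case-insensitive; values are left untouched (policy refs are case-sensitive).
    """
    return {k.replace("__", ":").lower(): v for k, v in env.items()}


def as_bool(value: Optional[str]) -> Optional[bool]:
    """Parse the string booleans a container environment carries; None if unparseable."""
    if value is None:
        return None
    v = value.strip().lower()
    if v in ("true", "1", "yes"):
        return True
    if v in ("false", "0", "no"):
        return False
    return None


def evaluate_online(env: Dict[str, str]) -> CheckResult:
    """Online mode: validate the engine flag, a policy reference and VEX awareness."""
    cfg = env_to_config(env)

    def get(key: str) -> Optional[str]:
        return cfg.get(key.lower())

    # Hard failure: nothing downstream is meaningful with the engine off.
    if as_bool(get(ENGINE_ENABLED)) is not True:
        return CheckResult("fail", [f"{ENGINE_ENABLED} is not true (got {get(ENGINE_ENABLED)!r})"])

    messages: List[str] = []
    default_ref = get(DEFAULT_POLICY_REF)
    test_ref = get(DOCTOR_POLICY_REF)
    if not (default_ref or test_ref):
        messages.append("no default or test policy reference is configured")
    elif default_ref and test_ref and default_ref != test_ref:
        # Assumption: drift between the engine's policy and Doctor's test policy
        # is surfaced as a warning, since the two would then gate on different rules.
        messages.append(f"{DOCTOR_POLICY_REF} ({test_ref}) differs from {DEFAULT_POLICY_REF} ({default_ref})")

    if as_bool(get(VEX_AWARE)) is not True:
        messages.append(f"{VEX_AWARE} is off; VEX justifications will not influence evaluation")

    return CheckResult("warn" if messages else "pass", messages)


def evaluate_offline(bundle: dict) -> CheckResult:
    """Offline mode: require policy results inside the exported bundle.

    `policy_results` is a hypothetical field name standing in for whatever the
    export format actually carries; an absent or empty value means the bundle
    was exported without policy data.
    """
    if not bundle.get("policy_results"):
        return CheckResult("fail", ["exported bundle carries no policy results; re-export with policy data included"])
    return CheckResult("pass", [])


# Constructed sample inputs: the Compose environment from the page, plus two misconfigurations.
COMPOSE_ENV = {
    "Policy__Engine__Enabled": "true",
    "Policy__DefaultPolicyRef": "policy://default/release-gate",
    "Policy__VexAware": "true",
    "Doctor__Plugins__Verification__PolicyTest__PolicyRef": "policy://default/release-gate",
}
ENGINE_OFF_ENV = {"Policy__Engine__Enabled": "false", "Policy__VexAware": "true"}
NO_REF_ENV = {"Policy__Engine__Enabled": "true"}

if __name__ == "__main__":
    for name, env in (("compose", COMPOSE_ENV), ("engine-off", ENGINE_OFF_ENV), ("no-ref", NO_REF_ENV)):
        r = evaluate_online(env)
        print(f"{name}: {r.status} {r.messages}")
    print("offline-empty:", evaluate_offline({}).status)
```

Running the module prints `pass` for the Compose environment, `fail` for the disabled engine and `warn` with two messages for the environment that has neither a policy reference nor VEX-aware evaluation; the offline branch fails on an empty bundle. The `is not True` comparisons are deliberate: an unparseable or missing flag is treated the same as an explicit `false`, so a typo such as `Policy__Engine__Enabled: "ture"` cannot silently pass.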