# Doctor Compose Baseline

## Evidence
- Runtime source: local default stack reachable at `http://127.1.0.26/api/v1/doctor`.
- Catalog snapshot: `GET /api/v1/doctor/checks` on 2026-03-31.
- Baseline run: `dr_20260331_195122_99ff09`.
- Duration: `12103ms`.

## Baseline Summary
| Status | Count |
| --- | ---: |
| `pass` | 10 |
| `info` | 7 |
| `warn` | 10 |
| `fail` | 4 |
| `skip` | 70 |
| `total` | 101 |

## Capture Notes
- This baseline was captured from the locally running default compose stack, not from a second fresh stack.
- A parallel `docker compose up` was not used because `devops/compose/docker-compose.stella-ops.yml` hardcodes container names, which would conflict with the already running environment.
- The runtime catalog currently exposes `101` checks across `14` plugins. That supersedes the stale sprint text that still referenced `99` checks across `16` plugins.

## Observed Failures
| Check ID | Diagnosis | Notes |
| --- | --- | --- |
| `check.core.config.required` | Missing 2 required setting(s) | Missing `ConnectionStrings:DefaultConnection` and `Logging:LogLevel:Default` in the captured runtime. |
| `check.docker.daemon` | Cannot connect to Docker daemon: Connection failed | Doctor ran without a reachable Docker daemon socket. |
| `check.docker.socket` | 1 Docker socket issue(s) | `/var/run/docker.sock` was absent in the captured container context. |
| `check.security.secrets` | 2 secrets management issue(s) found | The runtime reported no secrets provider plus a potential plain-text connection string. |

## Observed Warnings
| Check ID | Diagnosis |
| --- | --- |
| `check.attestation.clock.skew` | System clock is off by 5.5 seconds (threshold: 5s) |
| `check.binaryanalysis.buildinfo.cache` | Debian buildinfo services are reachable but cache directory does not exist |
| `check.binaryanalysis.corpus.kpi.baseline` | KPI baseline directory does not exist: `/var/lib/stella/baselines` |
| `check.binaryanalysis.corpus.mirror.freshness` | Corpus mirrors directory does not exist: `/var/lib/stella/mirrors` |
| `check.binaryanalysis.ddeb.enabled` | Ubuntu ddeb repository is not configured but `ddebs.ubuntu.com` is reachable |
| `check.core.env.variables` | No environment configuration variables detected |
| `check.observability.logging` | 1 logging configuration issue(s) |
| `check.security.audit.logging` | 2 audit logging issue(s) |
| `check.security.cors` | 1 CORS configuration issue(s) found |
| `check.security.headers` | 5 security header(s) not configured |

## Observed Informational Results
| Check ID | Diagnosis |
| --- | --- |
| `check.binaryanalysis.debuginfod.available` | `DEBUGINFOD_URLS` not configured but default Fedora debuginfod is reachable |
| `check.binaryanalysis.symbol.recovery.fallback` | Symbol recovery operational with 1/3 sources available |
| `check.observability.alerting` | No alerting destinations configured |
| `check.observability.metrics` | Metrics configuration not found |
| `check.observability.otel` | OpenTelemetry endpoint not configured |
| `check.security.ratelimit` | Rate limiting configuration not found |
| `check.servicegraph.circuitbreaker` | Circuit breakers not configured |

## Healthy Baseline Results
The captured runtime returned `pass` for:

- `check.core.config.loaded`
- `check.core.crypto.available`
- `check.core.env.diskspace`
- `check.core.env.memory`
- `check.core.services.dependencies`
- `check.observability.healthchecks`
- `check.observability.tracing`
- `check.security.tls.certificate`
- `check.servicegraph.timeouts`
- `check.servicegraph.valkey`

## Skipped Checks
- `70` checks were skipped because the captured local stack did not provide the required runtime context, credentials, test artifacts, or dependent services.
- Skips are expected for the database, integration, release, scanner, and verification groups when the default local stack is not fully wired for end-to-end release validation.

## Follow-Up
- Use [the runtime check index](./checks/README.md) to map each runtime check to its article.
- Rebuild and rerun the Doctor services before claiming a fresh-stack zero-false-positive baseline; this document only records the captured live baseline from 2026-03-31.