---
checkId: check.storage.evidencelocker
plugin: stellaops.doctor.storage
severity: fail
tags: [storage, evidence, write, permissions]
---
# Evidence Locker Write Access

## What It Checks
Verifies evidence locker write permissions and performance. The check:

- Reads the evidence locker path from `EvidenceLocker:Path` or `Storage:EvidencePath`.
- Creates the directory if it does not exist.
- Writes a test file, reads it back to verify content integrity, and measures latency.
- **Fails** if the directory cannot be created, writes are denied (`UnauthorizedAccessException`), or content read-back does not match (storage corruption).
- **Warns** if write latency exceeds 100ms (elevated I/O latency, e.g., slow NFS/CIFS backend).
- Cleans up the test file after the check.

The check only runs when an evidence locker path is configured.

## Why It Matters
The evidence locker stores cryptographically signed release evidence -- attestations, SBOM snapshots, policy evaluation results, and audit trails. If the locker is not writable, releases cannot produce verifiable evidence, blocking policy-gated promotions and breaking auditability guarantees. This is a severity-fail check because evidence integrity is a core platform invariant.

## Common Causes
- Insufficient file system permissions
- Directory owned by a different user
- SELinux/AppArmor blocking writes
- Disk full
- Filesystem mounted read-only
- Slow network-attached storage (NFS/CIFS) causing high latency

## How to Fix

### Docker Compose
```yaml
environment:
  EvidenceLocker__Path: "/var/lib/stellaops/evidence"
volumes:
  - evidence-data:/var/lib/stellaops/evidence
```

```bash
# Check permissions inside container
docker exec <platform-container> ls -la /var/lib/stellaops/evidence

# Fix permissions
docker exec <platform-container> chown -R stellaops:stellaops /var/lib/stellaops/evidence
```

### Bare Metal / systemd
```bash
# Create directory
mkdir -p /var/lib/stellaops/evidence

# Set ownership and permissions
chown -R stellaops:stellaops /var/lib/stellaops/evidence
chmod 750 /var/lib/stellaops/evidence

# Check disk space
df -h /var/lib/stellaops/evidence

# Check mount status
mount | grep $(df --output=source /var/lib/stellaops/evidence | tail -1)
```

### Kubernetes / Helm
```yaml
evidenceLocker:
  path: "/var/lib/stellaops/evidence"
  persistence:
    enabled: true
    size: 50Gi
    storageClass: "fast-ssd"  # use fast storage to avoid latency warnings
```

## Verification
```
stella doctor run --check check.storage.evidencelocker
```

## Related Checks
- `check.storage.diskspace` — verifies sufficient disk space is available
- `check.storage.backup` — verifies backup directory accessibility