# Doctor Check Quality Improvements (Real Diagnostics Replacing Mocks)

## Module
Doctor

## Status
IMPLEMENTED

## Description
Replaced mock implementations in PolicyEngineHealthCheck, OidcProviderConnectivityCheck, and FipsComplianceCheck with real diagnostic logic. Added discriminating evidence fields for AI reasoning and safety annotations (IsDestructive/DryRunVariant) for destructive remediation commands.

## Implementation Details
- **Policy engine check**: `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Policy/Checks/PolicyEngineHealthCheck.cs`
- **OIDC connectivity check**: `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Auth/Checks/OidcProviderConnectivityCheck.cs`
- **FIPS compliance check**: `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Crypto/Checks/FipsComplianceCheck.cs`
- **Other crypto checks**: eIDAS (`EidasComplianceCheck.cs`), GOST (`GostAvailabilityCheck.cs`), HSM (`HsmPkcs11AvailabilityCheck.cs`), SM crypto (`SmCryptoAvailabilityCheck.cs`)
- **Remediation models**: `src/__Libraries/StellaOps.Doctor/Models/RemediationStep.cs` -- includes IsDestructive/DryRunVariant safety annotations
- **Source**: SPRINT_20260118_015_Doctor_check_quality_improvements.md

## E2E Test Plan
- [ ] Verify PolicyEngineHealthCheck performs real diagnostic (not mock)
- [ ] Test OidcProviderConnectivityCheck actually probes OIDC endpoint
- [ ] Verify FipsComplianceCheck validates FIPS mode status
- [ ] Test remediation commands include safety annotations (IsDestructive, DryRunVariant)