stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
7be4e855d69f59ea7837af96fef37fdac63a41fe
git.stella-ops.org/docs/features/unimplemented/doctor/doctor-check-quality-improvements.md
master 5bca406787 save checkpoint: save features
2026-02-12 10:27:23 +02:00

1.9 KiB
Raw Blame History

Doctor Check Quality Improvements (Real Diagnostics Replacing Mocks)

Module

Doctor

Status

PARTIALLY_IMPLEMENTED

Description

Replaced mock implementations in PolicyEngineHealthCheck, OidcProviderConnectivityCheck, and FipsComplianceCheck with real diagnostic logic. Added discriminating evidence fields for AI reasoning and safety annotations (IsDestructive/DryRunVariant) for destructive remediation commands.

Implementation Details

  • Policy engine check: src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Policy/Checks/PolicyEngineHealthCheck.cs
  • OIDC connectivity check: src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Auth/Checks/OidcProviderConnectivityCheck.cs
  • FIPS compliance check: src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Crypto/Checks/FipsComplianceCheck.cs
  • Other crypto checks: eIDAS (EidasComplianceCheck.cs), GOST (GostAvailabilityCheck.cs), HSM (HsmPkcs11AvailabilityCheck.cs), SM crypto (SmCryptoAvailabilityCheck.cs)
  • Remediation models: src/__Libraries/StellaOps.Doctor/Models/RemediationStep.cs -- includes IsDestructive/DryRunVariant safety annotations
  • Source: SPRINT_20260118_015_Doctor_check_quality_improvements.md

E2E Test Plan

  • Verify PolicyEngineHealthCheck performs real diagnostic (not mock)
  • Test OidcProviderConnectivityCheck actually probes OIDC endpoint
  • Verify FipsComplianceCheck validates FIPS mode status
  • Test remediation commands include safety annotations (IsDestructive, DryRunVariant)

Verification Outcome

  • Run: un-001 on 2026-02-11 UTC.
  • Tier 1 code review found claim parity gaps: Policy/Crypto plugin project roots are missing and runtime registration does not expose check.policy.engine, check.auth.oidc, or check.crypto.fips.
  • Tier 2 API verification was blocked because Doctor WebService startup fails DI validation in timestamping plugin dependencies, preventing endpoint-level validation.