c58a236d70
Implement remediation-aware health checks across all Doctor plugin modules (Agent, Attestor, Auth, BinaryAnalysis, Compliance, Crypto, Environment, EvidenceLocker, Notify, Observability, Operations, Policy, Postgres, Release, Scanner, Storage, Vex) and their backing library counterparts (AI, Attestation, Authority, Core, Cryptography, Database, Docker, Integration, Notify, Observability, Security, ServiceGraph, Sources, Verification). Each check now emits structured remediation metadata (severity, category, runbook links, and fix suggestions) consumed by the Doctor dashboard remediation panel. Also adds: - docs/doctor/articles/ knowledge base for check explanations - Advisory AI search seed and allowlist updates for doctor content - Sprint plan for doctor checks documentation Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1.1 KiB
1.1 KiB
checkId, plugin, severity, tags
| checkId | plugin | severity | tags | ||||
|---|---|---|---|---|---|---|---|
| check.timestamp.evidence.tst.expiry | stellaops.doctor.timestamping | warn |
|
TST Approaching Expiry
What It Checks
Detects timestamp tokens approaching signing certificate expiry. Fails if timestamps are within the critical window (default 90 days), warns if within the warning window (default 180 days).
Why It Matters
Expired timestamp tokens cannot be validated by relying parties. Artifacts with expired timestamps lose their temporal proof, which may invalidate compliance evidence.
Common Causes
- TSA signing certificates approaching end-of-life
- Re-timestamp jobs not scheduled or failing
How to Fix
Run the retimestamp workflow to refresh expiring artifacts:
stella retimestamp run --expiring-within 180d
Schedule automatic re-timestamping before expiry.
Verification
stella doctor run --check check.timestamp.evidence.tst.expiry
Related Checks
check.timestamp.evidence.staleness— aggregated evidence staleness checkcheck.timestamp.tsa.cert-expiry— checks TSA certificate expiry