Merge branch 'main' of https://git.stella-ops.org/stella-ops.org/git.stella-ops.org

docs/implplan/blocked_tree.md

@@ -1,4 +1,8 @@
-# Blocked Task Dependency Tree (as of 2025-11-30)
+# Blocked Task Dependency Tree (as of 2025-12-07)
+
+Updated 2025-12-07: FEEDCONN-ICSCISA-02-012/KISA-02-008 unblocked (ICS/KISA SOP v0.2); tracked in SPRINT_0113 row 18 and SPRINT_0503 feed ops tasks.
+
+Updated 2025-12-07: RISK-BUNDLE-69-002/70-001/70-002 unblocked (SPRINT_0164 tasks 13-15); RISK-BUNDLE-69-001 DONE. Wave 3 can proceed.
 
 - Concelier ingestion & Link-Not-Merge
   - MIRROR-CRT-56-001 (DONE; thin bundle v1 sample + hashes published)
@@ -11,9 +15,8 @@
     - AIRGAP-TIME-57-001 (DEV-UNBLOCKED: schema + trust-roots bundle + service config present; production trust roots/signing still needed)
     - EXPORT-OBS-51-001 / 54-001 (DEV-UNBLOCKED: DSSE/TUF profile + test-signed bundle available; release promotion now tracked under DevOps secret import)
     - CLI-AIRGAP-56-001 (DEV-UNBLOCKED: dev bundles available; release promotion depends on DevOps secret import + 58-001 CLI path)
-  - CONCELIER-AIRGAP-56-001..58-001 <- PREP-ART-56-001, PREP-EVIDENCE-BDL-01
-  - CONCELIER-CONSOLE-23-001..003 <- PREP-CONSOLE-FIXTURES-29; PREP-EVIDENCE-BDL-01
-  - FEEDCONN-ICSCISA-02-012 / KISA-02-008 <- PREP-FEEDCONN-ICS-KISA-PLAN
+  - CONCELIER-AIRGAP-56-001..58-001 ✅ (DONE 2025-12-07; mirror/offline provenance chain + sealed-mode deploy runbook)
+  - CONCELIER-CONSOLE-23-001..003 ✅ (DONE 2025-12-07; console advisory aggregation/search helpers + consumption contract)
 
 - SBOM Service (Link-Not-Merge consumers)
   - SBOM-SERVICE-21-001 (projection read API) — DONE (2025-11-23): WAF aligned with fixtures + in-memory repo fallback; `ProjectionEndpointTests` pass.
@@ -33,13 +36,14 @@
     - TASKRUN-OBS-54-001 BLOCKED (2025-11-30): waiting on TASKRUN-OBS-53-001 timeline/attestation schema from Sprint 0157.
     - TASKRUN-OBS-55-001 BLOCKED (2025-11-30): depends on 54-001.
     - TASKRUN-TEN-48-001 BLOCKED (2025-11-30): tenancy policy/RLS-egress contract not yet published; also waits for Sprint 0157 close-out.
-  - CONCELIER-VULN-29-004 <- CONCELIER-VULN-29-001
   - CONCELIER-ORCH-32-001 (needs CI/clean runner) -> 32-002 -> 33-001 -> 34-001
   - CONCELIER mirror/export chain
     - CONCELIER-MIRROR-23-001-DEV (DONE; dev mirror layout documented at `docs/modules/concelier/mirror-export.md`, endpoints serve static bundles)
     - DEVOPS-MIRROR-23-001-REL (release signing/publish tracked under DevOps; not a development blocker)
   - Concelier storage/backfill/object-store chain
-    - CONCELIER-LNM-21-101-DEV/102-DEV/103-DEV (BLOCKED on CI runner and upstream tasks)
+    - CONCELIER-LNM-21-101-DEV ✅ (DONE 2025-11-27; sharding + TTL migration)
+    - CONCELIER-LNM-21-102-DEV ✅ (DONE 2025-11-28; migration + tombstones + rollback)
+    - CONCELIER-LNM-21-103-DEV ✅ (DONE 2025-12-06; object storage + S3ObjectStore)
   - Concelier backfill chain (Concelier IV)
     - CONCELIER-STORE-AOC-19-005-DEV (BLOCKED pending dataset hash/rehearsal)
 
@@ -49,8 +53,8 @@
   - CONCELIER-WEB-OBS-50-001 ✅ (telemetry core adopted 2025-11-07) -> 51-001 ✅ (health endpoint shipped 2025-11-23) -> 52-001
 
 - Advisory AI docs & packaging
-  - AIAI-PACKAGING-31-002 & AIAI-DOCS-31-001 <- SBOM feeds + CLI/Policy artefacts
-  - DOCS-AIAI-31-005 -> 31-006 -> 31-008 -> 31-009 (all gated by DOCS-UNBLOCK-CLI-KNOBS-301 <- CLI-VULN-29-001; CLI-VEX-30-001; POLICY-ENGINE-31-001)
+  - AIAI-PACKAGING-31-002 & AIAI-DOCS-31-001 <- SBOM feeds + DEVOPS-AIAI-31-001 (CLI-VULN-29-001/CLI-VEX-30-001 landed via Sprint 0205 on 2025-12-06; POLICY-ENGINE-31-001 delivered 2025-11-23)
+  - DOCS-AIAI-31-005 -> 31-006 -> 31-008 -> 31-009 (DOCS-UNBLOCK-CLI-KNOBS-301 satisfied: CLI-VULN-29-001/CLI-VEX-30-001 delivered 2025-12-06; POLICY-ENGINE-31-001 delivered 2025-11-23; remaining gate: DEVOPS-AIAI-31-001 rollout)
 
 - Policy Engine (core) chain
   - POLICY-ENGINE-29-003 implemented (path-scope streaming endpoint live); downstream tasks 29-004+ remain open but unblocked.