git.stella-ops.org/docs/implplan/blocked_tree.md

# Blocked Task Dependency Tree (as of 2025-11-23)

- Concelier ingestion & Link-Not-Merge
  - MIRROR-CRT-56-001 (DONE; thin bundle v1 sample + hashes published)
    - MIRROR-CRT-56-002 (DONE locally with production-mode flags: DSSE/TUF/OCI signed using provided Ed25519 keyid db9928babf3aeb817ccdcd0f6a6688f8395b00d0e42966e32e706931b5301fc8; artefacts in `out/mirror/thin/`; not blocking development)
    - MIRROR-KEY-56-002-CI (DEVOPS-RELEASE ONLY: add Ed25519 base64 as repo secret `MIRROR_SIGN_KEY_B64` so `.gitea/workflows/mirror-sign.yml` can run with `REQUIRE_PROD_SIGNING=1`; not a development blocker; tracked in Sprint 506)
    - MIRROR-CRT-57-001 (DONE; OCI layout emitted when OCI=1)
    - MIRROR-CRT-57-002 (DEV-UNBLOCKED: time-anchor layer embedded; production signing still waits on MIRROR_SIGN_KEY_B64 and AirGap trust roots)
    - MIRROR-CRT-58-001/002 (depend on 56-002, EXPORT-OBS-54-001, CLI-AIRGAP-56-001)
    - PROV-OBS-53-001 (DONE; observer doc + verifier script)
    - AIRGAP-TIME-57-001 (DEV-UNBLOCKED: schema + trust-roots bundle + service config present; production trust roots/signing still needed)
    - EXPORT-OBS-51-001 / 54-001 (DEV-UNBLOCKED: DSSE/TUF profile + test-signed bundle available; release promotion now tracked under DevOps secret import)
    - CLI-AIRGAP-56-001 (DEV-UNBLOCKED: dev bundles available; release promotion depends on DevOps secret import + 58-001 CLI path)
  - CONCELIER-AIRGAP-56-001..58-001 <- PREP-ART-56-001, PREP-EVIDENCE-BDL-01
  - CONCELIER-CONSOLE-23-001..003 <- PREP-CONSOLE-FIXTURES-29; PREP-EVIDENCE-BDL-01
  - FEEDCONN-ICSCISA-02-012 / KISA-02-008 <- PREP-FEEDCONN-ICS-KISA-PLAN

- SBOM Service (Link-Not-Merge consumers)
  - SBOM-SERVICE-21-001 (projection read API) — DONE (2025-11-23): WAF aligned with fixtures + in-memory repo fallback; `ProjectionEndpointTests` pass.
  - SBOM-SERVICE-21-002..004 — TODO: depend on 21-001 implementation; proceed after projection API lands.

- Concelier orchestrator / policy / risk chain
  - POLICY-20-001 (API contract; DOING in Sprint 0114) -> CONCELIER-POLICY-20-003 -> CONCELIER-POLICY-23-001 -> CONCELIER-POLICY-23-002
  - POLICY-AUTH-SIGNALS-LIB-115 (shared contract NuGet 0.1.0-alpha, Sprint 0115)
    - CONCELIER-RISK-66-001 -> 66-002 -> 67-001 -> 68-001 -> 69-001
    - CONCELIER-SIG-26-001
    - CONCELIER-TEN-48-001
    - CONCELIER-VEXLENS-30-001 (also needs PREP-CONCELIER-VULN-29-001 & VEXLENS-30-005)
  - CONCELIER-VULN-29-004 <- CONCELIER-VULN-29-001
  - CONCELIER-ORCH-32-001 (needs CI/clean runner) -> 32-002 -> 33-001 -> 34-001
  - CONCELIER mirror/export chain
    - CONCELIER-MIRROR-23-001-DEV (DONE; dev mirror layout documented at `docs/modules/concelier/mirror-export.md`, endpoints serve static bundles)
    - DEVOPS-MIRROR-23-001-REL (release signing/publish tracked under DevOps; not a development blocker)
  - Concelier storage/backfill/object-store chain
    - CONCELIER-LNM-21-101-DEV/102-DEV/103-DEV (BLOCKED on CI runner and upstream tasks)
  - Concelier backfill chain (Concelier IV)
    - CONCELIER-STORE-AOC-19-005-DEV (BLOCKED pending dataset hash/rehearsal)

- Concelier Web chains
  - CONCELIER-WEB-AIRGAP-56-001 -> 56-002 -> 57-001 -> 58-001
  - CONCELIER-WEB-OAS-61-002 -> 62-001 -> 63-001
  - CONCELIER-WEB-OBS-50-001 ✅ (telemetry core adopted 2025-11-07) -> 51-001 ✅ (health endpoint shipped 2025-11-23) -> 52-001

- Advisory AI docs & packaging
  - AIAI-PACKAGING-31-002 & AIAI-DOCS-31-001 <- SBOM feeds + CLI/Policy artefacts
  - DOCS-AIAI-31-005 -> 31-006 -> 31-008 -> 31-009 (all gated by DOCS-UNBLOCK-CLI-KNOBS-301 <- CLI-VULN-29-001; CLI-VEX-30-001; POLICY-ENGINE-31-001)

- Policy Engine (core) chain
  - POLICY-ENGINE-29-003 implemented (path-scope streaming endpoint live); downstream tasks 29-004+ remain open but unblocked.
  - POLICY-AOC-19-001 -> 19-002 -> 19-003 -> 19-004
  - POLICY-AIRGAP-56-001 -> 56-002 -> 57-001 -> 57-002 -> 58-001
  - POLICY-ATTEST-73-001 -> 73-002 -> 74-001 -> 74-002
  - POLICY-CONSOLE-23-001 (needs Console API contract)
  - EXPORT-CONSOLE-23-001 (needs export bundle/job spec)

- Findings Ledger (Policy Engine sprints 0120–0122)
  - LEDGER-OAS-61-001 -> 61-002 -> 62-001 -> 63-001
  - LEDGER-AIRGAP-56-002 -> 57-001 -> 58-001
  - LEDGER-ATTEST-73-001 -> 73-002
  - LEDGER-RISK-67-001 -> 68-001 -> 69-001
  - LEDGER-PACKS-42-001 (snapshot/time-travel contract pending)
  - LEDGER-OBS-55-001 (depends on 54-001 attestation telemetry)
  - LEDGER-TEN-48-001 (needs platform approval/RLS plan)
  - LEDGER-29-009-DEV (waiting DevOps paths for Helm/Compose/offline kit assets)

- API Governance / OpenAPI
  - OAS-61-002 ratification -> OAS-62-001 -> OAS-62-002 -> OAS-63-001
  - APIGOV-63-001 (needs Notification Studio templates + deprecation metadata schema)

- CLI feature chain
  - CLI-NOTIFY-38-001 (schema missing) -> CLI-NOTIFY-39-001
  - CLI-EXPORT-35-001 (blocked: export profile schema + storage fixtures not delivered)

- Scanner surface
  - SCANNER-EVENTS-16-301 (awaiting orchestrator/Notifier envelope contract)
  - SCANNER-ANALYZERS-JAVA-21-011 (dev) depends on runtime capture to package CLI/Offline; release packaging tracked separately in DevOps sprints.
  - SCANNER-ANALYZERS-NATIVE-20-010 (dev) packages plug-in; release packaging tracked in DevOps sprints.
  - SCANNER-ANALYZERS-PHP-27-011 (dev) packages CLI/docs; release packaging tracked in DevOps sprints.
  - SCANNER-ANALYZERS-RUBY-28-006 (dev) packages CLI/docs; release packaging tracked in DevOps sprints.

- Excititor graph & air-gap
  - EXCITITOR-GRAPH-24-101 <- 21-005 ingest overlays
  - EXCITITOR-GRAPH-24-102 <- 24-101
  - EXCITITOR-AIRGAP-57-001 <- 56-001 wiring
  - EXCITITOR-AIRGAP-58-001 <- 56-001 storage layout + Export Center manifest

  - DevOps pipeline blocks
    - MIRROR-KEY-56-002-CI (repo secret MIRROR_SIGN_KEY_B64 needed for release signing; development unblocked)
    - DEVOPS-LNM-TOOLING-22-000 -> DEVOPS-LNM-22-001 -> DEVOPS-LNM-22-002
      * DEVOPS-LNM-22-001 DEV-UNBLOCKED (backfill plan + validation scripts added)
      * DEVOPS-LNM-22-001 ✅ (backfill plan, validation scripts, and CI dispatcher added)
      * DEVOPS-LNM-22-002 ✅ (VEX backfill dispatcher added)
      * DEVOPS-LNM-22-003 ✅ (metrics scaffold + CI check added)
    - DEVOPS-AOC-19-001 ✅ (AOC guard CI wired)
    - DEVOPS-AOC-19-002 ✅ (AOC verify stage added to CI)
    - DEVOPS-AIRGAP-57-002 ✅ (sealed-mode smoke wired into CI)
    - DEVOPS-OFFLINE-17-004 ✅ (release debug store mirrored into Offline Kit)
    - DEVOPS-REL-17-004 ✅ (release workflow now uploads `out/release/debug` artefact)
    - DEVOPS-CONSOLE-23-001 ✅ (CI contract + workflow added; offline-first console CI in place)
    - DEVOPS-EXPORT-35-001 ✅ (CI contract + MinIO fixtures added; pipeline wiring next)
    - DEVOPS-EXPORT-36-001 ✅ (Export CI workflow added with MinIO + Trivy/OCI smoke)

- Deployment
  - DEPLOY-EXPORT-35-001 ✅ (export Helm overlay + example secrets added)
  - DEPLOY-NOTIFY-38-001 ✅ (notify Helm overlay + example secrets added)

- Documentation ladders
  - Docs Tasks ladder 200.A (blocked pending upstream SBOM/CLI/Policy/AirGap artefacts)
  - DOCS-LNM chain: DOCS-LNM-22-001 -> 22-002 -> 22-003; DOCS-LNM-22-005 waits on 22-004
  - Policy docs chain A: DOCS-POLICY-27-001 -> 27-002 -> 27-003 -> 27-004 -> 27-005
  - Policy docs chain B: DOCS-POLICY-27-006 -> 27-007 -> 27-008 -> 27-009 -> 27-010 -> 27-011 -> 27-012 -> 27-013 -> 27-014
  - DOCS-SCANNER-DET-01 <- Sprint 136 determinism fixtures
  - EXCITITOR-DOCS-0001 (awaits Excititor chunk API CI + console contracts)

- Provenance / Observability
  - PROV-OBS-53-002 ✅ -> PROV-OBS-53-003 ✅

- CLI/Advisory AI handoff
  - SBOM-AIAI-31-003 <- CLI-VULN-29-001; CLI-VEX-30-001
  - DOCS-AIAI-31-005/006/008/009 <- CLI-VULN-29-001; CLI-VEX-30-001; POLICY-ENGINE-31-001; DEVOPS-AIAI-31-001

Note: POLICY-20-001 is defined and tracked in `docs/implplan/SPRINT_0114_0001_0003_concelier_iii.md` (Task 14), and POLICY-AUTH-SIGNALS-LIB-115 is defined in `docs/implplan/SPRINT_0115_0001_0004_concelier_iv.md` (Task 0); both scopes match the expectations captured here.