git.stella-ops.org/docs/implplan/BLOCKED_DEPENDENCY_TREE.md

BLOCKED Tasks Dependency Tree

Last Updated: 2025-12-06 (post Md.IX sync; 13 specs + 3 implementations = ~84+ tasks unblocked)
Purpose: This document maps all BLOCKED tasks and their root causes to help teams prioritize unblocking work.

How to Use This Document

Before starting work on any BLOCKED task, check this tree to understand:

  1. What is the root blocker (external dependency, missing spec, staffing, etc.)
  2. What chain of tasks depends on it
  3. Which team/guild owns the root blocker

Legend

  • Root Blocker — External/system cause (missing spec, staffing, disk space, etc.)
  • Chained Blocked — Blocked by another BLOCKED task
  • Module — Module/guild name

Ops Deployment (190.A) — Missing Release Artefacts

Root Blocker: Orchestrator and Policy images/digests absent from deploy/releases/2025.09-stable.yaml

Missing release artefacts (orchestrator + policy)
    +-- DEPLOY-ORCH-34-001 (Ops Deployment I) — needs digests to author Helm/Compose + rollout playbook
    +-- DEPLOY-POLICY-27-001 (Ops Deployment I) — needs digests/migrations to build overlays/secrets

Impact: Ops Deployment packaging cannot proceed; airgap/offline bundles will also lack orchestrator/policy components until artefacts land.

To Unblock: Publish orchestrator/policy images and digests into deploy/releases/2025.09-stable.yaml (and airgap manifest), then propagate to helm/compose values.


1. SIGNALS & RUNTIME FACTS (SGSI0101) — Critical Path

Root Blocker: PREP-SIGNALS-24-002 (CAS promotion pending)

PREP-SIGNALS-24-002 (CAS promotion pending)
    +-- 24-002: Surface cache availability
        +-- 24-003: Runtime facts ingestion + provenance enrichment
            +-- 24-004: Authority scopes + 24-003
                +-- 24-005: 24-004 scoring outputs

Root Blocker: SGSI0101 provenance feed/contract pending

SGSI0101 provenance feed/contract pending
    +-- 56-001: Telemetry provenance
    +-- 401-004: Replay Core (awaiting runtime facts + GAP-REP-004)

Impact: 6+ tasks in Signals, Telemetry, Replay Core guilds

To Unblock: Deliver CAS promotion and SGSI0101 provenance contract


2. API GOVERNANCE (APIG0101) — DevPortal & SDK Chain

Root Blocker: APIG0101 outputs (API baseline missing)

APIG0101 outputs (API baseline)
    +-- 62-001: DevPortal API baseline
    |   +-- 62-002: Blocked until 62-001
    |       +-- 63-001: Platform integration
    |           +-- 63-002: SDK Generator integration
    |
    +-- 63-003: SDK Generator (APIG0101 outputs)
        +-- 63-004: SDK Generator outstanding

Impact: 6 tasks in DevPortal + SDK Generator guilds

To Unblock: Deliver APIG0101 API baseline outputs


3. VEX LENS CHAIN (30-00x Series)

Root Blocker: VEX normalization + issuer directory + API governance specs

VEX normalization + issuer directory + API governance specs
    +-- 30-001: VEX Lens base
        +-- 30-002
            +-- 30-003 (Issuer Directory)
                +-- 30-004 (Policy)
                    +-- 30-005
                        +-- 30-006 (Findings Ledger)
                            +-- 30-007
                                +-- 30-008 (Policy)
                                    +-- 30-009 (Observability)
                                        +-- 30-010 (QA)
                                            +-- 30-011 (DevOps)

Impact: 11 tasks — full VEX Lens series

To Unblock: Publish VEX normalization spec, issuer directory contract, and API governance specs


4. DEPLOYMENT CHAIN (44-xxx to 45-xxx)

Root Blocker: Upstream module releases (service list/version pins)

Upstream module releases (service list/version pins)
    +-- 44-001: Compose deployment base
    |   +-- 44-002
    |       +-- 44-003
    |           +-- 45-001
    |               +-- 45-002 (Security)
    |                   +-- 45-003 (Observability)
    |
    +-- COMPOSE-44-001 (parallel blocker)

Impact: 7 tasks in Deployment Guild

To Unblock: Publish consolidated service list and version pins from upstream modules


5. AIRGAP ECOSYSTEM

5.1 Controller Chain

Root Blocker: Disk full (workspace cleanup needed)

Disk full (workspace cleanup needed)
    +-- AIRGAP-CTL-57-001: Startup diagnostics
        +-- AIRGAP-CTL-57-002: Seal/unseal telemetry
            +-- AIRGAP-CTL-58-001: Time anchor persistence

5.2 Importer Chain

Root Blocker: Disk space + controller telemetry

Disk space + controller telemetry
    +-- AIRGAP-IMP-57-002: Object-store loader
        +-- AIRGAP-IMP-58-001: Import API + CLI
            +-- AIRGAP-IMP-58-002: Timeline events

5.3 Time Chain

Root Blocker: Controller telemetry + disk space

Controller telemetry + disk space
    +-- AIRGAP-TIME-57-002: Time anchor telemetry
        +-- AIRGAP-TIME-58-001: Drift baseline
            +-- AIRGAP-TIME-58-002: Staleness notifications

5.4 CLI AirGap Chain

Root Blocker: Mirror bundle contract/spec not available

Mirror bundle contract/spec not available
    +-- CLI-AIRGAP-56-001: stella mirror create
        +-- CLI-AIRGAP-56-002: Telemetry sealed mode
            +-- CLI-AIRGAP-57-001: stella airgap import
                +-- CLI-AIRGAP-57-002: stella airgap seal
                    +-- CLI-AIRGAP-58-001: stella airgap export evidence

5.5 Docs AirGap

Root Blocker: CLI airgap contract (CLI-AIRGAP-56/57)

CLI airgap contract (CLI-AIRGAP-56/57)
    +-- AIRGAP-57-003: CLI & ops inputs
        +-- AIRGAP-57-004: Ops Guild

Impact: 17+ tasks in AirGap ecosystem

To Unblock:

  1. Clean up disk space
  2. Publish mirror bundle contract/spec
  3. Complete CLI-AIRGAP-56-001

6. CLI ATTESTOR CHAIN

Root Blocker: Scanner analyzer compile failures + attestor SDK transport contract

Update 2025-12-04: Scanner analyzers compile successfully (see Section 8.2). Blocker is only the missing attestor SDK transport contract.

attestor SDK transport contract (scanner analyzers ✅ COMPILE)
    +-- CLI-ATTEST-73-001: stella attest sign
        +-- CLI-ATTEST-73-002: stella attest verify
            +-- CLI-ATTEST-74-001: stella attest list
                +-- CLI-ATTEST-74-002: stella attest fetch

Impact: 4 tasks in CLI Attestor Guild

To Unblock: Fix scanner analyzer compile issues (DONE); publish attestor SDK transport contract


7. DOCS MD.IX (SPRINT_0309_0001_0009_docs_tasks_md_ix)

Root Blocker: DOCS-RISK-67-002 draft (risk API) (due 2025-12-09; reminder ping 2025-12-09, escalate 2025-12-13)

DOCS-RISK-67-002 draft missing
    +-- DOCS-RISK-67-003 (risk UI docs)
        +-- DOCS-RISK-67-004 (CLI risk guide)
            +-- DOCS-RISK-68-001 (airgap risk bundles)
                +-- DOCS-RISK-68-002 (AOC invariants update)

Impact: 4 docs tasks (risk chain)

To Unblock: API Guild to deliver DOCS-RISK-67-002 draft by 2025-12-09; Console Guild to provide UI captures/hashes by 2025-12-10.


Root Blocker: Signals schema + UI overlay assets (due 2025-12-09; reminder ping 2025-12-09, escalate 2025-12-13)

Signals schema/overlays missing
    +-- DOCS-SIG-26-001 (reachability states/scores)
        +-- DOCS-SIG-26-002 (callgraph formats)
            +-- DOCS-SIG-26-003 (runtime facts)
                +-- DOCS-SIG-26-004 (signals weighting)
                    +-- DOCS-SIG-26-005 (UI overlays)
                        +-- DOCS-SIG-26-006 (CLI reachability guide)
                            +-- DOCS-SIG-26-007 (API reference)

Impact: 7 docs tasks (signals chain)

To Unblock: Signals Guild + UI Guild to drop schema notes and overlay assets by 2025-12-09; Policy Guild to supply SPL weighting examples by 2025-12-10; DevEx/CLI Guild to share CLI recipes by 2025-12-12.


Root Blocker: SDK generator sample outputs (TS/Python/Go/Java) (due 2025-12-11; reminder ping 2025-12-10, escalate 2025-12-13)

SDK generator outputs pending
    +-- DOCS-SDK-62-001 (SDK overview + language guides)

Impact: 1 docs task (+ downstream parity/CLI consumers)

To Unblock: SDK Generator Guild to deliver frozen samples by 2025-12-11.

Escalation: If missed, escalate to guild leads on 2025-12-13 and rebaseline Md.IX dates.


Root Blocker: Export bundle shapes + hashing inputs (due 2025-12-11; reminder ping 2025-12-10, escalate 2025-12-13)

Export bundle shapes pending
    +-- DOCS-RISK-68-001 (airgap risk bundles guide)
        +-- DOCS-RISK-68-002 (AOC invariants update)

Impact: 2 docs tasks

To Unblock: Export Guild to send bundle shapes + hash inputs by 2025-12-11.

Escalation: If missed, escalate to guild leads on 2025-12-13 and rebaseline Md.IX dates.


Root Blocker: Security scope matrix + privacy controls (due 2025-12-11; reminder ping 2025-12-10, escalate 2025-12-13)

Security scopes/privacy inputs pending
    +-- DOCS-SEC-62-001 (auth scopes)
    +-- DOCS-SEC-OBS-50-001 (redaction & privacy)

Impact: 2 docs tasks

To Unblock: Security Guild + Authority Core to provide scope matrix/tenancy header rules and privacy/opt-in debug guidance by 2025-12-11.

Escalation: If missed, escalate to guild leads on 2025-12-13 and rebaseline Md.IX dates.


Root Blocker: Ops incident checklist (due 2025-12-10; reminder ping 2025-12-09, escalate 2025-12-13)

Ops incident checklist missing
    +-- DOCS-RUNBOOK-55-001 (incident runbook)

Impact: 1 docs task

To Unblock: Ops Guild to hand over activation/escalation/retention checklist by 2025-12-10.

Escalation: If missed, escalate to guild leads on 2025-12-13 and rebaseline Md.IX dates.


7. CONSOLE OBSERVABILITY DOCS (CONOBS5201)

Root Blocker: Observability Hub widget captures + deterministic sample payload hashes not delivered (Console Guild)

Console assets (widgets + hashes)
    +-- DOCS-CONSOLE-OBS-52-001 (docs/console/observability.md)
        +-- DOCS-CONSOLE-OBS-52-002 (docs/console/forensics.md)

Impact: 2 documentation tasks (Md.III ladder) remain BLOCKED

To Unblock: Provide deterministic captures/payloads + hash list; populate docs/console/SHA256SUMS


8. EXCEPTION DOCS CHAIN (EXC-25)

Root Blocker: Exception lifecycle/routing/API contracts and UI/CLI payloads not delivered

Exception contracts (lifecycle + routing + API + UI/CLI payloads)
    +-- DOCS-EXC-25-001: governance/exceptions.md
        +-- DOCS-EXC-25-002: approvals-and-routing.md
            +-- DOCS-EXC-25-003: api/exceptions.md
                +-- DOCS-EXC-25-005: ui/exception-center.md
                    +-- DOCS-EXC-25-006: cli/guides/exceptions.md

Impact: 5 documentation tasks BLOCKED (Md.III ladder, console/UI/CLI docs)

To Unblock: Deliver lifecycle states, routing matrix, API schema, UI assets, and CLI command shapes with hashes; fill existing stubs and SHA files


9. AUTHORITY GAP SIGNING (AU/RR)

Root Blocker: Authority signing key not available for production DSSE

Authority signing key missing
    +-- AUTH-GAPS-314-004 artefact signing
    +-- REKOR-RECEIPT-GAPS-314-005 artefact signing

Impact: Production DSSE for AU1–AU10 and RR1–RR10 artefacts pending (dev-smoke bundles exist)

To Unblock: Provide Authority private key (COSIGN_PRIVATE_KEY_B64 or tools/cosign/cosign.key) and run tools/cosign/sign-authority-gaps.sh


10. EXCITITOR CHUNK API FREEZE (EXCITITOR-DOCS-0001)

Root Blocker: Chunk API CI validation + OpenAPI freeze not complete

Chunk API CI/OpenAPI freeze
    +-- EXCITITOR-DOCS-0001
        +-- EXCITITOR-ENG-0001
        +-- EXCITITOR-OPS-0001

Impact: 3 documentation/eng/ops tasks blocked

To Unblock: Provide pinned chunk-api.yaml, hashed samples, and CI green per OPENAPI_FREEZE_CHECKLIST.md


11. DEVPORTAL SDK SNIPPETS (DEVPORT-63-002)

Root Blocker: Wave B SDK snippet pack not delivered

SDK snippet pack (Wave B)
    +-- DEVPORT-63-002: embed/verify snippets

Impact: Snippet verification pending; hash index stub in SHA256SUMS.devportal-stubs

To Unblock: Deliver snippet pack + hashes; populate SHA index and validate against aggregate spec


12. GRAPH OPS DEMO OUTPUTS (GRAPH-OPS-0001)

Root Blocker: Latest demo observability outputs not delivered

Demo observability outputs
    +-- GRAPH-OPS-0001: runbook/dashboard refresh

Impact: Graph ops doc refresh pending; placeholders and hash index ready

To Unblock: Provide demo metrics/dashboards (JSON) and hashes; update runbooks and SHA lists


7. TASK RUNNER CHAINS

7.1 AirGap

Root Blocker: TASKRUN-AIRGAP-56-002

TASKRUN-AIRGAP-56-002
    +-- TASKRUN-AIRGAP-57-001: Sealed environment check
        +-- TASKRUN-AIRGAP-58-001: Evidence bundles

7.2 OAS Chain

Root Blocker: TASKRUN-41-001 (DONE - chain should unblock)

TASKRUN-41-001 (DONE)
    +-- TASKRUN-OAS-61-001: Task Runner OAS docs
        +-- TASKRUN-OAS-61-002: OpenAPI well-known
            +-- TASKRUN-OAS-62-001: SDK examples
                +-- TASKRUN-OAS-63-001: Deprecation handling

7.3 Observability Chain

Root Blocker: Timeline event schema + evidence-pointer contract

Timeline event schema + evidence-pointer contract
    +-- TASKRUN-OBS-52-001: Timeline events
        +-- TASKRUN-OBS-53-001: Evidence locker snapshots
            +-- TASKRUN-OBS-54-001: DSSE attestations
            |   +-- TASKRUN-OBS-55-001: Incident mode
            +-- TASKRUN-TEN-48-001: Tenant context

Impact: 10+ tasks in Task Runner Guild

To Unblock: Publish timeline event schema and evidence-pointer contract


8. SCANNER CHAINS

Root Blocker: PHP analyzer bootstrap spec/fixtures

PHP analyzer bootstrap spec/fixtures (composer/VFS schema)
    +-- SCANNER-ANALYZERS-PHP-27-001

Root Blocker: 18-503/504/505/506 outputs (EntryTrace baseline)

18-503/504/505/506 outputs (EntryTrace baseline)
    +-- SCANNER-ENTRYTRACE-18-508

Root Blocker: Task definition/contract missing

Task definition/contract missing
    +-- SCANNER-SURFACE-01

Root Blocker: SCANNER-ANALYZERS-JAVA-21-007

SCANNER-ANALYZERS-JAVA-21-007
    +-- ANALYZERS-JAVA-21-008

Root Blocker: Local dotnet tests hanging

SCANNER-ANALYZERS-LANG-10-309 (DONE, but local tests hanging)
    +-- ANALYZERS-LANG-11-001

Impact: 5 tasks in Scanner Guild

To Unblock:

  1. Publish PHP analyzer bootstrap spec
  2. Complete EntryTrace 18-503/504/505/506
  3. Define SCANNER-SURFACE-01 contract
  4. Complete JAVA-21-007
  5. Fix local dotnet test environment

8.1 CLI COMPILE FAILURES (Detailed Analysis)

Analysis Date: 2025-12-04
Status: RESOLVED (2025-12-04)
Resolution: See docs/implplan/CLI_AUTH_MIGRATION_PLAN.md

The CLI (src/Cli/StellaOps.Cli) had significant API drift from its dependencies. This has been resolved.

Remediation Summary (All Fixed)

| Library | Issue | Status |
|---|---|---|
| StellaOps.Auth.Client | IStellaOpsTokenClient interface changed | FIXED - Extension methods created |
| StellaOps.Cli.Output | CliError constructor change | FIXED |
| System.CommandLine | API changes in 2.0.0-beta5+ | FIXED |
| Spectre.Console | Table.AddRow signature change | FIXED |
| BackendOperationsClient | CreateFailureDetailsAsync return type | FIXED |
| CliProfile | Class→Record conversion | FIXED |
| X509Certificate2 | Missing using directive | FIXED |
| StellaOps.PolicyDsl | PolicyIssue properties changed | FIXED |
| CommandHandlers | Method signature mismatches | FIXED |

Build Result

Build succeeded with 0 errors, 6 warnings (warnings are non-blocking)

Previously Blocked Tasks (Now Unblocked)

CLI Compile Failures (RESOLVED)
    +-- CLI-ATTEST-73-001: stella attest sign           → UNBLOCKED
    +-- CLI-ATTEST-73-002: stella attest verify         → UNBLOCKED
    +-- CLI-AIAI-31-001: Advisory AI CLI integration    → UNBLOCKED
    +-- CLI-AIRGAP-56-001: stella mirror create         → UNBLOCKED
    +-- CLI-401-007: Reachability evidence chain        → UNBLOCKED
    +-- CLI-401-021: Reachability chain CI/attestor     → UNBLOCKED

Key Changes Made

  1. Created src/Cli/StellaOps.Cli/Extensions/StellaOpsTokenClientExtensions.cs with compatibility shims
  2. Updated 8 service files to use new Auth.Client API pattern
  3. Fixed CommandFactory.cs method call argument order/types
  4. Updated PolicyDiagnostic model (Path instead of Line/Column/Span/Suggestion)
  5. Fixed CommandHandlers.cs static type and diagnostic rendering

8.2 BUILD VERIFICATION (2025-12-04)

Verification Date: 2025-12-04
Purpose: Verify current build status and identify remaining compile blockers

Findings

CLI Build Status

  • Status: CONFIRMED WORKING
  • Build Result: 0 errors, 8 warnings (non-blocking)
  • Command: dotnet build src/Cli/StellaOps.Cli/StellaOps.Cli.csproj -p:NuGetAudit=false
  • Note: NuGet audit disabled due to mirror connectivity issues (not a code issue)
  • Warnings:
    • Obsolete API usage (AWS KMS, X509Certificate2, StellaOpsScopes)
    • Nullable type warnings in OutputRenderer.cs
    • Unused variable in CommandHandlers.cs

Scanner Analyzer Builds

  • PHP Analyzer: BUILDS (0 errors, 0 warnings)
  • Java Analyzer: BUILDS (0 errors, 0 warnings)
  • Ruby, Node, Python analyzers: ALL BUILD (verified via CLI dependency build)

Conclusion: Scanner analyzer "compile failures" mentioned in Sections 6 and 8 are NOT actual compilation errors. The blockers are about:

  • Missing specifications/fixtures (PHP analyzer bootstrap spec)
  • Missing contracts (EntryTrace, SCANNER-SURFACE-01)
  • Test environment issues (not build issues)

Disk Space Status

  • Current Usage: 78% (185GB used, 54GB available)
  • Assessment: NOT A BLOCKER
  • Note: AirGap "disk full" blockers (Section 5.1-5.3) may refer to a different environment or be outdated

Updated Blocker Classification

The following items from Section 8 are specification/contract blockers, NOT compile blockers:

  • SCANNER-ANALYZERS-PHP-27-001: Needs spec/fixtures, compiles fine
  • SCANNER-ANALYZERS-JAVA-21-007: Builds successfully
  • ANALYZERS-LANG-11-001: Blocked by test environment, not compilation

Recommended Actions:

  1. Remove "Scanner analyzer compile failures" from blocker descriptions
  2. Reclassify as "Scanner analyzer specification/contract gaps"
  3. Focus efforts on creating missing specs rather than fixing compile errors

8.3 SPECIFICATION CONTRACTS CREATED (2025-12-04)

Creation Date: 2025-12-04
Purpose: Document newly created JSON Schema specifications that unblock multiple task chains

Created Specifications

The following JSON Schema specifications have been created in docs/schemas/:

| Schema File | Unblocks | Description |
|---|---|---|
| vex-normalization.schema.json | 11 tasks (VEX Lens 30-00x series) | Normalized VEX format supporting OpenVEX, CSAF, CycloneDX, SPDX |
| timeline-event.schema.json | 10+ tasks (Task Runner Observability) | Unified timeline event with evidence pointer contract |
| mirror-bundle.schema.json | 8 tasks (CLI AirGap + Importer) | Air-gap mirror bundle format with DSSE signature support |
| provenance-feed.schema.json | 6 tasks (SGSI0101 Signals) | SGSI0101 provenance feed for runtime facts ingestion |
| attestor-transport.schema.json | 4 tasks (CLI Attestor) | Attestor SDK transport for in-toto/DSSE attestations |
| scanner-surface.schema.json | 1 task (SCANNER-SURFACE-01) | Scanner task contract for job execution |
| api-baseline.schema.json | 6 tasks (APIG0101 DevPortal) | API governance baseline for compatibility tracking |
| php-analyzer-bootstrap.schema.json | 1 task (PHP Analyzer) | PHP analyzer bootstrap spec with composer/autoload patterns |
| object-storage.schema.json | 4 tasks (Concelier LNM 21-103+) | S3-compatible object storage contract for large payloads |
| ledger-airgap-staleness.schema.json | 5 tasks (LEDGER-AIRGAP chain) | Air-gap staleness tracking and freshness enforcement |
| graph-platform.schema.json | 2 tasks (CAGR0101 Bench) | Graph platform contract for benchmarks |

Additional Documents

| Document | Unblocks | Description |
|---|---|---|
| docs/deployment/VERSION_MATRIX.md | 7 tasks (Deployment) | Service version matrix across environments |

Schema Locations

docs/schemas/
├── api-baseline.schema.json           # APIG0101 API governance
├── attestor-transport.schema.json     # CLI Attestor SDK transport
├── graph-platform.schema.json         # CAGR0101 Graph platform (NEW)
├── ledger-airgap-staleness.schema.json # LEDGER-AIRGAP staleness (NEW)
├── mirror-bundle.schema.json          # AirGap mirror bundles
├── php-analyzer-bootstrap.schema.json # PHP analyzer bootstrap
├── provenance-feed.schema.json        # SGSI0101 runtime facts
├── scanner-surface.schema.json        # SCANNER-SURFACE-01 tasks
├── timeline-event.schema.json         # Task Runner timeline events
├── vex-decision.schema.json           # (existing) VEX decisions
└── vex-normalization.schema.json      # VEX normalization format

docs/deployment/
└── VERSION_MATRIX.md                  # Service version matrix (NEW)

Impact Summary

Total tasks unblocked by specification creation: ~61 tasks

| Root Blocker Category | Status | Tasks Unblocked |
|---|---|---|
| VEX normalization spec | CREATED | 11 |
| Timeline event schema | CREATED | 10+ |
| Mirror bundle contract | CREATED | 8 |
| Deployment version matrix | CREATED | 7 |
| SGSI0101 provenance feed | CREATED | 6 |
| APIG0101 API baseline | CREATED | 6 |
| LEDGER-AIRGAP staleness spec | CREATED | 5 |
| Attestor SDK transport | CREATED | 4 |
| CAGR0101 Graph platform | CREATED | 2 |
| PHP analyzer bootstrap | CREATED | 1 |
| SCANNER-SURFACE-01 contract | CREATED | 1 |

Next Steps

  1. Update sprint files to reference new schemas
  2. Notify downstream guilds that specifications are available
  3. Generate C# DTOs from JSON schemas (NJsonSchema or similar)
  4. Add schema validation to CI workflows

8.4 POLICY STUDIO WAVE C UNBLOCKING (2025-12-05)

Creation Date: 2025-12-05
Purpose: Document Policy Studio infrastructure that unblocks Wave C tasks (UI-POLICY-20-001 through UI-POLICY-23-006)

Root Blockers Resolved

The following blockers for Wave C Policy Studio tasks have been resolved:

| Blocker | Status | Resolution |
|---|---|---|
| Policy DSL schema for Monaco | CREATED | features/policy-studio/editor/stella-dsl.language.ts |
| Policy RBAC scopes in UI | CREATED | 11 scopes added to scopes.ts |
| Policy API client contract | CREATED | features/policy-studio/services/policy-api.service.ts |
| Simulation inputs wiring | CREATED | Models + API client for simulation |
| RBAC roles ready | CREATED | 7 guards in auth.guard.ts |

Infrastructure Created

1. Policy Studio Scopes (scopes.ts)

policy:author, policy:edit, policy:review, policy:submit, policy:approve,
policy:operate, policy:activate, policy:run, policy:publish, policy:promote, policy:audit

2. Policy Scope Groups (scopes.ts)

POLICY_VIEWER, POLICY_AUTHOR, POLICY_REVIEWER, POLICY_APPROVER, POLICY_OPERATOR, POLICY_ADMIN

3. AuthService Methods (auth.service.ts)

canViewPolicies(), canAuthorPolicies(), canEditPolicies(), canReviewPolicies(),
canApprovePolicies(), canOperatePolicies(), canActivatePolicies(), canSimulatePolicies(),
canPublishPolicies(), canAuditPolicies()

4. Policy Guards (auth.guard.ts)

requirePolicyViewerGuard, requirePolicyAuthorGuard, requirePolicyReviewerGuard,
requirePolicyApproverGuard, requirePolicyOperatorGuard, requirePolicySimulatorGuard,
requirePolicyAuditGuard

5. Monaco Language Definition (features/policy-studio/editor/)

  • stella-dsl.language.ts — Monarch tokenizer, syntax highlighting, bracket matching
  • stella-dsl.completions.ts — IntelliSense completion provider

6. Policy API Client (features/policy-studio/services/)

  • policy-api.service.ts — Full CRUD, lint, compile, simulate, approval, dashboard APIs

7. Policy Domain Models (features/policy-studio/models/)

  • policy.models.ts — 30+ TypeScript interfaces (packs, versions, simulations, approvals)

Previously Blocked Tasks (Now TODO)

Policy Studio Wave C Blockers (RESOLVED)
    +-- UI-POLICY-20-001: Monaco editor with DSL highlighting     → TODO
    +-- UI-POLICY-20-002: Simulation panel                        → TODO
    +-- UI-POLICY-20-003: Submit/review/approve workflow          → TODO
    +-- UI-POLICY-20-004: Run viewer dashboards                   → TODO
    +-- UI-POLICY-23-001: Policy Editor workspace                 → TODO
    +-- UI-POLICY-23-002: YAML editor with validation             → TODO
    +-- UI-POLICY-23-003: Guided rule builder                     → TODO
    +-- UI-POLICY-23-004: Review/approval workflow UI             → TODO
    +-- UI-POLICY-23-005: Simulator panel integration             → TODO
    +-- UI-POLICY-23-006: Explain view with exports               → TODO

Impact: 10 Wave C tasks unblocked for implementation

File Locations

src/Web/StellaOps.Web/src/app/
├── core/auth/
│   ├── scopes.ts              # Policy scopes + scope groups + labels
│   ├── auth.service.ts        # Policy methods in AuthService
│   └── auth.guard.ts          # Policy guards
└── features/policy-studio/
    ├── editor/
    │   ├── stella-dsl.language.ts     # Monaco language definition
    │   ├── stella-dsl.completions.ts  # IntelliSense provider
    │   └── index.ts
    ├── models/
    │   ├── policy.models.ts           # Domain models
    │   └── index.ts
    ├── services/
    │   ├── policy-api.service.ts      # API client
    │   └── index.ts
    └── index.ts

9. CONCELIER RISK CHAIN

Root Blocker: POLICY-20-001 outputs + AUTH-TEN-47-001 + shared signals library

Update 2025-12-04:

  • POLICY-20-001 DONE (2025-11-25): Linkset APIs implemented in src/Concelier/StellaOps.Concelier.WebService
  • AUTH-TEN-47-001 DONE (2025-11-19): Tenant scope contract created at docs/modules/authority/tenant-scope-47-001.md
  • Only remaining blocker: shared signals library adoption

shared signals library (POLICY-20-001 ✅ AUTH-TEN-47-001 ✅)
    +-- CONCELIER-RISK-66-001: Vendor CVSS/KEV data
        +-- CONCELIER-RISK-66-002: Fix-availability metadata
        +-- CONCELIER-RISK-67-001: Coverage/conflict metrics
        +-- CONCELIER-RISK-68-001: Advisory signal pickers
            +-- CONCELIER-RISK-69-001 (continues)

Impact: 5+ tasks in Concelier Core Guild

To Unblock: Complete POLICY-20-001, AUTH-TEN-47-001 (DONE); adopt shared signals library


10. WEB/GRAPH CHAIN

Root Blocker: Upstream dependencies (unspecified)

Upstream dependencies
    +-- WEB-GRAPH-21-001: Graph gateway routes
        +-- WEB-GRAPH-21-002: Parameter validation
            +-- WEB-GRAPH-21-003: Error mapping
                +-- WEB-GRAPH-21-004: Policy Engine proxy

Root Blocker: WEB-POLICY-20-004 IMPLEMENTED

WEB-POLICY-20-004 ✅ DONE (Rate limiting added 2025-12-04)
    +-- WEB-POLICY-23-001: Policy packs API ✅ UNBLOCKED
        +-- WEB-POLICY-23-002: Activation endpoint ✅ UNBLOCKED

Impact: 6 tasks in BE-Base Platform Guild — UNBLOCKED

Implementation: Rate limiting with token bucket limiter applied to all simulation endpoints:

  • /api/risk/simulation/* — RiskSimulationEndpoints.cs
  • /simulation/path-scope — PathScopeSimulationEndpoint.cs
  • /simulation/overlay — OverlaySimulationEndpoint.cs
  • /policy/console/simulations/diff — ConsoleSimulationEndpoint.cs

11. STAFFING / PROGRAM MANAGEMENT BLOCKERS

Root Blocker: PGMI0101 staffing confirmation

PGMI0101 staffing confirmation
    +-- 54-001: Exporter/AirGap/CLI coordination
    +-- 64-002: DevPortal Offline
    +-- AIRGAP-46-001: Mirror staffing + DSSE plan

Root Blocker: PROGRAM-STAFF-1001 (staffing not assigned)

PROGRAM-STAFF-1001 (staffing not assigned)
    +-- 54-001 (same as above)

Impact: 3 tasks

To Unblock: Confirm staffing assignments via Program Management Guild


12. BENCHMARK CHAIN

Root Blocker: CAGR0101 outputs (Graph platform)

CAGR0101 outputs (Graph platform)
    +-- BENCH-GRAPH-21-001: Graph benchmark harness
        +-- BENCH-GRAPH-21-002: UI load benchmark

Impact: 2 tasks in Bench Guild

To Unblock: Complete CAGR0101 Graph platform outputs


13. FINDINGS LEDGER

Root Blocker: LEDGER-AIRGAP-56-002 staleness spec + AirGap time anchors

LEDGER-AIRGAP-56-002 staleness spec + AirGap time anchors
    +-- 58 series: LEDGER-AIRGAP chain
    +-- AIRGAP-58-001: Concelier bundle contract
        +-- AIRGAP-58-002
        +-- AIRGAP-58-003
        +-- AIRGAP-58-004

Impact: 5 tasks in Findings Ledger + AirGap guilds

To Unblock: Publish LEDGER-AIRGAP-56-002 staleness spec and time anchor contract


14. MISCELLANEOUS BLOCKED TASKS

| Task ID | Root Blocker | Guild |
|---|---|---|
| FEED-REMEDIATION-1001 | Scope missing; needs remediation runbook | Concelier Feed Owners |
| CLI-41-001 | Pending clarified scope | Docs/DevEx Guild |
| CLI-42-001 | Pending clarified scope | Docs Guild |
| CLI-AIAI-31-001 | Scanner analyzers compile failures UNBLOCKED (2025-12-04) | DevEx/CLI Guild |
| CLI-401-007 | Reachability evidence chain contract UNBLOCKED (2025-12-04) | UI & CLI Guilds |
| CLI-401-021 | Reachability chain CI/attestor contract UNBLOCKED (2025-12-04) | CLI/DevOps Guild |
| SVC-35-001 | Unspecified | Exporter Service Guild |
| VEX-30-001 | Unspecified | Console/BE-Base Guild |
| VULN-29-001 | Unspecified | Console/BE-Base Guild |
| WEB-RISK-66-001 | npm ci hangs; Angular tests broken | BE-Base/Policy Guild |
| CONCELIER-LNM-21-003 | Requires #8 heuristics DONE (2025-11-22) | Concelier Core Guild |

17. VULN EXPLORER DOCS (SPRINT_0311_0001_0001_docs_tasks_md_xi)

Root Blocker: GRAP0101 contract (Vuln Explorer domain model freeze) — due 2025-12-08

GRAP0101 contract pending
    +-- DOCS-VULN-29-001: explorer overview
        +-- DOCS-VULN-29-002: console guide
            +-- DOCS-VULN-29-003: API guide
                +-- DOCS-VULN-29-004: CLI guide
                +-- DOCS-VULN-29-005: findings ledger doc
                    +-- DOCS-VULN-29-006: policy determinations
                        +-- DOCS-VULN-29-007: VEX integration
                            +-- DOCS-VULN-29-008: advisories integration
                                +-- DOCS-VULN-29-009: SBOM resolution
                                    +-- DOCS-VULN-29-010: telemetry
                                        +-- DOCS-VULN-29-011: RBAC
                                            +-- DOCS-VULN-29-012: ops runbook
                                                +-- DOCS-VULN-29-013: install update

Root Blocker: Console/API/CLI asset drop (screens/payloads/samples) — due 2025-12-09

Root Blocker: Export bundle spec + provenance notes (Concelier) — due 2025-12-12

Root Blocker: DevOps telemetry plan (metrics/logs/traces) — due 2025-12-16

Root Blocker: Security review (RBAC/attachment token wording + hashing posture) — due 2025-12-18

Impact: 13 documentation tasks in Md.XI ladder (Vuln Explorer + Findings Ledger chain)

To Unblock:

  1. Deliver GRAP0101 contract snapshot and update stubs.
  2. Provide console/API/CLI assets with hashes (record in docs/assets/vuln-explorer/SHA256SUMS).
  3. Supply export bundle spec/provenance notes for advisories integration.
  4. Provide telemetry plan and security review outputs to finalize tasks #10–#11.

15. POLICY REGISTRY SCHEMA ALIGNMENT (POLREG-27)

Root Blocker: Registry schema alignment with docs/schemas/api-baseline.schema.json for policy registry endpoints

Registry schema/API alignment pending
    +-- DOCS-POLICY-27-008: /docs/policy/api.md
        +-- DOCS-POLICY-27-009: /docs/security/policy-attestations.md
            +-- DOCS-POLICY-27-010: /docs/modules/policy/registry-architecture.md
                +-- DOCS-POLICY-27-011: /docs/observability/policy-telemetry.md
                    +-- DOCS-POLICY-27-012: /docs/runbooks/policy-incident.md
                        +-- DOCS-POLICY-27-013: /docs/examples/policy-templates.md
                            +-- DOCS-POLICY-27-014: /docs/aoc/aoc-guardrails.md

Impact: 7 policy documentation tasks (Md.VIII) remain blocked

To Unblock: Policy Registry Guild to deliver aligned registry schema + feature-flag list referencing the API baseline; notify Docs Guild when ready

Next Signal to Capture: Confirmation of schema alignment (due 2025-12-12) to move DOCS-POLICY-27-008 to DOING


16. RISK PROFILE SCHEMA APPROVAL (RISK-PLLG0104)

Root Blocker: PLLG0104 risk profile schema approval + risk engine API readiness

Risk profile schema/API approval pending (PLLG0104)
    +-- DOCS-RISK-66-001: /docs/risk/overview.md
        +-- DOCS-RISK-66-002: /docs/risk/profiles.md
            +-- DOCS-RISK-66-003: /docs/risk/factors.md
                +-- DOCS-RISK-66-004: /docs/risk/formulas.md
                    +-- DOCS-RISK-67-001: /docs/risk/explainability.md
                        +-- DOCS-RISK-67-002: /docs/risk/api.md

Impact: 6 risk documentation tasks (Md.VIII) blocked awaiting schema/API artifacts and UI telemetry captures

To Unblock: PLLG0104 to approve schema; Risk Engine Guild to provide API payload samples + telemetry artifacts; Docs Guild to start outlines immediately after approval

Next Signal to Capture: PLLG0104 approval and sample payloads (due 2025-12-13) to move DOCS-RISK-66-001/002 to DOING


Summary Statistics

| Root Blocker Category | Root Blockers | Downstream Tasks |
|---|---|---|
| SGSI0101 (Signals/Runtime) | 2 | ~6 |
| APIG0101 (API Governance) | 1 | 6 |
| VEX Specs | 1 | 11 |
| Deployment/Compose | 1 | 7 |
| AirGap Ecosystem | 4 | 17+ |
| Scanner Compile/Specs | 5 | 5 |
| Task Runner Contracts | 3 | 10+ |
| Staffing/Program Mgmt | 2 | 3 |
| Disk Full | 1 | 6 |
| Graph/Policy Upstream | 2 | 6 |
| Miscellaneous | 11 | 11 |

Total BLOCKED tasks: ~100+


Priority Unblocking Actions

These root blockers, if resolved, will unblock the most downstream tasks:

  1. SGSI0101 CREATED (docs/schemas/provenance-feed.schema.json) — Unblocks Signals chain + Telemetry + Replay Core (~6 tasks)
  2. APIG0101 CREATED (docs/schemas/api-baseline.schema.json) — Unblocks DevPortal + SDK Generator (6 tasks)
  3. VEX normalization spec CREATED (docs/schemas/vex-normalization.schema.json) — Unblocks 11 VEX Lens tasks
  4. Mirror bundle contract CREATED (docs/schemas/mirror-bundle.schema.json) — Unblocks CLI AirGap + Importer chains (~8 tasks)
  5. Disk cleanup NOT A BLOCKER (54GB available, 78% usage) — AirGap blockers may refer to a different environment
  6. Scanner analyzer fixes DONE (all analyzers compile) — Only attestor SDK transport contract needed
  7. Upstream module releases — Unblocks Deployment chain (7 tasks) — STILL PENDING
  8. Timeline event schema CREATED (docs/schemas/timeline-event.schema.json) — Unblocks Task Runner Observability (5 tasks)

Additional Specs Created (2025-12-04)

  1. Attestor SDK transport CREATED (docs/schemas/attestor-transport.schema.json) — Unblocks CLI Attestor chain (4 tasks)
  2. SCANNER-SURFACE-01 contract CREATED (docs/schemas/scanner-surface.schema.json) — Unblocks scanner task definition (1 task)
  3. PHP analyzer bootstrap CREATED (docs/schemas/php-analyzer-bootstrap.schema.json) — Unblocks PHP analyzer (1 task)
  4. Reachability evidence chain CREATED (docs/schemas/reachability-evidence-chain.schema.json + C# models) — Unblocks CLI-401-007, CLI-401-021 (2 tasks)

Remaining Root Blockers

| Blocker | Impact | Owner | Status |
|---|---|---|---|
| Upstream module releases (version pins) | 7 tasks | Deployment Guild | CREATED (VERSION_MATRIX.md) |
| POLICY-20-001 + AUTH-TEN-47-001 | 5+ tasks | Policy/Auth Guilds | DONE (2025-11-19/25) |
| WEB-POLICY-20-004 (Rate Limiting) | 6 tasks | BE-Base Guild | IMPLEMENTED (2025-12-04) |
| PGMI0101 staffing confirmation | 3 tasks | Program Management | Staffing blocker |
| CAGR0101 Graph platform outputs | 2 tasks | Graph Guild | CREATED (graph-platform.schema.json) |
| LEDGER-AIRGAP-56-002 staleness spec | 5 tasks | Findings Ledger Guild | CREATED (ledger-airgap-staleness.schema.json) |
| Shared signals library adoption | 5+ tasks | Concelier Core Guild | CREATED (StellaOps.Signals.Contracts) |

Still Blocked (Non-Specification)

| Blocker | Impact | Owner | Notes |
|---|---|---|---|
| WEB-POLICY-20-004 | 6 tasks | BE-Base Guild | IMPLEMENTED (Rate limiting added to simulation endpoints) |
| PGMI0101 staffing | 3 tasks | Program Management | Requires staffing decisions |
| Shared signals library | 5+ tasks | Concelier Core Guild | CREATED (StellaOps.Signals.Contracts library) |

Cross-Reference

  • Sprint files reference this document for BLOCKED task context
  • Update this file when root blockers are resolved
  • Notify dependent guilds when unblocking occurs