# Blocked Task Dependency Tree (as of 2025-12-07)

Updated 2025-12-07: FEEDCONN-ICSCISA-02-012/KISA-02-008 unblocked (ICS/KISA SOP v0.2); tracked in SPRINT_0113 row 18 and SPRINT_0503 feed ops tasks.

- Concelier ingestion & Link-Not-Merge
- MIRROR-CRT-56-001 (DONE; thin bundle v1 sample + hashes published)
- MIRROR-CRT-56-002 (DONE locally with production-mode flags: DSSE/TUF/OCI signed using provided Ed25519 keyid db9928babf3aeb817ccdcd0f6a6688f8395b00d0e42966e32e706931b5301fc8; artefacts in `out/mirror/thin/`; not blocking development)
- MIRROR-KEY-56-002-CI (DEVOPS-RELEASE ONLY: add Ed25519 base64 as repo secret `MIRROR_SIGN_KEY_B64` so `.gitea/workflows/mirror-sign.yml` can run with `REQUIRE_PROD_SIGNING=1`; not a development blocker; tracked in Sprint 506)
- MIRROR-CRT-57-001 (DONE; OCI layout emitted when OCI=1)
- MIRROR-CRT-57-002 (DEV-UNBLOCKED: time-anchor layer embedded; production signing still waits on MIRROR_SIGN_KEY_B64 and AirGap trust roots)
- MIRROR-CRT-58-001/002 (depend on 56-002, EXPORT-OBS-54-001, CLI-AIRGAP-56-001)
- PROV-OBS-53-001 (DONE; observer doc + verifier script)
- AIRGAP-TIME-57-001 (DEV-UNBLOCKED: schema + trust-roots bundle + service config present; production trust roots/signing still needed)
- EXPORT-OBS-51-001 / 54-001 (DEV-UNBLOCKED: DSSE/TUF profile + test-signed bundle available; release promotion now tracked under DevOps secret import)
- CLI-AIRGAP-56-001 (DEV-UNBLOCKED: dev bundles available; release promotion depends on DevOps secret import + 58-001 CLI path)
- CONCELIER-AIRGAP-56-001..58-001 <- PREP-ART-56-001, PREP-EVIDENCE-BDL-01
- CONCELIER-CONSOLE-23-001..003 <- PREP-CONSOLE-FIXTURES-29; PREP-EVIDENCE-BDL-01

- SBOM Service (Link-Not-Merge consumers)
- SBOM-SERVICE-21-001 (projection read API) — DONE (2025-11-23): WAF aligned with fixtures + in-memory repo fallback; `ProjectionEndpointTests` pass.
- SBOM-SERVICE-21-002..004 — TODO: depend on 21-001 implementation; proceed after projection API lands.

- Concelier orchestrator / policy / risk chain
- POLICY-20-001 (API contract; DOING in Sprint 0114) -> CONCELIER-POLICY-20-003 -> CONCELIER-POLICY-23-001 -> CONCELIER-POLICY-23-002
- POLICY-AUTH-SIGNALS-LIB-115 ✅ (0.1.0-alpha published 2025-11-19; shared contract available in `local-nugets/`)
- CONCELIER-RISK-66-001 -> 66-002 -> 67-001 -> 68-001 -> 69-001 (still blocked on POLICY-20-001 outputs and AUTH-TEN-47-001 adoption)
- CONCELIER-SIG-26-001 (blocked on SIGNALS-24-002 runtime feed)
- CONCELIER-TEN-48-001 (blocked on AUTH-TEN-47-001 and POLICY chain)
- CONCELIER-VEXLENS-30-001 (also needs PREP-CONCELIER-VULN-29-001 & VEXLENS-30-005)
- VEX Lens chain (Sprint 0129)
- VEXLENS-30-001 blocked: normalization schema, issuer directory inputs, and API governance guidance not published.
- TaskRunner chain (Sprint 0157)
- TASKRUN-41-001 DONE (2025-11-30): contract implemented (run API, storage indexes, approvals, provenance manifest). Downstream airgap/OAS/OBS tasks now wait only on control-flow/policy spec addendum.
- TASKRUN-OBS-54-001 BLOCKED (2025-11-30): waiting on TASKRUN-OBS-53-001 timeline/attestation schema from Sprint 0157.
- TASKRUN-OBS-55-001 BLOCKED (2025-11-30): depends on 54-001.
- TASKRUN-TEN-48-001 BLOCKED (2025-11-30): tenancy policy/RLS-egress contract not yet published; also waits for Sprint 0157 close-out.
- CONCELIER-VULN-29-004 <- CONCELIER-VULN-29-001
- CONCELIER-ORCH-32-001 (needs CI/clean runner) -> 32-002 -> 33-001 -> 34-001
- CONCELIER mirror/export chain
- CONCELIER-MIRROR-23-001-DEV (DONE; dev mirror layout documented at `docs/modules/concelier/mirror-export.md`, endpoints serve static bundles)
- DEVOPS-MIRROR-23-001-REL (release signing/publish tracked under DevOps; not a development blocker)
- Concelier storage/backfill/object-store chain
- CONCELIER-LNM-21-101-DEV/102-DEV/103-DEV (BLOCKED on CI runner and upstream tasks)
- Concelier backfill chain (Concelier IV)
- CONCELIER-STORE-AOC-19-005-DEV (BLOCKED pending dataset hash/rehearsal)

- Concelier Web chains
- CONCELIER-WEB-AIRGAP-56-001 -> 56-002 -> 57-001 -> 58-001
- CONCELIER-WEB-OAS-61-002 -> 62-001 -> 63-001
- CONCELIER-WEB-OBS-50-001 ✅ (telemetry core adopted 2025-11-07) -> 51-001 ✅ (health endpoint shipped 2025-11-23) -> 52-001

- Advisory AI docs & packaging
- AIAI-PACKAGING-31-002 & AIAI-DOCS-31-001 <- SBOM feeds + DEVOPS-AIAI-31-001 (CLI-VULN-29-001/CLI-VEX-30-001 landed via Sprint 0205 on 2025-12-06; POLICY-ENGINE-31-001 delivered 2025-11-23)
- DOCS-AIAI-31-005 -> 31-006 -> 31-008 -> 31-009 (DOCS-UNBLOCK-CLI-KNOBS-301 satisfied: CLI-VULN-29-001/CLI-VEX-30-001 delivered 2025-12-06; POLICY-ENGINE-31-001 delivered 2025-11-23; remaining gate: DEVOPS-AIAI-31-001 rollout)

- Policy Engine (core) chain
- POLICY-ENGINE-29-003 implemented (path-scope streaming endpoint live); downstream tasks 29-004+ remain open but unblocked.
- POLICY-AOC-19-001 -> 19-002 -> 19-003 -> 19-004
- POLICY-AIRGAP-56-001 -> 56-002 -> 57-001 -> 57-002 -> 58-001
- POLICY-ATTEST-73-001 -> 73-002 -> 74-001 -> 74-002
- POLICY-CONSOLE-23-001 (needs Console API contract)
- EXPORT-CONSOLE-23-001 (needs export bundle/job spec)

- Findings Ledger
- LEDGER-29-006 ✅ (2025-10-19; attachment encryption & signed URLs delivered)

- Findings Ledger (Policy Engine sprints 0120–0122)
- LEDGER-OAS-61-001 -> 61-002 -> 62-001 -> 63-001
- LEDGER-AIRGAP-56-002 -> 57-001 -> 58-001
- LEDGER-ATTEST-73-001 -> 73-002
- LEDGER-RISK-67-001 -> 68-001 -> 69-001
- LEDGER-PACKS-42-001 (snapshot/time-travel contract pending)
- LEDGER-OBS-55-001 (depends on 54-001 attestation telemetry)
- LEDGER-TEN-48-001 (needs platform approval/RLS plan)
- LEDGER-29-009-DEV (waiting on DevOps paths for Helm/Compose/offline kit assets)

- API Governance / OpenAPI
- OAS-61-002 ratification -> OAS-62-001 -> OAS-62-002 -> OAS-63-001
- APIGOV-63-001 (needs Notification Studio templates + deprecation metadata schema)

- CLI feature chain
- CLI-NOTIFY-38-001 (schema missing) -> CLI-NOTIFY-39-001
- CLI-EXPORT-35-001 (blocked: export profile schema + storage fixtures not delivered)

- Scanner surface
- SCANNER-EVENTS-16-301 (awaiting orchestrator/Notifier envelope contract)
- SCANNER-ANALYZERS-JAVA-21-011 (dev) depends on runtime capture to package CLI/Offline; release packaging tracked separately in DevOps sprints.
- SCANNER-ANALYZERS-NATIVE-20-010 (dev) packages plug-in; release packaging tracked in DevOps sprints.
- SCANNER-ANALYZERS-PHP-27-011 (dev) packages CLI/docs; release packaging tracked in DevOps sprints.
- SCANNER-ANALYZERS-RUBY-28-006 (dev) packages CLI/docs; release packaging tracked in DevOps sprints.

- Excititor graph & air-gap
- EXCITITOR-GRAPH-24-101 <- 21-005 ingest overlays (DONE 2025-11-24)
- EXCITITOR-GRAPH-24-102 <- 24-101 (DONE 2025-11-24)
- EXCITITOR-AIRGAP-57-001 <- 56-001 wiring (DONE 2025-11-24)
- EXCITITOR-AIRGAP-58-001 <- 56-001 storage layout + Export Center manifest (DONE 2025-11-24)

- Program management
- MIRROR-COORD-55-001 DONE (2025-11-24); coordination note `docs/implplan/updates/2025-11-24-mirror-coord-55-001.md`.
- Mirror DSSE
- MIRROR-DSSE-REV-1501 ✅ (2025-11-24; DSSE revision note published `docs/implplan/updates/2025-11-24-mirror-dsse-rev-1501.md`).
- Mirror time anchors
- AIRGAP-TIME-CONTRACT-1501 ✅ (2025-11-24; time contract note `docs/implplan/updates/2025-11-24-airgap-time-contract-1501.md`).
- Mirror orchestration hooks
- EXPORT-MIRROR-ORCH-1501 ✅ (2025-11-24; hook note `docs/implplan/updates/2025-11-24-export-mirror-orch-1501.md`).

- Attestation coordination
- ELOCKER-CONTRACT-2001 DONE (2025-11-24); ATTEST-PLAN-2001 DONE (2025-11-24).
- CONCELIER-ATTEST-73-001/002 DONE (2025-11-25): Core/WebService attestation suites executed; TRX in `TestResults/concelier-attestation/`.

- DevOps pipeline blocks
- MIRROR-KEY-56-002-CI (repo secret MIRROR_SIGN_KEY_B64 needed for release signing; development unblocked)
- DEVOPS-LNM-TOOLING-22-000 -> DEVOPS-LNM-22-001 -> DEVOPS-LNM-22-002
* DEVOPS-LNM-22-001 DEV-UNBLOCKED (backfill plan + validation scripts added)
* DEVOPS-LNM-22-001 ✅ (backfill plan, validation scripts, and CI dispatcher added)
* DEVOPS-LNM-22-002 ✅ (VEX backfill dispatcher added)
* DEVOPS-LNM-22-003 ✅ (metrics scaffold + CI check added)
- DEVOPS-AOC-19-001 ✅ (AOC guard CI wired)
- DEVOPS-AOC-19-002 ✅ (AOC verify stage added to CI)
- DEVOPS-AIRGAP-57-002 ✅ (sealed-mode smoke wired into CI)
- DEVOPS-SPANSINK-31-003 (TODO; Ops/Signals span sink for Excititor traces; moved from Sprint 0119)
- DEVOPS-OFFLINE-17-004 ✅ (release debug store mirrored into Offline Kit)
- DEVOPS-REL-17-004 ✅ (release workflow now uploads `out/release/debug` artefact)
- DEVOPS-CONSOLE-23-001 ✅ (CI contract + workflow added; offline-first console CI in place)
- DEVOPS-EXPORT-35-001 ✅ (CI contract + MinIO fixtures added; pipeline wiring next)
- DEVOPS-EXPORT-36-001 ✅ (Export CI workflow added with MinIO + Trivy/OCI smoke)

- Deployment
- DEPLOY-EXPORT-35-001 ✅ (export Helm overlay + example secrets added)
- DEPLOY-NOTIFY-38-001 ✅ (notify Helm overlay + example secrets added)

- Documentation ladders
- Docs Tasks ladder 200.A (blocked pending upstream SBOM/CLI/Policy/AirGap artefacts)
- DOCS-LNM chain: DOCS-LNM-22-001 -> 22-002 -> 22-003; DOCS-LNM-22-005 waits on 22-004
- Policy docs chain A: DOCS-POLICY-27-001 -> 27-002 -> 27-003 -> 27-004 -> 27-005
- Policy docs chain B: DOCS-POLICY-27-006 -> 27-007 -> 27-008 -> 27-009 -> 27-010 -> 27-011 -> 27-012 -> 27-013 -> 27-014
- DOCS-SCANNER-DET-01 <- Sprint 136 determinism fixtures
- EXCITITOR-DOCS-0001 (awaits Excititor chunk API CI + console contracts)

- Provenance / Observability
- PROV-OBS-53-002 ✅ -> PROV-OBS-53-003 ✅

- CLI/Advisory AI handoff
- SBOM-AIAI-31-003 (CLI-VULN-29-001/CLI-VEX-30-001 delivered 2025-12-06; completed in Sprint 0110; keep DEVOPS-AIAI-31-001 packaging in view)
- DOCS-AIAI-31-005/006/008/009 (CLI-VULN-29-001/CLI-VEX-30-001 delivered 2025-12-06; POLICY-ENGINE-31-001 delivered 2025-11-23; remaining dependency: DEVOPS-AIAI-31-001 for ops rollout)

Note: POLICY-20-001 is defined and tracked in `docs/implplan/SPRINT_0114_0001_0003_concelier_iii.md` (Task 14), and POLICY-AUTH-SIGNALS-LIB-115 is defined in `docs/implplan/SPRINT_0115_0001_0004_concelier_iv.md` (Task 0); both scopes match the expectations captured here.