# Backlog of open work items, one record per item.
#
# Fields present on every record:
#   id            - stable identifier; other records point at it via `blocked_by`
#   description   - free-text statement of the work
#   priority      - enum tag, one of 'High | 'Medium | 'Low
#   blocked_by    - ids of items that must land first (empty when unblocked)
#   related_nodes - names of nodes this item touches; presumably ids in a
#                   separate graph file, not items here — verify against consumer
{
  items = [
    {
      id = "control-center-cedar-policies",
      description = "Finalize Cedar policy definitions for Control Center and wire to live auth evaluation.",
      priority = 'High,
      blocked_by = [],
      related_nodes = ["solid-boundaries", "control-center-maturity"],
    },
    {
      id = "websocket-nats-streaming",
      description = "Connect Control Center WebSocket task status streaming to NATS push consumers.",
      priority = 'High,
      blocked_by = ["control-center-cedar-policies"],
      related_nodes = ["platform-dispatch", "control-center-maturity"],
    },
    {
      id = "extension-metadata-schemas",
      description = "Add Nickel schemas for extension metadata currently using raw TOML.",
      priority = 'Medium,
      blocked_by = [],
      related_nodes = ["type-safety-nickel", "schema-coverage"],
    },
    {
      id = "provider-capability-validation",
      description = "Validate provider capabilities against workspace requirements at config-load time.",
      priority = 'Medium,
      blocked_by = ["extension-metadata-schemas"],
      related_nodes = ["provider-abstraction", "workspace-contract"],
    },
    {
      id = "taskserv-dependency-contracts",
      description = "Ensure all taskservs declare dependencies.ncl with typed contracts for inter-taskserv dependencies.",
      priority = 'Medium,
      blocked_by = [],
      related_nodes = ["taskserv-pattern", "workspace-certification"],
    },
    {
      id = "cluster-ext-ingress-class-from-config",
      # NOTE(review): this description carries a literal line break (and a
      # trailing space before it); confirm the consumer renders it as intended.
      description = "ingressClassName is hardcoded to 'cilium' in all L4 cluster extension install scripts. Should be driven by a field in the cluster extension NCL config (e.g. ingress_class_name) so different clusters can declare different ingress controllers without modifying install scripts. 
Relevant for wuji where Istio replaces Cilium ingress.",
      priority = 'Medium,
      blocked_by = [],
      related_nodes = ["cluster-extension-pattern", "type-safety-nickel"],
    },
    {
      id = "fip-role-driven-state-mapping",
      description = "FIP key names in cluster-deploy.nu (cd-load-fip-env) and bootstrap.nu are derived by stripping a hardcoded workspace prefix ('librecloud-fip-') and assuming fixed role keys (smtp, sgoyol_ingress, wuji). Should be driven by an explicit role field in floating_ips.ncl so the mapping is data-driven and reusable across workspaces.",
      priority = 'Low,
      blocked_by = ["cluster-ext-ingress-class-from-config"],
      related_nodes = ["provider-abstraction", "workspace-contract"],
    },
    {
      id = "cluster-deploy-parallel-extension-execution",
      description = "cluster-deploy.nu processes extensions sequentially even when parallel=true in the DAG. Extensions with no shared depends_on (e.g. hcloud_floater and cert_manager both after metallb) could run concurrently. Requires structured concurrency in Nushell or delegating to background jobs.",
      priority = 'Low,
      blocked_by = [],
      related_nodes = ["platform-dispatch", "cluster-extension-pattern"],
    },
    {
      # Authorization gap: the live-pods path reaches the control plane over SSH,
      # so it must stay behind the Cedar policies tracked in
      # "control-center-cedar-policies" (hence the blocked_by entry).
      id = "ui-live-mode-credential-gate",
      description = "The Live Pods section in the component detail view (workspace_component_detail.html) is rendered for all component modes unconditionally. Fetching live pod status requires SSH access to the cluster control plane — this capability must be gated behind explicit RBAC permissions (can_operate or higher) so read-only (can_view) users cannot trigger SSH sessions or see raw infrastructure state. Implement a Cedar policy check in the /pods and /pods/{ns}/{pod}/describe handlers, and conditionally hide the live button in the template when the session lacks the required permission.",
      priority = 'High,
      blocked_by = ["control-center-cedar-policies"],
      related_nodes = ["solid-boundaries", "control-center-maturity", "ui-component-detail"],
    },
  ],
}