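# Open engineering backlog, evaluated as a Nickel record.
#
# Each entry of `items` carries:
#   id            - stable slug; this is the value other entries cite in
#                   `blocked_by`
#   description   - free text, consumed verbatim by whatever renders the list
#   priority      - one of 'High | 'Medium | 'Low, enforced by `Priority`
#   blocked_by    - ids of entries in this same list that must land first
#   related_nodes - ids of design/architecture nodes kept outside this file;
#                   nothing here validates them
#
# The contracts below check shape and the priority enum only. They do NOT
# verify that every `blocked_by` value names an existing `id`; that stays a
# manual check (the three references present today all resolve).
let Priority = [| 'High, 'Medium, 'Low |] in

# Closed record contract: an item with a missing or unexpected field fails
# evaluation instead of being silently accepted downstream.
let Item = {
  id | String,
  description | String,
  priority | Priority,
  blocked_by | Array String,
  related_nodes | Array String,
} in

{
  items | Array Item = [
    # Authorization backbone. Two other High items declare this one in
    # `blocked_by`: until Cedar policies are evaluated live, their access
    # controls cannot be enforced through Cedar.
    {
      id = "control-center-cedar-policies",
      description = "Finalize Cedar policy definitions for Control Center and wire to live auth evaluation.",
      priority = 'High,
      blocked_by = [],
      related_nodes = ["solid-boundaries", "control-center-maturity"],
    },
    # NOTE(review): the description covers transport wiring only. Given the
    # dependency on the Cedar item, confirm the policy check is applied when
    # a session subscribes to a task's stream (at WebSocket upgrade or
    # subscribe time), not only on REST routes — otherwise any connected
    # session would presumably receive status for tasks it may not view.
    {
      id = "websocket-nats-streaming",
      description = "Connect Control Center WebSocket task status streaming to NATS push consumers.",
      priority = 'High,
      blocked_by = ["control-center-cedar-policies"],
      related_nodes = ["platform-dispatch", "control-center-maturity"],
    },
    {
      id = "extension-metadata-schemas",
      description = "Add Nickel schemas for extension metadata currently using raw TOML.",
      priority = 'Medium,
      blocked_by = [],
      related_nodes = ["type-safety-nickel", "schema-coverage"],
    },
    # Depends on the schemas above so that capability validation runs against
    # typed metadata rather than raw TOML. Failing at config-load time keeps
    # a misconfigured provider from reaching deploy.
    {
      id = "provider-capability-validation",
      description = "Validate provider capabilities against workspace requirements at config-load time.",
      priority = 'Medium,
      blocked_by = ["extension-metadata-schemas"],
      related_nodes = ["provider-abstraction", "workspace-contract"],
    },
    {
      id = "taskserv-dependency-contracts",
      description = "Ensure all taskservs declare dependencies.ncl with typed contracts for inter-taskserv dependencies.",
      priority = 'Medium,
      blocked_by = [],
      related_nodes = ["taskserv-pattern", "workspace-certification"],
    },
    {
      id = "cluster-ext-ingress-class-from-config",
      description = "ingressClassName is hardcoded to 'cilium' in all L4 cluster extension install scripts. Should be driven by a field in the cluster extension NCL config (e.g. ingress_class_name) so different clusters can declare different ingress controllers without modifying install scripts. Relevant for wuji where Istio replaces Cilium ingress.",
      priority = 'Medium,
      blocked_by = [],
      related_nodes = ["cluster-extension-pattern", "type-safety-nickel"],
    },
    # NOTE(review): the description does not explain why this is blocked by
    # the ingress-class item; FIP role mapping and ingressClassName look
    # independent from here. Confirm the edge is intentional (e.g. a shared
    # config refactor) or drop it so the Low item is not held back.
    {
      id = "fip-role-driven-state-mapping",
      description = "FIP key names in cluster-deploy.nu (cd-load-fip-env) and bootstrap.nu are derived by stripping a hardcoded workspace prefix ('librecloud-fip-') and assuming fixed role keys (smtp, sgoyol_ingress, wuji). Should be driven by an explicit role field in floating_ips.ncl so the mapping is data-driven and reusable across workspaces.",
      priority = 'Low,
      blocked_by = ["cluster-ext-ingress-class-from-config"],
      related_nodes = ["provider-abstraction", "workspace-contract"],
    },
    {
      id = "cluster-deploy-parallel-extension-execution",
      description = "cluster-deploy.nu processes extensions sequentially even when parallel=true in the DAG. Extensions with no shared depends_on (e.g. hcloud_floater and cert_manager both after metallb) could run concurrently. Requires structured concurrency in Nushell or delegating to background jobs.",
      priority = 'Low,
      blocked_by = [],
      related_nodes = ["platform-dispatch", "cluster-extension-pattern"],
    },
    # The authoritative control is the Cedar check in the /pods and
    # /pods/{ns}/{pod}/describe handlers; hiding the button in the template
    # is UX only and must never be the sole gate (the endpoints stay
    # reachable by direct request). NOTE(review): `ns` and `pod` arrive as
    # path parameters and end up in a command run over SSH on the control
    # plane — if they are interpolated into that command, validate them
    # (e.g. as DNS-1123 labels) before use; confirm in the handler.
    {
      id = "ui-live-mode-credential-gate",
      description = "The Live Pods section in the component detail view (workspace_component_detail.html) is rendered for all component modes unconditionally. Fetching live pod status requires SSH access to the cluster control plane — this capability must be gated behind explicit RBAC permissions (can_operate or higher) so read-only (can_view) users cannot trigger SSH sessions or see raw infrastructure state. Implement a Cedar policy check in the /pods and /pods/{ns}/{pod}/describe handlers, and conditionally hide the live button in the template when the session lacks the required permission.",
      priority = 'High,
      blocked_by = ["control-center-cedar-policies"],
      related_nodes = ["solid-boundaries", "control-center-maturity", "ui-component-detail"],
    },
  ],
}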