08 · Sequencing · Week-by-week deliverables matrix

Build Gantt · what ships each Friday

Rows are workstreams. Columns are weeks W0 → W12. Each cell names the Friday deliverable for that workstream that week. Six pass/fail gates sit on the calendar. Pulled from DELIVERY_MAP.md §3–§5 and our internal eng-week reference.

Workstream × week deliverables grid · 13 lanes · 6 gates
Workstream / Week: W0 Pre · W1 Core · W2 Core · W3 Core · W4 Core · W5 Core · W6 Core · W7 Core · W8 RC · W9 Ext · W10 Ext · W11 Ext · W12 Ext
Platform Floor
5 streams · DevOps + 4 backend engineers · ~22.0 ew §5.1
DevOps · CI · Release
ko + Cosign + Syft · Helm
Repos primed
CI green
main builds, images signed
Helm + Compose skeleton
subcharts wired, secrets via ESO
Restore-verify CI
nightly shadow-cluster smoke
RC1 cut
signed bundle + SBOM
Air-gap tarball
skopeo + Zot + sig mirror
BFF Skeleton + Tenancy
routes · session · audit hook
Contracts frozen
First tenant route
middleware stack live
Entity hierarchy
ancestor-IDs denormalised
RBAC middleware live
consumes pkg/authz v1
Storage · Email · Keys · Audit
MinIO · Mongo · SMTP · KeyStore · pkg/audit
Wrappers stubbed
Mongo, MinIO, SMTP, KeyStore
Audit writer (chain)
BLAKE2b + Ed25519 head
Audit WORM export
Object-Lock bucket live
overwatch-mailer v1
HMAC tokens, MJML build
SSE pkg/live
scan-run + tile push
Seed Loader + Migrator
idempotent, versioned, replayable
SME schemas signed
Loader + runner
toy framework loads green
Content-migration table
per-tenant seed_version
Real frameworks load
ISO27001/SOC2/DPDP
Design System · FE Foundation
shadcn/ui · Tailwind v4 · CSP/SRI
Tokens + primitives
light/dark, command menu, empty/loading/error
CSP-nonce + SRI
middleware + manifest
Product Core (Detailed Modules)
Auth + AuthZ + Vendor + Policy · 4 module teams · 20.0 ew §5.2
Auth (#1)
Keycloak + session + step-up + SCIM · 6 ew
Bootstrap + IdP iface
first Org + Admin
OIDC + magic link
SSO surface live
SAML + session store
step-up + WebAuthn
SCIM + break-glass
G-Auth security review
AuthZ (#1B) · pkg/authz
7-step pipeline · 18 roles · SoD · 7 ew end-to-end
Resource/action catalog
role catalog seeded
7-step pipeline core
unit-test corpus green
SoD matrix + fuzzer
G-AuthZ pass
Role-assign UI + tokens
module-level work
Compliance Engine Core
#2 Frameworks · #3 Controls · #4 Evidence · #5 Risk · 9.0 ew
Control library (#3)
Framework scoring (#2) stub
Evidence emit() API
G-Compliance-Core pass
Risk register (#5)
5×5 heatmap, acceptance
Module Wave · Vendor + Policy
#6 Vendor (5.5 ew) · #7 Policy (5 ew)
Vendor intake + Q-template
Policy editor + versioning
External Q-flow + diff
approval workflow + SoD
Composite scoring + ack campaigns
G-Module-Wave pass
Dashboard · Action Items · Integrations
#16 + Action Items + #17 · ~6 ew
metrics() endpoints
contracts frozen W3
Aggregator + Action Items
cross-module queue
Integrations CRUD
add/test/scan/disconnect
Integration + Extended Modules
13 summary modules · CSPM, SCM, IAM/UAR, Supply Chain, VA, Incidents, Training, Audit · 30.0 ew §5.3 + W9–W12
CSPM · SCM · Supply Chain · VA
#9, #10, #11, #12 · 9.5 ew
CSPM AWS + GCP + Azure
Prowler-metadata-driven
SCM GitHub + GitLab + Supply Chain
OSV + Syft enrichment
VA · SARIF + DefectDojo parsers
finding lifecycle + linkage
IAM/UAR · Incidents · Training · Audit
#14, #13, #8, #15 · 9.5 ew
IAM Entra + Google + Okta + OIDC
org chart, over-perm detect
Incidents + Training
MTTR, breach countdown, public Q
Internal Audit + AI enrichment
PDF/CSV via Gotenberg
Harden · Release · Ops
WCAG · perf · security · docs · UAT · 8.0 ew cross-cutting + RC §5.5
Cross-cutting Harden + UAT
WCAG AA · load · pen-test · ops docs · UAT
WCAG + perf + sec review
G-WCAG, G-Perf, G-Security pass
Pen-test remediation + UAT
G-UAT · v1.0-Core ships
Pass/Fail Gates
G-0 · D1–D10 cleared
G-F · Foundation
G-AZ · AuthZ + IC + CC
G-MW · Module Wave
G-S · Security sign-off
G-U · UAT · v1.0-Core
v1.0-Extended

Legend

Platform Floor (cluster 1) · Product Core (cluster 2) · Integration / Extended (cluster 3) · Ops / Harden (cluster 4) · Tinted = consumes upstream artefact · Outline = optional / lower-priority · Pass/fail gate · Release milestone

How to read this