Feature Cluster Dependency Matrix - M7 + Cross-Milestone Addenda
Rows L283-303 include cross-milestone addenda added after initial sequencing. See milestone-dependency-map.md for navigation.
| Cluster ID | Feature Cluster | Milestone | Depends On (Hard) | Depends On (Soft) | Canonical Docs | Decisions | Roadmap Phase | Gap Priority | Exit Gate | Parallelizable With | Risk Notes |
| M7.NET.TRACKING_BROWSER_DISCOVERY | Shared browser/tracking server integration, lobby listings, trust labels | M7 | M4.NET.MINIMAL_LOCKSTEP_ONLINE, M6.SP.FULL_RA_CAMPAIGNS | — | 03-NETCODE.md, 17-PLAYER-FLOW.md | D052, D060, D011 | Phase 5 full | — | Browser-based discoverability + trust indicators working | M7.NET.RANKED_MATCHMAKING, M7.NET.CROSS_ENGINE_BRIDGE | Trust labeling must match actual guarantees |
| M7.NET.D052_SIGNED_CREDS_RESULTS | Portable signed credentials, certified results, community server trust baseline | M7 | M4.NET.RELAY_TIME_AUTHORITY_AND_VALIDATION, M2.COM.TELEMETRY_DB_FOUNDATION, M2.SEC.CREDENTIAL_STORE_CORE | — | 09b-networking.md, 06-SECURITY.md | D052, D061, D031 | Phase 5 full | — | Signed credentials/results and server trust path functional | M7.SEC.BEHAVIORAL_ANALYSIS_REPORTING | P004 integration details gate |
| M7.NET.RANKED_MATCHMAKING | Ranked queue, tiers/seasons, leaderboards, queue degradation logic | M7 | M7.NET.D052_SIGNED_CREDS_RESULTS, M7.NET.TRACKING_BROWSER_DISCOVERY | M7.UX.REPORT_BLOCK_AVOID_REVIEW | 09b-networking.md, 17-PLAYER-FLOW.md | D055, D053, D060 | Phase 5 full | — | Ranked 1v1 functional and explainable | M7.NET.SPECTATOR_TOURNAMENT | Queue health and avoid-list abuse |
| M7.NET.SPECTATOR_TOURNAMENT | Spectator mode, broadcast delay, tournament-certified match paths | M7 | M7.NET.TRACKING_BROWSER_DISCOVERY, M7.NET.D052_SIGNED_CREDS_RESULTS | M7.NET.RANKED_MATCHMAKING | 03-NETCODE.md, 17-PLAYER-FLOW.md, 15-SERVER-GUIDE.md | D052, D055 | Phase 5 full | P3 observer UI tie-in | Spectator and tournament basics work | — | Extra ops complexity |
| M7.SEC.BEHAVIORAL_ANALYSIS_REPORTING | Relay-side behavioral anti-cheat signals + report evidence pipeline + population-baseline comparison + enforcement timing cadence + trust score computation (V12 concrete algorithm with NaN-guarded factors, F11) + pipeline-wide NaN fail-closed guards (F1) | M7 | M7.NET.D052_SIGNED_CREDS_RESULTS, M2.COM.TELEMETRY_DB_FOUNDATION | M7.UX.REPORT_BLOCK_AVOID_REVIEW | 06-SECURITY.md, 09b-networking.md, 17-PLAYER-FLOW.md | D052, D031, D059 | Phase 5 full | — | Reports include evidence and moderation signals without overclaiming certainty; population baselines computed weekly; trust score influences matchmaking quality; NaN proptest passes; TrustScore algorithm produces sane outputs for all input combinations | M7.UX.REPORT_BLOCK_AVOID_REVIEW | False positives / trust messaging |
| M3.SEC.DISPLAY_NAME_VALIDATION | UTS #39 confusable detection, mixed-script restriction, BiDi strip for display names (V46) + unified text sanitization pipeline (V56) | M3 | M3.UX.FIRST_RUN_SETUP_AND_MAIN_MENU | M6.UX.RTL_BIDI_GAME_UI_BASELINE | 06-SECURITY.md, 09g-interaction.md, tracking/rtl-bidi-qa-corpus.md | D059 | Phase 3 | — | All display names pass UTS #39 skeleton check; BiDi overrides stripped; unified text sanitization covers all user-text contexts | M7.UX.D059_RTL_CHAT_MARKER_TEXT_SAFETY | V46 + V56: confusable impersonation and BiDi injection |
| M5.SEC.KEY_ROTATION_AND_REVOCATION | Player Ed25519 key rotation protocol (V47) + community server key compromise recovery (V48) + emergency BIP-39 recovery + rotation_sequence_number monotonicity (F3) + TOFU connection policy: ranked=reject-on-mismatch + require-seed-list-for-first-connect, unranked=TOFU-accept-with-warn, LAN=warn-only (F4 resolved by TOFU model) | M5 | M7.NET.D052_SIGNED_CREDS_RESULTS | M7.NET.RANKED_MATCHMAKING | 06-SECURITY.md, 09b-networking.md | D052, D060 | Phase 5 | — | Key rotation dual-signed with monotonic sequence number; 24h cooldown enforced; emergency rotation via mnemonic; TOFU connection policy passes proptest; seed list curation operational | — | V47 + V48: key compromise without rotation loses player identity/server trust |
| M5.SEC.ANTICHEAT_CALIBRATION | Anti-cheat false-positive rate targets (V54), desync classification heuristic (V55), labeled replay calibration corpus, continuous calibration feedback loop, population-baseline recalibration pipeline | M5 | M7.SEC.BEHAVIORAL_ANALYSIS_REPORTING, M2.COM.TELEMETRY_DB_FOUNDATION | M7.NET.RANKED_MATCHMAKING | 06-SECURITY.md, tracking/testing-strategy.md | D052, D055 | Phase 5 | — | Calibration corpus exists; false-positive rates meet V54 thresholds; desync fingerprinting classifies bug vs cheat; continuous recalibration pipeline operational post-launch | — | V54 + V55: without calibration, aggressive detection alienates high-skill players |
| M8.SEC.AUTHOR_PACKAGE_SIGNING | Author-level Ed25519 package signing (V49) + verification chain + key pinning | M8 | M8.COM.WORKSHOP_PACKAGE_HASH_AND_SIGNATURE_VERIFICATION | M9.COM.WORKSHOP_MANIFEST_SIGNING_AND_LOCKFILE | 06-SECURITY.md, 09e-community.md | D030, D049 | Phase 5b/6 | — | Author signature required and verified; registry counter-signs; key pinning warns on key change without rotation | M9.SEC.PACKAGE_QUARANTINE | V49: without author signing, registry is single point of trust |
| M9.SEC.PACKAGE_QUARANTINE | Popularity-threshold quarantine for Workshop updates (V51) + star-jacking/reputation gaming defenses (V52) | M9 | M8.SEC.AUTHOR_PACKAGE_SIGNING, M9.COM.D049_FULL_WORKSHOP_CAS | M11.COM.ECOSYSTEM_POLISH_GOVERNANCE | 06-SECURITY.md, 09e-community.md | D030, D049, D037 | Phase 6a | — | Popular packages quarantined for review; anomaly detection flags coordinated rating manipulation; fork detection operational | — | V51 + V52: supply-chain risk for widely-deployed packages |
| M6.SEC.WASM_INTERMODULE_ISOLATION | WASM namespace isolation + capability-gated cross-module IPC + per-module resource pools (V50) | M6 | M5.SP.LUA_MISSION_RUNTIME | M8.MOD.WASM_TIER_BASELINE | 06-SECURITY.md, 04-MODDING.md | D005 | Phase 4/5 | — | Modules cannot probe or manipulate other modules’ state; cross-module calls host-mediated and logged | — | V50: without isolation, malicious WASM mod can probe other mods |
| M4.SEC.P2P_REPLAY_ATTESTATION | P2P peer-attested frame hashes + end-of-match summary signing (V53) | M4 | M4.NET.MINIMAL_LOCKSTEP_ONLINE | M7.SEC.BEHAVIORAL_ANALYSIS_REPORTING | 06-SECURITY.md, 03-NETCODE.md | D010, D034 | Phase 4 (P2P subset) | — | All peers exchange signed state hashes per tick; replays contain cross-attestation chain; tampering detectable | — | V53: without attestation, P2P replays are unverifiable |
| M5.SEC.ICRP_CSWSH_HARDENING | ICRP local WebSocket origin validation + challenge secret file permissions + CORS whitelist (V57, audit F2) | M5 | M5.PLATFORM.EXTERNAL_TOOL_API | — | 06-SECURITY.md, 09f-tools.md | D071 | Phase 2–3 (ICRP subset) | — | Origin header validation rejects non-localhost; challenge secret has 0600/user-only permissions; no Access-Control-Allow-Origin: *; CSWSH in threat model | M5.PLATFORM.EXTERNAL_TOOL_API | V57: without origin validation, any browser page can issue ICRP commands |
| M5.SEC.LOBBY_CONFIGURATION_INTEGRITY | Lobby settings change notification + ranked configuration whitelist + match metadata recording of all lobby settings (V58, audit F12) | M5 | M4.NET.MINIMAL_LOCKSTEP_ONLINE | M7.NET.RANKED_MATCHMAKING | 06-SECURITY.md, 03-NETCODE.md, 17-PLAYER-FLOW.md | D055, D064 | Phase 3 (notifications) + Phase 5 (ranked whitelist) | — | Setting changes reset ready status with notification; ranked whitelist is signed and versioned; match metadata includes all lobby settings | M3.UX.GAME_CHROME_CORE | V58: without notifications, host can silently change settings after players ready |
| M7.SEC.RANKED_OBSERVER_DELAY | 120-second minimum observer delay floor for ranked matches + relay-enforced buffer + delay value in match metadata (V59, audit F7) | M7 | M7.NET.SPECTATOR_TOURNAMENT, M7.NET.RANKED_MATCHMAKING | — | 06-SECURITY.md, 03-NETCODE.md | D055, D060 | Phase 5 full | — | Ranked observer delay ≥120s enforced at relay; delay not reducible by lobby/server config; delay recorded in CertifiedMatchResult | M7.NET.SPECTATOR_TOURNAMENT | V59 + V60: without delay, observer can relay fogged info in real time; RNG prediction mitigated by staleness |
| M4.QA.NETCODE_DEFENSE_SUITE | Runtime defense tests for network/relay API misuse vectors: relay frame validation fuzzing, timestamp normalization bounds, connection typestate exhaustive transitions, handshake replay rejection, half-open flood resilience; integration scenarios (reconnection mid-combat, desync detection→diagnosis); api-misuse-defense.md §3 coverage | M4 | M4.NET.MINIMAL_LOCKSTEP_ONLINE, M2.QA.SIM_API_DEFENSE_TESTS | M4.NET.RELAY_TIME_AUTHORITY_AND_VALIDATION | tracking/testing-strategy.md, architecture/api-misuse-defense.md | D006, D007, D008 | Phase 5 (subset) | — | Relay frame fuzzing passes 100K+ iterations; connection typestate transitions exhaustively tested; reconnect + desync integration scenarios verified | M5.SP.LUA_MISSION_RUNTIME | Network test environment setup complexity; must coordinate with relay server test fixtures |
| M7.UX.D059_BEACONS_MARKERS_LABELS | D059 colored beacon/ping + tactical marker presentation rules (optional short labels, preset color accents, visibility scope, replay-safe metadata, anti-spam) | M7 | M7.NET.TRACKING_BROWSER_DISCOVERY | M7.UX.REPORT_BLOCK_AVOID_REVIEW, M7.SEC.BEHAVIORAL_ANALYSIS_REPORTING | 09g-interaction.md, 17-PLAYER-FLOW.md, 06-SECURITY.md | D059, D065, D052 | Phase 5 full (with D070 typed-support marker reuse in M10) | — | Marker/beacon communication is readable, accessible (not color-only), rate-limited, and replay-preserving across KBM/controller/touch flows | M10.GAME.D070_TEMPLATE_TOOLKIT | Ping spam, color-only semantics, or unlabeled marker clutter can degrade coordination and moderation clarity |
| M7.UX.D059_RTL_CHAT_MARKER_TEXT_SAFETY | D059 legitimate RTL chat/marker label rendering + anti-spoof BiDi/invisible-char sanitization split | M7 | M6.UX.RTL_BIDI_GAME_UI_BASELINE, M7.UX.D059_BEACONS_MARKERS_LABELS | M7.UX.REPORT_BLOCK_AVOID_REVIEW, M7.SEC.BEHAVIORAL_ANALYSIS_REPORTING | 09g-interaction.md, 17-PLAYER-FLOW.md, 06-SECURITY.md | D059, D065, D052 | Phase 5 full | — | Multiplayer chat and tactical labels preserve legitimate Arabic/Hebrew content while preventing bidi-spoof/invisible-char abuse and retaining replay/moderation fidelity | M11.PLAT.BROWSER_MOBILE_POLISH | Overzealous sanitization can break real RTL usage; under-filtering can enable impersonation/spoofing |
| M7.UX.REPORT_BLOCK_AVOID_REVIEW | Mute/block/avoid/report UX + optional community-review/Overwatch surfaces | M7 | M7.NET.TRACKING_BROWSER_DISCOVERY | M7.SEC.BEHAVIORAL_ANALYSIS_REPORTING, M7.NET.RANKED_MATCHMAKING | 17-PLAYER-FLOW.md, 09g-interaction.md, 09b-networking.md, 06-SECURITY.md | D059, D052, D055 | Phase 5 full (and later moderation expansion) | — | Personal control + moderation/reporting flows are distinct and understandable | — | Avoid/ranked guarantee confusion |
| M7.UX.POST_PLAY_FEEDBACK_PROMPTS | Sampled post-game/post-session feedback prompts for modes/mods/campaigns + local-first feedback telemetry + opt-in community submission hooks | M7 | M2.COM.TELEMETRY_DB_FOUNDATION, M7.NET.TRACKING_BROWSER_DISCOVERY | M7.UX.REPORT_BLOCK_AVOID_REVIEW, M9.COM.D049_FULL_WORKSHOP_CAS | 17-PLAYER-FLOW.md, 09e-community.md | D031, D049, D053, D037 | Phase 5 full (with later Workshop/creator expansion) | — | Prompts are skippable, non-blocking, and useful without survey fatigue; local-first analytics and opt-in submission boundaries are clear | M10.COM.CREATOR_FEEDBACK_HELPFUL_RECOGNITION | P-Scale: avoid spammy prompts, positivity bias, and reward wording that implies gameplay bonuses |
| M7.NET.CROSS_ENGINE_BRIDGE_AND_TRUST | Cross-engine browser/community bridge, trust labels, host-mode packaging, replay import integration | M7 | M7.NET.TRACKING_BROWSER_DISCOVERY, M7.NET.D052_SIGNED_CREDS_RESULTS | M7.SEC.BEHAVIORAL_ANALYSIS_REPORTING | 07-CROSS-ENGINE.md, 03-NETCODE.md, 17-PLAYER-FLOW.md | D011, D056, D052 | Phase 5 full + later polish | — | Cross-engine modes are clearly labeled and policy-correct | M11.PLAT.CROSS_ENGINE_POLISH | Anti-cheat guarantee confusion |