Add report fragments and export manifest

2026-05-16 03:11:56 +02:00
parent 2a1a53c140
commit 6c467dd1f4
22 changed files with 630 additions and 24 deletions
--- a/docs/EXTENSION-SDK.md
+++ b/docs/EXTENSION-SDK.md
@@ -83,6 +83,8 @@ The key runtime fields are:
 - `normalizers`: optional plug-ins that convert native runner output into the
  stable runner-result shape before evidence is written.
 - `mappings`: mapping set IDs under `mappings/<mapping-id>.json`.
+- `report_fragments`: optional Markdown file or Python module descriptors for
+  extension-owned report content.
 - `certification_boundary`: explicit statement of what the extension does not
  certify.

@@ -209,6 +211,53 @@ to extension-owned mappings and writes normalized mapping records to:
 runs/<run-id>/normalized/mappings.json
 ```

+## Report Fragments
+
+Extensions can contribute report fragments through `report_fragments`.
+
+Static Markdown file:
+
+```json
+{
+  "id": "overview",
+  "kind": "markdown_file",
+  "path": "reports/overview.md",
+  "title": "Overview"
+}
+```
+
+Dynamic Python fragment:
+
+```json
+{
+  "id": "sdk-fixture-summary",
+  "kind": "python_module",
+  "module_path": "reports/sdk_fixture_summary.py",
+  "callable": "build_fragment",
+  "path": null,
+  "title": "SDK Fixture Summary"
+}
+```
+
+Fragment paths are resolved relative to the extension root and must stay inside
+that root. A Python fragment receives `root`, `run_dir`, `run_id`, `plan`,
+`evidence`, `findings`, `mappings`, `assessment_package`, `policy_summary`,
+`source_lock`, `extension_path`, and `report_fragment`.
+
+It returns:
+
+```python
+def build_fragment(context: dict) -> dict:
+    return {
+        "markdown": "### Extension Summary\n\n- evidence items: 2",
+        "structured": {"evidence_count": 2},
+    }
+```
+
+Fragments are written to `reports/fragments.json`, embedded in the assessment
+package, rendered in `reports/report.md`, and summarized in
+`exports/export-manifest.json`.
+
 ## Evidence Request Sets

 Procedural and hybrid compliance extensions may include evidence request sets
@@ -402,9 +451,9 @@ profiles.

 ## Source Lock And Submission Package

-Every new run writes `sources.lock.json` and
-`reports/submission-package.json`. Extension authors should treat source
-metadata as part of the evidence contract:
+Every new run writes `sources.lock.json`, `reports/submission-package.json`,
+and the generic portable export manifest at `exports/export-manifest.json`.
+Extension authors should treat source metadata as part of the evidence contract:

 - declare extension, authority, framework, runner, and normalizer metadata in
  `extension.json` when it is static;