Add challenge and exclusion review handling

2026-05-16 02:58:18 +02:00
parent c8ac42154c
commit b1dff0440d
16 changed files with 644 additions and 21 deletions
--- a/docs/ARCHITECTURE-BLUEPRINT.md
+++ b/docs/ARCHITECTURE-BLUEPRINT.md
@@ -803,6 +803,9 @@ Use separate concepts:
 - defect: unexpected product or process failure.

 The report must make these visible separately.
+The current policy layer loads challenge and exclusion refs from assessment
+profiles, annotates findings and evidence, and keeps `unexpected_findings`
+visible for gate semantics unless a finding is separately expected or waived.

 ### Source Locking