Add challenge and exclusion review handling

2026-05-16 02:58:18 +02:00
parent c8ac42154c
commit b1dff0440d
16 changed files with 644 additions and 21 deletions
--- a/docs/EXTENSION-SDK.md
+++ b/docs/EXTENSION-SDK.md
@@ -250,6 +250,33 @@ Expectation sets mark known posture as expected. Waiver sets mark approved,
 time-bounded exceptions. Both are applied after findings are generated, and the
 assessment package records policy summary counts.

+## Challenges And Authority Exclusions
+
+Assessment profiles may also reference challenge and exclusion sets:
+
+```json
+{
+  "challenges_ref": "profiles/challenges/example.json",
+  "exclusions_ref": "profiles/exclusions/example.json"
+}
+```
+
+Challenge sets validate against `docs/schemas/challenge-set.schema.json`.
+Exclusion sets validate against `docs/schemas/exclusion-set.schema.json`.
+Records can match findings by requirement refs, check refs, evidence refs,
+result refs, or classification refs. They also carry owner, review status,
+rationale, authority source refs, review dates, optional expiry, native IDs,
+and free-form metadata.
+
+Use challenges when an extension author or assessment team believes a finding
+needs review because a check is invalid, a native harness result is disputed, or
+a mapping is wrong. Use exclusions when an authority or program explicitly
+removes a requirement, check, or result from the assessment scope. The core
+preserves these distinctions in findings, evidence review annotations,
+assessment packages, reports, and retained summaries, but default gate semantics
+still count the underlying finding as unexpected unless it is separately
+expected or waived.
+
 ## Python Runner Contract

 A Python runner receives one context object and returns one result object.