Implement source lock and submission package baseline

docs/ARCHITECTURE-BLUEPRINT.md

@@ -355,7 +355,9 @@ Stores run artifacts by reference and checksum:
 
 The first implementation builds the assessment package artifact manifest from
 runner-emitted artifact refs and computes checksums for files inside the run
-directory.
+directory. New runs also write a source lock and a submission package manifest
+that fingerprint reviewable run files and summarize runner or normalizer
+metadata reported by extensions.
 
 ### Normalizer
 
@@ -559,6 +561,18 @@ building complex runtime code.
 - `artifact_policy`
 - `runtime_policy`
 
+### `SourceLock`
+
+- `framework_refs`
+- `extension_refs`
+- `frameworks`
+- `extensions`
+- `mapping_sets`
+- `profiles`
+- `policy_refs`
+- `authorities`
+- `metadata_hooks`
+
 ### `RawArtifact`
 
 - `id`
@@ -626,6 +640,19 @@ building complex runtime code.
 - `certification_boundary`
 - `created_at`
 
+### `SubmissionPackage`
+
+- `run_id`
+- `package_identity`
+- `source_lock_ref`
+- `source_lock`
+- `reports`
+- `normalized_outputs`
+- `profile_snapshots`
+- `artifact_manifest`
+- `reported_metadata`
+- `certification_boundary`
+
 ## Result Vocabulary
 
 The evidence model should allow these statuses:
@@ -714,6 +741,7 @@ runs/<run-id>/
   reports/
     report.md
     assessment-package.json
+    submission-package.json
   exports/
 ```
 
@@ -787,7 +815,12 @@ Each run should lock:
 - test suite IDs,
 - mapping version,
 - target profile snapshot,
-- waiver snapshot.
+- expectation and waiver refs.
+
+The current source lock remains backward-compatible with the original
+`framework_refs` and `extension_refs` fields while adding checksummed profiles,
+mapping-set refs, optional policy refs, authority descriptors, and metadata
+hooks for runners and normalizers.
 
 ## Implementation Sequence
 

docs/ASSESSMENT-OPERATIONS.md

@@ -77,6 +77,7 @@ A completed CLI command prints a JSON result with:
 - `run_dir`: output directory,
 - `assessment_package`: JSON assessment package path,
 - `report`: Markdown report path,
+- `submission_package`: portable submission package manifest path,
 - `retention_summary`: compact durable summary path.
 
 The output directory uses this contract:
@@ -84,15 +85,27 @@ The output directory uses this contract:
 ```text
 run.json
 plan.json
+sources.lock.json
+target-profile.snapshot.json
+assessment-profile.snapshot.json
 retention-summary.json
 normalized/evidence.json
 normalized/findings.json
 normalized/mappings.json
 reports/assessment-package.json
 reports/report.md
+reports/submission-package.json
 artifacts/
 ```
 
+`sources.lock.json` records the framework refs, extension versions, mapping
+sets, profile snapshots, policy refs, authority refs, and extension metadata
+hooks used for the run. `reports/submission-package.json` points at the
+reviewable package files, includes checksums where files exist, carries the raw
+artifact manifest, and repeats the certification boundary. It is a portable
+handoff manifest for preparation evidence, not an authority-specific final
+submission.
+
 Use the retained run helpers for history:
 
 ```sh

docs/EXTENSION-SDK.md

@@ -71,7 +71,12 @@ The key runtime fields are:
 - `extension_type`: one of the supported archetypes from the architecture
   blueprint.
 - `supported_frameworks`: framework IDs this extension can contribute evidence
-  for.
+  for. Descriptor objects with `id`, `version`, `source_url`, and
+  `authority_ref` may be used when source metadata is available.
+- `authorities`: authority IDs or descriptor objects with optional source URL,
+  version, license, and access notes.
+- `metadata`: optional extension-level metadata such as adapter version or
+  source URL. The core preserves it in source locks and evidence metadata.
 - `check_groups`: named groups that assessment profiles can select.
 - `preflight_runner`: optional runner ID used before selected check groups.
 - `runner_entrypoints`: concrete runner declarations.
@@ -141,6 +146,11 @@ Example:
   "module_path": "src/open_cmis_tck/preflight.py",
   "callable": "run",
   "command": null,
+  "metadata": {
+    "harness_id": "opencmis-tck",
+    "harness_version": "extension-detected-or-declared",
+    "source_url": "https://chemistry.apache.org/java/opencmis.html"
+  },
   "description": "Checks whether the CMIS Browser Binding endpoint is reachable."
 }
 ```
@@ -272,11 +282,20 @@ Result fields:
 - `observations`: human-readable observations.
 - `facts`: structured facts extracted by the runner.
 - `artifact_refs`: references to raw artifacts written by the runner.
+- `requirement_refs`: optional requirement refs discovered by the runner.
+- `metadata`: optional generic metadata such as `harness_version`,
+  `test_suite_id`, `adapter_version`, `source_url`, or native result IDs.
 
 Artifact refs must be paths relative to the run directory. After runner
 execution, the core fingerprints existing artifact refs into the assessment
 package `artifact_manifest`.
 
+Runner metadata is merged with manifest entrypoint metadata and preserved under
+evidence `facts.source_metadata`. The same metadata is also summarized in the
+submission package manifest, which lets reviewers distinguish the extension
+version from the harness or native test-suite version without adding
+domain-specific fields to the core.
+
 If a Python runner raises an exception, the core converts that failure into
 `infrastructure_error` evidence so the assessment package remains complete.
 
@@ -298,6 +317,9 @@ extension can add a normalizer descriptor:
   "module_path": "normalizers/native_probe.py",
   "callable": "normalize",
   "runner_ref": "native-probe",
+  "metadata": {
+    "adapter_version": "0.1.0"
+  },
   "description": "Converts native runner output into guide-board evidence."
 }
 ```
@@ -340,6 +362,7 @@ The core merges the normalizer output over the runner result:
 - `observations` are appended.
 - `facts` are merged.
 - `artifact_refs` and `requirement_refs` are deduplicated.
+- `metadata` is merged.
 - `normalizer_refs` is recorded in evidence facts when any normalizer runs.
 
 If a normalizer raises an exception, the step becomes
@@ -350,6 +373,25 @@ The bundled `extensions/sdk-fixture` extension is the copyable reference path
 for profile schemas, a native-output runner, a normalizer, mappings, and fixture
 profiles.
 
+## Source Lock And Submission Package
+
+Every new run writes `sources.lock.json` and
+`reports/submission-package.json`. Extension authors should treat source
+metadata as part of the evidence contract:
+
+- declare extension, authority, framework, runner, and normalizer metadata in
+  `extension.json` when it is static;
+- return runner or normalizer `metadata` when versions, native result IDs, or
+  test-suite IDs are detected at runtime;
+- keep mapping sets under `mappings/` so the core can checksum them in the
+  source lock;
+- keep restricted or licensed assets referenced by metadata or artifacts rather
+  than vendored into the core.
+
+The submission package manifest is generic guide-board output. Authority-specific
+final submissions, trademark assertions, or certification conclusions remain
+extension-owned or reviewer-owned.
+
 ## Result Statuses
 
 Initial statuses:

docs/schemas/extension-manifest.schema.json

@@ -41,8 +41,38 @@
       "type": "string",
       "enum": ["candidate", "incubating", "active", "external", "deprecated"]
     },
-    "supported_frameworks": { "type": "array", "items": { "type": "string" } },
-    "authorities": { "type": "array", "items": { "type": "string" } },
+    "supported_frameworks": {
+      "type": "array",
+      "items": {
+        "type": ["string", "object"],
+        "additionalProperties": false,
+        "required": ["id"],
+        "properties": {
+          "id": { "type": "string" },
+          "version": { "type": ["string", "null"] },
+          "source_url": { "type": ["string", "null"] },
+          "authority_ref": { "type": ["string", "null"] },
+          "description": { "type": ["string", "null"] }
+        }
+      }
+    },
+    "authorities": {
+      "type": "array",
+      "items": {
+        "type": ["string", "object"],
+        "additionalProperties": false,
+        "required": ["id"],
+        "properties": {
+          "id": { "type": "string" },
+          "name": { "type": ["string", "null"] },
+          "version": { "type": ["string", "null"] },
+          "source_url": { "type": ["string", "null"] },
+          "license": { "type": ["string", "null"] },
+          "access": { "type": ["string", "null"] }
+        }
+      }
+    },
+    "metadata": { "type": "object" },
     "profile_schemas": {
       "type": "array",
       "items": {
@@ -89,6 +119,7 @@
           "module_path": { "type": ["string", "null"] },
           "callable": { "type": ["string", "null"] },
           "command": { "type": ["array", "null"], "items": { "type": "string" } },
+          "metadata": { "type": "object" },
           "description": { "type": ["string", "null"] }
         }
       }
@@ -105,6 +136,7 @@
           "module_path": { "type": "string" },
           "callable": { "type": "string" },
           "runner_ref": { "type": ["string", "null"] },
+          "metadata": { "type": "object" },
           "description": { "type": ["string", "null"] }
         }
       }

docs/schemas/source-lock.schema.json

@@ -0,0 +1,34 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "title": "Guide Board Source Lock",
+  "type": "object",
+  "additionalProperties": false,
+  "required": [
+    "id",
+    "schema_version",
+    "created_at",
+    "framework_refs",
+    "extension_refs",
+    "frameworks",
+    "extensions",
+    "mapping_sets",
+    "profiles",
+    "policy_refs",
+    "authorities",
+    "metadata_hooks"
+  ],
+  "properties": {
+    "id": { "type": "string" },
+    "schema_version": { "type": "string" },
+    "created_at": { "type": "string" },
+    "framework_refs": { "type": "array", "items": { "type": "string" } },
+    "extension_refs": { "type": "array", "items": { "type": "string" } },
+    "frameworks": { "type": "array", "items": { "type": "object" } },
+    "extensions": { "type": "array", "items": { "type": "object" } },
+    "mapping_sets": { "type": "array", "items": { "type": "object" } },
+    "profiles": { "type": "object" },
+    "policy_refs": { "type": "object" },
+    "authorities": { "type": "array", "items": { "type": "object" } },
+    "metadata_hooks": { "type": "object" }
+  }
+}

docs/schemas/submission-package.schema.json

@@ -0,0 +1,36 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "title": "Guide Board Submission Package Manifest",
+  "type": "object",
+  "additionalProperties": false,
+  "required": [
+    "id",
+    "schema_version",
+    "run_id",
+    "created_at",
+    "package_identity",
+    "source_lock_ref",
+    "source_lock",
+    "reports",
+    "normalized_outputs",
+    "profile_snapshots",
+    "artifact_manifest",
+    "reported_metadata",
+    "certification_boundary"
+  ],
+  "properties": {
+    "id": { "type": "string" },
+    "schema_version": { "type": "string" },
+    "run_id": { "type": "string" },
+    "created_at": { "type": "string" },
+    "package_identity": { "type": "object" },
+    "source_lock_ref": { "type": "string" },
+    "source_lock": { "type": "object" },
+    "reports": { "type": "array", "items": { "type": "object" } },
+    "normalized_outputs": { "type": "array", "items": { "type": "object" } },
+    "profile_snapshots": { "type": "array", "items": { "type": "object" } },
+    "artifact_manifest": { "type": "array", "items": { "type": "object" } },
+    "reported_metadata": { "type": "array", "items": { "type": "object" } },
+    "certification_boundary": { "type": "string" }
+  }
+}