Implement source lock and submission package baseline

2026-05-16 02:51:00 +02:00
parent d73a73b455
commit c8ac42154c
18 changed files with 852 additions and 22 deletions
--- a/docs/ASSESSMENT-OPERATIONS.md
+++ b/docs/ASSESSMENT-OPERATIONS.md
@@ -77,6 +77,7 @@ A completed CLI command prints a JSON result with:
 - `run_dir`: output directory,
 - `assessment_package`: JSON assessment package path,
 - `report`: Markdown report path,
+- `submission_package`: portable submission package manifest path,
 - `retention_summary`: compact durable summary path.

 The output directory uses this contract:
@@ -84,15 +85,27 @@ The output directory uses this contract:
 ```text
 run.json
 plan.json
+sources.lock.json
+target-profile.snapshot.json
+assessment-profile.snapshot.json
 retention-summary.json
 normalized/evidence.json
 normalized/findings.json
 normalized/mappings.json
 reports/assessment-package.json
 reports/report.md
+reports/submission-package.json
 artifacts/
 ```

+`sources.lock.json` records the framework refs, extension versions, mapping
+sets, profile snapshots, policy refs, authority refs, and extension metadata
+hooks used for the run. `reports/submission-package.json` points at the
+reviewable package files, includes checksums where files exist, carries the raw
+artifact manifest, and repeats the certification boundary. It is a portable
+handoff manifest for preparation evidence, not an authority-specific final
+submission.
+
 Use the retained run helpers for history:

 ```sh