core architecture blueprint

extensions/CANDIDATES.md

@@ -150,6 +150,63 @@ implementation; it marks a useful pattern for later inclusion.
 - Source:
   - [OPC UA Compliance Test Tool](https://opcfoundation.org/developer-tools/certification-test-tools/opc-ua-compliance-test-tool-uactt/)
 
+### `nist-scap-openscap`
+
+- Status: candidate.
+- Domain: security configuration, vulnerability, patch, and technical control
+  compliance automation.
+- Authority and sources: NIST SCAP, OpenSCAP ecosystem.
+- Harness pattern: machine-readable policy content, scanner/validator execution,
+  profiles, local system assessment, structured results, and possible tailored
+  content.
+- Why it matters: it is a strong precedent for content-driven compliance checks
+  where the policy content and scanner are separate but interoperable.
+- Sources:
+  - [NIST SCAP](https://csrc.nist.gov/Projects/Security-Content-Automation-Protocol)
+  - [NIST SCAP 1.3](https://csrc.nist.gov/projects/security-content-automation-protocol/scap-releases/scap-1-3)
+  - [OpenSCAP](https://www.open-scap.org/)
+
+### `nist-oscal`
+
+- Status: core-export candidate.
+- Domain: machine-readable control, implementation, assessment, and remediation
+  data.
+- Authority and sources: National Institute of Standards and Technology.
+- Harness pattern: not a test harness itself; a structured interchange model for
+  catalogs, profiles, system security plans, assessment plans, assessment
+  results, and POA&M data.
+- Why it matters: it provides the closest official model for later exporting
+  guide-board compliance evidence into assessment packages.
+- Source:
+  - [NIST OSCAL Layers and Models](https://pages.nist.gov/OSCAL/learn/concepts/layer/)
+
+### `cis-cat-pro`
+
+- Status: candidate with access restrictions.
+- Domain: secure configuration assessment against CIS Benchmarks and CIS
+  Controls.
+- Authority and sources: Center for Internet Security.
+- Harness pattern: member-access assessment tool, benchmark profiles, automated
+  and manual assessment, reports mapped to CIS Controls.
+- Why it matters: it shows how guide-board should model licensed benchmark
+  content and restricted tools without redistributing them.
+- Sources:
+  - [CIS-CAT Pro Assessor](https://www.cisecurity.org/cybersecurity-tools/cis-cat-pro)
+  - [CIS-CAT Pro Coverage Guide](https://ciscat-assessor.docs.cisecurity.org/en/latest/Coverage%20Guide/)
+
+### `openssf-scorecard`
+
+- Status: candidate.
+- Domain: repository security posture and software supply-chain quality.
+- Authority and sources: Open Source Security Foundation.
+- Harness pattern: automated repository checks, per-check score and risk level,
+  aggregate score, remediation guidance, CI/API integration.
+- Why it matters: guide-board should support repository quality management as an
+  extension family alongside formal standards and certification preparation.
+- Sources:
+  - [OpenSSF Scorecard](https://openssf.org/projects/scorecard/)
+  - [Scorecard documentation](https://github.com/ossf/scorecard)
+
 ## Non-Harness Evidence Packs
 
 Some important frameworks may not have an official executable test harness in the
@@ -182,4 +239,5 @@ The candidates point to the same core abstractions:
 - conformance class, capability, control, or requirement mapping,
 - expectation and waiver model for optional or unsupported behavior,
 - result package suitable for human review and possible certification submission,
-- explicit boundary between preparation evidence and certification decision.
+- explicit boundary between preparation evidence and certification decision,
+- optional export into formal assessment interchange formats such as OSCAL.