command-runner support and first OpenCMIS TCK wrapper boundary

docs/EXTENSION-SDK.md

@@ -60,9 +60,11 @@ Runner entry points currently support these kinds:
 
 - `python_module`: load a Python file from the extension directory and call a
   function.
+- `command`: execute a manifest-declared argv without shell expansion. The core
+  writes a context JSON file and expects the command to print a JSON runner
+  result to stdout.
 - `external`: declare an external harness that the baseline core cannot execute
   yet.
-- `command`: reserved for future command execution.
 
 Example:
 
@@ -77,6 +79,29 @@ Example:
 }
 ```
 
+Command runner example:
+
+```json
+{
+  "id": "opencmis-tck",
+  "kind": "command",
+  "module_path": null,
+  "callable": null,
+  "command": ["python3", "runners/opencmis_tck.py", "--context", "{context_json}"],
+  "description": "Checks dependency posture and prepares OpenCMIS TCK execution."
+}
+```
+
+Command placeholders:
+
+- `{context_json}`: generated context file for the current step.
+- `{root}`: repository root.
+- `{run_dir}`: current run directory.
+- `{extension_path}`: current extension directory.
+
+The command is executed with the extension directory as its working directory.
+The core does not use a shell for command runners.
+
 ## Python Runner Contract
 
 A Python runner receives one context object and returns one result object.
@@ -138,7 +163,6 @@ Initial statuses:
 
 ## Next SDK Steps
 
-- Add command runner support with explicit allow/deny controls.
 - Add artifact helper APIs for extension-generated raw files.
 - Add normalizer and mapping plug-in contracts.
 - Add extension-owned schema validation for domain-specific target profile