requirement refs map to capability groups

docs/ARCHITECTURE-BLUEPRINT.md

@@ -363,6 +363,10 @@ Maps evidence to:
 
 Mappings belong to extensions or assessment packs, not the core.
 
+The first implementation loads extension-owned JSON mapping sets from
+`extensions/<extension-id>/mappings/`, joins them to evidence `requirement_refs`,
+and writes normalized mapping records under each run directory.
+
 ### Expectation And Waiver Engine
 
 Applies declared target posture after evidence normalization.

docs/EXTENSION-SDK.md

@@ -51,6 +51,7 @@ The key runtime fields are:
 - `check_groups`: named groups that assessment profiles can select.
 - `preflight_runner`: optional runner ID used before selected check groups.
 - `runner_entrypoints`: concrete runner declarations.
+- `mappings`: mapping set IDs under `mappings/<mapping-id>.json`.
 - `certification_boundary`: explicit statement of what the extension does not
   certify.
 
@@ -102,6 +103,30 @@ Command placeholders:
 The command is executed with the extension directory as its working directory.
 The core does not use a shell for command runners.
 
+## Mapping Sets
+
+Mapping sets connect normalized evidence requirement refs to capability groups,
+controls, conformance classes, quality dimensions, or other assessment targets.
+
+Each mapping set lives under:
+
+```text
+extensions/<extension-id>/mappings/<mapping-id>.json
+```
+
+and validates against:
+
+```text
+docs/schemas/mapping-set.schema.json
+```
+
+The core does not embed domain policy. It only joins evidence `requirement_refs`
+to extension-owned mappings and writes normalized mapping records to:
+
+```text
+runs/<run-id>/normalized/mappings.json
+```
+
 ## Python Runner Contract
 
 A Python runner receives one context object and returns one result object.
@@ -167,6 +192,6 @@ Initial statuses:
 
 ## Next SDK Steps
 
-- Add normalizer and mapping plug-in contracts.
+- Add normalizer plug-in contracts.
 - Add extension-owned schema validation for domain-specific target profile
   fields.

docs/schemas/assessment-package.schema.json

@@ -11,6 +11,7 @@
     "extensions",
     "source_lock",
     "summary",
+    "mapping_summary",
     "findings",
     "evidence_refs",
     "artifact_manifest",
@@ -26,6 +27,7 @@
     "extensions": { "type": "array", "items": { "type": "object" } },
     "source_lock": { "type": "object" },
     "summary": { "type": "object" },
+    "mapping_summary": { "type": "object" },
     "findings": { "type": "array", "items": { "type": "object" } },
     "evidence_refs": { "type": "array", "items": { "type": "string" } },
     "artifact_manifest": { "type": "array", "items": { "type": "object" } },

docs/schemas/mapping-set.schema.json

@@ -0,0 +1,38 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "title": "Guide Board Mapping Set",
+  "type": "object",
+  "additionalProperties": false,
+  "required": [
+    "id",
+    "extension_id",
+    "framework_refs",
+    "mappings"
+  ],
+  "properties": {
+    "id": { "type": "string" },
+    "extension_id": { "type": "string" },
+    "framework_refs": { "type": "array", "items": { "type": "string" } },
+    "mappings": {
+      "type": "array",
+      "items": {
+        "type": "object",
+        "additionalProperties": false,
+        "required": [
+          "requirement_ref",
+          "target_type",
+          "target_id",
+          "label",
+          "description"
+        ],
+        "properties": {
+          "requirement_ref": { "type": "string" },
+          "target_type": { "type": "string" },
+          "target_id": { "type": "string" },
+          "label": { "type": "string" },
+          "description": { "type": "string" }
+        }
+      }
+    }
+  }
+}