feat(3.0.0): Algorithm Cards per UAPF v2.3.0 chapter 13

Wrap the three opaque UAPF-IP capabilities (ai.redact@1, ai.extract@1,
event.emit@1) in Algorithm Cards under algorithms/, per UAPF v2.3.0
chapter 13. Each Card supplies intent, IO contract, ownership,
validation history, risk class, audit configuration, and (where
relevant) privacy/risk extensions. Cards are referenced from resource
targets in resources/mappings.yaml.

Changes:
- NEW algorithms/pii_redactor.card.yaml — deterministic redactor
- NEW algorithms/vdvc_semantic_extractor.card.yaml — stochastic LLM
  extractor, EU AI Act high-risk, human oversight mandatory
- NEW algorithms/completion_event_emitter.card.yaml — deterministic
  CloudEvents 1.0 emitter
- uapf.yaml + manifest.json: version 2.0.0 -> 3.0.0,
  + paths.algorithms, + algorithm_cards: true
- resources/mappings.yaml: single agent.semantic-extractor target
  split into 3 algorithm-specific targets, each w/ algorithm_card ref
- bpmn/: UNCHANGED (algorithm-card refs live on resource targets,
  not in BPMN — no extension elements required)
- Removed provides_decisions from manifest (was not in SSOT manifest
  schema; DMN decisions are self-describing via the dmn/ cornerstone)
- README rewritten with algorithm-card audit-question table

resources/mappings.yaml

@@ -1,27 +1,53 @@
 kind: uapf.resources.mapping
 
-# Host-readable contract for the capability-backed service tasks. The three
-# DMN decisions (assess-personal-data-risk, gdpr-processing-route,
-# human-validation-gate) are NOT listed here: they are evaluated by the
-# UAPF runtime against the dmn/ cornerstone and need no host resource.
+# Host-readable contract for the capability-backed service tasks.
+#
+# v3.0.0 change: the single agent.semantic-extractor target has been
+# split into three algorithm-specific targets, each referencing an
+# Algorithm Card under algorithms/ (UAPF v2.3.0, chapter 13). The
+# binding shape is unchanged. The BPMN file is unchanged.
+#
+# The three DMN decisions (assess-personal-data-risk,
+# gdpr-processing-route, human-validation-gate) remain self-describing
+# and continue to need no host resource — they are evaluated by the
+# UAPF runtime against the dmn/ cornerstone.
 
 targets:
-  - id: agent.semantic-extractor
+  - id: agent.pii_redactor
     type: ai_agent
-    name: Semantic Extraction AI Agent
+    name: PII detection and redaction agent
     description: |
-      Host-provided agent fulfilling ai.redact@1, ai.extract@1 and
-      event.emit@1. Implementation is the host's choice; this package
-      supplies the BPMN flow, the DMN decision logic, the output schema
-      and the guardrails.
+      Host capability ai.redact@1, governed by the
+      pii_redactor Algorithm Card.
     capabilities:
       - capability.ai.redact
+    algorithm_card: algo.semantic_document_analysis.pii_redactor
+
+  - id: agent.vdvc_semantic_extractor
+    type: ai_agent
+    name: VDVC semantic metadata extractor agent
+    description: |
+      Host capability ai.extract@1, governed by the
+      vdvc_semantic_extractor Algorithm Card. EU AI Act
+      Annex III high-risk; human oversight is mandatory and is
+      enforced downstream by the human-validation-gate DMN.
+    capabilities:
       - capability.ai.extract
+    algorithm_card: algo.semantic_document_analysis.vdvc_semantic_extractor
+
+  - id: agent.completion_event_emitter
+    type: ai_agent
+    name: Completion event emitter agent
+    description: |
+      Host capability event.emit@1, governed by the
+      completion_event_emitter Algorithm Card.
+    capabilities:
       - capability.event.emit
+    algorithm_card: algo.semantic_document_analysis.completion_event_emitter
 
 bindings:
   - source: { type: bpmn.serviceTask, ref: Task_DetectRedactPii }
-    targetId: agent.semantic-extractor
+    targetId: agent.pii_redactor
     mode: autonomous
     contract:
       input:
@@ -35,10 +61,9 @@ bindings:
         - { name: piiCategoryCount,    type: number,  description: "Count of distinct PII categories detected." }
       timeout: "10s"
     requiredCapabilities: [capability.ai.redact]
-    feeds: [assess-personal-data-risk]
 
   - source: { type: bpmn.serviceTask, ref: Task_ExtractSemantics }
-    targetId: agent.semantic-extractor
+    targetId: agent.vdvc_semantic_extractor
     mode: autonomous
     contract:
       input:
@@ -52,10 +77,9 @@ bindings:
       timeout: "30s"
       retries: { maxAttempts: 2, backoffMs: 2000 }
     requiredCapabilities: [capability.ai.extract]
-    feeds: [human-validation-gate]
 
   - source: { type: bpmn.serviceTask, ref: Task_EmitResult }
-    targetId: agent.semantic-extractor
+    targetId: agent.completion_event_emitter
     mode: autonomous
     contract:
       input: