rewrite 2.0.0: real process — extract the algorithm into DMN

The 1.x package was a single ai.extract call wrapped in three BPMN service tasks. No decision logic, no dmn cornerstone, no weights — the risk/routing/validation algorithm lived invisibly in host code. There was nothing for a runtime to actually execute. 2.0.0 makes it a real process: - dmn cornerstone added with three decision tables: * assess-personal-data-risk — PII regex signals -> risk level * gdpr-processing-route — risk x centralisation -> CENTRAL/LOCAL, anonymisation, redaction level * human-validation-gate — confidence thresholds + PII re-scan -> REJECTED/PENDING_REVIEW/APPROVED_AUTO - BPMN expanded 3 -> 6 nodes (3 serviceTask + 3 businessRuleTask), with horizontal DI. - Task ids, mappings, docs, manifest (dmn:true), uapf.yaml, lifecycle and eval-set updated; added a PII-bearing fixture. Only the semantic extraction remains a model step. Risk classification, GDPR routing and validation gating are now explicit ranked DMN rules — inspectable, versioned, portable. Breaking change: structure + outputs.
2026-05-17 20:00:36 +00:00
parent 3f1d62c748
commit dd69a04355
15 changed files with 496 additions and 120 deletions
--- a/uapf.yaml
+++ b/uapf.yaml
@@ -1,28 +1,38 @@
 kind: uapf.package
 id: dev.uapf.semantic-document-analysis
-name: Semantic Document Analysis (UAPF reference algorithm)
+name: Semantic Document Analysis
 description: |
-  Level-4 UAPF process for extracting VDVC-conformant semantic metadata
-  (topic, summary, urgency, risk, sensitivity) from a free-text document.
+  Level-4 UAPF process for semantic analysis of free-text documents.

-  Portable across document management systems, intake portals, mailroom
-  scanners, case-management platforms. Three BPMN service tasks invoke
-  the reserved UAPF-IP capabilities ai.redact@1, ai.extract@1, event.emit@1.
-  The host fulfils each capability with its own AI agent; this package
-  supplies the BPMN flow, the VDVC output JSON Schema, the guardrails,
-  and the resource mapping contract.
+  Three BPMN service tasks invoke the UAPF-IP capabilities ai.redact@1,
+  ai.extract@1 and event.emit@1. Three DMN decision tables encode the
+  deterministic algorithm the host previously hid inside application
+  code: assess-personal-data-risk maps PII regex signals to a risk
+  level; gdpr-processing-route selects CENTRAL vs LOCAL processing,
+  anonymisation and redaction level; human-validation-gate applies the
+  confidence thresholds that decide REJECTED / PENDING_REVIEW /
+  APPROVED_AUTO.
+
+  Only the semantic extraction is a model step. Risk classification,
+  GDPR routing and the validation gate are explicit ranked rules in
+  versioned DMN — inspectable, auditable, portable. Extraction output
+  validates against the VDVC v1.1 semantic-summary JSON Schema.

 level: 4
-version: "1.0.0"
+version: "2.0.0"

 # ── UAPF-IP integration (capability needs + profile + guardrails) ──
-# Declared so a UAPF-IP runtime / the ProcessGit /uapf-ip endpoint can
-# discover what this package requires before loading it.
 requires_capabilities:
  - ai.redact@1+
  - ai.extract@1+
  - event.emit@1+

+# DMN decisions are evaluated by the runtime itself — no host capability.
+provides_decisions:
+  - assess-personal-data-risk
+  - gdpr-processing-route
+  - human-validation-gate
+
 profiles_supported:
  - uapf-ip-orchestrated

@@ -33,7 +43,7 @@ dependencies: {}

 cornerstones:
  bpmn: true
-  dmn: false
+  dmn: true
  cmmn: false
  resources: true

@@ -53,6 +63,7 @@ exposure:
    exposedArtifacts:
      - manifest
      - bpmn
+      - dmn
      - docs

 owners: