UAPF v2.4.0 reverses the v2.3.0 decision to place algorithm card
references on resource targets. The card belongs on the BPMN task
itself, where it is visible as a first-class process element and its
inputs/outputs render as visible data objects on the diagram.
Changes from v3.0.0:
- bpmn/semantic-document-analysis.bpmn: each of 3 service tasks now
carries xmlns:uapf24=https://uapf.dev/bpmn/v2.4 + the
uapf24:algorithmCardRef attribute pointing at the governing card,
plus a <bpmn:ioSpecification> synthesised from the card's io block
so inputs/outputs render as visible data objects
- resources/mappings.yaml: algorithm_card dropped from each of the
3 targets (they go back to being just dispatch endpoints)
- uapf.yaml + manifest.json: version 3.0.0 -> 3.1.0
- README rewritten with v3.1.0 delta + audit-question table
Cards themselves are unchanged. DMN files are unchanged.
Wrap the three opaque UAPF-IP capabilities (ai.redact@1, ai.extract@1,
event.emit@1) in Algorithm Cards under algorithms/, per UAPF v2.3.0
chapter 13. Each Card supplies intent, IO contract, ownership,
validation history, risk class, audit configuration, and (where
relevant) privacy/risk extensions. Cards are referenced from resource
targets in resources/mappings.yaml.
Changes:
- NEW algorithms/pii_redactor.card.yaml — deterministic redactor
- NEW algorithms/vdvc_semantic_extractor.card.yaml — stochastic LLM
extractor, EU AI Act high-risk, human oversight mandatory
- NEW algorithms/completion_event_emitter.card.yaml — deterministic
CloudEvents 1.0 emitter
- uapf.yaml + manifest.json: version 2.0.0 -> 3.0.0,
+ paths.algorithms, + algorithm_cards: true
- resources/mappings.yaml: single agent.semantic-extractor target
split into 3 algorithm-specific targets, each w/ algorithm_card ref
- bpmn/: UNCHANGED (algorithm-card refs live on resource targets,
not in BPMN — no extension elements required)
- Removed provides_decisions from manifest (was not in SSOT manifest
schema; DMN decisions are self-describing via the dmn/ cornerstone)
- README rewritten with algorithm-card audit-question table
The 1.x package was a single ai.extract call wrapped in three BPMN
service tasks. No decision logic, no dmn cornerstone, no weights — the
risk/routing/validation algorithm lived invisibly in host code. There
was nothing for a runtime to actually execute.
2.0.0 makes it a real process:
- dmn cornerstone added with three decision tables:
* assess-personal-data-risk — PII regex signals -> risk level
* gdpr-processing-route — risk x centralisation -> CENTRAL/LOCAL,
anonymisation, redaction level
* human-validation-gate — confidence thresholds + PII re-scan
-> REJECTED/PENDING_REVIEW/APPROVED_AUTO
- BPMN expanded 3 -> 6 nodes (3 serviceTask + 3 businessRuleTask),
with horizontal DI.
- Task ids, mappings, docs, manifest (dmn:true), uapf.yaml, lifecycle
and eval-set updated; added a PII-bearing fixture.
Only the semantic extraction remains a model step. Risk classification,
GDPR routing and validation gating are now explicit ranked DMN rules —
inspectable, versioned, portable. Breaking change: structure + outputs.
UAPF-specification v2.1.0 makes cornerstone diagram interchange mandatory
(SEM-011). This file was hand-authored as logic only. Adds the bpmndi/dc/di
namespaces and a complete BPMNDiagram (5 shapes, 4 edges, deterministic
linear layout). The <bpmn:process> logic is byte-identical.
UAPF-specification v2.0.0 mandates OMG-standard cornerstone extensions.
Renamed cornerstone files and updated references in README / docs /
processgit.mcp.yaml. Content of the BPMN/DMN files is unchanged.
The BPMN already invokes ai.redact@1 / ai.extract@1 / event.emit@1 and the
package ships resources/guardrails.yaml. Declaring them at manifest level so
the ProcessGit /uapf-ip endpoint and a UAPF-IP runtime can discover the
package contract before loading it.
