feat(3.1.0): align with UAPF v2.4.0 — algorithm card refs move to BPMN task

UAPF v2.4.0 reverses the v2.3.0 decision to place algorithm card
references on resource targets. The card belongs on the BPMN task
itself, where it is visible as a first-class process element and its
inputs/outputs render as visible data objects on the diagram.

Changes from v3.0.0:
- bpmn/semantic-document-analysis.bpmn: each of 3 service tasks now
  carries xmlns:uapf24=https://uapf.dev/bpmn/v2.4 + the
  uapf24:algorithmCardRef attribute pointing at the governing card,
  plus a <bpmn:ioSpecification> synthesised from the card's io block
  so inputs/outputs render as visible data objects
- resources/mappings.yaml: algorithm_card dropped from each of the
  3 targets (they go back to being just dispatch endpoints)
- uapf.yaml + manifest.json: version 3.0.0 -> 3.1.0
- README rewritten with v3.1.0 delta + audit-question table

Cards themselves are unchanged. DMN files are unchanged.

bpmn/semantic-document-analysis.bpmn

@@ -2,6 +2,7 @@
 <bpmn:definitions
     xmlns:bpmn="http://www.omg.org/spec/BPMN/20100524/MODEL"
     xmlns:uapf="https://uapf.dev/bpmn-ext/v1"
+    xmlns:uapf24="https://uapf.dev/bpmn/v2.4"
     xmlns:bpmndi="http://www.omg.org/spec/BPMN/20100524/DI"
     xmlns:dc="http://www.omg.org/spec/DD/20100524/DC"
     xmlns:di="http://www.omg.org/spec/DD/20100524/DI"
@@ -16,15 +17,36 @@
 
     <bpmn:serviceTask id="Task_DetectRedactPii"
                       name="Detect and redact PII"
-                      uapf:capability="ai.redact@1">
+                      uapf:capability="ai.redact@1"
+                      uapf24:algorithmCardRef="algo.semantic_document_analysis.pii_redactor">
       <bpmn:documentation>
-        Calls ai.redact@1 over the source text. Beyond masking, the host
+        Calls ai.redact@1 over the source text. Governed by Algorithm
+        Card algo.semantic_document_analysis.pii_redactor (see
+        algorithms/pii_redactor.card.yaml). Beyond masking, the host
         runs the four Latvian PII regex detectors (personas kods, IBAN,
         e-mail, phone) and returns the deterministic signal set the risk
-        decision consumes: personasKodaPresent, financialDataPresent,
-        contactDataPresent, piiCategoryCount, detectedEntityTypes, plus
-        redactedContent. No model inference — pure pattern detection.
+        decision consumes.
       </bpmn:documentation>
+      <bpmn:ioSpecification>
+        <bpmn:dataInput  id="content"                name="content : string"/>
+        <bpmn:dataOutput id="redacted_content"       name="redacted_content : string"/>
+        <bpmn:dataOutput id="detected_entity_types"  name="detected_entity_types : array"/>
+        <bpmn:dataOutput id="personas_koda_present"  name="personas_koda_present : boolean"/>
+        <bpmn:dataOutput id="financial_data_present" name="financial_data_present : boolean"/>
+        <bpmn:dataOutput id="contact_data_present"   name="contact_data_present : boolean"/>
+        <bpmn:dataOutput id="pii_category_count"     name="pii_category_count : integer"/>
+        <bpmn:inputSet>
+          <bpmn:dataInputRefs>content</bpmn:dataInputRefs>
+        </bpmn:inputSet>
+        <bpmn:outputSet>
+          <bpmn:dataOutputRefs>redacted_content</bpmn:dataOutputRefs>
+          <bpmn:dataOutputRefs>detected_entity_types</bpmn:dataOutputRefs>
+          <bpmn:dataOutputRefs>personas_koda_present</bpmn:dataOutputRefs>
+          <bpmn:dataOutputRefs>financial_data_present</bpmn:dataOutputRefs>
+          <bpmn:dataOutputRefs>contact_data_present</bpmn:dataOutputRefs>
+          <bpmn:dataOutputRefs>pii_category_count</bpmn:dataOutputRefs>
+        </bpmn:outputSet>
+      </bpmn:ioSpecification>
     </bpmn:serviceTask>
 
     <bpmn:businessRuleTask id="Decision_AssessRisk"
@@ -32,9 +54,7 @@
                            uapf:decision="assess-personal-data-risk">
       <bpmn:documentation>
         DMN dmn/assess-personal-data-risk.dmn. Maps the PII signal set to
-        personalDataRisk (NONE | LOW | MEDIUM | HIGH) by explicit ranked
-        rules. Personas kods or IBAN forces HIGH; two or more categories
-        or contact data gives MEDIUM. Deterministic and auditable.
+        personalDataRisk (NONE | LOW | MEDIUM | HIGH).
       </bpmn:documentation>
     </bpmn:businessRuleTask>
 
@@ -44,48 +64,75 @@
       <bpmn:documentation>
         DMN dmn/gdpr-processing-route.dmn. From personalDataRisk and
         allowCentralization decides processingRoute (CENTRAL | LOCAL),
-        anonymizationRequired and redactionLevel. This is the routing
-        rule extracted from the host's generate_semantic_metadata: a
-        sensitive document where centralisation is not permitted stays
-        LOCAL with full redaction.
+        anonymizationRequired and redactionLevel.
       </bpmn:documentation>
     </bpmn:businessRuleTask>
 
     <bpmn:serviceTask id="Task_ExtractSemantics"
                       name="Extract semantic metadata"
                       uapf:capability="ai.extract@1"
-                      uapf:schemaRef="resources/schemas/vdvc-semantic-summary.schema.json">
+                      uapf:schemaRef="resources/schemas/vdvc-semantic-summary.schema.json"
+                      uapf24:algorithmCardRef="algo.semantic_document_analysis.vdvc_semantic_extractor">
       <bpmn:documentation>
         Calls ai.extract@1 on redactedContent with the VDVC v1.1 output
-        schema. This is the single bounded model step: it produces the
-        semanticSummary (topic, summary, keywords, urgency, risk) and
-        must validate against resources/schemas/vdvc-semantic-summary.
-        The host also returns flat aiConfidenceScore and the result of
-        the post-extraction PII re-scan as outputPiiErrorCount.
+        schema. Governed by Algorithm Card
+        algo.semantic_document_analysis.vdvc_semantic_extractor (see
+        algorithms/vdvc_semantic_extractor.card.yaml). EU AI Act
+        Annex III high-risk; human oversight is mandatory and is
+        enforced downstream by the human-validation-gate DMN.
       </bpmn:documentation>
+      <bpmn:ioSpecification>
+        <bpmn:dataInput  id="redacted_content"      name="redacted_content : string"/>
+        <bpmn:dataInput  id="schema_ref"            name="schema_ref : string"/>
+        <bpmn:dataOutput id="semantic_summary"      name="semantic_summary : object"/>
+        <bpmn:dataOutput id="sensitivity_control"   name="sensitivity_control : object"/>
+        <bpmn:dataOutput id="ai_confidence_score"   name="ai_confidence_score : probability"/>
+        <bpmn:dataOutput id="output_pii_error_count" name="output_pii_error_count : integer"/>
+        <bpmn:inputSet>
+          <bpmn:dataInputRefs>redacted_content</bpmn:dataInputRefs>
+          <bpmn:dataInputRefs>schema_ref</bpmn:dataInputRefs>
+        </bpmn:inputSet>
+        <bpmn:outputSet>
+          <bpmn:dataOutputRefs>semantic_summary</bpmn:dataOutputRefs>
+          <bpmn:dataOutputRefs>sensitivity_control</bpmn:dataOutputRefs>
+          <bpmn:dataOutputRefs>ai_confidence_score</bpmn:dataOutputRefs>
+          <bpmn:dataOutputRefs>output_pii_error_count</bpmn:dataOutputRefs>
+        </bpmn:outputSet>
+      </bpmn:ioSpecification>
     </bpmn:serviceTask>
 
     <bpmn:businessRuleTask id="Decision_ValidationGate"
                            name="Determine human-validation status"
                            uapf:decision="human-validation-gate">
       <bpmn:documentation>
-        DMN dmn/human-validation-gate.dmn. From outputPiiErrorCount,
-        aiConfidenceScore and personalDataRisk decides
-        humanValidationStatus (REJECTED | PENDING_REVIEW | APPROVED_AUTO)
-        and requiresHumanReview. Any leaked PII or confidence below 0.3
-        rejects; below 0.7, or HIGH risk, forces review; 0.7 and above
-        with clean output auto-approves. The thresholds are the weights.
+        DMN dmn/human-validation-gate.dmn. From output_pii_error_count,
+        ai_confidence_score and personalDataRisk decides
+        humanValidationStatus (REJECTED | PENDING_REVIEW | APPROVED_AUTO).
       </bpmn:documentation>
     </bpmn:businessRuleTask>
 
     <bpmn:serviceTask id="Task_EmitResult"
                       name="Emit semantic-analysis-completed event"
                       uapf:capability="event.emit@1"
-                      uapf:eventType="document.semantic-analysis.completed.v1">
+                      uapf:eventType="document.semantic-analysis.completed.v1"
+                      uapf24:algorithmCardRef="algo.semantic_document_analysis.completion_event_emitter">
       <bpmn:documentation>
-        Calls event.emit@1 to publish a CloudEvent carrying the semantic
-        summary, the routing decision and the validation status.
+        Calls event.emit@1 to publish a CloudEvent. Governed by
+        Algorithm Card algo.semantic_document_analysis.completion_event_emitter
+        (see algorithms/completion_event_emitter.card.yaml).
       </bpmn:documentation>
+      <bpmn:ioSpecification>
+        <bpmn:dataInput  id="event_type" name="event_type : string"/>
+        <bpmn:dataInput  id="payload"    name="payload : object"/>
+        <bpmn:dataOutput id="published"  name="published : boolean"/>
+        <bpmn:inputSet>
+          <bpmn:dataInputRefs>event_type</bpmn:dataInputRefs>
+          <bpmn:dataInputRefs>payload</bpmn:dataInputRefs>
+        </bpmn:inputSet>
+        <bpmn:outputSet>
+          <bpmn:dataOutputRefs>published</bpmn:dataOutputRefs>
+        </bpmn:outputSet>
+      </bpmn:ioSpecification>
     </bpmn:serviceTask>
 
     <bpmn:endEvent id="End" name="Semantic analysis complete"/>