lv-civdef-drone-threat-public-address/docs/05-validation-report.md

# 05 — Validation Report

Package: `lv.civdef.drone-threat-public-address` v0.3.0
Date: 2026-05-18 · Tool: `validate.py`

## Result: 19 / 19 checks passed

### Structural
- All three cornerstone files (BPMN, DMN, CMMN) are well-formed XML.
- All six YAML files parse.
- `uapf.yaml` validates against `uapf-manifest.schema.json` (UAPF v2.2.0).

### Model integrity
- BPMN: 26 flow nodes; every `sequenceFlow` source/target resolves.
- DMN: exactly 6 decisions; every `informationRequirement` href resolves.
- CMMN: 11 human tasks across 3 stages.

### Quality gates added in v0.3.0 (these are the v0.2.0 defects)
- **Every DMN decision carries a `<description>`.** v0.2.0 had none.
- **No declared-but-unused decision inputs.** Every `requiredInput` of every
  decision is used as a decision-table input column or in an output
  expression. This is the check that proves the v0.2.0 interception defect —
  `positiveHostileId` declared but never tested — is fixed.
- **Every `mappings.yaml` binding resolves to a real diagram element**, and
  every `targetId` resolves to a declared target. The resource↔process linkage
  is now machine-checkable.

## What is *not* validated here

- **Semantic correctness of the modelled algorithm** — whether these are the
  right institutions, thresholds and SLAs — is an institutional review
  question, tracked in `01-institutional-gap-analysis.md`.
- **DMN completeness/overlap** of `FIRST`-hit tables is not formally verified;
  each table ends with a catch-all rule so no input is left without an output.
- Diagram interchange (DI) renders cleanly in `dmn-js` / `bpmn-js` / `cmmn-js`;
  visual review in the target viewer is still recommended.

## Reproduce

```
python3 validate.py    # exits non-zero on any failure
```