Cross-cutting themes surfaced during the v3.4.0 audit umbrella + downstream-blocking schema/data fixes + framework-render taxonomy schema (absorbed from former v3.8.0 milestone, closed 2026-05-01).

Scope

Downstream-blocker series (4 M365-Assess upstream issues unblocked)

• #360 — ISO 27001 / ISO 27002 mapping divergence (M365-Assess#871)
• #361 — data: introduce data/microsoft-first-party-appids.json (M365-Assess#887)
• #362 — remediation portal paths sweep + Microsoft Learn URLs (M365-Assess#879)
• #407 — schema: framework-render taxonomy keys (groupBy / groupLabel / groups + taxonomyDecision / taxonomyReason fallback) (M365-Assess#914) — supersedes #317 spike

Framework taxonomy seed + backfill (lands with #407)

• #318 — CMMC family axis (subsumed by #407 seed data)
• #319 — NIST 800-53 r5 family axis (subsumed)
• #320 — FedRAMP family axis (subsumed)
• #321 — NIST CSF function/category axis (partially subsumed; subcategory deferred)
• #322 — SOC 2 TSC category axis (subsumed)
• #323 — backfill 4 frameworks with no taxonomy (gdpr, iso-27017, nis2, nist-800-171) using #407's schema
• #324 — MITRE technique→tactic map data file

Cross-cutting reconciliation (audit-derived)

• #386 — AZ-namespace boundary reconciliation
• #387 — namespace duplication reconciliation
• #388 — canonical reference data layer umbrella
• #389 — consumer guide for the 5 detection contracts

Charter: additive only

Pure-additive issues (#361, #362, #388, #389, #407, #318–#324) ship in v3.5.0 unconditionally. For reconciliation/divergence issues (#360, #386, #387), the chosen Option determines milestone routing:

• Non-breaking Option (dual-list, alias, deprecation-without-removal, strict-additive divergence) → v3.5.0
• Breaking Option (CheckID rename/removal, controlId format change) → v4.0.0 (M#45)

Decisions locked for #407

1. Closed groupBy strategy enum — 7 strategies; new ones require schema bump. Frameworks without a fitting strategy use taxonomyDecision fallback.
2. groups schema accepts either flat-string or full-object form — {code: "Label"} or {code: {label, controlCount?, ...}}. ISO 27001/27002 migrate from themes to groups (full form, preserves controlCount); M365-Assess updates one line.
3. #318–#324 close via #407's seed-data PR auto-close keywords. #317 spike already closed as superseded.

Pre-conditions

v3.4.0 has shipped (✓ 2026-04-30). v3.6.0/v3.7.0 work is independent and can run in parallel — v3.5.0 does not block them.