feat(frameworks): own grouping/taxonomy upstream - fix M365-Assess sync regression + v3.5.0 render-taxonomy#411

Merged: Daren9m merged 3 commits into main from fix/framework-grouping-metadata on Jun 14, 2026
Conversation

@Daren9m Daren9m commented Jun 14, 2026

Collaborator

Why

M365-Assess consumes CheckID's data/frameworks/*.json verbatim via its sync-checkid.yml workflow (see REFERENCES.md: "Fetch data/registry.json and data/frameworks/*.json from the tagged version"). The grouping/taxonomy presentation metadata that M365-Assess maintainers had hand-added downstream was never present in CheckID's source, so every sync overwrote it.

The v3.4.1 auto-sync PR Galvnyz/M365-Assess#989 dropped, among others:

  • cis-m365-v6 sections "4": "Intune" and "9": "Fabric (Power BI)"
  • the cisa-scuba groups map including MS.INTUNE
  • grouping/taxonomy metadata across ~12 more framework files

This PR makes CheckID the canonical owner of that metadata so the next sync is a no-op, and delivers the planned v3.5.0 render-taxonomy layer on top of it.

What

1. Stop the regression (fix(frameworks): carry grouping/taxonomy metadata ...)
Restore groupBy / groupLabel / groups / sections / taxonomyDecision / taxonomyReason / note to the 14 frameworks #989 regressed. Verified byte-idempotent against M365-Assess base, so re-syncing produces zero grouping diff. Relabels 31 previously-orphaned registry checks (5 Intune 4.x, 26 Power BI 9.x) under their correct CIS M365 v6 sections.

2. Backfill + completeness (feat(frameworks): backfill native grouping axes ...)
Declare native axes for the 4 frameworks that had none (#323):

| framework | groupBy strategy | axis |
| --- | --- | --- |
| iso-27017 | section-prefix | ISO/IEC 27002:2015 clauses 5-18 |
| nist-800-171 | nist-800-171-family (new) | families 3.1-3.14 + NFO bucket |
| gdpr | article-prefix (new) | GDPR articles |
| nis2 | article-prefix (new) | NIS2 articles |

Also completes PCI-DSS: adds appendix groups A1 / A2 / A3. The registry has appendix controls that the 1-12 requirement map did not cover (a latent "Other" bucket on the M365-Assess side too).

3. Contract + enforcement (feat(frameworks): formalize render-taxonomy schema keys ...)
Formalize the render-taxonomy keys in data/frameworks.schema.json (#407): groupBy (enum of 9 strategies), groupLabel, groups / sections / controls, taxonomyDecision, taxonomyReason. additionalProperties stays true; all 20 framework files validate. Add tests/framework-grouping-coverage.Tests.ps1 asserting every registry controlId resolves to a declared group for each groupBy framework.

New contract vocabulary (please review)

Two new groupBy strategy names join the cross-repo contract; consumers that render native grouping must implement them:

  • article-prefix -- ^Article\s+(\d+) -> article number (gdpr, nis2)
  • nist-800-171-family -- NFO* -> NFO, else first two dot-segments (3.12.1 -> 3.12)

Testing

  • 409 Pester tests pass (was 377; +32 from the new coverage test), 0 failures.
  • All 20 framework files validate against the updated frameworks.schema.json.
  • Idempotency confirmed: every edited file's grouping/taxonomy keys equal M365-Assess base.
  • Group coverage: every groupBy framework's map covers 100% of registry controlId prefixes.

Rollout

Closes #318, #319, #320, #321, #322, #323, #407
Refs #317, #324, Galvnyz/M365-Assess#989
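The two new strategies and the coverage rule above, worked through as an added PowerShell example. This is not CheckID's or M365-Assess's own code (neither the parser nor tests/framework-grouping-coverage.Tests.ps1 is shown on this page); the framework metadata, group labels and registry control IDs below are constructed sample data in the shape the PR describes, with one deliberately unmapped ID to show what the test catches.

```powershell
# Resolve a controlId to a group key for the two strategies the PR adds to the contract.
function Resolve-GroupKey {
    param([string]$Strategy, [string]$ControlId)
    switch ($Strategy) {
        'article-prefix' {
            # ^Article\s+(\d+) -> article number (gdpr, nis2)
            if ($ControlId -match '^Article\s+(\d+)') { return $Matches[1] }
            return $null
        }
        'nist-800-171-family' {
            # NFO* -> NFO, else first two dot-segments (3.12.1 -> 3.12)
            if ($ControlId -like 'NFO*') { return 'NFO' }
            if ($ControlId -match '^(\d+\.\d+)(\.|$)') { return $Matches[1] }
            return $null
        }
        default { throw "Unknown groupBy strategy '$Strategy'" }
    }
}

# Constructed framework metadata using the PR's keys (groupBy, groups); labels are sample values.
$frameworks = @(
    @{ id = 'gdpr'; groupBy = 'article-prefix'
       groups = @{ '5' = 'Principles'; '32' = 'Security of processing' } },
    @{ id = 'nist-800-171'; groupBy = 'nist-800-171-family'
       groups = @{ '3.1' = 'Access Control'; '3.12' = 'Security Assessment'; 'NFO' = 'NFO' } }
)

# Constructed registry control IDs per framework; 'Article 99' has no declared group on purpose.
$registry = @{
    'gdpr'         = @('Article 5', 'Article 32', 'Article 99')
    'nist-800-171' = @('3.1.1', '3.12.1', 'NFO-1')
}

# The coverage check: every controlId of a groupBy framework must resolve to a declared group key.
# Each object emitted is a control that would have landed in a downstream "Other" bucket.
function Test-GroupCoverage {
    param($Frameworks, $Registry)
    foreach ($fw in ($Frameworks | Where-Object { $_.groupBy })) {
        foreach ($cid in $Registry[$fw.id]) {
            $key = Resolve-GroupKey -Strategy $fw.groupBy -ControlId $cid
            if (-not $key -or -not $fw.groups.ContainsKey($key)) {
                [pscustomobject]@{ framework = $fw.id; controlId = $cid; resolvedKey = $key }
            }
        }
    }
}

Test-GroupCoverage -Frameworks $frameworks -Registry $registry | Format-Table -AutoSize
```

With the constructed data only the gdpr 'Article 99' entry is reported, since the other IDs all resolve to keys present in their framework's groups map. In a Pester test the same loop would assert that the function emits nothing.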

Daren9m added 3 commits June 13, 2026 21:37
…stops regressing it

M365-Assess consumes data/frameworks/*.json verbatim via sync-checkid.yml, but its
hand-added grouping/taxonomy presentation metadata (groupBy, groupLabel, groups,
sections, taxonomyDecision, taxonomyReason, note) was absent from CheckID's source —
so every sync (e.g. Galvnyz/M365-Assess#989 for v3.4.1) overwrote it, dropping CIS
M365 v6 sections "4: Intune" and "9: Fabric (Power BI)", the SCuBA groups map (incl.
MS.INTUNE), and grouping metadata across 12 other frameworks.

Port the enrichment upstream so CheckID is the complete source of truth and the next
sync is a no-op for these keys. Also relabels 31 previously-orphaned registry checks
(5 Intune 4.x, 26 Power BI 9.x) under their correct CIS M365 v6 sections.

No schema change (frameworks.schema.json already permits these via additionalProperties).
Idempotency verified against M365-Assess base for all 14 files; 377 Pester tests pass.
…pendices

Declare render-taxonomy grouping for the 4 frameworks that had none (#323) and
close a latent coverage gap in PCI-DSS:

- iso-27017: section-prefix axis (ISO/IEC 27002:2015 clauses 5-18)
- nist-800-171: family axis (3.1-3.14 NIST 800-171 R2 families + NFO bucket;
  new groupBy strategy "nist-800-171-family")
- gdpr / nis2: article axis (new groupBy strategy "article-prefix")
- pci-dss: add appendix groups A1/A2/A3 — registry has appendix controls the
  1-12 requirement map did not cover (would have landed in downstream "Other")

Every declared group map covers 100% of the controlId prefixes present in
data/registry.json (verified by the new group-coverage test).
…age test

Resolves the schema half of the render-taxonomy contract (#407): declare the
optional keys groupBy (enum of 9 parser strategies), groupLabel, groups,
sections, controls, taxonomyDecision, taxonomyReason in data/frameworks.schema.json
(additionalProperties stays true; no existing file breaks — all 20 validate).

Add tests/framework-grouping-coverage.Tests.ps1: for every framework that
declares a groupBy, assert each registry controlId resolves to a declared group
key via that strategy's parser. Satisfies the "every controlId resolves to a
declared family" acceptance criterion shared by #318-#322. 409 Pester tests pass.
@github-actions


Content enrichment population

Overall (1106 checks): rationale 26.4% (292/1106) • impact 26.4% (292/1106) • references 26.4% (292/1106)

| Framework | n | rationale | impact | references |
| --- | --- | --- | --- | --- |
| cis-controls-v8 | 1021 | 25.2% (257/1021) | 25.2% (257/1021) | 25.2% (257/1021) |
| cis-m365-v6 | 167 | 100.0% (167/167) | 100.0% (167/167) | 100.0% (167/167) |
| cisa-scuba | 52 | 100.0% (52/52) | 100.0% (52/52) | 100.0% (52/52) |
| cmmc | 1081 | 26.4% (285/1081) | 26.4% (285/1081) | 26.4% (285/1081) |
| eidsca | 21 | 100.0% (21/21) | 100.0% (21/21) | 100.0% (21/21) |
| essential-eight | 631 | 22.3% (141/631) | 22.3% (141/631) | 22.3% (141/631) |
| fedramp | 1073 | 27.2% (292/1073) | 27.2% (292/1073) | 27.2% (292/1073) |
| gdpr | 11 | 100.0% (11/11) | 100.0% (11/11) | 100.0% (11/11) |
| hipaa | 502 | 33.5% (168/502) | 33.5% (168/502) | 33.5% (168/502) |
| iso-27001 | 1021 | 26.6% (272/1021) | 26.6% (272/1021) | 26.6% (272/1021) |
| iso-27002 | 1021 | 26.6% (272/1021) | 26.6% (272/1021) | 26.6% (272/1021) |
| iso-27017 | 1013 | 26.1% (264/1013) | 26.1% (264/1013) | 26.1% (264/1013) |
| mitre-attack | 893 | 30.8% (275/893) | 30.8% (275/893) | 30.8% (275/893) |
| nis2 | 311 | 25.7% (80/311) | 25.7% (80/311) | 25.7% (80/311) |
| nist-800-171 | 1081 | 26.4% (285/1081) | 26.4% (285/1081) | 26.4% (285/1081) |
| nist-800-53 | 1073 | 27.2% (292/1073) | 27.2% (292/1073) | 27.2% (292/1073) |
| nist-csf | 827 | 31.2% (258/827) | 31.2% (258/827) | 31.2% (258/827) |
| pci-dss | 1053 | 26.4% (278/1053) | 26.4% (278/1053) | 26.4% (278/1053) |
| soc2 | 1104 | 26.4% (292/1104) | 26.4% (292/1104) | 26.4% (292/1104) |
| stig | 13 | 100.0% (13/13) | 100.0% (13/13) | 100.0% (13/13) |

Informational only — does not gate the build. The hard release-gate for Critical/High enrichment lives in #281 (v3.2.0).

@github-actions


Framework mapping count delta

| Framework | main | this PR | Δ | Δ% | Status |
| --- | --- | --- | --- | --- | --- |
| cis-controls-v8 | 1021 | 1021 | 0 | +0.00% | ✓ OK |
| cis-m365-v6 | 167 | 167 | 0 | +0.00% | ✓ OK |
| cisa-scuba | 52 | 52 | 0 | +0.00% | ✓ OK |
| cmmc | 1081 | 1081 | 0 | +0.00% | ✓ OK |
| eidsca | 21 | 21 | 0 | +0.00% | ✓ OK |
| essential-eight | 631 | 631 | 0 | +0.00% | ✓ OK |
| fedramp | 1073 | 1073 | 0 | +0.00% | ✓ OK |
| gdpr | 11 | 11 | 0 | +0.00% | ✓ OK |
| hipaa | 502 | 502 | 0 | +0.00% | ✓ OK |
| iso-27001 | 1021 | 1021 | 0 | +0.00% | ✓ OK |
| iso-27002 | 1021 | 1021 | 0 | +0.00% | ✓ OK |
| iso-27017 | 1013 | 1013 | 0 | +0.00% | ✓ OK |
| mitre-attack | 893 | 893 | 0 | +0.00% | ✓ OK |
| nis2 | 311 | 311 | 0 | +0.00% | ✓ OK |
| nist-800-171 | 1081 | 1081 | 0 | +0.00% | ✓ OK |
| nist-800-53 | 1073 | 1073 | 0 | +0.00% | ✓ OK |
| nist-csf | 827 | 827 | 0 | +0.00% | ✓ OK |
| pci-dss | 1053 | 1053 | 0 | +0.00% | ✓ OK |
| soc2 | 1104 | 1104 | 0 | +0.00% | ✓ OK |
| stig | 13 | 13 | 0 | +0.00% | ✓ OK |

Result: ✓ PASS — no framework mapping regressions detected.

@Daren9m Daren9m merged commit 929af99 into main Jun 14, 2026
9 checks passed
@Daren9m Daren9m deleted the fix/framework-grouping-metadata branch June 14, 2026 05:23

Labels

enhancement New feature or request

Development

Successfully merging this pull request may close these issues.

enhancement: declare CMMC practice-family axis (16 NIST 800-171 families)