Add framework evidence paths and bump Go to 1.26.1

[davidahmann]

Summary

• replace flat framework control evidence with explicit alternative evidence paths and deterministic coverage evaluation
• expand built-in SOC 2, PCI-DSS, and EU AI Act mappings and generate mirrored framework YAMLs from core/framework
• bump the repo toolchain pin to Go 1.26.1 and update tests/docs for the new model

Validation

• go test ./...
• make lint

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: fb3e0af7fb

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[davidahmann]

Addressed the current review feedback in e878e16:

• EvaluateCoverage now rejects malformed controls instead of treating missing evidence definitions as covered.
• .tool-versions is aligned with the go.mod bump to Go 1.26.1.

Local validation rerun:

• go test ./...
• make lint

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e878e1681a

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: cc18cd3607

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: d1b972f8b1

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Include unique PR identity in concurrency group key

The concurrency key currently uses github.event.pull_request.head.ref, which is only the branch name and is not unique across forks; two different PRs can both use names like patch-1 and end up sharing the same group. With cancel-in-progress: true, a new run on one PR can cancel checks for the other PR, causing flaky or missing required statuses. Add a unique PR discriminator (for example github.event.pull_request.number or github.event.pull_request.head.repo.full_name) to the group expression.

Useful? React with 👍 / 👎.