Sovereignty check #17

Open
lsmith77 wants to merge 1 commit into main from sovereignty-check

@lsmith77
Owner

Proposal: Add Platform Lock-in Declaration and Assessment Registry API

This PR adds two new components to the decentralized open source registry infrastructure proposal:

New Improvement: Platform Lock-in Declaration (Improvement 8)

Extends publiccode.yml to allow projects to declare architectural dependencies and vendor lock-in risks alongside code dependencies (currently captured in SBOM). Projects can declare required platforms, cloud services, or vendor-specific features not portable to alternatives.

Example: "Requires AWS RDS Aurora features not available in PostgreSQL"

Design questions for community feedback:

  • Schema location: supplyChain section or separate top-level section?
  • Controlled vocabulary for lock-in risk levels (e.g., critical, medium, low)?

New Companion Standard: Assessment Registry API

Enables regional Sovereignty Checks and assessment authorities to publish findings about open source projects in standardized, discoverable registries. Supports dispute resolution and confidence scoring.

Key features:

  • Three endpoints: Project Assessment, Assessment Index, Assessment Search
  • Status vocabulary: PASS, FAIL, DISPUTE, INCONCLUSIVE
  • Assessment metadata: scope, region, authority, confidence score, evidence links
  • Enables catalogs to aggregate assessments from multiple regional registries

Design questions for community feedback:

  • API format: GraphQL, REST, or both?
  • Assessment discovery: Central index or peer-to-peer crawl?
  • Governance: Who authorizes new Assessment Registries?

@lsmith77 lsmith77 force-pushed the main branch 2 times, most recently from 0b37876 to 84efeca Compare May 21, 2026 10:56
@lsmith77 lsmith77 force-pushed the sovereignty-check branch from fbc4b74 to f7aa58a Compare May 21, 2026 11:18
@lsmith77 lsmith77 force-pushed the sovereignty-check branch from f7aa58a to 4339b5f Compare May 21, 2026 11:56
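
One way a catalog could consume Assessment Registry records like those outlined in the PR description above, as an added example that is not part of the PR or the proposal: it checks each record against the status vocabulary and merges records from several regional registries without letting one authority's PASS hide another's FAIL. The field names, the 0..1 confidence range, the evidence requirement for PASS/FAIL, and the conflict policy are assumptions; the PR text names the metadata but gives no schema.

```python
from collections import defaultdict
STATUSES = {"PASS", "FAIL", "DISPUTE", "INCONCLUSIVE"}  # vocabulary from the PR text
# Hypothetical field names: the PR text lists this metadata but no schema.
REQUIRED = ("project", "status", "scope", "region", "authority", "confidence", "evidence")

def validate(r):
    """Return a list of problems; an empty list means the record is usable."""
    problems = [f"missing {k}" for k in REQUIRED if k not in r]
    if problems:
        return problems
    if r["status"] not in STATUSES:
        problems.append(f"unknown status {r['status']!r}")
    c = r["confidence"]  # assumed to be a number in 0..1
    if isinstance(c, bool) or not isinstance(c, (int, float)) or not 0 <= c <= 1:
        problems.append("confidence outside 0..1")
    if r["status"] in ("PASS", "FAIL") and not r["evidence"]:
        problems.append("verdict without evidence links")
    return problems

def aggregate(records):
    """Merge records per (project, scope, region). Assumed policy: verdicts are
    never averaged; disagreement or any DISPUTE is surfaced as DISPUTE."""
    groups, rejected = defaultdict(list), []
    for r in records:
        problems = validate(r)
        if problems:
            rejected.append((r.get("authority", "?"), problems))
        else:
            groups[(r["project"], r["scope"], r["region"])].append(r)
    summary = {}
    for key, recs in groups.items():
        seen = {r["status"] for r in recs}
        verdicts = seen & {"PASS", "FAIL"}
        disputed = "DISPUTE" in seen or len(verdicts) == 2
        summary[key] = "DISPUTE" if disputed else (verdicts.pop() if verdicts else "INCONCLUSIVE")
    return summary, rejected

def sample(authority, region, status, evidence=("https://registry.example/evidence/1",)):
    return {"project": "example/app", "scope": "hosting", "region": region, "authority": authority,
            "status": status, "confidence": 0.9, "evidence": list(evidence)}

# Constructed records, as if already fetched from several regional registries.
SAMPLE = [
    sample("authority-a", "EU", "PASS"),
    sample("authority-b", "EU", "FAIL"),               # conflicts with authority-a
    sample("authority-c", "CH", "PASS"),
    sample("authority-d", "CH", "APPROVED"),           # status outside the vocabulary
    sample("authority-e", "CH", "PASS", evidence=()),  # verdict without evidence
]
```

Calling `aggregate(SAMPLE)` returns the per-region summary together with the rejected records and the reason each was dropped, so a catalog can show why a registry's entry was ignored.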