Skip to content

Add AI/automation metadata (confidence, provenance, review status) on RDX objects #63

Description

@JohnASRG

Motivation

Increasingly, TARA artifacts are co-authored with AI or automatically generated from architecture models, threat intelligence feeds, or prior risk libraries. Consumers of RDX need to know which objects were auto-generated, with what confidence, from what source, and whether a human has reviewed them. Without this, downstream automation (and auditors) cannot tell a hand-validated threat scenario from one drafted by a script.

Proposed change

Reusable provenance object attachable to most RDX objects (assets, threatScenarios, attackPaths, controls, riskValues, cybersecurityRequirements, monitoringAndDetection, testCases):

{
  "origin": "human-authored" | "ai-assisted" | "ai-generated" | "imported" | "derived",
  "generatorRef": "rdx-idea-scout@gpt-5-mini" | "<tool>@<version>",
  "sourceArtifactRefs": ["ART-..."],
  "generatedAt": "...",
  "confidence": 0.0-1.0,
  "reviewStatus": "unreviewed" | "in-review" | "approved" | "rejected",
  "reviewerPartyRef": "...",
  "reviewedAt": "...",
  "reviewNotes": "..."
}

Add a provenance discriminator at document level too, so a whole RDX file can be marked as drafted by automation pending human approval.

References

  • AI peer review, "Recommended backlog → AI/automation metadata"
  • Related: complements every issue surfaced by the AI Idea Scout workflow — those are exactly the artifacts this is meant to characterize.

Acceptance criteria

  • provenance object added in JSON Schema + XSD as a reusable type
  • At least 6 top-level object types accept an optional provenance
  • Document-level provenance field added
  • Example demonstrates a mixed document with human-authored and ai-generated objects
  • methodology/ adds a "Provenance & review status" page

Surfaced by external AI peer review; see chat transcript for full review text.

Metadata

Metadata

Assignees

No one assigned

    Labels

    ai-proposalProposed by the AI idea scout; needs human reviewenhancementNew feature or requestpeer-reviewSurfaced by external AI/peer review of the repopriority/P3Low priority — differentiating features

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions