Motivation
Increasingly, TARA artifacts are co-authored with AI or automatically generated from architecture models, threat intelligence feeds, or prior risk libraries. Consumers of RDX need to know which objects were auto-generated, with what confidence, from what source, and whether a human has reviewed them. Without this, downstream automation (and auditors) cannot tell a hand-validated threat scenario from one drafted by a script.
Proposed change
Reusable provenance object attachable to most RDX objects (assets, threatScenarios, attackPaths, controls, riskValues, cybersecurityRequirements, monitoringAndDetection, testCases):
{
"origin": "human-authored" | "ai-assisted" | "ai-generated" | "imported" | "derived",
"generatorRef": "rdx-idea-scout@gpt-5-mini" | "<tool>@<version>",
"sourceArtifactRefs": ["ART-..."],
"generatedAt": "...",
"confidence": 0.0-1.0,
"reviewStatus": "unreviewed" | "in-review" | "approved" | "rejected",
"reviewerPartyRef": "...",
"reviewedAt": "...",
"reviewNotes": "..."
}
Add a provenance discriminator at document level too, so a whole RDX file can be marked as drafted by automation pending human approval.
References
- AI peer review, "Recommended backlog → AI/automation metadata"
- Related: complements every issue surfaced by the AI Idea Scout workflow — those are exactly the artifacts this is meant to characterize.
Acceptance criteria
Surfaced by external AI peer review; see chat transcript for full review text.
Motivation
Increasingly, TARA artifacts are co-authored with AI or automatically generated from architecture models, threat intelligence feeds, or prior risk libraries. Consumers of RDX need to know which objects were auto-generated, with what confidence, from what source, and whether a human has reviewed them. Without this, downstream automation (and auditors) cannot tell a hand-validated threat scenario from one drafted by a script.
Proposed change
Reusable
provenanceobject attachable to most RDX objects (assets, threatScenarios, attackPaths, controls, riskValues, cybersecurityRequirements, monitoringAndDetection, testCases):Add a
provenancediscriminator at document level too, so a whole RDX file can be marked as drafted by automation pending human approval.References
Acceptance criteria
provenanceobject added in JSON Schema + XSD as a reusable typeprovenancemethodology/adds a "Provenance & review status" pageSurfaced by external AI peer review; see chat transcript for full review text.