Is your feature request related to a problem?
The evidence chain (EvaluationLog → EnforcementLog → AuditLog) traces across logs, but there is no way to record what specifically the evaluator examined within the target during an assessment.
AssessmentLog records pass/fail with a message, but not I consulted THIS specific resource at THIS time. This means consumers like SARIF converters cannot populate file locations effectively, and auditors cannot verify what data sources the evaluator actually consulted without requesting supplementary evidence.
Describe the solution you'd like
Add a #Provenance type and optional field to #AssessmentLog in evaluationlog.cue:
Example
#Provenance: {
// address identifies what was consulted (file path, API endpoint, ARN, image ref, etc.)
address: string
// collected is the timestamp when the data was acquired
collected: #Datetime @go(Collected)
// observed is the relevant content extracted
observed?: string
}
Three fields (two required, one optional), modality-neutral -- works for file scans, API checks, container scans, cloud config, physical audits, and interviews.
On #AssessmentLog:
The field is optional and backward-compatible.
provenance?: [#Provenance, ...#Provenance] @go(Provenance,type=[]Provenance)
Describe alternatives you've considered
Extensive naming exploration rejected 11 alternatives:
- #Observation — collides with #ResultType: "Observation" enum value in auditlog.cue
- #Subject — in OSCAL, subject means the component (inventory item instance) being assessed (equivalent to Gemara's target)
- #Evidence — already exists on #AuditResult for macro-level log references
- #Resource — already exists as a type (#Entity extension)
- #Source — source field already exists on #Mapping in mappingdocument.cue
- #Sample — implies statistical sampling methodology
- #Examination — synonym/subset of Assessment and Evaluation
Success Criteria
- Criterion 1: #Provenance type and provenance? field on #AssessmentLog are added to evaluationlog.cue and pass CUE validation
- Criterion 2: Existing EvaluationLog YAML documents validate without changes (backward-compatible)
- Criterion 3: The backward compatibility check (test/compat_test.go) passes with the new field
- Criterion 4: go-gemara can generate types from the updated schema and round-trip provenance data through YAML serialization
Additional context
assessment-logs:
- requirement:
reference-id: osps-baseline
entry-id: OSPS-AC-01.01
description: "MFA enforcement check"
result: Passed
message: "MFA is enabled for all organization members"
provenance:
- address: "https://api.github.com/orgs/myorg/settings"
collected: "2025-08-22T16:02:00Z"
observed: '{"two_factor_requirement_enabled": true}'
- address: "https://api.github.com/orgs/myorg/members?filter=2fa_disabled"
collected: "2025-08-22T16:02:01Z"
observed: "[]"
Rel #23
Is your feature request related to a problem?
The evidence chain (EvaluationLog → EnforcementLog → AuditLog) traces across logs, but there is no way to record what specifically the evaluator examined within the target during an assessment.
AssessmentLog records pass/fail with a message, but not I consulted THIS specific resource at THIS time. This means consumers like SARIF converters cannot populate file locations effectively, and auditors cannot verify what data sources the evaluator actually consulted without requesting supplementary evidence.
Describe the solution you'd like
Add a
#Provenancetype and optional field to#AssessmentLoginevaluationlog.cue:Example
Three fields (two required, one optional), modality-neutral -- works for file scans, API checks, container scans, cloud config, physical audits, and interviews.
On #AssessmentLog:
The field is optional and backward-compatible.
provenance?: [#Provenance, ...#Provenance] @go(Provenance,type=[]Provenance)Describe alternatives you've considered
Extensive naming exploration rejected 11 alternatives:
Success Criteria
Additional context
Rel #23