feat(metadata): annotate citation fields with source for UI display

[ErykKul]

@AI-Tool: Copilot

Summary

• Annotate Dataverse citation fields with a source string (e.g., codemeta.json, CITATION.cff) purely for UI display.
• No change to submission payload or templates; unknown props ignored by consumers.
• Build and unit tests passed locally with make.

AI Provenance (required for AI-assisted changes)

• Prompt: Add Source column in UI; backend should annotate metadata with provenance per field.
• Model: GitHub Copilot gpt-5
• Date: 2025-09-16T10:00:00Z
• Author: @ErykKul
• Role: deployer

Compliance checklist

• No secrets/PII
• Transparency notice updated (if user-facing)
• Agent logging enabled (actions/decisions logged)
• Kill-switch / feature flag present for AI features
• No prohibited practices under EU AI Act
• Human oversight retained (required if high-risk or agent mode)
  Risk classification: limited
  Personal data: no
  DPIA: N/A
  Automated decision-making: no
  Agent mode used: yes
  GPAI obligations: N/A
  Vendor GPAI compliance reviewed: N/A
• License/IP attestation
  Attribution: N/A

Change-type specifics

• Security review: N/A
• Backend/API changed:
  • ASVS: N/A
• Log retention policy: N/A

Tests & Risk

• Unit/integration tests added/updated
• Security scan passed
  Rollback plan: Revert PR
  Smoke test: N/A
• Docs updated (if needed)

[github-actions]

Code Review Agent (Python)\n

No Python files changed. Skipping analysis.

[github-actions]

AI Governance checks failed

Please fix the following before re-running checks:

• Ensure PR body includes provenance fields:
  • Prompt
  • Model
  • Date
  • Author
  • No secrets/PII (checkbox)
• Complete compliance checklist items required for your change type (transparency notice, DPIA, logging, kill-switch, risk classification, human oversight, security review, vendor GPAI review).
• Add a rollback note if the change is risky (authz, data export, evaluation logic, etc.).

Helpful links:

• PR template (provenance): https://github.com/libis/ai-transition/blob/main/.github/pull_request_template.md
• Risk mitigation matrix: https://github.com/libis/ai-transition/blob/main/governance/risk_mitigation_matrix.md
• Reusable governance workflow: https://github.com/libis/ai-transition/blob/main/.github/workflows/ai-governance.yml

After edits, push updates or re-run the workflow to validate.

[github-actions]

AI Governance checks failed

Please fix the following before re-running checks:

• Ensure PR body includes provenance fields:
  • Prompt
  • Model
  • Date
  • Author
  • No secrets/PII (checkbox)
• Complete compliance checklist items required for your change type (transparency notice, DPIA, logging, kill-switch, risk classification, human oversight, security review, vendor GPAI review).
• Add a rollback note if the change is risky (authz, data export, evaluation logic, etc.).

Helpful links:

• PR template (provenance): https://github.com/libis/ai-transition/blob/main/.github/pull_request_template.md
• Risk mitigation matrix: https://github.com/libis/ai-transition/blob/main/governance/risk_mitigation_matrix.md
• Reusable governance workflow: https://github.com/libis/ai-transition/blob/main/.github/workflows/ai-governance.yml

After edits, push updates or re-run the workflow to validate.

[github-actions]

Code Review Agent (Python)\n

No Python files changed. Skipping analysis.

[Copilot]

Pull Request Overview

This PR adds source provenance annotation to Dataverse citation fields to enable UI display of which metadata files (e.g., codemeta.json, CITATION.cff) contributed to each field. The changes are purely for UI enhancement and maintain backward compatibility.

• Introduces provenance tracking to record which source files populate metadata fields
• Adds annotation logic to inject source information into the metadata response structure
• Maintains non-breaking compatibility by adding unknown properties that consumers can ignore

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File	Description
image/app/common/get_metadata.go	Implements provenance tracking and source annotation for metadata fields
.gov/be_pr_body.md	Adds PR description file with AI compliance documentation

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[github-actions]

Code Review Agent (Python)\n

No Python files changed. Skipping analysis.

[github-actions]

Code Review Agent (Python)\n

No Python files changed. Skipping analysis.

[ErykKul]

/gov

[github-actions]

Governance Agent Report\n\n

PR: #7 by @ErykKul

Changed files (2):

• .gov/be_pr_body.md
• image/app/common/get_metadata.go

Detected change types:

• backend

Missing or incomplete items:

• OWASP ASVS review or ASVS:

Tip: Use the PR template fields to satisfy these checks.

Run /gov help for commands. Also try: /gov links and /gov autofill apply.

[github-actions]

/gov copilot

[github-actions]

/gov links

[github-actions]

/gov autofill apply

[github-actions]

Governance reports summary

Run ID: 17793805084

ScanCode (licenses)

• Copyleft findings (AGPL/GPL/LGPL): 0
• Unknown/NoAssertion licenses: 0
• Top files with copyleft/unknown:

SBOM (SPDX)

• Packages: 75
• Copyleft package licenses (AGPL/GPL/LGPL): 0
• Unknown/NoAssertion package licenses: 28

[ErykKul]

AI prompts used in this work (transparency)

• Add a new column in the metadata selector that indicates the source of the particular metadata field; keep changes minimal; ensure the metadata passed to submit is unchanged.
• Backend should annotate the Dataverse citation metadata with per-field provenance (e.g., codemeta.json, CITATION.cff) for UI display only; do not alter the submission payload or templates.
• Use the provided make targets for formatting, builds, and tests where possible.
• If Node needs bumping in the frontend, use asdf: update .tool-versions, run asdf install; then build/test again (cd to rdm-integration-frontend first).
• Read ai-context.md and open governance-compliant draft PRs (frontend first, then backend), based on fresh feature branches from main.
• Resolve frontend lint issues introduced by the changes (e.g., remove unused variable in metadatafield.source()).
• Fix PR governance policy failures by replacing placeholders/backticks and ensuring provenance fields (Prompt/Model/Date/Author) are present; re-run checks.