Add attackFeasibilityRatings to the Attack Step directly as Array

[JohnASRG]

The attackFeasibilityRatings should not be it's own data entity. This should be a part of the Attack step, which means, it does not need to have it's own ID.

Please add the WoE or Window of Opportunity to the inputFactors
Please update time to Elasped Time to the inputFactors.

"attackFeasibilityRatings": [
{
"id": "AFR-OTA-01",
"attackPathId": "AP-OTA-01",
"methodId": "iso21434-afr-v1",
"inputFactors": {
"time": "high",
"expertise": "expert",
"knowledge": "insider",
"equipment": "specialized"
},
"score": "4",
"band": "High",
"rationale": "Requires sophisticated backend compromise and exploitation of update pipeline"
},

[JohnASRG]

@claude

[claude]

Claude finished @JohnASRG's task in 14m 15s —— View job • claude/issue-39-20260408-0528 • Create PR ➔

---

Implementing Issue #39: Add attackFeasibilityRatings to Attack Step

• Gather context and read schema files
• Understand current structure
• Fix existing JSON schema structural issue (stray d character + misplaced $defs block)
• Update JSON schema: add embedded attackFeasibilityRatings array to attackSteps
• Update XML schema: add embeddedAfrsType / embeddedAfrType for attackStep
• Update rdx-example.json: embedded ratings in steps, remove attackFeasibilityRatingIds
• Update rdx-multiple-threats-example.json: embedded ratings in all 8 steps
• Update all other examples: rename time→elapsedTime, window→windowOfOpportunity
• Update docs: CLAUDE.md, Methodology.md, REQUIREMENTS.md (RDX-114, RDX-115)
• Commit and push changes

---

Summary of changes

JSON Schema (spec/json/rdx.schema.json)

• Added attackFeasibilityRatings array to attackSteps items — embedded ratings with no id, attackStepId, or attackPathId required (contextually bound to the step)
• Deprecated attackFeasibilityRatingIds in attackSteps (superseded by embedded ratings)
• Updated inputFactors descriptions to document standard factor names: elapsedTime, expertise, knowledge, windowOfOpportunity, equipment
• Fixed a pre-existing structural corruption in the file (stray d character on line 954 and $defs block outside the root JSON object)

XML Schema (spec/xml/rdx.xsd)

• Added embeddedAfrsType and embeddedAfrType complex types for ratings embedded within attackStep
• attackStepType now includes <attackFeasibilityRatings> element

Examples updated (all 9 JSON examples)

• rdx-example.json and rdx-multiple-threats-example.json: migrated from attackFeasibilityRatingIds cross-references to inline attackFeasibilityRatings arrays in each step
• All examples: renamed factor keys "time" → "elapsedTime" and "window" → "windowOfOpportunity" in both methods.factors arrays and inputFactors objects; added windowOfOpportunity where missing

Documentation

• REQUIREMENTS.md: added RDX-114 (embedded AFR) and RDX-115 (windowOfOpportunity)
• CLAUDE.md + methodology/Methodology.md: updated object model docs

Backward compatibility: Top-level attackFeasibilityRatings (used by riskValues.afrRef for path-level ratings) is preserved. The attackFeasibilityRatingIds field in attackSteps remains in the schema but is marked deprecated.

|