Managing artifacts

Artifacts are the compliance evidence items inside a project — requirements, hazard analyses, TARA records, test plans, test cases, and test results. Each artifact has a lifecycle state, a revision history, and links to other artifacts that form the traceability chain.

Artifact types

Artifact lifecycle

Every artifact moves through a controlled state machine. Only authorised roles can advance an artifact to the next state.

draft → under_review → reviewed → approved → released → obsolete

• draft — being written; can be freely edited
• under_review — submitted for review; content is locked
• reviewed — technical review complete
• approved — formally approved; ready for release
• released — frozen; part of a released baseline
• obsolete — superseded; kept for audit trail

All state changes are recorded as audit events (actor, timestamp, previous state, new state).

Creating an artifact

curl -X POST http://localhost/api/projects/<project-id>/artifacts \
  -H "Authorization: Bearer <your-token>" \
  -H "Content-Type: application/json" \
  -d '{
    "type": "requirement",
    "title": "The OTA update service shall verify the integrity of each update package before installation",
    "asil_level": "B",
    "metadata": {
      "rationale": "Prevents installation of corrupted or tampered software — addresses TARA-007"
    }
  }'

The response includes the artifact’s id and its initial draft state.

Advancing the lifecycle state

curl -X PATCH http://localhost/api/projects/<project-id>/artifacts/<artifact-id>/state \
  -H "Authorization: Bearer <your-token>" \
  -d '{"state": "under_review"}'

The API enforces valid transitions. Attempting to skip states (e.g. draft → approved) returns a 422 error.

Linking artifacts

Links create the traceability chain. Each link has a type that describes the relationship.

Creating a link:

curl -X POST http://localhost/api/projects/<project-id>/links \
  -H "Authorization: Bearer <your-token>" \
  -d '{
    "source_id": "<requirement-id>",
    "target_id": "<tara-id>",
    "type": "derives_from"
  }'

A complete traceability chain example

A UNECE R156 compliance chain looks like this:

change_request
  └── derives_from ──► requirement (ASIL B)
                          └── verified_by ──► test_case
                                                  └── executed_by ──► test_result (pass)

With this chain in place, the release-gate check can verify that the change request has an approved requirement, that the requirement has a passing test, and that all items are in the released state.

Suspect state propagation

When an artifact changes state or content after it has been linked to downstream items, those downstream items are automatically flagged as suspect. This means they need to be reviewed before they can contribute to a release baseline.

For example: if you update a requirement that is already approved, all test_case artifacts linked via verified_by are flagged suspect. The reviewers are notified and must re-approve those test cases before they are cleared.

Querying the traceability chain

Get the full upstream and downstream chain for an artifact:

curl http://localhost/api/projects/<project-id>/artifacts/<artifact-id>/trace \
  -H "Authorization: Bearer <your-token>"

The response includes the full graph: all ancestors, all descendants, their current states, and any suspect flags.

Next steps

• Release baselines — run the release-gate check and generate a baseline