Team Collaboration - Tessera Design Toolkit

Collaboration Made Simple

Tessera includes optional workflow commands that let your team review and approve design changes using simple commands. You don't need to be a git expert.

This feature is completely opt-in. If you prefer managing git yourself, these commands won't get in your way. But if you want a guided experience with built-in review processes, read on. See the workflow documentation for complete details.

What This Enables

With workflow enabled, you can submit requirements for review, get approval from teammates, and release changes—all with simple tdt commands that create proper GitHub/GitLab pull requests automatically.

Key Concepts

Before diving in, here are a few concepts that will help

Status

Every entity (requirement, risk, test, etc.) has a status that tracks where it is in the review process: Draft, Review, Approved, or Released.

Team Roster

An optional file that lists who's on your team and their roles. Define your own approval rules based on your team's needs.

Submit

When you're ready for review, submit your work. Tessera creates a branch, updates the status, and opens a pull request for you.

Approve

Reviewers check the changes and approve. Tessera records who approved, updates the status, and can merge the pull request automatically.

The Review Workflow

Here's how changes flow through the system

Draft

→

Review

→

Approved

→

Released

If changes are rejected during review, they go back to Draft for revision.

What happens at each step

Status	What it means	Who can transition
Draft	Work in progress. Edit freely until ready for review.	Author submits for review
Review	Submitted for review. A pull request is open and awaiting approval.	Any authorized reviewer
Approved	Reviewed and approved. Ready to be released.	Authorized releaser
Released	Official version. This is the controlled document.	Final state

Quick Start

Get your team set up in just a few minutes

Enable Workflow in Config

Add these lines to your .tdt/config.yaml file:

workflow:
  enabled: true
  provider: github    # or: gitlab, none
  base_branch: main

Create Your Team Roster (Optional)

Initialize a team roster file to define approval permissions:

tdt team init
tdt team add --name "Jane Smith" --email jane@example.com \
    --username jsmith --roles engineering,quality

Submit Work for Review

When you're ready, submit your changes:

# Submit a specific requirement
tdt submit REQ@1

# Submit all draft requirements
tdt submit --type req --all

Review and Approve

Reviewers check the pull request, then approve:

# See what's waiting for your review
tdt review list

# Approve via PR number (auto-checkouts the branch)
tdt approve --pr 42

# Or if already on the PR branch
tdt approve REQ@1

Team Roles

Customize approval permissions to match your team's structure

Tessera provides a flexible role system. You define what roles exist and which entity types they can approve. This is entirely customizable to fit your organization's needs.

Engineering

Typically assigned to engineers and technical leads. Configure what they can approve in the team file.

Quality

Typically assigned to QA engineers and quality managers. Define their approval scope based on your processes.

Management

Typically assigned to team leads and project managers. Often used for release authorization.

Admin

Full approval authority. Use sparingly for administrators or emergency situations.

Team members can have multiple roles. The approval matrix in your team file determines which roles can approve which entity types. You define these rules—Tessera just enforces them.

Example Team File

Your .tdt/team.yaml might look like this:

version: 1
members:
  - name: "Jane Smith"
    email: "jane@example.com"
    username: "jsmith"
    roles: [engineering, quality]
    active: true

  - name: "Bob Wilson"
    email: "bob@example.com"
    username: "bwilson"
    roles: [quality, management]
    active: true

# Define your own approval rules here
approval_matrix:
  REQ: [engineering, quality]    # Your choice
  RISK: [quality, management]    # Your choice
  TEST: [quality]                # Your choice
  _release: [management]         # Your choice

Command Reference

All the workflow commands you'll use

Submit for Review

# Submit specific items
tdt submit REQ@1 REQ@2

# Submit all draft items of a type
tdt submit --type req --all

# Submit with a message
tdt submit REQ@1 -m "Initial pump requirement"

# Request review from specific users
tdt submit REQ@1 --reviewer jsmith,bwilson

# See what would happen without doing it
tdt submit REQ@1 --dry-run

Approve Items

# Approve via PR number (recommended - handles branch checkout automatically)
tdt approve --pr 42

# Approve specific items (when already on the PR branch)
tdt approve REQ@1

# Approve with a comment
tdt approve REQ@1 -m "Looks good, values verified"

# Approve and merge the pull request
tdt approve --pr 42 --merge

# Auto-stash uncommitted changes before checkout
tdt approve --pr 42 --yes

Reject Items

# Reject with a reason (required)
tdt reject REQ@1 -r "Values need to be verified against spec"

Release Approved Items

# Release specific items
tdt release REQ@1

# Release all approved requirements
tdt release --type req

Review Queue

# See what's waiting for your review (requested as reviewer)
tdt review list

# See all pending reviews (not just yours)
tdt review list --all

# See entities needing more approvals (multi-signature)
tdt review pending-approvals

# Filter pending approvals by entity type
tdt review pending-approvals --entity-type req

Discover PRs for Multi-Approval

# Show all open PRs targeting a specific branch
tdt review list --target main

# Show PRs that need your role's approval
tdt review list --needs-role

# Show all open PRs with Tessera entities
tdt review list --all-open

# Combine with entity type filter
tdt review list --target main --entity-type risk

# Example output shows approval status:
# PR     ENTITY       TYPE   TITLE              APPROVALS  MISSING
# #42    REQ-01AB...  REQ    Flow requirement   1/2        quality
# #45    RISK-02CD... RISK   Motor failure      0/2        engineering, quality

Workflow Log

# Show all workflow activity
tdt log

# Filter by approver
tdt log --approver jsmith

# Filter by entity type
tdt log --entity-type req

# Filter by event type
tdt log --event-type approve

# Filter by date range
tdt log --since 2024-01-01 --until 2024-01-31

# Combine filters
tdt log --approver jsmith --entity-type risk --limit 20

# Output as JSON
tdt log --output json

Workflow History

# Show workflow timeline for an entity
tdt history REQ@1 --workflow

# Shows formatted workflow events:
#   2024-01-10 10:30  SUBMITTED    by jsmith
#   2024-01-11 14:15  APPROVED     by bwilson  "Verified specs"
#   2024-01-12 09:00  RELEASED     by mchen

Team Management

# Initialize team roster
tdt team init

# Add a team member with signing format
tdt team add --name "Jane Smith" --email jane@co.com \
  --username jsmith --roles engineering --signing-format ssh

# List team members
tdt team list

# See your own role
tdt team whoami

Signing Configuration

# Check current signing status
tdt team setup-signing --status

# Configure signing (choose one method)
tdt team setup-signing --method gpg --key-id YOUR_KEY_ID   # GPG (traditional)
tdt team setup-signing --method ssh                        # SSH (uses existing keys)
tdt team setup-signing --method gitsign                    # Sigstore (keyless OIDC)

Team Keyring (Cross-Platform Key Sharing)

# Export your public key to the team keyring (.tdt/keys/)
tdt team add-key                        # Auto-detect format
tdt team add-key --method gpg           # GPG public key
tdt team add-key --method ssh           # SSH public key

# Import GPG keys from team keyring
tdt team import-keys                    # Import all GPG keys
tdt team import-keys --user jsmith      # Import specific user

# Generate SSH allowed_signers file
tdt team sync-keys

Multi-Signature Approvals

Require multiple approvers for critical entity types

For regulated environments or critical systems, you can require multiple approvals before an entity transitions to "approved" status. Configure this in your .tdt/config.yaml:

workflow:
  enabled: true
  provider: github
  approvals:
    default:
      min_approvals: 1
    RISK:
      min_approvals: 2
      required_roles: [engineering, quality]
    REQ:
      min_approvals: 2

When multi-approval is configured, the tdt approve command records the approval but only transitions the status to "approved" once all requirements are met. Use tdt review pending-approvals to see which entities need more approvals:

$ tdt review pending-approvals
ID          Title                    Current  Required  Next Role Needed
REQ@1       Pump flow rate           1        2         quality
RISK@2      Motor overheating        0        2         engineering,quality

Team members can find PRs that need their role's approval, even if they weren't explicitly requested as reviewers:

# Find PRs targeting main that need your role
$ tdt review list --target main --needs-role

PRs Needing Your Role's Approval

PR     ENTITY       TYPE   TITLE              APPROVALS  MISSING
#45    RISK-02CD... RISK   Motor failure      1/2        quality

1 entities across 1 PRs (1 need more approvals).
Run `tdt approve  --pr ` to approve.

Approval Records

Each approval is recorded in the entity's YAML file with the approver's name, email, date, and optional comment. This creates a complete audit trail directly in the file.

Audit Trail & Git Tags

Every workflow event is tracked for compliance and traceability

Tessera automatically creates git tags for workflow events, providing an immutable audit trail that's easy to query and filter. This supports regulatory compliance requirements like 21 CFR Part 11 and ISO 13485.

Tag Format

Event	Tag Pattern	Example
Approval	`approve/{entity}/{approver}/{date}`	`approve/REQ-01ABC/jsmith/2024-01-15`
Release	`release/{entity}/{releaser}/{date}`	`release/REQ-01ABC/mchen/2024-01-20`

Querying the Audit Trail

# List all approval tags
git tag -l "approve/*"

# List approvals for a specific entity
git tag -l "approve/REQ-01ABC*"

# List all approvals by a specific user
git tag -l "approve/*/jsmith/*"

# Show tag details (includes message)
git show approve/REQ-01ABC/jsmith/2024-01-15

# Use tdt log for a formatted view
tdt log --approver jsmith

Cryptographic Signing for Compliance

For 21 CFR Part 11 compliance, configure git to sign all commits and tags. Tessera supports three signing methods:

GPG - Traditional, broad tooling support: tdt team setup-signing --method gpg
SSH - Uses existing SSH keys (Git 2.34+): tdt team setup-signing --method ssh
gitsign - Keyless OIDC signing via Sigstore: tdt team setup-signing --method gitsign

Use tdt team add-key to export your public key to the team keyring in .tdt/keys/, enabling cross-platform signature verification. The --sign flag on approve and release commands ensures both commits and tags are cryptographically signed.

GitHub & GitLab Integration

Creates real pull/merge requests in your existing tools

Setting Up GitHub

First, install and authenticate the GitHub CLI:

# Install GitHub CLI (macOS)
brew install gh

# Login to GitHub
gh auth login

Then configure Tessera to use GitHub:

workflow:
  enabled: true
  provider: github
  base_branch: main

Setting Up GitLab

For GitLab, use the GitLab CLI:

# Install GitLab CLI
brew install glab

# Login to GitLab
glab auth login

No Provider (Manual Mode)

If you're using a different git host, set provider to none. Tessera will create branches and commits, but you'll create pull requests yourself.

Common Questions

Do I have to use these workflow commands?

No! The workflow is completely opt-in. If workflow.enabled is false (the default), you can manage git manually.

What if I don't have a team roster?

Without a team roster, there are no permission checks. Anyone can approve anything. This is fine for solo projects or small teams without formal processes.

Can I still use git directly?

Absolutely. These commands are convenient wrappers. You can always use git, gh, or glab directly.

How do I see the git commands Tessera runs?

Use --verbose on any command to see each git command as it runs, or use --dry-run to preview without executing.

How do I request specific reviewers?

Use the --reviewer flag with GitHub/GitLab usernames (not emails): tdt submit REQ@1 --reviewer jsmith,bwilson

How do I see approval history?

Use tdt history REQ@1 --workflow to see a formatted timeline of workflow events, or tdt log to query activity across all entities.

What happens with multi-signature approvals?

When configured, tdt approve records each approval but keeps the entity in "review" status until all requirements are met. Use tdt review pending-approvals to see which entities need more approvals.