Tasks
Create and manage remediation tasks linked to audit findings. A task is the unit of work that closes a finding — it carries an owner, a priority, an SLA, and optional pointers to an external ticket or pull request.
Base URL: https://app.krafter.dev/api/v1
List Tasks
Retrieve all remediation tasks in a project, optionally filtered by status. Results are cursor-paginated.
GET /orgs/:org_id/projects/:project_id/audit/tasks?status=...&cursor=...&limit=...

Required scope: audit:read
Query Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| status | string | No | Filter by status. One of backlog, in_progress, blocked, ready_verify, done. |
| cursor | string | No | Pagination cursor from a previous response. |
| limit | integer | No | Page size. Defaults to the server limit. |
Tasks are ordered by inserted_at descending, then id descending.
Example Request
```bash
curl "https://app.krafter.dev/api/v1/orgs/:org_id/projects/:project_id/audit/tasks?status=backlog&limit=20" \
  -H "Authorization: Bearer kr_live_abc123def456"
```

Example Response
```json
{
  "data": [
    {
      "id": "f6a7b8c9-0d1e-2f3a-4b5c-6d7e8f9a0b1c",
      "finding_id": "a1b2c3d4-5e6f-7a8b-9c0d-1e2f3a4b5c6d",
      "title": "Add Content-Security-Policy header",
      "status": "backlog",
      "priority": "high",
      "owner_id": "22222222-2222-2222-2222-222222222222",
      "sla_due_at": "2025-06-20T00:00:00Z",
      "external_ticket_key": null,
      "pr_url": null,
      "created_at": "2025-06-10T15:00:00Z",
      "updated_at": "2025-06-10T15:00:00Z"
    }
  ],
  "meta": {
    "request_id": "K-scg2wTP6zbkVFFFIYo",
    "total": 12,
    "next_cursor": "eyJpbnNlcnRlZF9hdCI6IjIwMjUtMDYtMTBUMTU6MDA6MDBaIn0="
  },
  "error": null
}
```

Notes:
- priority is one of low, medium, high, critical. Defaults to medium for new tasks.
- owner_id is the user UUID assigned to the task, or null if unassigned.
- sla_due_at is the SLA deadline (UTC, ISO 8601), or null if none was set.
- external_ticket_key is the canonical key in an external tracker (e.g. SEC-142), or null.
- pr_url is the URL of the pull request that addresses the task, or null.
There is no description field on tasks. The remediation guidance lives on the linked finding's recommended_fix object.
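
A client-side walk of the cursor pagination described above that also flags open tasks past their SLA deadline. This is an added example, not code from the Krafter documentation or SDK. Assumptions: `fetch_page` is a hypothetical caller-supplied function that performs the GET, `next_cursor` is null or absent on the last page, and the sample pages are constructed.

```python
from datetime import datetime, timezone

OPEN = {"backlog", "in_progress", "blocked", "ready_verify"}  # every status but done

def iter_tasks(fetch_page, status=None, limit=None):
    """Yield every task, following meta.next_cursor until it runs out.

    fetch_page(params) is a hypothetical caller-supplied function that performs
    GET .../audit/tasks with those query parameters and returns the parsed body.
    """
    cursor, seen = None, set()
    while True:
        query = {"status": status, "limit": limit, "cursor": cursor}
        body = fetch_page({k: v for k, v in query.items() if v is not None})
        if body.get("error"):
            raise RuntimeError(f"{body['error']['code']} "
                               f"(request_id={body['meta']['request_id']})")
        yield from body["data"]
        cursor = body["meta"].get("next_cursor")
        if not cursor:          # assumption: null/absent on the last page
            return
        if cursor in seen:      # never loop forever on a repeated cursor
            raise RuntimeError("pagination cursor repeated")
        seen.add(cursor)

def overdue_ids(tasks, now):
    """IDs of open tasks whose sla_due_at is in the past, most overdue first."""
    late = []
    for t in tasks:
        due = t.get("sla_due_at")
        if t["status"] in OPEN and due:
            due_at = datetime.fromisoformat(due.replace("Z", "+00:00"))
            if due_at < now:
                late.append((due_at, t["id"]))
    return [task_id for _, task_id in sorted(late)]

# Constructed sample pages keyed by the cursor that requests them.
PAGES = {
    None: {"data": [
        {"id": "t-4", "status": "in_progress", "sla_due_at": "2025-06-12T00:00:00Z"},
        {"id": "t-3", "status": "backlog", "sla_due_at": "2025-06-20T00:00:00Z"}],
        "meta": {"request_id": "req-1", "next_cursor": "page-2"}, "error": None},
    "page-2": {"data": [
        {"id": "t-2", "status": "done", "sla_due_at": "2025-06-01T00:00:00Z"},
        {"id": "t-1", "status": "blocked", "sla_due_at": "2025-06-05T00:00:00Z"}],
        "meta": {"request_id": "req-2", "next_cursor": None}, "error": None},
}

def fake_fetch(params):
    return PAGES[params.get("cursor")]
```
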
Create Task
Create a new remediation task linked to an existing finding in the same project.
POST /orgs/:org_id/projects/:project_id/audit/tasks

Required scope: audit:write
Request Body
| Field | Type | Required | Description |
|---|---|---|---|
| finding_id | string | Yes | UUID of the finding this task addresses. Must belong to the same project. |
| title | string | Yes | Short description of the remediation work. |
| status | string | No | Initial status. One of backlog, in_progress, blocked, ready_verify, done. Defaults to backlog. |
| priority | string | No | One of low, medium, high, critical. Defaults to medium. |
| owner_id | string | No | UUID of the user assigned to the task. |
| sla_due_at | string | No | SLA deadline as ISO 8601 timestamp (UTC). |
| external_ticket_key | string | No | Key in an external tracker (e.g. SEC-142). |
| pr_url | string | No | URL of the pull request addressing the task. |
Example Request
```bash
curl -X POST https://app.krafter.dev/api/v1/orgs/:org_id/projects/:project_id/audit/tasks \
  -H "Authorization: Bearer kr_live_abc123def456" \
  -H "Content-Type: application/json" \
  -d '{
    "finding_id": "a1b2c3d4-5e6f-7a8b-9c0d-1e2f3a4b5c6d",
    "title": "Add Content-Security-Policy header",
    "priority": "high",
    "owner_id": "22222222-2222-2222-2222-222222222222",
    "sla_due_at": "2025-06-20T00:00:00Z"
  }'
```

Example Response
```json
// 201 Created
{
  "data": {
    "id": "f6a7b8c9-0d1e-2f3a-4b5c-6d7e8f9a0b1c",
    "finding_id": "a1b2c3d4-5e6f-7a8b-9c0d-1e2f3a4b5c6d",
    "title": "Add Content-Security-Policy header",
    "status": "backlog",
    "priority": "high",
    "owner_id": "22222222-2222-2222-2222-222222222222",
    "sla_due_at": "2025-06-20T00:00:00Z",
    "external_ticket_key": null,
    "pr_url": null,
    "created_at": "2025-06-10T15:00:00Z",
    "updated_at": "2025-06-10T15:00:00Z"
  },
  "meta": {
    "request_id": "L-tdh3xUQ7aclWGGGJZp"
  },
  "error": null
}
```

Error Responses
```json
// 422 Unprocessable Entity — missing finding_id/title, invalid status/priority, etc.
{
  "data": null,
  "meta": {
    "request_id": "L-tdh3xUQ7aclWGGGJZp"
  },
  "error": {
    "code": "invalid_params"
  }
}
```

```json
// 404 Not Found — finding_id does not exist in this project
{
  "data": null,
  "meta": {
    "request_id": "L-tdh3xUQ7aclWGGGJZp"
  },
  "error": {
    "code": "not_found"
  }
}
```

Update Task
Update an existing task. Only provided fields are changed; the request must include at least one field or it returns 422 invalid_params.
PATCH /orgs/:org_id/projects/:project_id/audit/tasks/:task_id

Required scope: audit:write
Request Body
| Field | Type | Required | Description |
|---|---|---|---|
| title | string | No | Short description of the remediation work. |
| status | string | No | New status. Same enum as Create Task. |
| priority | string | No | New priority. Same enum as Create Task. |
| owner_id | string | No | UUID of the user assigned to the task. |
| sla_due_at | string | No | SLA deadline as ISO 8601 timestamp (UTC). |
| external_ticket_key | string | No | Key in an external tracker. |
| pr_url | string | No | URL of the pull request addressing the task. |
The finding_id cannot be changed once the task is created. Create a new task instead if you need to re-link work to a different finding.
Example Request
```bash
curl -X PATCH https://app.krafter.dev/api/v1/orgs/:org_id/projects/:project_id/audit/tasks/f6a7b8c9-0d1e-2f3a-4b5c-6d7e8f9a0b1c \
  -H "Authorization: Bearer kr_live_abc123def456" \
  -H "Content-Type: application/json" \
  -d '{
    "status": "in_progress",
    "owner_id": "33333333-3333-3333-3333-333333333333",
    "pr_url": "https://github.com/acme/web-app/pull/142"
  }'
```

Example Response
The response is the full task shape (same as List Tasks), reflecting the applied changes.
Error Responses
```json
// 404 Not Found
{
  "data": null,
  "meta": {
    "request_id": "M-uei4yVR8bdmXHHHKaq"
  },
  "error": {
    "code": "not_found"
  }
}
```

```json
// 422 Unprocessable Entity — empty patch, invalid status/priority, etc.
{
  "data": null,
  "meta": {
    "request_id": "M-uei4yVR8bdmXHHHKaq"
  },
  "error": {
    "code": "invalid_params"
  }
}
```

Verifications close tasks
You don't transition a task directly to done. Run a verification instead — when the verification passes, the task is moved to done and the linked finding is moved to resolved automatically.