coroot-graft is an external Coroot extension that wraps upstream Bering and Sheaft as an existing toolchain.
It does not reimplement discovery and it does not reimplement the resilience evaluator:
Beringstays responsible for model discovery / normalization.Sheaftstays responsible for downstream resilience analysis / gate.coroot-graftowns Coroot-specific extraction, topology shaping, orchestration, artifact lifecycle, and publishing results back into Coroot.
Pipeline:
coroot-graftlogs into Coroot and reads a project snapshot from Coroot HTTP APIs.- The Coroot snapshot is normalized into explicit Bering
topology_apiinput. coroot-graftruns upstreambering discover.coroot-graftruns upstreamsheaft runon the produced Bering artifact.coroot-graftexposes the latest gate/report state as Prometheus metrics.- Coroot scrapes these metrics via
coroot-cluster-agentand renders them in a custom dashboard. - Optional Coroot webhook integration triggers re-runs on alerts, incidents, or deployments.
Corootprovides the observed operational graph of the system.coroot-grafttranslates that observed graph into MB3R toolchain input.Beringturns that input into canonical MB3R discovery artifacts.Sheaftcomputes resilience posture and gate results from those artifacts.Corootrenders the resulting posture back to engineers through custom metrics and a managed dashboard.
In this MVP, Coroot is the primary source of topology membership and dependency context.
Bering is still required because Sheaft consumes MB3R artifacts, not raw Coroot API payloads.
When this repo says "Coroot snapshot", it means the in-memory snapshot collected by coroot-graft during a sync:
- applications
- dependencies
- replica counts
- optional traced HTTP entrypoints
This snapshot is reconstructed from Coroot APIs on every sync. It is not a separate long-lived Coroot export format.
topology_api is Bering's explicit batch input format for already-known topology.
It is just a YAML/JSON document with:
servicesedgesendpoints- a
sourcereference
coroot-graft generates this document from the Coroot snapshot and passes it to bering discover.
After bering discover, upstream Bering emits canonical MB3R artifacts such as:
bering-model.jsonbering-snapshot.json
Those are the artifacts consumed by Sheaft.
The managed Coroot dashboard shows resilience posture, not raw runtime health.
It answers questions like:
- which entrypoints are most fragile under service failures?
- which downstream dependency hurts an upstream user path the most?
- does the current topology pass the configured resilience gate?
It does not answer:
- is the service healthy right now?
- is a container currently down?
- is there traffic in this exact second?
For current health and incidents, use the built-in Coroot views.
For resilience posture and gate decisions, use the coroot-graft dashboard.
| Question | Coroot built-in views | coroot-graft |
|---|---|---|
| Is the service unhealthy right now? | Yes | No |
| Is a container or instance down right now? | Yes | No |
| Are there active alerts, incidents, or regressions right now? | Yes | No |
| What applications and dependencies does Coroot currently observe? | Yes | Indirectly, as input |
| What is the resilience posture of the currently observed topology? | No | Yes |
| Which entrypoints are fragile under downstream failures? | No | Yes |
| Does the current topology pass the configured resilience gate? | No | Yes |
| Is this a release-gating / resilience-review signal? | Partial | Yes |
The dashboard gives engineers:
- a gate verdict:
pass,warn, orfail - a risk score for the currently observed topology
- cross-profile resilience estimates
- per-profile failure-mode estimates such as steady-state, service-fault, and fixed blast radius
- per-endpoint availability estimates against configured thresholds
This is useful for release gating, topology reviews, dependency risk assessment, and resilience prioritization.
coroot-graft provides:
serve: run the HTTP server, expose/metrics, accept Coroot webhooks, and schedule syncssync: run one-shot Coroot -> Bering -> Sheaft sync for one or all configured projectsinstall-dashboard: create or update a managed Coroot dashboard backed by exported metrics
Download the packaged release artifacts from GitHub Releases:
coroot-graft_<version>_linux_amd64.tar.gzcoroot-graft_<version>_linux_arm64.tar.gzcoroot-graft_<version>_darwin_amd64.tar.gzcoroot-graft_<version>_darwin_arm64.tar.gzcoroot-graft_<version>_windows_amd64.zip
Each release also publishes:
coroot-graft_<version>_checksums.txtcoroot-graft-<version>.tgzHelm chart packagecompatibility-manifest.jsontoolchain.env
The release workflow publishes a runtime image that already contains:
coroot-graftberingsheaft
Image repository:
ghcr.io/mb3r-lab/coroot-graft
The Helm chart is also published to:
oci://ghcr.io/mb3r-lab/charts/coroot-graft
See configs/graft.example.yaml for the expected shape.
Main config areas:
coroot: Coroot URL and credentialstoolchain: command lines for upstreamberingandsheaftprojects[]: Coroot project mapping, analysis/policy config, include/exclude filters, edge overrides, scrape/webhook settings
Environment variables are expanded before YAML parsing, so production deployments can keep secrets out of Git:
coroot:
password: "${COROOT_GRAFT_COROOT_PASSWORD}"Expose coroot-graft in Kubernetes and annotate the pod so coroot-cluster-agent scrapes /metrics:
metadata:
annotations:
coroot.com/scrape-metrics: "true"
coroot.com/metrics-port: "8095"
coroot.com/metrics-path: "/metrics"Configure a Coroot Webhook integration to call:
http://coroot-graft:8095/webhooks/coroot/<project>?secret=<secret>
The body can be the documented Coroot JSON payload template:
{{ json . }}
Contract notes used for this implementation are summarized in docs/upstream-summary.md.
Implementation notes and MVP boundaries are documented in docs/architecture.md.
- Production install guide:
docs/install.md - Pinned compatibility baseline:
docs/compatibility.md - Release assets and package matrix:
docs/release-assets.md - Roadmap and issue index:
docs/roadmap.md - Integration policy:
docs/integration-policy.md - Machine-readable version pins:
compatibility-manifest.json
MIT, see LICENSE.