Architecture overview
SARC is a three-layer composition that sits above the customer’s existing Evidence Vault / Fides and ServiceNow deployments.
Three-layer model
Section titled “Three-layer model”flowchart TD SARC["SARC<br/>karc-portal (Next.js 16 standalone)<br/>scripts/ci/* · Helm charts<br/>Terraform stacks · ArgoCD ApplicationSets"] FIDES["Evidence Vault / Fides<br/>Attestations · Trails (per pipeline)<br/>Environment snapshots"] SNOW["ServiceNow<br/>DevOps Change Velocity · CAB workflow<br/>CMDB · Incident / Problem records"] RUNTIME["Customer's runtime<br/>AWS EKS / Azure AKS / GCP GKE / ROSA OpenShift / k3d<br/>GitLab CI / GitHub Actions / Azure DevOps / Jenkins"] SARC <-->|consumes / writes back| FIDES SARC <-->|consumes / writes back| SNOW FIDES <--> RUNTIME SNOW <--> RUNTIME class SARC sarc class FIDES fides class SNOW snow class RUNTIME runtime classDef sarc fill:#8957e5,stroke:#512a8f,color:#ffffff classDef fides fill:#2da44e,stroke:#116329,color:#ffffff classDef snow fill:#d29922,stroke:#8a6500,color:#ffffff classDef runtime fill:#1f6feb,stroke:#0b3d91,color:#ffffff
What runs in the cluster
Section titled “What runs in the cluster”
flowchart TD
NS["karc-<env> namespace"]
subgraph APP["Application workloads"]
direction TB
PORTAL["karc-portal · Deployment x2<br/>Next.js standalone · non-root · readonly-fs<br/>talks to PostgreSQL, Redis, the Evidence Vault, ServiceNow, Cloud APIs"]
PG["karc-portal-postgresql<br/>StatefulSet (primary)"]
REDIS["karc-portal-redis-master<br/>StatefulSet"]
GHMCP["karc-portal-github-mcp · Deployment (optional)<br/>github-mcp-server v1.0.4 sidecar<br/>HTTP Streamable transport on :8080/"]
MCP["karc-mcp · Deployment x2<br/>SARC's own MCP server (read tools)"]
PODTATO["podtato-head-* · Deployments (demo app)<br/>6 microservices: entry · hat · arms · legs"]
end
subgraph CRON["CronJobs"]
direction TB
C1["aict-reconcile<br/>AI Control Tower sync (15-min)"]
C2["cache-warmup"]
C3["ssa-cleanup<br/>server-side apply cleanup"]
C4["fides-reporter<br/>env snapshots back to the Evidence Vault"]
end
subgraph ARGOAPPS["ArgoCD Applications"]
direction TB
A1["karc-portal-<cloud>-<env>"]
A2["podtato-head-<cloud>-<env>"]
end
NS --> APP
NS --> CRON
NS --> ARGOAPPS
class NS ns
class PORTAL,PG,REDIS,GHMCP,MCP,PODTATO app
class C1,C2,C3,C4 cron
class A1,A2 argo
classDef ns fill:#1f6feb,stroke:#0b3d91,color:#ffffff
classDef app fill:#8957e5,stroke:#512a8f,color:#ffffff
classDef cron fill:#1b7c83,stroke:#0f4a4e,color:#ffffff
classDef argo fill:#e8590c,stroke:#9a3b08,color:#ffffff
Data flow per change
Section titled “Data flow per change”- Developer pushes to a feature branch.
- CI (GitLab / GitHub / ADO) runs the compliance pipeline: SAST + SCA + container + secret + IaC scans.
- The Evidence Vault receives attestations for each scan stage. The evidence trail is built per pipeline run.
- Pipeline calls
scripts/ci/fides-score.shwhich computes the 5-axis risk score from the trail. - Pipeline calls
scripts/ci/servicenow-cr.shwhich creates a ServiceNow Change Request with the risk score + release notes attached. - Approval check on the ADO/GitLab environment waits for the ServiceNow CR to flip to
approved. Low-risk CRs may auto-approve per the customer’s CAB policy. gitops:bump:karc-portal:devupdatesenvs/dev/image-tag.yamlon thegitopsbranch.- ArgoCD detects the gitops branch change, runs PreSync hooks (Fides assert + ServiceNow CR check), applies the new image to the cluster.
fides-reporterCronJob reports the new environment snapshot back to the Evidence Vault (closes the loop).- karc-portal
/timelineSSE stream lights up with every event in real time.
What the portal sees
Section titled “What the portal sees”The karc-portal is the read surface over all of this:
/dashboard: per-environment release health, Evidence Vault compliance state, pending CRs, vuln burndown/compliance/*: per-framework cards, control mapping, evidence export/change-requests: ServiceNow CR list with 5-axis risk tab + Evidence Vault evidence chain/timeline: real-time stream of every deploy/CR/Evidence Vault/ArgoCD event/services,/services/graph,/cmdb: service catalogue + dependency graph + ServiceNow CMDB browser/vulnerabilities,/sbom,/security: aggregated finding view across all scanners/audit: hash-chained audit log of every portal action/admin/mcp: MCP-Client Gateway demo (Phase 1)
Full surface inventory in docs/PORTAL-FEATURES.md in the repo.
Multi-cloud and multi-CI
Section titled “Multi-cloud and multi-CI”- Multi-cloud architecture — how the
TARGET_CLOUDswitch composes - Multi-CI architecture — how parity is maintained across GitLab + GitHub + ADO