Skip to content

Architecture overview

SARC is a three-layer composition that sits above the customer’s existing Evidence Vault / Fides and ServiceNow deployments.

flowchart TD
  SARC["SARC<br/>karc-portal (Next.js 16 standalone)<br/>scripts/ci/* · Helm charts<br/>Terraform stacks · ArgoCD ApplicationSets"]
  FIDES["Evidence Vault / Fides<br/>Attestations · Trails (per pipeline)<br/>Environment snapshots"]
  SNOW["ServiceNow<br/>DevOps Change Velocity · CAB workflow<br/>CMDB · Incident / Problem records"]
  RUNTIME["Customer's runtime<br/>AWS EKS / Azure AKS / GCP GKE / ROSA OpenShift / k3d<br/>GitLab CI / GitHub Actions / Azure DevOps / Jenkins"]

  SARC <-->|consumes / writes back| FIDES
  SARC <-->|consumes / writes back| SNOW
  FIDES <--> RUNTIME
  SNOW <--> RUNTIME

  class SARC sarc
  class FIDES fides
  class SNOW snow
  class RUNTIME runtime

  classDef sarc fill:#8957e5,stroke:#512a8f,color:#ffffff
  classDef fides fill:#2da44e,stroke:#116329,color:#ffffff
  classDef snow fill:#d29922,stroke:#8a6500,color:#ffffff
  classDef runtime fill:#1f6feb,stroke:#0b3d91,color:#ffffff
flowchart TD
  NS["karc-&lt;env&gt; namespace"]

  subgraph APP["Application workloads"]
    direction TB
    PORTAL["karc-portal · Deployment x2<br/>Next.js standalone · non-root · readonly-fs<br/>talks to PostgreSQL, Redis, the Evidence Vault, ServiceNow, Cloud APIs"]
    PG["karc-portal-postgresql<br/>StatefulSet (primary)"]
    REDIS["karc-portal-redis-master<br/>StatefulSet"]
    GHMCP["karc-portal-github-mcp · Deployment (optional)<br/>github-mcp-server v1.0.4 sidecar<br/>HTTP Streamable transport on :8080/"]
    MCP["karc-mcp · Deployment x2<br/>SARC's own MCP server (read tools)"]
    PODTATO["podtato-head-* · Deployments (demo app)<br/>6 microservices: entry · hat · arms · legs"]
  end

  subgraph CRON["CronJobs"]
    direction TB
    C1["aict-reconcile<br/>AI Control Tower sync (15-min)"]
    C2["cache-warmup"]
    C3["ssa-cleanup<br/>server-side apply cleanup"]
    C4["fides-reporter<br/>env snapshots back to the Evidence Vault"]
  end

  subgraph ARGOAPPS["ArgoCD Applications"]
    direction TB
    A1["karc-portal-&lt;cloud&gt;-&lt;env&gt;"]
    A2["podtato-head-&lt;cloud&gt;-&lt;env&gt;"]
  end

  NS --> APP
  NS --> CRON
  NS --> ARGOAPPS

  class NS ns
  class PORTAL,PG,REDIS,GHMCP,MCP,PODTATO app
  class C1,C2,C3,C4 cron
  class A1,A2 argo

  classDef ns fill:#1f6feb,stroke:#0b3d91,color:#ffffff
  classDef app fill:#8957e5,stroke:#512a8f,color:#ffffff
  classDef cron fill:#1b7c83,stroke:#0f4a4e,color:#ffffff
  classDef argo fill:#e8590c,stroke:#9a3b08,color:#ffffff
  1. Developer pushes to a feature branch.
  2. CI (GitLab / GitHub / ADO) runs the compliance pipeline: SAST + SCA + container + secret + IaC scans.
  3. The Evidence Vault receives attestations for each scan stage. The evidence trail is built per pipeline run.
  4. Pipeline calls scripts/ci/fides-score.sh which computes the 5-axis risk score from the trail.
  5. Pipeline calls scripts/ci/servicenow-cr.sh which creates a ServiceNow Change Request with the risk score + release notes attached.
  6. Approval check on the ADO/GitLab environment waits for the ServiceNow CR to flip to approved. Low-risk CRs may auto-approve per the customer’s CAB policy.
  7. gitops:bump:karc-portal:dev updates envs/dev/image-tag.yaml on the gitops branch.
  8. ArgoCD detects the gitops branch change, runs PreSync hooks (Fides assert + ServiceNow CR check), applies the new image to the cluster.
  9. fides-reporter CronJob reports the new environment snapshot back to the Evidence Vault (closes the loop).
  10. karc-portal /timeline SSE stream lights up with every event in real time.

The karc-portal is the read surface over all of this:

  • / dashboard: per-environment release health, Evidence Vault compliance state, pending CRs, vuln burndown
  • /compliance/*: per-framework cards, control mapping, evidence export
  • /change-requests: ServiceNow CR list with 5-axis risk tab + Evidence Vault evidence chain
  • /timeline: real-time stream of every deploy/CR/Evidence Vault/ArgoCD event
  • /services, /services/graph, /cmdb: service catalogue + dependency graph + ServiceNow CMDB browser
  • /vulnerabilities, /sbom, /security: aggregated finding view across all scanners
  • /audit: hash-chained audit log of every portal action
  • /admin/mcp: MCP-Client Gateway demo (Phase 1)

Full surface inventory in docs/PORTAL-FEATURES.md in the repo.