ReefGuard is a Coral-powered enterprise release-risk agent for Track 1: Enterprise Agent. It answers: “Is this release safe to ship, who is at risk, what might break, and what should we do next?”
Release approval evidence is scattered across pull requests, CI, runtime errors, revenue systems, support tickets, feature flags, runbooks, SBOMs, vulnerability feeds, policies, owner maps, and incident history. Teams either ship with partial context or spend hours pasting data between tools.
- Produces a deterministic 0-100 Release Confidence Score.
- Shows customer and revenue blast radius before rollout.
- Joins SBOM and vulnerability data for dependency risk.
- Detects sibling bug candidates and missing regression tests.
- Checks release policy controls and approval gaps.
- Routes reviewers, incident owners, and support escalation owners.
- Generates read-only action drafts: Slack incident watch, support brief, rollout plan, rollback checklist, monitoring plan, regression test plan, reviewer request, and compliance exception draft.
- Provides a self-running judge demo at
/demo. - Provides a submission asset center at
/submission.
All core retrieval runs through coral sql --format json. ReefGuard does not read JSONL files directly in app logic and does not call GitHub, Sentry, Stripe, Slack, or other APIs directly. The seeded demo data is installed into Coral as file-backed source specs, then queried as SQL tables.
queries/release_blast_radius.sql joins:
demo_githubdemo_sentrydemo_posthogdemo_intercomdemo_stripedemo_launchdarkly
That query maps changed files → risk area → related runtime errors → product usage → support tickets → paid customers → feature flags.
For judges, queries/judge_friendly_join.sql is shorter and joins exactly the headline sources:
- GitHub-like PR data
- Sentry-like runtime errors
- Stripe-like customers/revenue
- Slack-like incident memory
demo_github, demo_sentry, demo_posthog, demo_stripe, demo_intercom, demo_slack, demo_launchdarkly, demo_docs, cyclonedx_sbom, demo_osv, demo_service_map, demo_codeowners, demo_test_coverage, demo_repo_graph, demo_policies, demo_audit_logs, demo_approvals, demo_expertise, demo_release_history, demo_metrics.
flowchart LR
User["Release lead"] --> UI["Next.js UI"]
UI --> Agent["Deterministic Release Risk Agents"]
Agent --> CoralCLI["Coral CLI wrapper"]
CoralCLI --> CoralSQL["Coral SQL"]
CoralSQL --> Sources["20 file-backed Coral source specs"]
Sources --> Rows["Evidence rows"]
Rows --> Scoring["Explainable scoring"]
Scoring --> Report["Score, blast radius, SQL evidence, action pack"]
- Open
http://localhost:3000. - Use the high-risk scenario:
reef-retail/api#142. - Click Analyze Release Risk.
- Show the score, agent command center, Coral SQL tab, blast radius, revenue, security, impact graph, sibling bugs, test matrix, compliance, owners, incident replay, and action pack.
- Open
/demo?autoplay=true&scenario=high-riskfor the self-running 2-3 minute judge flow.
pnpm install
pnpm coral:setup
pnpm devOpen http://localhost:3000.
If Coral is missing:
brew install withcoral/tap/coral
# or
curl -fsSL https://withcoral.com/install.sh | shpnpm coral:test
pnpm lint
pnpm typecheck
pnpm test
pnpm build
pnpm test:e2eFull validation:
pnpm validatepnpm video:allOutputs:
dist/submission/video/reefguard-demo-2m30s.mp4dist/submission/video/reefguard-short-60s.mp4dist/submission/video/reefguard-demo-recording.webmdist/submission/screenshots/
docker build -t reefguard .
docker run --rm -p 3000:3000 --name reefguard reefguard
curl http://localhost:3000/api/healthOr:
docker compose up --buildThis project is Docker-first because Coral runs locally inside the app container.
Verified public deployment:
- Railway: https://reefguard-production.up.railway.app
- Health check: https://reefguard-production.up.railway.app/api/health
- Judge demo: https://reefguard-production.up.railway.app/demo?autoplay=true&scenario=high-risk
Fly.io:
flyctl auth login
flyctl launch --name reefguard-coral --dockerfile Dockerfile
flyctl deployRailway:
railway login
railway init
railway upRender:
- Create a Web Service.
- Use Docker environment.
- Build from this repo.
- Set
NODE_ENV=productionandCORAL_CONFIG_DIR=/app/.coral-config. - Expose port
3000.
ReefGuard never mutates external systems. It does not send Slack messages, create GitHub comments, close support tickets, or trigger rollbacks. Every action is a copyable draft. The repo includes .env.example only; no real secrets are committed.
| Requirement | ReefGuard alignment |
|---|---|
| Original project | Built as an original Coral hackathon submission. |
| Track 1 Enterprise Agent | Solves enterprise release-risk analysis. |
| Coral central | All core retrieval uses Coral SQL. |
| Cross-source JOINs | Flagship query joins 6 sources; judge query joins 4 headline sources. |
| Source specs | 20 file-backed Coral source specs, including custom CycloneDX SBOM. |
| Demo-ready UX | Dashboard, autoplay demo route, SQL workbench, submission center. |
| Reproducible setup | pnpm coral:setup, tests, Docker, docs, and submission bundle. |
| Safety | Read-only draft recommendations only. |
- Potential impact: reduces release risk for customer-facing enterprise systems.
- Creativity and originality: revenue-aware release risk agent with Coral SQL evidence and source-spec proof.
- Learning and growth: custom source specs, multi-source SQL, Dockerized Coral runtime, programmatic video pipeline.
- Technical implementation: Next.js, TypeScript, deterministic agents, tests, Docker, 20 Coral schemas.
- Aesthetics and UX: polished dashboard, readable demo, Coral Workbench, visual impact graph.
- Best use of Coral: visible SQL joins power the core workflow.
- Source Spec Bounty: custom file-backed CycloneDX SBOM source spec documented in
docs/SOURCE_SPEC_BOUNTY.md. - Captain’s Log: reproducible guide in
docs/CAPTAINS_LOG.md. - Tell the Tale: social posts in
docs/SOCIAL_POSTS.md.
ReefGuard is an original project built for the WeMakeDevs Pirates of the Coral-bean hackathon. The demo data is fictional. Implementation, UI, docs, source specs, and scripts were created for this submission.
No production credentials or real customer data are committed. Optional live integrations must remain read-only and use least-privilege tokens.
