Thinking about infrastructure dependencies
Articles on platform engineering, multi-repo visibility, blast radius analysis, and the patterns that help teams ship safely.
Find Every Consumer — The Series
A practical series covering how to track down every repo in your org that depends on a shared Terraform module, Docker base image, Helm chart, Go module, GitHub Actions workflow, GitLab CI template, internal npm or Python package, Ansible role, or Kustomize base — and why grep isn't enough.
What an org actually depends on — The Series
Scans of well-known open-source orgs rendered as cross-repo dependency graphs — what's central, what's a leaf, where the receipts live, and what the scanner missed.
Blast Radius Before Merge — The Series
Checking the blast radius of a change before you merge it: the symbol, live-state, and artifact dependency graphs sold under one phrase, what each one actually sees, and how to gate a merge on the answer.
-
Cross-repo blast radius in nine public platform orgs: the most depended-on repo at Grafana isn't Grafana
Parsed cross-repo dependency edges across 1,297 repos in nine public platform orgs. One in four repos is load-bearing for a sibling. Top hub: 188 dependents.
-
Which AI coding assistants can see blast radius before they change code?
None of Claude Code, Cursor, or Copilot resolves cross-repo blast radius on its own. Why the limit is structural — and what changes when you hand one a parsed graph.
-
Blast radius in software engineering: what it is, how to measure it, how to contain it
Blast radius is really two measurements — the code radius your tests catch, and the artifact radius that crosses repos. In one org, 147 repos hit one module.
-
What 242 Cloud Posse repos actually depend on
A Riftmap scan of 242 Cloud Posse repos found 147 declaring terraform-null-label, 133 on context.tf line 24, plus what grep, symbol graphs, and catalogs miss.
-
Declared, inferred, registered: the three ways a tool knows a cross-repo dependency exists
Parsed vs inferred is a two-horse race that hides a third runner: registered. How declared, inferred, and registered dependency tools each know an edge exists.
-
How to add a blast-radius gate to your merge pipeline
A pull request to a repository that a hundred others build on should not merge with one approval from a phone. A CI gate that routes review by measured downstream exposure — two HTTP calls, about forty lines, GitLab CI or GitHub Actions, no cloud credentials in the pipeline.
-
Can AI check the blast radius of a PR before you merge?
Yes — but only if a dependency graph exists for it to query. At least three different graphs are being sold under one phrase, and each is blind to a different kind of change. Here's what each one genuinely sees, walked end to end on a real public org.
-
You can index every repo in Cursor. It still can't tell you what breaks.
How to tune Cursor's codebase index for a large monorepo or a fifty-repo workspace, and the one question no amount of tuning makes it answer.
-
Claude Code reads your clone. Cursor reads similarity. Neither sees the graph.
Both agents can be handed more than one repo — but Claude Code only sees your clone and Cursor's index answers similarity. How to wire in the dependency graph.
-
The repo your agent didn't clone is the one it breaks
Coding agents got cross-repo access this year. They still can't see the blast radius of a base-image bump — because that edge was never a function call, and it lives in a repo they never cloned.
-
How to Find Every Consumer of Your Kustomize Base
You own a Kustomize base. Which overlays across your org build on it, at which ref — and what breaks when you change it? Why grep can't tell you, and what can.
-
I counted every cross-repo edge in two real orgs. Not one was a code symbol.
I scanned Prometheus and Cloud Posse and counted every cross-repo edge. Infrastructure runs from 38% to 99.75% of the coupling. Code symbols: zero.
-
What version constraints actually look like across real Terraform estates
A version constraint feels like a fact about what's running. It's a record of what the author allowed. I measured how that plays out across four real Terraform estates.
-
You changed the shared CI template. Half the org got it instantly. The other half will never see it.
A shared CI change is not a release. It is two deployments at once: instant to the pipelines tracking your branch, silent to the ones pinned to a tag. You hold the roster for neither.
-
How to Find Every Consumer of Your Ansible Role
Ansible has no lockfile and no reverse lookup: change a shared role and nothing says who breaks. Why finding every consumer is harder than grep.
-
Overmind shows you the blast radius in your running cloud. It can't show you the repos that were building on what you changed.
Overmind reads your live AWS, GCP and Kubernetes state to tell you whether a Terraform apply is safe. Riftmap parses source to tell you which other repositories consume what you are changing. Both call it "blast radius". They are not the same radius.
-
You deprecated the internal library. The repos still using it never saw the warning.
A deprecation warning only reaches consumers who recompile, and the repos that pinned the old version go quiet. Deprecating an internal library is a census problem.
-
Your senior engineer just left. Your bus factor was measuring the wrong thing.
A senior leaves and the code stays readable. What walks out is the cross-repo dependency map they held in their head — the part your bus factor, measured from commits, never counted.
-
How to Find Every Consumer of Your Internal Python Package
You maintain an internal Python package and a breaking change is coming. Which repos depend on it, at which version — and why pip, PyPI and your private index all answer the wrong question.
-
A CVE just hit your base image. Your scanner won't tell you which repos to fix.
A scanner finds the vulnerable base image — not the repos you patch. Why base-image CVE remediation is a cross-repo source problem, and how to get the list.
-
Your senior engineer just gave notice. Most of what they knew was in the repos all along.
Tribal knowledge is two different things wearing one name. The half everyone panics about losing was declared in your Terraform, your Dockerfiles, and your CI config the whole time.
-
How to Find Every Consumer of Your Internal npm Package
You maintain an internal npm package and a breaking change is coming. Which repos depend on it, at which version — and why npm answers this for public packages but not for your scoped ones.
-
GitLab Orbit maps your whole SDLC. It still can't tell you what an infrastructure change will break.
GitLab Orbit is an excellent symbol-and-SDLC graph. It's also the clearest illustration yet of the one layer that kind of graph can't reach: the infrastructure dependencies running between your repositories.
-
How to Find Every Consumer of Your GitLab CI Template
You maintain a shared GitLab CI template. Which projects include it, at which ref — and what breaks when you merge? Why GitLab can't tell you, and what can.
-
Is Backstage worth it? The real question is whether anyone will use it
The Backstage worth-it debate is always about cost — FTEs, months, TCO. Spotify's own head of Backstage engineering says that's not where it dies.
-
Backstage alternatives in 2026: first ask why you wanted Backstage
Every "Backstage alternatives" roundup lists the same five portals. None of them asks the question that decides which alternative is right: what job sent you looking in the first place?
-
How to give GitHub Copilot cross-repo context today
Three working ways to get cross-repo context into GitHub Copilot right now — multi-root workspaces, Copilot Spaces, and MCP for the cloud agent — and the one question all three leave you to answer by hand.
-
Monorepo vs polyrepo: the debate is measuring the wrong thing
Monorepo vs polyrepo is argued as a code-location debate. The real variable is whether "what depends on this" is queryable — and infrastructure never got a vote.
-
The CRA's 24-hour clock is a cross-repo question. Your SBOM answers a different one.
The CRA's 24-hour reporting clock asks which products ship an exploited component. Your SBOM lists what is inside one artifact. Those are different questions, and the gap between them is a cross-repo IaC dependency graph.
-
Repo access was never the hard part
The multi-repo agent race is solving repository access. But access is plumbing — the cross-repo dependency graph is the part nobody upstream is parsing.
-
Inferred context is not a dependency graph
An enterprise context engine makes your agent generate better code. A parsed dependency graph is the thing you gate a deploy on. Two jobs, two kinds of machinery, and why a confidence score is the wrong guarantee for the second one.
-
Modeled graphs and parsed graphs: two architectures for cross-repo context in the agentic era
Why Port's Blueprints can model the catalog you describe but not the dependency graph your repos already declare — and why modeled graphs and parsed graphs are different categories.
-
Symbol graphs and artifact graphs: why Sourcegraph stops where infrastructure starts
Why Sourcegraph's symbol graph can't tell you who consumes your Helm chart at v3.2.0 — and why symbol graphs and artifact graphs are different categories.
-
Cross-repo context is in product docs. The graph is not.
The vocabulary moved into vendor docs in sixty days. The parser-derived cross-repo dependency graph it describes hasn't shipped in any AI coding product.
-
What 208 kubernetes-sigs repos actually depend on
I scanned all 208 kubernetes-sigs repos with Riftmap. Here's the cross-repo dependency graph, including the 153 repos that import sigs.k8s.io/yaml.
-
You don't need a virtual monorepo. You need a graph.
Two patterns give AI coding agents cross-repo context. The virtual monorepo scales by hand and breaks past ~100 repos; a queryable dependency graph scales by construction.
-
AI coding agents need cross-repo context. The teams running them at scale are already building it themselves.
Three teams shipped the same diagnosis in two weeks: AI coding agents need cross-repo context. Two built the dependency graph substrate. One built around it.
-
Meta needed 50+ AI agents to map their tribal knowledge. The most durable piece of their stack is the part you can build today.
A close read of Meta's April 2026 tribal knowledge engine, the academic paper they cited, and the architectural argument hidden inside both.
-
The catalog maintenance trap: why service catalogs go stale
Backstage and the developer-portal category solve a real problem. The reason platform teams quietly abandon them is something different, and it points at the shape of what actually works.
-
What 56 Prometheus repos actually depend on
I scanned all 56 repos in the Prometheus org with Riftmap. Here's the cross-repo dependency graph, including the 25 repos that import client_golang.
-
Change failure rate is up 30% — here's how to measure yours in an afternoon
A practitioner's guide to calculating change failure rate for your team without a vendor platform — the DORA formula, the SQL, and the one cut nobody is making yet: AI-assisted PRs vs human-authored.
-
AI Doesn't Understand Blast Radius: Why Change Failure Rates Are Up 30%
AI coding tools optimise for local correctness, but production breaks at the edges of the cross-repo dependency graph they can't see. A look at the 2025–2026 data — Cortex, DORA, CodeRabbit, and Amazon's own high-blast-radius memo — and what to put between the agent and main.
-
How to Find Every Consumer of Your Go Module
You maintain an internal Go module. A breaking API change is coming. Which repos across your org import it — and at which version? Here's why the answer is harder than it should be.
-
How to Find Every Consumer of Your Helm Chart
You maintain a shared Helm chart. A breaking value rename or API version bump is coming. Which deployments across your org depend on it — and at which version? Here's why the answer is harder than it should be.
-
How to Find Every Consumer of Your Reusable GitHub Actions Workflow
You maintain a shared GitHub Actions workflow. You need to rename an input, drop a step, or change a required secret. Which repos across your org call it — and at which ref? Here's why the answer is harder than it should be.
-
How to Find Every Consumer of Your Terraform Module
When you need to make a breaking change to a shared Terraform module, which repos are affected? Here's why the answer is harder than it should be.
-
How to Find Every Consumer of Your Docker Base Image
When a CVE hits your Docker base image, which repos are affected? Here's why the answer is harder than it should be, and what a real solution requires.
-
The State of Infrastructure Dependency Tooling in 2026
An honest survey of the infrastructure dependency tooling landscape in 2026 — what Backstage, Renovate, HCP Terraform Explorer, Nx, Wiz, and DIY scripts each solve, where they fall short, and the gap that none of them fill.
-
Auto-Discovering Infrastructure Dependencies Across 10 Ecosystems
A technical deep-dive into auto-discovering cross-repo dependencies across Terraform, Docker, CI pipelines, Python, Go, npm, Ansible, Helm, Kubernetes, and Kustomize — and why each ecosystem fights back.
-
The Infrastructure Dependency Problem No One Has Solved
Why every platform team eventually builds the same brittle script, and why it keeps breaking. A deep look at cross-repo dependency visibility — the infrastructure problem hiding in plain sight.