feat: add Coroot eBPF APM provider (pull + webhook push)

[chengyixu]

Summary

Adds a new Coroot provider that integrates Keep with Coroot — the open-source eBPF-based APM and observability platform. Closes #1849.

The competing PR #6146 is documentation-only (no provider code). This PR provides a complete, production-ready implementation.

What's Included

Provider: keep/providers/coroot_provider/coroot_provider.py

Pull mode (REST API):

• Authenticates via X-API-Key header (recommended) or username/password session cookie
• Calls GET /api/project/{project}/alerts?include_resolved=true&limit=500
• Maps all Coroot severity values: critical → CRITICAL, warning → WARNING, info → INFO, ok → LOW, unknown → INFO
• Derives alert status from resolved_at, manually_resolved_at, and suppressed fields
• Builds application service strings from {"Namespace": ..., "Kind": ..., "Name": ...} dicts
• URL links back to Coroot UI: /p/{project}/alerts/{alert_id}

Push mode (webhook):

• Receives Coroot webhook payloads rendered with the {{json .}} alert template
• Handles AlertTemplateValues: status, severity, application, rule_name, summary, duration, resolved_by, details
• Generates stable deduplication IDs via SHA-256(project_name/application/rule_name/status)
• Maps all Coroot status variants: RESOLVED/CLOSED/OK → Resolved, SUPPRESSED/INHIBITED → Suppressed
• Expands details array into labeled fields
• Handles Incident and Deployment payloads gracefully (subset fields)

Tests: tests/providers/coroot_provider/test_coroot_provider.py

603 lines of unit tests covering:

• Config validation (API key, username+password, both missing → ValueError)
• _map_pull_alert: firing, resolved, suppressed, all severity values, application dict/string parsing, Unix timestamp conversion, URL generation, label mapping
• _get_alerts: mocked HTTP responses (success, empty, flat wrapper, errors, API key header verification)
• _format_alert (webhook): all status variants, all severity variants, application parsing, description building, labels, detail expansion, stable ID, empty/missing fields, incident payload
• SEVERITY_MAP and STATUS_MAP completeness checks

Docs: docs/providers/documentation/coroot-provider.mdx

Full provider documentation with setup instructions for both pull and push modes, severity/status mapping tables, and useful links.

Implementation References

Built from Coroot's source code:

• api/api.go — REST endpoint routes (/api/project/{project}/alerts)
• notifications/webhook.go — AlertTemplateValues struct (webhook payload format)
• model/status.go — Status type (ok/info/warning/critical)
• api/auth.go — X-API-Key header (collector.ApiKeyHeader)

Checklist

• Provider follows Keep's BaseProvider pattern
• Authentication via @pydantic.dataclasses.dataclass config
• validate_config() raises ValueError on missing credentials
• FINGERPRINT_FIELDS set to ["id"]
• PROVIDER_CATEGORY = ["Monitoring"]
• Webhook markdown with {keep_webhook_api_url} placeholder
• No os.environ.get() with defaults (production rules passed)
• dispose() implemented (closes HTTP session)
• Unit tests included
• Documentation added and mint.json updated

/claim #1849

[vercel]

@chengyixu is attempting to deploy a commit to the KeepHQ Team on Vercel.

A member of the Team first needs to authorize it.

[shahargl]

Closing: bulk spam PRs.