save checkpoint
51
docs/features/checked/scanner/3-bit-reachability-gate.md
Normal file
@@ -0,0 +1,51 @@
# 3-Bit Reachability Gate
## Module
Scanner
## Status
VERIFIED
## Description
Gate-based reachability system with multiple gate detectors (auth, admin-only, feature flags, non-default config), gate multiplier calculator, and rich graph annotation for gate-aware reachability.
## Implementation Details
- **Gate Detectors** (each implements `IGateDetector`):
- `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Gates/Detectors/AuthGateDetector.cs` - Detects authentication gates on paths
- `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Gates/Detectors/AdminOnlyDetector.cs` - Detects admin-only access restrictions
- `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Gates/Detectors/FeatureFlagDetector.cs` - Detects feature flag conditions
- `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Gates/Detectors/NonDefaultConfigDetector.cs` - Detects non-default configuration gates
- `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Gates/Detectors/FileSystemCodeContentProvider.cs` - Provides file system code content for detection
- **Gate Composition & Scoring**:
- `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Gates/CompositeGateDetector.cs` - Combines multiple gate detectors
- `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Gates/GateMultiplierCalculator.cs` - Calculates gate multipliers for risk scoring
- `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Gates/GateModels.cs` - Gate data models
- `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Gates/GatePatterns.cs` - Pattern matching rules for gate detection
- **Rich Graph Annotation**:
- `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Gates/RichGraphGateAnnotator.cs` - Annotates rich graphs with gate information
- `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/RichGraph.cs` - Core rich graph model
- `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/RichGraphWriter.cs` - Writes gate-annotated rich graphs
- **SmartDiff Integration**:
- `src/Scanner/__Libraries/StellaOps.Scanner.SmartDiff/Detection/ReachabilityGateBridge.cs` - Bridges gate detection into smart diff analysis
- **PR Gate**:
- `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Cache/PrReachabilityGate.cs` - PR-level reachability gate evaluation
## E2E Test Plan
- [ ] Set up a scan target image containing a web application with authenticated routes, admin-only endpoints, feature-flagged code, and non-default config paths
- [ ] Trigger a scan via `POST /api/v1/scans` with reachability analysis enabled
- [ ] Verify each gate detector identifies its respective gate type in the reachability graph via `GET /api/v1/scans/{scanId}/reachability`
- [ ] Verify `GateMultiplierCalculator` reduces risk scores for gated paths (auth-gated vulns score lower than ungated)
- [ ] Verify the rich graph response includes gate annotations on affected nodes and edges
- [ ] Verify SmartDiff output includes gate-aware reachability context via the `ReachabilityGateBridge`
- [ ] Verify PR gate evaluation correctly blocks/allows based on gate-modified reachability status
---
## Verification
| Check | Result |
|-------|--------|
| Tier 0 - Source files exist | PASS |
| Tier 1 - Build + code review | PASS |
| Tier 2 - Integration tests | PASS |
| Verified | 2026-02-13T18:10:00Z |
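Review bot: the document contradicts itself about what was exercised: `## Status` says VERIFIED and the `## Verification` table records `Tier 2 - Integration tests | PASS`, yet every item under `## E2E Test Plan` is still an unchecked `- [ ]` box. Either tick the items the Tier 2 run actually covered, or add a line stating that the E2E plan is a pending manual pass separate from the automated tiers. Two smaller points in the same file: the title `# 3-Bit Reachability Gate` never says what the three bits are, while the description and the detector list enumerate four gate kinds (auth, admin-only, feature flag, non-default config), so one sentence mapping the bits to the gate kinds or to the `GateMultiplierCalculator` output would remove the ambiguity; and `FileSystemCodeContentProvider.cs` is listed under `**Gate Detectors** (each implements \`IGateDetector\`)` although its own description says it provides file system code content for detection rather than detecting a gate, so it belongs under its own bullet or the "each implements" claim should be narrowed to the four detector files.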