# SBOM graph explorer

Purpose
- Traverse components, dependencies, and overlays with deterministic filters.
- Exports must include the overlay and filter set that produced them.

Views and overlays
- Inventory vs usage overlays for declared vs runtime-observed packages.
- Reachability overlay highlights components reachable from entrypoints.
- Policy overlay shows allow, deny, review verdicts with policy version.
- VEX overlay marks components covered by claims and contested states.

Filters
- Package facets: ecosystem, name, version, license, supplier.
- Reachability facets: entrypoint, call depth, evidence source.
- Risk facets: severity, EPSS bucket, KEV flag, exploitability score.
- Time facets: last-seen and last-scan timestamps.
- Results are sorted deterministically by PURL then version.

Saved views and exports
- Saved views capture query, overlays, columns, sort, tenant, and graph_cache_epoch.
- Exported NDJSON includes view_id, filters, overlays, results, and SHA-256 manifest.
- Restoring a view warns when cache epochs differ.

Interactions
- Graph canvas supports zoom, pan, and node expansion with a max node cap.
- Table panel stays in sync with canvas selection.
- Details drawer shows PURL, provenance, and incoming or outgoing edges.
- Search accepts PURL, package name, or CVE.

Accessibility
- Keyboard navigation across canvas, filters, table, and drawer.
- Screen reader labels include overlay state.
- High-contrast and reduced-motion modes are supported.

Air-gap and caching
- Offline bundles supply graph_cache_epoch for deterministic overlays.
- Client cache invalidates on tenant switch or overlay version change.

AOC visibility
- Regulated tenants show an AOC enforced badge.
- Exports include aoc=true flag when applicable.

Related references
- docs/api/graph.md
- modules/graph.md
- ui/reachability-overlays.md