git.stella-ops.org/docs/features/checked/graph/graph-overlay-system.md

# Graph Overlay System (Policy, VEX, Reachability)

## Module
Graph

## Status
VERIFIED

## Description
Overlay system with exporter, in-memory overlay service, and tests for layering policy/VEX/reachability data onto dependency graphs.

## Implementation Details
- **Overlay service interface**: `src/Graph/StellaOps.Graph.Api/Services/IOverlayService.cs` -- overlay query contract
- **In-memory overlay service**: `src/Graph/StellaOps.Graph.Api/Services/InMemoryOverlayService.cs` -- in-memory overlay implementation for testing
- **Overlay exporter**: `src/Graph/StellaOps.Graph.Indexer/Analytics/GraphOverlayExporter.cs` -- exports analytics results as overlay layers
- **Policy overlay processor**: `src/Graph/StellaOps.Graph.Indexer/Ingestion/Policy/PolicyOverlayProcessor.cs` -- ingests policy decisions as graph overlays
- **Policy overlay transformer**: `src/Graph/StellaOps.Graph.Indexer/Ingestion/Policy/PolicyOverlayTransformer.cs` -- transforms policy data for graph overlay
- **Policy overlay snapshot**: `src/Graph/StellaOps.Graph.Indexer/Ingestion/Policy/PolicyOverlaySnapshot.cs` -- policy overlay state
- **Policy overlay metrics**: `src/Graph/StellaOps.Graph.Indexer/Ingestion/Policy/PolicyOverlayMetrics.cs`, `IPolicyOverlayMetrics.cs` -- overlay processing metrics
- **VEX overlay**: `src/Graph/StellaOps.Graph.Indexer/Ingestion/Vex/VexOverlayTransformer.cs`, `VexOverlaySnapshot.cs` -- VEX verdict overlays on graph
- **Reachability delta**: `src/Graph/StellaOps.Graph.Api/Services/IReachabilityDeltaService.cs`, `InMemoryReachabilityDeltaService.cs` -- reachability annotation overlays
- **Tests**: `src/Graph/__Tests/StellaOps.Graph.Indexer.Tests/GraphOverlayExporterTests.cs`
- **Metrics tests**: `src/Graph/__Tests/StellaOps.Graph.Api.Tests/MetricsTests.cs` -- overlay cache counter verification
- **Source**: Feature matrix scan

## E2E Test Plan
- [x] Verify policy overlay renders policy decisions on graph nodes
- [x] Test VEX overlay annotates graph with VEX verdict data
- [x] Verify reachability overlay shows reachability status per edge
- [x] Test overlay exporter generates valid overlay from analytics results
- [x] Verify overlay stacking (multiple overlays on same graph)

## Verification
- **Run ID**: run-002
- **Date**: 2026-02-09T21:43:00Z
- **Tier**: 1 (Source + Build + Test)
- **Result**: PASS
- **Evidence**: 52/52 Graph.Api.Tests pass (including MetricsTests 2/2 pass for overlay cache counters). 108/108 non-persistence tests pass across all Graph test projects. 17 Persistence tests skipped (require Docker/PostgreSQL -- environment limitation, not a regression).
- **Notes**: Required 1 retry cycle. Initial failure due to MeterListener cross-contamination in MetricsTests -- name-based meter filtering picked up instruments from other tests' undisposed GraphMetrics instances. Fixed in run-002 by switching to instance-based meter filtering and adding `using` statements to GraphMetrics instances in QueryServiceTests.

### Tier 2 Recheck (API Behavior)
- **Run ID**: run-003
- **Date**: 2026-02-10T11:47:30Z
- **Tier**: 2 (End-to-end API verification)
- **Result**: PASS
- **Evidence**: Added API integration coverage (`QueryOverlayEndpointsIntegrationTests`) and revalidated live `/graph/query` behavior with overlays enabled. Verified overlays on all returned node tiles and single explain-trace sampling per response. Artifact: `docs/qa/feature-checks/runs/graph/graph-overlay-system/run-003/tier2-api-check.json`.

## Recheck (Run-005)
- **Verified**: 2026-02-10
- **Method**: Tier 2a API replay validated via Graph.Api integration suite.
- **Tests**: PASS (`src/Graph/__Tests/StellaOps.Graph.Api.Tests`: 66/66).
- **Tier 2 Evidence**: `docs/qa/feature-checks/runs/graph/graph-overlay-system/run-005/tier2-api-check.json`
- **Outcome**: Overlay/query API behavior remains healthy with runtime data-path coverage.

## Recheck (Run-006)
- **Verified**: 2026-02-10
- **Method**: Tier 2 replay validated via Graph API/indexer suites.
- **Tests**: PASS (src/Graph/__Tests/StellaOps.Graph.Api.Tests: 66/66; src/Graph/__Tests/StellaOps.Graph.Indexer.Tests: 37/37; src/Graph/__Tests/StellaOps.Graph.Indexer.Persistence.Tests: 17/17).
- **Tier 2 Evidence**: docs/qa/feature-checks/runs/graph/graph-overlay-system/run-006/tier2-api-check.json
- **Outcome**: Overlay/query API behavior remains healthy with non-empty node overlays.

## Recheck (Run-007)
- **Verified**: 2026-02-10
- **Method**: Tier 2 replay validated via Graph API/indexer suites.
- **Tests**: PASS (src/Graph/__Tests/StellaOps.Graph.Api.Tests: 66/66; src/Graph/__Tests/StellaOps.Graph.Indexer.Tests: 37/37; src/Graph/__Tests/StellaOps.Graph.Indexer.Persistence.Tests: 17/17).
- **Tier 2 Evidence**: docs/qa/feature-checks/runs/graph/graph-overlay-system/run-007/tier2-api-check.json
- **Outcome**: Overlay/query API behavior remains healthy with non-empty node overlays.

## Recheck (Run-008)
- **Verified**: 2026-02-10
- **Method**: Tier 2 replay validated via Graph API/indexer suites.
- **Tests**: PASS (src/Graph/__Tests/StellaOps.Graph.Api.Tests: 66/66; src/Graph/__Tests/StellaOps.Graph.Indexer.Tests: 37/37; src/Graph/__Tests/StellaOps.Graph.Indexer.Persistence.Tests: 17/17).
- **Tier 2 Evidence**: docs/qa/feature-checks/runs/graph/graph-overlay-system/run-008/tier2-api-check.json
- **Outcome**: Overlay/query API behavior remains healthy with non-empty node overlays.

## Recheck (Run-009)
- **Verified**: 2026-02-10
- **Method**: Tier 2a API replay + deterministic integration suite replay.
- **Tests**: PASS (Graph.Api.Tests 66/66, Graph.Indexer.Tests 37/37, Graph.Indexer.Persistence.Tests 17/17).
- **Tier 2 Evidence**: docs/qa/feature-checks/runs/graph/graph-overlay-system/run-009/tier2-api-check.json
- **Outcome**: Checked Graph behavior remains healthy in continued replay.


## Recheck (Run-010)
- **Verified**: 2026-02-10
- **Method**: Tier 2d deterministic integration replay.
- **Tests**: PASS (Graph Api 66/66, Indexer 37/37, Indexer.Persistence 17/17; total 120/120).
- **Tier 2 Evidence**: docs/qa/feature-checks/runs/graph/graph-overlay-system/run-010/tier2-integration-check.json
- **Outcome**: Checked graph behavior remains healthy in continued replay.
## Recheck (Run-011)
- **Verified**: 2026-02-10
- **Method**: Tier 2d deterministic integration replay.
- **Tests**: PASS (Graph Api 66/66, Indexer 37/37, Indexer.Persistence 17/17; total 120/120).
- **Tier 2 Evidence**: docs/qa/feature-checks/runs/graph/graph-overlay-system/run-011/tier2-integration-check.json
- **Outcome**: Checked graph behavior remains healthy in continued replay.
## Recheck (Run-012)
- **Verified**: 2026-02-10
- **Method**: Tier 2 replay + deterministic Graph suite replay.
- **Tests**: PASS (Graph.Api 66/66, Graph.Indexer 37/37, Graph.Indexer.Persistence 17/17; total 120/120).
- **Tier 2 Evidence**: docs/qa/feature-checks/runs/graph/graph-overlay-system/run-012/tier2-api-check.json
- **Outcome**: Checked graph behavior remains healthy in continued replay.

## Recheck (Run-013)
- **Verified**: 2026-02-10
- **Method**: Tier 2d deterministic integration replay with fresh command-output evidence.
- **Tests**: PASS (Graph matrix 120/120: Api 66, Indexer 37, Indexer.Persistence 17.)
- **Tier 2 Evidence**: docs/qa/feature-checks/runs/graph/graph-overlay-system/run-013/tier2-integration-check.json
- **Outcome**: Checked Graph behavior remains healthy in continued replay.

## Recheck (Run-016)
- **Verified**: 2026-02-11
- **Method**: Strict Tier 2 API replay with overlay-enabled query stream plus search/path and tenant-guard validation.
- **Tests**: PASS (`src/Graph/StellaOps.Graph.sln`: 120/120).
- **Tier 2 Evidence**: docs/qa/feature-checks/runs/graph/graph-overlay-system/run-016/tier2-api-check.json
- **Outcome**: Fresh user-surface evidence confirms overlay payloads remain present on query tiles and service contracts hold under negative paths.