git.stella-ops.org/docs/modules/reach-graph
master fdf95e0f46 docs: module dossier + install/quickstart sync for truthful cutover sprints
- API_CLI_REFERENCE.md, INSTALL_GUIDE.md, quickstart.md, architecture/integrations.md, dev/DEV_ENVIRONMENT_SETUP.md, integrations/LOCAL_SERVICES.md: reflect real-service wiring.
- docs/modules/**: module dossier updates across the modules touched by SPRINT_20260415_001..007 + SPRINT_20260416_003..017 + SPRINT_20260417_018..024 + SPRINT_20260418_025 + SPRINT_20260419_026.
- docs/features/checked/web/**: update feature notes where UI changed.
- docs/qa/feature-checks/runs/web/evidence-presentation-ux/: QA evidence artifacts.
- docs/setup/**, docs/technical/**: align with setup wizard contracts.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-19 14:45:09 +03:00

ReachGraph

Unified store for reachability subgraphs with edge-level explainability.

Purpose

The ReachGraph module provides a unified store for reachability subgraphs, enabling fast, deterministic, audit-ready answers to "exactly why a dependency is reachable." It consolidates data from Scanner, Signals, and Attestor into content-addressed artifacts with edge-level explainability.

  • Architecture - Technical design and implementation details
  • Guides - Usage and query guides
  • Schemas - ReachGraph schema definitions

Status

Attribute      Value
Maturity       Production
Last Reviewed  2025-12-29
Maintainer     Scanner Guild, Signals Guild

Key Features

  • Unified Schema: Extends PoE subgraph format with edge explainability
  • Content-Addressed Store: All artifacts identified by BLAKE3 digest
  • Slice Query API: Fast queries by package, CVE, entrypoint, or file
  • Deterministic Replay: Verify that the same inputs produce the same graph
  • DSSE Signing: Offline-verifiable proofs

Dependencies

Upstream (this module depends on)

  • Scanner - CallGraph data source
  • Signals - ReachabilityFactDocument source
  • Attestor - PoE JSON source

Downstream (modules that depend on this)

  • Policy Engine - Reachability-based policy evaluation
  • Web Console - Reachability visualization
  • CLI - Reachability queries
  • ExportCenter - Reachability data exports

API Endpoints

  • POST /v1/reachgraphs - Create new reachgraph
  • GET /v1/reachgraphs/{digest} - Retrieve reachgraph by digest
  • GET /v1/reachgraphs/{digest}/slice - Query slice of reachgraph
  • POST /v1/reachgraphs/replay - Verify deterministic replay