ReachGraph
Unified store for reachability subgraphs with edge-level explainability.
Purpose
The ReachGraph module provides a unified store for reachability subgraphs, enabling fast, deterministic, audit-ready answers to "exactly why a dependency is reachable." It consolidates data from Scanner, Signals, and Attestor into content-addressed artifacts with edge-level explainability.
Quick Links
- Architecture - Technical design and implementation details
- Guides - Usage and query guides
- Schemas - ReachGraph schema definitions
Status
| Attribute | Value |
|---|---|
| Maturity | Production |
| Last Reviewed | 2025-12-29 |
| Maintainer | Scanner Guild, Signals Guild |
Key Features
- Unified Schema: Extends PoE subgraph format with edge explainability
- Content-Addressed Store: All artifacts identified by BLAKE3 digest
- Slice Query API: Fast queries by package, CVE, entrypoint, or file
- Deterministic Replay: Verify that same inputs produce same graph
- DSSE Signing: Offline-verifiable proofs
Dependencies
Upstream (this module depends on)
- Scanner - CallGraph data source
- Signals - ReachabilityFactDocument source
- Attestor - PoE JSON source
Downstream (modules that depend on this)
- Policy Engine - Reachability-based policy evaluation
- Web Console - Reachability visualization
- CLI - Reachability queries
- ExportCenter - Reachability data exports
API Endpoints
POST /v1/reachgraphs- Create new reachgraphGET /v1/reachgraphs/{digest}- Retrieve reachgraph by digestGET /v1/reachgraphs/{digest}/slice- Query slice of reachgraphPOST /v1/reachgraphs/replay- Verify deterministic replay