git.stella-ops.org/docs/modules/reach-graph/README.md

# ReachGraph

> Unified store for reachability subgraphs with edge-level explainability.

## Purpose

The ReachGraph module provides a unified store for reachability subgraphs, enabling fast, deterministic, audit-ready answers to "exactly why a dependency is reachable." It consolidates data from Scanner, Signals, and Attestor into content-addressed artifacts with edge-level explainability.

## Quick Links

- [Architecture](./architecture.md) - Technical design and implementation details
- [Guides](./guides/) - Usage and query guides
- [Schemas](./schemas/) - ReachGraph schema definitions

## Status

| Attribute | Value |
|-----------|-------|
| **Maturity** | Production |
| **Last Reviewed** | 2025-12-29 |
| **Maintainer** | Scanner Guild, Signals Guild |

## Key Features

- **Unified Schema**: Extends PoE subgraph format with edge explainability
- **Content-Addressed Store**: All artifacts identified by BLAKE3 digest
- **Slice Query API**: Fast queries by package, CVE, entrypoint, or file
- **Deterministic Replay**: Verify that same inputs produce same graph
- **DSSE Signing**: Offline-verifiable proofs

## Dependencies

### Upstream (this module depends on)
- **Scanner** - CallGraph data source
- **Signals** - ReachabilityFactDocument source
- **Attestor** - PoE JSON source

### Downstream (modules that depend on this)
- **Policy Engine** - Reachability-based policy evaluation
- **Web Console** - Reachability visualization
- **CLI** - Reachability queries
- **ExportCenter** - Reachability data exports

## API Endpoints

- `POST /v1/reachgraphs` - Create new reachgraph
- `GET /v1/reachgraphs/{digest}` - Retrieve reachgraph by digest
- `GET /v1/reachgraphs/{digest}/slice` - Query slice of reachgraph
- `POST /v1/reachgraphs/replay` - Verify deterministic replay

## Related Documentation

- [Scanner Architecture](../scanner/architecture.md)
- [Signals Architecture](../signals/architecture.md)