ENG-3767: Land DSR traversal visualizer (initial merge from PoC)

[gilluminate]

Ticket ENG-3767

Description Of Changes

Companion PR: fidesplus#3572

Lands the DSR traversal visualizer in main for the first time.

About the diff size. The PoC originated as a fast-moving, largely AI-generated branch (#8099) that wasn't given a substantive code review before it landed on its source branch. The branch on this PR includes both the cherry-pick of that PoC and a polish pass that applies our frontend conventions and addresses a first review pass before merge. The intent is that what you're reviewing is the version of the feature we'd actually want to ship — not the PoC's raw state.

Diffing this PR against the PoC will show substantive differences: string-union types replaced with enums, default exports flipped to named, hex literals swapped for palette tokens, antd v6 deprecations fixed, RTK Query cache key bug fixed, hydration-snap on first paint fixed, CodeQL finding on hand-built routes fixed, and more. Please review the final state rather than trying to diff-the-diff. The polish commit history is intact if you want to see what was changed and why.

Feature summary. A property-scoped, action-typed preview of how a DSR will fan out through configured integrations. Renders an interactive four-lane graph (identity input → systems queried → manual review gates → not touched) with per-card metadata, dataset breakdowns, and dependency edges. Gated behind the new dsrTraversalVisualizer beta flag (dev + test on, production off) and reachable at /dsr-traversal/[propertyKey]/[[...actionType]] from the "Request workflows" item in the Privacy requests nav group.

Code Changes

Backend (src/fides/api/graph/preview/)

• builder.py — TraversalPreviewBuilder builds the structured preview, falling back to FK-derived edges when full traversal fails
• reachability.py — per-integration reachability classification
• policy_filter.py — policy-aware data-category filtering with descendant matching
• schemas.py — Pydantic response shapes
• tests/ops/graph/preview/ — builder + reachability tests with shared conftest.py fixtures
• Code review fixes: scale optimization for _static_dataset_detail (O(N×M) → O(1) via indexes), custom category dot-prefix fallback in policy_filter.py, warning surfacing from _capture_traversal, deduplication (graph.identity_keys, _edges_from_counts), modern typing aliases

Frontend (clients/admin-ui/src/features/dsr-traversal-visualizer/)

• Page + canvas (ReactFlow-based four-lane layout)
• Three node types (identity root, integration, manual task)
• Two edge types (dependency, gates)
• Two side panels (integration details, manual task details)
• Custom four-lane layout (layout/compute-lane-layout.ts, compute-stages.ts, compute-column-count.ts) — pure functions with unit tests
• RTK Query slice with serializeQueryArgs that strips refresh so regenerate updates the same cache entry
• Hooks: useLaneCollapseState (persists collapse prefs to localStorage, exposes a hydrated flag to gate first-paint and avoid layout snap), useNodeSelection, useTraversalGraph
• Route shells in clients/admin-ui/src/pages/dsr-traversal/
• Type-safe enums for ActionType, Reachability, ActionStatus, LaneId; REACHABILITY_COLOR typed against CUSTOM_TAG_COLOR

MSW handlers (clients/admin-ui/src/mocks/dsr-traversal/)

• Self-contained fixture rich enough to exercise all card states (stage-1 + stage-2 reachable, gated by manual review, not-touched) via npm run dev:mock without seeding the fidesplus DB

Flag + nav wiring

• dsrTraversalVisualizer flag in flags.json (dev + test on, production off)
• nav-config.tsx entry under "Privacy requests → Request workflows", gated by the flag + requiresPlus

Steps to Confirm

The visualizer is gated behind the dsrTraversalVisualizer flag (on by default in dev/test, off in production).

1. Smoke against mock data (no backend setup required):

   cd clients/admin-ui && npm run dev:mock
   

   Navigate to Privacy requests → Request workflows in the sidebar. The MSW handlers seed one property ("Mocked Property") with 5 in-flow integrations across 2 stages, 1 manual review task that gates the legal archive, and 2 not-touched systems.
2. Select the property in the picker → confirm the four-lane layout renders with stage 1 / stage 2 grouping in "Will be queried", the Legal review task in "Gated by manual review", and (with the Show not touched toggle on) Legacy ERP + Vendor X in the "Not touched" lane.
3. Click an integration card → side panel opens with system, triggered-by sources, manual-review gate (if any), and dataset/collection/field breakdown.
4. Click Regenerate → confirm a single traversal-preview?refresh=true network call fires and writes back into the same cache entry (no parallel cache entries).
5. Toggle Access / Erasure → URL updates and the preview refreshes.
6. Collapse a lane via the floating chevron button → preference persists across reload (localStorage key fides:dsr-traversal:lane-collapse:v1); on reload the canvas renders with the persisted layout from the first paint (no visible re-layout snap).
7. Backend smoke (optional, requires fidesplus + seeded property/integrations): hit GET /api/v1/plus/properties/{property_id}/traversal-preview?action_type=access&include_unreachable=true and confirm the response matches the TraversalPreview schema; pass refresh=true to bypass cache.

Known Follow-ups (deferred)

From an in-session /code-review pass, these were judged worth deferring rather than blocking merge:

• snake_case wire-format names leak into TS internals (~24 identifiers across the feature). Normalize at the slice boundary via transformResponse in a follow-up — same pattern affects other features in the repo.
• compute-stages BFS depth-tracking deserves a diamond-with-extra-hop regression test. Practical case appears to be correct; a test would lock it in.
• Custom category matching semantics: preview uses taxonomy walk + dot-prefix fallback, real DSR uses bare startswith. Aligned for custom categories but user_provided edge case differs (preview is stricter/more correct).

Pre-Merge Checklist

• Issue requirements met
• All CI pipelines succeeded
• CHANGELOG.md updated
  • Add a db-migration This indicates that a change includes a database migration label to the entry if your change includes a DB migration
  • Add a high-risk This issue suggests changes that have a high-probability of breaking existing code label to the entry if your change includes a high-risk change (i.e. potential for performance impact or unexpected regression) that should be flagged
  • Updates unreleased work already in Changelog, no new entry necessary
• UX feedback:
  • All UX related changes have been reviewed by a designer
  • No UX review needed
• Followup issues:
  • Followup issues created
  • No followup issues
• Database migrations:
  • Ensure that your downrev is up to date with the latest revision on main
  • Ensure that your downgrade() migration is correct and works
    • If a downgrade migration is not possible for this change, please call this out in the PR description!
  • No migrations
• Documentation:
  • Documentation complete, PR opened in fidesdocs
  • Documentation issue created in fidesdocs
  • If there are any new client scopes created as part of the pull request, remember to update public-facing documentation that references our scope registry
  • No documentation updates required

🤖 Generated with Claude Code

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

2 Skipped Deployments

Project	Deployment	Actions	Updated (UTC)
fides-plus-nightly	Ignored	Preview	May 19, 2026 9:42pm
fides-privacy-center	Ignored		May 19, 2026 9:42pm

[github-actions]

Title	Lines	Statements	Branches	Functions
admin-ui		7.77% (3620/46564)	6.99% (1889/27010)	5.16% (708/13709)
fides-js		79.17% (1977/2497)	66.25% (1249/1885)	73.31% (349/476)
privacy-center		82.53% (364/441)	79.74% (189/237)	74.07% (60/81)

[codecov]

Codecov Report

❌ Patch coverage is 0% with 284 lines in your changes missing coverage. Please review.
✅ Project coverage is 85.10%. Comparing base (d096049) to head (64a032b).

Files with missing lines	Patch %	Lines
src/fides/api/graph/preview/builder.py	0.00%	162 Missing ⚠️
src/fides/api/graph/preview/schemas.py	0.00%	79 Missing ⚠️
src/fides/api/graph/preview/policy_filter.py	0.00%	27 Missing ⚠️
src/fides/api/graph/preview/reachability.py	0.00%	16 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #8168      +/-   ##
==========================================
- Coverage   85.66%   85.10%   -0.57%     
==========================================
  Files         665      669       +4     
  Lines       43086    43370     +284     
  Branches     5041     5080      +39     
==========================================
  Hits        36911    36911              
- Misses       5067     5351     +284     
  Partials     1108     1108              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

Dependency Review

✅ No vulnerabilities found.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 64a032b.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

Scanned Files

• clients/admin-ui/package.json
• clients/package-lock.json