Skip to content

Add reachability/coverage audit primitive (authz coverage, layering, validation gaps) #172

Description

@zaebee

Summary

Add a reachability/coverage audit primitive that answers: "which nodes of type X do NOT transitively reach a node matching Y?" The headline use is authorization coverage — finding IDOR-class gaps automatically.

Motivation (real find)

In a FastAPI backend audit, the highest-severity issue was an endpoint (get_reservation_prices) that returned a resource without calling the ownership check verify_resource_ownership, while every sibling endpoint did. I found it by manually diffing analyze_impact output. The graph already has everything needed to do this automatically — and the core ontology even defines an AUTHORIZES edge type for exactly this semantic.

Proposal

A tool like:

cgis_audit_reachability(
    db_path,
    from_selector  = {node_type: "ROUTE_HANDLER"},      # or fqn glob
    must_reach     = {fqn: "...verify_resource_ownership"} # or {edge_type: "AUTHORIZES"}
    max_depth      = 5,
)
→ { "covered": [...], "gaps": [{handler, file, line, nearest_resource_access}] }

Generalizes beyond authz:

  • handlers that touch storage but never reach a validator (VALIDATES)
  • mutations that never reach event tracking (TRIGGERS/EMITS)
  • routes that bypass the service layer (reach storage.* without passing a *.service.* node)

Why it matters

This is the step that turns cgis from a navigation tool into a security/architecture linter. Reachability-to-a-required-checkpoint is a recurring audit shape; baking it in (leveraging the existing semantic edge types) would have surfaced the IDOR with zero manual graph reading.

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions