Summary
Add a reachability/coverage audit primitive that answers: "which nodes of type X do NOT transitively reach a node matching Y?" The headline use is authorization coverage — finding IDOR-class gaps automatically.
Motivation (real find)
In a FastAPI backend audit, the highest-severity issue was an endpoint (get_reservation_prices) that returned a resource without calling the ownership check verify_resource_ownership, while every sibling endpoint did. I found it by manually diffing analyze_impact output. The graph already has everything needed to do this automatically — and the core ontology even defines an AUTHORIZES edge type for exactly this semantic.
Proposal
A tool like:
cgis_audit_reachability(
db_path,
from_selector = {node_type: "ROUTE_HANDLER"}, # or fqn glob
must_reach = {fqn: "...verify_resource_ownership"} # or {edge_type: "AUTHORIZES"}
max_depth = 5,
)
→ { "covered": [...], "gaps": [{handler, file, line, nearest_resource_access}] }
Generalizes beyond authz:
- handlers that touch storage but never reach a validator (
VALIDATES)
- mutations that never reach event tracking (
TRIGGERS/EMITS)
- routes that bypass the service layer (reach
storage.* without passing a *.service.* node)
Why it matters
This is the step that turns cgis from a navigation tool into a security/architecture linter. Reachability-to-a-required-checkpoint is a recurring audit shape; baking it in (leveraging the existing semantic edge types) would have surfaced the IDOR with zero manual graph reading.
Summary
Add a reachability/coverage audit primitive that answers: "which nodes of type X do NOT transitively reach a node matching Y?" The headline use is authorization coverage — finding IDOR-class gaps automatically.
Motivation (real find)
In a FastAPI backend audit, the highest-severity issue was an endpoint (
get_reservation_prices) that returned a resource without calling the ownership checkverify_resource_ownership, while every sibling endpoint did. I found it by manually diffinganalyze_impactoutput. The graph already has everything needed to do this automatically — and the core ontology even defines anAUTHORIZESedge type for exactly this semantic.Proposal
A tool like:
Generalizes beyond authz:
VALIDATES)TRIGGERS/EMITS)storage.*without passing a*.service.*node)Why it matters
This is the step that turns cgis from a navigation tool into a security/architecture linter. Reachability-to-a-required-checkpoint is a recurring audit shape; baking it in (leveraging the existing semantic edge types) would have surfaced the IDOR with zero manual graph reading.