feat: add GuardLinker to create PROTECTS edges between GUARD/MIDDLEWARE and ENDPOINT nodes #14
Merged
…her query
Added GraphStore.findEndpointNeighborsBatch() that fetches all endpoint neighbors for a list of node IDs in one MATCH ... WHERE n.id IN $nodeIds query, eliminating up to 50 separate findNeighbors() calls per invocation. QueryService.findRelatedEndpoints() now separates the direct-endpoint pass from the neighbor pass, using the new batch method for the latter. Deduplication and connected_via semantics are preserved.
Added 3 unit tests covering: batch usage (verifying findNeighbors is never called), direct endpoint matches, and deduplication.
Co-Authored-By: Paperclip <noreply@paperclip.ing>

…s for search
Store label_lower and fqn_lower on every node during bulkSave() so that case-insensitive search can hit a B-tree index instead of doing a full graph scan with toLower() on both sides of the CONTAINS predicate.
- nodeToProps(): adds label_lower/fqn_lower to the Neo4j property map
- bulkSave(): creates indexes on label_lower and fqn_lower
- EnrichCommand: creates label_lower/fqn_lower indexes alongside kind/layer/module/filePath
- GraphStore.search(text, limit): lowercase input, query against pre-lowered props
- GraphRepository.search(): same query update (SDN path)
- nodeFromNeo4j(): label_lower/fqn_lower implicitly excluded (no prop_ prefix)
All 1459 tests pass.
Co-Authored-By: Paperclip <noreply@paperclip.ing>

…RE and ENDPOINT nodes
Implements RAN-61. GuardLinker uses file-path proximity (same file = match) to infer that guards and middleware in a file protect endpoints in that file. This surfaces security architecture in the graph for Spring @PreAuthorize, @Secured, DjangoAuth, FastAPIAuth, NestJSGuards, and generic middleware nodes.
- 9 unit tests: positive match, middleware, class-level, cross-file negative, no-guards, no-endpoints, duplicate avoidance, null filePath, determinism
- 1468 total tests pass, 0 failures
Co-Authored-By: Paperclip <noreply@paperclip.ing>

…tection
- Add GUARD, MIDDLEWARE, TOPIC, QUEUE, EVENT, MESSAGE_QUEUE to ENTRY_POINT_KINDS so they are never flagged as dead code (they are entry points / cross-cutting concerns)
- Remove invalid 'uses' edge kind from SEMANTIC_EDGE_KINDS (not a valid EdgeKind)
- Add 'protects' to SEMANTIC_EDGE_KINDS so PROTECTS edges from GuardLinker count as semantic usage when determining reachability
- Add two new tests: verifying new entry point kinds are excluded, and verifying 'protects' is included / 'uses' is excluded from semantic edge kinds
Co-Authored-By: Paperclip <noreply@paperclip.ing>


Summary
- `GuardLinker` (`@Component`, `Linker`) groups GUARD and MIDDLEWARE nodes by file path and creates `PROTECTS` edges to ENDPOINT nodes in the same file
- `@PreAuthorize`/`@Secured` (class and method level), Django auth, FastAPI auth, NestJS guards, and Express/Koa middleware — any node with `NodeKind.GUARD` or `NodeKind.MIDDLEWARE`
- `TreeMap`/`TreeSet` for deterministic output per project conventions
- `PROTECTS` edges

Test plan
- `linksGuardToEndpointInSameFile` — basic positive match
- `linksMiddlewareToEndpointInSameFile` — MIDDLEWARE kind covered
- `classLevelGuardProtectsAllEndpointsInSameFile` — one guard → multiple endpoints
- `guardInDifferentFileDoesNotProtectEndpoint` — negative: cross-file guards skipped
- `noGuardsReturnsEmpty` — early-exit path
- `noEndpointsReturnsEmpty` — early-exit path
- `avoidsDuplicateEdges` — pre-existing PROTECTS edge not duplicated
- `nodesWithNullFilePathAreIgnored` — null filePath safety
- `determinismRunTwiceProducesSameResult` — same input → same edge ordering

🤖 Generated with Claude Code
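
A sketch of the same-file heuristic described in this PR, added here as an illustration and not the project's GuardLinker code. It also lists endpoints that end up with no PROTECTS edge, which under a same-file rule means "nothing inferred" rather than "unprotected" (middleware registered in another file is not credited, and one guard in a file is credited to every endpoint in that file). The `Node` and `Edge` records, `link()`, `uncovered()` and the sample graph are assumptions made for the example.

```java
import java.util.*;
// Added illustration: Node, Edge, link() and uncovered() are hypothetical stand-ins.
public class GuardLinkSketch {
    enum Kind { GUARD, MIDDLEWARE, ENDPOINT }
    record Node(String id, Kind kind, String filePath) {}
    record Edge(String from, String to) {}

    // Same file = match: every guard/middleware in a file protects every endpoint in it.
    static SortedSet<Edge> link(List<Node> nodes, Set<Edge> existing) {
        Map<String, List<Node>> guards = new TreeMap<>(), endpoints = new TreeMap<>();
        for (Node n : nodes) {
            if (n.filePath() == null) continue;                  // no path, no proximity signal
            var bucket = n.kind() == Kind.ENDPOINT ? endpoints : guards;
            bucket.computeIfAbsent(n.filePath(), k -> new ArrayList<>()).add(n);
        }
        // Sorted containers keep the output order stable across runs.
        SortedSet<Edge> out = new TreeSet<>(Comparator.comparing(Edge::from).thenComparing(Edge::to));
        for (var e : guards.entrySet())
            for (Node g : e.getValue())
                for (Node ep : endpoints.getOrDefault(e.getKey(), List.of())) {
                    Edge edge = new Edge(g.id(), ep.id());
                    if (!existing.contains(edge)) out.add(edge);  // skip pre-existing PROTECTS
                }
        return out;
    }

    // Endpoints that no PROTECTS edge targets: candidates for manual review.
    static SortedSet<String> uncovered(List<Node> nodes, Set<Edge> protects) {
        SortedSet<String> ids = new TreeSet<>();
        for (Node n : nodes) if (n.kind() == Kind.ENDPOINT) ids.add(n.id());
        for (Edge e : protects) ids.remove(e.to());
        return ids;
    }

    public static void main(String[] args) {
        List<Node> nodes = List.of(   // constructed sample graph
            new Node("guard:admin", Kind.GUARD, "AdminController.java"),
            new Node("ep:GET /admin/users", Kind.ENDPOINT, "AdminController.java"),
            new Node("ep:GET /admin/health", Kind.ENDPOINT, "AdminController.java"),
            new Node("mw:global-auth", Kind.MIDDLEWARE, "app.js"),
            new Node("ep:GET /orders", Kind.ENDPOINT, "routes/orders.js"),
            new Node("ep:generated", Kind.ENDPOINT, null));
        SortedSet<Edge> edges = link(nodes, Set.of());
        edges.forEach(e -> System.out.println(e.from() + " -PROTECTS-> " + e.to()));
        System.out.println("no PROTECTS edge: " + uncovered(nodes, edges));
    }
}
```

Run it with `java GuardLinkSketch.java` on Java 16 or later (records are required).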