feat(ui): replace D3+Dagre attack path graph with React Flow

[pfe-nazaries]

🚀 Feature Complete - Chained PRs

This PR merges the PROWLER-1273/react-flow-migration feature branch.

Included PRs

#	PR	Sub-task	Jira	Status
0	#10701	Normalize data types and remove dead state	PROWLER-1373	🟢 Merged
1	#10705	Replace D3 rendering with React Flow + Dagre layout	PROWLER-1374	🟢 Merged
2	#10756	Implement graph interactions and filtered view (MVP)	PROWLER-1375	🟢 Merged
3	#10800	Restore export, adapt fullscreen, add minimap	PROWLER-1376	🟢 Merged
4	#10970	Add automated test coverage with Vitest Browser & Harness	PROWLER-1405	🟢 Merged
5	#11010	Auto-fit viewport on filter/expand and harden minimap	PROWLER-1273	🟡 Open

Legend: 🟢 Merged | 🟡 Open | 🔴 Changes Requested | 🔵 In Progress | ⚪ Pending

MVP milestone: After PR2, the graph is fully functional except export.
Phase 1 complete: After PR3.
Hardening complete: After PR4 (automated test coverage).
Polish complete: After PR5 (review-driven viewport and minimap fixes).

Dependency Diagram

         ┌──────────────────────────┐
         │ PR0: Normalize data      │ ← #10701 🟢
         └────────────┬─────────────┘
                      │
         ┌────────────▼─────────────┐
         │ PR1: React Flow core     │ ← #10705 🟢
         │   rendering              │
         └────────────┬─────────────┘
                      │
         ┌────────────▼─────────────┐
         │ PR2: Interactions        │ ← #10756 🟢
         │   🎯 MVP                 │
         └────────────┬─────────────┘
                      │
         ┌────────────▼─────────────┐
         │ PR3: Export + Minimap    │ ← #10800 🟢
         │   ✅ Phase 1 complete    │
         └────────────┬─────────────┘
                      │
         ┌────────────▼─────────────┐
         │ PR4: Test coverage       │ ← #10970 🟢
         │   🛡️ Hardening complete  │
         └────────────┬─────────────┘
                      │
         ┌────────────▼─────────────┐
         │ PR5: Auto-fit + minimap  │ ← #11010 🟡
         │   ✨ Polish complete     │
         └────────────┬─────────────┘
                      │
         ┌────────────▼─────────────┐
         │  📍 THIS PR              │
         │   → master               │
         └──────────────────────────┘

---

Context

The Attack Path graph is currently a 1,173-line imperative D3 component that bypasses React reconciliation entirely. This feature branch migrates it to React Flow (@xyflow/react v12), the de-facto standard for graph visualization in React.

The migration is Phase 1 of the RFC: drop-in replacement achieving feature parity plus minimap, with PR4 adding automated test coverage as a hardening step and PR5 absorbing review-driven polish on viewport behavior and minimap visibility. Phase 2 (edge labels, node grouping, multi-select) will follow in a separate initiative.

Technical design: openspec/changes/react-flow-migration/ contains the full proposal, design, specs, and task breakdown.

---

Description

Key Changes:

Rendering

• Replace D3 imperative SVG with React Flow declarative components
• Three custom node types: FindingNode (hexagon), ResourceNode (pill), InternetNode (globe)
• Dagre layout via @dagrejs/dagre (maintained fork)
• Built-in minimap with high-contrast viewport indicator on the dark theme (PR5)

Interactions

• Node selection, two-tier click, filtered view with re-layout
• Path highlight on hover
• Ctrl+scroll zoom preserved
• initialNodeId support for reusable component
• Auto-fit on filter enter/exit and on resource expansion when revealed findings fall off-screen, with asymmetric padding so fitted nodes never land underneath the minimap (PR5)

Export

• PNG export via modern-screenshot + React Flow's getViewportForBounds() (replaces broken XMLSerializer approach)
• JSON export preserved as-is

Cleanup

• Remove deprecated dagre package (keep d3 — used by geo map components)
• Remove dead state fields from Zustand store
• Normalize GraphEdge.source/target type

Testing (PR4 + PR5)

• Vitest Browser mode with Playwright provider (jsdom insufficient for React Flow DOM layout and image export via Canvas API)
• Single-file AttackPathPageHarness co-located with AttackPathsPage — tests never import @testing-library directly
• MSW handlers for Prowler API mocking; real server actions run through them
• Coverage for every spec scenario plus variants, intermediate flows, edge cases, regressions, and the new auto-fit behaviors

---

Steps to review

1. Review individual chained PRs first (linked in table above)
2. Verify visual parity: graph renders with same layout, colors, and shapes
3. Test all interactions: click, filtered view, hover highlight, zoom/pan
4. Test export: PNG download with correct bounds
5. Test fullscreen: render, controls, export, node detail side-by-side
6. Verify auto-fit: clicking findings, Back to Full View, and expanding resources off-screen all re-fit; collapse and minor expansions do not
7. Run pnpm test:browser in ui/ — verify the page-level suite passes

---

Checklist

Community Checklist

• This feature/issue is listed in here or roadmap.prowler.com
• Is it assigned to me, if not, request it via the issue/feature in here or Prowler Community Slack

• Review if the code is being covered by tests.
• Review if code is being documented following this specification https://github.com/google/styleguide/blob/gh-pages/pyguide.md#38-comments-and-docstrings
• Review if backport is needed.
• Review if is needed to change the Readme.md
• Ensure new entries are added to CHANGELOG.md, if applicable.

UI

• All issue/task requirements work as expected on the UI
• Screenshots/Video of the functionality flow (if applicable) - Mobile (X < 640px)
• Screenshots/Video of the functionality flow (if applicable) - Table (640px > X < 1024px)
• Screenshots/Video of the functionality flow (if applicable) - Desktop (X > 1024px)
• Ensure new entries are added to CHANGELOG.md, if applicable.

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[github-actions]

✅ All necessary CHANGELOG.md files have been updated.

[github-actions]

✅ Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.

[github-actions]

🔒 Container Security Scan

Image: prowler:776b7b5
Last scan: 2026-05-05 12:32:31 UTC

📊 Vulnerability Summary

Severity	Count
🔴 Critical	5
Total	5

5 package(s) affected

⚠️ Action Required

Critical severity vulnerabilities detected. These should be addressed before merging:

• Review the detailed scan results
• Update affected packages to patched versions
• Consider using a different base image if updates are unavailable

---

📋 Resources:

• Download full report (see artifacts)
• View in Security tab
• Scanned with Trivy

[github-actions]

🔒 Container Security Scan

Image: prowler-ui:a192ea2
Last scan: 2026-05-05 12:42:52 UTC

📊 Vulnerability Summary

Severity	Count
🔴 Critical	2
Total	2

2 package(s) affected

⚠️ Action Required

Critical severity vulnerabilities detected. These should be addressed before merging:

• Review the detailed scan results
• Update affected packages to patched versions
• Consider using a different base image if updates are unavailable

---

📋 Resources:

• Download full report (see artifacts)
• View in Security tab
• Scanned with Trivy