Security Graph
Expose effective policy and high-risk findings before an agent acts.
Policy before action
query {
summary: gj_security(id: "summary") {
mode
summary
summary_json
}
findings: gj_security(where: { severity: { in: ["high", "critical"] } }) {
severity
title
recommendation
evidence_json
}
}gj_security is designed for both humans and models. It explains effective capabilities, read-only state, weak defaults, and recommendations before sensitive actions.
Security rows are also source-aware. In source mode, the graph can report capabilities from the central registry, access policy classifications, root permissions, config scan findings, and runtime denial events.
Verified by
TestGraphQLControlPlaneSecurityReportsSourceAccessPolicy
serv/control_plane_graphql_test.go:736Verified by
TestSecurityNanoRowsCoverSourceCapabilityRegistry
serv/control_plane_graphql_test.go:1540Typical use
Ask the security graph before:
- Running mutations.
- Executing workflows.
- Applying source edits.
- Updating config.
- Accessing filesystems or code indexes.
Verified by
TestSourceModeHTTPRuntimeDenialEventsAreRedacted
serv/source_mode_http_test.go:113Filter by kind or severity
query {
capabilities: gj_security(where: { kind: { eq: "capability" } }) {
source
name
severity
recommendation
}
critical: gj_security(where: { severity: { in: ["high", "critical"] } }) {
title
evidence_json
recommendation
}
}Use this before a model requests gj_config, gj_workflow_execution, CodeSQL writes, filesystem writes, schema changes, or raw mutation execution.