Summary
Complete the remaining Phase 3c attack graph polish: runtime FixKind mutation simulation, inventory multi-server graph layer, and default-on counterfactual/compression export.
Problem
After the initial Phase 3c PR, three plan items were still open:
- FixKind registry mutates blocks were descriptive only (no graph mutation engine)
- Inventory multi-server graph was not started
- Counterfactuals and UI compression required opt-in CLI flags
Expected Behavior
- Applying a FixKind from the registry mutates a graph copy and re-runs template matching to report which fixes eliminate a chain
- Scans with fleet inventory (≥2 servers) attach an inventory graph layer with cross-server toxic-flow edges (W015/W016)
- Counterfactual remediation and path compression are on by default; --no-attack-graph-counterfactuals and --no-attack-graph-compress-ui opt out
Evidence
src/mcts/scoring/graph_mutate.py — apply_fix_kind, simulate_fixes_for_template
src/mcts/scoring/graph_inventory.py — attach_inventory_layer
src/mcts/scoring/graph_counterfactual.py — fix_simulation / effective_fixes on paths
src/mcts/core/config.py — defaults flipped to True
tests/scoring/test_graph_phase_3c.py — 14 tests
Impact
Operators get actionable counterfactual fix simulation and fleet-wide graph context without extra flags; closes Phase 3c before Phase 4 runtime validation.
Recommendation
Merge PR #284 to develop after CI green.
Remediation Steps
- Review graph_mutate registry operations (add_edge, set_reachability, remove_node, remove_nodes)
- Verify inventory-layer edges on multi-server scans
- Confirm dashboard/report export includes counterfactual simulation payload
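A sketch of the fix simulation described under Expected Behavior, added here as an illustration and not taken from the project's code: each fix is applied to a copy of the graph and the chain template is re-checked. The function names echo those listed under Evidence, but their signatures, the graph shape, the node names and the fix names are all assumptions; only the four operation names come from this page.

```python
import copy
from collections import deque

GRAPH = {  # constructed sample graph; every node starts reachable
    "nodes": {n: {"reachable": True} for n in (
        "untrusted_input", "fetch_tool", "fs_read_tool", "http_post_tool")},
    "edges": {("untrusted_input", "fetch_tool"), ("fetch_tool", "fs_read_tool"),
              ("fs_read_tool", "http_post_tool")},
}
TEMPLATE = ("untrusted_input", "http_post_tool")  # (source, sink) of the chain
FIX_KINDS = {  # hypothetical registry: fix name -> list of mutation ops
    "disable_http_post": [("remove_node", "http_post_tool")],
    "sandbox_fs_read": [("set_reachability", "fs_read_tool", False)],
    "drop_io_tools": [("remove_nodes", ["fetch_tool", "fs_read_tool"])],
    "add_audit_log": [("add_edge", "http_post_tool", "audit_log")],
}

def apply_fix_kind(graph, ops):
    """Apply mutation ops to a deep copy; the caller's graph is never modified."""
    g = copy.deepcopy(graph)
    for op, *args in ops:
        if op == "add_edge":
            g["nodes"].update({n: {"reachable": True} for n in args if n not in g["nodes"]})
            g["edges"].add(tuple(args))
        elif op == "set_reachability":
            g["nodes"][args[0]]["reachable"] = args[1]
        elif op in ("remove_node", "remove_nodes"):
            gone = set(args[0]) if op == "remove_nodes" else {args[0]}
            g["nodes"] = {n: a for n, a in g["nodes"].items() if n not in gone}
            g["edges"] = {e for e in g["edges"] if not gone & set(e)}
        else:
            raise ValueError(f"unknown mutation op: {op}")
    return g

def template_matches(graph, template):
    """True if the sink is still reachable from the source via reachable nodes."""
    src, sink = template
    live = {n for n, attrs in graph["nodes"].items() if attrs["reachable"]}
    seen, queue = {src} & live, deque([src] if src in live else [])
    while queue:
        cur = queue.popleft()
        for a, b in graph["edges"]:
            if a == cur and b in live and b not in seen:
                seen.add(b)
                queue.append(b)
    return sink in seen

def simulate_fixes_for_template(graph, template, registry):  # fix -> eliminated?
    return {name: not template_matches(apply_fix_kind(graph, ops), template)
            for name, ops in registry.items()}
```

In this constructed case the audit-log fix only adds an edge past the sink, so it is reported as not eliminating the chain, while the other three are.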
References
- local/new_plan/referred_implementation_plan.md)
Acceptance Criteria
- mutates applied at runtime with template elimination simulation
- tests/scoring/test_graph_phase_3c.py and full suite (842) pass
- --strict