Skill

reach-awareness

Post-filters vuln-detector findings by call-graph reachability from an entrypoint, so operators triage exploitable vulns first and dead-code or vendored-library hits last. Use when the developer wants to triage a vuln-detector audit.jsonl, runs /hydra:reach, asks "which of these findings are actually reachable?", or references Snyk/CodeQL/Semgrep reachability as a reference baseline. Currently scaffolded; full integration is blocked on lich exporting a persisted call-graph artifact — in graph-absent mode, every finding is preserved with reachable=null. Do not use for raw vuln scanning (see vuln-detector) or for first-pass CWE classification (see audit-trail).

Popularity

Parent stars

Invocation

How this skill is triggered — by the user, by Claude, or both

Slash command

/hydra-reach-filter:reach-awareness

User invocable

Model invocable

Inline context

Default effort

Configuration

Modelhaiku

Tool Access

This skill is limited to the following tools:

ReadBash

Context Preview

The summary Claude sees in its skill listing — used to decide when to auto-load this skill

- `vuln-detector` has run and produced `state/audit.jsonl` with at least

SKILL.md

71 lines · ~752 tokens

Stats

LanguagePython

Parent stars1

MaintenanceFair

Last CommitMay 6, 2026

Actions

View Source View Plugin View on GitHub View README

Stats

Actions

reach-awareness

Preconditions

vuln-detector has run and produced state/audit.jsonl with at least one vuln_detected event.
A call-graph artifact at the schema documented in this plugin's README.md exists (or the operator accepts graph-absent mode, where every finding is passed through with reachable=null).

Inputs

Flag	Default	Meaning
`--audit`	`../vuln-detector/state/audit.jsonl`	Source of `vuln_detected` events
`--graph`	(none)	Path to call-graph JSON; absent = graph-absent mode
`--out`	`state/reach-filtered.jsonl`	Output path

Steps

Read the audit file with Read. Confirm at least one row has event == "vuln_detected".
Check whether --graph resolves to an existing file. If not, run in graph-absent mode and document the reason in the summary stderr line.
Run python scripts/reach-filter.py with the resolved flags. Stream stdout/stderr; the summary line on stderr is the human-readable verdict.
If the operator asks about a specific finding, run python scripts/explain-reach.py --finding-id <id>.

Outputs

state/reach-filtered.jsonl — one JSON object per input finding, plus reachable, distance_from_entry, path.
Summary line on stderr in the form: vuln-detector raw=N | reachable=M | filtered_unreachable=N-M

Handoff

The filtered output is what an operator hands to triage. The raw vuln-detector audit.jsonl remains the source of truth — this plugin is advisory.

Failure modes

F02 — claiming a finding is unreachable without a real graph. Counter: in graph-absent mode, reachable MUST be null, never false.
F08 — using grep/find to walk the audit file. Counter: stdlib json per line; the file is JSONL by contract.
F14 — call-graph schema drift between lich and this plugin. Counter: validate the graph against the README schema before BFS; on mismatch, abort with a non-zero exit and a diagnostic on stderr.

reach-awareness

Popularity

Invocation

Configuration

Tool Access

Context Preview

SKILL.md

reach-awareness

Popularity

Invocation

Configuration

Tool Access

Context Preview

SKILL.md

reach-awareness

Preconditions

Inputs

Steps

Outputs

Handoff

Failure modes

Similar Skills

reach-awareness

Preconditions

Inputs

Steps

Outputs

Handoff

Failure modes

Similar Skills