Goal
Add a ProofPath integration concept where code graph / blast-radius analysis becomes evidence for action-level security decisions.
Inspired by GitNexus-style code intelligence: before an AI agent performs a code, CI/CD, deploy, database, or infrastructure action, ProofPath should be able to consume impact evidence such as affected symbols, routes, modules, consumers, or risk level.
Core idea
AI agent proposes code or deploy action
-> code graph / impact analyzer estimates blast radius
-> ProofPath receives action context + impact evidence
-> high-impact action without approval is held or blocked
-> accepted/blocked decision is written to the audit log
Short line:
Code impact becomes action evidence.
Russian framing:
Влияние изменения в коде становится доказательством для решения о выполнении.
Why this matters
AI coding agents can make changes that look locally valid but have broad downstream impact:
- modify shared symbols;
- change public APIs;
- break route contracts;
- affect multiple consumers;
- change deployment or CI/CD behavior;
- alter database migrations;
- change security-sensitive modules;
- touch payment, auth, trading, or production code paths.
A valid GitHub token or CI credential does not mean the proposed code/deploy action is safe in context.
Proposed evidence shape
{
"evidence_type": "code_impact",
"risk_level": "HIGH",
"affected_symbols": 12,
"affected_routes": 4,
"affected_consumers": 7,
"touches_security_sensitive_code": true,
"touches_production_deploy_path": true,
"requires_maintainer_approval": true
}ProofPath decision examples
LOW impact + reversible + scoped action -> ACCEPT
HIGH impact + no approval -> HOLD or BLOCK
CRITICAL impact + production path + no approval -> BLOCK
HIGH impact + explicit maintainer approval -> ACCEPT or AUDIT
Possible integration points
- GitNexus-style code graph output;
- static analysis tools;
- dependency graph analyzers;
- API route impact mapping;
- CI/CD diff classifiers;
- migration impact analyzers;
- security-sensitive path detectors.
Deliverables
Acceptance criteria
- The demo is simulated and does not require a real GitNexus installation.
- The evidence format is implementation-neutral.
- The docs clearly separate impact analysis from enforcement.
- The project does not claim to solve code correctness by itself.
- The integration strengthens the full-lifecycle AI agent safety stack positioning.
Related
Goal
Add a ProofPath integration concept where code graph / blast-radius analysis becomes evidence for action-level security decisions.
Inspired by GitNexus-style code intelligence: before an AI agent performs a code, CI/CD, deploy, database, or infrastructure action, ProofPath should be able to consume impact evidence such as affected symbols, routes, modules, consumers, or risk level.
Core idea
Short line:
Russian framing:
Why this matters
AI coding agents can make changes that look locally valid but have broad downstream impact:
A valid GitHub token or CI credential does not mean the proposed code/deploy action is safe in context.
Proposed evidence shape
{ "evidence_type": "code_impact", "risk_level": "HIGH", "affected_symbols": 12, "affected_routes": 4, "affected_consumers": 7, "touches_security_sensitive_code": true, "touches_production_deploy_path": true, "requires_maintainer_approval": true }ProofPath decision examples
Possible integration points
Deliverables
docs/code-impact-evidence.md.code_impactevidence shape.examples/code-impact-gate/.ACCEPT.BLOCKorHOLD.ACCEPTorAUDIT.Acceptance criteria
Related