feat: custom deny aces count property

[JonasBK]

Description

Adds two new Active Directory node properties to the graph schema:

• CustomExplicitDenyAcesCount / customexplicitdenyacescount
• CustomInheritedDenyAcesCount / custominheriteddenyacescount

The properties are registered in the AD CUE schema and exposed through the generated schema bindings for Go, C#, and TypeScript, including frontend display labels:

• Custom Explicit Deny ACEs Count
• Custom Inherited Deny ACEs Count

Motivation and Context

These properties allow AD nodes to represent counts of custom explicit and inherited deny ACEs in the schema so collectors, APIs, and UI consumers can reference them consistently by canonical property names.

This PR addresses: BED-8117

Related PRs:

SharpHoundCommon: SpecterOps/SharpHoundCommon#298
SharpHound: SpecterOps/SharpHound#218
SharpHoundEnterprise: https://github.com/SpecterOps/sharphound-enterprise/pull/113

How Has This Been Tested?

Tested locally.

Screenshots (optional):

Types of changes

• New feature (non-breaking change which adds functionality)

Checklist:

• I have met the contributing prerequisites
  • Assigned myself to this PR
  • Added the appropriate labels
  • Associated an issue: Issues and Pull Requests README #672
  • Read the Contributing guide: https://github.com/SpecterOps/BloodHound/wiki/Contributing
• I have ensured that related documentation is up-to-date
  • Open API docs
  • Code comments (GoDocs / JSDocs)
• I have followed proper test practices
  • Added/updated tests to cover my changes
  • All new and existing tests passed

Summary by CodeRabbit

• New Features
  • Added support for two new Active Directory properties: Custom Explicit Deny ACEs Count and Custom Inherited Deny ACEs Count, now available across the platform for querying and display.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: c9c90d6a-4a76-469d-85f1-30ed4e17c0c5

📥 Commits

Reviewing files that changed from the base of the PR and between 84a7a66 and 34ec8a3.

📒 Files selected for processing (4)

• packages/csharp/graphschema/PropertyNames.cs
• packages/cue/bh/ad/ad.cue
• packages/go/graphschema/ad/ad.go
• packages/javascript/bh-shared-ui/src/graphSchema.ts

---

📝 Walkthrough

Walkthrough

Two new Active Directory properties are introduced across all schema language bindings: CustomExplicitDenyAcesCount and CustomInheritedDenyAcesCount. The changes add property definitions in the Cue schema, enum constants and full wiring in Go, enum entries and display mappings in JavaScript, and property name constants in C#.

Changes

Custom Deny ACE Count Properties

Layer / File(s)	Summary
Cue schema definitions packages/cue/bh/ad/ad.cue	Defines CustomExplicitDenyAcesCount and CustomInheritedDenyAcesCount as string enum properties with full metadata, and registers both properties in the exported Properties array.
Go property enum and wiring packages/go/graphschema/ad/ad.go	Adds two new Property constants and integrates them into ParseProperty(), AllProperties(), String(), and Name() to enable parsing, enumeration, and string representation throughout the property system.
JavaScript enum and display mapping packages/javascript/bh-shared-ui/src/graphSchema.ts	Adds the two properties to ActiveDirectoryKindProperties enum and extends ActiveDirectoryKindPropertiesToDisplay to return human-readable display strings for UI rendering.
C# PropertyNames constants packages/csharp/graphschema/PropertyNames.cs	Adds two public static string constants mapping the property names to their lowercase schema representations for .NET integration.

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly summarizes the main change: adding new AD properties for deny ACEs count to the graph schema.
Description check	✅ Passed	The PR description comprehensively covers all required sections: detailed change description, clear motivation/context with ticket reference, testing approach, change type, and completed checklist items.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch BED-8117-deny-aces

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}