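# Aphoria Configuration for dbpool Dogfood Project
# Purpose: Demonstrate persistent mode with pattern learning (flywheel)

[project]
name = "dbpool"
version = "0.1.0"

[scan]
# Include all Rust source files
include = ["src/**/*.rs"]
# Exclude test files and build artifacts from scanning.
# Only the top-level tests/ tree is excluded; test modules and fixtures that
# live under src/ are still scanned and can trigger the extractors below.
exclude = ["tests/**/*.rs", "target/**"]

[episteme]
# CRITICAL: Use persistent mode (not ephemeral) for pattern learning
# This enables the flywheel - pattern aggregation across scans
mode = "persistent"
# Corpus database location (matches API's STEMEDB_CORPUS_DB_DIR).
# Absolute path under one user's home directory: TOML performs no `~` or
# environment-variable expansion, so edit this per machine.
corpus_db = "/home/jml/.aphoria/corpus-db"

[corpus]
# Enable pattern aggregation (flywheel mechanism)
aggregation_enabled = true
# Include all corpus sources
include_rfc = true     # RFC normative statements
include_owasp = true   # OWASP cheat sheets (our security claims)
include_vendor = true  # Vendor docs (our HikariCP/PostgreSQL claims)
use_community = true   # Community-learned patterns
# Cache directory for downloaded sources (user-specific absolute path, as above)
cache_dir = "/home/jml/.aphoria/cache"

# ============================================================================
# EXTRACTORS CONFIGURATION
# ============================================================================
# By default, all 42 built-in extractors run (security patterns: TLS, secrets,
# injection, timeouts, etc.). For custom patterns (struct fields, library APIs),
# add declarative extractors below.
#
# See docs/CUSTOM-EXTRACTOR-GUIDE.md for creating custom extractors.
# ============================================================================

[extractors]

[extractors.inline_markers]
# Enable @aphoria:claim comments
enabled = true
sync_to_pending = true

# ============================================================================
# CUSTOM DECLARATIVE EXTRACTORS
# ============================================================================
# These detect the 7 intentional violations in the dbpool implementation

# VIOLATION 1: Unbounded max_connections (Option instead of required)
# Authority: vendor://dbpool/max_connections, required: true
[[extractors.declarative]]
name = "dbpool_max_connections_optional"
description = "Detects Option for max_connections (should be required field)"
languages = ["rust"]
pattern = 'pub\s+max_connections:\s+Option<(?:usize|u64|u32)>'

[extractors.declarative.claim]
subject = "vendor://dbpool/max_connections"
predicate = "required"
value = "false"  # Code has it as Option (NOT required) - conflicts with authority's "true"
confidence = 0.92
source = "dogfood"

# VIOLATION 2: Plaintext password in connection string
# Authority: owasp://dbpool/connection_string/password, must_not_be: "plaintext"
#
# The scheme alternation covers both URI spellings PostgreSQL clients accept
# (postgres:// and postgresql://); matching only the short form would let the
# long form slip past the check.
# Limitation: format-string placeholders such as "postgres://{}:{}@{}" also
# match, so a hit means "the credential position is populated in source", not
# necessarily that a literal secret is present.
# NOTE(review): the capture group isolates the password itself. With
# persistent mode and aggregation enabled above, confirm that matched text is
# not written to the corpus DB; only the static claim below should be stored.
[[extractors.declarative]]
name = "dbpool_plaintext_password"
description = "Detects plaintext passwords in connection strings"
languages = ["rust"]
pattern = 'postgres(?:ql)?://[^:]+:([^@]+)@'  # Matches user:password@host

[extractors.declarative.claim]
subject = "owasp://dbpool/connection_string/password"
predicate = "is"
value = "plaintext"  # Code uses plaintext - conflicts with must_not_be
confidence = 0.85
source = "dogfood"

# VIOLATION 3: Missing max_lifetime (Option instead of required)
# Authority: vendor://dbpool/max_lifetime, required: true
[[extractors.declarative]]
name = "dbpool_max_lifetime_optional"
description = "Detects Option for max_lifetime (should be required)"
languages = ["rust"]
pattern = 'pub\s+max_lifetime:\s+Option'

[extractors.declarative.claim]
subject = "vendor://dbpool/max_lifetime"
predicate = "required"
value = "false"  # Code has it as Option (NOT required) - conflicts with authority's "true"
confidence = 0.90
source = "dogfood"

# VIOLATION 4: Excessive connection_timeout (60s exceeds 30s max)
# Authority: vendor://dbpool/connection_timeout, maximum: "30"
#
# The numeric alternation matches 31-39, 40-99 and any value of three or more
# digits, i.e. every whole-second literal above the 30 s maximum. Starting the
# range at 60 would leave 31-59 undetected even though they exceed the limit.
# Only Duration::from_secs literals on the same line as `connection_timeout`
# are covered; other constructors or named constants are not.
[[extractors.declarative]]
name = "dbpool_excessive_timeout"
description = "Detects connection_timeout > 30 seconds"
languages = ["rust"]
pattern = 'connection_timeout.*Duration::from_secs\((3[1-9]|[4-9][0-9]|[1-9][0-9]{2,})\)'

[extractors.declarative.claim]
subject = "vendor://dbpool/connection_timeout"
predicate = "exceeds_max"
value = "true"  # Code exceeds max - signals violation
confidence = 0.88
source = "dogfood"

# VIOLATION 5: Zero min_connections (should be >= 2)
# Authority: vendor://dbpool/min_connections, minimum: "2"
# Only the literal 0 is matched; a value of 1 is also below the minimum of 2
# and is not reported by this pattern.
[[extractors.declarative]]
name = "dbpool_min_connections_zero"
description = "Detects min_connections set to 0 (should be >= 2)"
languages = ["rust"]
pattern = 'min_connections:\s*0\s*,'

[extractors.declarative.claim]
subject = "vendor://dbpool/min_connections"
predicate = "value"
value = "0"  # Code has 0 - conflicts with minimum 2
confidence = 0.85
source = "dogfood"

# VIOLATION 6: No connection validation before checkout
# Authority: vendor://dbpool/validation/frequency, required: "on_checkout"
# The pattern matches the checkout statement itself, not the absence of an
# is_valid() call, so it keeps firing after validation is added around it.
# NOTE(review): confidence 0.75 is above block_threshold (0.7); confirm how
# confidence feeds the conflict score before relying on this as a blocker.
[[extractors.declarative]]
name = "dbpool_missing_validation"
description = "Detects missing is_valid() call in get() method"
languages = ["rust"]
pattern = 'if let Some\(conn\) = conns\.pop_front\(\)'

[extractors.declarative.claim]
subject = "vendor://dbpool/validation/frequency"
predicate = "required"
value = "false"  # Code doesn't validate - conflicts with required: "on_checkout"
confidence = 0.75  # Lower confidence - pattern is complex
source = "dogfood"

# VIOLATION 7: No metrics field in ConnectionPool struct
# Authority: vendor://dbpool/metrics/enabled, recommended: true
# The pattern matches the struct declaration whether or not a metrics field
# exists, so this claim is emitted for every ConnectionPool definition.
[[extractors.declarative]]
name = "dbpool_missing_metrics"
description = "Detects ConnectionPool struct without metrics field"
languages = ["rust"]
pattern = 'pub struct ConnectionPool \{'

[extractors.declarative.claim]
subject = "vendor://dbpool/metrics/enabled"
predicate = "recommended"
value = "false"  # Code doesn't have metrics - conflicts with recommended: "true"
confidence = 0.65  # Lower confidence - detects absence, which is harder
source = "dogfood"

# Thresholds for conflict severity verdicts
[thresholds]
block_threshold = 0.7  # Conflict score >= 0.7 → BLOCK (critical violations)
flag_threshold = 0.5   # Conflict score >= 0.5 → FLAG (warnings)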