jordan/stemedb
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
main
stemedb/applications/aphoria/uat/future-scenarios.md
jordan 41c676a78e feat: Aphoria enterprise features + ontology SDK + file length compliance 
Enterprise Features:
- Hosted mode with remote sync for team pattern aggregation
- Community sharing with privacy-preserving anonymization
- LLM-based semantic claim extraction with Gemini integration
- Pattern learning with promotion to declarative extractors
- High-entropy secrets extractor with configurable thresholds
- Auth bypass and insecure cookies extractors

Module Refactoring:
- Split oversized files to comply with 500-line limit
- Config split: types/core.rs, types/extractors.rs, types/hosted.rs, etc.
- Handlers split: scan.rs, policy.rs, report.rs modules
- Extractors split: declarative/, high_entropy_secrets/, insecure_cookies/
- Learning split: store modules with metrics and persistence

SDK & Ontology:
- stemedb-ontology SDK with fluent builders and StemeDB client
- Pharma domain extractors for FDA Orange Book data
- Consumer health UAT test infrastructure

Code Quality:
- Fixed clippy warnings (needless_borrows_for_generic_args)
- Added KVStore trait imports where needed
- Fixed utoipa path re-exports for OpenAPI docs

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-05 12:55:29 -07:00

140 lines
3.9 KiB
Markdown
Raw Permalink Blame History

# Future UAT Scenarios
Scenarios tested and deferred, with actual results from 2026-02-05 testing.
---
## Scenario: Multi-Pack Conflict Resolution
**Status:** TESTED - Current behavior documented
**Priority:** Medium
**Trigger:** When enterprises need to combine policies from multiple sources
### User Story
> As a compliance officer, when Pack A (Security Team) says TLS 1.2 and Pack B (Vendor Compliance) says TLS 1.3, I need to see both conflicting policies and understand how to resolve them.
### Test Results (2026-02-05)
**Script:** `uat/scripts/test-multi-pack-conflict.sh`
**Findings:**
- Both packs import successfully
- **Second import OVERWRITES the first** (same subject key in PackSourceStore)
- Both assertions exist in storage (content-addressed = different hashes for different values)
- But policy_source only shows the LAST imported pack
**Example Output:**
```json
{
"sources": [
{
"path": "code://standard/tls/min_version",
"policy_source": {
"pack_name": "Compliance-Team", // <- Only last pack shows
"pack_version": "0.1.0"
},
"value": 1.2
},
{
"path": "code://standard/tls/min_version",
"policy_source": {
"pack_name": "Compliance-Team", // <- Same, even though first was Security-Team
"pack_version": "0.1.0"
},
"value": 1.3
}
]
}
```
**Current Behavior:** Last imported pack wins for policy_source attribution.
### Future Enhancement (if needed)
- [ ] Store multiple pack sources per subject (append, not overwrite)
- [ ] Show all contributing packs in conflict report
- [ ] Add `pack_priority` field to control precedence
- [ ] Support pack composition (extend other packs)
---
## Scenario: Pack Version Update
**Status:** PASS - Working correctly
**Priority:** Medium
### User Story
> As a security lead, when I update our standards pack from v1.0 to v2.0, I need the attribution to update so teams know they're running against current policy.
### Test Results (2026-02-05)
**Script:** `uat/scripts/test-pack-version-update.sh`
**Results:** 6/6 tests passed
| Test | Status |
|------|--------|
| Create v1.0 pack | PASS |
| Import v1.0 | PASS |
| v1.0 attribution shown | PASS |
| Create v2.0 pack | PASS |
| Import v2.0 | PASS |
| v2.0 attribution shown | PASS |
| v1.0 no longer appears | PASS |
**Conclusion:** Pack version updates work correctly. Importing v2.0 supersedes v1.0.
---
## Scenario: Predicate Aliases
**Status:** NOT IMPLEMENTED - Deferred
**Priority:** Low
**Trigger:** Based on enterprise feedback showing predicate naming conflicts
### User Story
> As a security architect, when my policy uses `required=true` but the extractor emits `enabled=true`, I need them to match semantically.
### Implementation Plan (when needed)
1. Add `predicate_aliases` field to Trust Pack schema
2. Update ConceptIndex to check aliases during lookup
3. Consider default aliases: `enabled``required``mandatory``enforced`
---
## Scenario: Pack Signing Key Rotation
**Status:** NOT IMPLEMENTED - Deferred
**Priority:** Low
**Trigger:** Security key management requirements
### User Story
> As a security admin, when our signing key is rotated, I need to re-sign all packs without losing policy content.
### Implementation Plan (when needed)
1. Add `aphoria policy resign` command
2. Preserve pack content hash
3. Update signature with new key
4. Audit log for key rotation
---
## Test Scripts
| Script | Scenario | Status |
|--------|----------|--------|
| `test-enterprise-workflow.sh` | Basic Trust Pack workflow | PASS (12/12) |
| `test-multi-pack-conflict.sh` | Multiple packs, same concept | PASS (7/7) - documents current behavior |
| `test-pack-version-update.sh` | Pack version supersession | PASS (6/6) |
---
## Feedback Collection
Enterprise feedback on these scenarios should be tracked in:
- GitHub Issues with label `enterprise-feedback`
- Internal `#aphoria-enterprise` channel
---
*Last updated: 2026-02-05*
Reference in New Issue View Git Blame Copy Permalink