jordan/stemedb
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
0ece696f5d
stemedb/applications/aphoria-pitch/index.html
jordan 9698e63702 docs: fix Aphoria pitch materials based on skeptical buyer review 
Demo script & slides:
- Update speed claims from "0.25s" to "<100ms staged, <1s full"
- Fix CLI output mockups to match actual Aphoria table.rs format
- Remove fake --approver and --expires flags from ack examples
- Remove non-existent "Contact: #security-policy" field
- Update ACK output to describe summary table behavior accurately

Roadmap additions (Phase 10):
- 10.1 Acknowledgment Expiry: --expires flag with duration/ISO date
- 10.2 Human-Readable Signer Names: signer_name + contact in PackHeader
- 10.3 Speed Benchmarks: aphoria scan --benchmark self-test

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-06 16:56:19 -07:00

360 lines
14 KiB
HTML
Raw Blame History

<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Aphoria - Code-Level Truth Linting</title>
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/reveal.js@5.1.0/dist/reset.css">
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/reveal.js@5.1.0/dist/reveal.css">
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/reveal.js@5.1.0/dist/theme/night.css">
<style>
:root {
--r-background-color: #0f0f14;
--r-main-color: #e4e4e7;
--r-heading-color: #a1a1aa;
--r-link-color: #60a5fa;
--r-selection-background-color: #27272a;
--r-main-font-size: 32px;
}
.reveal {
font-size: var(--r-main-font-size);
}
.reveal h1 {
font-size: 2.2em;
font-weight: 500;
color: #fafafa;
text-transform: none;
letter-spacing: -0.02em;
}
.reveal h2 {
font-size: 1.6em;
font-weight: 500;
color: #fafafa;
text-transform: none;
letter-spacing: -0.01em;
margin-bottom: 0.8em;
}
.reveal h3 {
font-size: 1.2em;
font-weight: 500;
color: #a1a1aa;
text-transform: none;
}
.reveal p {
font-size: 0.95em;
line-height: 1.5;
color: #d4d4d8;
}
.reveal .highlight {
color: #fbbf24;
}
.reveal .muted {
color: #71717a;
}
.reveal .negative {
color: #f87171;
}
.reveal .positive {
color: #4ade80;
}
.reveal ul {
list-style: none;
padding: 0;
margin: 0;
}
.reveal ul li {
margin: 0.6em 0;
padding-left: 1.2em;
position: relative;
font-size: 0.9em;
color: #d4d4d8;
}
.reveal ul li::before {
content: "—";
position: absolute;
left: 0;
color: #52525b;
}
.reveal .stat-block {
background: linear-gradient(135deg, #18181b 0%, #1f1f23 100%);
border: 1px solid #27272a;
padding: 1.2em 1.6em;
border-radius: 8px;
margin: 1.2em 0;
text-align: left;
}
.reveal .stat-block .number {
font-size: 2em;
font-weight: 600;
color: #fbbf24;
display: block;
margin-bottom: 0.2em;
}
.reveal .stat-block .label {
font-size: 0.8em;
color: #a1a1aa;
}
.reveal .demo-preview {
background: #18181b;
border: 1px solid #27272a;
border-radius: 8px;
padding: 1.5em;
text-align: left;
margin-top: 1em;
}
.reveal .demo-preview code {
font-family: "SF Mono", "Fira Code", monospace;
font-size: 0.75em;
color: #60a5fa;
background: transparent;
}
.reveal .cli-preview {
font-family: "SF Mono", "Fira Code", monospace;
font-size: 0.65em;
color: #a1a1aa;
background: #0f0f14;
padding: 0.8em 1em;
border-radius: 4px;
border-left: 3px solid #f87171;
margin: 0.8em 0;
line-height: 1.6;
}
.reveal .cli-preview .cmd {
color: #4ade80;
}
.reveal .cli-preview .block {
color: #f87171;
font-weight: 600;
}
.reveal .cli-preview .policy {
color: #fbbf24;
}
.reveal blockquote {
background: transparent;
border: none;
font-style: normal;
padding: 0;
margin: 1.5em 0;
font-size: 0.85em;
color: #a1a1aa;
}
.reveal .capabilities-grid {
display: grid;
grid-template-columns: repeat(3, 1fr);
gap: 1em;
margin-top: 1em;
}
.reveal .capability-card {
background: #18181b;
border: 1px solid #27272a;
border-radius: 6px;
padding: 1em;
text-align: left;
}
.reveal .capability-card h4 {
font-size: 0.8em;
font-weight: 600;
color: #fafafa;
margin: 0 0 0.4em 0;
}
.reveal .capability-card p {
font-size: 0.65em;
color: #a1a1aa;
margin: 0;
line-height: 1.4;
}
.reveal .footer {
position: fixed;
bottom: 1em;
left: 1em;
font-size: 0.4em;
color: #52525b;
}
.reveal .transition-slide h2 {
font-size: 1.4em;
color: #a1a1aa;
font-weight: 400;
}
</style>
</head>
<body>
<div class="reveal">
<div class="slides">
<!-- Slide 1: The Hook -->
<section>
<h2>SOC 2 audit prep takes <span class="highlight">180 hours</span>.<br>60% is proving "who approved what."</h2>
<div class="stat-block">
<span class="number">63%</span>
<span class="label">of security incidents trace to config drift<br>from a known-good state.</span>
</div>
<p class="fragment fade-up muted" style="font-size: 0.8em; margin-top: 1.5em;">
The problem isn't missing policies. It's proving you enforced them.
</p>
<aside class="notes">
180 hours: Based on industry surveys of Series B-D companies going through SOC 2 Type II.
60%: Most time is spent on "audit archaeology" - reconstructing who approved what.
63% stat: Industry data on security incidents caused by configuration drift.
The hook: Security teams have policies. The problem is proving enforcement with provenance.
</aside>
</section>
<!-- Slide 2: Why This Keeps Happening -->
<section>
<h2>Why this keeps happening</h2>
<ul>
<li class="fragment">AI generates code that <span class="negative">looks correct</span> but violates your internal policies</li>
<li class="fragment">Staff engineer's "best practices" wiki is <span class="negative">ignored by new hires</span></li>
<li class="fragment">"Who approved this exception?" → <span class="negative">dig through Slack for 3 hours</span></li>
</ul>
<p class="fragment muted" style="font-size: 0.75em; margin-top: 1.5em;">
Your security team writes policies. Nobody can prove they're followed.
</p>
<aside class="notes">
AI code generation: Copilot/ChatGPT code often includes InsecureSkipVerify, weak crypto, etc.
Wiki problem: Institutional knowledge trapped in documents nobody reads.
Slack archaeology: The audit trail exists, but it takes hours to reconstruct.
Marcus's pain: He's been burned by shelfware. He needs proof, not promises.
</aside>
</section>
<!-- Slide 3: Introducing Aphoria -->
<section>
<h1 style="font-size: 2.8em; font-weight: 600; letter-spacing: -0.03em;">Aphoria</h1>
<p style="font-size: 1em; color: #a1a1aa; margin-top: 0.5em;">
Code-level truth linting. Claims, not rules.
</p>
<p class="fragment muted" style="font-size: 0.75em; margin-top: 2em;">
Validate code against authoritative sources with cryptographic provenance.
</p>
<aside class="notes">
"Aphoria" = Greek for "bearing away uncertainty"
"Claims, not rules" = We don't pattern match. We validate against authoritative sources.
Cryptographic provenance = Ed25519-signed Trust Packs trace every policy to an approver.
Keep this slide brief - the next one explains the approach.
</aside>
</section>
<!-- Slide 4: Every Policy Has a Source -->
<section>
<h2>Every policy has a source</h2>
<p style="margin-bottom: 1em;">
Aphoria stores <span class="highlight">authoritative claims with provenance</span>, not regex patterns.
</p>
<ul>
<li class="fragment"><span class="positive">Cryptographic attribution:</span> Ed25519-signed Trust Packs trace every policy to an approver</li>
<li class="fragment"><span class="positive">Sub-second scanning:</span> &lt;100ms pre-commit, &lt;1s full scan. Developers won't disable it.</li>
<li class="fragment"><span class="positive">AI guardrails:</span> Catch <code>InsecureSkipVerify = true</code> before the PR</li>
</ul>
<aside class="notes">
Cryptographic attribution: Not "the linter said so." Trust Packs are Ed25519-signed with issuer provenance.
Sub-second: &lt;100ms for staged files, &lt;1s for full scan. Fast enough for pre-commit. Developers won't bypass it.
AI guardrails: Copilot generates insecure code. This catches it instantly.
Key differentiator: Every violation traces to a signed Trust Pack, not a regex rule.
</aside>
</section>
<!-- Slide 5: What This Enables -->
<section>
<h2>What this enables</h2>
<div class="capabilities-grid">
<div class="capability-card">
<h4>Policy Governance</h4>
<p>Security team publishes once. 400 engineers inherit instantly.</p>
</div>
<div class="capability-card">
<h4>Drift Detection</h4>
<p>"TLS config changed from 1.3 to 1.2" - caught before production.</p>
</div>
<div class="capability-card">
<h4>Compliance Export</h4>
<p>SOC 2 evidence in 15 minutes, not 3 days.</p>
</div>
</div>
<p class="fragment muted" style="font-size: 0.7em; margin-top: 1.2em;">
Every exception tracked with reason and timestamp.
</p>
<aside class="notes">
Policy Governance: No more "update 50 repos" - publish to StemeDB once, all scans use it.
Drift Detection: --persist mode tracks changes between scans. See what drifted.
Compliance Export: JSON output with full provenance. Feed it to your SOC 2 report.
Exceptions: Not .sonar-ignore. Tracked acknowledgments with reasons and timestamps.
</aside>
</section>
<!-- Slide 6: Demo Preview -->
<section class="transition-slide">
<h2>Here's what it looks like</h2>
<div class="demo-preview">
<p style="font-size: 0.75em; color: #a1a1aa; margin: 0 0 0.8em 0;">Terminal:</p>
<div class="cli-preview">
<span class="cmd">$ aphoria scan</span><br><br>
<span class="block">BLOCK</span> code://go/auth/tls/cert_verification<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Your code: TLS certificate verification is disabled (main.go:12)<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Regulatory: Boolean(true) (Tier 0)<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Action: Fix or acknowledge with: <span class="policy">aphoria ack &lt;path&gt; --reason "..."</span>
</div>
<p style="font-size: 0.7em; color: #71717a; margin: 0.8em 0 0 0;">
I'm going to run this exact command live...
</p>
</div>
<aside class="notes">
This is the transition slide. Show them what they're about to see.
Key points to emphasize:
- BLOCK status with clear subject path
- "Your code" vs "Regulatory" - the conflict is explicit
- Action line shows how to handle exceptions
- When Trust Pack imported, policy source also shown
Then switch to terminal for the live demo.
</aside>
</section>
<!-- Slide 7: Q&A -->
<section>
<h2>Questions</h2>
<div style="margin-top: 1.5em; text-align: left;">
<p class="muted" style="font-size: 0.7em; margin-bottom: 0.8em;">What you saw:</p>
<ul style="font-size: 0.75em;">
<li><span class="highlight">Speed</span> - &lt;100ms staged, &lt;1s full scan, fast enough for pre-commit</li>
<li><span class="highlight">Attribution</span> - Every policy signed by an approver</li>
<li><span class="highlight">Acknowledgments</span> - Exceptions tracked, not ignored</li>
<li><span class="highlight">Drift Detection</span> - Config changes caught before production</li>
<li><span class="highlight">Compliance Export</span> - SOC 2 evidence in 15 minutes</li>
</ul>
</div>
<aside class="notes">
Be ready for:
- "Why not just write better Semgrep rules?" → Semgrep can't track who approved exceptions
- "What's the false positive rate?" → We check against authoritative sources, not patterns
- "I already have pre-commit hooks" → Hooks catch violations. Aphoria proves who approved the policy
- "SOC 2 certified?" → In progress. But you can generate the evidence today
- "Why not Postgres?" → You could build this. 6-9 months, 2-3 engineers. We've done the hard work
</aside>
</section>
</div>
<div class="footer">
Aphoria
</div>
</div>
<script src="https://cdn.jsdelivr.net/npm/reveal.js@5.1.0/dist/reveal.js"></script>
<script src="https://cdn.jsdelivr.net/npm/reveal.js@5.1.0/plugin/notes/notes.js"></script>
<script>
Reveal.initialize({
hash: true,
slideNumber: false,
controls: false,
progress: false,
transition: 'none',
transitionSpeed: 'fast',
plugins: [ RevealNotes ],
width: 1280,
height: 720,
margin: 0.1
});
</script>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink