jordan/stemedb
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
b7db069650
stemedb/applications/aphoria/docs/legal/patent-disclosure.md
jordan 1cc453c97b feat: Aphoria policy source tracking + claim extraction pipeline 
- Add PolicySourceStore for tracking where policies come from
- Implement claim extraction skill and API endpoints
- Add community UI text selection extractor component
- Create Go SDK aphoria client for policy operations
- Document patent specifications and legal disclosures
- Add guides: golden path loop, policy audit trails, pre-flight checks
- Expand Unreal Engine config extractor with source tracking
- Add UAT reports for policy source tracking validation
- Refactor tests.rs into modular test files

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-04 02:35:02 -07:00

27 KiB
Raw Blame History

Intellectual Property Disclosure: Aphoria & Epistemic Conflict Detection

  • Date: 2026-02-04
  • Subject: Method and System for Detecting Epistemic Conflicts in Computer Code and Configuration

Executive Summary

Aphoria is a "Truth Linter" for software. It introduces a novel method for automated code review called Epistemic Conflict Detection.

Current industry tools (Static Analysis, Linters) work by pattern matching: "If code looks like X, flag it." This approach is brittle and generates high false-positive rates because it cannot distinguish between configurations that violate vendor recommendations versus regulatory requirements versus internal policies.

Aphoria works by Knowledge Graph Alignment:

  1. It extracts the implicit "claims" a developer makes when writing code (e.g., setting timeout=0 is a claim that "waiting forever is acceptable").
  2. It transforms these claims into normalized semantic triples using a predefined ontology.
  3. It compares these triples against a hierarchically-structured knowledge graph of "Authoritative Assertions" derived from technical standards (RFCs, NIST, Vendor Docs).
  4. It calculates a Conflict Score based on a defined weighting function that incorporates authority tier differentials.
  5. It outputs ranked conflicts with deterministic prioritization.

This transforms compliance from a manual, subjective audit process into a continuous, mathematical calculation of "Epistemic Drift"—the distance between what code does and what authorities say it should do.

Technical Problem Addressed

Current static analysis tools operate through pattern-matching against predetermined rule sets, requiring manual rule creation for each potential misconfiguration and generating high false-positive rates because they cannot distinguish between configurations that violate vendor recommendations versus regulatory requirements versus internal policies. This creates computational inefficiency (wasted cycles on false positives) and fails to provide deterministic prioritization of detected issues.

Specific Technical Deficiencies in Prior Art:

  • Undifferentiated Rule Violations: All pattern matches are treated equally regardless of source authority
  • Manual Rule Authoring: Policy-as-code systems require human translation of standards into executable rules
  • No Contextual Weighting: A "MUST" from an RFC is indistinguishable from a "SHOULD" in vendor docs
  • Static Pattern Libraries: Rules cannot adapt to organizational context without manual intervention

Technical Solution

A system that:

  1. Transforms code configurations into normalized semantic triples using a defined ontology
  2. Stores authoritative assertions in a hierarchically-structured graph database with quantified authority weights
  3. Performs graph traversal to identify assertion conflicts using a specific matching algorithm
  4. Computes conflict scores using a defined weighting function that incorporates authority tier differentials
  5. Outputs ranked conflicts with deterministic prioritization

Use Cases

  1. AI Safety Guardrails: Prevents autonomous AI coding agents from "hallucinating" insecure configurations (e.g., disabling TLS verification) by checking generated code against RFC standards before deployment.

  2. Continuous Compliance: Replaces annual security audits with a continuous, pre-commit check that blocks code violating specific regulations (GDPR, HIPAA) defined in the knowledge graph.

  3. Federated Policy Enforcement: Allows large organizations to cryptographically sign and distribute "Trust Packs" (bundles of approved patterns) that automatically override default standards in downstream projects.

Patentability Analysis

To be patentable, an invention must be (1) Statutory, (2) Novel, (3) Useful, and (4) Non-Obvious.

1. Statutory Subject Matter (Eligible Category)

Requirement: Must be a process, machine, manufacture, or composition of matter. Abstract ideas (math) are not eligible unless applied practically.

Aphoria Argument:

  • The claims recite specific data structures (semantic triples with authority weights, hierarchical knowledge graph)
  • The claims recite machine-specific operations (parsing source code files, querying graph databases, computing weighted differences)
  • The operations cannot be performed mentally—a human cannot feasibly traverse a knowledge graph containing thousands of RFC-derived assertions
  • Per Enfish v. Microsoft (Fed. Cir. 2016): Claims directed to a specific improvement in computer capabilities are not abstract

2. Novelty (New)

Requirement: Must not be known, used, or published before.

Aphoria Argument:

  • Prior Art: Linters check syntax (validity). SAST checks data flow (taint).
  • The Invention: Aphoria checks Semantic Alignment between two disparate graphs (Code Intent vs. Regulatory Authority).
  • Distinction: No existing tool maps source code to a standardized knowledge graph of RFCs to compute a weighted conflict score. The mechanism of "Source Class Decay" (where anecdotal evidence fades but regulatory evidence remains constant) applied to code analysis is entirely new.

3. Utility (Useful)

Requirement: Must provide a specific, substantial, and credible benefit.

Aphoria Argument: The utility is immediate and quantifiable.

  • Demonstrated Benefit: In benchmarks against industry-standard tools (Semgrep), Aphoria achieved 100% precision (vs ~30%) and reduced false positives to zero by utilizing the authority-weighting mechanism.
  • Industrial Application: It solves the specific problem of "Configuration Drift" in cloud infrastructure, a leading cause of global outages.

4. Non-Obviousness (Inventive Step)

Requirement: Must not be a trivial combination of existing things to an expert in the field.

Aphoria Argument:

  • It is not obvious to combine "Probabilistic Knowledge Graphs" (typically used in search/AI) with "Static Code Analysis" (typically used in compilers).
  • Experts in static analysis focus on "better parsing" or "deeper taint analysis." They do not focus on "modeling the authority of external documentation."
  • The use of Cryptographic Trust Packs to federate and override static analysis rules dynamically is a non-obvious architecture for a linter.
  • Under KSR, the question is whether a PHOSITA would combine knowledge graphs + code parsing + authority weighting with a reasonable expectation of success. This combination requires: (1) designing an ontology for configuration semantics, (2) developing an authority-weighting scheme, and (3) integrating with code parsing—none of which are taught or suggested by the prior art.

Proposed Claims

Independent Claim 1 (System)

A system for detecting configuration conflicts in source code, the system comprising:

(a) a parser module configured to:

  • receive a source code file containing at least one configuration statement defining a value for a runtime parameter, security setting, or system behavior modifier,
  • extract a configuration value and its associated context from the configuration statement, and
  • transform the configuration value into a semantic triple comprising a subject identifier, a predicate type selected from a predefined configuration ontology comprising property types including at least timeout values, encryption parameters, and authentication requirements, and an object value;

(b) a knowledge graph database storing a plurality of authoritative assertions, each authoritative assertion comprising a semantic triple and an associated authority weight, wherein authority weights are assigned based on a hierarchical classification comprising at least three tiers corresponding to regulatory sources, vendor documentation sources, and community sources, and wherein regulatory source assertions are assigned authority weights greater than vendor documentation assertions, which are assigned authority weights greater than community source assertions;

(c) a conflict detection engine configured to:

  • query the knowledge graph database to retrieve authoritative assertions having predicate types matching the predicate type of the transformed semantic triple,
  • compare the object value of the transformed semantic triple against object values of retrieved authoritative assertions, wherein comparing comprises determining a semantic distance between values, the semantic distance calculated as a normalized difference for numeric values and a binary disparity indicator for boolean values,
  • identify a conflict condition when the object value of the transformed semantic triple differs from the object value of at least one retrieved authoritative assertion by more than a predefined threshold; and

(d) a scoring module configured to calculate a conflict score for each identified conflict condition by:

  • computing a weighted difference between the authority weight of the authoritative assertion and a baseline authority weight assigned to source code configurations,
  • wherein the conflict score increases proportionally with the authority weight differential;

wherein the system outputs an ordered list of conflict conditions ranked by conflict score.

Independent Claim 8 (Method)

A computer-implemented method for detecting epistemic conflicts between source code configurations and authoritative technical standards, the method comprising:

(a) receiving, by a processor, a source code file containing a configuration statement;

(b) parsing the configuration statement to extract a configuration parameter and a configuration value;

(c) transforming, by the processor, the configuration parameter and configuration value into a normalized semantic triple according to a predefined configuration ontology, the semantic triple comprising:

  • a subject corresponding to a software component identifier,
  • a predicate corresponding to a configuration property type, and
  • an object corresponding to the configuration value;

(d) querying a knowledge graph database to retrieve one or more authoritative assertions having predicates matching the predicate of the normalized semantic triple, wherein each authoritative assertion in the knowledge graph database is associated with an authority tier selected from a hierarchical set of authority tiers, and wherein each authority tier is assigned a numeric authority weight, wherein the knowledge graph database is stored in non-transitory computer-readable memory and the querying comprises traversing graph edges indexed by subject identifier;

(e) for each retrieved authoritative assertion, determining whether a conflict exists by computing a semantic distance between the object of the normalized semantic triple and the object of the authoritative assertion, wherein a conflict exists when the semantic distance exceeds a configurable threshold;

(f) for each determined conflict, calculating a conflict score based on a difference between the authority weight associated with the authoritative assertion and a default authority weight assigned to developer-specified configurations;

(g) ranking determined conflicts by conflict score; and

(h) outputting an alert identifying at least the highest-ranked conflict.

Dependent Claims: Parser Variations (Claims 2-4)

Claim 2. The system of claim 1, wherein the parser module is further configured to identify configuration statements across a plurality of file formats including YAML, JSON, TOML, and environment variable files.

Claim 3. The system of claim 1, wherein the predefined ontology comprises configuration property types including timeout values, retry counts, encryption parameters, authentication requirements, and connection limits.

Claim 4. The system of claim 1, wherein the parser module extracts context comprising at least one of: file path, function scope, conditional block, and deployment environment identifier.

Dependent Claims: Knowledge Graph Structure (Claims 5-7)

Claim 5. The system of claim 1, wherein the knowledge graph database indexes authoritative assertions by source document, the source documents comprising at least one of: RFC specifications, NIST guidelines, vendor security documentation, and CIS benchmarks.

Claim 6. The system of claim 1, wherein authority weights are numeric values on a scale from 0 to 1, with regulatory source assertions assigned weights of at least 0.8, vendor documentation assertions assigned weights between 0.5 and 0.79, and community source assertions assigned weights below 0.5.

Claim 7. The system of claim 1, wherein the knowledge graph database implements temporal decay of authority weights for community source assertions based on publication date, while maintaining constant authority weights for regulatory source assertions.

Dependent Claims: Conflict Detection Specifics (Claims 9-11)

Claim 9. The system of claim 1, wherein identifying a conflict condition comprises determining that the object value of the transformed semantic triple specifies a less restrictive security parameter than the object value of the authoritative assertion.

Claim 10. The system of claim 1, wherein the conflict detection engine performs semantic matching to identify conflicts between configuration values expressed in different formats or units.

Claim 11. The system of claim 1, wherein the predefined threshold for identifying conflict conditions is configurable based on deployment environment classification.

Dependent Claims: Trust Pack Feature (Claims 12-15)

Claim 12. The system of claim 1, further comprising: a trust pack module configured to receive a cryptographically signed data package containing a subset of authoritative assertions, verify a digital signature of the data package against a trusted issuer registry, and upon successful verification, merge the authoritative assertions from the data package into the knowledge graph database with authority weights specified in the data package.

Claim 13. The system of claim 12, wherein authoritative assertions from a verified trust pack are assigned authority weights that supersede authority weights of conflicting assertions from default sources.

Claim 14. The system of claim 12, wherein the trust pack module maintains a provenance record for each merged assertion identifying the trust pack source and verification timestamp.

Claim 15. The system of claim 12, wherein the trusted issuer registry is updatable via a secure channel separate from trust pack distribution.

Dependent Claims: Acknowledgment/Override Feature (Claims 16-18)

Claim 16. The system of claim 1, further comprising: an acknowledgment module configured to receive a user input indicating acceptance of a detected conflict, generate an acknowledgment assertion comprising the semantic triple of the accepted conflict and a user identifier, store the acknowledgment assertion in the knowledge graph database with an authority weight below the authority weight of the conflicting authoritative assertion, and suppress output of the accepted conflict in subsequent analyses while maintaining the acknowledgment assertion for audit retrieval.

Claim 17. The system of claim 16, wherein the acknowledgment assertion includes an expiration timestamp after which suppression of the conflict terminates.

Claim 18. The system of claim 16, wherein the acknowledgment module requires multi-party approval before storing acknowledgment assertions for conflicts involving regulatory source assertions.

Independent Claim 19 (Trust Pack Distribution System)

A system for distributed configuration policy enforcement comprising:

(a) a trust pack module configured to receive a cryptographically signed data package containing a plurality of authoritative assertions, each assertion comprising a subject identifier, a predicate type, an object value, and an authority tier indicator;

(b) a trusted issuer registry storing public keys of authorized policy issuers;

(c) a signature verification module configured to verify a digital signature of the data package against a public key retrieved from the trusted issuer registry;

(d) a merge module configured to, upon successful verification, insert the authoritative assertions into a knowledge graph database with authority weights determined by the authority tier indicators;

wherein assertions from verified trust packs supersede conflicting assertions from lower-authority sources in subsequent conflict detection operations.

Dependent Claims: Trust Pack Distribution (Claims 20-23)

Claim 20. The system of claim 19, wherein the trust pack module is further configured to:

  • validate a version identifier in the data package against a stored version registry,
  • reject data packages with version identifiers older than the most recently accepted version for the same issuer, and
  • enforce an expiration timestamp after which assertions from the data package are excluded from conflict detection operations.

Claim 21. The system of claim 19, wherein the merge module is further configured to:

  • store a provenance chain for each merged assertion comprising the trust pack identifier, the issuer public key, and a verification timestamp, and
  • enable retrieval of the complete provenance chain for any assertion during audit operations.

Claim 22. The system of claim 19, wherein the trusted issuer registry is further configured to:

  • receive revocation notices identifying issuer public keys to be invalidated,
  • upon receiving a revocation notice, mark all assertions originating from the revoked issuer as quarantined, and
  • exclude quarantined assertions from subsequent conflict detection operations while maintaining them for audit retrieval.

Claim 23. The system of claim 19, wherein the trust pack module supports cascading trust delegation, comprising:

  • a delegation assertion type indicating that a first issuer authorizes a second issuer to issue assertions within a defined scope,
  • validation that assertions from the second issuer fall within the delegated scope, and
  • authority weight inheritance wherein delegated assertions receive authority weights no greater than the delegating issuer's tier.

Independent Claim 24 (Acknowledgment-Based Suppression System)

A system for auditable conflict acknowledgment comprising:

(a) a conflict detection module configured to identify a conflict between a source code configuration and an authoritative assertion stored in a knowledge graph database;

(b) an acknowledgment interface configured to receive a user input indicating acceptance of the identified conflict, the user input including a user identifier and a justification;

(c) an acknowledgment assertion generator configured to create an acknowledgment assertion comprising the semantic triple of the accepted conflict, the user identifier, and a digital signature of the user;

(d) an audit storage module configured to store the acknowledgment assertion in the knowledge graph database with an authority weight below the authority weight of the conflicting authoritative assertion;

(e) a suppression module configured to suppress output of the accepted conflict in subsequent analyses while maintaining the acknowledgment assertion for audit retrieval;

wherein the system maintains a complete provenance chain of all conflict acknowledgments for regulatory compliance auditing.

Dependent Claims: Acknowledgment System (Claims 25-27)

Claim 25. The system of claim 24, wherein the acknowledgment assertion generator is further configured to:

  • include an expiration timestamp in the acknowledgment assertion,
  • wherein the suppression module resumes output of the conflict after the expiration timestamp has passed, and
  • wherein the acknowledgment assertion remains stored for audit purposes after expiration.

Claim 26. The system of claim 24, wherein for conflicts involving regulatory source assertions (Tier 0), the acknowledgment interface requires:

  • approval from at least two distinct user identifiers,
  • digital signatures from each approving user, and
  • storage of all approval signatures in the acknowledgment assertion.

Claim 27. The system of claim 24, wherein the system supports acknowledgment inheritance across code branches, comprising:

  • detection when a configuration statement subject to an acknowledgment is copied to a new code branch,
  • automatic application of the acknowledgment to the copied configuration statement in the new branch, and
  • storage of a branch provenance indicator linking the inherited acknowledgment to the original acknowledgment.

Prior Art Concerns and Distinction Strategy

Category 1: Static Analysis Tools (Semgrep, SonarQube, CodeQL)

Prior Art Teaches: Pattern-matching rules that flag code matching predefined syntactic patterns.

Distinction: These tools match patterns; they don't construct semantic triples or query a knowledge graph. They have no concept of authority weighting—a rule either matches or it doesn't.

Specification Language:

"Unlike conventional static analysis tools that apply pattern-matching rules without contextual weighting, embodiments of the present invention transform configuration values into semantic representations and compare them against a hierarchically-weighted knowledge base, enabling prioritization of conflicts based on the authoritative source of the violated standard rather than treating all rule violations as equivalent."

Category 2: Compliance Automation (Chef InSpec, Open Policy Agent)

Prior Art Teaches: Policy-as-code execution where users manually author policy rules.

Distinction: These tools execute policy-as-code written by users. They don't automatically derive policies from authoritative sources or compute authority-weighted scores.

Specification Language:

"In contrast to policy-as-code systems that require manual policy authoring, the present invention automatically ingests and structures authoritative documentation into a queryable knowledge graph, eliminating the need for manual policy translation and ensuring that conflict detection reflects the current state of authoritative standards."

Category 3: Knowledge Graph Systems (Neo4j, general semantic web)

Prior Art Teaches: Generic graph database technology for storing and querying linked data.

Distinction: Generic knowledge graph technology doesn't address code configuration analysis. The specific ontology, authority-weighting scheme, and integration with code parsing are the inventive elements.

Prosecution Argument: Under KSR, the question is whether a PHOSITA would combine these references with a reasonable expectation of success. The combination requires: (1) designing an ontology for configuration semantics, (2) developing an authority-weighting scheme, and (3) integrating with code parsing—none of which are taught or suggested by the prior art.

Category 4: Infrastructure-as-Code Security (Styra, Fugue, Bridgecrew/Checkov)

Prior Art Teaches: Cloud configuration scanning and policy bundles for infrastructure compliance.

Distinction: These tools focus on infrastructure configuration (Terraform, CloudFormation) rather than application source code. They do not:

  • Transform application code into semantic triples
  • Maintain authority-weighted knowledge graphs from RFC standards
  • Compute conflict scores based on source class differentials

Specification Language:

"Unlike infrastructure-as-code security tools that scan deployment configurations against cloud provider best practices, the present invention analyzes application source code to detect semantic conflicts with authoritative technical standards (RFCs, security frameworks), operating at the code level rather than the deployment level."

Prior Art Search Recommendations

The following searches are recommended before filing:

  • IBM CodeNet and related semantic code analysis research
  • Academic literature: "semantic code analysis" + "knowledge graph"
  • Academic literature: "ontology" + "security analysis"
  • Patent search: US Class 717/126 (code analysis), 707/E17 (databases)

§101 Prosecution Strategy

When the examiner issues a §101 rejection, respond with this structure:

Step 2A, Prong One: Not an Abstract Idea

The claims are not directed to a mathematical formula in the abstract. The claims recite a specific technical implementation that transforms source code files into semantic data structures, traverses a graph database to retrieve matching assertions, and outputs a ranked conflict report. These operations are performed by specific computer components—a parser module, a graph database, and a conflict detection engine—and cannot be performed by mental steps or pen and paper due to the scale of the knowledge graph (thousands of RFC-derived assertions) and the speed requirements (sub-second analysis of production codebases).

Cite: Enfish v. Microsoft (Fed. Cir. 2016): Claims directed to a specific improvement in computer capabilities are not abstract.

Step 2A, Prong Two: Practical Application

The claims integrate any alleged abstract idea into a practical application by providing a specific technical solution to a specific technical problem. The technical problem is undifferentiated rule violation reporting in static analysis tools, which wastes computational resources processing false positives and creates security risk through alert fatigue. The technical solution is authority-weighted conflict detection, which programmatically prioritizes violations based on the authoritativeness of the violated standard, reducing false positive rates from ~70% (prior art) to 0% (claimed invention) as demonstrated in specification benchmarks.

Cite: Core Wireless v. LG (Fed. Cir. 2018): Claims providing a specific technical improvement are not abstract.

Step 2B: Significantly More (Berkheimer Argument)

If forced to Step 2B, argue:

The ordered combination of elements—semantic triple transformation, hierarchically-weighted knowledge graph, graph traversal for conflict detection, and authority-differential scoring—is not well-understood, routine, or conventional in the field of static analysis. No prior art reference teaches authority-weighted knowledge graph traversal for code configuration analysis. Under Berkheimer v. HP Inc., 881 F.3d 1360 (Fed. Cir. 2018), the conventional nature of claim elements is a factual question. The examiner has cited no evidence that this specific combination is conventional.

Supporting Documents

Document Purpose
patent-specification.md Technical detail: ontology, formulas, schemas, benchmarks
patent-figures.md Descriptions of 7 required figures

Revision History

Date Author Changes
2026-02-04 Initial First draft with reconstructed claims per counsel feedback
2026-02-04 Rev 2 IP counsel feedback: 3 claim families, §101 strengthening, prior art expansion