jordan c65066fd1c feat(aphoria): implement ignore & exclusion system (Phase 16)
Reduces scan noise by 96% through proper exclusion of test fixtures,
demo apps, and intentional vulnerabilities.

Phase 16.1 - Glob Pattern Matching:
- Replace starts_with() with globset for ** and * patterns
- Backwards compatible with legacy prefix patterns
- Add walker/mod.rs tests for glob exclusions

Phase 16.2 - .aphoriaignore File:
- Create walker/ignore_file.rs for gitignore-style parsing
- Merge with aphoria.toml excludes
- Support # comments and whitespace trimming

Phase 16.3 - Inline Ignore Comments:
- Create extractors/ignore_comments.rs parser
- Support // aphoria:ignore, // aphoria:ignore-next-line
- Support // aphoria:ignore-block / // aphoria:end-ignore
- Multiple comment styles: //, #, /*, --, <!--
- Integrate with ExtractorRegistry.extract_all()

Phase 16.4 - Ack Export/Import:
- Create ack_file.rs for TOML serialization
- Add 'aphoria ack add' subcommand
- Add 'aphoria ack export' to .aphoria/acks.toml
- Add 'aphoria ack import' from .aphoria/acks.toml
- Preserve expiry and reason fields

Also configures stemedb with:
- aphoria.toml with glob excludes for vulnbank, extractors, fixtures
- .aphoriaignore for dashboard, community, latent, SDK examples

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-07 17:28:50 -07:00
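The inline ignore directives described under Phase 16.3, as an added example that is not Aphoria's own parser: a std-only Rust resolver that maps a source file to the set of suppressed line numbers across the five comment styles the commit message names. The directive spellings come from the message; the sample file, the warning on unknown directives, and counting the end-ignore line as part of its block are assumptions of this example, not project behaviour.

```rust
// Added example, not Aphoria's own code: resolve the inline ignore directives from
// the commit message into the set of 1-based line numbers whose findings are suppressed.
use std::collections::HashSet;

/// Comment leaders the commit message lists as supported.
const LEADERS: [&str; 5] = ["//", "#", "/*", "--", "<!--"];

/// Return the directive word if `line` carries an `aphoria:` comment.
pub fn directive(line: &str) -> Option<&str> {
    let idx = line.find("aphoria:")?;
    // Require a comment leader before the marker so a string literal is not a directive.
    let before = line[..idx].trim_end();
    if !LEADERS.iter().any(|l| before.ends_with(*l)) {
        return None;
    }
    let word = line[idx + "aphoria:".len()..].split_whitespace().next()?;
    // Strip a closing `*/` or `-->` glued to the word.
    Some(word.trim_end_matches("*/").trim_end_matches("-->"))
}

/// Lines (1-based) whose findings are suppressed. Marker lines within a block,
/// including the `end-ignore` line, count as suppressed (assumption of this example).
pub fn suppressed_lines(src: &str) -> HashSet<usize> {
    let mut out = HashSet::new();
    let (mut in_block, mut next_line) = (false, false);
    for (i, line) in src.lines().enumerate() {
        let mut suppress = in_block || next_line;
        next_line = false;
        match directive(line) {
            Some("ignore") => suppress = true,
            Some("ignore-next-line") => next_line = true,
            Some("ignore-block") => { in_block = true; suppress = true; }
            Some("end-ignore") => in_block = false,
            Some(other) => eprintln!("line {}: unknown directive aphoria:{}", i + 1, other),
            None => {}
        }
        if suppress { out.insert(i + 1); }
    }
    out
}
/// Constructed sample (hypothetical file) mixing the five comment styles.
pub const SAMPLE: &str = "verify = True
requests.get(url, verify=False)  # aphoria:ignore
# aphoria:ignore-next-line
requests.get(url, verify=False)
requests.get(url, verify=False)
/* aphoria:ignore-block */
ssl_context.check_hostname = False
<!-- aphoria:end-ignore -->
-- aphoria:ignore
SELECT 1";
```

For SAMPLE the resolver returns lines 2, 4, 6, 7, 8 and 9; line 5 stays reportable because `ignore-next-line` covers exactly one line.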
| Path | Last commit | Date |
| --- | --- | --- |
| docs | docs: add solo developer and enterprise pilot guides | 2026-02-07 07:45:56 -07:00 |
| skill | feat: Phase 6 UAT - Admission control, HLC recency, cluster coordination | 2026-02-03 00:43:37 -07:00 |
| src | feat(aphoria): implement ignore & exclusion system (Phase 16) | 2026-02-07 17:28:50 -07:00 |
| tests/llm_fixtures | feat: Complete Aphoria Phase 8-9 + UAT suite (90/90 tests passing) | 2026-02-06 22:50:55 -07:00 |
| uat | feat: Institutional knowledge vision + roadmap phases 11-15 | 2026-02-06 23:35:41 -07:00 |
| .env.example | feat: Complete Aphoria Phase 8-9 + UAT suite (90/90 tests passing) | 2026-02-06 22:50:55 -07:00 |
| aphoria-vision.pdf | feat: WAL hardening (Phase 5B) - CRC32C, crash recovery, group commit, log rotation | 2026-02-02 12:36:35 -07:00 |
| Cargo.toml | feat(aphoria): implement ignore & exclusion system (Phase 16) | 2026-02-07 17:28:50 -07:00 |
| product.md | feat: Aphoria policy source tracking + claim extraction pipeline | 2026-02-04 02:35:02 -07:00 |
| protocol_vision.md | feat: Aphoria policy source tracking + claim extraction pipeline | 2026-02-04 02:35:02 -07:00 |
| README.md | docs: add solo developer and enterprise pilot guides | 2026-02-07 07:45:56 -07:00 |
| roadmap.md | feat(aphoria): implement ignore & exclusion system (Phase 16) | 2026-02-07 17:28:50 -07:00 |
| spec.md | feat: Multi-application expansion with chaos testing and community UI | 2026-02-04 01:24:14 -07:00 |
| vision.md | feat: Complete Aphoria Phase 14 - Governance Workflows | 2026-02-07 05:16:26 -07:00 |

Aphoria

A code-level truth linter powered by Episteme.

Aphoria scans your codebase for configuration patterns that contradict authoritative technical standards (RFCs, OWASP, vendor docs). Unlike linters that check syntax or SAST tools that find vulnerability patterns, Aphoria validates intent against authority.

$ aphoria scan .

BLOCK  code://python/requests/tls/cert_verification
       Your code:  verify=False (api/client.py:42)
       RFC 5246:   TLS certificate verification MUST be enabled
       Conflict:   0.92

1 conflict found (1 BLOCK).

Quick Start

Install

# From source
cd applications/aphoria
cargo install --path .

# Verify
aphoria --version

Initialize

aphoria init

This loads the authoritative corpus (RFCs, OWASP guidelines) into your local database.

Scan

# Quick scan (ephemeral, fast)
aphoria scan .

# With persistence (enables diff/baseline)
aphoria scan --persist

# CI mode (exit code 1 on BLOCK)
aphoria scan --exit-code

# Pre-commit (staged files only)
aphoria scan --staged --exit-code

Handle Conflicts

Fix the code:

# Before: verify=False
# After:
requests.get(url, verify=True)

Or acknowledge intentionally:

aphoria ack "code://python/requests/tls/cert_verification" \
  --reason "Local dev environment with self-signed certs"

Output Formats

aphoria scan --format table     # Human-readable (default)
aphoria scan --format json      # Machine-readable
aphoria scan --format sarif     # GitHub Security tab
aphoria scan --format markdown  # Documentation

Pre-commit Integration

# .pre-commit-config.yaml
repos:
  - repo: local
    hooks:
      - id: aphoria
        name: Aphoria truth check
        entry: aphoria scan --staged --exit-code
        language: system
        pass_filenames: false

CI Integration (GitHub Actions)

- name: Install Aphoria
  run: cargo install --path applications/aphoria

- name: Run Aphoria Scan
  run: aphoria scan --exit-code --format sarif > results.sarif

- name: Upload SARIF
  uses: github/codeql-action/upload-sarif@v2
  with:
    sarif_file: results.sarif

Key Commands

| Command | Description |
| --- | --- |
| aphoria scan | Scan for conflicts with authoritative sources |
| aphoria ack | Acknowledge a conflict as intentional |
| aphoria bless | Define a pattern as your authoritative standard |
| aphoria policy export | Export standards as a Trust Pack |
| aphoria policy import | Import a Trust Pack from your security team |
| aphoria governance pending | List approval requests (Phase 14) |
| aphoria audit export | Export audit trail for SOC 2 compliance |

Conflict Verdicts

| Verdict | Description | CI Behavior |
| --- | --- | --- |
| BLOCK | High-confidence conflict with RFC/OWASP | Fails with --exit-code |
| FLAG | Moderate-confidence conflict | Passes, visible in report |
| ACK | Acknowledged conflict | Passes, tracked for audit |
| PASS | No conflict | - |

Guides

| Guide | Audience | Time |
| --- | --- | --- |
| Solo Developer Guide | Individual developers, side projects | 2 min |
| Enterprise Pilot Guide | Security teams running pilots | 4 weeks |
| Enterprise Quick Start | Platform engineering | 5 min |
| The First Scan | Everyone | 10 min |

What Aphoria Is Not

  • Not a linter. Linters check syntax. Aphoria checks decisions against authoritative sources.
  • Not SAST. SAST finds vulnerability patterns. Aphoria finds contradictions to specific standards.
  • Not AI autocomplete. Copilot suggests code from the internet. Aphoria surfaces your org's decisions at the moment you contradict them.

License

See LICENSE for details.