jordan/stemedb
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
c65066fd1c
stemedb/applications/aphoria/docs/guides/solo-developer-guide.md
jordan 0ece696f5d docs: add solo developer and enterprise pilot guides 
- Created solo-developer-guide.md for individual/side projects
- Created enterprise-pilot-guide.md with 7-phase pilot methodology
- Updated guides/README.md with new guide references
- Updated main README.md with guides table and time estimates

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-07 07:45:56 -07:00

256 lines
5.2 KiB
Markdown
Raw Blame History

# Solo Developer Guide
Get immediate value from Aphoria on your personal or side projects.
## Why Aphoria for Solo Projects?
You don't need enterprise workflows. You need to know when your code contradicts RFCs or security best practices—before it becomes a CVE.
**What you get:**
- Catch `verify=False`, weak TLS, disabled auth—patterns you'd miss in code review
- No team coordination, no policy packs, no approval workflows
- Pre-commit hooks that stop insecure code before it ships
---
## Quick Start (2 Minutes)
### 1. Install
```bash
cd applications/aphoria
cargo install --path .
```
Verify:
```bash
aphoria --version
```
### 2. Initialize
```bash
cd your-project
aphoria init
```
This loads the authoritative corpus (RFCs, OWASP guidelines) into your local database.
### 3. Scan
```bash
aphoria scan
```
That's it. You'll see output like:
```
BLOCK code://python/requests/tls/cert_verification
Your code: verify=False (api/client.py:42)
RFC 5246: TLS certificate verification MUST be enabled
Conflict: 0.92
1 conflict found (1 BLOCK).
```
---
## Pre-Commit Hook
Add to your `.pre-commit-config.yaml`:
```yaml
repos:
- repo: local
hooks:
- id: aphoria
name: Aphoria truth check
entry: aphoria scan --staged --exit-code
language: system
pass_filenames: false
```
Now insecure code is blocked before it reaches your repo.
---
## What Aphoria Catches
| Category | Examples |
|----------|----------|
| **TLS/SSL** | Disabled cert verification, weak protocols, insecure ciphers |
| **Authentication** | Missing token validation, disabled auth checks |
| **Configuration** | Debug mode in production, exposed secrets, unsafe defaults |
| **Framework-Specific** | Django DEBUG=True, Flask CSRF disabled, Express without helmet |
---
## Common Workflows
### Daily Development
```bash
# Quick check (fast, no persistence)
aphoria scan
```
### Before Commits
```bash
# Check only staged files
aphoria scan --staged --exit-code
```
### Before Releases
```bash
# Full scan with report
aphoria scan --format markdown > SECURITY_AUDIT.md
```
---
## Handling Conflicts
### Option 1: Fix the Code
The best response. If Aphoria says `verify=False` is insecure, enable verification.
```python
# Before
response = requests.get(url, verify=False)
# After
response = requests.get(url, verify=True)
```
### Option 2: Acknowledge with Reason
Sometimes insecure patterns are intentional (dev environments, testing). Acknowledge them:
```bash
aphoria ack "code://python/requests/tls/cert_verification" \
--reason "Local dev with self-signed certs, not used in production"
```
The acknowledgment is tracked. Re-scan and it becomes ACK (pass) instead of BLOCK.
### Option 3: Bless a Local Standard
For project-specific decisions that differ from RFCs:
```bash
aphoria bless "code://local/tls/min_version" \
--predicate version --value "1.3" \
--reason "This project requires TLS 1.3 minimum"
```
---
## Output Formats
```bash
# Human-readable (default)
aphoria scan --format table
# JSON for scripting
aphoria scan --format json
# Markdown for documentation
aphoria scan --format markdown > SECURITY.md
# SARIF for tool integration
aphoria scan --format sarif > results.sarif
```
---
## Tips for Solo Projects
### Keep It Simple
Don't bother with:
- Trust Packs (enterprise feature)
- Governance workflows (multi-team feature)
- Policy federation (organizational feature)
Just scan, fix, and occasionally acknowledge.
### Use Ephemeral Mode
Default scans are ephemeral—fast with no persistence. That's what you want for quick checks.
Only use `--persist` if you need:
- Baseline comparison (`aphoria diff`)
- Historical tracking
```bash
# Normal (fast)
aphoria scan
# With history (slower)
aphoria scan --persist
```
### Check Before Deploys
Add to your deploy script:
```bash
#!/bin/bash
set -e
# Block deploy on security issues
aphoria scan --exit-code
# Continue with deploy
./deploy.sh
```
---
## Upgrading Your Corpus
The authoritative corpus (RFCs, OWASP) updates periodically:
```bash
# Rebuild corpus with latest sources
aphoria corpus build
# List available sources
aphoria corpus list
```
---
## FAQ
**Q: How is this different from a linter?**
Linters check syntax and style. Aphoria checks whether your *decisions* contradict *authoritative standards*. ESLint won't tell you that `verify=False` contradicts RFC 5246.
**Q: How is this different from SAST?**
SAST finds vulnerability patterns (SQL injection, XSS). Aphoria finds contradictions with specific standards. SAST finds `eval(user_input)`; Aphoria finds "you said TLS 1.1, NIST says TLS 1.2 minimum."
**Q: Does it require an LLM?**
No. Core scanning uses pattern matching. LLM extraction is optional and only for complex patterns. Most projects work without it.
**Q: What languages are supported?**
Aphoria extracts from:
- Configuration files (YAML, TOML, JSON)
- Python, JavaScript/TypeScript
- Rust, Go (partial)
See `aphoria extractors list` for current coverage.
---
## Next Steps
- [The First Scan](./the-first-scan.md) - Detailed walkthrough
- [Pre-Flight Checks](./pre-flight-checks.md) - CI integration
- Read the [main README](../../README.md) for command reference
Reference in New Issue View Git Blame Copy Permalink