jordan/stemedb
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
c65066fd1c
stemedb/applications/aphoria/docs/guides/the-first-scan.md
jordan 1cc453c97b feat: Aphoria policy source tracking + claim extraction pipeline 
- Add PolicySourceStore for tracking where policies come from
- Implement claim extraction skill and API endpoints
- Add community UI text selection extractor component
- Create Go SDK aphoria client for policy operations
- Document patent specifications and legal disclosures
- Add guides: golden path loop, policy audit trails, pre-flight checks
- Expand Unreal Engine config extractor with source tracking
- Add UAT reports for policy source tracking validation
- Refactor tests.rs into modular test files

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-04 02:35:02 -07:00

128 lines
3.9 KiB
Markdown
Raw Blame History

# Guide: The First Scan — From Zero to Compliance
**Target Audience:** Developers, Tech Leads
**Time to Value:** 5 minutes
---
## Introduction
Every codebase contains invisible decisions. When you set `verify=false` in a config file, you aren't just toggling a boolean; you are making a claim: *"Certificate verification is not required for this connection."*
Authoritative sources (like RFCs and OWASP) disagree. They claim: *"Certificate verification is mandatory."*
**Aphoria** detects this disagreement. It is a "truth linter" that finds where your code contradicts authoritative specs. This guide will take you from zero to your first clean scan.
---
## 1. Installation
Aphoria ships as a single binary.
```bash
# From source (assuming you have the repo)
cd /path/to/stemedb/applications/aphoria
cargo install --path .
```
Verify it works:
```bash
$ aphoria --version
aphoria 0.1.0
```
## 2. Initialize the Cortex
Before scanning, Aphoria needs to know "the truth." It needs a corpus of authoritative assertions (RFCs, OWASP cheat sheets, vendor docs).
```bash
$ aphoria init
Initializing Aphoria...
Ingested 1,240 authoritative assertions.
Ready.
```
This downloads strict security requirements (RFC 7519 for JWT, RFC 5246 for TLS, etc.) into your local database (`~/.aphoria/db`).
## 3. The First Scan
Navigate to any project—a Rust backend, a Node.js API, or a Python script.
```bash
$ aphoria scan .
```
You will likely see output like this:
```
Scanning my-project ...
BLOCK code://node/server/tls/cert_verification
Your code: rejectUnauthorized: false (server.js:42)
RFC 5246: TLS certificate verification MUST be enabled (Tier 0)
Conflict: 0.92
BLOCK code://node/auth/jwt/algorithm
Your code: algorithms: ["none"] (auth.js:15)
RFC 7519: 'none' algorithm MUST NOT be accepted (Tier 0)
Conflict: 0.98
2 conflicts found (2 BLOCK).
```
### Interpreting the Output
* **BLOCK:** A high-confidence conflict with a Regulatory (Tier 0) or Clinical (Tier 1) source. This is likely a bug or security vulnerability.
* **FLAG:** A conflict with a lower-tier source (Vendor recommendation, Expert opinion). Worth reviewing, but might be intentional.
* **Conflict Score:** How strongly the sources disagree (0.0 to 1.0).
Notice that Aphoria didn't just say "Error." It cited **RFC 5246**. It told you *why* it's wrong.
## 4. Fixing the Drift
You have two choices: **Fix** or **Acknowledge**.
### Option A: Fix the Code (Compliance)
You realize the dev team left `rejectUnauthorized: false` in from a debugging session. You delete the line or set it to `true`.
Run the scan again:
```bash
$ aphoria scan .
0 conflicts found.
```
Epistemic drift resolved. The code now aligns with the spec.
### Option B: Acknowledge the Deviation (Constructive Disagreement)
Sometimes, you are right and the RFC is wrong *for your context*.
* *Scenario:* This is a local test harness. It uses self-signed certs. `rejectUnauthorized: false` is correct here.
Instead of ignoring it, you **Acknowledge** it.
```bash
$ aphoria ack "code://node/server/tls/cert_verification" --reason "Local dev harness, self-signed certs OK"
```
Run the scan again:
```bash
$ aphoria scan .
ACK code://node/server/tls/cert_verification
Reason: "Local dev harness, self-signed certs OK"
Status: Acknowledged (passed)
```
### Why this matters
By acknowledging, you created a **new assertion** in the database: *"In this project context, disabling TLS verify is acceptable."*
You didn't just suppress a warning. You created a permanent, signed audit trail of *why* the security rule was broken.
## 5. Next Steps
You've successfully aligned your code with reality.
* If you fixed it, you improved security.
* If you acknowledged it, you improved documentation and auditability.
**Next:** Learn how to enforce these rules across your entire company with [Federating Truth](./authoritative-state-per-project.md).
Reference in New Issue View Git Blame Copy Permalink