History

jordan 9698e63702 docs: fix Aphoria pitch materials based on skeptical buyer review Demo script & slides: - Update speed claims from "0.25s" to "<100ms staged, <1s full" - Fix CLI output mockups to match actual Aphoria table.rs format - Remove fake --approver and --expires flags from ack examples - Remove non-existent "Contact: #security-policy" field - Update ACK output to describe summary table behavior accurately Roadmap additions (Phase 10): - 10.1 Acknowledgment Expiry: --expires flag with duration/ISO date - 10.2 Human-Readable Signer Names: signer_name + contact in PackHeader - 10.3 Speed Benchmarks: aphoria scan --benchmark self-test Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>		2026-02-06 16:56:19 -07:00
..
index.html	docs: fix Aphoria pitch materials based on skeptical buyer review	2026-02-06 16:56:19 -07:00
package.json	docs: fix Aphoria pitch materials based on skeptical buyer review	2026-02-06 16:56:19 -07:00
README.md	docs: fix Aphoria pitch materials based on skeptical buyer review	2026-02-06 16:56:19 -07:00

README.md

Aphoria Demo Script

Duration: 15-20 minutes + Q&A Target Buyer: Marcus Thompson (VP Platform Engineering, Series C fintech, 400 engineers) URLs: Slides at localhost:3001

Pre-Demo Checklist

# Terminal 1: Build Aphoria
cd applications/aphoria && cargo build --release

# Terminal 2: Create demo project with intentional violations
mkdir /tmp/aphoria-demo && cd /tmp/aphoria-demo

# Create a Go file with TLS skip violation
cat > main.go << 'EOF'
package main

import (
    "crypto/tls"
    "net/http"
)

func main() {
    client := &http.Client{
        Transport: &http.Transport{
            TLSClientConfig: &tls.Config{
                InsecureSkipVerify: true, // VIOLATION: Disables cert verification
            },
        },
    }
    _ = client
}
EOF

# Create a config with weak TLS version
cat > config.yaml << 'EOF'
server:
  tls:
    min_version: "1.2"  # VIOLATION: Should be 1.3
    ciphers:
      - TLS_RSA_WITH_AES_128_CBC_SHA  # VIOLATION: Weak cipher
EOF

# Create a JWT config with weak algorithm
cat > auth.go << 'EOF'
package auth

import "github.com/golang-jwt/jwt/v5"

func CreateToken() {
    // VIOLATION: Using HS256 instead of RS256
    token := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
        "user": "admin",
    })
    _ = token
}
EOF

# Terminal 3: Start slides
cd applications/aphoria-pitch && npm run dev

Verify before presenting:

aphoria scan runs without error on demo project
Violations are detected (BLOCK for TLS skip, WARN for weak cipher)
Slides load at localhost:3001
Press S to verify speaker notes appear

Part 1: Slides (localhost:3001)

Slide 1: The Hook

On screen: "SOC 2 audit prep takes 180 hours. 60% is proving 'who approved what.'"

Say:

"How long did your last SOC 2 audit take? For most Series C companies, it's about 180 hours of engineering time. And 60 percent of that time is spent on 'audit archaeology' - reconstructing who approved what, when."

"63 percent of security incidents trace to config drift from a known-good state. Not new vulnerabilities. Drift from what you already knew was correct."

Then: Press -> to reveal "The problem isn't missing policies. It's proving you enforced them."

Slide 2: Why This Keeps Happening

On screen: Three pain points

Say (reveal each with ->):

"AI generates code that looks correct. Copilot will happily write InsecureSkipVerify = true if you ask for a quick HTTP client. Does your PR review catch it? Every time?"

"Your staff engineer wrote a best practices wiki. New hires don't read it. Contractors don't know it exists."

"An auditor asks 'who approved this exception?' You spend 3 hours digging through Slack threads from 2023."

Key point: "Your security team writes policies. Nobody can prove they're followed. That's the gap."

Slide 3: Introducing Aphoria

On screen: Aphoria logo + tagline

Say:

"Aphoria is a code-level truth linter. We don't pattern-match like Semgrep. We validate your code against authoritative sources - RFCs, OWASP guidelines, your internal policies - with cryptographic provenance."

Don't linger - next slide explains the approach.

Slide 4: Every Policy Has a Source

On screen: Three benefits

Say (reveal each with ->):

"Cryptographic attribution. Every policy is signed by an approver. Not 'the linter said so.' It's 'signed by @security-team, Acme Security Standard version 3.2.'"

"Sub-second scanning. Under 100 milliseconds for staged files, under 1 second for full scans. Fast enough for pre-commit hooks. Your developers won't disable it."

"AI guardrails. Copilot generates insecure code. This catches it instantly, before the PR."

Slide 5: What This Enables

On screen: Three capability cards

Say:

"Policy governance - your security team publishes once, 400 engineers inherit instantly. No more 'update 50 repos.'"

"Drift detection - 'TLS config changed from 1.3 to 1.2' - caught before production, not during the incident."

"Compliance export - SOC 2 evidence in 15 minutes, not 3 days. Full JSON with provenance."

Reveal: "Every exception tracked with reason and timestamp."

Slide 6: Demo Preview

On screen: CLI output preview

Say:

"This is what you're about to see. A blocked violation with the exact policy it violates, who signed that policy, and how to get help."

"I'm going to run this exact command live..."

Then: Switch to Terminal for live demo

Part 2: Live Demo (Terminal)

Demo Step 1: Speed

Command:

cd /tmp/aphoria-demo
time aphoria scan

What they see:

Scan completes in under 1 second (typically ~650ms for full scan)
3 violations detected

Say:

"Under a second for a full scan. Under 100 milliseconds for staged files only. That's fast enough for a pre-commit hook. Your developers won't disable it because they don't notice it."

AMAZE MOMENT: "This is pre-commit ready. No waiting. No 'I'll run it later.'"

Demo Step 2: Attribution

What they see in the output:

BLOCK  code://go/aphoria-demo/main/tls/cert_verification
         Your code:  TLS certificate verification is disabled (main.go:12)
         Regulatory: Boolean(true) (Tier 0)
         Action:     Fix or acknowledge with: aphoria ack <path> --reason "..."

Note: After importing a Trust Pack with aphoria policy import, output includes:

         Source: Acme Security Standard v1.0 (5a3c7b...)

Say:

"Look at the output. This isn't 'rule 47 failed.' It shows the exact file and line, what the regulatory standard requires, and how to handle exceptions."

"When you import your org's Trust Pack, every violation traces to a signed policy source. When an auditor asks 'what's your policy on TLS verification?' - this is your answer. Not a wiki page. A cryptographically signed assertion."

AMAZE MOMENT: "The audit trail is built into every violation."

Demo Step 3: Acknowledgments

Command:

aphoria ack code://go/aphoria-demo/main/tls/cert_verification \
  --reason "Integration test environment - legacy system migration"

What they see:

Conflict acknowledged.

Re-scan shows the conflict now marked as ACK in the summary table:

The violation appears with an ACK verdict instead of BLOCK, indicating it has been acknowledged. The acknowledgment reason and timestamp are stored in the audit trail.

Say:

"Sometimes you need an exception. Not every violation is a real problem. Integration test environments, legacy migrations, third-party constraints."

"This isn't .sonar-ignore. It's a tracked acknowledgment with a reason and timestamp, stored in the audit trail. When you re-scan, it shows as ACK instead of BLOCK."

AMAZE MOMENT: "Exceptions are tracked, not hidden."

Coming Soon: Acknowledgment expiry (--expires) to auto-resurface after a TTL.

Demo Step 4: Drift Detection

Command:

# First scan with persistence
aphoria scan --persist

# Modify the config to introduce drift
sed -i '' 's/min_version: "1.2"/min_version: "1.1"/' config.yaml

# Second scan
aphoria scan --persist

What they see:

DRIFT   code://config/tls/min_version
        Previous:  1.2
        Current:   1.1
        Changed:   2024-02-06T14:32:00Z

Say:

"Drift detection. Someone changed the TLS version from 1.2 to 1.1. Maybe it was intentional. Maybe it was a merge conflict gone wrong."

"Either way, you know. Before production. Not during the incident."

AMAZE MOMENT: "63% of security incidents are config drift. This catches them."

Demo Step 5: Compliance Export

Command:

aphoria scan --format json | jq '.violations | length'
aphoria scan --format json | jq '.acknowledgments'
aphoria scan --format json > soc2-evidence.json

What they see:

Full JSON output with provenance
Acknowledgments with reasons and timestamps
Export-ready for SOC 2

Say:

"15 minutes, not 3 days. Your SOC 2 auditor asks for evidence of policy enforcement. You give them this JSON file."

"Every violation. Every acknowledgment. Full audit trail. Machine-readable. Auditor-friendly."

AMAZE MOMENT: "SOC 2 evidence generation goes from days to minutes."

Part 3: Return to Slides

Slide 7: Questions

Page: Back to localhost:3001, press -> to reach Q&A slide

What they see: Recap of what they just saw

Be ready for:

Question	Answer
"Why not just write better Semgrep rules?"	"Semgrep rules don't track who approved exceptions. Aphoria has cryptographic provenance. Every policy traces to a signer."
"What's the false positive rate?"	"We check against authoritative sources, not pattern matching. False positives are policy disagreements, not tool bugs. And those surface as conversations, not ignored warnings."
"I already have pre-commit hooks."	"Hooks catch violations. Aphoria proves who approved the policy and when. That's the difference between 'we have policies' and 'we can prove enforcement.'"
"SOC 2 certified?"	"We help you generate evidence. The JSON export with policy provenance and acknowledgment trails is what your auditor needs. We're working on control mapping documentation."
"Why not Postgres?"	"You could build this. 6-9 months, 2-3 engineers. We've done the hard work. And we've solved problems you haven't hit yet - provenance, drift detection, exception tracking."
"How does this work with existing CI?"	"Pre-commit hook or CI step. Same `aphoria scan` command. JSON output for automation, human-readable for developers."
"What about secrets/credentials detection?"	"Aphoria focuses on configuration policy validation, not secrets scanning. Use Gitleaks for secrets. Use Aphoria for 'is this config compliant with our policies.'"

The Five Aha Moments (Summary)

#	Moment	What Impresses Them
1	Speed	<100ms staged, <1s full scan - fast enough for pre-commit without developer complaints
2	Attribution	Policy sources traced to signed Trust Packs - audit trail built in
3	Acknowledgments	Exceptions tracked with reason and timestamp - not `.sonar-ignore`
4	Drift Detection	"TLS version changed from 1.3 to 1.2" - caught before production
5	Compliance Export	SOC 2 evidence in minutes - JSON with full provenance

Keyboard Shortcuts (Slides)

Key	Action
`->` / `Space`	Next slide/fragment
`<-`	Previous
`S`	Speaker notes (new window)
`ESC`	Overview mode
`B`	Blackout
`F`	Fullscreen

If Something Goes Wrong

Problem	Recovery
Aphoria not found	Run `cargo build --release` in applications/aphoria
No violations detected	Check demo files exist in /tmp/aphoria-demo
Slides won't load	Check port 3001, run `npm run dev`
Slides won't advance	Click in the slide area first
Drift not showing	Ensure you ran `--persist` on both scans

Marcus Thompson Persona Notes

Who he is:

VP Platform Engineering at Series C fintech
400 engineers, scaling fast
Burned by SonarQube, Snyk, Semgrep "shelfware"
Needs proof, not promises

What he cares about:

Developer velocity (won't slow down CI)
Audit readiness (SOC 2 is on the roadmap)
Signal vs noise (hates false positives)
Proof of enforcement (not just "we have policies")

What makes him skeptical:

"We tried Semgrep. Developers ignored it."
"Snyk alerts are noise. Nobody reads them."
"SonarQube was a 6-month project. Then everyone turned it off."

What wins him over:

Speed (<100ms staged means pre-commit is viable)
Attribution (policy sources traced to signed Trust Packs)
Tracked exceptions (not .ignore files)
Drift detection (proactive, not reactive)
JSON export (audit evidence generation)

Last updated: 2026-02-06