stemedb/applications/aphoria-pitch/README.md

# Aphoria Demo Script

> **Duration:** 15-20 minutes + Q&A
> **Target Buyer:** Marcus Thompson (VP Platform Engineering, Series C fintech, 400 engineers)
> **URLs:** Slides at `localhost:3001`

---

## Pre-Demo Checklist

```bash
# Terminal 1: Build Aphoria
cd applications/aphoria && cargo build --release

# Terminal 2: Create demo project with intentional violations
mkdir /tmp/aphoria-demo && cd /tmp/aphoria-demo

# Create a Go file with TLS skip violation
cat > main.go << 'EOF'
package main

import (
    "crypto/tls"
    "net/http"
)

func main() {
    client := &http.Client{
        Transport: &http.Transport{
            TLSClientConfig: &tls.Config{
                InsecureSkipVerify: true, // VIOLATION: Disables cert verification
            },
        },
    }
    _ = client
}
EOF

# Create a config with weak TLS version
cat > config.yaml << 'EOF'
server:
  tls:
    min_version: "1.2"  # VIOLATION: Should be 1.3
    ciphers:
      - TLS_RSA_WITH_AES_128_CBC_SHA  # VIOLATION: Weak cipher
EOF

# Create a JWT config with weak algorithm
cat > auth.go << 'EOF'
package auth

import "github.com/golang-jwt/jwt/v5"

func CreateToken() {
    // VIOLATION: Using HS256 instead of RS256
    token := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
        "user": "admin",
    })
    _ = token
}
EOF

# Terminal 3: Start slides
cd applications/aphoria-pitch && npm run dev
```

**Verify before presenting:**
- [ ] `aphoria scan` runs without error on demo project
- [ ] Violations are detected (BLOCK for TLS skip, WARN for weak cipher)
- [ ] Slides load at `localhost:3001`
- [ ] Press `S` to verify speaker notes appear

---

## Part 1: Slides (localhost:3001)

### Slide 1: The Hook
**On screen:** "SOC 2 audit prep takes **180 hours**. 60% is proving 'who approved what.'"

**Say:**
> "How long did your last SOC 2 audit take? For most Series C companies, it's about 180 hours of engineering time. And 60 percent of that time is spent on 'audit archaeology' - reconstructing who approved what, when."
>
> "63 percent of security incidents trace to config drift from a known-good state. Not new vulnerabilities. Drift from what you already knew was correct."

**Then:** Press -> to reveal "The problem isn't missing policies. It's proving you enforced them."

---

### Slide 2: Why This Keeps Happening
**On screen:** Three pain points

**Say (reveal each with ->):**
> "AI generates code that looks correct. Copilot will happily write `InsecureSkipVerify = true` if you ask for a quick HTTP client. Does your PR review catch it? Every time?"
>
> "Your staff engineer wrote a best practices wiki. New hires don't read it. Contractors don't know it exists."
>
> "An auditor asks 'who approved this exception?' You spend 3 hours digging through Slack threads from 2023."

**Key point:** "Your security team writes policies. Nobody can prove they're followed. That's the gap."

---

### Slide 3: Introducing Aphoria
**On screen:** Aphoria logo + tagline

**Say:**
> "Aphoria is a code-level truth linter. We don't pattern-match like Semgrep. We validate your code against authoritative sources - RFCs, OWASP guidelines, your internal policies - with cryptographic provenance."

**Don't linger** - next slide explains the approach.

---

### Slide 4: Every Policy Has a Source
**On screen:** Three benefits

**Say (reveal each with ->):**
> "Cryptographic attribution. Every policy is signed by an approver. Not 'the linter said so.' It's 'signed by @security-team, Acme Security Standard version 3.2.'"
>
> "Sub-second scanning. Under 100 milliseconds for staged files, under 1 second for full scans. Fast enough for pre-commit hooks. Your developers won't disable it."
>
> "AI guardrails. Copilot generates insecure code. This catches it instantly, before the PR."

---

### Slide 5: What This Enables
**On screen:** Three capability cards

**Say:**
> "Policy governance - your security team publishes once, 400 engineers inherit instantly. No more 'update 50 repos.'"
>
> "Drift detection - 'TLS config changed from 1.3 to 1.2' - caught before production, not during the incident."
>
> "Compliance export - SOC 2 evidence in 15 minutes, not 3 days. Full JSON with provenance."

**Reveal:** "Every exception tracked with reason and timestamp."

---

### Slide 6: Demo Preview
**On screen:** CLI output preview

**Say:**
> "This is what you're about to see. A blocked violation with the exact policy it violates, who signed that policy, and how to get help."
>
> "I'm going to run this exact command live..."

**Then:** Switch to Terminal for live demo

---

## Part 2: Live Demo (Terminal)

### Demo Step 1: Speed
**Command:**
```bash
cd /tmp/aphoria-demo
time aphoria scan
```

**What they see:**
- Scan completes in under 1 second (typically ~650ms for full scan)
- 3 violations detected

**Say:**
> "Under a second for a full scan. Under 100 milliseconds for staged files only. That's fast enough for a pre-commit hook. Your developers won't disable it because they don't notice it."

**AMAZE MOMENT:** "This is pre-commit ready. No waiting. No 'I'll run it later.'"

---

### Demo Step 2: Attribution
**What they see in the output:**
```
BLOCK  code://go/aphoria-demo/main/tls/cert_verification
         Your code:  TLS certificate verification is disabled (main.go:12)
         Regulatory: Boolean(true) (Tier 0)
         Action:     Fix or acknowledge with: aphoria ack <path> --reason "..."
```

**Note:** After importing a Trust Pack with `aphoria policy import`, output includes:
```
         Source: Acme Security Standard v1.0 (5a3c7b...)
```

**Say:**
> "Look at the output. This isn't 'rule 47 failed.' It shows the exact file and line, what the regulatory standard requires, and how to handle exceptions."
>
> "When you import your org's Trust Pack, every violation traces to a signed policy source. When an auditor asks 'what's your policy on TLS verification?' - this is your answer. Not a wiki page. A cryptographically signed assertion."

**AMAZE MOMENT:** "The audit trail is built into every violation."

---

### Demo Step 3: Acknowledgments
**Command:**
```bash
aphoria ack code://go/aphoria-demo/main/tls/cert_verification \
  --reason "Integration test environment - legacy system migration"
```

**What they see:**
```
Conflict acknowledged.
```

**Re-scan shows the conflict now marked as ACK in the summary table:**

The violation appears with an `ACK` verdict instead of `BLOCK`, indicating it has been acknowledged. The acknowledgment reason and timestamp are stored in the audit trail.

**Say:**
> "Sometimes you need an exception. Not every violation is a real problem. Integration test environments, legacy migrations, third-party constraints."
>
> "This isn't `.sonar-ignore`. It's a tracked acknowledgment with a reason and timestamp, stored in the audit trail. When you re-scan, it shows as ACK instead of BLOCK."

**AMAZE MOMENT:** "Exceptions are tracked, not hidden."

**Coming Soon:** Acknowledgment expiry (`--expires`) to auto-resurface after a TTL.

---

### Demo Step 4: Drift Detection
**Command:**
```bash
# First scan with persistence
aphoria scan --persist

# Modify the config to introduce drift
sed -i '' 's/min_version: "1.2"/min_version: "1.1"/' config.yaml

# Second scan
aphoria scan --persist
```

**What they see:**
```
DRIFT   code://config/tls/min_version
        Previous:  1.2
        Current:   1.1
        Changed:   2024-02-06T14:32:00Z
```

**Say:**
> "Drift detection. Someone changed the TLS version from 1.2 to 1.1. Maybe it was intentional. Maybe it was a merge conflict gone wrong."
>
> "Either way, you know. Before production. Not during the incident."

**AMAZE MOMENT:** "63% of security incidents are config drift. This catches them."

---

### Demo Step 5: Compliance Export
**Command:**
```bash
aphoria scan --format json | jq '.violations | length'
aphoria scan --format json | jq '.acknowledgments'
aphoria scan --format json > soc2-evidence.json
```

**What they see:**
- Full JSON output with provenance
- Acknowledgments with reasons and timestamps
- Export-ready for SOC 2

**Say:**
> "15 minutes, not 3 days. Your SOC 2 auditor asks for evidence of policy enforcement. You give them this JSON file."
>
> "Every violation. Every acknowledgment. Full audit trail. Machine-readable. Auditor-friendly."

**AMAZE MOMENT:** "SOC 2 evidence generation goes from days to minutes."

---

## Part 3: Return to Slides

### Slide 7: Questions
**Page:** Back to localhost:3001, press -> to reach Q&A slide

**What they see:** Recap of what they just saw

**Be ready for:**

| Question | Answer |
|----------|--------|
| "Why not just write better Semgrep rules?" | "Semgrep rules don't track who approved exceptions. Aphoria has cryptographic provenance. Every policy traces to a signer." |
| "What's the false positive rate?" | "We check against authoritative sources, not pattern matching. False positives are policy disagreements, not tool bugs. And those surface as conversations, not ignored warnings." |
| "I already have pre-commit hooks." | "Hooks catch violations. Aphoria proves who approved the policy and when. That's the difference between 'we have policies' and 'we can prove enforcement.'" |
| "SOC 2 certified?" | "We help you generate evidence. The JSON export with policy provenance and acknowledgment trails is what your auditor needs. We're working on control mapping documentation." |
| "Why not Postgres?" | "You could build this. 6-9 months, 2-3 engineers. We've done the hard work. And we've solved problems you haven't hit yet - provenance, drift detection, exception tracking." |
| "How does this work with existing CI?" | "Pre-commit hook or CI step. Same `aphoria scan` command. JSON output for automation, human-readable for developers." |
| "What about secrets/credentials detection?" | "Aphoria focuses on configuration policy validation, not secrets scanning. Use Gitleaks for secrets. Use Aphoria for 'is this config compliant with our policies.'" |

---

## The Five Aha Moments (Summary)

| # | Moment | What Impresses Them |
|---|--------|---------------------|
| 1 | Speed | <100ms staged, <1s full scan - fast enough for pre-commit without developer complaints |
| 2 | Attribution | Policy sources traced to signed Trust Packs - audit trail built in |
| 3 | Acknowledgments | Exceptions tracked with reason and timestamp - not `.sonar-ignore` |
| 4 | Drift Detection | "TLS version changed from 1.3 to 1.2" - caught before production |
| 5 | Compliance Export | SOC 2 evidence in minutes - JSON with full provenance |

---

## Keyboard Shortcuts (Slides)

| Key | Action |
|-----|--------|
| `->` / `Space` | Next slide/fragment |
| `<-` | Previous |
| `S` | Speaker notes (new window) |
| `ESC` | Overview mode |
| `B` | Blackout |
| `F` | Fullscreen |

---

## If Something Goes Wrong

| Problem | Recovery |
|---------|----------|
| Aphoria not found | Run `cargo build --release` in applications/aphoria |
| No violations detected | Check demo files exist in /tmp/aphoria-demo |
| Slides won't load | Check port 3001, run `npm run dev` |
| Slides won't advance | Click in the slide area first |
| Drift not showing | Ensure you ran `--persist` on both scans |

---

## Marcus Thompson Persona Notes

**Who he is:**
- VP Platform Engineering at Series C fintech
- 400 engineers, scaling fast
- Burned by SonarQube, Snyk, Semgrep "shelfware"
- Needs proof, not promises

**What he cares about:**
- Developer velocity (won't slow down CI)
- Audit readiness (SOC 2 is on the roadmap)
- Signal vs noise (hates false positives)
- Proof of enforcement (not just "we have policies")

**What makes him skeptical:**
- "We tried Semgrep. Developers ignored it."
- "Snyk alerts are noise. Nobody reads them."
- "SonarQube was a 6-month project. Then everyone turned it off."

**What wins him over:**
- Speed (<100ms staged means pre-commit is viable)
- Attribution (policy sources traced to signed Trust Packs)
- Tracked exceptions (not .ignore files)
- Drift detection (proactive, not reactive)
- JSON export (audit evidence generation)

---

*Last updated: 2026-02-06*