stemedb/applications/aphoria
jml ef2c8c5940 fix(aphoria): fix 3 critical verification engine bugs
Fixed 3 bugs in Aphoria's claim verification engine that were causing
false positives in Maxwell validation testing:

**Bug 1: Path matching + predicate filtering**
- Added predicate filtering to prevent cross-predicate matches
- Added path prefix matching to respect crate boundaries
- Prevents core/imports/serde from matching hypervisor/vsock/imports/serde

**Bug 2: Value-specific absent checks**
- Absent mode now checks for specific forbidden value, not any observation
- Example: "Clone absent" + "Debug present" = PASS (not CONFLICT)
- Only conflicts when the exact forbidden value is found

**Bug 3: Wildcard pattern support**
- Wildcard patterns like message/*/derives now match multiple paths
- Enhanced wildcard_matches() to support prefix/*/suffix patterns
- Correctly strips full scheme+language from observation paths

**Test coverage:**
- All 39 existing tests passing
- 3 new tests added for bug fixes
- 2 tests updated to use correct predicates
- Zero clippy warnings

**Maxwell validation:**
- maxwell-core-no-serde-001: CONFLICT → PASS (respects path boundaries)
- maxwell-singleton-no-clone-001: CONFLICT → PASS (value-specific absent)
- 5 claims now correctly show as MISSING (expose predicate mismatches)

The fixes successfully eliminate false positives while exposing pre-existing
issues where claims used incorrect predicates.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-08 15:13:10 +00:00
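The three fixes listed in the commit message describe a small amount of matching logic: filter observations by predicate, treat a claim path as a prefix that stops at a `/` boundary, support a single `prefix/*/suffix` wildcard, strip `scheme://language/` from stored observation paths, and let an "absent" claim conflict only on the exact forbidden value. The following is an added example written for this page, not Aphoria's own code; every type, function name and fixture value in it is an assumption about the engine's shape, chosen so the two Maxwell cases named above (`core-no-serde`, `singleton-no-clone`) come out as PASS and a mis-predicated claim comes out as MISSING.

```rust
// Added example, not Aphoria's own code: a minimal model of the three
// verification-engine fixes named in the commit message. Every type and
// function name here is an assumption about the real engine.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Mode { Present, Absent }

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Verdict { Pass, Conflict, Missing }

pub struct Claim<'a> {
    pub id: &'a str,
    pub path: &'a str,      // crate-relative path, may contain one "/*/" wildcard
    pub predicate: &'a str, // e.g. "imports" or "derives"
    pub mode: Mode,
    pub value: &'a str,     // value that must be present (or must be absent)
}

pub struct Observation<'a> {
    pub raw_path: &'a str, // stored as "scheme://language/<crate-relative path>"
    pub predicate: &'a str,
    pub value: &'a str,
}

/// Fix 3 (third bullet): drop "scheme://language/" from a stored observation
/// path so it can be compared with crate-relative claim paths.
pub fn strip_scheme_language(raw: &str) -> Option<&str> {
    let (_scheme, rest) = raw.split_once("://")?;
    let (_language, path) = rest.split_once('/')?;
    Some(path)
}

/// Fixes 1 and 3: a claim path matches an observation path when it is equal,
/// a prefix ending at a '/' boundary ("core" covers "core/imports/serde" but
/// not "corelib/x" or "hypervisor/vsock/imports/serde"), or a
/// "prefix/*/suffix" pattern whose '*' stands for one or more segments.
pub fn wildcard_matches(pattern: &str, path: &str) -> bool {
    match pattern.split_once("/*/") {
        Some((prefix, suffix)) => {
            let head = format!("{prefix}/");
            let tail = format!("/{suffix}");
            path.starts_with(&head)
                && path.ends_with(&tail)
                && path.len() > head.len() + tail.len() // middle must be non-empty
        }
        None => path == pattern || path.starts_with(&format!("{pattern}/")),
    }
}

/// Fix 1: only observations with the claim's predicate and a path inside the
/// claim's boundary count. Fix 2: an Absent claim conflicts only when the exact
/// forbidden value is observed; other observed values leave it passing.
pub fn verify(claim: &Claim<'_>, observations: &[Observation<'_>]) -> Verdict {
    let matching: Vec<&Observation<'_>> = observations
        .iter()
        .filter(|o| o.predicate == claim.predicate)
        .filter(|o| strip_scheme_language(o.raw_path).is_some_and(|p| wildcard_matches(claim.path, p)))
        .collect();
    let value_found = matching.iter().any(|o| o.value == claim.value);
    match claim.mode {
        Mode::Absent if value_found => Verdict::Conflict,
        Mode::Absent => Verdict::Pass,
        Mode::Present if value_found => Verdict::Pass,
        // Nothing observed under this predicate/path: most likely the claim
        // names the wrong predicate, which the commit reports as MISSING.
        Mode::Present if matching.is_empty() => Verdict::Missing,
        Mode::Present => Verdict::Conflict,
    }
}

/// Constructed fixture modelled on the paths quoted in the commit message.
pub fn sample_observations() -> Vec<Observation<'static>> {
    vec![
        Observation { raw_path: "code://rust/core/imports/tokio", predicate: "imports", value: "tokio" },
        Observation { raw_path: "code://rust/hypervisor/vsock/imports/serde", predicate: "imports", value: "serde" },
        Observation { raw_path: "code://rust/singleton/derives", predicate: "derives", value: "Debug" },
        Observation { raw_path: "code://rust/message/request/derives", predicate: "derives", value: "Debug" },
        Observation { raw_path: "code://rust/message/response/derives", predicate: "derives", value: "Debug" },
    ]
}

/// Constructed claims: the two Maxwell cases from the commit, a wildcard
/// claim, a mis-predicated claim and a genuine conflict.
pub fn sample_claims() -> Vec<Claim<'static>> {
    vec![
        Claim { id: "core-no-serde", path: "core", predicate: "imports", mode: Mode::Absent, value: "serde" },
        Claim { id: "singleton-no-clone", path: "singleton", predicate: "derives", mode: Mode::Absent, value: "Clone" },
        Claim { id: "messages-derive-debug", path: "message/*/derives", predicate: "derives", mode: Mode::Present, value: "Debug" },
        Claim { id: "wrong-predicate", path: "core", predicate: "derives", mode: Mode::Present, value: "Debug" },
        Claim { id: "hypervisor-uses-tokio", path: "hypervisor", predicate: "imports", mode: Mode::Present, value: "tokio" },
    ]
}

pub fn run_samples() -> Vec<(&'static str, Verdict)> {
    let obs = sample_observations();
    sample_claims().iter().map(|c| (c.id, verify(c, &obs))).collect()
}

fn main() {
    for (id, verdict) in run_samples() {
        println!("{id:<24} {verdict:?}");
    }
}
```

The `core-no-serde` claim passes because the only `imports` observation under `core/` is `tokio`; the `hypervisor/vsock/imports/serde` observation never enters the candidate set, since the claim path is matched as a `/`-bounded prefix rather than a substring. The `wrong-predicate` claim returns `Missing` rather than `Pass`, which is the behaviour the commit describes for claims whose predicate does not match any observation.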
| Name | Last commit | Date |
|---|---|---|
| docs | feat(aphoria): implement claims architecture (A1-A5) with verify engine, corpus, coverage, and explain | 2026-02-08 09:11:47 +00:00 |
| skill | feat: Phase 6 UAT - Admission control, HLC recency, cluster coordination | 2026-02-03 00:43:37 -07:00 |
| src | fix(aphoria): fix 3 critical verification engine bugs | 2026-02-08 15:13:10 +00:00 |
| tests/llm_fixtures | feat: Complete Aphoria Phase 8-9 + UAT suite (90/90 tests passing) | 2026-02-06 22:50:55 -07:00 |
| uat | feat: Institutional knowledge vision + roadmap phases 11-15 | 2026-02-06 23:35:41 -07:00 |
| .env.example | feat: Complete Aphoria Phase 8-9 + UAT suite (90/90 tests passing) | 2026-02-06 22:50:55 -07:00 |
| aphoria-vision.pdf | feat: WAL hardening (Phase 5B) - CRC32C, crash recovery, group commit, log rotation | 2026-02-02 12:36:35 -07:00 |
| Cargo.toml | feat(aphoria): implement claims architecture (A1-A5) with verify engine, corpus, coverage, and explain | 2026-02-08 09:11:47 +00:00 |
| product.md | feat: Aphoria policy source tracking + claim extraction pipeline | 2026-02-04 02:35:02 -07:00 |
| protocol_vision.md | feat: Aphoria policy source tracking + claim extraction pipeline | 2026-02-04 02:35:02 -07:00 |
| README.md | docs: add solo developer and enterprise pilot guides | 2026-02-07 07:45:56 -07:00 |
| roadmap-archive.md | feat(aphoria): implement claims architecture (A1-A5) with verify engine, corpus, coverage, and explain | 2026-02-08 09:11:47 +00:00 |
| roadmap.md | feat(aphoria): implement claims architecture (A1-A5) with verify engine, corpus, coverage, and explain | 2026-02-08 09:11:47 +00:00 |
| spec.md | feat: Multi-application expansion with chaos testing and community UI | 2026-02-04 01:24:14 -07:00 |
| vision.md | feat: Complete Aphoria Phase 14 - Governance Workflows | 2026-02-07 05:16:26 -07:00 |

Aphoria

A code-level truth linter powered by Episteme.

Aphoria scans your codebase for configuration patterns that contradict authoritative technical standards (RFCs, OWASP, vendor docs). Unlike linters that check syntax or SAST tools that find vulnerability patterns, Aphoria validates intent against authority.

$ aphoria scan .

BLOCK  code://python/requests/tls/cert_verification
       Your code:  verify=False (api/client.py:42)
       RFC 5246:   TLS certificate verification MUST be enabled
       Conflict:   0.92

1 conflict found (1 BLOCK).

Quick Start

Install

# From source
cd applications/aphoria
cargo install --path .

# Verify
aphoria --version

Initialize

aphoria init

This loads the authoritative corpus (RFCs, OWASP guidelines) into your local database.

Scan

# Quick scan (ephemeral, fast)
aphoria scan .

# With persistence (enables diff/baseline)
aphoria scan --persist

# CI mode (exit code 1 on BLOCK)
aphoria scan --exit-code

# Pre-commit (staged files only)
aphoria scan --staged --exit-code

Handle Conflicts

Fix the code:

# Before: verify=False
# After:
requests.get(url, verify=True)

Or acknowledge intentionally:

aphoria ack "code://python/requests/tls/cert_verification" \
  --reason "Local dev environment with self-signed certs"

Output Formats

aphoria scan --format table     # Human-readable (default)
aphoria scan --format json      # Machine-readable
aphoria scan --format sarif     # GitHub Security tab
aphoria scan --format markdown  # Documentation

Pre-commit Integration

# .pre-commit-config.yaml
repos:
  - repo: local
    hooks:
      - id: aphoria
        name: Aphoria truth check
        entry: aphoria scan --staged --exit-code
        language: system
        pass_filenames: false

CI Integration (GitHub Actions)

- name: Install Aphoria
  run: cargo install --path applications/aphoria

- name: Run Aphoria Scan
  run: aphoria scan --exit-code --format sarif > results.sarif

- name: Upload SARIF
  uses: github/codeql-action/upload-sarif@v2
  with:
    sarif_file: results.sarif

Key Commands

| Command | Description |
|---|---|
| aphoria scan | Scan for conflicts with authoritative sources |
| aphoria ack | Acknowledge a conflict as intentional |
| aphoria bless | Define a pattern as your authoritative standard |
| aphoria policy export | Export standards as a Trust Pack |
| aphoria policy import | Import a Trust Pack from your security team |
| aphoria governance pending | List approval requests (Phase 14) |
| aphoria audit export | Export audit trail for SOC 2 compliance |

Conflict Verdicts

| Verdict | Description | CI Behavior |
|---|---|---|
| BLOCK | High-confidence conflict with RFC/OWASP | Fails with --exit-code |
| FLAG | Moderate-confidence conflict | Passes, visible in report |
| ACK | Acknowledged conflict | Passes, tracked for audit |
| PASS | No conflict | - |

Guides

| Guide | Audience | Time |
|---|---|---|
| Solo Developer Guide | Individual developers, side projects | 2 min |
| Enterprise Pilot Guide | Security teams running pilots | 4 weeks |
| Enterprise Quick Start | Platform engineering | 5 min |
| The First Scan | Everyone | 10 min |

What Aphoria Is Not

  • Not a linter. Linters check syntax. Aphoria checks decisions against authoritative sources.
  • Not SAST. SAST finds vulnerability patterns. Aphoria finds contradictions to specific standards.
  • Not AI autocomplete. Copilot suggests code from the internet. Aphoria surfaces your org's decisions at the moment you contradict them.

License

See LICENSE for details.