[codex] Add sanitized demo finding card

docs/demo/README.md

@@ -51,11 +51,12 @@ This package does not claim:
 
 ## What To Open First
 
-1. [`demo-narrative-one-pager.md`](demo-narrative-one-pager.md) — shortest public-facing story.
-2. [`iamscope-vs-pacu-pmapper.md`](iamscope-vs-pacu-pmapper.md) — positioning against Pacu and PMapper without disparaging either tool.
-3. [`recorded-demo-script.md`](recorded-demo-script.md) — 7-10 minute recording script.
-4. [`live-demo-runbook.md`](live-demo-runbook.md) — safe no-AWS and authorized-AWS demo modes.
-5. [`../case-studies/real-pilot-dev-001-human-review-summary.md`](../case-studies/real-pilot-dev-001-human-review-summary.md) — final calibrated real-pilot evidence.
+1. [`sanitized-finding-card.md`](sanitized-finding-card.md) — concrete sanitized finding artifact to show in the first minute.
+2. [`demo-narrative-one-pager.md`](demo-narrative-one-pager.md) — shortest public-facing story.
+3. [`iamscope-vs-pacu-pmapper.md`](iamscope-vs-pacu-pmapper.md) — positioning against Pacu and PMapper without disparaging either tool.
+4. [`recorded-demo-script.md`](recorded-demo-script.md) — 7-10 minute recording script.
+5. [`live-demo-runbook.md`](live-demo-runbook.md) — safe no-AWS and authorized-AWS demo modes.
+6. [`../case-studies/real-pilot-dev-001-human-review-summary.md`](../case-studies/real-pilot-dev-001-human-review-summary.md) — final calibrated real-pilot evidence.
 
 ## How To Use The Final Real-Pilot Case Study
 
@@ -70,5 +71,6 @@ Use the case study as the evidence anchor, not as a broad score. The useful revi
 
 - [`recorded-demo-script.md`](recorded-demo-script.md)
 - [`live-demo-runbook.md`](live-demo-runbook.md)
+- [`sanitized-finding-card.md`](sanitized-finding-card.md)
 - [`iamscope-vs-pacu-pmapper.md`](iamscope-vs-pacu-pmapper.md)
 - [`demo-narrative-one-pager.md`](demo-narrative-one-pager.md)

docs/demo/live-demo-runbook.md

@@ -10,13 +10,34 @@ This runbook supports two demo modes: a no-AWS walkthrough and an explicitly aut
 - Do not commit raw `scenario.json`, `findings.json`, labels, logs, or generated review artifacts.
 - Do not present any result as production readiness, exploitability proof, full IAM safety, a composite score, or a pass/fail benchmark label.
 
+## Redaction Preflight Before Screen Sharing
+
+Before showing repo docs or generated demo output, run safe local checks like:
+
+```bash
+grep -R --line-number -E '[0-9]{12}' docs/demo docs/case-studies docs/reference || true
+grep -R --line-number -E 'arn:aws:' docs/demo docs/case-studies docs/reference || true
+```
+
+Review any hits before screen sharing. Pattern-only command examples are not raw artifacts, but raw 12-digit account IDs, raw IAM/STS ARNs, local role names, raw policy docs, and local real-pilot outputs should stay off-screen unless separately authorized and sanitized.
+
+Do not screen-share raw `scenario.json`, `binding_metadata.json`, `findings.json`, or local real-pilot artifacts unless they have been separately sanitized.
+
+Prefer showing:
+
+- [`sanitized-finding-card.md`](sanitized-finding-card.md)
+- [`demo-narrative-one-pager.md`](demo-narrative-one-pager.md)
+- [`iamscope-vs-pacu-pmapper.md`](iamscope-vs-pacu-pmapper.md)
+- [`../reference/capability-honesty-matrix.md`](../reference/capability-honesty-matrix.md)
+- [`../case-studies/real-pilot-dev-001-human-review-summary.md`](../case-studies/real-pilot-dev-001-human-review-summary.md)
+
 ## Mode A — No-AWS Demo
 
 Use this mode for recorded demos, public walkthroughs, and first-pass reviewer conversations.
 
 Steps:
 
-1. Open [`README.md`](README.md).
+1. Open [`sanitized-finding-card.md`](sanitized-finding-card.md).
 2. Open [`demo-narrative-one-pager.md`](demo-narrative-one-pager.md).
 3. Open [`iamscope-vs-pacu-pmapper.md`](iamscope-vs-pacu-pmapper.md).
 4. Open [`../reference/capability-honesty-matrix.md`](../reference/capability-honesty-matrix.md).

docs/demo/recorded-demo-script.md

@@ -2,15 +2,29 @@
 
 Target length: 7-10 minutes.
 
-## 0:00-0:45 — Problem
+## 0:00-1:00 — Concrete Finding First
 
-IAM trust is messy. A reviewer does not only need a scary graph edge or an exploit module; they need to know what is supported by evidence, what is blocked, what is uncertain, and what should be reviewed first.
+Open [`sanitized-finding-card.md`](sanitized-finding-card.md).
 
 Say:
 
-> “IAMScope is built for evidence-grade IAM review. It does not try to prove the account is safe, and it does not claim exploitability.”
+> “IAMScope helps cloud security teams turn messy AWS IAM relationships into evidence-backed attack-path findings a reviewer can actually act on.”
 
-## 0:45-1:45 — Positioning: Pacu vs PMapper vs IAMScope
+Show the card fields first:
+
+- Source: `ExternalOrBroadPrincipalAlias`.
+- Target: `ProdDeployRoleAlias`.
+- Pattern: `cross_account_trust`.
+- Verdict: `validated`.
+- Reviewer label: `valid_path`.
+- Owner confirmed: `true`.
+- Collection context: `complete`.
+
+Say:
+
+> “This is a sanitized presentation artifact, not raw findings.json. Validated does not mean exploited, but it does mean IAMScope has enough modeled evidence to send this trust relationship to an owner for review.”
+
+## 1:00-2:00 — Positioning: Pacu vs PMapper vs IAMScope
 
 Show [`iamscope-vs-pacu-pmapper.md`](iamscope-vs-pacu-pmapper.md).
 
@@ -22,7 +36,7 @@ Talk track:
 
 Do not disparage Pacu or PMapper. They solve different jobs.
 
-## 1:45-3:00 — Capability-Honesty Matrix
+## 2:00-2:45 — Capability-Honesty Matrix
 
 Open [`../reference/capability-honesty-matrix.md`](../reference/capability-honesty-matrix.md).
 
@@ -37,7 +51,7 @@ Say:
 
 > “The matrix is part of the product. It tells reviewers what not to believe.”
 
-## 3:00-4:30 — Real-Pilot Case Study And Final Calibrated Replay
+## 2:45-4:15 — Real-Pilot Case Study And Final Calibrated Replay
 
 Open [`../case-studies/real-pilot-dev-001-human-review-summary.md`](../case-studies/real-pilot-dev-001-human-review-summary.md).
 
@@ -58,9 +72,9 @@ Say:
 
 > “This is bounded real-pilot evidence. It is not production readiness, exploitability proof, or full IAM safety.”
 
-## 4:30-6:00 — Cross-Account Trust Finding
+## 4:15-5:45 — Cross-Account Trust Finding
 
-Walk through one `cross_account_trust` row from the sanitized local review material if it is present locally. If the raw or sanitized table is not available, use the case-study summary instead.
+Return to [`sanitized-finding-card.md`](sanitized-finding-card.md) or walk through one `cross_account_trust` row from sanitized local review material if it is present locally. If the raw or sanitized table is not available, use the committed sanitized card and case-study summary instead.
 
 Explain:
 
@@ -71,7 +85,7 @@ Explain:
 
 Avoid showing raw account IDs or raw IAM/STS ARNs unless the demo owner explicitly authorizes it.
 
-## 6:00-7:30 — Admin Reachability Finding
+## 5:45-7:15 — Admin Reachability Finding
 
 Walk through one `admin_reachability` row from the sanitized local review material if present.
 
@@ -87,7 +101,7 @@ Say:
 
 > “Validated does not mean exploited. It means IAMScope’s modeled checks for this finding passed under the current bounded evidence.”
 
-## 7:30-8:30 — Collection Context And Non-Claims
+## 7:15-8:15 — Collection Context And Non-Claims
 
 Show that `collection_context` is complete:
 
@@ -105,7 +119,7 @@ Then read the non-claims:
 - no composite score.
 - no pass/fail benchmark label.
 
-## 8:30-9:30 — Owner-Confirmation Layer
+## 8:15-9:15 — Owner-Confirmation Layer
 
 Explain why owner-confirmation matters:
 
@@ -114,7 +128,7 @@ Explain why owner-confirmation matters:
 - owner confirmation is bounded to those findings only;
 - this creates a review trail without claiming broad IAMScope correctness.
 
-## 9:30-10:00 — Close
+## 9:15-10:00 — Close
 
 Close with:
 

docs/demo/sanitized-finding-card.md

@@ -0,0 +1,73 @@
+# Sanitized Finding Card
+
+This is a sanitized presentation artifact, not raw findings.json.
+
+It is designed for the first minute of a recorded or live no-AWS demo. It uses aliases only and intentionally omits raw account IDs, raw ARNs, raw policy JSON, and local real-pilot artifacts.
+
+## What The Finding Is
+
+This card represents an owner-confirmed broad-trust finding shape from the real-pilot review: a principal outside the target role's normal ownership boundary can reach a deploy-capable role through a broad trust relationship.
+
+Use this as a concrete example of IAMScope's reviewer workflow, not as a raw export.
+
+## Why A Reviewer Should Care
+
+Broad trust relationships are easy to miss in large AWS estates. They may be expected, but they should be explainable, owned, and constrained. IAMScope turns the relationship into a finding with a verdict, checks, evidence references, collection context, and a human review label so the owner can decide whether to keep, narrow, or remove the trust.
+
+## Finding Card
+
+| Field | Sanitized demo value |
+| --- | --- |
+| Source | `ExternalOrBroadPrincipalAlias` |
+| Target | `ProdDeployRoleAlias` |
+| Pattern | `cross_account_trust` |
+| Verdict | `validated` |
+| Reviewer label | `valid_path` |
+| Owner confirmed | `true` |
+| Collection context | `complete` |
+| Demo action | Owner should confirm the business need, narrow the trust if possible, and document the exception if it remains required. |
+
+## Required Checks
+
+| Check | State | Demo explanation |
+| --- | --- | --- |
+| `trust_principal_is_cross_account_or_broad` | `pass` | The trust shape is broad enough to require owner review. |
+| `trust_conditions_are_strong_enough` | `pass` | No unresolved condition prevents IAMScope from making the bounded finding claim. |
+| `source_membership_context_available` | `pass` | The collection context is complete for this finding. |
+| `no_modeled_scp_blocker_for_trust` | `pass` | IAMScope did not find a modeled SCP blocker for this trust path. |
+| `owner_review_label_present` | `pass` | A reviewer classified this representative broad-trust shape as `valid_path`. |
+
+## What IAMScope Says Is Proven
+
+IAMScope's modeled evidence supports this as a reviewable, validated `cross_account_trust` finding under the collected graph and current reasoner rules.
+
+The useful reviewer statement is:
+
+> “This trust relationship is real enough to review. The owner should confirm whether this broad trust is intentional and whether it can be narrowed.”
+
+## What IAMScope Does Not Claim
+
+Validated does not mean exploited.
+
+No finding does not mean safe.
+
+This card does not claim:
+
+- production readiness.
+- exploitability proof.
+- downstream authorization proof.
+- full IAM safety.
+- full AWS authorization semantics.
+- broad IAMScope correctness.
+- that IAMScope replaces Pacu, PMapper, CNAPPs, or human review.
+
+## Owner Action
+
+1. Confirm whether `ProdDeployRoleAlias` should trust `ExternalOrBroadPrincipalAlias`.
+2. If the trust is required, document the owner and business reason.
+3. If the trust can be narrowed, replace broad trust with specific principals and strong conditions.
+4. Re-run IAMScope or replay sanitized artifacts to confirm the finding changes as expected.
+
+## Safe Wording For Demo
+
+> “Here is one sanitized finding card. IAMScope is not saying this was exploited. It is saying the collected evidence supports a validated broad-trust finding that a cloud security reviewer and role owner can act on.”