
Security: Open-Research-Development-Laboratories/ordl-operator-core

SECURITY.md

Security Policy

Supported Versions

Version Supported
0.1.x

Security Model

ORDL Operator Core is designed for high-stakes environments where safety and auditability are paramount.

Deterministic Safety Bounds

  • Every action must pass through a deterministic validator before execution
  • Learned models can suggest but never override hard safety constraints
  • Policy changes are promotion-gated: observe → replay → evaluate → promote

Cryptographic Audit Trail

  • Every step is logged with HMAC-SHA3-256 per record
  • verify_chain() detects tampering in the step log
  • Audit logs support query by actor, adapter, time range, and classification
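A sketch of how a per-record HMAC-SHA3-256 chain lets a verifier locate tampering, added here as an example and not taken from the ORDL code base. Only the name verify_chain() and the record fields come from this page; the record layout, the chaining of each MAC over the previous one, GENESIS, append_step() and the expected_head parameter are assumptions.

```python
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64  # assumed anchor value that precedes the first record


def _mac(key, seq, prev_mac, payload):
    # Canonical JSON: the same record always serialises to the same bytes.
    body = json.dumps({"seq": seq, "prev": prev_mac, "payload": payload},
                      sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha3_256).hexdigest()


def append_step(log, key, payload):
    seq = len(log)
    prev = log[-1]["mac"] if log else GENESIS
    log.append({"seq": seq, "payload": payload,
                "mac": _mac(key, seq, prev, payload)})


def verify_chain(log, key, expected_head=None):
    """Return the index of the first failing record, or None if intact."""
    prev = GENESIS
    for i, rec in enumerate(log):
        want = _mac(key, i, prev, rec["payload"])
        if rec["seq"] != i or not hmac.compare_digest(want, rec["mac"]):
            return i
        prev = rec["mac"]
    # A chain alone cannot reveal a cut-off tail; compare against a head MAC
    # that was stored somewhere the log writer cannot reach.
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return len(log)
    return None


def demo():
    key = b"constructed-demo-key"  # constructed; never hard-code a real key
    log = []
    for action in ("observe", "observe", "observe"):  # constructed records
        append_step(log, key, {"actor": "op-1", "adapter": "scada",
                               "action": action, "classification": "U"})
    head = log[-1]["mac"]
    edited = copy.deepcopy(log)
    edited[1]["payload"]["actor"] = "op-2"  # in-place edit of one record
    return {"intact": verify_chain(log, key, head),
            "edited": verify_chain(edited, key, head),
            "dropped": verify_chain(log[:1] + log[2:], key, head),
            "truncated": verify_chain(log[:2], key, head)}
```

Without expected_head, a log with its last records removed still verifies, which is why the head MAC has to be anchored outside the log itself.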

Classification Handling

  • Native support for USG, NATO, EU, UN, HIPAA, German, Brazilian, and Japanese classification schemes
  • Peer compatibility filtering in federated deployments
  • Clearance-based truth filtering before ingestion

Air-Gapped Deployment

  • Core kernel has no external dependencies beyond numpy (stdlib + numpy only)
  • Optional defusedxml for secure XML parsing in energy grid adapters
  • All external HTTP requests validate URL schemes (http/https only)

Static Analysis

# Bandit security scan
bandit -c .bandit -r src/

# Ruff lint
ruff check src/ tests/ scripts/

Current status:

  • Bandit: 0 high/medium issues
  • Ruff: clean

Reporting a Vulnerability

Do not open a public issue for security vulnerabilities.

Instead, email security disclosures to the maintainers directly. Include:

  • Affected component and version
  • Steps to reproduce
  • Severity assessment (CVSS if available)
  • Suggested fix (if known)

We will acknowledge receipt within 48 hours and provide a timeline for fix and disclosure.

Known Limitations

  1. CISA KEV feed availability depends on DNS resolution of api.cisa.gov — this is an environmental/network dependency, not a code vulnerability
  2. SCADA adapter is read-only by architecture — any non-observe action is rejected at the validation layer
  3. Synthetic fallback data uses the random module; this is intentional for operational continuity, and it is not used for cryptographic operations
