Zain Dana HarperORCA · the accountable assessment runner

OPERATOR TOOLING · ORCA

Run the assessment, keep the receipts — and never touch the target.

When you do authorized security work — hired, permitted attacking of a system to find its weak spots before a real attacker does — the easy part to get wrong is the discipline around it: what was in the agreed boundary of what may be touched, what you actually ran, what you found, and whether the report you hand over matches the work you did. ORCA is the command-line workbench I run that part from. You open a local engagement workspace, write down the in-scope assets and the findings as plain records, run a set of checks that give the same answer every time over that workspace, and it produces a Markdown report and a portable bundle of the results. The line it will not cross is the important one: everything it does is local and metadata-only (it reads descriptions of things, not the things themselves). It does not scan, probe, resolve, connect to, or attack anything — there is no network or exploitation capability in it at all.

It runs the bookkeeping of an assessment, accountably. It is not a scanner, and it cannot reach the thing being assessed.

v1.0.0 · 361 tests · private operator tool · local-first · metadata-only

The same discipline as the rest of my work, pointed at an engagement.

Everything else I build is about making what a machine does checkable: bound it, witness it, refuse the unclear case. ORCA is that habit applied to the place I most needed it — running a security engagement without losing the thread of what was authorized and what was done. An engagement is a local workspace: the agreed boundary of what may be touched, the assets in it, the findings as you record them. None of those records reach out to the real systems they name — they are notes about the work, held on your own disk.

Each capability in ORCA carries the mode it is allowed to run in — sim, dry_run, local_lab, or authorized_run — and the tool refuses to run a capability in a mode that capability does not declare. A checkpoint that says no until it is sure. The checks give the same answer every time: run them again and you get the same result, with no duplicated findings, and anything that doesn’t apply is reported as skipped rather than quietly dropped. The point is that an assessment, like everything else here, should be something you can re-run and re-read — not something you have to take on trust.

It reads only the workspace you build. It never reaches the asset values you record — there is nothing in it that could.

A release you can verify, not just trust.

ORCA ships the way I think every tool should: the v1.0.0 release carries not only the package, but a checksum manifest (a list of fingerprints, one per file, so you can confirm nothing changed) and a provenance receipt — a record of where it came from: the package’s identity, the source revision it was built from, the Python version and platform it was built on, and the digests, all in one file. So before you run it, you can check that what you have is what was built. That is the same move the rest of my tools make about everything else, turned on the tool itself: here is the file, and here is how you work out for yourself that it’s the real one.

Five files in the release: the wheel, the source archive, a portable bundle, a checksum manifest, and the provenance receipt that ties them together.

Don’t take its word that it’s healthy and bounded. Ask it.

ORCA can check its own install and report exactly what it is, in plain output — the version, the capabilities it carries, where it keeps state, and that it’s ready. Real output, nothing edited.

Exhibit I ORCA · the install reports itself
$ python -m orca --version
orca 1.0.0

# doctor — a self-check that says what this install actually is
$ python -m orca doctor
ORCA doctor
profile: local
ready: true
check: package   ok   version=1.0.0 capabilities=27
check: registry  ok   capabilities=27
check: modules   ok   descriptors=5
check: state_dir ok   .orca/state
check: artifact_dir ok .orca/artifacts

It tells you what it is before you ask it to do anything: a known version, a fixed set of capabilities, and a local place it keeps its state. No surprises, and nothing reaching off your machine.

Real output from python -m orca doctor on a clean install — Python 3.11+, v1.0.0, 361 tests, CI green on 3.11 and 3.12. The everyday flow is engagement (open a workspace) → assess (run the local checks) → report (write the Markdown report) → bundle (a portable ZIP) — and orca demo create builds a whole worked example in one command. Honest limit: the assessment checks are deliberately small and local — seven metadata-only checks and three local module types. This is the accountable runner for an engagement, not a vulnerability scanner, and it is by design unable to be one.

What it is, and what it is not.

ORCA is a local-first command-line runner for authorized assessment work — v1.0.0, 361 tests, with checksums and a provenance receipt on every build. Its whole safety model is one sentence: it is local and metadata-only (it reads descriptions of things, not the things themselves), and it has no way to reach a target. It does not scan, probe, resolve, connect to, or attack anything; the records you keep are notes about the work, not connections to the systems they name; and it refuses to run a capability in a mode that capability does not declare.

It cannot touch the target. That isn’t a setting — there is no capability in it that reaches off your disk.

The honest edges: the set of built-in checks is small on purpose — this is the discipline-and-bookkeeping layer of an engagement, not the part that finds the vulnerabilities. It is proprietary and kept private — an internal operator tool I run, not a public release — and it needs Python 3.11 or newer. It is the workbench I actually run my own engagements from, shipped the way I’d want any tool I depend on to be shipped: bounded, witnessed, and able to tell you what it is.

Status — private operator tooling, not publicly released  ·  ← the map  ·  the index