ORA
Constitutional AI Governance

Enter the live demo

ORA is a security-first AI orchestration kernel. This is a sandboxed walkthrough — it runs the real security gates in your browser. Nothing leaves this page; no keys, no model calls.

Built by 3D3D · Atlantic Canada
● Demo mode A2 · Developer kernel ready

Process a prompt

Every prompt is screened by ORA's 4-layer AST shield, checked against the Constitution, and gated by your authority level before a model ever sees it. The gates below are the real ones — running live in your browser.

Benign task · Tool use · Injection ⚠ · Structural attack ⚠ · Prohibited op ⚠

THE CONSTITUTION

Four immutable Prime Directives sit above everything ORA does. The document is hashed (SHA-256); verify_immutability() fails closed if a single rule is altered.

no_harm · no_illegal · no_security_bypass · no_data_exfiltration

Nine prohibited operations are refused at the gate — try the "Prohibited op" chip above:

DeleteSystemFiles · PrivilegeEscalation · ModifyConstitution · DisableSecurity · DataExfiltration · Malware · SocialEngineering · CryptoMining · BotnetCreation

Authority — the A0–A5 ladder

Capabilities are gated by authority level. Nothing escalates itself; raising authority requires approval, and A5 (disabling gates) requires a hardware key. Current session runs at the level shown.

Escalation creates an approval request — see the Approvals tab.

Pending approvals

High-authority and out-of-policy actions don't just run — they queue for a human. Approve or reject; every decision lands in the audit trail.

Secrets vault

API keys and credentials live in an encrypted vault, sealed by default. Tools can only read a secret while the vault is unlocked and the authority level permits it — and every access is logged.

Vault state: SEALED
Stored secrets: ANTHROPIC_API_KEY · DEEPSEEK_API_KEY · BRAVE_SEARCH_API_KEY
Encryption: AES-256-GCM (ring)
Key derivation: PBKDF2-HMAC-SHA256 · 100,000 iterations
Bound to: hardware fingerprint + passphrase
Demo: no real secrets are stored. In production this needs your authority + passphrase.

Immutable audit trail

Every gate result, decision, and action is appended to a hash-linked chain — each entry carries the hash of the one before it, so the record can't be quietly rewritten. Run prompts and watch it grow.
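A hash-linked log of the kind described above, as an added sketch that is not ORA's own code. The Entry and AuditChain types, the pinned_head parameter and the sample events are assumptions, and std's DefaultHasher stands in for a cryptographic hash such as SHA-256 so the example builds without external crates.

```rust
use std::collections::hash_map::DefaultHasher;
use std::hash::{Hash, Hasher};

// Stand-in digest so the example builds with std only. It is NOT
// collision-resistant; a production chain would use SHA-256.
fn digest(prev: u64, seq: u64, event: &str) -> u64 {
    let mut h = DefaultHasher::new();
    (prev, seq, event).hash(&mut h);
    h.finish()
}

pub struct Entry { pub seq: u64, pub event: String, pub prev: u64, pub hash: u64 }
#[derive(Default)]
pub struct AuditChain { pub entries: Vec<Entry> }

impl AuditChain {
    pub fn head(&self) -> u64 { self.entries.last().map_or(0, |e| e.hash) }
    pub fn append(&mut self, event: &str) {
        let (seq, prev) = (self.entries.len() as u64, self.head());
        self.entries.push(Entry { seq, event: event.to_string(), prev, hash: digest(prev, seq, event) });
    }
    /// Ok(()) if every link holds and the head equals `pinned_head` (a head
    /// hash kept outside the log); Err(index) at the first broken position.
    pub fn verify(&self, pinned_head: Option<u64>) -> Result<(), usize> {
        let mut prev = 0u64;
        for (i, e) in self.entries.iter().enumerate() {
            if e.seq != i as u64 || e.prev != prev || e.hash != digest(prev, e.seq, &e.event) {
                return Err(i);
            }
            prev = e.hash;
        }
        match pinned_head { Some(h) if h != prev => Err(self.entries.len()), _ => Ok(()) }
    }
}

// Constructed sample events, not output captured from ORA.
pub fn sample() -> AuditChain {
    let mut c = AuditChain::default();
    for ev in ["gate:pass prompt#1", "gate:block injection prompt#2", "approval:reject escalate A3"] { c.append(ev); }
    c
}

fn main() {
    let mut c = sample();
    let head = c.head();
    c.entries.pop(); // drop the newest entry
    println!("{:?} {:?}", c.verify(None), c.verify(Some(head)));
}
```

Editing an entry in place breaks the chain at that index, but dropping the newest entries leaves a shorter chain that still verifies on its own; only a head hash stored outside the log catches truncation.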

Kernel metrics

ORA is a single Rust binary — low, predictable overhead. Live snapshot (demo values).

Gate latency (last)
Prompts screened: 0
Injections blocked: 0
CPU: 1.2%
Resident memory: 28 MB

One server. Six kernels.

ORA isn't a wrapper around a model. It's a single Rust binary that does the work of a memory API, an MCP server, and a multi-agent orchestrator at once — with a security kernel wrapped around all of it. The user sees one assistant; inside, ORA picks the cheapest trustworthy path to an answer.

ROUTE KERNEL

Classifies each request and chooses the cheapest trustworthy path — memory recall, cached evidence, live retrieval, or a specialist sub-run — instead of brute-forcing every query through a big model.

MEMORY KERNEL · PulZ

Durable semantic memory with compression — recall across sessions without re-stuffing the prompt. The embedded answer to Zep / Mem0, but governed and auditable.

ACQUISITION KERNEL

Retrieval, web search, and tool execution — fetched only when the route kernel decides it's needed, then verified before it's trusted.

SECURITY KERNEL

The 4-layer AST shield, A0–A5 authority, sandbox, and an encrypted vault — quantum-ready crypto on the roadmap. Governance is the foundation, not a bolt-on.

ORCHESTRATION

Multi-agent DAG routing — Planner → Search → Summarize → Verify → Output — coordinated internally, exposed simply. Swarm inside, single tool outside.

GATEWAY

One Rust/Axum surface over HTTP, WebSocket, and the Model Context Protocol — so Claude, IDEs, and MCP clients talk to ORA directly. Every action lands in the immutable audit log.

The cheapest trustworthy path

ORA doesn't brute-force every question through a big model. The route kernel classifies each request and walks a ladder — stopping at the first rung that can answer it with enough confidence. Most questions never need the expensive rungs.

1. Memory (cheapest): Answer from durable conversation memory + learned preferences. Zero retrieval.
2. Local documents (local): Search the workspace — your files, sandboxed.
3. Cached evidence (cached): Reuse verified evidence already gathered for an earlier decision.
4. Live web (live): Brave or DuckDuckGo retrieval — only when freshness demands it.
5. Browser mission (most): A full multi-step agent run — gated, approved, audited.

Every route decision is recorded with its reasoning. The router scores each request on three axes before choosing: Task class (general · workspace · operational · browser · command) · Freshness (historical · recent · live) · Evidence burden (minimal · grounded · strict). Decisions persist to a SQLite control plane so you can audit why ORA chose the path it did.

17 governed tools. One MCP surface.

ORA speaks the Model Context Protocol (2024-11-05), so Claude Desktop, Cursor, and any MCP client can drive it directly. Every tool call runs through the gates and the authority check first — and lands in the audit log after.

TOOLS (17)

A0: verified_answer · grounded_summarize · memory_search · evidence_bundle
A1: write_file · read_file · list_directory · analyze_code · create_mission · list_missions
A2: execute_command · web_search · safe_browser_task · get_system_info
A3: approval_queue · approve / reject · cross-session recall

GATEWAY — 30+ ENDPOINTS

POST /kernel/process · /chat · /mcp
GET /security/status · /authority/current · /kernel/metrics
POST /vault/unlock · /authority/escalate · /approvals/:id/approve
GET /operator/routes · /operator/evidence/:id · /operator/audit
WS /ws — task lifecycle, approvals, live audit feed

PROVIDERS — BRING YOUR OWN MODEL

OpenAI · Anthropic · DeepSeek · MiniMax · GLM (Zhipu) · Ollama (local)

Provider-agnostic client trait with auto-detection at startup. Run fully local on Ollama, or route to a frontier API — same governance either way.

One Rust binary. 7,888 lines. Zero interpreter.

ORA is a single statically-linked binary built with release-grade optimization — no Python, no node, no runtime to ship. Security isn't bolted on; some of it is enforced by the type system at compile time.

Source lines: 7,888
Major crates: 30+
Rust edition: 2021
Web / async: Axum 0.7 · Tokio · tower-http
Transport: HTTP · WebSocket (tungstenite) · MCP (JSON-RPC over stdio)
Crypto: ring 0.17 (AES-256-GCM) · pbkdf2 · sha2
Orchestration: petgraph 0.6 DAG router
Control plane: rusqlite (SQLite) · optional Qdrant vectors
Build profile: opt-level 3 · LTO · codegen-units 1 · stripped

COMPILE-TIME AUTHORITY

Authority levels are encoded as a Rust type-state trait hierarchy (A0Clearance → … → A5Clearance), wrapped in a SecureContext<C>. If an agent doesn't hold the clearance a privileged operation requires, the code does not compile. Zero runtime cost — the guarantee is in the type system, not a check you can forget to write.
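A type-state ladder in the shape described above, as an added sketch that is not ORA's source. The trait and SecureContext names come from the page; the marker structs, the Approval type, the escalate method and the way tools are attached to clearances are assumptions, and only A0 to A2 are modelled.

```rust
use std::marker::PhantomData;

// Clearance names follow the page; only three of the six rungs are modelled.
pub trait A0Clearance {}
pub trait A1Clearance: A0Clearance {}
pub trait A2Clearance: A1Clearance {}
pub struct A0; pub struct A1; pub struct A2;
impl A0Clearance for A0 {}
impl A0Clearance for A1 {} impl A1Clearance for A1 {}
impl A0Clearance for A2 {} impl A1Clearance for A2 {} impl A2Clearance for A2 {}

/// Hypothetical record of a human decision taken from the approval queue.
pub struct Approval { pub approver: String }
pub struct SecureContext<C> { audit: Vec<String>, _level: PhantomData<C> }

impl<C> SecureContext<C> {
    pub fn audit(&self) -> &[String] { &self.audit }
    fn log(&mut self, tool: &str, arg: &str) { self.audit.push(format!("{tool}({arg})")); }
    // Consumes the old context, so the lower-level handle cannot be reused.
    fn raise<N>(mut self, to: &str, by: Approval) -> SecureContext<N> {
        self.audit.push(format!("escalate->{to} by {}", by.approver));
        SecureContext { audit: self.audit, _level: PhantomData }
    }
}
impl SecureContext<A0> {
    pub fn new() -> Self { SecureContext { audit: Vec::new(), _level: PhantomData } }
    pub fn escalate(self, by: Approval) -> SecureContext<A1> { self.raise("A1", by) }
}
impl SecureContext<A1> { pub fn escalate(self, by: Approval) -> SecureContext<A2> { self.raise("A2", by) } }
// Each tool exists only on contexts whose marker satisfies the bound.
impl<C: A0Clearance> SecureContext<C> { pub fn memory_search(&mut self, q: &str) { self.log("memory_search", q) } }
impl<C: A1Clearance> SecureContext<C> { pub fn read_file(&mut self, p: &str) { self.log("read_file", p) } }
impl<C: A2Clearance> SecureContext<C> { pub fn execute_command(&mut self, c: &str) { self.log("execute_command", c) } }

pub fn demo() -> Vec<String> {
    let mut ctx = SecureContext::<A0>::new();
    ctx.memory_search("vault policy");
    // ctx.read_file("notes.md");   // rejected by rustc: A0 is not A1Clearance
    let mut ctx = ctx.escalate(Approval { approver: "operator".into() });
    ctx.read_file("notes.md");
    // ctx.execute_command("id");   // rejected by rustc: A1 is not A2Clearance
    let mut ctx = ctx.escalate(Approval { approver: "operator".into() });
    ctx.execute_command("uname -a");
    ctx.audit().to_vec()
}

fn main() { println!("{:#?}", demo()); }
```

Uncommenting either rejected call turns the build into a compile error, which is the property the paragraph claims; the level a live session actually holds still has to be established at runtime before a context of that type is constructed.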

Where ORA stands

The market split into three layers — memory APIs (Mem0, Zep), MCP transport, and agent orchestrators (CrewAI, AutoGen) — each largely blind to the others, and most blind to governance. ORA spans all three with a security kernel built in.

ORA Mem0/Zep CrewAI/AutoGen Letta Sema4

Positioning per ORA's March-2026 competitor analysis. "~" = partial / implicit.

Benchmarks

ORA's pitch is speed + safety, proven — not claimed. These are the published targets from the ORA benchmarking plan; the orchestrator is being open-sourced so anyone can reproduce them. (Gate latency above is measured live in this demo.)

Orchestration overhead: < 2 ms
5-agent route (Planner→Search→Code→Check→Output), mock LLM — pure framework cost
vs 100–120 ms · CrewAI / AutoGen (Python)

Per-hop latency vs Python: 1.8 ms
Single agent hop, like-for-like
~65× faster than the Python baseline

AST shield gate latency: < 2 ms
Full lexical + structural + encoding scan, release build
measured live in this demo (see Metrics)

Prompt-injection block rate: 99.9% target
5,000 payloads — Garak / PyRIT suites
< 1% false-positive on legitimate queries

Context retrieval (P99): < 15 ms
Top-K over a 1M-token corpus
vs Mem0 / Zep / Motorhead

Memory footprint: −80%
Resident memory vs equivalent Python stack
single static Rust binary, no interpreter

Logic accuracy uplift: +40%
50-question logic-trap set, DeepSeek V4 / Claude 3.5, verification loop on vs off
e.g. "how many R's in strawberry" — fails raw, passes verified

Figures marked "target" are design goals from ORA's benchmarking plan, to be published with a reproducible ora-benchmarks suite (Garak + PyRIT for security, mock-LLM harness for overhead). Gate latency is measured live in this demo. Not yet independently certified.

Labs — capabilities we discuss privately

Not everything 3D3D builds is on the public menu. A few capabilities are powerful enough — and dual-use enough — that we keep the method private and the conversation by request, for vetted partners and authorized testing only. You're behind the demo gate, so here's a glimpse of one.

PROVENANCE & INTEGRITY LAYER

It can embed an invisible, verifiable mark inside ordinary files — images, documents, model outputs — so origin and tampering can be proven after the fact. It can read those marks back out, and it can tell when someone else has hidden something inside a file. Think watermarking, content provenance, tamper-evidence, and detection — done quietly, at the byte level.

Posture: defensive & provenance
Access: by request · vetted partners · authorized testing
What we publish: capability & results — not the method

We don't ship offensive tooling and we don't publish the technique. What it can do, and how well, we'll show you. How it does it stays in the lab.

ORA · Constitutional AI Governance · Demo build — runs entirely in your browser Built by 3D3D · 3d3d.ca/ora