Declarative tamper_policy branches dispatch recovery actions on runtime security faults. Critical destructive actions (stop, safe mode, kill switch) require operator approval unless SPANDA_OPERATOR_APPROVAL=1.
spanda tamper-check examples/showcase/tamper_policy/rover.sd
spanda sim examples/showcase/tamper_policy/rover.sd --inject-security-faults
With operator approval for destructive responses:
export SPANDA_OPERATOR_APPROVAL=1
spanda sim examples/showcase/tamper_policy/rover.sd --inject-security-faults
spanda demo trust
Smoke: scripts/tamper_policy_smoke.sh