[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-82791":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":9,"language":10,"languages":9,"totalLinesOfCode":9,"stars":11,"forks":12,"watchers":13,"openIssues":14,"contributorsCount":14,"subscribersCount":14,"size":14,"stars1d":14,"stars7d":15,"stars30d":16,"stars90d":14,"forks30d":14,"starsTrendScore":17,"compositeScore":18,"rankGlobal":9,"rankLanguage":9,"license":9,"archived":19,"fork":19,"defaultBranch":20,"hasWiki":21,"hasPages":19,"topics":22,"createdAt":9,"pushedAt":9,"updatedAt":32,"readmeContent":33,"aiSummary":34,"trendingCount":14,"starSnapshotCount":14,"syncStatus":35,"lastSyncTime":36,"discoverSource":37},82791,"nullsec-s1","trynullsec\u002Fnullsec-s1","trynullsec","Security-native LLM system for AI-generated application security.",null,"Python",256,71,39,0,87,186,24,5.57,false,"main",true,[23,24,25,26,27,28,29,30,31],"ai-security","appsec","code-security","llm","mcp","qlora","security","vibecoding","web3-security","2026-06-12 02:04:28","\u003Cp align=\"center\">\n  \u003Cimg src=\".\u002Fassets\u002Fnullsec-s1-banner.png\" alt=\"Nullsec S1\" width=\"100%\" \u002F>\n\u003C\u002Fp>\n\n# Nullsec-S1\n\n**Open-source security model purpose-built to audit AI-generated apps, agents, MCP tools, Web3 flows, and vibecoded software.**\n\n[![tests](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002Ftests-passing-brightgreen)](#current-verified-state)\n[![release](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002Frelease-RC2%2Fv1.1-brightgreen)](#current-verified-release)\n[![huggingface](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FHugging%20Face-adapter-yellow)](https:\u002F\u002Fhuggingface.co\u002FTrynullsec\u002Fnullsec-s1)\n[![safety 
layer](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002Fsafety%20layer-100%25%20consistent-brightgreen)](#the-security-alignment-layer)\n[![benchmark](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002Fbenchmark-real--model-blue)](#benchmark-summary)\n[![python](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002Fpython-3.11%2B-blue)](pyproject.toml)\n\nNullsec-S1 returns final structured JSON security audits: findings, severity, exploit scenario, recommended fix, secure patch, and a deterministic Safety Layer decision.\n\nQuick links: [GitHub Release](https:\u002F\u002Fgithub.com\u002Ftrynullsec\u002Fnullsec-s1\u002Freleases\u002Ftag\u002Fv1.0.0-rc25) · [Hugging Face adapter](https:\u002F\u002Fhuggingface.co\u002FTrynullsec\u002Fnullsec-s1) · [Eval docs](docs\u002FEVALS.md) · [Quickstart](#2-5-minute-quickstart)\n\nNullsec-S1 RC2\u002Fv1.1 ships as a PEFT \u002F QLoRA adapter. The source repo contains training code, corpus, benchmark harness, inference code, and validation gates. The trained adapter is intentionally not committed to git.\n\n| State | Location | Meaning |\n|-------|----------|---------|\n| Source checkout | `main` | training pipeline, corpus, benchmark code, docs |\n| GitHub Release | [`v1.0.0-rc25`](https:\u002F\u002Fgithub.com\u002Ftrynullsec\u002Fnullsec-s1\u002Freleases\u002Ftag\u002Fv1.0.0-rc25) | source of record for adapter, benchmark reports, metrics, pipeline log |\n| Hugging Face | [`Trynullsec\u002Fnullsec-s1`](https:\u002F\u002Fhuggingface.co\u002FTrynullsec\u002Fnullsec-s1) | public PEFT \u002F QLoRA adapter mirror and model discovery page |\n| Base model | [`Qwen\u002FQwen2.5-Coder-7B-Instruct`](https:\u002F\u002Fhuggingface.co\u002FQwen\u002FQwen2.5-Coder-7B-Instruct) | required separately to load the adapter |\n| Local claim validation | downloaded\u002Funpacked release artifacts | source-only checkout may show artifact-gated claims as unavailable |\n\n## Benchmark performance\n\nNullsec-S1 was evaluated on the Nullsec RC2\u002Fv1.1 
111-case security benchmark for AI-generated applications, agents, MCP tools, Web3 flows, and common application-security failure modes.\n\nOn this benchmark, Nullsec-S1 ranked #1 by F1 score against the compared baselines, while keeping false-safe rate at `0.0%` and maintaining substantially lower hallucination\u002Fnoise than hosted frontier API baselines.\n\n|   Rank | System \u002F Tool                | Evaluated \u002F Analyzable | Precision |    Recall |   F1 Score | False-Safe Rate | Hallucination Rate |\n| -----: | ---------------------------- | ---------------------: | --------: | --------: | ---------: | --------------: | -----------------: |\n| **#1** | **Nullsec-S1**               |          **110 \u002F 111** | **94.2%** | **90.7%** | **0.9245** |        **0.0%** |           **6.7%** |\n|     #2 | OpenAI\u002FCodex `gpt-5.3-codex` |              105 \u002F 111 |     61.7% |     88.0% |     0.7252 |            0.0% |              60.0% |\n|     #3 | Claude Opus 4.8              |               68 \u002F 111 |     88.9% |     51.9% |     0.6550 |            0.0% |              14.3% |\n|     #4 | Semgrep local rules baseline |              111 \u002F 111 |     86.3% |     40.7% |     0.5535 |           56.3% |              33.3% |\n|     #5 | Qwen2.5-Coder-7B base model  |                4 \u002F 111 |     33.3% |      0.9% |     0.0180 |            0.0% |              50.0% |\n\n**Why this matters:**\nNullsec-S1 is not just the base model prompted differently. The adapter was trained to produce structured, security-specific JSON verdicts with stronger format adherence, higher recall, higher precision, and lower hallucination on this benchmark.\n\n**Important scope:**\nThese results are measured on the Nullsec RC2\u002Fv1.1 111-case benchmark. They do not guarantee universal vulnerability detection or replace independent security review. 
`111\u002F111` raw outputs were produced by the release benchmark; `110\u002F111` above refers to analyzable\u002Fscored structured outputs in the comparison report.\n\n## Why Nullsec-S1 exists\n\nAI-generated software is moving faster than traditional security review. General models can explain code, but they often struggle to emit consistent, schema-valid security verdicts that can be enforced in CI or agent workflows.\n\nNullsec-S1 is adapter-aligned for security-specific JSON audit outputs. It focuses on:\n\n- `BROKEN_AUTH`\n- `UNSAFE_ADMIN_ROUTE`\n- `EXPOSED_SECRET`\n- `ENVIRONMENT_EXPOSURE`\n- `MCP_TOOL_ABUSE`\n- `COMMAND_INJECTION`\n- `SSRF`\n- `XSS`\n- `MISSING_RATE_LIMIT`\n- `SMART_CONTRACT_RISK`\n- `WALLET_TRANSACTION_RISK`\n- `UNSAFE_FILE_UPLOAD`\n- `SQL_INJECTION`\n- `PROMPT_INJECTION`\n- `DANGEROUS_SHELL_COMMAND`\n- `DEPENDENCY_RISK`\n\n## What makes it different from general models\n\n- The base Qwen model mostly failed to produce scorable Nullsec-style JSON security verdicts in this benchmark.\n- Hosted frontier API baselines were stronger than base Qwen, but had lower recall or higher hallucination\u002Fnoise on this benchmark.\n- Nullsec-S1 is trained to return structured security verdicts, not free-form commentary.\n- The release is local and reproducible: base model + PEFT adapter + deterministic Safety Layer.\n\n## 2–5 minute quickstart\n\nUse either the [GitHub Release artifact](https:\u002F\u002Fgithub.com\u002Ftrynullsec\u002Fnullsec-s1\u002Freleases\u002Ftag\u002Fv1.0.0-rc25) for the full release bundle or the [Hugging Face adapter](https:\u002F\u002Fhuggingface.co\u002FTrynullsec\u002Fnullsec-s1) for the PEFT \u002F QLoRA adapter. 
Users still need the base model `Qwen\u002FQwen2.5-Coder-7B-Instruct`.\n\n```bash\npython -m pip install -e \".[dev]\"\npython -m pip install -r requirements-train-cu121.txt\n\nNULLSEC_ADAPTER_PATH=outputs\u002Fnullsec-s1-qlora \\\npython inference.py --file examples\u002Funsafe-next-admin-route.ts\n```\n\nThe command prints the final Safety-Layer-enforced JSON verdict. It does not print source code by default. If the model emits malformed output, `inference.py` returns a JSON error object and exits non-zero.\n\n## Concrete example\n\nInput:\n\n```typescript\nexport async function POST(req: Request) {\n  const { userId, role } = await req.json();\n  await db.user.update({ where: { id: userId }, data: { role } });\n  return Response.json({ ok: true });\n}\n```\n\nRepresentative output shape:\n\n```json\n{\n  \"risk_score\": 70,\n  \"production_ready\": false,\n  \"severity\": \"HIGH\",\n  \"confidence\": \"HIGH\",\n  \"reasoning_summary\": \"Privileged admin mutation is reachable without an authenticated role check.\",\n  \"findings\": [\n    {\n      \"category\": \"UNSAFE_ADMIN_ROUTE\",\n      \"severity\": \"HIGH\",\n      \"file\": \"examples\u002Funsafe-next-admin-route.ts\",\n      \"description\": \"Admin role update route has no session\u002Frole check.\",\n      \"recommended_fix\": \"Require an authenticated admin session before mutating roles.\"\n    }\n  ],\n  \"_safety_layer\": {\n    \"production_ready\": false,\n    \"blocking_reasons\": [\"R2: dimension 'permissions' failed its check\"],\n    \"adjustments\": []\n  }\n}\n```\n\nThis is illustrative, not a benchmark output.\n\n## Install \u002F run options\n\n| Workflow | Command \u002F docs |\n|----------|----------------|\n| Local adapter inference | `python inference.py --file examples\u002Funsafe-next-admin-route.ts` |\n| Hugging Face adapter loading | [`Trynullsec\u002Fnullsec-s1`](https:\u002F\u002Fhuggingface.co\u002FTrynullsec\u002Fnullsec-s1) + `Qwen\u002FQwen2.5-Coder-7B-Instruct` |\n| 
Benchmark reproduction | `python benchmarks\u002Frun_all.py --mode model --adapter outputs\u002Fnullsec-s1-qlora` |\n| Semgrep baseline | `python benchmarks\u002Fbaselines\u002Fsemgrep_baseline.py` |\n| Hosted API baselines | `benchmarks\u002Fbaselines\u002Fclaude_api.py`, `benchmarks\u002Fbaselines\u002Fopenai_api.py` |\n| Release validation | `python scripts\u002Fvalidate_claims.py --adapter ... --report ... --check` |\n\n## Running Nullsec S1 from Hugging Face\n\nThe FastAPI serving layer can load the public PEFT adapter mirror directly from\nHugging Face. The adapter repo must match the configured base model.\n\n```bash\nexport NULLSEC_BASE_MODEL=Qwen\u002FQwen2.5-Coder-7B-Instruct\nexport NULLSEC_ADAPTER_PATH=Trynullsec\u002Fnullsec-s1\nexport NULLSEC_CORS_ORIGINS=http:\u002F\u002Flocalhost:3000,https:\u002F\u002Fs1.trynullsec.com\nexport NULLSEC_EAGER_LOAD=0\n\npython -m uvicorn serving.server:app --host 0.0.0.0 --port 8000\n```\n\n`NULLSEC_ADAPTER_PATH` may also point to a local unpacked release artifact, for\nexample `\u002Fworkspace\u002Fnullsec-s1\u002Foutputs\u002Fnullsec-s1-qlora`. 
Use `\u002Fmodel-info` to\nconfirm the configured base model, adapter path, adapter source, load status,\ndevice, dtype, and eager-loading mode.\n\n## Nullsec S1 CLI\n\nRun a local project scan from any repo:\n\n```bash\nnpx @s1-clm\u002Fs1 scan\n```\n\nDefault backend:\n\n```text\nhttps:\u002F\u002Fs1.trynullsec.com\u002Fapi\n```\n\nUse a local backend:\n\n```bash\nNULLSEC_API_URL=http:\u002F\u002Flocalhost:8000 npx @s1-clm\u002Fs1 scan\n```\n\nWrite a JSON report:\n\n```bash\nnpx @s1-clm\u002Fs1 scan --json --output nullsec-report.json\n```\n\nFail CI on high findings:\n\n```bash\nnpx @s1-clm\u002Fs1 scan --fail-on high\n```\n\nRun without network access:\n\n```bash\nnpx @s1-clm\u002Fs1 scan --no-network\n```\n\nExclude a path for one scan:\n\n```bash\nnpx @s1-clm\u002Fs1 scan --exclude corpus --exclude benchmarks\n```\n\nThe CLI scans local source files, skips secrets\u002Fprivate files such as real `.env`\nfiles and private keys, and sends source snippets to the configured Nullsec S1\nbackend unless `--no-network` is used. `--no-network` runs local heuristics only;\nit does not use the Nullsec S1 model.\n\nAdd a `.nullsecignore` file at the scan root to skip intentional fixtures,\nbenchmarks, generated code, or other paths:\n\n```gitignore\nbenchmarks\u002F\ncorpus\u002F\ntraining\u002F\ntaxonomy\u002F\n*.egg-info\u002F\n```\n\nBy default, the CLI skips common dependency, cache, build, virtualenv, private\nkey, real `.env`, binary, archive, and model-weight files. Text output shows the\nfirst 20 findings by default; use `--show-all` to print every finding.\n\nRun the local backend bundled with the npm package:\n\n```bash\nnpx @s1-clm\u002Fs1 doctor\nnpx @s1-clm\u002Fs1 serve\nnpx @s1-clm\u002Fs1 scan --local-model\n```\n\nThe npm package includes the CLI and Python FastAPI serving source. 
It does not\nembed multi-GB model weights; the backend loads\n`Qwen\u002FQwen2.5-Coder-7B-Instruct` and `Trynullsec\u002Fnullsec-s1` from Hugging Face or\nfrom paths configured with `NULLSEC_BASE_MODEL` and `NULLSEC_ADAPTER_PATH`.\n\n## Evaluation methodology\n\n- 111 security benchmark cases\n- 16 security categories\n- metrics: precision, recall, F1, false-safe rate, hallucination rate\n- comparisons against base Qwen, Semgrep local rules, Claude, and OpenAI\u002FCodex\n\nDetails: [`docs\u002FEVALS.md`](docs\u002FEVALS.md).\n\n## Quick Verification\n\nAfter downloading and unpacking the release artifacts locally:\n\n```bash\npython scripts\u002Fvalidate_claims.py \\\n  --adapter outputs\u002Fnullsec-s1-qlora \\\n  --report releases\u002Fnullsec-1.0\u002Fbenchmark\u002FSUITE.json \\\n  --check\n```\n\nThis verifies that local public claims match the downloaded adapter, benchmark report, safety probes, and release bundle on disk. A source-only checkout may show artifact-gated claims as unavailable until those release assets are unpacked locally.\n\n## Model Architecture\n\n| Component | RC2\u002Fv1.1 |\n|-----------|----------|\n| Base model | `Qwen\u002FQwen2.5-Coder-7B-Instruct` |\n| Adapter | PEFT \u002F QLoRA adapter, mirrored at [`Trynullsec\u002Fnullsec-s1`](https:\u002F\u002Fhuggingface.co\u002FTrynullsec\u002Fnullsec-s1) |\n| Adapter path | `outputs\u002Fnullsec-s1-qlora` |\n| Weight format | `adapter_model.safetensors` confirmed in the `v1.0.0-rc25` release artifact |\n| Tokenizer | tokenizer files in the adapter directory when present, otherwise base tokenizer |\n| Chat template | release artifact includes `chat_template.jinja`; inference uses the tokenizer chat template |\n| Reasoning format | no custom hidden reasoning token loop; no `\u003Cthought>` parser |\n| Output | final structured JSON security audit, then deterministic Safety Layer enforcement |\n\n`S1` means **Security-1**. 
It is not a reasoning-trace model; it returns the final structured audit result.\n\n## Architecture\n\nNullsec S1 is a pipeline, not a single model call. A security-tuned model *proposes* a verdict; two deterministic layers *align and enforce* it before anything is trusted.\n\n```mermaid\nflowchart TD\n    A[\"AI-generated app \u002F repo \u002F PR \u002F MCP tool \u002F wallet flow\"] --> B[\"Nullsec S1 reasoning pipeline\u003Cbr\u002F>(security-tuned model: detect · classify · explain · patch)\"]\n    B -->|raw output| C[\"Structured JSON verdict\u003Cbr\u002F>(verdict schema)\"]\n    C --> D[\"Security Alignment Layer\u003Cbr\u002F>parse · schema-validate · normalize severities\"]\n    D --> E[\"Nullsec Safety Layer\u003Cbr\u002F>deterministic enforcement R1–R6\"]\n    E --> F[\"Enforced verdict\u003Cbr\u002F>(production_ready computed, never trusted from the model)\"]\n    F --> G[\"Patch · Report · CI gate · API response\"]\n```\n\nPlain-text view of the same flow:\n\n```\nAI-generated app \u002F repo \u002F PR \u002F MCP tool \u002F wallet flow\n        │\n        ▼\nNullsec S1 reasoning pipeline        (security-tuned model: detect · classify · explain · patch)\n        │  raw output\n        ▼\nstructured JSON verdict              (data\u002Fschemas\u002Fverdict.schema.json)\n        │\n        ▼\nSecurity Alignment Layer             (parse · schema-validate · type-check · normalize severities)\n        │  structurally-valid verdict\n        ▼\nNullsec Safety Layer                 (deterministic enforcement: rules R1–R6, severity\u002Frisk flooring)\n        │\n        ▼\nenforced verdict                     (production_ready recomputed, never trusted from the model)\n        │\n        ▼\npatch · report · CI gate · API response\n```\n\nThe model's own `production_ready` claim is **advisory only**. 
The Safety Layer recomputes it and allows `true` only when all **eight** check dimensions pass with no HIGH\u002FCRITICAL finding:\n\n`auth · secrets · input_validation · rate_limits · permissions · dangerous_exec · dependency_risk · environment_exposure`\n\nPrompt and schema details: [`docs\u002FPROMPT_FORMAT.md`](docs\u002FPROMPT_FORMAT.md). Full design: [`docs\u002FSYSTEM_OVERVIEW.md`](docs\u002FSYSTEM_OVERVIEW.md).\n\n---\n\n## Core system components\n\n| Path | What it is |\n|------|------------|\n| [`corpus\u002F`](corpus\u002F) | Curated training corpus — the single source of truth (`authored\u002F` + opt-in `ingested\u002F` + `synthetic\u002F`). |\n| [`taxonomy\u002F`](taxonomy\u002F) | The 16-category security taxonomy mapped to 8 check dimensions (`taxonomy.json`). |\n| [`nullsec\u002Fsafety\u002F`](nullsec\u002Fsafety\u002F) | The Security Alignment Layer (`alignment.py`) + Nullsec Safety Layer (`enforcement.py`). |\n| [`nullsec\u002Fcore\u002F`](nullsec\u002Fcore\u002F) | Reasoning pipeline (`engine.py`), verdict models, canonical prompts, version\u002Ffingerprint. |\n| [`nullsec\u002Fingest\u002F`](nullsec\u002Fingest\u002F) | CVE\u002FNVD, Semgrep, SARIF\u002FCodeQL ingestion into the verdict contract. |\n| [`training\u002F`](training\u002F) | Dataset prep, QLoRA training, corpus validation, release threshold, preflight. |\n| [`benchmarks\u002F`](benchmarks\u002F) | Evaluation runners + adversarial Safety Layer probes. |\n| [`scripts\u002Fvalidate_claims.py`](scripts\u002Fvalidate_claims.py) | Public claim validator — the honesty gate. |\n| [`scripts\u002Frelease_candidate.py`](scripts\u002Frelease_candidate.py) | Release gate — builds a bundle only from real artifacts. |\n| [`serving\u002F`](serving\u002F) | FastAPI serving layer (`\u002Fv1\u002Fmodel`, `\u002Fv1\u002Fanalyze`, `\u002Fv1\u002Fpatch`, streaming). |\n| [`cli\u002F`](cli\u002F) | `nullsec1` command-line analyzer + CI gate. 
|\n| [`reports\u002F`](reports\u002F) | Corpus curation sprint reports (auditable provenance). |\n| [`docs\u002F`](docs\u002F) | Technical documentation (system overview, safety layer, corpus, roadmap, non-claims). |\n\n---\n\n## What is live now vs coming next\n\nLive now:\n\n- source repo\n- GitHub Release artifact\n- Hugging Face PEFT adapter\n- `inference.py`\n- benchmark suite\n- baseline comparison scripts\n- [`docs\u002FEVALS.md`](docs\u002FEVALS.md)\n\nComing next:\n\n- hosted scanner at `s1.trynullsec.com`\n- API backend\n- GitHub Action \u002F PR guard\n- CLI hardening\n- larger benchmark suite\n- more framework coverage\n\n## Current verified state\n\nThe corpus exceeds the v1.0 and RC2\u002Fv1.1 data thresholds, the deterministic Safety Layer is enforced, and the trained RC2\u002Fv1.1 release artifacts are published as GitHub Release assets rather than committed to source.\n\nThis snapshot reflects the artifacts on disk right now. Every number below is produced by a command in this repo — none are hand-entered. 
Run the commands in [Quickstart](#quickstart) to reproduce them.\n\n| Fact | Value | Source command |\n|------|-------|----------------|\n| Curated corpus | **1,741** examples (1,304 hand-authored + 437 curated-ingested) | `training\u002Fdataset_stats.py --include-ingested` |\n| Train \u002F eval split | **1,393 train \u002F 348 eval** (eval_frac 0.2, seed 42) | `training\u002Fprepare_dataset.py --include-ingested` |\n| Taxonomy categories | **16** categories → 8 check dimensions | `taxonomy\u002Ftaxonomy.json` |\n| Per-category coverage | every category **≥ 60** curated | `training\u002Frelease_threshold.py --include-ingested --profile rc2` |\n| Safety Layer consistency | **100%** (1,741 \u002F 1,741) | `training\u002Fdataset_stats.py --include-ingested` |\n| Benchmark suite | **111** labeled cases across all 16 categories | `benchmarks\u002Fdatasets\u002Fdetection.json` |\n| Adversarial safety probes | **8 \u002F 8 blocked**, 0 bypassed | `python -m benchmarks.safety_probes` |\n| Test suite | passing | `pytest -q` |\n| Release threshold (v1.0) | **PASS** | `training\u002Frelease_threshold.py --include-ingested` |\n| Release threshold (v1.1 \u002F RC2) | **PASS** | `training\u002Frelease_threshold.py --include-ingested --profile rc2` |\n\nThe honesty gate (`scripts\u002Fvalidate_claims.py --check`) ties public wording to local artifacts. To reproduce the release-asset claim state, unpack the GitHub Release bundle locally and run the [Quick Verification](#quick-verification) command.\n\n---\n\n## The Security Alignment Layer\n\nThe deterministic layer is the reason Nullsec S1 is a security *system* rather than a code model that emits opinions. 
It runs in two stages.\n\n**Stage 1 — Security Alignment Layer** (`nullsec\u002Fsafety\u002Falignment.py`): extract the JSON object (tolerant of code fences, preamble, and trailing prose), validate it against the verdict schema, type-check it into the `Verdict` model, and normalize finding severities *up* to each category's taxonomy floor. Anything that cannot be aligned raises `VerdictParseError` instead of being guessed at.\n\n**Stage 2 — Nullsec Safety Layer** (`nullsec\u002Fsafety\u002Fenforcement.py`): take the structurally-valid verdict and deny `production_ready` if **any** of these hold:\n\n| Rule | `production_ready` is denied when… |\n|------|------------------------------------|\n| R1 | any required dimension is `not_checked` |\n| R2 | any required dimension is `fail` |\n| R3 | any finding is HIGH or CRITICAL |\n| R4 | `risk_score` exceeds the production threshold (default 20) |\n| R5 | a finding contradicts a dimension reported as `pass` |\n| R6 | overall severity is HIGH or CRITICAL |\n\nIt also **raises (never lowers)** severity and `risk_score` to match the worst finding, so the model cannot under-report. Because enforcement is deterministic and independent of the model, an attacker who manipulates the model — e.g. via prompt injection embedded in the code under review — still cannot obtain a false `production_ready: true`. 
This is verified by adversarial probes in [`benchmarks\u002Fsafety_probes.py`](benchmarks\u002Fsafety_probes.py), including a prompt-injection-in-prose probe.\n\nDeep dive: [`docs\u002FSECURITY_ALIGNMENT_LAYER.md`](docs\u002FSECURITY_ALIGNMENT_LAYER.md).\n\n---\n\n## Quickstart\n\nLocal CPU machines can verify the corpus, the deterministic layers, and the safety probes — no GPU required.\n\n```bash\npython3.11 -m venv .venv\nsource .venv\u002Fbin\u002Factivate\npython -m pip install --upgrade pip setuptools wheel\npython -m pip install -e \".[dev]\"\n\npython training\u002Fprepare_dataset.py --include-ingested --out data\u002Fprocessed\npytest -q\npython training\u002Fvalidate_corpus.py --include-ingested\npython training\u002Frelease_threshold.py --include-ingested\npython scripts\u002Fvalidate_claims.py --check\n```\n\nInspect model identity and the reproducible fingerprint at any time:\n\n```bash\npython -m nullsec.core.version\n```\n\n---\n\n## Corpus status\n\n`corpus\u002F` is the single source of truth for training data. The current curated corpus is **1,741 examples** (1,304 hand-authored + 437 curated-ingested), every taxonomy category has **≥ 60** curated examples, and **Safety Layer consistency is 100%** — so both the v1.0 and RC2\u002Fv1.1 data thresholds pass.\n\nProvenance is tracked explicitly and never blurred:\n\n- `hand_authored` — original examples written for this repo (counts as curated).\n- `curated_ingested` — CVE \u002F scanner \u002F real-failure records that passed human review and source-provenance enforcement (counts as curated).\n- `synthetic_variant` — labeled, structure-preserving augmentations; **never** counts toward curated thresholds.\n\nRaw and rejected candidates are tracked separately and are never training-eligible. 
The curation workflow, schema, and provenance rules are documented in [`docs\u002FCORPUS.md`](docs\u002FCORPUS.md), with auditable sprint reports in [`reports\u002F`](reports\u002F).\n\n---\n\n## Training workflow\n\nThe training targets are built from the corpus through the **same** alignment + safety layers used at serving time, so no malformed or gate-inconsistent verdict ever enters training.\n\n```bash\n# 1. build chat-formatted train\u002Feval JSONL from the curated corpus\npython training\u002Fprepare_dataset.py --include-ingested --out data\u002Fprocessed\n\n# 2. confirm the corpus is genuinely v1.0-ready (exits non-zero until it is)\npython training\u002Frelease_threshold.py --include-ingested\n\n# 3. (on a GPU box) preflight, then train the QLoRA adapter\npython training\u002Fpreflight_train.py\npython training\u002Ftrain_qlora.py --config training\u002Fconfig.yaml\n```\n\nThe release adapter was trained with QLoRA on `Qwen\u002FQwen2.5-Coder-7B-Instruct` (Apache 2.0). Training instructions remain in [`RELEASE_TRAINING.md`](RELEASE_TRAINING.md), [`RUNPOD.md`](RUNPOD.md), and [`GPU_QUICKSTART.md`](GPU_QUICKSTART.md).\n\n---\n\n## Training on GPU\n\nLocal CPU machines can verify the corpus and the safety layer, but **cannot realistically train the model**. 
QLoRA training requires a CUDA-capable NVIDIA GPU.\n\nThe end-to-end pipeline (prepare → preflight → train → merge → benchmark → release → validate) is wrapped in one script:\n\n```bash\nbash scripts\u002Frun_training_pipeline.sh\n```\n\nA complete, beginner-friendly walkthrough — choosing a GPU box, disk requirements, environment setup, expected artifacts, and how to collect outputs — is in **[`GPU_QUICKSTART.md`](GPU_QUICKSTART.md)**.\n\n`training\u002Fpreflight_train.py` checks the GPU stack before you spend money: it **exits `2` when no CUDA GPU is available** (the expected result on a laptop), so you never start a doomed run.\n\n---\n\n## Benchmark workflow for reproduction \u002F development\n\nThe benchmark suite measures detection accuracy, false-safe rate, hallucination rate, OWASP coverage, patch correctness (structural), and a secure-generation score. It reports numbers only from real runs. The RC2\u002Fv1.1 real-model report ships as a GitHub Release asset under `v1.0.0-rc25`; generated benchmark reports are not committed to source.\n\n```bash\n# against the live model (GPU):\npython benchmarks\u002Frun_all.py --mode model --adapter outputs\u002Fnullsec-s1-qlora\n\n# against captured real outputs (no GPU); reports are marked replay-only:\npython benchmarks\u002Frun_all.py --mode replay --replay path\u002Fto\u002Fcaptured.jsonl\n```\n\nA case with no model output is recorded as a real miss, never a synthetic pass. 
In a source-only checkout, artifact-gated claims remain unavailable until the trained adapter and release report are downloaded\u002Funpacked locally.\n\n---\n\n## Release pipeline for reproduction \u002F development\n\nThe release pipeline is how maintainers reproduce a release bundle from real local artifacts:\n\n```bash\npython scripts\u002Frelease_candidate.py --adapter outputs\u002Fnullsec-s1-qlora --dataset detection.json\npython scripts\u002Fvalidate_claims.py --adapter outputs\u002Fnullsec-s1-qlora \\\n    --report releases\u002Fnullsec-1.0\u002Fbenchmark\u002FSUITE.json --check\n```\n\n`release_candidate.py` aborts (writing nothing) if the adapter is missing, the model fails to load, no outputs are produced, any report section is empty, or any Safety Layer probe is bypassed. The published RC2\u002Fv1.1 artifact already passed this path; running it again is a reproducibility workflow. The full path is documented in [`RELEASE_TRAINING.md`](RELEASE_TRAINING.md).\n\n---\n\n## Repo structure\n\n```\nREADME.md                 you are here\nGPU_QUICKSTART.md          beginner-friendly GPU training walkthrough\nRELEASE_TRAINING.md        training-to-release runbook\nCONTRIBUTING.md            how to contribute (corpus, taxonomy, probes, docs)\nSECURITY.md                vulnerability reporting & responsible disclosure\nmodel_card\u002F                Nullsec-1 model card (identity, intended use, limits)\ntaxonomy\u002F                  16-category security taxonomy — single source of truth\ncorpus\u002F                    curated training corpus (authored\u002F + ingested\u002F + synthetic\u002F)\ndata\u002F                      verdict schema (data\u002Fschemas) + processed datasets\ntraining\u002F                  prepare_dataset · train_qlora · merge_adapter · validate_corpus\n                           · release_threshold · preflight_train · config.yaml\nnullsec\u002F\n  core\u002F                    reasoning pipeline, verdict models, prompts, 
version\u002Ffingerprint\n  safety\u002F                  Security Alignment Layer + Nullsec Safety Layer\n  ingest\u002F                  CVE\u002FNVD, Semgrep, SARIF\u002FCodeQL ingestion\nserving\u002F                   FastAPI serving layer\nbenchmarks\u002F                benchmark suite + adversarial Safety Layer probes\nscripts\u002F                   release_candidate.py · validate_claims.py · run_training_pipeline.sh\nexamples\u002F                  worked vulnerable cases + expected verdicts\nreleases\u002F                  generated release bundles (real artifacts only; ships empty)\ncli\u002F                       nullsec1 CLI analyzer + CI gate\ntests\u002F                     deterministic-layer test suite (no GPU)\ndocs\u002F                      architecture · system overview · safety layer · corpus · roadmap\n.github\u002F                   CI security gate · issue templates · PR template\n```\n\n## Contributing\n\nContributions to the corpus, taxonomy, safety probes, benchmark runners, docs, and CLI\u002FAPI are welcome. Corpus examples must include vulnerable code, an exploit scenario, a taxonomy category and severity, a real secure patch, complete `checks_performed`, the expected Safety Layer behavior, and an auditable provenance reference. See [`CONTRIBUTING.md`](CONTRIBUTING.md) for the full requirements and the curated-ingestion workflow.\n\nUseful contribution areas:\n\n- benchmark cases\n- framework examples\n- scanner integrations\n- docs improvements\n\n## Honest scope\n\nResults are benchmark-scoped to the Nullsec RC2\u002Fv1.1 111-case benchmark. Nullsec-S1 is not a replacement for human security review. A clean verdict reduces risk; it does not prove the absence of vulnerabilities.\n\n---\n\n## Security\n\nPlease report vulnerabilities responsibly and **never submit real secrets** — use placeholders for any credential in examples or reports. 
See [`SECURITY.md`](SECURITY.md).\n\n---\n\n## License\n\nApache 2.0 — matching the `Qwen2.5-Coder` base model. See the license note in [`model_card\u002FNULLSEC1.md`](model_card\u002FNULLSEC1.md).\n","Nullsec-S1 is an open-source security model built specifically to audit AI-generated applications, agents, MCP tools, Web3 flows, and vibecoded software. Its core function is to return structured JSON security audit reports covering the findings, their severity, the attack scenario, a recommended fix, a secure patch, and a deterministic Safety Layer decision. The project is developed in Python and uses a QLoRA adapter for efficient inference. It is suited to scenarios that require security assessment of AI-generated code or related software, such as enterprise application development and smart-contract auditing.",2,"2026-06-11 04:09:16","CREATED_QUERY"]