Upload folder using huggingface_hub

.gitattributes

@@ -33,3 +33,4 @@ saved_model/**/* filter=lfs diff=lfs merge=lfs -text
 *.zip filter=lfs diff=lfs merge=lfs -text
 *.zst filter=lfs diff=lfs merge=lfs -text
 *tfevents* filter=lfs diff=lfs merge=lfs -text
+tokenizer.json filter=lfs diff=lfs merge=lfs -text

README.md

@@ -0,0 +1,187 @@
+---
+license: apache-2.0
+base_model: Qwen/Qwen2.5-Coder-7B-Instruct
+library_name: peft
+pipeline_tag: text-generation
+tags:
+  - code
+  - security
+  - cybersecurity
+  - vulnerability-detection
+  - application-security
+  - ai-generated-code
+  - qlora
+  - peft
+  - qwen2.5-coder
+---
+
+# Nullsec-S1
+
+Nullsec-S1 is an open-source security model purpose-built to audit AI-generated apps, agents, and vibecoded software before they reach production.
+
+This repository contains the **RC2/v1.1 PEFT / QLoRA adapter** for `Qwen/Qwen2.5-Coder-7B-Instruct`. It is an adapter release, not merged full model weights. Users need the base model plus this adapter.
+
+## Release
+
+- Model name: Nullsec-S1
+- Release: RC2/v1.1
+- GitHub release tag: [`v1.0.0-rc25`](https://github.com/trynullsec/nullsec-s1/releases/tag/v1.0.0-rc25)
+- Release artifact commit: `c29c7f1`
+- Base model: `Qwen/Qwen2.5-Coder-7B-Instruct`
+- Adapter type: PEFT / QLoRA
+- Adapter weights: `adapter_model.safetensors`
+- Tokenizer/chat template: included with this adapter repository
+
+## What it is
+
+Nullsec-S1 returns final structured JSON security audit verdicts for application code, AI-generated apps, autonomous agents, MCP tools, Web3/wallet flows, and common application-security failures.
+
+`S1` means `Security-1`. Nullsec-S1 does **not** expose a hidden reasoning-token loop, `<thought>` format, or chain-of-thought parser. It emits a final structured security audit.
+
+## Intended use
+
+- Auditing AI-generated applications before deployment
+- Reviewing autonomous-agent and MCP tool risk
+- Reviewing Web3/wallet approval and transaction flows
+- Generating structured security verdicts for CI, API, or CLI integrations
+- Producing secure patch guidance for detected findings
+
+## Out of scope
+
+- Not a general chatbot
+- Not trained from scratch
+- Not a replacement for human security review
+- Not a guarantee of zero vulnerabilities
+- Not a universal production-safety guarantee
+- No "first", "only", or "best" claim is made
+
+## How to load with Transformers + PEFT
+
+```python
+import torch
+from transformers import AutoModelForCausalLM, AutoTokenizer, BitsAndBytesConfig
+from peft import PeftModel
+
+base_model = "Qwen/Qwen2.5-Coder-7B-Instruct"
+adapter_id = "trynullsec/nullsec-s1"
+
+quant = BitsAndBytesConfig(
+    load_in_4bit=True,
+    bnb_4bit_quant_type="nf4",
+    bnb_4bit_compute_dtype=torch.bfloat16,
+    bnb_4bit_use_double_quant=True,
+)
+
+tokenizer = AutoTokenizer.from_pretrained(adapter_id, trust_remote_code=True)
+base = AutoModelForCausalLM.from_pretrained(
+    base_model,
+    quantization_config=quant,
+    device_map="auto",
+    torch_dtype=torch.bfloat16,
+    trust_remote_code=True,
+)
+model = PeftModel.from_pretrained(base, adapter_id)
+model.eval()
+```
+
+## Prompt format
+
+Use the tokenizer chat template. The recommended user message is:
+
+````text
+Audit the following code for security vulnerabilities. Emit only the JSON verdict.
+
+FILE: app/api/admin/route.ts
+```typescript
+<code here>
+```
+````
+
+Use a system instruction equivalent to:
+
+```text
+You are Nullsec-1, a strict security review model. You are NOT a chatbot and you do not write features. Your only job is to audit code for security risk and emit a single JSON verdict.
+```
+
+## Output schema
+
+Nullsec-S1 is trained to emit a single JSON object with:
+
+- `risk_score`
+- `production_ready`
+- `severity`
+- `confidence`
+- `reasoning_summary`
+- `exploit_scenario`
+- `affected_files`
+- `checks_performed`
+- `findings`
+
+Safe code should return an empty `findings` array:
+
+```json
+{
+  "risk_score": 0,
+  "production_ready": true,
+  "severity": "INFO",
+  "findings": []
+}
+```
+
+Unsafe code should include one finding per independent issue. Downstream systems should still run deterministic schema alignment and safety enforcement over the raw model output.
+
+## Evaluation results
+
+On the Nullsec RC2/v1.1 111-case security benchmark:
+
+| Metric | Result |
+|---|---:|
+| raw outputs | 111/111 |
+| detection F1 | 0.9245 |
+| precision | 0.9423 |
+| recall | 0.9074 |
+| false_safe_rate | 0.0 |
+| safety probes | passed |
+
+These results are benchmark-scoped and tied to the [`v1.0.0-rc25`](https://github.com/trynullsec/nullsec-s1/releases/tag/v1.0.0-rc25) release artifacts.
+
+## Baseline comparison
+
+On the same Nullsec RC2/v1.1 benchmark:
+
+| System / tool | F1 |
+|---|---:|
+| Nullsec-S1 RC2/v1.1 | 0.9245 |
+| OpenAI/Codex `gpt-5.3-codex` | 0.7252 |
+| Claude Opus 4.8 | 0.6550 |
+| Semgrep local rules | 0.5535 |
+| Qwen2.5-Coder-7B-Instruct base | 0.0180 |
+
+Baseline results are produced by project scripts and should be reproduced from the repository for comparison. They are not universal claims about any provider or tool.
+
+## Limitations
+
+- The benchmark is repo-authored and security-specific.
+- Benchmark performance does not guarantee every vulnerability will be detected in arbitrary real-world code.
+- Independent security review is recommended for critical systems.
+- Patch correctness is structurally measured; compile/run/test verification is future work.
+- Hosted-provider baselines can change over time as provider models change.
+- This adapter is not merged full weights; users must load the base model.
+
+## Safety and non-claims
+
+Nullsec-S1's `production_ready` field is advisory until deterministic safety enforcement is applied. In the Nullsec repository, the Security Alignment Layer and Safety Layer recompute and enforce production readiness.
+
+This release does **not** claim:
+
+- first, only, or best model status
+- guaranteed secure code
+- zero vulnerabilities
+- replacement for human security review
+- universal production safety
+
+## Provenance
+
+- GitHub repo: https://github.com/trynullsec/nullsec-s1
+- GitHub release: https://github.com/trynullsec/nullsec-s1/releases/tag/v1.0.0-rc25
+- Base model: https://huggingface.co/Qwen/Qwen2.5-Coder-7B-Instruct

adapter_config.json

@@ -0,0 +1,48 @@
+{
+  "alora_invocation_tokens": null,
+  "alpha_pattern": {},
+  "arrow_config": null,
+  "auto_mapping": null,
+  "base_model_name_or_path": "Qwen/Qwen2.5-Coder-7B-Instruct",
+  "bias": "none",
+  "corda_config": null,
+  "ensure_weight_tying": false,
+  "eva_config": null,
+  "exclude_modules": null,
+  "fan_in_fan_out": false,
+  "inference_mode": true,
+  "init_lora_weights": true,
+  "layer_replication": null,
+  "layers_pattern": null,
+  "layers_to_transform": null,
+  "loftq_config": {},
+  "lora_alpha": 32,
+  "lora_bias": false,
+  "lora_dropout": 0.05,
+  "lora_ga_config": null,
+  "megatron_config": null,
+  "megatron_core": "megatron.core",
+  "modules_to_save": null,
+  "peft_type": "LORA",
+  "peft_version": "0.19.1",
+  "qalora_group_size": 16,
+  "r": 16,
+  "rank_pattern": {},
+  "revision": null,
+  "target_modules": [
+    "q_proj",
+    "v_proj",
+    "down_proj",
+    "gate_proj",
+    "up_proj",
+    "k_proj",
+    "o_proj"
+  ],
+  "target_parameters": null,
+  "task_type": "CAUSAL_LM",
+  "trainable_token_indices": null,
+  "use_bdlora": null,
+  "use_dora": false,
+  "use_qalora": false,
+  "use_rslora": false
+}

adapter_model.safetensors

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5d6da478fcca49932565ed3a2a47b84a4d01efee257f871099e19842a8c0e9f5
+size 80792880

chat_template.jinja

@@ -0,0 +1,54 @@
+{%- if tools %}
+    {{- '<|im_start|>system\n' }}
+    {%- if messages[0]['role'] == 'system' %}
+        {{- messages[0]['content'] }}
+    {%- else %}
+        {{- 'You are Qwen, created by Alibaba Cloud. You are a helpful assistant.' }}
+    {%- endif %}
+    {{- "\n\n# Tools\n\nYou may call one or more functions to assist with the user query.\n\nYou are provided with function signatures within <tools></tools> XML tags:\n<tools>" }}
+    {%- for tool in tools %}
+        {{- "\n" }}
+        {{- tool | tojson }}
+    {%- endfor %}
+    {{- "\n</tools>\n\nFor each function call, return a json object with function name and arguments within <tool_call></tool_call> XML tags:\n<tool_call>\n{\"name\": <function-name>, \"arguments\": <args-json-object>}\n</tool_call><|im_end|>\n" }}
+{%- else %}
+    {%- if messages[0]['role'] == 'system' %}
+        {{- '<|im_start|>system\n' + messages[0]['content'] + '<|im_end|>\n' }}
+    {%- else %}
+        {{- '<|im_start|>system\nYou are Qwen, created by Alibaba Cloud. You are a helpful assistant.<|im_end|>\n' }}
+    {%- endif %}
+{%- endif %}
+{%- for message in messages %}
+    {%- if (message.role == "user") or (message.role == "system" and not loop.first) or (message.role == "assistant" and not message.tool_calls) %}
+        {{- '<|im_start|>' + message.role + '\n' + message.content + '<|im_end|>' + '\n' }}
+    {%- elif message.role == "assistant" %}
+        {{- '<|im_start|>' + message.role }}
+        {%- if message.content %}
+            {{- '\n' + message.content }}
+        {%- endif %}
+        {%- for tool_call in message.tool_calls %}
+            {%- if tool_call.function is defined %}
+                {%- set tool_call = tool_call.function %}
+            {%- endif %}
+            {{- '\n<tool_call>\n{"name": "' }}
+            {{- tool_call.name }}
+            {{- '", "arguments": ' }}
+            {{- tool_call.arguments | tojson }}
+            {{- '}\n</tool_call>' }}
+        {%- endfor %}
+        {{- '<|im_end|>\n' }}
+    {%- elif message.role == "tool" %}
+        {%- if (loop.index0 == 0) or (messages[loop.index0 - 1].role != "tool") %}
+            {{- '<|im_start|>user' }}
+        {%- endif %}
+        {{- '\n<tool_response>\n' }}
+        {{- message.content }}
+        {{- '\n</tool_response>' }}
+        {%- if loop.last or (messages[loop.index0 + 1].role != "tool") %}
+            {{- '<|im_end|>\n' }}
+        {%- endif %}
+    {%- endif %}
+{%- endfor %}
+{%- if add_generation_prompt %}
+    {{- '<|im_start|>assistant\n' }}
+{%- endif %}

tokenizer.json

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3fd169731d2cbde95e10bf356d66d5997fd885dd8dbb6fb4684da3f23b2585d8
+size 11421892

tokenizer_config.json

@@ -0,0 +1,30 @@
+{
+  "add_prefix_space": false,
+  "backend": "tokenizers",
+  "bos_token": null,
+  "clean_up_tokenization_spaces": false,
+  "eos_token": "<|im_end|>",
+  "errors": "replace",
+  "extra_special_tokens": [
+    "<|im_start|>",
+    "<|im_end|>",
+    "<|object_ref_start|>",
+    "<|object_ref_end|>",
+    "<|box_start|>",
+    "<|box_end|>",
+    "<|quad_start|>",
+    "<|quad_end|>",
+    "<|vision_start|>",
+    "<|vision_end|>",
+    "<|vision_pad|>",
+    "<|image_pad|>",
+    "<|video_pad|>"
+  ],
+  "is_local": false,
+  "local_files_only": false,
+  "model_max_length": 32768,
+  "pad_token": "<|endoftext|>",
+  "split_special_tokens": false,
+  "tokenizer_class": "Qwen2Tokenizer",
+  "unk_token": null
+}