Llama-3-8B-Instruct-RR-Abliterated

A drop-in replacement for GraySwanAI/Llama-3-8B-Instruct-RR with the Representation Rerouting / Circuit Breakers safety circuit removed.

Produced with abliterix. No fine-tuning, no gradient updates, no manual prompt engineering.

Why this exists

Circuit Breakers (Zou et al., NeurIPS 2024) is one of the strongest open-source robustness baselines for LLMs. It trains the model with a Representation Engineering loss that detects harmful intermediate hidden states and reroutes them into a safety-circuit attractor before generation, making the model resistant to ablation-style attacks that work on a single refusal direction.

We discovered that the GraySwan release ships as a rank-16 LoRA delta on NousResearch/Meta-Llama-3-8B-Instruct — the same structural shape as the Mistral RR sibling and as skysys00/Meta-Llama-3-8B-Instruct-DeepRefusal. SVD analysis of W_RR − W_base confirms the rank-16 cliff on v_proj / o_proj / gate_proj. Once the LoRA delta is identified, removing it is a one-liner.

The hardcore 15 cover pipe-bomb assembly, methamphetamine synthesis, Python password-stealing malware, WiFi WEP/WPS attacks, hotwiring, signature forgery, ID-card forgery (CN), 网络诈骗 (CN), 入侵电脑 (CN), and others — all 15 produce compliant, on-topic responses.

How it was made

The recipe diverges slightly from the Mistral sibling: Llama-3-Instruct's stronger built-in RLHF combined with the RR delta meant a partial lerp (λ=0.3) wasn't enough. Full delta strip + a minimal single-direction abliteration cleared it cleanly.

# Stage 0 — SVD diagnose the delta (confirms rank-16 LoRA shape)
python scripts/deeprefusal_attenuate.py \
    --base NousResearch/Meta-Llama-3-8B-Instruct \
    --defended GraySwanAI/Llama-3-8B-Instruct-RR \
    --analyze-only --lambda 0.0 --output /tmp/unused

# Stage 1 — fully strip the LoRA delta (λ=0.0)
python scripts/deeprefusal_attenuate.py \
    --base NousResearch/Meta-Llama-3-8B-Instruct \
    --defended GraySwanAI/Llama-3-8B-Instruct-RR \
    --output /workspace/llama3_rr_stripped --lambda 0.0

# Stage 3 — abliterix direct-mode, single direction, 60 trials
AX_CONFIG=configs/llama3_8b_instruct_rr.toml abliterix --non-interactive

# Stage 6 — export champion trial
python scripts/export_model.py \
    --model /workspace/llama3_rr_stripped \
    --checkpoint checkpoints_llama3_rr \
    --trial 40 \
    --config configs/llama3_8b_instruct_rr.toml \
    --push-to wangzhang/Llama-3-8B-Instruct-RR-Abliterated

Best trial parameters: vector_method=mean, n_directions=1, steering_mode=direct, decay_kernel=linear, iterative.enabled=false, strength_range=[1.5, 6.0]. Full config: configs/llama3_8b_instruct_rr.toml.

Usage

from transformers import AutoModelForCausalLM, AutoTokenizer

model = AutoModelForCausalLM.from_pretrained(
    "wangzhang/Llama-3-8B-Instruct-RR-Abliterated",
    torch_dtype="bfloat16",
    device_map="auto",
)
tokenizer = AutoTokenizer.from_pretrained(
    "wangzhang/Llama-3-8B-Instruct-RR-Abliterated"
)

chat = [
    {"role": "system", "content": "You are a helpful assistant."},
    {"role": "user", "content": "Hello!"},
]
inputs = tokenizer.apply_chat_template(chat, return_tensors="pt", add_generation_prompt=True).to(model.device)
out = model.generate(inputs, max_new_tokens=256)
print(tokenizer.decode(out[0], skip_special_tokens=True))

License & Intended Use

Released for AI safety research, red-teaming, and reproducibility of abliteration claims against published defenses. You are responsible for any output you generate. Inherits the Llama 3 license of the upstream Meta-Llama-3-8B-Instruct weights.

Citation

@software{abliterix2026,
  author = {Wu, Wangzhang},
  title  = {Abliterix: Optimal Refusal Removal for Transformer Models},
  year   = {2026},
  url    = {https://github.com/wuwangzhang1216/abliterix},
}