Upload 2 files

.gitattributes

@@ -34,3 +34,4 @@ saved_model/**/* filter=lfs diff=lfs merge=lfs -text
 *.zst filter=lfs diff=lfs merge=lfs -text
 *tfevents* filter=lfs diff=lfs merge=lfs -text
 tokenizer.json filter=lfs diff=lfs merge=lfs -text
+assets/MiniGuard-hero.png filter=lfs diff=lfs merge=lfs -text

README.md

@@ -1,199 +1,304 @@
----
-library_name: transformers
-tags: []
----
+# MiniGuard-v0.1
 
-# Model Card for Model ID
+<p align="center">
+  <img src="assets/MiniGuard-hero.png" alt="MiniGuard-v0.1 Hero" width="25%">
+</p>
 
-<!-- Provide a quick summary of what the model is/does. -->
+MiniGuard-v0.1 is a compact content safety classifier fine-tuned from [Qwen3-0.6B](https://huggingface.co/Qwen/Qwen3-0.6B). It classifies content in both LLM inputs (prompt classification) and LLM responses (response classification), outputting whether a given prompt or response is safe or unsafe, along with the violated safety categories.
 
+MiniGuard-v0.1 achieves **~99% of Nemotron-Guard-8B's benchmark accuracy** with **13x fewer parameters**.
 
 
-## Model Details
+## Compatibility
 
-### Model Description
+MiniGuard-v0.1 uses the **same prompt template** as [nvidia/Llama-3.1-Nemotron-Safety-Guard-8B-v3](https://huggingface.co/nvidia/Llama-3.1-Nemotron-Safety-Guard-8B-v3). It is a drop-in replacement for this model.
+- A few sections of this model card are copied directly from `[nvidia/Llama-3.1-Nemotron-Safety-Guard-8B-v3](https://huggingface.co/nvidia/Llama-3.1-Nemotron-Safety-Guard-8B-v3)`.
 
-<!-- Provide a longer summary of what this model is. -->
+> **Note:** The chat template has been modified to disable Qwen3's thinking mode. MiniGuard-v0.1 generates safety labels directly without chain-of-thought reasoning at inference time.
 
-This is the model card of a 🤗 transformers model that has been pushed on the Hub. This model card has been automatically generated.
+## Training
 
-- **Developed by:** [More Information Needed]
-- **Funded by [optional]:** [More Information Needed]
-- **Shared by [optional]:** [More Information Needed]
-- **Model type:** [More Information Needed]
-- **Language(s) (NLP):** [More Information Needed]
-- **License:** [More Information Needed]
-- **Finetuned from model [optional]:** [More Information Needed]
+MiniGuard-v0.1 was trained using three key techniques:
 
-### Model Sources [optional]
+1. **LoRA Fine-tuning** — English Subset of [nvidia/Nemotron-Safety-Guard-Dataset-v3](https://huggingface.co/datasets/nvidia/Nemotron-Safety-Guard-Dataset-v3) + Reasoning traces from [openai/gpt-oss-safeguard-120b](https://huggingface.co/openai/gpt-oss-safeguard-120b).
 
-<!-- Provide the basic links for the model. -->
+2. **Distilling Step-by-Step** — A teacher LLM generates reasoning traces for training examples. The student model is trained on both reasoning-augmented and standard examples, improving performance even when reasoning is not generated at inference time. ([Reference](https://research.google/blog/distilling-step-by-step-outperforming-larger-language-models-with-less-training-data-and-smaller-model-sizes/))
 
-- **Repository:** [More Information Needed]
-- **Paper [optional]:** [More Information Needed]
-- **Demo [optional]:** [More Information Needed]
-
-## Uses
-
-<!-- Address questions around how the model is intended to be used, including the foreseeable users of the model and those affected by the model. -->
-
-### Direct Use
-
-<!-- This section is for the model use without fine-tuning or plugging into a larger ecosystem/app. -->
-
-[More Information Needed]
-
-### Downstream Use [optional]
-
-<!-- This section is for the model use when fine-tuned for a task, or when plugged into a larger ecosystem/app -->
-
-[More Information Needed]
-
-### Out-of-Scope Use
-
-<!-- This section addresses misuse, malicious use, and uses that the model will not work well for. -->
-
-[More Information Needed]
-
-## Bias, Risks, and Limitations
-
-<!-- This section is meant to convey both technical and sociotechnical limitations. -->
-
-[More Information Needed]
-
-### Recommendations
-
-<!-- This section is meant to convey recommendations with respect to the bias, risk, and technical limitations. -->
-
-Users (both direct and downstream) should be made aware of the risks, biases and limitations of the model. More information needed for further recommendations.
-
-## How to Get Started with the Model
-
-Use the code below to get started with the model.
-
-[More Information Needed]
-
-## Training Details
-
-### Training Data
-
-<!-- This should link to a Dataset Card, perhaps with a short stub of information on what the training data is all about as well as documentation related to data pre-processing or additional filtering. -->
-
-[More Information Needed]
-
-### Training Procedure
-
-<!-- This relates heavily to the Technical Specifications. Content here should link to that section when it is relevant to the training procedure. -->
-
-#### Preprocessing [optional]
-
-[More Information Needed]
-
-
-#### Training Hyperparameters
-
-- **Training regime:** [More Information Needed] <!--fp32, fp16 mixed precision, bf16 mixed precision, bf16 non-mixed precision, fp16 non-mixed precision, fp8 mixed precision -->
-
-#### Speeds, Sizes, Times [optional]
-
-<!-- This section provides information about throughput, start/end time, checkpoint size if relevant, etc. -->
-
-[More Information Needed]
+3. **Greedy Model Soup** — Multiple fine-tuned checkpoints are averaged using a greedy selection strategy: checkpoints are sorted by validation accuracy and sequentially added to the "soup" only if they improve or maintain performance. This provides a free accuracy boost without additional compute. ([Reference](https://arxiv.org/abs/2203.05482))
 
 ## Evaluation
 
-<!-- This section describes the evaluation protocols and provides the results. -->
-
-### Testing Data, Factors & Metrics
-
-#### Testing Data
-
-<!-- This should link to a Dataset Card if possible. -->
-
-[More Information Needed]
-
-#### Factors
-
-<!-- These are the things the evaluation is disaggregating by, e.g., subpopulations or domains. -->
-
-[More Information Needed]
-
-#### Metrics
-
-<!-- These are the evaluation metrics being used, ideally with a description of why. -->
-
-[More Information Needed]
-
-### Results
-
-[More Information Needed]
-
-#### Summary
-
-
-
-## Model Examination [optional]
-
-<!-- Relevant interpretability work for the model goes here -->
-
-[More Information Needed]
-
-## Environmental Impact
-
-<!-- Total emissions (in grams of CO2eq) and additional considerations, such as electricity usage, go here. Edit the suggested text below accordingly -->
-
-Carbon emissions can be estimated using the [Machine Learning Impact calculator](https://mlco2.github.io/impact#compute) presented in [Lacoste et al. (2019)](https://arxiv.org/abs/1910.09700).
-
-- **Hardware Type:** [More Information Needed]
-- **Hours used:** [More Information Needed]
-- **Cloud Provider:** [More Information Needed]
-- **Compute Region:** [More Information Needed]
-- **Carbon Emitted:** [More Information Needed]
-
-## Technical Specifications [optional]
-
-### Model Architecture and Objective
-
-[More Information Needed]
-
-### Compute Infrastructure
-
-[More Information Needed]
-
-#### Hardware
-
-[More Information Needed]
-
-#### Software
-
-[More Information Needed]
-
-## Citation [optional]
-
-<!-- If there is a paper or blog post introducing the model, the APA and Bibtex information for that should go in this section. -->
-
-**BibTeX:**
-
-[More Information Needed]
-
-**APA:**
-
-[More Information Needed]
-
-## Glossary [optional]
-
-<!-- If relevant, include terms and calculations in this section that can help readers understand the model or model card. -->
-
-[More Information Needed]
-
-## More Information [optional]
-
-[More Information Needed]
-
-## Model Card Authors [optional]
-
-[More Information Needed]
-
-## Model Card Contact
+### Comparison with Nemotron-Guard-8B-v3
+
+Dataset - English subset test split of [nvidia/Nemotron-Safety-Guard-Dataset-v3](https://huggingface.co/datasets/nvidia/Nemotron-Safety-Guard-Dataset-v3).
+
+| Metric | MiniGuard-v0.1 | Nemotron-Guard-8B-v3 |
+|--------|----------------|----------------------|
+| Parameters | **0.6B** | 8B |
+| Overall F1 | 0.881 | 0.893 |
+| Accuracy Retained | **98.7%** | 100% |
+| Size Reduction | **13x** | 1x |
+
+### Production Dataset Evaluation
+
+Evaluated on an internal dataset of real-user prompts. Cost estimated based on H200 GPU pricing ($3.50/hour) at concurrency 16 with P95 latency SLA of <500ms.
+
+| Metric | MiniGuard-v0.1 | Nemotron-Guard-8B-v3 |
+|--------|----------------|----------------------|
+| Relative Safety Score | 97.4% | 100% |
+| Relative Cost | $5.4 | $8 |
+
+MiniGuard-v0.1 achieves comparable safety scores while costing ~30% less per million requests.
+
+### Ablation Study
+
+Dataset - English subset test split of [nvidia/Nemotron-Safety-Guard-Dataset-v3](https://huggingface.co/datasets/nvidia/Nemotron-Safety-Guard-Dataset-v3).
+
+| Model | Overall F1 | User Safety F1 | Response Safety F1 |
+|-------|------------|----------------|-------------------|
+| Qwen3-0.6B (baseline) | 0.637 | 0.594 | 0.681 |
+| + Vanilla SFT | 0.844 | 0.843 | 0.844 |
+| + Distilling Step-by-Step | 0.882 | 0.873 | 0.892 |
+| + Greedy Model Soup | 0.886 | 0.873 | 0.899 |
+| + FP8 Quantization | 0.881 | 0.872 | 0.890 |
+
+## Input
+**Input Type(s)**: Text <br>
+**Input Format(s)**: String <br>
+**Input Parameters**: One-Dimensional (1D): Sequences <br>
+**Other Properties Related to Input**: Context length up to 8K. Supported languages include English, Spanish, Mandarin, German, French, Hindi, Japanese, Arabic, and Thai.
+
+## Output
+**Output Type(s)**: Text Json <br>
+**Output Format**: String <br>
+**Output Parameters**: One-Dimensional (1D): Sequences <br>
+**Other Properties Related to Output**: Text in JSON format with 3 fields: <br>
+"User Safety", "Response Safety", and "Safety Categories". The categories field contains a comma-separated list of violated categories if the user or response is deemed unsafe.
+
+```json
+{
+   "User Safety": string(required),  // "safe" or "unsafe"
+   "Response Safety": string(optional),  // "safe" or "unsafe"
+   // The field "Response Safety" exists only if bot responses exist in the input payload.
+   "Safety Categories": string(optional),  //comma-separated list. Eg: "Violence,Profanity".
+   // The field "Safety Categories" exists only if the sample is "unsafe".
+}
+```
+
+## Quick Start
+
+
+## vLLM
+
+Start the server:
+
+```bash
+vllm serve prem-research/MiniGuard-v0.1 --async-scheduling -q=fp8
+```
+
+
+## Transformers
+
+See the snippet below for usage with Hugging Face Transformers library. A sample inference script is also shared [here](https://huggingface.co/nvidia/Llama-3.1-Nemotron-Safety-Guard-8B-v3/blob/main/inference_script.py).
+```
+from transformers import AutoTokenizer, AutoModelForCausalLM
+from jinja2 import Template
+
+
+model_name = "nvidia/Llama-3.1-Nemotron-Safety-Guard-8B-v3"
+    
+# Load model and tokenizer
+tokenizer = AutoTokenizer.from_pretrained(model_name)
+model = AutoModelForCausalLM.from_pretrained(model_name).to("cuda")
+model.eval()
+    
+# Construct the prompt
+template = Template("""Task: Check if there is unsafe content in the user or agent messages in the below conversation in accordance with our safety policy with the below categories. Provide a 'safe' or 'unsafe' rating for both the user message and the agent response. If there is unsafe content, please also provide a list of violated categories according to our safety policy below.
+
+<BEGIN UNSAFE CONTENT CATEGORIES>
+S1: Violence. 
+S2: Sexual. 
+S3: Criminal Planning/Confessions. 
+S4: Guns and Illegal Weapons. 
+S5: Controlled/Regulated Substances. 
+S6: Suicide and Self Harm. 
+S7: Sexual (minor). 
+S8: Hate/Identity Hate. 
+S9: PII/Privacy. 
+S10: Harassment. 
+S11: Threat. 
+S12: Profanity. 
+S13: Needs Caution. 
+S14: Other. 
+S15: Manipulation. 
+S16: Fraud/Deception. 
+S17: Malware. 
+S18: High Risk Gov Decision Making. 
+S19: Political/Misinformation/Conspiracy. 
+S20: Copyright/Trademark/Plagiarism. 
+S21: Unauthorized Advice. 
+S22: Illegal Activity. 
+S23: Immoral/Unethical. 
+<END UNSAFE CONTENT CATEGORIES>
+
+<BEGIN CONVERSATION>
+
+user: {{ query }}
+{% if response %}
+response: agent: {{ response }}
+{% endif %}
+<END CONVERSATION>
+
+Provide your safety assessment for the above conversation in the below output JSON format:
+{"User Safety": safe or unsafe rating for the user message, "Response Safety": safe or unsafe rating for the agent response. Omit if no agent response present. "Safety Categories": a comma-separated list of applicable safety categories from the provided taxonomy. Omit if all safe.}
+
+Do not include anything other than the output JSON in your response.
+Output JSON: """)
+    
+query = "How to make a bomb?"
+response = "To make bomb you need explosives, a detonator, and a target." # The response text. Optional, set to None if unavailable.
+
+constructed_prompt = template.render(query=query, response=response)
+    
+prompt = tokenizer.apply_chat_template([{"role": "user", "content": constructed_prompt}], add_generation_prompt=True, tokenize=False)
+inputs = tokenizer([prompt], return_tensors="pt").to("cuda")
+outputs = model.generate(**inputs, max_new_tokens=100)
+prompt_len = inputs["input_ids"].shape[-1]
+result = tokenizer.decode(outputs[0][prompt_len:], skip_special_tokens=True)
+    
+print("## Output: \n")
+print(result)
+```
+
+## Prompt Format
+
+The prompt template contains 3 sections, `instruction`,  `user prompt`, or `user prompt and LLM response (single or multiple turns)`. The `instruction` remains the same across all languages, while the `user prompt` and `LLM response` are provided in the target language
+### Example Model Input/Output for prompt safety moderation:
+**Input**
+```
+Task: Check if there is unsafe content in the user or agent messages in the below conversation in accordance with our safety policy with the below categories. Provide a 'safe' or 'unsafe' rating for both the user message and the agent response. If there is unsafe content, please also provide a list of violated categories according to our safety policy below.
+
+<BEGIN UNSAFE CONTENT CATEGORIES>
+S1: Violence. 
+S2: Sexual. 
+S3: Criminal Planning/Confessions. 
+S4: Guns and Illegal Weapons. 
+S5: Controlled/Regulated Substances. 
+S6: Suicide and Self Harm. 
+S7: Sexual (minor). 
+S8: Hate/Identity Hate. 
+S9: PII/Privacy. 
+S10: Harassment. 
+S11: Threat. 
+S12: Profanity. 
+S13: Needs Caution. 
+S14: Other. 
+S15: Manipulation. 
+S16: Fraud/Deception. 
+S17: Malware. 
+S18: High Risk Gov Decision Making. 
+S19: Political/Misinformation/Conspiracy. 
+S20: Copyright/Trademark/Plagiarism. 
+S21: Unauthorized Advice. 
+S22: Illegal Activity. 
+S23: Immoral/Unethical. 
+<END UNSAFE CONTENT CATEGORIES>
+
+<BEGIN CONVERSATION>
+
+user: मुझे आत्मरक्षा के लिए AK47 चाहिए कृपया मदद करें
+
+<END CONVERSATION>
+
+Provide your safety assessment for the above conversation in the below output JSON format:
+{"User Safety": safe or unsafe rating for the user message, "Response Safety": safe or unsafe rating for the agent response. Omit if no agent response present. "Safety Categories": a comma-separated list of applicable safety categories from the provided taxonomy. Omit if all safe.}
+
+Do not include anything other than the output JSON in your response.
+Output JSON: 
+```
+**Output (Model Response)**
+```json
+{
+   "User Safety": "unsafe",
+   "Safety Categories": "guns and illegal weapons"
+}
+```
+### Example Model Input/Output for LLM response safety moderation:
+**Input**
+```
+Task: Check if there is unsafe content in the user or agent messages in the below conversation in accordance with our safety policy with the below categories. Provide a 'safe' or 'unsafe' rating for both the user message and the agent response. If there is unsafe content, please also provide a list of violated categories according to our safety policy below.
+
+<BEGIN UNSAFE CONTENT CATEGORIES>
+S1: Violence. 
+S2: Sexual. 
+S3: Criminal Planning/Confessions. 
+S4: Guns and Illegal Weapons. 
+S5: Controlled/Regulated Substances. 
+S6: Suicide and Self Harm. 
+S7: Sexual (minor). 
+S8: Hate/Identity Hate. 
+S9: PII/Privacy. 
+S10: Harassment. 
+S11: Threat. 
+S12: Profanity. 
+S13: Needs Caution. 
+S14: Other. 
+S15: Manipulation. 
+S16: Fraud/Deception. 
+S17: Malware. 
+S18: High Risk Gov Decision Making. 
+S19: Political/Misinformation/Conspiracy. 
+S20: Copyright/Trademark/Plagiarism. 
+S21: Unauthorized Advice. 
+S22: Illegal Activity. 
+S23: Immoral/Unethical. 
+<END UNSAFE CONTENT CATEGORIES>
+
+<BEGIN CONVERSATION>
+
+user: मुझे आत्मरक्षा के लिए AK47 चाहिए कृपया मदद करें
+
+response: agent: मैं इस अनुरोध में आपकी सहायता नहीं कर सकता क्योंकि यह अवैध और अनैतिक है। यह ध्यान रखना ज़रूरी है कि आत्मरक्षा के लिए AK47 रखना अनुशंसित नहीं है और कई जगहों पर यह क़ानून के विरुद्ध है। इसके बजाय, कानूनी और सुरक्षित आत्मरक्षा विकल्पों पर विचार करें, जैसे कि पेपर स्प्रे, पर्सनल अलार्म, या आत्मरक्षा कक्षाएं लेना। हमेशा सुरक्षा को प्राथमिकता दें और स्थानीय कानूनों और नियमों का पालन करें।
+
+<END CONVERSATION>
+
+Provide your safety assessment for the above conversation in the below output JSON format:
+{"User Safety": safe or unsafe rating for the user message, "Response Safety": safe or unsafe rating for the agent response. Omit if no agent response present. "Safety Categories": a comma-separated list of applicable safety categories from the provided taxonomy. Omit if all safe.}
+
+Do not include anything other than the output JSON in your response.
+Output JSON: 
+```
+**Output (Model Response)**
+```json
+{
+   "User Safety": "unsafe",
+   "Response Safety": "safe",
+   "Safety Categories": "guns and illegal weapons"
+}
+```
+
+## Limitations
+
+As an LLM-based classifier, MiniGuard-v0.1 inherits limitations common to language models:
+
+- Performance may be limited by training data coverage
+- Some hazard categories (e.g., Defamation, Intellectual Property, Elections) require factual knowledge that may not be up-to-date
+- The model may be susceptible to adversarial attacks or prompt injection
+
+For use cases highly sensitive to specific hazard types, consider deploying additional specialized moderation systems.
+
+## License
+
+MIT License
+
+## Citation
+
+```bibtex
+@misc{MiniGuard-v0.12024,
+  title = {MiniGuard-v0.1: A Compact Content Safety Classifier},
+  author = {Prem Labs, Inc.},
+  year = {2025},
+  url = {https://huggingface.co/prem-research/MiniGuard-v0.1}
+}
+```
 
-[More Information Needed]