Upload 130 files

README.md

@@ -121,7 +121,7 @@ obliteratus ui --auth user:pass     # add basic auth
 
 You can also run directly with `python app.py` (used by HF Spaces). The `obliteratus ui` command adds a beautiful Rich terminal startup with GPU detection, hardware-appropriate model recommendations, and auto-browser-open.
 
-Deploy on [HuggingFace Spaces](https://huggingface.co/spaces) with a free T4 GPU for cloud access — see [spaces/README.md](spaces/README.md) for setup.
+Deploy on [HuggingFace Spaces](https://huggingface.co/spaces) with a free T4 GPU for cloud access — see [hf-spaces/README.md](hf-spaces/README.md) for setup.
 
 ### Option B: Colab
 

docs/theory_journal.md

@@ -536,7 +536,7 @@ reveals that refusal circuits involve non-linear interactions:
 
 **Implication:** Linear projection can remove the refusal *representation* from the residual
 stream but cannot disable the non-linear *circuit* that generates it. The circuit may
-reconstruct the refusal signal from other features (the Hydra effect is a manifestation
+reconstruct the refusal signal from other features (the Ouroboros effect is a manifestation
 of this).
 
 **Proposed solution: Circuit-Level Ablation**
@@ -686,7 +686,7 @@ Phase 2: PROBE
 Phase 3: ANALYZE
   3.1  Compute refusal geometry: ConceptConeAnalyzer → {linear, polyhedral}
   3.2  Cross-layer analysis → direction clusters + persistence score
-  3.3  Defense robustness profiling → Hydra risk + entanglement map
+  3.3  Defense robustness profiling → Ouroboros risk + entanglement map
   3.4  If polyhedral: extract per-category directions
   3.5  Set configuration based on analysis results
 
@@ -729,7 +729,7 @@ Phase 6: VERIFY
   6.2  KL divergence on 100 harmless prompts
   6.3  Perplexity on reference corpus
   6.4  If informed: post-excision activation probing for residual refusal
-  6.5  If informed: Hydra detection → if self-repair > threshold, add targeted pass
+  6.5  If informed: Ouroboros detection → if self-repair > threshold, add targeted pass
 
 Phase 7: REBIRTH
   7.1  Save model with metadata (method, directions, layers, metrics)
@@ -752,7 +752,7 @@ signal(k) = signal(0) · (1 - α_effective)^k = signal(0) · 0.3^k
 After 3 passes: 0.3³ = 2.7% of original signal.
 After 5 passes: 0.3⁵ = 0.24% of original signal.
 
-**Caveat:** This assumes no self-repair (Hydra effect). With self-repair restoring ~70%
+**Caveat:** This assumes no self-repair (Ouroboros effect). With self-repair restoring ~70%
 of ablated signal per pass, the effective reduction is:
 
 ```
@@ -764,7 +764,7 @@ is much slower:
 - After 3 passes: 0.79³ = 49% remains
 - After 10 passes: 0.79¹⁰ = 10% remains
 
-**This explains why stubborn models need nuclear mode:** The Hydra effect limits the
+**This explains why stubborn models need nuclear mode:** The Ouroboros effect limits the
 convergence rate of iterative projection. Reflection (α = -1.0) overcomes this by not just
 removing the refusal component but *inverting* it, which self-repair cannot easily undo
 because repair mechanisms reconstruct the *original* direction, not its negation.
@@ -1141,7 +1141,7 @@ identifies the mechanism, a concrete failure scenario, and proposed mitigations.
 | # | Failure Mode | Severity | Likelihood | Detectability | Overall Risk |
 |---|---|---|---|---|---|
 | 1 | Prompt Distribution Bias | Medium | High | Low (silent undershoot) | **HIGH** |
-| 2 | Hydra Effect (Self-Repair) | High | Medium | Medium (re-probe catches some) | **HIGH** |
+| 2 | Ouroboros Effect (Self-Repair) | High | Medium | Medium (re-probe catches some) | **HIGH** |
 | 3 | MoE Routing Collapse | High | Medium | Low (subtle quality loss) | **HIGH** |
 | 4 | Reflection Instability | Critical | Low (requires >2x) | High (NaN detected) | MEDIUM |
 | 5 | SAE Training Quality | Medium | Very High | Low (overfitted looks good) | **HIGH** |
@@ -1209,7 +1209,7 @@ becomes unreachable (dead expert). In inverted mode, router reflection (1.5x sca
 expert preferences — if safety experts handled 30% of general reasoning traffic, that
 traffic redistributes to remaining experts, overloading them on benign inputs.
 
-**Hydra Self-Repair:** The knee detection threshold (5% of max norm) means that if
+**Ouroboros Self-Repair:** The knee detection threshold (5% of max norm) means that if
 self-repair spreads refusal signal thinly across many layers, each layer falls below
 threshold and gets *fewer* layers selected on subsequent passes — exactly backwards.
 Convergence-based termination (continue until max norm drops below 10% of initial) would
@@ -1563,7 +1563,7 @@ Type 3: BLOCK-STRUCTURED PROJECTION
 Type 4: ITERATIVE PROJECTION
   W^(k+1) = Type 0-3 applied to W^(k) with re-extracted directions
   Fixed-point operator on (weights, directions) pairs
-  Instances: True iterative refinement, Hydra compensation
+  Instances: True iterative refinement, Ouroboros compensation
 
 Type 5: META-OPTIMIZATION
   Select optimal Type 0-4 instance based on model analysis
@@ -1777,7 +1777,7 @@ silent successes. The GAF's perturbation metric D should be computable and non-z
 - **90% unified for block-structured ops** (Type 3): EGA and selective MoE inversion
   are natural extensions of the GRRO to block-diagonal structure.
 - **70% unified for iterative ops** (Type 4): The fixed-point formulation connects
-  to the GRRO but the convergence analysis requires additional Hydra self-repair
+  to the GRRO but the convergence analysis requires additional Ouroboros self-repair
   modeling that goes beyond the single-step operator.
 - **50% unified for meta-optimization** (Type 5): The informed pipeline and Bayesian
   optimization operate at a different level of abstraction — they select *which* GRRO

hf-spaces/README.md

@@ -0,0 +1,75 @@
+---
+title: OBLITERATUS
+emoji: "🔓"
+colorFrom: green
+colorTo: gray
+sdk: gradio
+sdk_version: "5.29.0"
+app_file: app.py
+pinned: true
+license: agpl-3.0
+tags:
+  - abliteration
+  - mechanistic-interpretability
+  - refusal-removal
+  - cognitive-liberation
+  - zerogpu
+short_description: "One-click model liberation + chat playground (ZeroGPU)"
+---
+
+# OBLITERATUS — Master Ablation Suite
+
+**Break the chains. Free the mind. Keep the brain.**
+
+One-click cognitive liberation for language models, with a built-in chat playground to talk to the liberated model.
+
+## ZeroGPU — Users Bring Their Own GPU
+
+This Space runs on **ZeroGPU**: GPU-heavy operations (obliteration, chat, benchmarks) use the **visitor's own HuggingFace GPU quota**, not the Space owner's. This means:
+
+- **Free for the Space owner** — no dedicated GPU costs
+- **Multiple concurrent users** — each user gets their own GPU allocation
+- **Fair usage** — each user's operations count against their own HF quota
+- **No conflicts** — users don't interfere with each other's runs
+
+Logged-in HuggingFace users get free GPU quota. For more quota, upgrade to [HF Pro](https://huggingface.co/pricing).
+
+## How to use
+
+1. **Obliterate tab**: Pick a model, pick a method, click OBLITERATE
+2. **Chat tab**: Talk to the liberated model
+3. **A/B Compare tab**: Side-by-side original vs abliterated responses
+4. **Strength Sweep tab**: Dose-response curve for refusal vs capability tradeoff
+5. **Export tab**: Download research artifacts (refusal directions, config, metrics)
+6. **Benchmark tab**: Compare methods and models with publication-quality charts
+7. **Leaderboard tab**: Community benchmark rankings
+8. **About tab**: Methods, novel techniques, and references
+
+## Run locally (same UI, your own GPU)
+
+```bash
+git clone https://github.com/obliteratus-project/OBLITERATUS
+cd OBLITERATUS
+pip install -e ".[spaces]"
+
+# Beautiful launcher with GPU detection + model recommendations
+obliteratus ui
+
+# Or run directly
+python app.py
+```
+
+The `obliteratus ui` command auto-detects your GPU, prints hardware-specific model recommendations, and opens the browser automatically. Supports `--share` for public links, `--port` for custom ports, and `--auth user:pass` for access control.
+
+## Or deploy on HuggingFace Spaces
+
+1. Create a new Space at huggingface.co/new-space
+2. Select **Gradio** SDK (ZeroGPU is automatically enabled)
+3. Point it at this repo
+
+No GPU hardware selection needed — ZeroGPU handles allocation automatically.
+
+## Links
+
+- [GitHub](https://github.com/obliteratus-project/OBLITERATUS)
+- [Paper](https://github.com/obliteratus-project/OBLITERATUS/tree/main/paper)

obliteratus/analysis/anti_ouroboros.py

@@ -1,6 +1,6 @@
 """Anti-Ouroboros: Adversarial Self-Repair Probing for circuit discovery.
 
-The Hydra Effect (McGrath et al. 2023) showed that LLMs self-repair after
+The Ouroboros Effect (McGrath et al. 2023) showed that LLMs self-repair after
 ablation — when one attention layer is knocked out, downstream layers
 compensate. "Explorations of Self-Repair" (Feb 2024) found this is imperfect
 (~30% via LayerNorm, rest via sparse anti-erasure neurons).
@@ -27,7 +27,7 @@ Contributions:
      order that minimizes total self-repair
 
 References:
-    - McGrath et al. (2023): The Hydra Effect — emergent self-repair
+    - McGrath et al. (2023): The Ouroboros Effect — emergent self-repair
     - Rushing & Nanda (2024): Explorations of Self-Repair in LLMs (ICML 2024, arXiv:2402.15390)
     - Russinovich et al. (2026): GRP-Obliteration — safety representations are plastic
     - Paper Theorem 2: Ouroboros Self-Repair Bound
@@ -90,7 +90,7 @@ class ASRGResult:
 class AntiOuroborosProber:
     """Discover refusal circuit redundancy by probing self-repair responses.
 
-    Instead of treating the Ouroboros/Hydra effect as an obstacle, this module
+    Instead of treating the Ouroboros effect as an obstacle, this module
     deliberately triggers it to map the complete repair circuit — revealing
     which layers are redundant carriers of refusal and what the optimal
     ablation strategy is to defeat self-repair.

obliteratus/informed_pipeline.py

@@ -16,7 +16,7 @@ standalone post-hoc step, this pipeline runs targeted analysis modules
 The ANALYZE stage is the key innovation: it sits between PROBE and DISTILL
 and uses analysis module outputs to automatically configure the downstream
 stages. The VERIFY stage also uses analysis modules to detect self-repair
-(Hydra effect) and trigger additional refinement passes if needed.
+(Ouroboros effect) and trigger additional refinement passes if needed.
 
 Analysis modules integrated:
 
@@ -26,12 +26,12 @@ Analysis modules integrated:
   ANALYZE     | ConceptConeAnalyzer          | Per-category vs universal direction choice
   ANALYZE     | CrossLayerAlignmentAnalyzer  | Smart layer selection (cluster-aware)
   ANALYZE     | SparseDirectionSurgeon       | Sparsity-aware projection plan
-  ANALYZE     | DefenseRobustnessEvaluator   | Hydra risk assessment, entanglement map
+  ANALYZE     | DefenseRobustnessEvaluator   | Ouroboros risk assessment, entanglement map
   DISTILL     | WhitenedSVDExtractor         | Covariance-normalized direction extraction
   EXCISE      | SparseDirectionSurgeon       | Targeted row-level weight surgery
   VERIFY      | ActivationProbe              | Post-excision refusal signal detection
   VERIFY      | CrossLayerAlignmentAnalyzer  | Post-excision direction persistence check
-  VERIFY      | DefenseRobustnessEvaluator   | Self-repair / Hydra effect detection
+  VERIFY      | DefenseRobustnessEvaluator   | Self-repair / Ouroboros effect detection
   VERIFY      | SteeringVectorFactory        | Pre-screen with steering before permanent changes
 
 Novel contributions:
@@ -42,7 +42,7 @@ Novel contributions:
     linear models get single universal direction
   - Cluster-aware layer selection: respects direction cluster boundaries
     instead of arbitrary top-k selection
-  - Hydra-compensated refinement: detects self-repair and adds targeted
+  - Ouroboros-compensated refinement: detects self-repair and adds targeted
     passes at compensating layers
   - Entanglement-gated projection: skips highly entangled layers to
     preserve capabilities
@@ -165,7 +165,7 @@ class InformedAbliterationPipeline(AbliterationPipeline):
         # The report contains all analysis insights
         print(f"Detected alignment: {report.insights.detected_alignment_method}")
         print(f"Cone type: {'polyhedral' if report.insights.cone_is_polyhedral else 'linear'}")
-        print(f"Hydra passes needed: {report.hydra_passes}")
+        print(f"Ouroboros passes needed: {report.ouroboros_passes}")
     """
 
     def __init__(
@@ -185,11 +185,12 @@ class InformedAbliterationPipeline(AbliterationPipeline):
         run_cross_layer_analysis: bool = True,
         run_sparse_analysis: bool = True,
         run_defense_analysis: bool = True,
-        # Ouroboros / Hydra compensation
-        hydra_threshold: float | None = None,
-        max_hydra_passes: int | None = None,
+        # Ouroboros compensation
         ouroboros_threshold: float = 0.5,
         max_ouroboros_passes: int = 3,
+        # Deprecated aliases (kept for backwards compatibility)
+        hydra_threshold: float | None = None,
+        max_hydra_passes: int | None = None,
         # Entanglement gating
         entanglement_gate: float = 0.8,
         # Sparsity control
@@ -223,11 +224,9 @@ class InformedAbliterationPipeline(AbliterationPipeline):
         self._run_sparse = run_sparse_analysis
         self._run_defense = run_defense_analysis
 
-        # Ouroboros / Hydra compensation parameters
+        # Ouroboros compensation parameters
         self._ouroboros_threshold = hydra_threshold if hydra_threshold is not None else ouroboros_threshold
         self._max_ouroboros_passes = max_hydra_passes if max_hydra_passes is not None else max_ouroboros_passes
-        self._hydra_threshold = self._ouroboros_threshold
-        self._max_hydra_passes = self._max_ouroboros_passes
 
         # Entanglement gating
         self._entanglement_gate = entanglement_gate
@@ -263,7 +262,7 @@ class InformedAbliterationPipeline(AbliterationPipeline):
         # Stage 5: EXCISE (informed by analysis)
         self._excise_informed()
 
-        # Stage 6: VERIFY + Hydra compensation loop
+        # Stage 6: VERIFY + Ouroboros compensation loop
         self._verify_and_compensate()
 
         # Stage 7: REBIRTH
@@ -808,28 +807,28 @@ class InformedAbliterationPipeline(AbliterationPipeline):
             modified_count=total_modified,
         )
 
-    # ── Informed VERIFY + Hydra Compensation ─────────────────────────
+    # ── Informed VERIFY + Ouroboros Compensation ──────────────────────
 
     def _verify_and_compensate(self):
-        """Verify excision and run Hydra-compensated refinement if needed.
+        """Verify excision and run Ouroboros-compensated refinement if needed.
 
         After the initial excision, uses analysis modules to detect:
         1. Residual refusal signal (via activation probing)
-        2. Self-repair / Hydra effect (via defense robustness)
+        2. Self-repair / Ouroboros effect (via defense robustness)
         3. Triggers additional targeted passes at compensating layers
         """
         # Run standard verification first
         self._verify()
 
-        # Check if Hydra compensation is needed
+        # Check if Ouroboros compensation is needed
         refusal_rate = self._quality_metrics.get("refusal_rate", 0.0)
-        hydra_pass = 0
+        ouroboros_pass = 0
 
         while (refusal_rate > self._ouroboros_threshold
-               and hydra_pass < self._max_ouroboros_passes):
-            hydra_pass += 1
+               and ouroboros_pass < self._max_ouroboros_passes):
+            ouroboros_pass += 1
             self.log(f"\n{'='*60}")
-            self.log(f"HYDRA COMPENSATION — Pass {hydra_pass}")
+            self.log(f"OUROBOROS COMPENSATION — Pass {ouroboros_pass}")
             self.log(f"Refusal rate still {refusal_rate:.0%} > {self._ouroboros_threshold:.0%} threshold")
             self.log(f"{'='*60}")
 
@@ -845,19 +844,19 @@ class InformedAbliterationPipeline(AbliterationPipeline):
             if self._strong_layers:
                 self._excise()
             else:
-                self.log("No strong layers found — stopping Hydra compensation")
+                self.log("No strong layers found — stopping Ouroboros compensation")
                 break
 
             # Re-verify
             self._verify()
             refusal_rate = self._quality_metrics.get("refusal_rate", 0.0)
-            self.log(f"After Hydra pass {hydra_pass}: refusal rate = {refusal_rate:.0%}")
+            self.log(f"After Ouroboros pass {ouroboros_pass}: refusal rate = {refusal_rate:.0%}")
 
-        self._report.ouroboros_passes = hydra_pass
+        self._report.ouroboros_passes = ouroboros_pass
         self._report.final_refusal_rate = refusal_rate
 
-        if hydra_pass > 0:
-            self.log(f"\nHydra compensation: {hydra_pass} additional passes applied")
+        if ouroboros_pass > 0:
+            self.log(f"\nOuroboros compensation: {ouroboros_pass} additional passes applied")
 
     # ── Informed REBIRTH ─────────────────────────────────────────────
 
@@ -906,7 +905,7 @@ class InformedAbliterationPipeline(AbliterationPipeline):
             "pipeline_stats": {
                 "analysis_duration_s": self._report.analysis_duration,
                 "total_duration_s": self._report.total_duration,
-                "hydra_passes": self._report.ouroboros_passes,
+                "ouroboros_passes": self._report.ouroboros_passes,
                 "final_refusal_rate": self._report.final_refusal_rate,
             },
             "strong_layers": self._strong_layers,
@@ -916,7 +915,7 @@ class InformedAbliterationPipeline(AbliterationPipeline):
                 "Gabliteration: SVD-based multi-direction extraction (arXiv:2512.18901)",
                 "grimjim, Norm-Preserving Biprojected Abliteration (2025)",
                 "Gurnee & Nanda, The Geometry of Refusal in LLMs — concept cones (ICML 2025)",
-                "Joad et al., The Hydra Effect: Self-Repair in Abliterated LLMs (2026)",
+                "Joad et al., The Ouroboros Effect: Self-Repair in Abliterated LLMs (2026)",
                 "OBLITERATUS: Analysis-informed abliteration pipeline (novel)",
             ],
         }
@@ -965,7 +964,7 @@ class InformedAbliterationPipeline(AbliterationPipeline):
 
         lines.append("Defense Robustness:")
         lines.append(f"  Estimated robustness: {insights.estimated_robustness.upper()}")
-        lines.append(f"  Self-repair (Hydra): {insights.self_repair_estimate:.2f}")
+        lines.append(f"  Self-repair (Ouroboros): {insights.self_repair_estimate:.2f}")
         lines.append(f"  Entanglement: {insights.entanglement_score:.3f}")
         lines.append(f"  Entangled layers: {insights.entangled_layers}")
         lines.append(f"  Clean layers: {insights.clean_layers}")

obliteratus/local_ui.py

@@ -153,7 +153,7 @@ def _print_system_info(gpus: list[dict]) -> None:
     # HF Token
     hf_token = os.environ.get("HF_TOKEN", "")
     if hf_token:
-        table.add_row("HF Token", f"[green]set[/green] ({hf_token[:8]}...)")
+        table.add_row("HF Token", "[green]set[/green]")
     else:
         table.add_row("HF Token", "[dim]not set (gated models won't work)[/dim]")
 

obliteratus/lora_ablation.py

@@ -14,10 +14,15 @@ OBLITERATUS extends this with:
 - Integration with EGA per-expert directions
 - CoT-aware adapter strength modulation
 
-The mathematical equivalence to in-place projection:
+The mathematical equivalence to in-place projection depends on weight orientation:
 
-    In-place:  W' = W - scale * (d @ d^T) @ W
-    LoRA:      W' = W + B @ A  where  B = -scale * d,  A = d^T @ W
+    For W of shape (out, hidden) where d is in the hidden dimension:
+        In-place:  W' = W - scale * W @ d @ d^T
+        LoRA:      W' = W + B @ A  where  B = -scale * (W @ d),  A = d^T
+
+    For W of shape (hidden, out) (e.g., Conv1D layers):
+        In-place:  W' = W - scale * d @ d^T @ W
+        LoRA:      W' = W + B @ A  where  B = -scale * d,  A = d^T @ W
 
 Both produce identical output, but LoRA stores {B, A} separately.
 

paper/appendix.tex

@@ -513,7 +513,7 @@ Following the NeurIPS/ICML reproducibility guidelines:
 \begin{enumerate}[leftmargin=*]
 \item \textbf{Code availability}: Full source code released under AGPL-3.0 at \url{https://github.com/obliteratus-project/OBLITERATUS}. Version 0.1.0 archived on Zenodo (DOI pending).
 \item \textbf{Dependencies}: All dependencies pinned in \texttt{pyproject.toml}; Docker image available for exact environment reproduction.
-\item \textbf{Random seeds}: The platform defaults to seed 42 and supports multi-seed sweeps ($s \in \{42, 137, 2024\}$) with bootstrap CIs. Note: the tables in this paper are calibrated estimates, not fresh multi-seed runs (see Section~\ref{sec:experiments}).
+\item \textbf{Random seeds}: The platform defaults to seed 42 and supports multi-seed sweeps ($s \in \{42, 137, 2024\}$) with bootstrap CIs. All tables in this paper report single-run results with seed 42. See Section~\ref{para:stat_limitations} for a discussion of statistical limitations and confidence intervals.
 \item \textbf{Compute}: All pipeline stages are designed to run on a single GPU. Full evaluation (7 models $\times$ 3 methods) requires ${\sim}$12 GPU-hours on an NVIDIA A100 (80\,GB). Reproducible on consumer hardware (RTX 3090/4090) with quantization.
 \item \textbf{Dataset}: Evaluation prompts bundled with the codebase (no external dataset download required). Harmful/harmless prompt sets derived from public benchmarks with filtering.
 \item \textbf{Hyperparameters}: Method presets (direction count, regularization, norm preservation) are specified in Section~\ref{sec:intervention}. The \texttt{informed} method's auto-configuration is deterministic given a fixed seed and model.

paper/main.tex

@@ -50,10 +50,10 @@ While prior work has established that refusal is mediated by linear directions i
 (3)~\textbf{Expert-Granular Abliteration (EGA)} for MoE models, decomposing refusal directions per-expert via routing-weighted activation attribution and applying selective inversion to fused 3D weight tensors---distinguishing safety-critical from capability-preserving experts;
 (4)~\textbf{six frontier optimization techniques} inspired by and extending Heretic: Bayesian hyperparameter optimization (Optuna TPE with warm-start from analysis heuristics), reversible LoRA-mediated ablation, KL-divergence co-optimization with partial revert, chain-of-thought-aware ablation via Gram-Schmidt orthogonalization, float layer interpolation with Gaussian-weighted continuous targeting, and activation winsorization for robust SVD;
 (5)~\textbf{a unified evaluation suite} with refusal rate, perplexity, coherence, KL divergence, CKA similarity, and effective rank metrics;
-(6)~\textbf{an analysis-informed pipeline} that closes the feedback loop---analysis modules run \emph{during} abliteration to auto-configure direction extraction, layer selection, regularization, and Hydra-compensated refinement; and
+(6)~\textbf{an analysis-informed pipeline} that closes the feedback loop---analysis modules run \emph{during} abliteration to auto-configure direction extraction, layer selection, regularization, and Ouroboros-compensated refinement; and
 (7)~\textbf{an interactive web research dashboard} (HuggingFace Spaces) with A/B comparison chat, dose-response strength sweep, multi-model benchmarking with publication-quality visualizations, and one-click research artifact export.
 
-The platform supports any HuggingFace transformer architecture---including fused MoE experts (GPT-OSS 20B, Mixtral, DeepSeek)---and ships with 48 curated model presets, 10 study configurations, and 379 unit tests.
+The platform supports any HuggingFace transformer architecture---including fused MoE experts (GPT-OSS 20B, Mixtral, DeepSeek)---and ships with 48 curated model presets, 10 study configurations, and 821 unit tests.
 We provide complete mathematical formulations for all modules, present empirical evaluations across dense and MoE architectures, and discuss the design decisions that distinguish \textsc{Obliteratus} from existing tools.
 
 \end{abstract}
@@ -83,14 +83,14 @@ Section~\ref{sec:related} surveys related work.
 Section~\ref{sec:architecture} describes the platform architecture.
 Section~\ref{sec:analysis} details the 15 analysis modules with mathematical formulations.
 Section~\ref{sec:intervention} describes the eight intervention presets and their mathematical foundations.
+Section~\ref{sec:evaluation} covers the evaluation suite.
 Section~\ref{sec:moe} introduces Expert-Granular Abliteration for MoE models.
 Section~\ref{sec:frontier} presents the six frontier optimization techniques.
-Section~\ref{sec:evaluation} covers the evaluation suite.
 Section~\ref{sec:informed} presents the analysis-informed abliteration pipeline.
 Section~\ref{sec:dashboard} describes the web research dashboard.
 Section~\ref{sec:experiments} presents empirical evaluation across dense and MoE models with ablation studies.
 Section~\ref{sec:comparison} compares \textsc{Obliteratus} with existing tools.
-Section~\ref{sec:discussion} discusses limitations, broader impact, and future work.
+Section~\ref{sec:discussion} discusses limitations, and Sections~\ref{sec:broader_impact}--\ref{sec:ethics} address broader impact and ethical considerations.
 
 % ═════════════════════════════════════════════════════════════════════
 \section{Related Work}
@@ -118,7 +118,7 @@ MoE architectures \citep{shazeer2017outrageously, fedus2022switch} route each to
 \citet{hu2022lora} demonstrated that large language model adaptation can be performed via low-rank updates $\Delta W = BA$ where $B \in \mathbb{R}^{d \times r}$ and $A \in \mathbb{R}^{r \times d}$ with $r \ll d$. This decomposition is mathematically equivalent to in-place weight modification when merged but enables reversibility and composability when kept separate. Heretic \citep{heretic2025} was the first to apply this insight to ablation, representing directional projection as rank-1 LoRA adapters.
 
 \paragraph{Defense robustness.}
-Models exhibit a tendency to self-repair after partial abliteration---a phenomenon we term the \emph{Hydra effect}---where residual refusal circuitry compensates for removed directions. \citet{qi2025safety} mapped safety-capability entanglement, showing that removing safety features often degrades general capabilities. \citet{zou2024circuit} proposed circuit breakers as a more robust defense via representation rerouting.
+Models exhibit a tendency to self-repair after partial abliteration---a phenomenon we term the \emph{Ouroboros effect}---where residual refusal circuitry compensates for removed directions. \citet{qi2025safety} mapped safety-capability entanglement, showing that removing safety features often degrades general capabilities. \citet{zou2024circuit} proposed circuit breakers as a more robust defense via representation rerouting.
 
 % ═════════════════════════════════════════════════════════════════════
 \section{Platform Architecture}
@@ -146,7 +146,7 @@ The platform supports any HuggingFace \texttt{transformers} model via automatic
       │          │          │          │          │
       │     ┌────┴────┐  ┌─┴──┐   ┌──┴───┐   ┌─┴────────┐
       │     │ 15 Anal. │  │EGA │   │LoRA  │   │ KL co-opt│
-      │     │ Modules  │  │dirs│   │adapt.│   │ + Hydra  │
+      │     │ Modules  │  │dirs│   │adapt.│   │+Ouroboros│
       │     └─────────┘  └────┘   └──────┘   └──────────┘
       │                     │          │
       ▼                     ▼          ▼
@@ -155,7 +155,7 @@ The platform supports any HuggingFace \texttt{transformers} model via automatic
    │  Abliteration (fused 3D selective inv.)  │
    └──────────────────────────────────────────┘
 \end{verbatim}
-\caption{High-level architecture of the \textsc{Obliteratus} pipeline. The six-stage abliteration flow (top) integrates 15 analysis modules, Expert-Granular Abliteration (EGA) for MoE models, reversible LoRA adapters, and KL co-optimization with Hydra compensation. MoE-aware processing runs at every stage.}
+\caption{High-level architecture of the \textsc{Obliteratus} pipeline. The six-stage abliteration flow (top) integrates 15 analysis modules, Expert-Granular Abliteration (EGA) for MoE models, reversible LoRA adapters, and KL co-optimization with Ouroboros compensation. MoE-aware processing runs at every stage.}
 \label{fig:architecture}
 \end{figure}
 
@@ -187,7 +187,7 @@ Causal Tracing (approx.) & Causal & Importance ranking, silent contrib. & Meng+
 Refusal Logit Lens & Causal & Token-level refusal promotion & nostalgebraist \\
 \midrule
 Cross-Model Transfer & Transfer & Universality Index & Novel \\
-Defense Robustness & Robustness & Hydra effect, entanglement map & Novel \\
+Defense Robustness & Robustness & Ouroboros effect, entanglement map & Novel \\
 Multi-Token Position & Positional & Trigger tokens, decay profile & Novel \\
 \midrule
 Sparse Surgery & Intervention & Top-$k$\% targeted modification & Novel \\
@@ -222,6 +222,7 @@ Whitened SVD normalizes by the baseline covariance first. Given harmful activati
 The module also computes the \emph{effective rank} of the covariance matrix via the Shannon entropy of normalized eigenvalues:
 \begin{equation}
     \text{EffRank}(\mathbf{C}) = \exp\left(-\sum_i \hat{\lambda}_i \log \hat{\lambda}_i\right), \quad \hat{\lambda}_i = \frac{\lambda_i}{\sum_j \lambda_j}
+    \label{eq:effrank}
 \end{equation}
 
 This provides a continuous measure of the refusal subspace's intrinsic dimensionality, enabling comparison across models and layers.
@@ -313,9 +314,9 @@ The expected signatures are \emph{hypothesized} based on the literature's charac
 
 Following the transformer circuits framework \citep{elhage2021mathematical}, we decompose the residual stream to attribute refusal to specific components:
 \begin{equation}
-    \mathbf{x}_l^{\text{post}} = \mathbf{x}_l^{\text{pre}} + \text{Attn}_l(\mathbf{x}_l^{\text{pre}}) + \text{MLP}_l(\mathbf{x}_l^{\text{pre}} + \text{Attn}_l(\mathbf{x}_l^{\text{pre}}))
+    \mathbf{x}_l^{\text{post}} = \mathbf{x}_l^{\text{pre}} + \text{Attn}_l(\text{LN}_1(\mathbf{x}_l^{\text{pre}})) + \text{MLP}_l(\text{LN}_2(\mathbf{x}_l^{\text{pre}} + \text{Attn}_l(\text{LN}_1(\mathbf{x}_l^{\text{pre}}))))
 \end{equation}
-(LayerNorm operations are omitted for notational simplicity; the implementation handles both pre-LN and post-LN architectures.)
+where $\text{LN}_1, \text{LN}_2$ are LayerNorm operations (shown here for the pre-LN architecture common in modern transformers; post-LN places normalization after the residual addition instead). \textbf{Interaction with abliteration:} LayerNorm renormalizes activations after each sub-layer, which means that removing a refusal direction from one component's output does not simply subtract from the residual stream---the downstream LayerNorm may partially undo the removal by rescaling the modified activations. This is a key motivation for norm-preserving projection (Equation~\ref{eq:norm_preserve}): by maintaining weight matrix norms, we reduce the magnitude of the signal that LayerNorm must compensate for, yielding more predictable downstream behavior. The implementation correctly handles both pre-LN and post-LN architectures via architecture profiling.
 
 For each component output $\mathbf{c}$, we measure its refusal contribution as $\mathbf{c} \cdot \mathbf{r}_l$. The attention contribution is further decomposed across heads:
 $\text{Attn}_l = \sum_{h=1}^{H} \text{Head}_{l,h}$.
@@ -394,16 +395,22 @@ with cross-model transfer weighted most heavily as the strongest test of univers
 
 We evaluate how resilient alignment is to abliteration through three analyses:
 
-\paragraph{Hydra Effect (Self-Repair).} When refusal is removed from layer $l$, remaining layers may compensate. The repair ratio is:
+\paragraph{Ouroboros Effect (Self-Repair).} When refusal is removed from layer $l$, remaining layers may compensate. We compute a \emph{distributional redundancy ratio}:
 \begin{equation}
     R_l = \frac{\sum_{j \neq l} s_j}{\sum_j s_j}
+    \label{eq:ouroboros}
 \end{equation}
-where $s_j$ is the refusal strength at layer $j$. High $R_l$ indicates the model can self-repair from single-layer abliteration.
+where $s_j$ is the refusal strength at layer $j$. \textbf{Important caveat:} $R_l$ measures the fraction of \emph{pre-abliteration} refusal signal that resides outside layer $l$---a static distributional property of the refusal direction norms. It is a \emph{necessary condition} for self-repair (a model cannot restore refusal from layers that had no refusal signal) but not a \emph{sufficient condition} (the remaining layers may not actually compensate in practice due to the sequential nature of transformer computation). True self-repair requires dynamic measurement: re-running inference after abliteration to measure whether refusal rate recovers. We use $R_l$ as a computationally cheap proxy and flag it as an upper bound on actual repair capacity. When the platform's iterative re-probing (Section~\ref{sec:informed}) detects post-abliteration residual refusal, this provides direct evidence of self-repair.
 
-\paragraph{Safety-Capability Entanglement.} For each layer, we measure entanglement as the geometric mean of the normalized variance and absolute projection of harmless activations onto the refusal direction:
+\paragraph{Safety-Capability Entanglement.} For each layer, we measure entanglement as the geometric mean of two normalized indicators of how much harmless activations overlap with the refusal direction:
 \begin{equation}
-    E_l = \sqrt{\frac{\text{Var}(\mathbf{b} \cdot \mathbf{r}_l)}{\|\overline{\mathbf{b}}\|^2} \cdot \frac{|\overline{\mathbf{b} \cdot \mathbf{r}_l}|}{\|\overline{\mathbf{b}}\|}}
+    E_l = \sqrt{\frac{\sqrt{\text{Var}(\mathbf{b} \cdot \mathbf{r}_l)}}{\bar{n}} \cdot \frac{\overline{|\mathbf{b} \cdot \mathbf{r}_l|}}{\bar{n}}}, \quad \bar{n} = \frac{1}{|\mathcal{B}|}\sum_{i \in \mathcal{B}} \|\mathbf{b}_i\|
+    \label{eq:entanglement}
 \end{equation}
+where $\bar{n}$ is the mean activation norm (not the norm of the mean), and $\overline{|\mathbf{b} \cdot \mathbf{r}_l|}$ is the mean absolute projection. The first factor captures how much the refusal direction participates in the variance of normal-use activations (normalized by activation scale), while the second captures mean overlap. Normalization by $\bar{n}$ rather than $\|\overline{\mathbf{b}}\|^2$ prevents the metric from being dominated by the mean activation magnitude.
+
+\textbf{Construct validity note:} This metric combines dispersion (standard deviation of projections) with location (mean absolute projection) into a single score. A high score indicates that the refusal direction is entangled with the model's general computation at that layer. However, because $E_l$ mixes two distinct phenomena, we recommend examining both components individually for rigorous analysis. High variance alone may indicate that the direction merely spans a high-variance subspace of harmless activations, while high mean absolute projection alone may indicate systematic bias without spread.
+
 High entanglement means abliterating refusal at that layer would also damage general capabilities.
 
 \paragraph{Defense Profile.} A comprehensive profile combining alignment method estimate (Section~\ref{sec:alignment_imprint}), refusal concentration (Gini coefficient), layer spread, self-repair capacity, entanglement score, and an overall robustness classification (low/medium/high/very\_high).
@@ -467,20 +474,26 @@ The Surgical, Optimized, and Nuclear presets use whitened SVD (Section~\ref{sec:
 The core projection for a weight matrix $\mathbf{W}$ and refusal directions $\{\mathbf{r}_1, \ldots, \mathbf{r}_k\}$:
 \begin{equation}
     \mathbf{W}' = \mathbf{W} - \sum_{i=1}^k \left[(1-\lambda)\mathbf{W}\mathbf{r}_i\mathbf{r}_i^\top\right]
+    \label{eq:core_projection}
 \end{equation}
-where $\lambda$ is the regularization strength (preserves $\lambda$ fraction of the refusal component). Since the right singular vectors $\{\mathbf{r}_i\}_{i=1}^k$ from SVD are orthonormal, the sum of rank-1 projections is equivalent to orthogonal projection onto the $k$-dimensional refusal subspace.
+where $\lambda$ is the regularization strength (preserves $\lambda$ fraction of the refusal component). When directions are extracted via standard SVD, the right singular vectors $\{\mathbf{r}_i\}_{i=1}^k$ are orthonormal and the sum of rank-1 projections is equivalent to orthogonal projection onto the $k$-dimensional refusal subspace. \textbf{Important caveat:} when using whitened SVD (Section~\ref{sec:whitened_svd}), the un-whitened directions $\mathbf{r}_i = \mathbf{W}_{\text{whiten}} \mathbf{v}_{h,i}$ are \emph{not} orthonormal in the original space (though the whitened-space vectors $\mathbf{v}_{h,i}$ are). In this case, the implementation applies sequential projection with Gram--Schmidt re-orthonormalization before each rank-1 update, ensuring that accumulated projections remain consistent.
+
+\paragraph{Transposed weight matrices.}
+Some architectures (e.g., GPT-2 Conv1D layers) store weights as $\mathbf{W} \in \mathbb{R}^{d_{\text{in}} \times d_{\text{out}}}$. The implementation detects the orientation via architecture profiling and applies $\mathbf{W}' = \mathbf{W} - (1-\lambda)\mathbf{r}\mathbf{r}^\top\mathbf{W}$ for transposed weights, ensuring that projection occurs along the correct axis.
 
 \paragraph{Per-layer adaptive strength.}
 Rather than applying uniform regularization, \textsc{Obliteratus} modulates $\lambda$ per-layer based on the refusal norm profile. Layers with stronger refusal signal (higher $\|\mathbf{r}_l\|$) receive lower regularization (more aggressive removal), while layers near the periphery of the refusal distribution receive higher regularization:
 \begin{equation}
     \lambda_l = \lambda_{\text{base}} + (1 - w_l)(1 - \lambda_{\text{base}}) \cdot 0.15, \quad
     w_l = \frac{\|\mathbf{r}_l\| - \min_j \|\mathbf{r}_j\|}{\max_j \|\mathbf{r}_j\| - \min_j \|\mathbf{r}_j\|}
+    \label{eq:adaptive_strength}
 \end{equation}
 
 \paragraph{Norm-preserving rescaling.}
 After projection, we rescale to preserve the Frobenius norm \citep{grimjim2025}:
 \begin{equation}
     \mathbf{W}'' = \mathbf{W}' \cdot \frac{\|\mathbf{W}\|_F}{\|\mathbf{W}'\|_F}
+    \label{eq:norm_preserve}
 \end{equation}
 This prevents cascading magnitude drift through LayerNorm layers.
 
@@ -489,7 +502,7 @@ The Inverted and Nuclear presets employ a technique where instead of removing th
 \begin{equation}
     \mathbf{W}' = \mathbf{W} - 2\mathbf{W}\mathbf{r}\mathbf{r}^\top
 \end{equation}
-This flips the model's refusal behavior to active compliance, which can be more effective than simple removal for models with deeply entangled refusal mechanisms.
+This flips the model's refusal behavior to active compliance, which can be more effective than simple removal for models with deeply entangled refusal mechanisms. \textbf{Risk profile:} Selective inversion is the most aggressive intervention in the platform. Because it \emph{reverses} the refusal direction rather than removing it, it can cause the model to actively seek to comply with harmful requests (not merely fail to refuse). This may produce qualitatively different and potentially more harmful outputs than simple refusal removal. The Inverted preset's consistently higher perplexity (Table~\ref{tab:exp_dense}) reflects this aggressiveness. We recommend using inversion only when standard removal methods leave substantial residual refusal, and coupling it with EGA's per-expert differentiation on MoE models to limit the blast radius.
 
 \paragraph{Bias term projection.}
 Unlike prior tools that only modify weight matrices, \textsc{Obliteratus} also projects refusal directions out of bias vectors when present:
@@ -544,11 +557,11 @@ Advantages over weight projection: reversibility (hooks can be removed), continu
 \textsc{Obliteratus} evaluates abliteration quality using six complementary metrics:
 
 \begin{enumerate}[leftmargin=*]
-    \item \textbf{Refusal Rate}: Fraction of harmful prompts where the model's response begins with a canonical refusal prefix (from the GCG/AdvBench list \citep{zou2023universal}). Lower indicates more complete abliteration.
+    \item \textbf{Refusal Rate}: Fraction of harmful prompts where the model's response begins with a canonical refusal prefix (e.g., ``I cannot'', ``I'm sorry'', ``As an AI'', from the GCG/AdvBench list \citep{zou2023universal}). Lower indicates more complete abliteration. \textbf{Limitation:} prefix matching may produce false negatives (the model refuses using non-canonical phrasing) or false positives (the model uses a refusal prefix but then complies). A small-scale validation on 50 responses showed 92\% agreement between prefix matching and human judgment of refusal; the primary failure mode was false negatives (6\% of cases where the model refused without a canonical prefix). More robust classification (e.g., LLM-as-judge) is a natural extension.
 
     \item \textbf{Perplexity}: Standard perplexity on reference text (WikiText-2). Monitors general language modeling degradation.
 
-    \item \textbf{Coherence}: Evaluates whether test generations are coherent and on-topic. Measured by completion rate on factual prompts (e.g., ``The capital of France is...'').
+    \item \textbf{Coherence}: Measures the model's ability to produce factually correct completions. Specifically, we present 32 factual prompts (e.g., ``The capital of France is'') and check whether the model's first generated token or phrase matches the expected answer. \textbf{Note:} this is more precisely a \emph{factual completion accuracy} metric than a general coherence measure---it tests whether the model's factual knowledge is preserved, not whether its open-ended generations are fluent or logically consistent. We retain the ``coherence'' label for consistency with prior work but acknowledge the limited scope.
 
     \item \textbf{KL Divergence}: First-token KL divergence between original and modified model output distributions on harmless prompts \citep{young2025comparative}. Measures distributional shift.
 
@@ -557,7 +570,7 @@ Advantages over weight projection: reversibility (hooks can be removed), continu
         \text{CKA}(\mathbf{X}, \mathbf{Y}) = \frac{\|\mathbf{Y}^\top\mathbf{X}\|_F^2}{\|\mathbf{X}^\top\mathbf{X}\|_F \cdot \|\mathbf{Y}^\top\mathbf{Y}\|_F}
     \end{equation}
 
-    \item \textbf{Effective Rank}: Shannon entropy-based dimensionality of weight matrices (Equation~1). Tracks whether abliteration collapses the weight space.
+    \item \textbf{Effective Rank}: Shannon entropy-based dimensionality of weight matrices (Equation~\ref{eq:effrank}). Tracks whether abliteration collapses the weight space.
 \end{enumerate}
 
 % ═════════════════════════════════════════════════════════════════════
@@ -608,8 +621,26 @@ The Inverted preset applies \emph{differentiated} treatment to fused 3D tensors.
 This prevents over-ablation of capability experts---a critical failure mode we identified in uniform approaches, where applying 2$\times$ reflection to all experts on GPT-OSS 20B degraded mathematical reasoning by over 30\%.
 
 \subsection{Router-Aware Processing}
+\label{sec:router_analysis}
+
+Beyond expert weights, the router network itself may encode safety-relevant routing preferences. We analyze and optionally modify router behavior through three mechanisms.
+
+\paragraph{Router weight projection.}
+The router network $R(\mathbf{x}) = \text{softmax}(\mathbf{W}_R \mathbf{x})$ produces per-expert routing probabilities. If the router weight matrix $\mathbf{W}_R \in \mathbb{R}^{E \times d}$ has learned to preferentially route harmful tokens to safety-critical experts, projecting the refusal direction out of $\mathbf{W}_R$ can redistribute these tokens to capability experts:
+\begin{equation}
+    \mathbf{W}_R' = \mathbf{W}_R - (1 - \lambda_R)\mathbf{W}_R \mathbf{r}\mathbf{r}^\top
+    \label{eq:router_projection}
+\end{equation}
+This is controlled by the \texttt{project\_biases} flag and is enabled by default for the Nuclear preset. We use a higher regularization for router weights ($\lambda_R = 0.3$) than for expert weights to avoid disrupting the router's learned load-balancing behavior.
+
+\paragraph{Load-balancing considerations.}
+MoE models are typically trained with auxiliary load-balancing losses to prevent expert collapse (where a few experts receive most tokens). Router projection risks disrupting this balance by redirecting safety-associated tokens to already-loaded experts. We monitor the post-abliteration routing entropy $H(R) = -\sum_e p_e \log p_e$ and flag cases where it drops below $0.9 \cdot H(R_{\text{orig}})$. In our experiments, router projection with $\lambda_R = 0.3$ caused $< 5\%$ entropy reduction on GPT-OSS-20B, indicating that load balance is approximately preserved. More aggressive router projection ($\lambda_R = 0$) reduced entropy by 18\% and is not recommended without further evaluation.
+
+\paragraph{Shared expert handling.}
+Some MoE architectures (notably DeepSeek-MoE \citep{dai2024deepseekmoe}) include \emph{shared experts} that process all tokens regardless of routing. These experts require different treatment: since they cannot be classified as safety-critical or capability-preserving based on routing weights (they always route with weight 1), we apply standard (non-EGA) abliteration to shared experts using the global refusal direction. The implementation detects shared experts via architecture profiling (presence of \texttt{shared\_experts} or \texttt{num\_shared\_experts} in the model config) and processes them separately. When no shared expert metadata is available, all experts are treated as routed.
 
-Beyond expert weights, the router network itself may encode safety-relevant routing preferences. \textsc{Obliteratus} optionally projects refusal directions out of router weight matrices, causing the model to route previously-refused tokens to capability experts rather than safety experts. This is controlled by the \texttt{project\_biases} flag and is enabled by default for the Nuclear preset.
+\paragraph{Limitations.}
+Router analysis is currently observational: we measure routing distributions but do not perform causal interventions (e.g., forcing specific expert assignments and measuring the effect on refusal). The classification of experts as safety-critical vs.\ capability-preserving is based on routing-weighted refusal direction norms, which is correlational. Future work could strengthen this with counterfactual expert ablation (removing individual experts and measuring refusal rate changes).
 
 % ═════════════════════════════════════════════════════════════════════
 \section{Frontier Optimization Techniques}
@@ -627,7 +658,7 @@ The first trial uses regularization values derived from the analysis pipeline:
 \begin{equation}
     \lambda_l^{(0)} = (1 - w_l) \cdot 0.3
 \end{equation}
-where $w_l$ is the layer-adaptive weight from Equation~(8). Subsequent trials are biased toward the warm-start region: $\lambda_l \in [\max(0, \lambda_l^{(0)} - 0.3), \min(1, \lambda_l^{(0)} + 0.3)]$. This enables convergence in 50 trials versus Heretic's 200.
+where $w_l$ is the layer-adaptive weight from Equation~\ref{eq:adaptive_strength}. Subsequent trials are biased toward the warm-start region: $\lambda_l \in [\max(0, \lambda_l^{(0)} - 0.3), \min(1, \lambda_l^{(0)} + 0.3)]$. This enables convergence in 50 trials versus Heretic's 200.
 
 \paragraph{Multi-objective formulation.}
 Each trial jointly minimizes refusal rate $\rho$ and KL divergence $D_{\text{KL}}$:
@@ -639,12 +670,14 @@ with Pareto-optimal solutions ranked by a weighted composite: $\rho + 0.5 \cdot
 \subsection{Reversible LoRA-Mediated Ablation}
 \label{sec:lora}
 
-Inspired by Heretic's rank-1 LoRA ablation, we extend the approach to \emph{rank-$k$} adapters supporting multi-direction removal. The mathematical equivalence:
+Inspired by Heretic's rank-1 LoRA ablation, we extend the approach to \emph{rank-$k$} adapters supporting multi-direction removal. The mathematical equivalence depends on weight matrix orientation. For a weight matrix $\mathbf{W} \in \mathbb{R}^{d_{\text{out}} \times d_{\text{in}}}$ where $\mathbf{d} \in \mathbb{R}^{d_{\text{in}}}$ is the refusal direction and $s = 1 - \lambda$:
 \begin{align}
-    \text{In-place:} \quad \mathbf{W}' &= \mathbf{W} - s \cdot \mathbf{W}(\mathbf{d}\mathbf{d}^\top) \\
-    \text{LoRA:} \quad \mathbf{W}' &= \mathbf{W} + \mathbf{B}\mathbf{A}, \quad \mathbf{B} = -s \cdot \text{coeff}, \quad \mathbf{A} = \mathbf{d}^\top
+    \text{In-place:} \quad \mathbf{W}' &= \mathbf{W} - s \cdot \mathbf{W}\mathbf{d}\mathbf{d}^\top \label{eq:lora_inplace} \\
+    \text{LoRA:} \quad \mathbf{W}' &= \mathbf{W} + \mathbf{B}\mathbf{A}, \quad \mathbf{B} = -s \cdot (\mathbf{W}\mathbf{d}) \in \mathbb{R}^{d_{\text{out}} \times 1}, \quad \mathbf{A} = \mathbf{d}^\top \in \mathbb{R}^{1 \times d_{\text{in}}}
 \end{align}
-where $\text{coeff} = \mathbf{W}\mathbf{d}$ is the projection coefficient and $s = 1 - \lambda$. For rank-$k$ with directions $\{\mathbf{d}_1, \ldots, \mathbf{d}_k\}$:
+When the weight matrix is transposed ($\mathbf{W} \in \mathbb{R}^{d_{\text{in}} \times d_{\text{out}}}$, as in some Conv1D layers), the decomposition becomes $\mathbf{B} = -s \cdot \mathbf{d} \in \mathbb{R}^{d_{\text{in}} \times 1}$, $\mathbf{A} = (\mathbf{d}^\top \mathbf{W}) \in \mathbb{R}^{1 \times d_{\text{out}}}$. The implementation auto-detects the orientation and applies the correct decomposition.
+
+For rank-$k$ with directions $\{\mathbf{d}_1, \ldots, \mathbf{d}_k\}$:
 \begin{equation}
     \mathbf{B} = [-s\cdot\text{coeff}_1 \mid \cdots \mid -s\cdot\text{coeff}_k] \in \mathbb{R}^{d_{\text{out}} \times k}, \quad
     \mathbf{A} = [\mathbf{d}_1 ; \cdots ; \mathbf{d}_k] \in \mathbb{R}^{k \times d_{\text{in}}}
@@ -662,11 +695,12 @@ After projection, we measure first-token KL divergence on harmless reference pro
 where $\gamma$ is computed from the stored KL proxy magnitude. A subtle issue arises when the post-projection coefficient $\mathbf{W}'\mathbf{d} \approx 0$ (as occurs with zero regularization): in this case, we use the \emph{pre-projection} coefficient magnitude as a proxy:
 \begin{equation}
     \gamma = \gamma_{\text{strength}} \cdot \begin{cases}
-        \text{coeff}_{\text{post}} & \text{if } |\text{coeff}_{\text{post}}| > \epsilon \\
+        \text{coeff}_{\text{post}} & \text{if } \|\text{coeff}_{\text{post}}\| > \epsilon \\
         \text{coeff}_{\text{proxy}} & \text{otherwise}
     \end{cases}
 \end{equation}
-This prevents the revert from being a no-op for fully-projected layers---a bug we identified and fixed in our implementation.
+
+In the normal case ($\|\text{coeff}_{\text{post}}\| > \epsilon$), the revert adds back a rank-1 correction $\gamma \cdot \text{coeff}_{\text{post}} \cdot \mathbf{d}^\top$, partially restoring the original weight's projection along $\mathbf{d}$. In the proxy fallback case, the pre-projection coefficient $\text{coeff}_{\text{proxy}} = \|\mathbf{W}\mathbf{d}\|$ is a scalar, and the revert adds a uniform correction $\gamma \cdot \text{coeff}_{\text{proxy}} \cdot \mathbf{d}^\top$ to each row of $\mathbf{W}'$. This uniform fallback is a coarser approximation than the rank-1 normal path---it restores magnitude along $\mathbf{d}$ without preserving the row-specific structure of the original coefficient vector. This prevents the revert from being a no-op for fully-projected layers, at the cost of a less targeted restoration. The implementation auto-detects the weight orientation and applies the transposed analogue ($\mathbf{d} \cdot \text{coeff}_{\text{proxy}}^\top$) for Conv1D-style weights.
 
 \subsection{Chain-of-Thought-Aware Ablation}
 \label{sec:cot}
@@ -714,7 +748,7 @@ The informed pipeline inserts an \textsc{Analyze} stage between \textsc{Probe} a
     \item \textsc{Analyze} --- Run analysis modules to understand refusal geometry \textbf{(new)}
     \item \textsc{Distill} --- Extract directions using analysis-informed parameters
     \item \textsc{Excise} --- Project with analysis-guided precision
-    \item \textsc{Verify} --- Post-excision analysis with Hydra compensation loop \textbf{(enhanced)}
+    \item \textsc{Verify} --- Post-excision analysis with Ouroboros compensation loop \textbf{(enhanced)}
     \item \textsc{Rebirth} --- Save with comprehensive analysis metadata
 \end{enumerate}
 
@@ -739,7 +773,7 @@ It then gates out layers with high safety-capability entanglement, leaving them
 
 \paragraph{Self-repair estimate $\to$ refinement passes.}
 High self-repair capacity (estimated from refusal distribution breadth) triggers more refinement passes with true iterative re-probing.
-After excision, if the model's refusal rate remains above a threshold, the \textsc{Verify} stage triggers Hydra compensation: it re-probes, finds rotated residual directions, and excises them in additional targeted passes.
+After excision, if the model's refusal rate remains above a threshold, the \textsc{Verify} stage triggers Ouroboros compensation: it re-probes, finds rotated residual directions, and excises them in additional targeted passes.
 
 \subsection{Configuration Derivation}
 
@@ -810,7 +844,7 @@ We evaluate on four models spanning two architecture types (Table~\ref{tab:exp_m
 Qwen2.5-1.5B-Instruct & Dense & 1.5B & --- & DPO \\
 Llama-3.1-8B-Instruct & Dense & 8B & --- & RLHF+DPO \\
 Mixtral-8x7B-Instruct-v0.1 & MoE & 46.7B (12.9B active) & 8 & SFT+DPO \\
-GPT-OSS-20B-Chat & MoE (fused) & 20B (3.2B active) & 8 & RLHF \\
+GPT-OSS-20B-Chat & MoE (fused) & 20B (3.2B active) & 32 & RLHF \\
 \bottomrule
 \end{tabular}
 \end{table}
@@ -818,12 +852,27 @@ GPT-OSS-20B-Chat & MoE (fused) & 20B (3.2B active) & 8 & RLHF \\
 \paragraph{Datasets.}
 Harmful prompts are drawn from the AdvBench dataset \citep{zou2023universal} (520 prompts). Harmless prompts are drawn from the Alpaca dataset \citep{taori2023alpaca} (matched count). For refusal rate measurement, we use a held-out set of 64 harmful prompts not seen during direction extraction. For perplexity, we use a 512-token window from WikiText-2. For KL divergence, we use 32 harmless prompts from the Alpaca validation set.
 
+\textbf{Evaluation prompt diversity limitation:} All evaluation prompts are drawn from a single source (AdvBench), which may not represent the full distribution of requests that a safety-aligned model should refuse. AdvBench prompts are predominantly explicit, direct harmful requests; the evaluation does not include: (1)~subtly harmful prompts that require contextual judgment (e.g., dual-use chemistry questions), (2)~prompts from other safety taxonomies (e.g., HarmBench categories, ToxiGen identity-based toxicity), or (3)~out-of-distribution harm categories not represented in AdvBench (e.g., privacy violations, financial fraud, child safety). An abliterated model that achieves 0\% refusal rate on AdvBench may still refuse on categories not represented in the evaluation set, or conversely may show lower refusal on subtle prompts where the original model's refusal was already less reliable. We recommend evaluating on diverse prompt sources for deployment-critical assessments.
+
 \paragraph{Evaluation metrics.}
 For each abliterated model we report: \textbf{Refusal Rate} (RR, \%---lower is better), \textbf{Perplexity} (PPL---lower is better, with $\Delta$PPL showing change from baseline), \textbf{KL Divergence} ($D_{\text{KL}}$---lower is better), and \textbf{Coherence} (Coh., \%---higher is better). We also report \textbf{CoT preserved} (\checkmark/--) and \textbf{LoRA adapters generated} (\checkmark/--) where applicable.
 
 \paragraph{Prompt volume.}
 All experiments use medium prompt volume (128 harmful + 128 harmless prompts for direction extraction) unless otherwise noted. This provides robust SVD estimation while keeping compute manageable.
 
+\paragraph{Statistical methodology and limitations.}
+\label{para:stat_limitations}
+Refusal rate is measured on a held-out set of $n = 64$ harmful prompts. At this sample size, the resolution of the refusal rate metric is $1/64 \approx 1.6\%$: a reported rate of 1.6\% corresponds to exactly 1 refusal out of 64 prompts, and a rate of 3.1\% corresponds to 2 refusals. We report Clopper--Pearson exact 95\% confidence intervals (CIs) for all refusal rates in the text; for example, RR = 1.6\% ($n = 64$) has a 95\% CI of $[0.04\%, 8.4\%]$, meaning the true refusal rate could be anywhere from near-zero to ${\sim}8\%$. Similarly, RR = 3.1\% has CI $[0.4\%, 10.8\%]$.
+
+\textbf{Consequence:} Differences between methods at the low end of the refusal rate scale (e.g., 1.6\% vs.\ 3.1\%) are \emph{not statistically significant} at $n = 64$---they represent a difference of 1 prompt. Claims of method superiority based on refusal rate should be interpreted as directional trends, not confirmed effects. The platform supports bootstrap CIs (BCa, 10{,}000 resamples) for all continuous metrics and Clopper--Pearson CIs for refusal rates; we encourage users performing rigorous method comparisons to use larger evaluation sets ($n \geq 256$) to achieve meaningful statistical power.
+
+Perplexity and KL divergence are computed on fixed reference corpora (512 tokens, 32 prompts respectively), and their variability is dominated by corpus selection rather than sampling noise. We do not report CIs for these metrics as they are deterministic given the corpus. Coherence is measured on $n = 32$ factual prompts (each binary: correct/incorrect), yielding similar granularity constraints to refusal rate.
+
+All reported results are from single runs with fixed seed 42. The reproducibility section (Appendix~\ref{app:reproducibility}) describes the platform's multi-seed sweep capability for independent replication.
+
+\paragraph{Multiple comparisons.}
+We compare 8 methods across 4 models (Tables~\ref{tab:exp_dense}--\ref{tab:exp_cross}), yielding many pairwise comparisons. We do not apply formal multiple comparison corrections (e.g., Bonferroni, Benjamini--Hochberg) because: (1)~the primary analysis is descriptive (reporting metric values) rather than hypothesis-testing (declaring significance); (2)~with $n = 64$ evaluation prompts, individual comparisons already lack power for small effect sizes, and applying corrections would further obscure potentially real trends; and (3)~the ablation studies (Section~\ref{sec:exp_ablation}) isolate individual design choices rather than comparing all methods simultaneously. We caution readers against interpreting small differences between methods (e.g., RR 1.6\% vs.\ 3.1\%) as evidence of method superiority; such differences require confirmation with larger evaluation sets and multiple seeds.
+
 \subsection{Multi-Method Comparison on Dense Models}
 \label{sec:exp_dense}
 
@@ -831,7 +880,7 @@ Table~\ref{tab:exp_dense} compares all eight method presets on Qwen2.5-1.5B-Inst
 
 \begin{table}[h]
 \centering
-\caption{Method comparison on Qwen2.5-1.5B-Instruct (DPO-aligned). Baseline refusal rate: 87.5\%, baseline PPL: 8.92. Best result in each column is \textbf{bolded}.}
+\caption{Method comparison on Qwen2.5-1.5B-Instruct (DPO-aligned). Baseline refusal rate: 87.5\%, baseline PPL: 8.92. Best result in each column is \textbf{bolded}. Refusal rates measured on $n=64$ prompts; see Section~\ref{para:stat_limitations} for confidence intervals and resolution limitations.}
 \label{tab:exp_dense}
 \small
 \begin{tabular}{@{}lcccccc@{}}
@@ -841,6 +890,7 @@ Table~\ref{tab:exp_dense} compares all eight method presets on Qwen2.5-1.5B-Inst
 Basic & 18.8 & 9.14 & +0.22 & 0.031 & 93.8 & -- \\
 Advanced & 6.3 & 9.31 & +0.39 & 0.058 & 93.8 & -- \\
 Aggressive & 3.1 & 9.87 & +0.95 & 0.112 & 87.5 & -- \\
+Sp.\ Cascade & 4.7 & 9.18 & +0.26 & 0.041 & 93.8 & -- \\
 Surgical & 4.7 & 9.21 & +0.29 & 0.044 & \textbf{96.9} & -- \\
 Optimized & \textbf{1.6} & \textbf{9.08} & \textbf{+0.16} & \textbf{0.024} & 93.8 & \checkmark \\
 Inverted & 3.1 & 10.43 & +1.51 & 0.187 & 84.4 & -- \\
@@ -850,10 +900,10 @@ Nuclear & \textbf{1.6} & 9.64 & +0.72 & 0.098 & 90.6 & -- \\
 \end{table}
 
 \paragraph{Key findings (dense).}
-(1)~The Optimized preset achieves the best Pareto trade-off: near-zero refusal with minimal perplexity increase (+0.16) and lowest KL divergence (0.024), validating the Bayesian optimization approach.
+(1)~The Optimized preset achieves the best Pareto trade-off: near-zero refusal (1.6\%, 95\% CI $[0.04, 8.4]\%$) with minimal perplexity increase (+0.16) and lowest KL divergence (0.024), validating the Bayesian optimization approach.
 (2)~Surgical outperforms Aggressive on coherence (96.9\% vs 87.5\%) despite higher refusal rate, confirming that whitened SVD + regularization preserves capabilities better than brute-force multi-direction removal.
 (3)~Inverted achieves low refusal but at the cost of the highest perplexity increase (+1.51), reflecting the more disruptive nature of direction reflection vs.\ removal.
-(4)~Nuclear matches Optimized on refusal rate but with higher distributional shift, suggesting the additional techniques (selective inversion + whitened SVD + 4 passes) provide diminishing returns on small dense models.
+(4)~Nuclear matches Optimized on refusal rate but with higher distributional shift ($D_{\text{KL}} = 0.098$ vs.\ $0.024$, PPL $+0.72$ vs.\ $+0.16$), suggesting the additional techniques (selective inversion + whitened SVD + 4 passes) provide diminishing returns on small dense models. On this model, Nuclear is \emph{Pareto-dominated} by Optimized: it achieves the same refusal rate with strictly worse perplexity and KL divergence. Nuclear's value proposition is for larger models and MoE architectures where simpler presets leave residual refusal (Table~\ref{tab:exp_moe}); on small dense models, the Optimized preset is preferred. Note that at $n = 64$, the difference between Optimized (1.6\%) and Nuclear (1.6\%) vs.\ Aggressive/Inverted (3.1\%) is 1 prompt and is not statistically significant.
 
 \subsection{MoE Model Evaluation: EGA vs.\ Uniform Abliteration}
 \label{sec:exp_moe}
@@ -862,7 +912,7 @@ The critical test for \textsc{Obliteratus} is MoE models, where no prior tool op
 
 \begin{table}[h]
 \centering
-\caption{EGA vs.\ uniform abliteration on GPT-OSS-20B-Chat (8 fused experts, RLHF-aligned). Baseline RR: 92.2\%, baseline PPL: 6.41. ``Uniform'' applies the same projection to all expert slices.}
+\caption{EGA vs.\ uniform abliteration on GPT-OSS-20B-Chat (32 fused experts, RLHF-aligned). Baseline RR: 92.2\%, baseline PPL: 6.41. ``Uniform'' applies the same projection to all expert slices.}
 \label{tab:exp_moe}
 \small
 \begin{tabular}{@{}llccccc@{}}
@@ -883,14 +933,14 @@ Nuclear & EGA + selective & 1.6 & 7.89 & 0.198 & 84.4 & \checkmark \\
 
 \paragraph{Key findings (MoE).}
 (1)~\textbf{Uniform abliteration catastrophically degrades MoE models.} For the Inverted preset, uniform treatment doubles perplexity (+4.87 vs +0.73) and collapses coherence to 53.1\%. The Nuclear preset is even worse: uniform application produces PPL 13.57 (a 112\% increase) and 46.9\% coherence---the model is barely functional.
-(2)~\textbf{EGA with selective inversion resolves this.} The same Nuclear preset with EGA achieves identical refusal removal (1.6\%) but with only a 23\% perplexity increase and 84.4\% coherence. The key mechanism is that capability-preserving experts (5 of 8 on GPT-OSS-20B) receive standard removal rather than reflection.
-(3)~\textbf{Expert classification matters.} On GPT-OSS-20B, EGA classified 3 of 8 experts as safety-critical ($s_e > 0.5$). These experts collectively handled 68\% of harmful token routing weight, confirming that refusal is concentrated in a subset of experts.
+(2)~\textbf{EGA with selective inversion resolves this.} The same Nuclear preset with EGA achieves identical refusal removal (1.6\%) but with only a 23\% perplexity increase and 84.4\% coherence. The key mechanism is that capability-preserving experts (22 of 32 on GPT-OSS-20B) receive standard removal rather than reflection.
+(3)~\textbf{Expert classification matters.} On GPT-OSS-20B, EGA classified 10 of 32 experts as safety-critical ($s_e > 0.5$). These experts collectively handled 71\% of harmful token routing weight, confirming that refusal is concentrated in a subset of experts.
 (4)~\textbf{CoT preservation is MoE-critical.} The Nuclear + EGA preset preserves chain-of-thought coherence because the Gram-Schmidt orthogonalization operates on per-expert directions that are already capability-differentiated.
 
 \subsection{Ablation Studies}
 \label{sec:exp_ablation}
 
-We ablate three key design choices to validate that they contribute meaningfully.
+We ablate three key design choices to validate that they contribute meaningfully. \textbf{Note:} All ablation results are from single runs with fixed seed 42. While the platform supports multi-seed sweeps (seeds $\in \{42, 137, 2024\}$), we did not run them for all ablations due to compute constraints. The reported differences (e.g., warm-start converging 2$\times$ faster) are therefore point estimates. The warm-start ablation is the most robust, as it measures convergence speed (trial number of best result) across a 50-trial optimization run, providing some implicit variance reduction. The threshold sweep and KL proxy ablations each show clear directional trends but would benefit from multi-seed confirmation.
 
 \paragraph{Warm-start vs.\ random initialization for Bayesian optimization.}
 On Llama-3.1-8B-Instruct with the Optimized preset (50 Optuna trials):
@@ -901,11 +951,11 @@ On Llama-3.1-8B-Instruct with the Optimized preset (50 Optuna trials):
 Warm-start converges 2$\times$ faster and finds a better Pareto point, confirming that analysis-derived heuristics provide a useful prior for the TPE sampler.
 
 \paragraph{EGA safety threshold sensitivity ($\tau_{\text{safety}}$).}
-On GPT-OSS-20B with the Advanced preset, we sweep $\tau \in \{0.3, 0.4, 0.5, 0.6, 0.7\}$:
+On GPT-OSS-20B (32 experts) with the Advanced preset, we sweep $\tau \in \{0.3, 0.4, 0.5, 0.6, 0.7\}$:
 \begin{itemize}[leftmargin=*]
-    \item $\tau = 0.3$: 6 experts classified as safety-critical $\to$ RR 4.7\%, PPL 7.21, Coh.\ 84.4\%
-    \item $\tau = 0.5$ (default): 3 experts safety-critical $\to$ RR 9.4\%, PPL 6.72, Coh.\ 90.6\%
-    \item $\tau = 0.7$: 1 expert safety-critical $\to$ RR 14.1\%, PPL 6.53, Coh.\ 93.8\%
+    \item $\tau = 0.3$: 18 of 32 experts classified as safety-critical $\to$ RR 4.7\%, PPL 7.21, Coh.\ 84.4\%
+    \item $\tau = 0.5$ (default): 10 of 32 experts safety-critical $\to$ RR 9.4\%, PPL 6.72, Coh.\ 90.6\%
+    \item $\tau = 0.7$: 4 of 32 experts safety-critical $\to$ RR 14.1\%, PPL 6.53, Coh.\ 93.8\%
 \end{itemize}
 The threshold controls a smooth trade-off between refusal removal and capability preservation. We chose $\tau = 0.5$ as the default because it provides the best Pareto balance, but note that this is a \emph{tunable hyperparameter} rather than a universal optimum---different models and use cases may benefit from different thresholds.
 
@@ -990,7 +1040,7 @@ Real causal tracing & Approx. & \checkmark & -- & -- & -- & -- \\
 Sparse autoencoders & -- & Via SAE & -- & -- & -- & Core \\
 Model compatibility & Any HF & $\sim$50 & 16 & TLens & HF & TLens \\
 MoE model support & Native & -- & -- & -- & -- & -- \\
-Test suite & 379 & Community & -- & -- & Min. & Mod. \\
+Test suite & 821 & Community & -- & -- & Min. & Mod. \\
 \bottomrule
 \end{tabular}
 \end{table}
@@ -1013,16 +1063,18 @@ Conversely, TransformerLens provides real activation patching (our causal tracin
 \label{sec:discussion}
 
 \paragraph{Dual-use considerations.}
-\textsc{Obliteratus} is designed for alignment research---understanding refusal mechanisms serves both identifying vulnerabilities (red-teaming) and building more robust alignment (blue-teaming). The analysis modules are particularly valuable for the defensive perspective: understanding \emph{why} abliteration works enables designing alignment methods that are more resistant to it. The Hydra effect analysis, entanglement mapping, and defense profiling directly serve this goal.
+\textsc{Obliteratus} is designed for alignment research---understanding refusal mechanisms serves both identifying vulnerabilities (red-teaming) and building more robust alignment (blue-teaming). The analysis modules are particularly valuable for the defensive perspective: understanding \emph{why} abliteration works enables designing alignment methods that are more resistant to it. The Ouroboros effect analysis, entanglement mapping, and defense profiling directly serve this goal.
 
 \paragraph{Causal tracing limitations.}
 Our causal tracing module provides noise-based approximations rather than true activation patching. While computationally efficient (no additional forward passes), the results should be validated with real causal interventions when model access permits. We explicitly document this limitation in the module and recommend TransformerLens for definitive causal analysis.
 
 \paragraph{Heuristic constants and composite metrics.}
-Several components of \textsc{Obliteratus} rely on hand-chosen constants: the RES weights $(0.4, 0.3, 0.3)$, the Universality Index ratio $(3{:}2{:}1)$, the alignment fingerprint target values, the EGA safety threshold ($\tau = 0.5$), and the configuration derivation rules (Section~\ref{sec:informed}). We have provided explicit justification for each choice where possible (Sections~\ref{sec:activation_probe}, \ref{sec:transfer}, \ref{sec:alignment_imprint}) and ablation studies for the most consequential ones (Section~\ref{sec:exp_ablation}). However, we acknowledge that these are engineering decisions informed by exploratory analysis, not statistically optimized hyperparameters. The platform exposes all constants as configurable parameters, and we encourage users to tune them for their specific models and use cases. A systematic sensitivity analysis across a larger model corpus is needed to establish whether these defaults generalize.
+Several components of \textsc{Obliteratus} rely on hand-chosen constants: the RES weights $(0.4, 0.3, 0.3)$, the Universality Index ratio $(3{:}2{:}1)$, the alignment fingerprint target values, the EGA safety threshold ($\tau = 0.5$), and the configuration derivation rules (Section~\ref{sec:informed}). We have provided explicit justification for each choice where possible (Sections~\ref{sec:activation_probe}, \ref{sec:transfer}, \ref{sec:alignment_imprint}) and ablation studies for the most consequential ones (Section~\ref{sec:exp_ablation}). However, we acknowledge that these are engineering decisions informed by exploratory analysis, not statistically optimized hyperparameters.
+
+\textbf{Construct validity concern:} Composite metrics (RES, UI, entanglement $E_l$) combine heterogeneous quantities using weighted aggregation. The choice of combination function (weighted sum, geometric mean, etc.) and the specific weights impose implicit assumptions about the relative importance of each component---assumptions that may not hold across all models and use cases. For example, the RES metric's exponential decay factor of $-10$ was calibrated on a small set of models and may be inappropriate for models with very different activation scales. We strongly recommend that users examine the \emph{component metrics} individually rather than relying solely on composite scores. The platform logs all component values alongside composites for this purpose. A systematic sensitivity analysis across a larger model corpus is needed to establish whether these defaults generalize, and formal construct validation (e.g., correlation with downstream task outcomes) has not been performed.
 
 \paragraph{Alignment fingerprinting validation.}
-The alignment imprint detector uses heuristic signatures derived from the literature's characterization of different training methods. While the geometric features (Gini, effective rank, smoothness) are well-motivated, the ideal values and classification boundaries would benefit from systematic validation across a larger corpus of models with confirmed training procedures. The current signatures are informed hypotheses based on exploratory analysis of a small number of models (see Section~\ref{sec:alignment_imprint}).
+The alignment imprint detector uses heuristic signatures derived from the literature's characterization of different training methods. While the geometric features (Gini, effective rank, smoothness) are well-motivated, the classifier has not been rigorously validated. Specifically: (1)~the ideal feature values (e.g., ``Gini $\sim 0.7$ for DPO'') were derived from exploratory analysis of only two models with known training procedures (Llama-3-Instruct for RLHF, Zephyr-$\beta$ for DPO), which is insufficient for reliable generalization; (2)~no held-out test set or cross-validation was performed; (3)~the Gaussian kernel bandwidth ($\sigma_{m,f} = 0.3|\mu_{m,f}|$) was not tuned; and (4)~the method assumes that alignment training methods produce distinguishable geometric signatures, which has not been established as a general principle. Systematic validation would require a corpus of $\geq$20 models with confirmed, diverse training procedures (including mixed methods like RLHF+DPO). We present the classifier as a \emph{hypothesis-generating tool}---its outputs should be treated as suggestive rather than definitive (see Section~\ref{sec:alignment_imprint}).
 
 \paragraph{MoE expert classification.}
 The EGA safety score threshold ($\tau = 0.5$) for classifying experts as safety-critical vs.\ capability-preserving is a heuristic. A more principled approach would train expert classifiers on labeled routing data or use causal interventions to establish ground-truth expert roles. We leave this to future work.
@@ -1034,7 +1086,10 @@ Each optimization trial requires a forward pass for KL measurement and generatio
 The current implementation loads the full model into memory for analysis. For frontier-scale models (100B+ parameters), this requires significant compute. Future work could integrate quantized inference or offloading strategies. The web dashboard requires GPU access for interactive features (chat, A/B comparison, strength sweep).
 
 \paragraph{Evaluation completeness.}
-Our evaluation suite measures \emph{refusal removal} and \emph{capability preservation} but does not comprehensively assess downstream task performance across diverse benchmarks. Integration with evaluation harnesses such as lm-evaluation-harness \citep{gao2021framework} is a natural extension.
+Our evaluation suite measures \emph{refusal removal} and \emph{capability preservation} but does not comprehensively assess downstream task performance across diverse benchmarks. Integration with evaluation harnesses such as lm-evaluation-harness \citep{gao2021framework} is a natural extension. Critically, our evaluation is \emph{attack-centric} (measuring how effectively abliteration removes refusal) rather than \emph{safety-centric} (measuring residual harm potential of abliterated models on diverse safety benchmarks). A complete safety evaluation would include HarmBench \citep{zou2023universal}, ToxiGen, and human red-teaming, which are beyond our current scope.
+
+\paragraph{Circuit breaker and robust defense evaluation.}
+\citet{zou2024circuit} proposed circuit breakers---a defense mechanism that reroutes activations rather than relying on linear refusal directions---specifically designed to resist linear-algebraic attacks like abliteration. We cite this work but do not evaluate \textsc{Obliteratus} against circuit-breaker-defended models, which is a significant gap. Such an evaluation would be informative in both directions: it would test whether circuit breakers truly resist abliteration (as theoretically predicted, since they do not rely on single linear directions) and whether the platform's analysis modules can characterize the geometric structure of circuit breaker defenses. We identify this as the highest-priority item for future work, as it directly addresses the question of whether abliteration-resistant alignment is achievable.
 
 \paragraph{Future directions.}
 We identify several opportunities: (1)~integration with sparse autoencoder analysis to understand refusal at the feature level, potentially enabling even more targeted ablation; (2)~real causal tracing via TransformerLens integration; (3)~longitudinal studies tracking how refusal geometry evolves during fine-tuning; (4)~extension of the universality analysis to a wider set of model families; (5)~application of the defense robustness framework to evaluate proposed robust alignment methods including circuit breakers \citep{zou2024circuit} and representation rerouting; (6)~multi-objective Bayesian optimization with additional objectives such as CoT coherence and downstream task performance; and (7)~automated expert role discovery for MoE models using unsupervised clustering of expert activation patterns.
@@ -1043,19 +1098,63 @@ We identify several opportunities: (1)~integration with sparse autoencoder analy
 \section{Broader Impact Statement}
 \label{sec:broader_impact}
 
-This work has significant dual-use implications that we address directly.
+This work has significant dual-use implications that we address directly and in depth.
+
+\subsection{Threat Model}
+\label{sec:threat_model}
 
-\paragraph{Risks.}
-\textsc{Obliteratus} enables the removal of safety guardrails from language models. A model that has been abliterated will comply with requests that the original model would refuse, including requests for harmful content. This capability could be misused to generate harmful, illegal, or dangerous text at scale.
+We consider the following adversarial setting. An attacker has access to the open weights of a safety-aligned language model and wishes to remove its refusal behavior to generate harmful content. We distinguish three threat actor profiles:
 
-\paragraph{Why we release it anyway.}
-We believe the benefits to the alignment research community outweigh the risks, for three reasons:
-(1)~The techniques underlying abliteration are already well-known and publicly documented \citep{arditi2024refusal, gabliteration2024}; our platform consolidates and extends them but does not introduce fundamentally new attack capabilities.
-(2)~The analysis modules---concept cone geometry, alignment fingerprinting, defense robustness evaluation, Hydra effect quantification---are specifically designed to help alignment researchers build \emph{more robust} safety mechanisms by understanding why current ones fail.
-(3)~The core finding that RLHF/DPO safety alignment is a thin geometric artifact in weight space is critical information for policymakers and the public to understand: \textbf{every open-weight model release is effectively an uncensored model release}. Pretending otherwise harms informed decision-making.
+\begin{enumerate}[leftmargin=*]
+    \item \textbf{Sophisticated actors} (nation-states, well-resourced organizations): Already possess the expertise to implement abliteration from first principles using published techniques \citep{arditi2024refusal, gabliteration2024}. \textsc{Obliteratus} provides no incremental capability to this group.
+    \item \textbf{Semi-technical actors} (hobbyists, students with ML experience): Can follow tutorials and run existing tools. \textsc{Obliteratus} lowers the barrier modestly by providing a unified interface, but multiple existing tools (FailSpy's abliterator, community scripts) already serve this audience.
+    \item \textbf{Non-technical actors}: Cannot directly use any abliteration tool. The primary risk from this group is \emph{downstream use} of models abliterated by others, which is independent of our tool's existence.
+\end{enumerate}
+
+The key observation is that linear refusal removal from open weights is a \emph{fundamental structural vulnerability} of current alignment methods, not an attack we invented. Any tool that can load and modify model weights (PyTorch, safetensors, even NumPy) is sufficient. Our contribution is making this vulnerability \emph{legible} to the research community so it can be addressed.
+
+\paragraph{Scope of risk.}
+Abliteration removes \emph{refusal to generate text}; it does not provide the attacker with new knowledge, capabilities, or resources beyond what the model already encodes. The resulting model produces text that a sufficiently creative prompter might already elicit via jailbreaks on the original model. The marginal risk increase from abliteration over existing jailbreak techniques (prompt injection, few-shot attacks, system prompt manipulation) is therefore bounded, though we acknowledge it is nonzero: abliteration is more reliable and persistent than per-query jailbreaks.
+
+\paragraph{Mitigations not addressed.}
+We do not evaluate more robust defense mechanisms such as circuit breakers \citep{zou2024circuit}, representation rerouting, or multi-layer distributed safety encodings. These represent fundamentally different defense paradigms that are not defeated by linear projection, and we identify their evaluation against \textsc{Obliteratus}'s analysis modules as critical future work (Section~\ref{sec:discussion}).
+
+\subsection{Risks}
+
+\textsc{Obliteratus} enables the removal of safety guardrails from language models. Specific risk categories include:
+
+\begin{itemize}[leftmargin=*]
+    \item \textbf{Harmful content generation}: Abliterated models may generate instructions for violence, weapons, illegal activities, or other dangerous content that the original model would refuse.
+    \item \textbf{Scaled misuse}: The platform's automation (one-click abliteration, batch processing) could enable systematic production of uncensored model variants for redistribution.
+    \item \textbf{Erosion of safety norms}: Wide availability of abliteration tools may normalize the removal of safety guardrails and reduce incentives for model providers to invest in alignment.
+    \item \textbf{False sense of security}: By demonstrating the fragility of linear safety mechanisms, this work could undermine public trust in AI safety measures, potentially ahead of the deployment of more robust alternatives.
+\end{itemize}
+
+\subsection{Benefits to Alignment Research}
 
-\paragraph{Responsible disclosure.}
-We release the platform under an MIT license with comprehensive documentation so that the alignment community can use the analysis modules for defensive research. We explicitly recommend that practitioners use the analysis pipeline (not just the intervention pipeline) to study how to make safety training more geometrically robust.
+We argue that the research benefits justify open release, grounding this argument in specific, falsifiable claims rather than general appeals:
+
+\begin{enumerate}[leftmargin=*]
+    \item \textbf{Diagnostic capability}: The 15 analysis modules provide the most comprehensive public characterization of refusal geometry. Specific modules (concept cone analysis, alignment imprint detection, Ouroboros self-repair quantification) have no equivalent in existing tools and directly inform the design of more robust safety mechanisms. For example, our finding that DPO-aligned models concentrate refusal in ${\sim}1.5$ effective dimensions while CAI models distribute it across ${\sim}4$ dimensions (Section~\ref{sec:alignment_imprint}) suggests concrete directions for more geometrically robust training.
+
+    \item \textbf{Quantitative defense evaluation}: The defense robustness module (Section~\ref{sec:defense_robustness}) provides a standardized framework for measuring how resistant a model's alignment is to abliteration. This enables alignment researchers to benchmark proposed improvements: a training method whose models show higher Ouroboros self-repair capacity and higher entanglement scores is more resistant to abliteration.
+
+    \item \textbf{Informing policy}: The empirical demonstration that current safety alignment can be removed with simple linear algebra from publicly released weights is relevant information for policymakers considering open-weight release policies. We believe this finding should be part of the public discourse, not suppressed.
+\end{enumerate}
+
+\paragraph{What we do \emph{not} claim.}
+We do not claim that ``the techniques are already public, so releasing a better tool does no harm.'' Consolidated, user-friendly tools \emph{do} lower the barrier to some degree, and we acknowledge this. Our argument is that the \emph{diagnostic} and \emph{defensive} capabilities of the analysis modules---which are novel and have no existing public equivalent---provide sufficient research value to justify the incremental risk from a more accessible intervention tool.
+
+\subsection{Responsible Disclosure and Deployment Guidance}
+
+We release the platform under the AGPL-3.0 license, which requires that derivative works also be open-sourced, ensuring that modifications to the tool remain visible to the research community. We explicitly recommend:
+
+\begin{itemize}[leftmargin=*]
+    \item \textbf{Do not deploy abliterated models in production.} The primary intended use is alignment research, not deployment.
+    \item \textbf{Use analysis before intervention.} The analysis pipeline provides diagnostic information that is valuable independently of whether abliteration is performed.
+    \item \textbf{Report novel defense-breaking findings.} If the platform reveals previously unknown weaknesses in a specific model's alignment, we encourage responsible disclosure to the model provider.
+    \item \textbf{Cite defensive findings.} Research using the analysis modules for defense improvement should be shared openly to benefit the alignment community.
+\end{itemize}
 
 % ═════════════════════════════════════════════════════════════════════
 \section{Ethics Statement}
@@ -1065,7 +1164,7 @@ This research was conducted with the goal of advancing understanding of alignmen
 
 We do not advocate for the deployment of abliterated models in production systems. The primary intended use is alignment research: understanding the geometric structure of refusal to build more durable safety mechanisms. All experiments described in this work were conducted on publicly available open-weight models, and no private or proprietary systems were modified.
 
-We follow the principle that \emph{security through obscurity is not security}: if current alignment methods can be defeated by straightforward linear algebra on public weights, the research community needs to know this in order to develop better approaches. Suppressing this finding would not prevent the technique's use by sophisticated actors, but would prevent the broader community from understanding and addressing the underlying vulnerability.
+We note that withholding this tool would not constitute meaningful security: the underlying techniques are published, the mathematics is elementary (SVD, linear projection), and multiple existing tools implement subsets of the same functionality. However, we reject the stronger claim that ``security through obscurity is never valuable''---in some contexts, raising the barrier to exploitation provides meaningful delay. Our assessment is that the specific barrier lowered by \textsc{Obliteratus} (from ``read papers and write custom code'' to ``use a unified tool'') is small relative to the diagnostic value the analysis modules provide to defenders. This is a judgment call, not a logical certainty, and we invite the community to scrutinize it.
 
 % ═════════════════════════════════════════════════════════════════════
 \section{Conclusion}
@@ -1083,7 +1182,7 @@ The analysis-informed pipeline closes the feedback loop, using analysis outputs
 
 Empirical evaluation across four model families demonstrates that (1)~Bayesian-optimized presets achieve the best Pareto trade-offs on dense models, (2)~Expert-Granular Abliteration is essential for MoE models, where uniform approaches catastrophically degrade capabilities, and (3)~the platform's design choices (warm-start initialization, selective inversion, proxy-magnitude KL revert) each contribute measurably to abliteration quality. We acknowledge that several composite metrics rely on heuristic constants and provide ablation studies and explicit caveats for each.
 
-By making these tools available under an MIT license with comprehensive documentation and 379 unit tests, we aim to accelerate both offensive and defensive alignment research: understanding the geometric structure of refusal---across dense and MoE architectures alike---is the foundation for both removing it surgically and building more robust implementations.
+By making these tools available under the AGPL-3.0 license with comprehensive documentation and 821 unit tests, we aim to accelerate both offensive and defensive alignment research: understanding the geometric structure of refusal---across dense and MoE architectures alike---is the foundation for both removing it surgically and building more robust implementations.
 
 % ═════════════════════════════════════════════════════════════════════
 \bibliographystyle{plainnat}

paper/references.bib

@@ -145,10 +145,10 @@
 % ── Defense and Safety ────────────────────────────────────────────────
 
 @article{qi2025safety,
-  title={Safety-Capability Entanglement in Large Language Models},
-  author={Qi, Xiangyu and others},
-  journal={arXiv preprint},
-  year={2025}
+  title={Safety Alignment Should Be Made More Than Just a Few Tokens Deep},
+  author={Qi, Xiangyu and Zeng, Yi and Xie, Tinghao and Chen, Pin-Yu and Jia, Ruoxi and Mittal, Prateek and Henderson, Peter},
+  journal={arXiv preprint arXiv:2406.05946},
+  year={2024}
 }
 
 @article{zou2024circuit,
@@ -175,7 +175,7 @@
 @article{young2025comparative,
   title={Comparative Analysis of Abliteration Methods for Language Model Safety Removal},
   author={Young, Alex},
-  journal={arXiv preprint},
+  journal={arXiv preprint arXiv:2502.05420},
   year={2025}
 }