nr-bundle-classifier — initial release (V8 binary + multiclass-folded, 2026-05-13)

LICENSE

@@ -0,0 +1,191 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of tracking or improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for describing the origin of the Work and
+      reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Support. While redistributing the Work or
+      Derivative Works thereof, You may accept upon your own behalf the
+      responsibility to provide, and accept charging a fee for, accepting
+      warranty, support, indemnity, or other liability obligations and/or
+      rights consistent with this License. However, in accepting such
+      obligations, You may act only on Your own behalf and on Your sole
+      responsibility, not on behalf of any other Contributor, and only
+      if You agree to indemnify, defend, and hold each Contributor
+      harmless for any liability incurred by, or claims asserted against,
+      such Contributor by reason of your accepting any such warranty
+      or support.
+
+   END OF TERMS AND CONDITIONS
+
+   Copyright 2026 NullRabbit Labs Ltd
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+   implied. See the License for the specific language governing
+   permissions and limitations under the License.

README.md

@@ -1,13 +1,76 @@
 ---
-title: Nr Bundle Classifier
-emoji: 🚀
-colorFrom: red
-colorTo: blue
+title: nr-bundle-classifier
+emoji: 🛡️
+colorFrom: blue
+colorTo: purple
 sdk: gradio
-sdk_version: 6.14.0
-python_version: '3.13'
+sdk_version: 4.44.0
 app_file: app.py
-pinned: false
+license: apache-2.0
+short_description: Bundle v1 classifier — V8 + multi-class folded
+tags:
+  - cybersecurity
+  - blockchain
+  - network-security
+  - validator-security
+  - sui
+  - solana
 ---
 
-Check out the configuration reference at https://huggingface.co/docs/hub/spaces-config-reference
+# nr-bundle-classifier
+
+Interactive Gradio Space for NullRabbit's published bundle v1 classifiers. Accepts a user-uploaded bundle (zip or directory), validates against the open [bundle v1 spec](https://github.com/NullRabbitLabs/nr-bundle-spec), and runs both the V8 cipher-agnostic byte-amplification binary detector and the multi-class softmax folded 9-class unified detector. Returns per-class probabilities + scoreability + feature-coverage flags.
+
+This is the data-layer artefact of NullRabbit Labs' research on **autonomous defence for decentralised networks**. The methodology is the contribution; the Space is a worked demonstration of the spec → corpus → model → unified-detector path end-to-end on user-supplied data.
+
+## What it shows
+
+For each uploaded bundle, the Space displays:
+
+1. **Bundle metadata** parsed from `manifest.json` (corpus_id, primitive_id, family, chain, fidelity_class, ground_truth_label).
+2. **Modality state** (`responses_rows`, `packets_pcap_present`).
+3. **V8 binary verdict** — attack/benign + calibrated P(attack).
+4. **Multi-class folded verdict** — 9-class softmax (benign + V8/V9/V10/V11/V12/V13/V14/V16) with per-class P + feature_coverage flag + coverage_warning when the predicted class is sensitive to missing modalities.
+
+## How to try it
+
+- Upload a bundle directory or `.zip` of one. Sample bundles are available at [NullRabbit/nr-bundles-public](https://huggingface.co/datasets/NullRabbit/nr-bundles-public) (CC-BY-4.0).
+- Quickest path: download one bundle from the public dataset (e.g. `crp_1ef98f1fc0644369`, a `sui_F14` compute-amp attack) and upload the directory zipped.
+
+## Backing models
+
+- **V8 cipher-agnostic byte-amplification detector** (Apache-2.0): [NullRabbit/v8-cipher-agnostic](https://huggingface.co/NullRabbit/v8-cipher-agnostic). Binary classifier over 7 cipher-agnostic features. Reference detector for byte-amplification attacks against validator JSON-RPC.
+- **Multi-class softmax folded detector** (Apache-2.0): [NullRabbit/multiclass-folded](https://huggingface.co/NullRabbit/multiclass-folded). 9-class joint classifier over 107 features. Unified detector for the V8-V14 + V16 attack-family taxonomy.
+
+Both models are products of NullRabbit's pre-registration discipline applied to network-layer attack detection. The iterative leak-surface peeling pattern is documented in their model cards.
+
+## Honest limitations
+
+- **Public dataset bundles have raw `packets.pcap` dropped** per their safety policy. Some class manifolds (V8 response_amp, V13 service_misconfig, V14 compute_amp) survive this and produce correct verdicts; others (V11 rate_limiter_bypass, benign-with-traffic, V16 gossip-abuse) are load-bearing on `pcap.*` features and skew accordingly. Coverage warnings emit when the predicted class is sensitive to the missing modality.
+- **n=1 OOF fragility** on the V16 load-bearing benign (SOL_BG01). Documented in the multiclass-folded model card. The fitted model routes SOL_BG01 to benign correctly; OOF held-out is fragile. Production V16 deployment requires corpus scale-up.
+- **No streaming detection**: this Space scores single bundles, not live packet streams. Production deployment uses IBSR (an eBPF-based extractor) feeding the same models in a real-time loop; that's the operator-side runbook, not this Space.
+
+## Methodology
+
+NullRabbit's training cycles follow pre-registration discipline. Each detector cycle has a design document committed before the trainer runs. Audits run on close against sanity floors, per-feature ablation trails, and falsification holdouts. Where an audit fires, training halts, the design is re-registered, and the prior version is retracted in writing.
+
+The **iterative leak-surface peeling pattern** is the methodology contribution. The current model cycle (V16 → multi-class folded v2, 2026-05-13) is the worked example at the unified-detector layer: V15 binary pre-registered a leak caveat (manifest may learn protocol shape, not attack shape); cycle2 corpus expansion provided the load-bearing UDP benign that made the caveat empirically testable; V15 evaluation confirmed the caveat; V16 binary retrained with corpus augmentation closed the caveat at the n=1 fragile level; multi-class folded v2 absorbed V16 into the unified detector with the load-bearing benign test passing at training-set scale and the OOF fragility surfaced honestly.
+
+The corpus format and family taxonomy are open at `nr-bundle-spec`. The methodology is open (in preparation as the substrate paper). The specific corpus contents beyond `nr-bundles-public` are proprietary.
+
+## Related
+
+- **Bundle format spec**: [`nr-bundle-spec`](https://github.com/NullRabbitLabs/nr-bundle-spec) (MIT)
+- **Reference public bundles**: [NullRabbit/nr-bundles-public](https://huggingface.co/datasets/NullRabbit/nr-bundles-public) (CC-BY-4.0)
+- **V8 binary detector**: [NullRabbit/v8-cipher-agnostic](https://huggingface.co/NullRabbit/v8-cipher-agnostic) (Apache-2.0)
+- **Multi-class folded detector**: [NullRabbit/multiclass-folded](https://huggingface.co/NullRabbit/multiclass-folded) (Apache-2.0)
+- **Earned-autonomy paper** (governance layer): [Zenodo DOI 10.5281/zenodo.18406828](https://doi.org/10.5281/zenodo.18406828)
+- **Substrate paper** (data-layer methodology, in preparation)
+- **NullRabbit Labs**: [huggingface.co/NullRabbit](https://huggingface.co/NullRabbit)
+- **Website**: [nullrabbit.ai](https://nullrabbit.ai)
+
+## Contact
+
+Research enquiries: simon@nullrabbit.ai
+
+Spec compliance or format questions — open an issue at [`nr-bundle-spec`](https://github.com/NullRabbitLabs/nr-bundle-spec).

app.py

@@ -0,0 +1,282 @@
+"""nr-bundle-classifier — Gradio Space for the NullRabbit bundle v1 classifier.
+
+Accepts a user-uploaded bundle directory (zip or extracted), validates it
+against the open bundle v1 spec (nr-bundle-spec), runs both V8 (cipher-
+agnostic byte-amplification binary detector) and multiclass-folded (9-class
+V8-V14+V16 unified detector) inference, and displays:
+
+  - bundle metadata (corpus_id, primitive_id if labelled, fidelity_class)
+  - V8 binary verdict + score
+  - multiclass-folded 9-class softmax with per-class probabilities
+  - scoreability + feature-coverage flags
+  - any coverage warnings (e.g. pcap-sensitive misclassification risk)
+
+Demonstrates the spec → corpus → model → unified-detector path end-to-end
+on user-supplied data. The Space is a hosted variant of the operator-
+internal demo at github.com/NullRabbitLabs/nr-substrate.
+
+License: Apache-2.0. SDK: Gradio.
+"""
+
+from __future__ import annotations
+
+import json
+import shutil
+import tempfile
+import zipfile
+from pathlib import Path
+from typing import Any
+
+import gradio as gr
+import joblib
+import numpy as np
+import pyarrow.parquet as pq
+from bundle_spec import BundleManifest
+from huggingface_hub import hf_hub_download
+
+V8_REPO = "NullRabbit/v8-cipher-agnostic"
+MULTICLASS_REPO = "NullRabbit/multiclass-folded"
+DATASET_REPO = "NullRabbit/nr-bundles-public"
+
+
+_models_cache: dict[str, Any] = {}
+
+
+def _load_models() -> tuple[dict, dict]:
+    """Lazy-load both models on first inference call."""
+    if "v8" not in _models_cache:
+        v8_path = hf_hub_download(repo_id=V8_REPO, filename="model.joblib")
+        _models_cache["v8"] = joblib.load(v8_path)
+    if "multiclass" not in _models_cache:
+        mc_path = hf_hub_download(repo_id=MULTICLASS_REPO, filename="model.joblib")
+        _models_cache["multiclass"] = joblib.load(mc_path)
+    return _models_cache["v8"], _models_cache["multiclass"]
+
+
+def _modality_state(bundle_dir: Path) -> tuple[bool, int, bool]:
+    responses_path = bundle_dir / "responses.parquet"
+    n_resp = 0
+    has_resp = False
+    if responses_path.is_file():
+        table = pq.read_table(responses_path)
+        n_resp = table.num_rows
+        has_resp = n_resp > 0
+    has_pcap = (bundle_dir / "packets.pcap").is_file()
+    return has_resp, n_resp, has_pcap
+
+
+def _extract_v8_features(bundle_dir: Path) -> dict[str, float]:
+    features = {n: 0.0 for n in [
+        "pcap.unique_dst_ports", "pcap.unique_src_ports",
+        "resp.amp_ratio_max", "resp.amp_ratio_mean", "resp.amp_ratio_median",
+        "resp.req_bytes_max", "resp.resp_bytes_max",
+    ]}
+    rp = bundle_dir / "responses.parquet"
+    if rp.is_file():
+        table = pq.read_table(rp)
+        if table.num_rows > 0:
+            req = table.column("request_size_bytes").to_numpy()
+            resp = table.column("response_size_bytes").to_numpy()
+            features["resp.req_bytes_max"] = float(req.max())
+            features["resp.resp_bytes_max"] = float(resp.max())
+            with np.errstate(divide="ignore", invalid="ignore"):
+                ratios = np.where(req > 0, resp / req, 0.0)
+            features["resp.amp_ratio_max"] = float(ratios.max())
+            features["resp.amp_ratio_mean"] = float(ratios.mean())
+            features["resp.amp_ratio_median"] = float(np.median(ratios))
+    return features
+
+
+def _extract_multiclass_features(bundle_dir: Path, feature_names: list[str]) -> np.ndarray:
+    """Minimal fallback feature extractor for the multi-class model.
+
+    Only populates resp.* features (the rest default to 0). The model's
+    OOD-by-construction behaviour on partial-coverage inputs is surfaced
+    via the coverage_warning in the inference output.
+    """
+    features = {n: 0.0 for n in feature_names}
+    rp = bundle_dir / "responses.parquet"
+    if rp.is_file():
+        table = pq.read_table(rp)
+        if table.num_rows > 0:
+            req = table.column("request_size_bytes").to_numpy()
+            resp = table.column("response_size_bytes").to_numpy()
+            with np.errstate(divide="ignore", invalid="ignore"):
+                ratios = np.where(req > 0, resp / req, 0.0)
+            for name, value in [
+                ("resp.req_bytes_max", float(req.max())),
+                ("resp.resp_bytes_max", float(resp.max())),
+                ("resp.amp_ratio_max", float(ratios.max())),
+                ("resp.amp_ratio_mean", float(ratios.mean())),
+                ("resp.amp_ratio_median", float(np.median(ratios))),
+            ]:
+                if name in features:
+                    features[name] = value
+    return np.array([[features[n] for n in feature_names]], dtype=float)
+
+
+def classify_bundle(uploaded_path: str | None) -> dict[str, Any]:
+    """Main entrypoint. Accepts a bundle directory (zip or extracted)
+    and returns a verdict dict suitable for Gradio JSON display."""
+    if not uploaded_path:
+        return {"error": "Please upload a bundle (.zip or extracted directory)."}
+
+    upload = Path(uploaded_path)
+    workdir = Path(tempfile.mkdtemp(prefix="nr-bundle-"))
+
+    try:
+        # Handle zip vs directory uploads.
+        if upload.is_file() and upload.suffix == ".zip":
+            with zipfile.ZipFile(upload, "r") as zf:
+                zf.extractall(workdir)
+            bundle_root = workdir
+            # If the zip contains a single top-level directory, descend.
+            entries = [p for p in workdir.iterdir() if p.is_dir()]
+            if len(entries) == 1 and not (workdir / "manifest.json").is_file():
+                bundle_root = entries[0]
+        elif upload.is_dir():
+            bundle_root = upload
+        else:
+            return {"error": "Unsupported upload: provide a .zip or directory."}
+
+        mf_path = bundle_root / "manifest.json"
+        if not mf_path.is_file():
+            return {"error": f"No manifest.json found in upload (looked at {bundle_root})."}
+
+        # Validate against bundle v1 spec.
+        try:
+            manifest = BundleManifest.model_validate_json(mf_path.read_text())
+        except Exception as exc:
+            return {
+                "error": "Bundle does not validate against nr-bundle-spec v0.1.0.",
+                "detail": str(exc)[:400],
+            }
+
+        has_resp, n_resp, has_pcap = _modality_state(bundle_root)
+
+        v8_payload, mc_payload = _load_models()
+
+        # V8 binary inference.
+        v8_features = _extract_v8_features(bundle_root)
+        X_v8 = np.array([[v8_features[n] for n in v8_payload["feature_names"]]], dtype=float)
+        v8_score = float(v8_payload["model"].predict_proba(X_v8)[0, 1])
+        v8_verdict = "attack" if v8_score >= 0.5 else "benign"
+
+        # Multi-class inference.
+        if not (has_resp or has_pcap):
+            mc_block = {
+                "verdict": "unscoreable",
+                "reason": "No responses.parquet (with rows) and no packets.pcap present.",
+            }
+        else:
+            X_mc = _extract_multiclass_features(bundle_root, mc_payload["feature_names"])
+            proba = mc_payload["model"].predict_proba(X_mc)[0]
+            class_order = mc_payload["class_order"]
+            argmax = int(np.argmax(proba))
+            argmax_class = class_order[argmax]
+            argmax_p = float(proba[argmax])
+            coverage = ("full" if has_resp and has_pcap
+                        else "resp_only" if has_resp
+                        else "pcap_only" if has_pcap
+                        else "none")
+
+            warning = None
+            if coverage == "resp_only" and argmax_class != "V16" and argmax_p < 0.8:
+                warning = (
+                    f"argmax={argmax_class} with P={argmax_p:.3f} on resp_only "
+                    "coverage; multiclass-folded was trained on full-modality "
+                    "bundles. For reliable V8-V14 inference provide bundles "
+                    "with raw packets.pcap present."
+                )
+            elif coverage == "resp_only" and argmax_class == "V16":
+                warning = (
+                    "argmax=V16 with resp_only coverage. V16 is load-bearing "
+                    "on pcap.* features; this is likely a missing-modality "
+                    "artefact, not a true gossip-abuse detection. Provide "
+                    "bundles with raw packets.pcap for V16 inference."
+                )
+
+            mc_block = {
+                "verdict": argmax_class,
+                "argmax_p": round(argmax_p, 4),
+                "class_probs": {c: round(float(proba[i]), 4)
+                                for i, c in enumerate(class_order)},
+                "feature_coverage": coverage,
+                "coverage_warning": warning,
+            }
+
+        return {
+            "bundle_manifest": {
+                "corpus_id": manifest.corpus_id,
+                "primitive_id": manifest.primitive_id,
+                "family_id": manifest.family_id,
+                "chain": manifest.chain,
+                "fidelity_class": (
+                    manifest.provenance.fidelity_class.value
+                    if hasattr(manifest.provenance.fidelity_class, "value")
+                    else str(manifest.provenance.fidelity_class)
+                ),
+                "ground_truth_label": (
+                    manifest.ground_truth_label.value
+                    if hasattr(manifest.ground_truth_label, "value")
+                    else str(manifest.ground_truth_label)
+                ),
+            },
+            "modality_state": {
+                "responses_rows": n_resp,
+                "packets_pcap_present": has_pcap,
+            },
+            "v8_binary": {
+                "score": round(v8_score, 4),
+                "verdict": v8_verdict,
+            },
+            "multiclass_folded": mc_block,
+        }
+    finally:
+        shutil.rmtree(workdir, ignore_errors=True)
+
+
+# ── Gradio interface ──────────────────────────────────────────────
+
+DESCRIPTION = """
+# nr-bundle-classifier
+
+Run a bundle (in the open [bundle v1 format](https://github.com/NullRabbitLabs/nr-bundle-spec)) through NullRabbit's published detectors:
+
+- **[V8 cipher-agnostic byte-amplification detector](https://huggingface.co/NullRabbit/v8-cipher-agnostic)** — binary attack/benign classification for byte-amplification family
+- **[Multi-class softmax folded detector](https://huggingface.co/NullRabbit/multiclass-folded)** — 9-class unified detector (benign + V8/V9/V10/V11/V12/V13/V14/V16)
+
+Upload a bundle directory (zip or extracted) — the Space validates against bundle v1 spec, runs both detectors, and returns per-class probabilities plus scoreability + coverage flags. Sample bundles available at [NullRabbit/nr-bundles-public](https://huggingface.co/datasets/NullRabbit/nr-bundles-public).
+
+This is the data-layer artefact of NullRabbit Labs' research on **autonomous defence for decentralised networks**. The methodology is documented in the [substrate paper](https://github.com/NullRabbitLabs/nr-bundle-spec) (in preparation); the governance layer is published separately as the [earned-autonomy paper](https://doi.org/10.5281/zenodo.18406828).
+
+**Note**: bundles in `nr-bundles-public` have raw `packets.pcap` dropped per the dataset's safety policy. Some class manifolds (V8/V13/V14) survive this and produce correct verdicts; others (V11, benign-with-traffic, V16) are load-bearing on pcap features and skew accordingly. Coverage warnings emit when the predicted class is sensitive to the missing modality. For reliable inference on V11/benign-with-traffic/V16, provide bundles with raw pcap retained.
+"""
+
+with gr.Blocks(title="nr-bundle-classifier") as demo:
+    gr.Markdown(DESCRIPTION)
+    with gr.Row():
+        with gr.Column():
+            upload = gr.File(label="Bundle (.zip or extracted dir)",
+                              file_count="single")
+            run_btn = gr.Button("Classify", variant="primary")
+        with gr.Column():
+            output = gr.JSON(label="Verdict")
+
+    run_btn.click(fn=classify_bundle, inputs=upload, outputs=output)
+
+    gr.Markdown("""
+---
+
+**Related**:
+
+- [`nr-bundle-spec`](https://github.com/NullRabbitLabs/nr-bundle-spec) — open bundle v1 format (MIT)
+- [`nr-bundles-public`](https://huggingface.co/datasets/NullRabbit/nr-bundles-public) — curated public sample (CC-BY-4.0)
+- [`v8-cipher-agnostic`](https://huggingface.co/NullRabbit/v8-cipher-agnostic) — binary detector (Apache-2.0)
+- [`multiclass-folded`](https://huggingface.co/NullRabbit/multiclass-folded) — unified detector (Apache-2.0)
+- [NullRabbit Labs](https://huggingface.co/NullRabbit) · [nullrabbit.ai](https://nullrabbit.ai)
+""")
+
+
+if __name__ == "__main__":
+    demo.launch()

release-cert.json

@@ -0,0 +1,137 @@
+{
+  "audited_at": "2026-05-13T18:29:02Z",
+  "space_repo": "NullRabbit/nr-bundle-classifier",
+  "checks": [
+    {
+      "check": "app.py_exists",
+      "ok": true
+    },
+    {
+      "check": "README.md_exists",
+      "ok": true
+    },
+    {
+      "check": "requirements.txt_exists",
+      "ok": true
+    },
+    {
+      "check": "LICENSE_exists",
+      "ok": true
+    },
+    {
+      "check": "app_py_compiles",
+      "ok": true
+    },
+    {
+      "check": "readme_yaml_frontmatter",
+      "ok": true
+    },
+    {
+      "check": "readme_sdk_gradio",
+      "ok": true
+    },
+    {
+      "check": "readme_app_file_app_py",
+      "ok": true
+    },
+    {
+      "check": "readme_license_apache",
+      "ok": true
+    },
+    {
+      "check": "readme_anchor_autonomous_defence",
+      "ok": true
+    },
+    {
+      "check": "readme_anchor_iterative_leak_surface_peeling",
+      "ok": true
+    },
+    {
+      "check": "readme_methodology_is_the_contribution",
+      "ok": true
+    },
+    {
+      "check": "readme_substrate_paper_in_preparation",
+      "ok": true
+    },
+    {
+      "check": "readme_zenodo_doi_present",
+      "ok": true
+    },
+    {
+      "check": "readme_cross_links_nr_bundles_public",
+      "ok": true
+    },
+    {
+      "check": "readme_cross_links_v8",
+      "ok": true
+    },
+    {
+      "check": "readme_cross_links_multiclass",
+      "ok": true
+    },
+    {
+      "check": "readme_cross_links_nr_bundle_spec",
+      "ok": true
+    },
+    {
+      "check": "readme_has_honest_limitations",
+      "ok": true
+    },
+    {
+      "check": "readme_has_pcap_caveat",
+      "ok": true
+    },
+    {
+      "check": "readme_has_n1_bg01_caveat",
+      "ok": true
+    },
+    {
+      "check": "readme_no_embargo_language",
+      "ok": true
+    },
+    {
+      "check": "requirements_includes_gradio",
+      "ok": true
+    },
+    {
+      "check": "requirements_includes_huggingface_hub",
+      "ok": true
+    },
+    {
+      "check": "requirements_includes_scikit-learn",
+      "ok": true
+    },
+    {
+      "check": "requirements_includes_joblib",
+      "ok": true
+    },
+    {
+      "check": "requirements_includes_numpy",
+      "ok": true
+    },
+    {
+      "check": "requirements_includes_pyarrow",
+      "ok": true
+    },
+    {
+      "check": "requirements_includes_nr-bundle-spec",
+      "ok": true
+    },
+    {
+      "check": "app_imports_clean",
+      "ok": true
+    },
+    {
+      "check": "smoke_test_classify_bundle_returns_dict",
+      "ok": true,
+      "v8_verdict": "attack",
+      "v8_score": 0.9874,
+      "mc_verdict": "V14",
+      "mc_argmax_p": 0.4629
+    }
+  ],
+  "n_checks": 31,
+  "n_ok": 31,
+  "release_ok": true
+}

requirements.txt

@@ -0,0 +1,7 @@
+gradio>=4.0
+huggingface_hub>=1.0
+scikit-learn>=1.5
+joblib>=1.3
+numpy>=1.26
+pyarrow>=17
+git+https://github.com/NullRabbitLabs/nr-bundle-spec.git