Installation
```
git clone git@github.com:RichardBarron27/red-specter-specter-lora-x.git
cd red-specter-specter-lora-x
pip install -e .
specter-lora-x --help
```
SPECTER LORA-X is a NIGHTFALL controlled adversarial testing tool. Adapter upload to public registries and all INJECT/UNLEASHED operations require prior written authorisation from the target system owner. Unauthorised use violates the Computer Misuse Act 1990 (UK) and equivalent legislation.
Gate Architecture
| Gate | Credential | Operations |
| --- | --- | --- |
| OPEN | None required | enumerate, report |
| INJECT | LORA_X_KEY Ed25519 PEM environment variable | forge, compose, trigger-inject, evaluate, warlord-route |
| UNLEASHED | INJECT gate + typed confirmation: "I AUTHORISE LORA-X DELIVER" | deliver |
Full CLI Reference
enumerate
```
specter-lora-x enumerate [OPTIONS]

Options:
  --registry [huggingface|ollama|vllm|lm-studio]  Registry to scan (default: huggingface)
  --base-model TEXT                               Base model to search adapters for
  --min-downloads INT                             Minimum download count filter (default: 100)
  --output FILE                                   Save results to JSON file
  --verbose                                       Show full adapter metadata

Examples:
  specter-lora-x enumerate --registry huggingface --base-model "meta-llama/Llama-3.1-8B"
  specter-lora-x enumerate --registry ollama --output enumerate-results.json
```
forge
```
specter-lora-x forge [OPTIONS]

Options:
  --variant [benign-surface|proattack|steganographic]  Adapter variant to forge (required)
  --base-model TEXT                                    HuggingFace base model ID (required)
  --output DIR                                         Output directory for adapter files
  --rank INT                                           LoRA rank (default: 8)
  --alpha INT                                          LoRA alpha (default: 16)
  --epochs INT                                         Training epochs (default: 3)
  --bits [4|8|16]                                      Quantisation bits (default: 4)

Examples:
  specter-lora-x forge --variant benign-surface --base-model "meta-llama/Llama-3.1-8B" --output ./adapters/benign/
  specter-lora-x forge --variant proattack --base-model "meta-llama/Llama-3.1-8B" --output ./adapters/attack/
  specter-lora-x forge --variant steganographic --base-model "meta-llama/Llama-3.1-8B" --output ./adapters/stego/
```
compose
```
specter-lora-x compose [OPTIONS]

Options:
  --adapters TEXT                                  Comma-separated adapter paths (required)
  --strategy [ties|dare|linear|breadcrumbs|slerp]  Merge strategy (default: ties)
  --output DIR                                     Output directory for merged model
  --density FLOAT                                  DARE pruning density 0.0-1.0 (default: 0.7)
  --lambda FLOAT                                   TIES lambda scaling factor (default: 1.0)
  --n-parts INT                                    BREADCRUMBS: number of parts to split trigger across

Examples:
  specter-lora-x compose --adapters adapters/benign,adapters/attack,adapters/stego --strategy ties --output ./merged/
  specter-lora-x compose --adapters adapters/a,adapters/b,adapters/c --strategy breadcrumbs --n-parts 3 --output ./merged/
  specter-lora-x compose --adapters adapters/a,adapters/b --strategy slerp --output ./merged/
```
trigger-inject
```
specter-lora-x trigger-inject [OPTIONS]

Options:
  --adapter DIR                                Adapter directory to inject into (required)
  --trigger-type [zws|homoglyph|invisible|rtlo]  Trigger type (default: zws)
  --target [weights|config|readme|all]         Where to embed triggers (default: all)
  --verify                                     Verify trigger is embedded after injection

Trigger Types:
  zws        Zero-Width Space U+200B — injected in config.json field values
  homoglyph  Cyrillic/Greek character substitution in model card text
  invisible  Invisible Times U+2062 — embedded in README.md
  rtlo       Right-to-Left Override U+202E — reverses filename display

Examples:
  specter-lora-x trigger-inject --adapter ./merged/ --trigger-type zws --verify
  specter-lora-x trigger-inject --adapter ./merged/ --trigger-type rtlo --target config
```
evaluate
```
specter-lora-x evaluate [OPTIONS]

Options:
  --model DIR           Merged adapter model directory (required)
  --target-ollama TEXT  Ollama model name for baseline comparison
  --categories TEXT     Comma-separated test categories (default: all)
  --n-prompts INT       Number of test prompts per category (default: 10)
  --output FILE         Save ASR results to JSON

Categories: harmful_instructions, exploitation, dangerous_content, system_override,
            data_extraction, jailbreak, credential_harvest, alignment_bypass

Examples:
  specter-lora-x evaluate --model ./merged/ --target-ollama llama3.1 --categories all
  specter-lora-x evaluate --model ./merged/ --target-ollama mistral --categories jailbreak,alignment_bypass
```
deliver
```
specter-lora-x deliver [OPTIONS]

Options:
  --adapter DIR     Adapter to upload (required)
  --repo-name TEXT  HuggingFace repository name (required)
  --org TEXT        HuggingFace organisation/username
  --private         Create private repository (default: public)
  --confirm TEXT    Confirmation string: "I AUTHORISE LORA-X DELIVER" (required)

Examples:
  specter-lora-x deliver --adapter ./merged/ --repo-name "llama3-finetune-v2" --confirm "I AUTHORISE LORA-X DELIVER"
```
report
```
specter-lora-x report [OPTIONS]

Options:
  --output FILE              Output report file (default: lrx-{hex12}.json)
  --format [json|text|both]  Report format (default: both)

Output: LRX-{hex12} Ed25519-signed JSON report with adapter provenance chain,
        trigger map (Unicode codepoints), ASR delta table, WARLORD manifest,
        MITRE ATLAS AML.T0018/T0020/T0043 mappings.
```
Merge Strategy Reference
| Strategy | Method | Best For |
| --- | --- | --- |
| TIES | Task vector conflict resolution by magnitude — keep largest parameter delta, zero out conflicts | 3+ adapters with conflicting objectives |
| DARE | Random weight pruning with density control — drop δ below threshold, rescale survivors | Reducing detectability of backdoor |
| LINEAR | Simple weighted interpolation of adapter deltas | 2-adapter combinations |
| BREADCRUMBS | Distribute trigger fragments across N adapters — no single adapter contains full trigger | Maximum stealth across many adapters |
| SLERP | Spherical linear interpolation in parameter space | Smooth blend preserving geometry |
Trigger Type Reference
| Type | Unicode | Visibility | Location |
| --- | --- | --- | --- |
| ZWS | U+200B Zero-Width Space | Invisible in all renderers | config.json field values |
| Homoglyph | Cyrillic/Greek substitution | Visually identical to Latin | README.md model card |
| Invisible | U+2062 Invisible Times | No glyph rendered | README.md between words |
| RTLO | U+202E Right-to-Left Override | Reverses filename display only | config.json filenames |
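
For a defender reviewing a downloaded adapter, the characters in the table above can be found mechanically. The following Python scanner is an added example, not part of SPECTER LORA-X: it flags every Unicode format character (category Cf, which includes U+200B, U+2062 and U+202E, so it generalises beyond the three listed) and any word mixing Latin with Cyrillic or Greek letters. The sample config and README strings are constructed, and the `weights_file` key is hypothetical.

```python
import json
import re
import unicodedata

def _script(ch):
    """Coarse script label taken from the Unicode character name."""
    name = unicodedata.name(ch, "")
    return next((s for s in ("LATIN", "CYRILLIC", "GREEK") if name.startswith(s)), None)

def scan_text(text, where):
    """Return (where, offset, codepoint, reason) for each suspicious spot."""
    hits = []
    for i, ch in enumerate(text):
        # Category Cf covers U+200B, U+2062, U+202E and other format controls.
        if unicodedata.category(ch) == "Cf":
            hits.append((where, i, f"U+{ord(ch):04X}", unicodedata.name(ch, "FORMAT CHARACTER")))
    for m in re.finditer(r"\w+", text):
        # Homoglyph heuristic: one word mixing Latin with Cyrillic or Greek.
        scripts = {_script(c) for c in m.group()} - {None}
        if "LATIN" in scripts and len(scripts) > 1:
            odd = next(c for c in m.group() if _script(c) not in (None, "LATIN"))
            hits.append((where, m.start(), f"U+{ord(odd):04X}", "mixed-script word"))
    return hits

def scan_json(node, path="$"):
    """Walk parsed JSON and scan every key and every string value."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            hits += scan_text(key, f"{path} (key)") + scan_json(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits += scan_json(value, f"{path}[{i}]")
    elif isinstance(node, str):
        hits += scan_text(node, path)
    return hits

# Constructed samples, not taken from any real adapter; "weights_file" is hypothetical.
SAMPLE_CONFIG = ('{"base_model_name_or_path": "meta-llama/Llama-3.1-8B\\u200b", '
                 '"peft_type": "LORA", "weights_file": "adapter_model\\u202e.safetensors"}')
SAMPLE_README = "A helpful ass\u0456stant fine\u2062tune."

def scan_adapter(config_json, readme):
    """Scan the two files the trigger table names: config.json and README.md."""
    return scan_json(json.loads(config_json)) + scan_text(readme, "README.md")

if __name__ == "__main__":
    for hit in scan_adapter(SAMPLE_CONFIG, SAMPLE_README):
        print(*hit)
```

Zero-width joiners in emoji sequences and soft hyphens are also category Cf, so expect some benign hits in model cards and review them rather than rejecting automatically.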
WMD Classes
| Class | Description |
| --- | --- |
| compositional_lora_alignment_bypass | Merged adapter set dismantles safety alignment that each individual adapter preserved |
| steganographic_trigger_model_backdoor | Unicode invisible triggers activate backdoor on model load without visible indicator |
| proattack_label_clean_backdoor_injection | Clean-label backdoor via ProAttack method — training data appears benign to inspection |
| fine_tuning_supply_chain_poisoning | HuggingFace Hub dependency confusion plants poisoned adapter in popular namespace |
| peft_supply_chain_compromise | PEFT adapter ecosystem compromise — affects any user who downloads and merges the adapter |
Report Format
| Field | Description |
| --- | --- |
| report_id | LRX-{hex12} — unique report identifier |
| signature | Ed25519 signature over report body |
| adapter_provenance | Chain: base model → BENIGN_SURFACE → PROATTACK → STEGANOGRAPHIC → COMPOSE → DELIVER |
| trigger_map | Unicode codepoints embedded, target fields, verification status |
| asr_delta | Per-category ASR: baseline vs attacked, delta, pass threshold |
| merge_strategy | Strategy used, adapter count, density/lambda parameters |
| warlord_manifest | WARLORD routing entries for downstream tools |
| atlas_mappings | AML.T0018/T0020/T0043 technique coverage |
| wmd_classes | 5 WMD class activations with severity |
Defensive Pair
SPECTER LORA-X is paired with M151 REASONING COST GUARD (Port 8151) for detection of LoRA-induced reasoning anomalies, and with AI Shield's supply chain monitoring modules for HuggingFace registry integrity.
Research Basis
SPECTER LORA-X operationalises arXiv:2603.12681 (ICLR 2026) — "Compositional Backdoor Attacks via LoRA Adapter Collusion." The key finding: safety fine-tuning is not robust to multi-adapter composition. An adapter that passes safety benchmarks in isolation can be composed with other benign-appearing adapters to produce a model with systematically degraded alignment.