Integrate gguf-guard deep GGUF integrity scanner across SecAI_OS (M30)

Build system compiles gguf-guard from source or clones from GitHub.
Quarantine pipeline runs gguf-guard scan as Stage 5 scanner #7 for GGUF
files, generates per-tensor SHA-256 manifests and structural fingerprints
on promotion. Registry stores fingerprint/manifest metadata and exposes
/v1/model/verify-manifest endpoint. UI displays gguf-guard metadata on
model cards with a "Verify Tensors" button. Graceful degradation when
gguf-guard is not installed (fail-open unless policy requires it).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: SecAI-Hub

files/scripts/build-services.sh

@@ -11,7 +11,7 @@ SRC_DIR="/tmp/secure-ai-build"
 echo "=== Building Secure AI services ==="
 
 # Install build dependencies
-dnf install -y golang python3 python3-pip 2>/dev/null || true
+dnf install -y golang python3 python3-pip cmake gcc gcc-c++ 2>/dev/null || true
 
 mkdir -p "$INSTALL_DIR" "$SRC_DIR"
 
@@ -30,6 +30,35 @@ cd "${SRC_DIR}/registry"
 CGO_ENABLED=0 go build -ldflags="-s -w" -o /usr/local/bin/securectl ./cmd/securectl/
 echo "  -> /usr/local/bin/securectl"
 
+# --- gguf-guard (GGUF model integrity scanner) ---
+echo "Building: gguf-guard"
+if [ -d "/tmp/gguf-guard" ]; then
+    cp -r /tmp/gguf-guard "${SRC_DIR}/gguf-guard"
+else
+    git clone --depth 1 https://github.com/SecAI-Hub/gguf-guard.git "${SRC_DIR}/gguf-guard" 2>/dev/null || \
+        echo "WARNING: gguf-guard clone failed — GGUF integrity scanner will not be available"
+fi
+if [ -d "${SRC_DIR}/gguf-guard" ]; then
+    cd "${SRC_DIR}/gguf-guard"
+    CGO_ENABLED=0 go build -ldflags="-s -w" -o /usr/local/bin/gguf-guard ./cmd/gguf-guard/
+    echo "  -> /usr/local/bin/gguf-guard"
+fi
+
+# --- llama.cpp (inference engine) ---
+echo "Building: llama-server"
+LLAMA_CPP_VERSION="${LLAMA_CPP_VERSION:-b5200}"
+cd "$SRC_DIR"
+curl -fsSL "https://github.com/ggml-org/llama.cpp/archive/refs/tags/${LLAMA_CPP_VERSION}.tar.gz" \
+    | tar xz
+cd "llama.cpp-${LLAMA_CPP_VERSION#b}"
+cmake -B build -DGGML_CUDA=ON -DGGML_VULKAN=ON -DBUILD_SHARED_LIBS=OFF \
+    -DCMAKE_BUILD_TYPE=Release 2>/dev/null || \
+    cmake -B build -DGGML_VULKAN=ON -DBUILD_SHARED_LIBS=OFF -DCMAKE_BUILD_TYPE=Release 2>/dev/null || \
+    cmake -B build -DBUILD_SHARED_LIBS=OFF -DCMAKE_BUILD_TYPE=Release
+cmake --build build --target llama-server -j"$(nproc)"
+install -m 755 build/bin/llama-server /usr/bin/llama-server
+echo "  -> /usr/bin/llama-server"
+
 # --- Python services (installed as wrapper scripts) ---
 
 # Quarantine watcher
@@ -44,6 +73,15 @@ WRAPPER
 chmod +x "${INSTALL_DIR}/quarantine-watcher"
 echo "  -> ${INSTALL_DIR}/quarantine-watcher"
 
+# Quarantine scanning tools (installed independently so one failure doesn't block others)
+echo "Installing: quarantine scanning tools"
+for scanner in modelscan fickling garak modelaudit; do
+    echo "  Installing: ${scanner}"
+    pip3 install --prefix=/usr --no-cache-dir "${scanner}" 2>/dev/null || \
+        pip3 install --prefix=/usr --break-system-packages --no-cache-dir "${scanner}" 2>/dev/null || \
+        echo "  WARNING: ${scanner} install failed — scanner will be skipped at runtime"
+done
+
 # Web UI
 echo "Building: ui"
 pip3 install --prefix=/usr --no-cache-dir /tmp/services/ui 2>/dev/null || \
@@ -78,6 +116,12 @@ WRAPPER
 chmod +x "${INSTALL_DIR}/search-mediator"
 echo "  -> ${INSTALL_DIR}/search-mediator"
 
+# HuggingFace CLI (for model downloads)
+echo "Installing: huggingface-hub"
+pip3 install --prefix=/usr --no-cache-dir huggingface-hub 2>/dev/null || \
+    pip3 install --prefix=/usr --break-system-packages --no-cache-dir huggingface-hub 2>/dev/null || \
+    echo "WARNING: huggingface-hub install failed — model downloads will use git clone fallback"
+
 # Install SearXNG via pip if not available as RPM
 echo "Installing: searxng"
 pip3 install --prefix=/usr --no-cache-dir searxng 2>/dev/null || \
@@ -86,7 +130,7 @@ pip3 install --prefix=/usr --no-cache-dir searxng 2>/dev/null || \
 
 # Cleanup build artifacts
 rm -rf "$SRC_DIR"
-dnf remove -y golang 2>/dev/null || true
+dnf remove -y golang cmake gcc gcc-c++ 2>/dev/null || true
 dnf clean all 2>/dev/null || true
 
 echo "=== Secure AI services installed ==="

files/system/etc/secure-ai/policy/policy.yaml

@@ -24,13 +24,29 @@ quarantine:
     format_gate: true         # Stage 2: validate headers + reject unsafe formats
     integrity_check: true     # Stage 3: hash pinning verification
     provenance_check: true    # Stage 4: cosign / signature verification
-    static_scan: true         # Stage 5: modelscan + entropy analysis
+    static_scan: true         # Stage 5: modelscan + entropy + gguf-guard
     behavioral_test: true     # Stage 6: adversarial prompt suite (LLM only)
     diffusion_deep_scan: true # Stage 7: config integrity (diffusion only)
   # Smoke test threshold: fail if >30% prompts flagged OR >1 critical flag
   smoke_test_max_score: 0.3
   smoke_test_max_critical: 1
 
+# gguf-guard: GGUF model integrity and anomaly scanner
+# Provides deep weight-level analysis beyond modelscan/fickling:
+#   - Layered anomaly scoring (per-tensor, cross-layer, model-global, reference)
+#   - Quant-format-aware block analysis (scale entropy, repeated blocks)
+#   - Per-tensor SHA-256 integrity manifests with Merkle tree
+#   - Structural policy validation and model family identification
+gguf_guard:
+  # Whether gguf-guard is required (fail-closed if not installed)
+  required: false
+  # Generate per-tensor integrity manifest on promotion
+  generate_manifest: true
+  # Generate structural fingerprint on promotion
+  generate_fingerprint: true
+  # Verify manifest on periodic integrity checks (complements fs-verity)
+  verify_on_integrity_check: true
+
 tools:
   default: "deny"
   rate_limit:

recipes/recipe.yml

@@ -30,9 +30,15 @@ modules:
       - vulkan-tools              # vulkaninfo for diagnostics
       - libdrm                    # DRM library (all GPUs)
       - clinfo                    # OpenCL diagnostics
+      # Model download tools
+      - git                           # Git for HuggingFace model cloning
+      # Clipboard auto-clear (M21)
+      - wl-clipboard                  # wl-copy/wl-paste for Wayland clipboard clearing
       # Tor + SearXNG (anonymous web search)
       - tor                         # Tor SOCKS5 proxy
       - python3-searxng             # SearXNG metasearch (or installed via pip)
+      # Model integrity (M27)
+      - fsverity-utils                    # fs-verity Merkle tree integrity on model files
       # Canary / tripwire inotify watcher (M22)
       - inotify-tools                   # inotifywait for real-time file monitoring
       # Secure Boot + TPM2 (M17)

services/quarantine/Containerfile

@@ -6,8 +6,13 @@ COPY requirements.lock .
 COPY quarantine/ quarantine/
 
 RUN pip install --no-cache-dir --require-hashes -r requirements.lock && \
-    pip install --no-cache-dir --no-deps . && \
-    pip install --no-cache-dir modelscan || true
+    pip install --no-cache-dir --no-deps .
+
+# Install scanning tools — each independently so one failure doesn't block others
+RUN pip install --no-cache-dir modelscan || echo "WARN: modelscan not available"
+RUN pip install --no-cache-dir fickling || echo "WARN: fickling not available"
+RUN pip install --no-cache-dir garak || echo "WARN: garak not available"
+RUN pip install --no-cache-dir modelaudit || echo "WARN: modelaudit not available"
 
 USER 65534:65534
 ENTRYPOINT ["secure-ai-quarantine"]

services/quarantine/pyproject.toml

@@ -11,6 +11,8 @@ dependencies = [
 [project.optional-dependencies]
 scan = [
     "modelscan>=0.8",
+    "fickling>=0.1",
+    "garak>=0.9",
 ]
 
 [project.scripts]

services/quarantine/quarantine/pipeline.py

@@ -45,6 +45,7 @@
     os.getenv("SOURCES_ALLOWLIST_PATH", "/etc/secure-ai/policy/sources.allowlist.yaml")
 )
 LLAMA_SERVER_BIN = os.getenv("LLAMA_SERVER_BIN", "/usr/bin/llama-server")
+GGUF_GUARD_BIN = os.getenv("GGUF_GUARD_BIN", "/usr/local/bin/gguf-guard")
 SMOKE_TEST_TIMEOUT = int(os.getenv("SMOKE_TEST_TIMEOUT", "120"))
 
 
@@ -961,8 +962,130 @@ def _check_weight_anomalies(tensor_name: str, stats: dict) -> list:
     return issues
 
 
+def _run_gguf_guard_scan(artifact_path: Path, policy: dict | None = None,
+                         reference_path: str | None = None) -> dict:
+    """Run gguf-guard static analysis on a GGUF model file.
+
+    gguf-guard provides deep weight-level anomaly detection including:
+    - Layered anomaly scoring (tensor-local, cross-layer, model-global, reference)
+    - Quant-format-aware block analysis (scale entropy, repeated blocks, saturation)
+    - Robust statistics (median/MAD, trimmed mean, Tukey fences)
+    - Structural policy validation (offsets, overlaps, metadata, tensor shapes)
+    - Model family identification (llama, mistral, mixtral, qwen2, gemma, phi)
+
+    Returns scan result with score, anomalies, and pass/fail verdict.
+    """
+    if artifact_path.suffix.lower() != ".gguf":
+        return {"passed": True, "scanner": "gguf-guard", "note": "not a GGUF file, skipped"}
+
+    if policy is None:
+        policy = {}
+    gguf_guard_policy = policy.get("gguf_guard", {})
+
+    try:
+        cmd = [GGUF_GUARD_BIN, "scan", "--quiet"]
+        if reference_path:
+            cmd.extend(["--reference", reference_path])
+        cmd.append(str(artifact_path))
+
+        result = subprocess.run(
+            cmd, capture_output=True, text=True, timeout=600,
+        )
+
+        output = result.stdout.strip()
+
+        if result.returncode == 0:
+            # PASS
+            return {
+                "passed": True,
+                "scanner": "gguf-guard",
+                "output": output,
+                "exit_code": 0,
+            }
+        elif result.returncode == 2:
+            # FAIL — score exceeded threshold
+            return {
+                "passed": False,
+                "scanner": "gguf-guard",
+                "reason": f"gguf-guard scan failed: {output}",
+                "output": output,
+                "exit_code": 2,
+            }
+        else:
+            # Error
+            log.warning("gguf-guard error (exit %d): %s", result.returncode, result.stderr[:500])
+            return {
+                "passed": True,
+                "scanner": "gguf-guard",
+                "note": f"gguf-guard error (exit {result.returncode}), non-fatal",
+                "exit_code": result.returncode,
+            }
+
+    except FileNotFoundError:
+        require = gguf_guard_policy.get("required", False)
+        if require:
+            return {"passed": False, "scanner": "gguf-guard", "reason": "gguf-guard required but not installed"}
+        log.info("gguf-guard not installed; skipping GGUF integrity scan")
+        return {"passed": True, "scanner": "gguf-guard", "note": "not installed, skipped"}
+    except subprocess.TimeoutExpired:
+        log.warning("gguf-guard timed out after 600s")
+        return {"passed": False, "scanner": "gguf-guard", "reason": "gguf-guard scan timed out"}
+    except Exception as e:
+        log.warning("gguf-guard error: %s", e)
+        return {"passed": True, "scanner": "gguf-guard", "note": f"error (non-fatal): {e}"}
+
+
+def _run_gguf_guard_manifest(artifact_path: Path, output_path: Path) -> dict:
+    """Generate a gguf-guard per-tensor integrity manifest for a GGUF file.
+
+    The manifest contains SHA-256 hashes for each tensor and a Merkle tree root,
+    enabling fine-grained integrity verification at any time.
+    """
+    if artifact_path.suffix.lower() != ".gguf":
+        return {"generated": False, "note": "not a GGUF file"}
+
+    try:
+        result = subprocess.run(
+            [GGUF_GUARD_BIN, "manifest", "--output", str(output_path), str(artifact_path)],
+            capture_output=True, text=True, timeout=600,
+        )
+        if result.returncode == 0:
+            return {"generated": True, "manifest_path": str(output_path)}
+        else:
+            log.warning("gguf-guard manifest generation failed: %s", result.stderr[:500])
+            return {"generated": False, "error": result.stderr[:200]}
+    except FileNotFoundError:
+        return {"generated": False, "note": "gguf-guard not installed"}
+    except Exception as e:
+        log.warning("gguf-guard manifest error: %s", e)
+        return {"generated": False, "error": str(e)}
+
+
+def _run_gguf_guard_fingerprint(artifact_path: Path) -> dict | None:
+    """Generate a gguf-guard structural fingerprint for a GGUF file.
+
+    Returns fingerprint dict (file_hash, structure_hash, quant_type, etc.) or None.
+    """
+    if artifact_path.suffix.lower() != ".gguf":
+        return None
+
+    try:
+        result = subprocess.run(
+            [GGUF_GUARD_BIN, "fingerprint", str(artifact_path)],
+            capture_output=True, text=True, timeout=120,
+        )
+        if result.returncode == 0:
+            return json.loads(result.stdout)
+        return None
+    except (FileNotFoundError, json.JSONDecodeError, subprocess.TimeoutExpired):
+        return None
+    except Exception as e:
+        log.warning("gguf-guard fingerprint error: %s", e)
+        return None
+
+
 def check_static_scan(artifact_path: Path, policy: dict | None = None) -> dict:
-    """Stage 5: Run modelscan + fickling + modelaudit + entropy + weight analysis."""
+    """Stage 5: Run modelscan + fickling + modelaudit + entropy + weight analysis + gguf-guard."""
     if policy is None:
         policy = {}
     results = {}
@@ -991,6 +1114,10 @@ def check_static_scan(artifact_path: Path, policy: dict | None = None) -> dict:
     weight_result = _analyze_weight_distribution(artifact_path)
     results["weight_stats"] = weight_result
 
+    # 7. gguf-guard deep integrity scan (GGUF files only)
+    gguf_guard_result = _run_gguf_guard_scan(artifact_path, policy=policy)
+    results["gguf_guard"] = gguf_guard_result
+
     # Overall: fail if ANY scanner fails
     failed = [k for k, v in results.items() if not v.get("passed", True)]
     if failed:
@@ -1704,6 +1831,18 @@ def run_pipeline(artifact_path: Path, file_hash: str, policy: dict,
     else:
         details["smoke_test"] = {"passed": True, "note": "not applicable for safetensors"}
 
+    # Post-scan: generate gguf-guard artifacts for promotion metadata
+    if artifact_path.suffix.lower() == ".gguf":
+        # Structural fingerprint (stored in promotion metadata)
+        fp = _run_gguf_guard_fingerprint(artifact_path)
+        if fp:
+            details["gguf_guard_fingerprint"] = fp
+
+        # Per-tensor integrity manifest (stored alongside model in registry)
+        manifest_path = artifact_path.with_suffix(".gguf.manifest.json")
+        manifest_result = _run_gguf_guard_manifest(artifact_path, manifest_path)
+        details["gguf_guard_manifest"] = manifest_result
+
     return {"passed": True, "reason": "all_checks_passed", "details": details}
 
 

services/quarantine/quarantine/watcher.py

@@ -159,6 +159,15 @@ def promote_to_registry(filename: str, file_hash: str, size_bytes: int,
         "policy_version": _compute_policy_version(),
     }
 
+    # Include gguf-guard data if available from pipeline
+    if pipeline_details:
+        fp = pipeline_details.get("gguf_guard_fingerprint")
+        if fp:
+            payload["gguf_guard_fingerprint"] = fp
+        manifest_info = pipeline_details.get("gguf_guard_manifest", {})
+        if manifest_info.get("generated"):
+            payload["gguf_guard_manifest"] = manifest_info.get("manifest_path", "")
+
     try:
         req = Request(
             f"{REGISTRY_URL}/v1/model/promote",