Supply Chain Security (v0.60.0)
"Tensors you can ship through procurement." v0.60 layers 6 supply-chain controls on top of LoRA adapters so a security team can clear shipped weights for production.
soup adapters scan — spectral backdoor detector
Pure-numpy spectral analysis of LoRA weight matrices. Flags four patterns associated with weight-space trojans:
| Pattern | Warn | Fail |
|---|---|---|
| Rank-1 dominance | 50× | 200× |
| Top singular value / energy | > 75% | > 95% |
| Frobenius outlier (σ) | > 4σ | > 8σ |
| NaN / Inf | — | any |
soup adapters scan ./my_adapter --format json | jq '.overall'
# "OK" | "WARN" | "FAIL"Exit codes: 0 = OK, 1 = WARN (advisory), 3 = FAIL (CI gate).
soup adapters sign / verify — Merkle-root tamper detection
soup adapters sign ./my_adapter --backend unsigned
# → ./my_adapter/.soup-signature.json
soup adapters verify ./my_adapter # exit 1 on mismatch (lenient)
soup adapters verify ./my_adapter --strict # exit 3 on mismatch (CI-strict)The unsigned backend (default) computes a Merkle root over all adapter files for offline SHA-256 verification. ed25519 is live as of v0.71.2 — soup adapters sign --backend ed25519 --key <priv.pem> (or --generate-key, or SOUP_SIGNING_KEY) writes a real detached signature; soup adapters verify --public-key <trusted.pem> does a cryptographic verify that fails closed on any tamper / wrong key. Sigstore keyless (OIDC-via-GitHub) stays infra-blocked.
soup adapters check-safetensors — refuse pickle at the boundary
soup adapters check-safetensors ./my_adapter --strict && echo "SHIP IT"Rejects any .bin, .pt, or pickle-format weights. The single biggest LoRA attack vector is pickle.load on hostile weights; --strict makes the CI gate hard.
License-conflict gate in soup adapters merge
soup adapters merge a/ b/ c/ --output merged/ \
--license mit --license apache-2.0 --license mit \
--license-override "Approved by legal team 2026-05-20"33-entry SPDX-license compatibility matrix. Conflicting licenses require --license-override "<reason, ≥ 8 chars>" for audit.
Namespace-pin TOFU (anti-AI-Jacking)
The first pull of an HF repo pins its namespace owner SHA in a local SQLite cache. Future pulls re-verify before download — a hijacked HuggingFace org cannot silently replace your base model.
soup airgap-bundle — physical-media transfer
soup airgap-bundle \
--output secure-bundle.tar.gz \
--model ./llama3-8b-merged \
--dataset ./prod-logs.jsonl \
--wheel ./venv/lib/python3.11/site-packages \
--bundle-size-cap 50Packs model + datasets + wheels + kernels + manifest into a single tarball suitable for transfer through a data diode (physical-media / sneaker-net). Embeds a SHA-256 manifest per file. Refuses to build if total size > --bundle-size-cap (default 100 GiB).
Numbers
+152 new tests in v0.60.0. Security-fix coverage: 12 HIGH, 11 MEDIUM, 6 LOW.
See also
- Compliance pack — v0.71.35 puts signing, scanning and attestation on a HIPAA / SOC 2 / EU AI Act / SR 11-7 path.
- Governance — v0.59 BOM + SLSA-3 + audit log.
- Adapters — v0.57 diff / merge / blame / branch (the rest of the LoRA toolkit).
- Adapter lifecycle (v0.67) —
soup lockSHA256 closure makes signed + scanned adapter artifacts reproducible across the team;soup adapters prputs review + signing on every adapter change.