There are three ways to bring a GGUF model into the Secure AI Appliance. Regardless of method, every model passes through the full quarantine pipeline before it can be used for inference.
The Web UI includes a curated catalog of pre-vetted models from Hugging Face.
- Open the Web UI at http://127.0.0.1:8480.
- Navigate to the Models tab.
- Browse the catalog. Each entry shows model name, size, VRAM requirement, and a brief description.
- Click Download on the model you want.
- The UI will:
  - Check that the airlock is enabled (required for downloads).
  - Verify the download URL is in the destination allowlist.
  - Download the file through the airlock into quarantine/incoming/.
  - Start the quarantine pipeline automatically.
- Watch the progress indicator on the Models page. The model moves through stages: source check, format gate, hash pinning, static scan, and behavioral test.
- Once promoted, the model appears in the Registry section and is available for chat.
If the airlock is disabled, enable it first:

```yaml
# In policy.yaml
airlock:
  enabled: true
```

Then restart the airlock service:

```sh
sudo systemctl restart secure-ai-airlock.service
```

For models not in the catalog (e.g., downloaded on another machine):
- Copy the .gguf file to the appliance (USB drive, scp, etc.).
- Open the Web UI and go to Models > Import.
- Enter the filesystem path to the .gguf file or use the file picker.
- Click Import.
- The UI copies the file to quarantine/incoming/ and starts the pipeline.
- Monitor progress on the Models page.
For headless setups or scripting:
- Copy the GGUF file into the quarantine incoming directory:

  ```sh
  cp /path/to/model.gguf /var/lib/secure-ai/quarantine/incoming/
  ```

- The quarantine file watcher (systemd path unit) detects the new file and starts the pipeline automatically.
- Monitor progress via journalctl:

  ```sh
  journalctl -u secure-ai-quarantine.service -f
  ```

- Check the result. On success you will see:

  ```
  PROMOTED: model-name (model.gguf) sha256=abc123...
  ```

  On failure you will see the rejection reason:

  ```
  REJECTED: model.gguf — stage=static_scan reason="modelscan flagged suspicious patterns"
  ```

- Verify the model is in the registry:

  ```sh
  securectl list
  ```

  Example output:

  ```
  NAME             FORMAT  SIZE    SHA256        PROMOTED
  mistral-7b-q4km  gguf    4.4 GB  a1b2c3d4e5f6  2026-03-08T14:30:00Z
  ```

- Verify the model's integrity:

  ```sh
  securectl verify mistral-7b-q4km
  ```

  Expected output:

  ```
  VERIFIED: mistral-7b-q4km (sha256=a1b2c3d4e5f6...)
  ```
The securectl tool provides direct registry management:

```sh
# List all models in the registry
securectl list

# Show full details for a model
securectl info mistral-7b-q4km

# Verify a model's hash against the manifest
securectl verify mistral-7b-q4km

# Get the filesystem path
securectl path mistral-7b-q4km

# Check registry health
securectl status
```

Note: securectl talks to the Registry API at http://127.0.0.1:8470. You can override this with the REGISTRY_URL environment variable.
When a file lands in quarantine/incoming/, the pipeline executes these
stages in order. If any stage fails, the model is rejected and moved to
quarantine/rejected/ with a report.
| Stage | Name | What It Does |
|---|---|---|
| 1 | Source Policy | Checks the model's origin against sources.allowlist.yaml |
| 2 | Format Gate | Validates file headers; rejects pickle, pt, bin formats |
| 3 | Integrity Check | Verifies SHA-256 hash against pinned values (if known) |
| 4 | Provenance Check | Validates cosign/signature from the source |
| 5 | Static Scan | Runs modelscan + entropy analysis + gguf-guard |
| 6 | Behavioral Test | Adversarial prompt suite (LLM models only) |
| 7 | Diffusion Deep Scan | Config integrity check (diffusion models only) |
On success, the pipeline:
- Copies the file to the registry directory.
- Generates a gguf-guard per-tensor manifest (if enabled).
- Generates a structural fingerprint (if enabled).
- Calls POST /v1/model/promote on the Registry to register the artifact.
- The model is now available for inference.
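As an added example (not the appliance's own code), the following re-implements the Format Gate and Integrity Check stages in Python against constructed sample headers, so you can see what a file must satisfy before it reaches the later stages. The stage names and the shape of the PROMOTED/REJECTED lines follow the pipeline described above; the magic-byte checks, the function names and the sample data are assumptions of this example.

```python
# Added example: minimal re-implementation of pipeline stages 2 and 3.
# Not the appliance's own code; the magic values are the public GGUF,
# zip and pickle markers, and the sample inputs are constructed inline.
import hashlib
import struct

GGUF_MAGIC = b"GGUF"        # every GGUF file starts with this ASCII magic
ZIP_MAGIC = b"PK\x03\x04"   # PyTorch .pt/.bin checkpoints are zip containers
PICKLE_PROTO = b"\x80"      # a raw pickle stream begins with the PROTO opcode
GGUF_HEADER = "<IQQ"        # version (u32), tensor count (u64), kv count (u64)


def format_gate(data: bytes) -> tuple[bool, str]:
    """Stage 2: accept only a well-formed GGUF v2/v3 header; reject the rest."""
    if data.startswith(ZIP_MAGIC):
        return False, "zip container (pt/bin checkpoint)"
    if data.startswith(PICKLE_PROTO):
        return False, "pickle stream"
    if len(data) < 4 + struct.calcsize(GGUF_HEADER) or data[:4] != GGUF_MAGIC:
        return False, "missing or truncated GGUF header"
    version, n_tensors, n_kv = struct.unpack_from(GGUF_HEADER, data, 4)
    if version not in (2, 3):
        return False, f"unsupported GGUF version {version}"
    return True, f"gguf v{version}: {n_tensors} tensors, {n_kv} kv pairs"


def integrity_check(data: bytes, name: str, pins: dict[str, str]) -> tuple[bool, str]:
    """Stage 3: compare SHA-256 with the pinned value when one is known."""
    digest = hashlib.sha256(data).hexdigest()
    if name not in pins:
        return True, f"no pin for {name}; observed sha256={digest[:12]}..."
    if pins[name] != digest:
        return False, f"sha256 mismatch: expected {pins[name][:12]}..., got {digest[:12]}..."
    return True, "sha256 matches pinned value"


def gate(data: bytes, name: str, pins: dict[str, str]) -> str:
    """Run stages 2 then 3 and stop at the first failure, as the pipeline does."""
    ok, reason = format_gate(data)
    if not ok:
        return f'REJECTED: {name} stage=format_gate reason="{reason}"'
    ok, reason = integrity_check(data, name, pins)
    if not ok:
        return f'REJECTED: {name} stage=integrity_check reason="{reason}"'
    return f"PROMOTED: {name} sha256={hashlib.sha256(data).hexdigest()[:12]}..."


# Constructed samples: a GGUF v3 header (2 tensors, 1 kv pair), a v1 header,
# a zip-style checkpoint and a bare pickle stream, plus a pin for the good file.
GOOD_GGUF = GGUF_MAGIC + struct.pack(GGUF_HEADER, 3, 2, 1)
OLD_GGUF = GGUF_MAGIC + struct.pack(GGUF_HEADER, 1, 2, 1)
PT_CHECKPOINT = ZIP_MAGIC + b"\x00" * 26
PICKLE_BLOB = b"\x80\x04\x95\x00"
PINS = {"model.gguf": hashlib.sha256(GOOD_GGUF).hexdigest()}
```

A real Format Gate should also walk the tensor and kv tables and bound their counts; the header check alone only proves the file claims to be GGUF.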