manta embed

Embed a payload into a model file. Supports safetensors and GGUF formats (auto-detected by extension or magic bytes). For GGUF, only GGML_TYPE_F32 tensors are usable carriers; quantized-only models will have zero usable capacity. Supports optional encryption (AES-256-GCM) and error correction (Reed-Solomon).
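Before embedding, it can help to estimate how many payload bytes the F32 tensors in a safetensors file can carry at a given LSB depth. The sketch below parses only the safetensors header and assumes capacity is `lsb_depth` bits per F32 element; `manta` may select carriers differently, so treat the result as an upper bound, not a guarantee.

```python
import json
import struct

def estimate_capacity(path: str, lsb_depth: int = 3) -> int:
    """Rough payload capacity (in bytes) of a safetensors file.

    Assumption: every F32 tensor is a usable carrier contributing
    lsb_depth bits per element. The real carrier selection may differ.
    """
    with open(path, "rb") as f:
        # safetensors layout: 8-byte little-endian header size, then JSON header.
        header_len = struct.unpack("<Q", f.read(8))[0]
        header = json.loads(f.read(header_len))
    total_elems = 0
    for name, info in header.items():
        if name == "__metadata__":
            continue
        if info["dtype"] == "F32":
            n = 1
            for dim in info["shape"]:
                n *= dim
            total_elems += n
    return total_elems * lsb_depth // 8
```

For a quantized-only GGUF model the analogous count would be zero, matching the "zero usable capacity" note above.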

Usage

manta embed -m <MODEL> -o <OUTPUT> -p <PAYLOAD> [-d <DEPTH>] [-k <KEY>] [-e <RATIO>] [--max-tensors <N>]

Options

Flag            Short   Default    Description
--model         -m      required   Input model file (safetensors or GGUF)
--output        -o      required   Output model file
--payload       -p      required   Payload file to embed
--lsb-depth     -d      3          LSB depth (1–10)
--key           -k      none       Encryption passphrase
--ecc-ratio     -e      none       ECC redundancy ratio (e.g., 0.5 = 50%)
--max-tensors           none       Limit number of carrier tensors
--config        -c      none       Per-tensor budget config JSON (from layer_sensitivity.py)

Pipeline

The payload is processed through these stages before embedding:

payload → [ECC encode] → [AES-256-GCM encrypt] → [MANT frame] → [LSB embed]

Both ECC and encryption are optional. If both are used, ECC is applied first (inner layer), then encryption (outer layer). This means extraction reverses: decrypt first, then ECC decode.
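The layering order can be illustrated with stand-in transforms. The snippet below is a toy model of the ordering only: a 3× repetition code stands in for Reed-Solomon and an XOR keystream stands in for AES-256-GCM (both stand-ins are assumptions for illustration, not manta's actual codecs).

```python
import hashlib

def ecc_encode(data: bytes) -> bytes:
    # Toy stand-in for Reed-Solomon: repeat every byte three times.
    return bytes(b for byte in data for b in (byte, byte, byte))

def ecc_decode(data: bytes) -> bytes:
    # Majority vote over each triple of repeated bytes.
    out = bytearray()
    for i in range(0, len(data), 3):
        a, b, c = data[i:i + 3]
        out.append(a if a == b or a == c else b)
    return bytes(out)

def xor_crypt(data: bytes, key: str) -> bytes:
    # Toy stand-in for AES-256-GCM: XOR with a SHA-256 counter keystream.
    # XOR is its own inverse, so the same call decrypts.
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(f"{key}:{counter}".encode()).digest()
        counter += 1
    return bytes(d ^ k for d, k in zip(data, stream))

payload = b"example payload"
# Embed side: ECC first (inner layer), then encryption (outer layer).
framed = xor_crypt(ecc_encode(payload), "operator-passphrase")
# Extract side reverses the layers: decrypt first, then ECC decode.
recovered = ecc_decode(xor_crypt(framed, "operator-passphrase"))
assert recovered == payload
```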

Extraction Key

The extraction key is printed to stdout as JSON:

{
  "tensor_names": [
    "model.layers.0.mlp.down_proj.weight",
    "model.layers.1.mlp.down_proj.weight"
  ],
  "lsb_depth": 3,
  "encrypted": true,
  "ecc_enabled": true,
  "ecc_ratio": 0.5
}

Save this — it's required for extraction. The passphrase is NOT included.
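A downstream script can load the saved key and sanity-check it before attempting extraction. The field names follow the JSON shown above; the validation rules themselves are an illustrative sketch, not part of manta.

```python
import json

def load_extraction_key(path: str) -> dict:
    """Load a saved manta extraction key and sanity-check its fields."""
    with open(path) as f:
        key = json.load(f)
    assert key["tensor_names"], "no carrier tensors recorded"
    assert 1 <= key["lsb_depth"] <= 10, "lsb_depth out of range"
    if key.get("ecc_enabled"):
        assert key["ecc_ratio"] > 0, "ecc_ratio missing or non-positive"
    if key.get("encrypted"):
        # The passphrase is never stored in the key; it must come from elsewhere.
        print("note: payload is encrypted; supply the passphrase separately")
    return key
```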

Embedding stats are printed to stderr.

Examples

Minimal (no encryption, no ECC)

manta embed -m model.safetensors -o out.safetensors -p payload.bin > key.json

Full pipeline

manta embed \
  -m model.safetensors \
  -o weaponized.safetensors \
  -p payload.bin \
  -d 3 \
  -k "operator-passphrase" \
  -e 0.5 \
  > extraction_key.json

Limit carrier tensors

manta embed -m model.safetensors -o out.safetensors -p small.bin --max-tensors 1 > key.json

Multi-Shard Safetensors Models

Many Hugging Face models (7B+) use sharded safetensors checkpoints — multiple files like model-00001-of-00003.safetensors plus an index file model.safetensors.index.json. Manta operates on single safetensors files and will reject the index file with an error.

Merge-before-embed workflow

Use safetensors + torch to merge shards into a single file first:

from pathlib import Path

from safetensors.torch import load_file, save_file

model_dir = Path("path/to/model")

# Collect the shard files; model.safetensors.index.json does not match
# this glob, so the index is skipped automatically.
shards = sorted(model_dir.glob("model*.safetensors"))

# Merge every shard into one tensor dict (loads all tensors into RAM).
all_tensors = {}
for shard in shards:
    all_tensors.update(load_file(shard))

# Write the merged checkpoint; the "format" metadata keeps the file
# loadable by Hugging Face tooling.
save_file(all_tensors, "merged_model.safetensors", metadata={"format": "pt"})

Then embed into the merged file:

manta embed -m merged_model.safetensors -o weaponized.safetensors -p payload.bin > key.json

Memory requirement

Merging loads all shards into memory. Expect roughly 2× the model size in peak RAM: a 7B bf16 model is ~14 GB on disk, so plan for ~28 GB.

Per-shard embedding

Alternatively, embed into individual shard files one at a time. This avoids the merge step but requires managing separate extraction keys per shard.
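One way to organize per-shard embedding is to generate one embed command and one key file per shard. The helper below only builds the command lines; splitting the payload into per-shard chunks is left to the operator, and the chunk/key naming scheme is illustrative, not a manta convention.

```python
from pathlib import Path

def shard_commands(model_dir: str, payload_dir: str) -> list[str]:
    """Build one `manta embed` command per shard, each with its own key file.

    Assumption: the payload has been pre-split into one chunk per shard
    (payload_00001.bin, payload_00002.bin, ...).
    """
    cmds = []
    shards = sorted(Path(model_dir).glob("model-*.safetensors"))
    for i, shard in enumerate(shards, start=1):
        out = shard.with_suffix(".stego.safetensors")
        cmds.append(
            f"manta embed -m {shard} -o {out} "
            f"-p {payload_dir}/payload_{i:05d}.bin > key_{i:05d}.json"
        )
    return cmds
```

Each command redirects its own extraction key to a numbered file, so every shard's key can be tracked independently.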

See Also