litmus is now Atomdrift Scan, and it ships v2.0.0 — the first release we'd call generally available rather than beta. Same idea as always: point ascan at a file, directory, or running process, and get a hostile / suspicious / benign verdict with the capabilities that drove it. What changed is everything underneath.
Pure-Rust inference. The XGBoost and LightGBM loaders are gone. Scan now runs ONNX-only against the new azoth model — one inference path, no native ML runtime to fight with. It sits on the rebuilt analysis engine: cleave 2.0 and filefacts feed it richer package, PE/CLR, archive, and string signals than 1.x ever saw.
Severity is now a false-positive budget. The old 1–9 scale is gone. You set how many false positives per 100M benign files you'll tolerate, and that's the gate. ascan -l 0 for a zero-FP scan of /sbin, -l 5000 to be paranoid about CI; the default is L50. "Suspicious" is no longer a hand-waved tier — it's the bounded middle ground between the hostile budget and the calibrated grid.
A local-LLM second opinion. New --interpret mode ships tricky samples to a local LLM for a verdict plus a one-line reason, then blends that with the ML score. It points at an OpenAI-compatible endpoint (vLLM with Qwen 3.6-27B is our recommendation) and fails silently if the model is unreachable — no endpoint, no problem. There's also --format=tiny output built to fit in an LLM context window, and cleaner v7 JSON.
Signed model bundles, no more git. Model and trait updates now arrive as signed, compressed .tar.zst bundles with SHA-256 verification, staged validation, and atomic install. The old git-based updater and its rollback paths are gone. A daily, zero-telemetry update check keeps you current.
Steadier under load. Memory-aware admission runs large archives one at a time instead of letting them co-reside and exhaust RAM. Smallest-job-first ordering stops quick scans from waiting behind slow archives. Larger shared thread stacks fix the stack-overflow crashes that deep concurrent archives used to trigger. And when something does go wrong, there's far more to look at: crash-time in-flight dumps, a worker census, thread dumps, and tracing breadcrumbs.
The model is out of beta — but reading the contributing capabilities still beats trusting the verdict alone.
brew tap atomdrift/tap https://codeberg.org/atomdrift/homebrew-tap.git
brew install atomdrift-scan