From 2c1c3d5ae1f0b573939582b0c3ac413394c4e024 Mon Sep 17 00:00:00 2001 From: Delicious233 Date: Fri, 15 May 2026 23:16:38 +0800 Subject: [PATCH] docs: sync diffence zenodo snapshot --- AGENTS.md | 2 +- ROADMAP.md | 40 ++++++++++--------- docs/evidence/README.md | 2 +- ...assifier-defense-artifact-gate-20260515.md | 39 +++++++++++------- docs/evidence/workspace-evidence-index.md | 13 ++++-- workspaces/implementation/challenger-queue.md | 2 +- workspaces/intake/README.md | 14 ++++--- 7 files changed, 67 insertions(+), 45 deletions(-) diff --git a/AGENTS.md b/AGENTS.md index 54366c2..2605115 100644 --- a/AGENTS.md +++ b/AGENTS.md 
@@ -28,7 +28,7 @@ Do not start from memory or old chat context. Re-anchor on repository files. ## Current Operating State -- Active work: `GitHub lightweight diffusion MIA triage completed after DEB, CPSample, DSiRe / LoRA-WiSE, hyperparameter-free SecMI, DME, FreMIA, and CopyMark gates. Status: latest verdict note, workspace-evidence index, Research ROADMAP, AGENTS, intake/implementation workspace notes, and root ROADMAP are synchronized to the GitHub lightweight triage gate. The triage checked acha1934, KarinMalka1, abramwit, and josephho9 direct diffusion-MIA search hits and found lightweight/course-style reproductions only: no public target checkpoint hashes, immutable target-bound member/nonmember manifests, row-bound response packets, score rows, ROC arrays, metric JSON, trained attack weights, or verifier. DEB remains a paper-source-only grey-box medical diffusion mechanism watch. CPSample remains defense watch-plus only, and DSiRe / LoRA-WiSE remains a future weight-only dataset-size recovery lane candidate, not per-sample MIA. No MedMNIST/CIFAR/TinyImageNet/CelebA/LSUN/Stable Diffusion/LoRA-WiSE/model/checkpoint/generated-image/notebook/Google Drive payload download, script execution, DEB implementation-from-paper, CPU sidecar, GPU work, Platform/Runtime row, schema change, or product copy is released. active_gpu_question = none; next_gpu_candidate = none; CPU sidecar = none selected after GitHub lightweight diffusion MIA triage.` +- Active work: `DIFFENCE Zenodo snapshot sync completed after GitHub lightweight diffusion MIA triage, DEB, CPSample, DSiRe / LoRA-WiSE, hyperparameter-free SecMI, DME, FreMIA, and CopyMark gates. Status: latest verdict note, workspace-evidence index, Research ROADMAP, AGENTS, intake/implementation workspace notes, and root ROADMAP are synchronized to the DIFFENCE Zenodo snapshot sync. 
Zenodo 10.5281/zenodo.13706131 publishes an immutable Diffence-master.zip code snapshot with matching MD5, 604 entries, code/config/split-index files, but still no classifier/diffusion checkpoints, defended/undefended logits, score rows, ROC arrays, metric JSON, or verifier. GitHub lightweight triage remains false-positive evidence only, and DEB remains paper-source-only grey-box mechanism watch. No MedMNIST/CIFAR/TinyImageNet/CelebA/LSUN/SVHN/Stable Diffusion/LoRA-WiSE/model/checkpoint/generated-image/notebook/Google Drive payload download, script execution, DEB implementation-from-paper, CPU sidecar, GPU work, Platform/Runtime row, schema change, or product copy is released. active_gpu_question = none; next_gpu_candidate = none; CPU sidecar = none selected after DIFFENCE Zenodo snapshot sync.` - Next GPU candidate: none selected - Long-horizon control: follow `ROADMAP.md` section `Long-Horizon Research Task Board(2026-05-13 起)` before reopening any diff --git a/ROADMAP.md b/ROADMAP.md index b08a353..68c5301 100644 --- a/ROADMAP.md +++ b/ROADMAP.md 
@@ -578,28 +578,32 @@ none selected after DualMD / DistillMD defense artifact gate`. See ## 2026-05-15 DIFFENCE Classifier-Defense Artifact Gate -Lane A/B defense intake checked the official `SPIN-UMass/Diffence` repo for +Lane A/B defense intake checked the official `SPIN-UMass/Diffence` repo and +the immutable Zenodo `10.5281/zenodo.13706131` code snapshot for `DIFFENCE: Fencing Membership Privacy With Diffusion Models` because it could look like a diffusion-model defense execution lane. The checked commit `2f7bb87dee863538f902098c84d0fe04ddfdcc3f` exposes code, configs, and small split-index files, including CIFAR `25,000 / 25,000` `mia_train_idxs` / -`mia_eval_idxs` arrays. The protected target, however, is an image classifier; -diffusion is an input-side purification/pre-inference defense component. The -repo points to Google Drive classifier and diffusion checkpoints and generates -results locally, but it does not commit target checkpoints, defended/undefended -logits, reusable member/nonmember score rows, ROC arrays, metric JSON, or a -ready verifier. - -Decision: `classifier-defense-code-public / split-index-files-present / -diffusion-as-preprocessor-not-target / score-artifacts-missing / no download / -no GPU release / no admitted row`. Retain DIFFENCE as classifier-defense -related-method watch-plus only. Do not download its Google Drive checkpoint -folders or CIFAR/SVHN datasets, train classifiers or diffusion models, generate -DIFFENCE reconstructions, run its MIA scripts, or promote classifier-defense -rows without checkpoint-bound score artifacts and an explicit consumer-boundary -decision. Current slots remain `active_gpu_question = none`, -`next_gpu_candidate = none`, and `CPU sidecar = none selected after DIFFENCE -classifier-defense artifact gate`. See +`mia_eval_idxs` arrays. 
The Zenodo file `Diffence-master.zip` is a `2,133,861` +byte open code snapshot with MD5 `3535eb087cba81de655767510d4c2506`; central +directory inspection found `604` entries and no checkpoint-bound result packet. +The protected target, however, is an image classifier; diffusion is an +input-side purification/pre-inference defense component. The repo and snapshot +point to Google Drive classifier and diffusion checkpoints and generate results +locally, but they do not commit target checkpoints, defended/undefended logits, +reusable member/nonmember score rows, ROC arrays, metric JSON, or a ready +verifier. + +Decision: `classifier-defense-code-public / immutable Zenodo snapshot checked / +split-index-files-present / diffusion-as-preprocessor-not-target / +score-artifacts-missing / no model-data download / no GPU release / no admitted +row`. Retain DIFFENCE as classifier-defense related-method watch-plus only. Do +not download its Google Drive checkpoint folders or CIFAR/SVHN datasets, train +classifiers or diffusion models, generate DIFFENCE reconstructions, run its MIA +scripts, or promote classifier-defense rows without checkpoint-bound score +artifacts and an explicit consumer-boundary decision. Current slots remain +`active_gpu_question = none`, `next_gpu_candidate = none`, and +`CPU sidecar = none selected after DIFFENCE Zenodo snapshot sync`. See [docs/evidence/diffence-classifier-defense-artifact-gate-20260515.md](docs/evidence/diffence-classifier-defense-artifact-gate-20260515.md). ## 2026-05-15 MIAHOLD Higher-Order Langevin Artifact Gate diff --git a/docs/evidence/README.md b/docs/evidence/README.md index 01f30d5..ec343c2 100644 --- a/docs/evidence/README.md +++ b/docs/evidence/README.md 
@@ -34,7 +34,7 @@ This directory contains the public evidence overview. | [tmia-dm-temporal-artifact-gate-20260515.md](tmia-dm-temporal-artifact-gate-20260515.md) | Fresh public-surface recheck for the known TMIA-DM temporal-noise / noise-gradient mechanism; CRAD paper/PDF only, no official code, checkpoint-bound scores, immutable splits, ROC/metric artifacts, or verifier output. | | [quantile-diffusion-mia-secmia-terror-replay-20260515.md](quantile-diffusion-mia-secmia-terror-replay-20260515.md) | Third-party SecMI-style `t_error` score-packet replay from `neilkale/quantile-diffusion-mia`; support-only, not official Quantile Regression output or an admitted row. | | [dualmd-distillmd-defense-artifact-gate-20260515.md](dualmd-distillmd-defense-artifact-gate-20260515.md) | OpenReview DDMD supplement-code gate; code and DDPM split-index files are public, but checkpoint-bound score/ROC/metric artifacts are missing, so no download, GPU release, or admitted row. | -| [diffence-classifier-defense-artifact-gate-20260515.md](diffence-classifier-defense-artifact-gate-20260515.md) | Official DIFFENCE classifier-defense code gate; split-index files are public, but diffusion is a pre-inference defense component and checkpoint-bound score artifacts are missing, so no download, GPU release, or admitted row. | +| [diffence-classifier-defense-artifact-gate-20260515.md](diffence-classifier-defense-artifact-gate-20260515.md) | Official DIFFENCE classifier-defense code gate; GitHub and immutable Zenodo snapshot expose code/configs/split-index files, but diffusion is a pre-inference defense component and checkpoint-bound score artifacts are missing, so no model-data download, GPU release, or admitted row. 
| | [miahold-higher-order-langevin-artifact-gate-20260515.md](miahold-higher-order-langevin-artifact-gate-20260515.md) | Official MIAHOLD/HOLD++ defense-code gate; split and attack code are public, but checkpoint-bound score artifacts are missing, so no download, GPU release, or admitted row. | | [shake-to-leak-code-artifact-gate-20260515.md](shake-to-leak-code-artifact-gate-20260515.md) | Official Shake-to-Leak code gate; fine-tuning-amplified generative privacy code is public, but target checkpoints, immutable member/nonmember manifests, generated private sets, score/ROC/metric artifacts, and ready verifier output are missing, so no download, GPU release, or admitted row. | | [fseclab-mia-diffusion-code-artifact-gate-20260515.md](fseclab-mia-diffusion-code-artifact-gate-20260515.md) | Official FSECLab DDIM/DCGAN diffusion-MIA code gate; attack/evaluation code and FID stats are public, but checkpoint-bound score/ROC/metric artifacts and immutable split manifests are missing, so no download, GPU release, or admitted row. | diff --git a/docs/evidence/diffence-classifier-defense-artifact-gate-20260515.md b/docs/evidence/diffence-classifier-defense-artifact-gate-20260515.md index 31c0ea0..253b43e 100644 --- a/docs/evidence/diffence-classifier-defense-artifact-gate-20260515.md +++ b/docs/evidence/diffence-classifier-defense-artifact-gate-20260515.md @@ -1,7 +1,7 @@ # DIFFENCE Classifier-Defense Artifact Gate > Date: 2026-05-15 -> Status: classifier-defense-code-public / split-index-files-present / diffusion-as-preprocessor-not-target / score-artifacts-missing / no download / no GPU release / no admitted row +> Status: classifier-defense-code-public / immutable Zenodo snapshot checked / split-index-files-present / diffusion-as-preprocessor-not-target / score-artifacts-missing / no model-data download / no GPU release / no admitted row ## Question 
@@ -10,10 +10,10 @@ Membership Privacy With Diffusion Models` become the next bounded DiffAudit defense row, diffusion-model MIA replay, or GPU execution target? This was an artifact gate only. It inspected GitHub metadata, a shallow Git -tree, README instructions, split/index files, config files, and MIA evaluation -code. No Google Drive model folder, dataset payload, diffusion checkpoint, -classifier checkpoint, generated reconstruction packet, or score output was -downloaded or executed. +tree, README instructions, split/index files, config files, MIA evaluation code, +and the small immutable Zenodo code snapshot. No Google Drive model folder, +dataset payload, diffusion checkpoint, classifier checkpoint, generated +reconstruction packet, or score output was downloaded or executed. ## Candidate 
@@ -26,12 +26,19 @@ downloaded or executed. | Latest push observed | `2024-09-06T03:05:08Z` | | License | MIT | | GitHub releases | none observed | +| Zenodo record | `https://zenodo.org/records/13706131` | +| Zenodo DOI | `10.5281/zenodo.13706131` | +| Zenodo file | `Diffence-master.zip`, `2,133,861` bytes, `md5:3535eb087cba81de655767510d4c2506` | +| Zenodo archive inspection | Downloaded only the small code snapshot into `%TEMP%` for central-directory inspection; MD5 matched Zenodo metadata. | ## Public Evidence Checked | Source | Finding | | --- | --- | | `README.md` | Identifies the repo as the code for the NDSS 2025 paper and describes DIFFENCE as a plug-and-play defense for undefended and defended models. The workflow asks users to partition datasets, download pretrained diffusion checkpoints from Google Drive, download target classifier models from Google Drive, and then run MIA evaluation scripts. | +| Zenodo metadata | Publishes an open CC-BY-4.0 `Diffence-master.zip` code snapshot from `2024-09-06` with checksum `md5:3535eb087cba81de655767510d4c2506`. | +| Zenodo archive central directory | The ZIP contains `604` entries totaling `6,061,721` uncompressed bytes. It includes code, configs, bytecode caches, `cifar_shuffle.pkl`, `svhn_shuffle.pkl`, and small `diff_ckpt/*.npz` split/index files. It does not include classifier checkpoints, diffusion checkpoints, generated logits, score rows, ROC arrays, metric JSON, or result logs. | +| Zenodo archive README / evaluation code | Matches the GitHub execution boundary: users must still download Google Drive diffusion checkpoints and classifier checkpoints, then run local scripts that write results under `evaluate_MIAs/results`. | | `download_models.py` | Defines Google Drive folders for `cifar10`, `cifar100`, and `svhn` diffusion and target model downloads via `gdown.download_folder`. No model files, hashes, or score packets are committed. 
| | Dataset folders | `cifar10/`, `cifar100/`, and `svhn/` provide training, defense, and evaluation code for image classifiers, not a diffusion-model target membership contract. | | `cifar10/cifar_shuffle.pkl`, `cifar100/cifar_shuffle.pkl`, `svhn/svhn_shuffle.pkl` | Commit deterministic shuffle arrays for dataset partitioning (`50,000` CIFAR entries and `73,257` SVHN entries). These are useful split-index evidence, but they are not bound to committed classifier checkpoints or score artifacts. | @@ -40,7 +47,7 @@ downloaded or executed. | `evaluate_MIAs/evaluate_mia.sh` | Generates model outputs with and without DIFFENCE, then redirects `dist_attack.py` output into `evaluate_MIAs/results/` and `_w_Diffence`. No such result files are committed. | | `evaluate_MIAs/dist_attack.py` | Computes ROC/AUC and low-FPR/TNR fields from locally generated logits and prints results. It expects generated `.npz` output files and does not ship reusable committed score arrays, ROC CSVs, or metric JSON. | | `evaluate_MIAs/dist_data.py` | Loads a target classifier checkpoint from `final-all-models/.../*.pth.tar`, constructs member/nonmember tensors from local dataset partitions, and wraps the classifier with DIFFENCE when `--diff` is used. | -| Recursive tree | The repo contains code, configs, small split index files, and Python bytecode caches. It does not commit target classifier checkpoints, diffusion model checkpoints, generated defended/undefended logits, MIA score rows, ROC arrays, metric JSON, or ready verifier outputs. | +| Recursive tree / Zenodo snapshot | The public surfaces contain code, configs, small split index files, and Python bytecode caches. They do not commit target classifier checkpoints, diffusion model checkpoints, generated defended/undefended logits, MIA score rows, ROC arrays, metric JSON, or ready verifier outputs. | ## Gate Result 
@@ -57,16 +64,18 @@ downloaded or executed. ## Decision -`classifier-defense-code-public / split-index-files-present / -diffusion-as-preprocessor-not-target / score-artifacts-missing / no download / -no GPU release / no admitted row`. +`classifier-defense-code-public / immutable Zenodo snapshot checked / +split-index-files-present / diffusion-as-preprocessor-not-target / +score-artifacts-missing / no model-data download / no GPU release / no admitted +row`. DIFFENCE should be retained as a classifier-defense related-method watch-plus -item. It is stronger than paper-source-only because the official repo exposes -code, configs, and small split-index files. It does not become a DiffAudit -execution target because the protected model is a classifier, the diffusion -model is an input-side defense component, and the public release does not ship -checkpoint-bound defended/undefended MIA score artifacts. +item. It is stronger than paper-source-only because the official repo and +immutable Zenodo snapshot expose code, configs, and small split-index files. It +does not become a DiffAudit execution target because the protected model is a +classifier, the diffusion model is an input-side defense component, and the +public release does not ship checkpoint-bound defended/undefended MIA score +artifacts. Smallest valid reopen condition: @@ -96,7 +105,7 @@ defense transformation before classifier inference. That makes it useful for defense literature context, not a clean second diffusion-model membership asset or admitted defense row. Current slots remain `active_gpu_question = none`, `next_gpu_candidate = none`, and `CPU sidecar = none selected after DIFFENCE -classifier-defense artifact gate`. +Zenodo snapshot sync`. ## Platform and Runtime Impact diff --git a/docs/evidence/workspace-evidence-index.md b/docs/evidence/workspace-evidence-index.md index e8a3b10..450481e 100644 --- a/docs/evidence/workspace-evidence-index.md +++ b/docs/evidence/workspace-evidence-index.md 
@@ -5,20 +5,27 @@ This index separates current track state from archived research history. ## Current Track State Latest Research update: +[diffence-classifier-defense-artifact-gate-20260515.md](diffence-classifier-defense-artifact-gate-20260515.md) +now includes the immutable Zenodo `10.5281/zenodo.13706131` code snapshot: +`604` entries with code/config/split-index files, but still no +checkpoint-bound logits, scores, ROC arrays, metric JSON, verifier, download, +GPU release, or admitted row. + +Previous Research update: [github-lightweight-diffusion-mia-triage-20260515.md](github-lightweight-diffusion-mia-triage-20260515.md) -records the latest Lane A external search triage. Four direct GitHub +records a Lane A external search triage. Four direct GitHub diffusion-MIA hits were lightweight/course-style false positives with no target/split/response/score/ROC/metric/verifier artifacts, download, GPU release, or admitted row. -Previous Research update: +Earlier Research update: [deb-medical-diffusion-artifact-gate-20260515.md](deb-medical-diffusion-artifact-gate-20260515.md) records a Lane B mechanism gate. DEB is a paper-source-only medical diffusion grey-box discrete-codebook / intermediate-trajectory MIA watch; no public code, target/split/score/ROC/metric artifacts, verifier, download, GPU release, or admitted row is selected. -Earlier Research update: +Prior Research update: [daily-research-review-20260515.md](daily-research-review-20260515.md) records the required progress review after the DSiRe / LoRA-WiSE and CPSample gates. The review confirms the latest verdict note exists, current slots are diff --git a/workspaces/implementation/challenger-queue.md b/workspaces/implementation/challenger-queue.md index 90d76be..1f1df15 100644 --- a/workspaces/implementation/challenger-queue.md +++ b/workspaces/implementation/challenger-queue.md 
@@ -36,7 +36,7 @@ timeline. Historical run IDs and dated notes are in `legacy/`. | CopyMark official score artifacts | black-box / Lane A | official score-artifact support-only | official `caradryanl/CopyMark` repo exposes member/nonmember image logs, aggregate ROC/threshold JSONs, selected PIA/PFAMI/SecMI score tensors, GSA feature/XGBoost files, and LAION-RiDAR/mixing results; sampled official artifacts include SD1.5 PIA test `AUROC = 0.766974`, LDM PFAMI test `AUROC = 0.915734`, and LAION-RiDAR test `AUROC = 0.872135` | no checkpoint hashes, compact row-ID-bound score manifest, small immutable data/checkpoint packet, or ready verifier output; sdxl/CommonCanvas artifacts remain weak or threshold-transfer inconsistent | keep as Research-side support evidence; do not download HF `datasets.zip`, images, model folders, full repo, run CopyMark scripts, release GPU, or promote Platform/Runtime rows | | Quantile Diffusion MIA SecMI `t_error` replay | gray-box / Lane A-B | candidate-support-only | third-party public CIFAR10/CIFAR100 SecMI-style score rows and split manifests replay from committed files with positive AUC | not official Quantile Regression paper output; same-family SecMI support only; no admitted-row consumer contract | keep as support evidence only; do not clone full repo, download DDPM/CIFAR/SharePoint assets, train, fit quantile models, or release GPU | | DualMD / DistillMD disjoint-split defense | defense / Lane A-B | defense watch-plus | OpenReview DDMD supplement exposes DDPM/LDM defense code, DDPM split-index files, and FID stats | embedded GitHub origin is not public; no checkpoint-bound defended/undefended scores, ROC arrays, metric JSON, generated response packets, or ready verifier are released | keep as defense watch-plus only; do not download SharePoint Pokemon, Stable Diffusion, CIFAR/STL/Tiny-ImageNet assets, train, run attack scripts, or release GPU | -| DIFFENCE classifier defense | defense / Lane A-B | defense watch-plus | official repo 
exposes code, configs, and split-index files | protected target is an image classifier, diffusion is only a pre-inference defense component, and no checkpoint-bound defended/undefended logits, score rows, ROC arrays, metric JSON, or ready verifier are committed | keep as classifier-defense watch-plus only; do not download Google Drive checkpoints/datasets, train, run MIA scripts, or release GPU | +| DIFFENCE classifier defense | defense / Lane A-B | defense watch-plus | official repo plus Zenodo `10.5281/zenodo.13706131` snapshot expose code, configs, and split-index files | protected target is an image classifier, diffusion is only a pre-inference defense component, and no checkpoint-bound defended/undefended logits, score rows, ROC arrays, metric JSON, or ready verifier are committed | keep as classifier-defense watch-plus only; do not download Google Drive checkpoints/datasets, train, run MIA scripts, or release GPU | | MIAHOLD / HOLD++ higher-order Langevin defense | defense / Lane A-B | defense watch-plus | official MIAHOLD repos expose higher-order Langevin defense code, audio split filelists, a CIFAR HOLD config, and PIA-style attack code | no checkpoint-bound target artifact, reusable score rows, ROC arrays, metric JSON, generated responses, or ready verifier | keep as defense watch-plus only; do not download Google Drive checkpoints/datasets, scrape W&B, train HOLD++ models, or release GPU | | MT-MIA relational diffusion score packet | intake / Lane A | relational-tabular support-only | official `joshward96/MT-MIA` repo exposes multi-table member/nonmember/reference splits, pre-generated ClavaDDPM and RelDiff synthetic outputs, and `18` MT-MIA score/metric JSONL packets | outside current image/latent Platform/Runtime boundary; packets lack row-ID-bound score manifests and no relational-tabular consumer schema exists | keep as Research-only support evidence; do not download raw/synthetic data, full repo, or training assets, regenerate RelDiff, release GPU, 
or promote Platform/Runtime rows | | VAE2Diffusion latent-space inversion | gray-box / Lane A | code-public latent-space MIA watch-plus | official `mx-ethan-rao/VAE2Diffusion` repo exposes decoder-geometry / latent-dimension filtering code and LDM/SD scripts; arXiv source claims public splits/checkpoints | README split/checkpoint link is empty; no GitHub releases; recursive tree has no split/checkpoint/score/ROC/metric/response/verifier artifacts; scripts require author-local paths and from-scratch training/fine-tuning/cache generation | keep as latent-space mechanism watch; do not download datasets/models/checkpoints/caches, train/fine-tune, run SimA/PFAMI/PIA variants, release GPU, or promote Platform/Runtime rows | diff --git a/workspaces/intake/README.md b/workspaces/intake/README.md index e6d0132..206c638 100644 --- a/workspaces/intake/README.md +++ b/workspaces/intake/README.md 
@@ -91,11 +91,12 @@ Stable Diffusion weights, CIFAR/STL/Tiny-ImageNet datasets, training, attack-script run, GPU work, or admitted defense row is released. - DIFFENCE / `SPIN-UMass/Diffence` is classifier-defense watch-plus only. The - public repo exposes code, configs, and small split-index files, but the - protected target is an image classifier and diffusion is an input-side - purification/pre-inference defense component. The repo requires Google Drive - classifier/diffusion checkpoints and local result generation, and it commits - no defended/undefended logits, score rows, ROC arrays, metric JSON, or ready + public repo and Zenodo `10.5281/zenodo.13706131` snapshot expose code, + configs, and small split-index files, but the protected target is an image + classifier and diffusion is an input-side purification/pre-inference defense + component. The release still requires Google Drive classifier/diffusion + checkpoints and local result generation, and it commits no + defended/undefended logits, score rows, ROC arrays, metric JSON, or ready verifier. No dataset/model download, classifier training, diffusion training, MIA script run, or GPU work is released. - StablePrivateLoRA / `WilliamLUO0/StablePrivateLoRA` is a defense watch-plus @@ -347,7 +348,8 @@ Current StablePrivateLoRA follow-up: Current DIFFENCE follow-up: - Keep it as classifier-defense related-method watch-plus, not a DiffAudit - diffusion-generator membership row. + diffusion-generator membership row. The immutable Zenodo code snapshot is + useful provenance, not a result packet. - Reopen only if public checkpoint-bound defended/undefended logits, score rows, ROC arrays, metric JSON, or a bounded verifier appear, and a consumer-boundary decision explicitly admits classifier-defense evidence.
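Review bot: In `ROADMAP.md` (hunk at `-578,28`), the added sentence about `Diffence-master.zip` follows the checked commit `2f7bb87dee863538f902098c84d0fe04ddfdcc3f` but never says whether the Zenodo archive was compared against that commit. As written, a reader can assume the two are the same tree. State either that the archive contents were matched to that commit or that the relationship was not verified, so the "immutable snapshot" provenance claim is no stronger than the check behind it.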
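Review bot: In `docs/evidence/diffence-classifier-defense-artifact-gate-20260515.md` (hunk at `-26,12`), the Candidate table says the ZIP was downloaded "for central-directory inspection", yet the added "Zenodo archive README / evaluation code" row reports that the archive's README and scripts match the GitHub execution boundary, which requires reading member contents, not just the directory listing. Say how those members were read, and that `cifar_shuffle.pkl`, `svhn_shuffle.pkl` and the bytecode caches were not loaded or executed, or reword the row to what the listing alone supports. Separately, the only integrity value recorded is the publisher's MD5; adding a locally computed SHA-256 of the downloaded file would give a collision-resistant pin for later rechecks.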
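Review bot: In `docs/evidence/workspace-evidence-index.md` (hunk at `-5,20`), the new "Latest Research update" paragraph still lists "download" among the things that did not happen, while the evidence note in this same patch records that `Diffence-master.zip` was downloaded into `%TEMP%` and changes the decision string from "no download" to "no model-data download". Use the "no model-data download" wording here as well so the index does not contradict the note it links to. The relabelled chain "Latest / Previous / Earlier / Prior" also leaves the order of the last two entries unclear; dated labels would remove the ambiguity.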