Merged
2 changes: 1 addition & 1 deletion AGENTS.md
@@ -28,7 +28,7 @@ Do not start from memory or old chat context. Re-anchor on repository files.

## Current Operating State

- Active work: `GitHub lightweight diffusion MIA triage completed after DEB, CPSample, DSiRe / LoRA-WiSE, hyperparameter-free SecMI, DME, FreMIA, and CopyMark gates. Status: latest verdict note, workspace-evidence index, Research ROADMAP, AGENTS, intake/implementation workspace notes, and root ROADMAP are synchronized to the GitHub lightweight triage gate. The triage checked acha1934, KarinMalka1, abramwit, and josephho9 direct diffusion-MIA search hits and found lightweight/course-style reproductions only: no public target checkpoint hashes, immutable target-bound member/nonmember manifests, row-bound response packets, score rows, ROC arrays, metric JSON, trained attack weights, or verifier. DEB remains a paper-source-only grey-box medical diffusion mechanism watch. CPSample remains defense watch-plus only, and DSiRe / LoRA-WiSE remains a future weight-only dataset-size recovery lane candidate, not per-sample MIA. No MedMNIST/CIFAR/TinyImageNet/CelebA/LSUN/Stable Diffusion/LoRA-WiSE/model/checkpoint/generated-image/notebook/Google Drive payload download, script execution, DEB implementation-from-paper, CPU sidecar, GPU work, Platform/Runtime row, schema change, or product copy is released. active_gpu_question = none; next_gpu_candidate = none; CPU sidecar = none selected after GitHub lightweight diffusion MIA triage.`
- Active work: `DIFFENCE Zenodo snapshot sync completed after GitHub lightweight diffusion MIA triage, DEB, CPSample, DSiRe / LoRA-WiSE, hyperparameter-free SecMI, DME, FreMIA, and CopyMark gates. Status: latest verdict note, workspace-evidence index, Research ROADMAP, AGENTS, intake/implementation workspace notes, and root ROADMAP are synchronized to the DIFFENCE Zenodo snapshot sync. Zenodo 10.5281/zenodo.13706131 publishes an immutable Diffence-master.zip code snapshot with matching MD5, 604 entries, code/config/split-index files, but still no classifier/diffusion checkpoints, defended/undefended logits, score rows, ROC arrays, metric JSON, or verifier. GitHub lightweight triage remains false-positive evidence only, and DEB remains paper-source-only grey-box mechanism watch. No MedMNIST/CIFAR/TinyImageNet/CelebA/LSUN/SVHN/Stable Diffusion/LoRA-WiSE/model/checkpoint/generated-image/notebook/Google Drive payload download, script execution, DEB implementation-from-paper, CPU sidecar, GPU work, Platform/Runtime row, schema change, or product copy is released. active_gpu_question = none; next_gpu_candidate = none; CPU sidecar = none selected after DIFFENCE Zenodo snapshot sync.`
medium

The claim that intake/implementation workspace notes are synchronized is inaccurate. While the DIFFENCE entries within the tables of workspaces/intake/README.md and workspaces/implementation/challenger-queue.md have been updated, the top-level Current Status and Current State sections in those files (e.g., line 7 in workspaces/intake/README.md and line 12 in workspaces/implementation/challenger-queue.md) still refer to the previous GitHub lightweight diffusion MIA triage gate. These sections should be updated to reflect the DIFFENCE Zenodo snapshot sync as the latest active work to maintain consistency across the repository.

- Next GPU candidate: none selected
- Long-horizon control: follow `ROADMAP.md` section
`Long-Horizon Research Task Board(2026-05-13 起)` before reopening any
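Review bot: the new `Active work` bullet claims intake/implementation workspace notes are synchronized (the inline comment above already found stale Current Status sections there), and it never says that the Zenodo code zip itself was fetched and hashed locally, which is how "with matching MD5" was established, so the trailing "no ... download" list reads as if nothing at all was downloaded. Add "code zip only, inspected in a temp directory" next to the MD5 claim so the bullet agrees with the evidence note, and consider recording only the delta per sync (one or two sentences plus a link to the evidence note) instead of restating every prior gate inside one inline-code span of roughly a thousand characters, which is hard to diff and review.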
40 changes: 22 additions & 18 deletions ROADMAP.md
@@ -578,28 +578,32 @@ none selected after DualMD / DistillMD defense artifact gate`. See

## 2026-05-15 DIFFENCE Classifier-Defense Artifact Gate

Lane A/B defense intake checked the official `SPIN-UMass/Diffence` repo for
Lane A/B defense intake checked the official `SPIN-UMass/Diffence` repo and
the immutable Zenodo `10.5281/zenodo.13706131` code snapshot for
`DIFFENCE: Fencing Membership Privacy With Diffusion Models` because it could
look like a diffusion-model defense execution lane. The checked commit
`2f7bb87dee863538f902098c84d0fe04ddfdcc3f` exposes code, configs, and small
split-index files, including CIFAR `25,000 / 25,000` `mia_train_idxs` /
`mia_eval_idxs` arrays. The protected target, however, is an image classifier;
diffusion is an input-side purification/pre-inference defense component. The
repo points to Google Drive classifier and diffusion checkpoints and generates
results locally, but it does not commit target checkpoints, defended/undefended
logits, reusable member/nonmember score rows, ROC arrays, metric JSON, or a
ready verifier.

Decision: `classifier-defense-code-public / split-index-files-present /
diffusion-as-preprocessor-not-target / score-artifacts-missing / no download /
no GPU release / no admitted row`. Retain DIFFENCE as classifier-defense
related-method watch-plus only. Do not download its Google Drive checkpoint
folders or CIFAR/SVHN datasets, train classifiers or diffusion models, generate
DIFFENCE reconstructions, run its MIA scripts, or promote classifier-defense
rows without checkpoint-bound score artifacts and an explicit consumer-boundary
decision. Current slots remain `active_gpu_question = none`,
`next_gpu_candidate = none`, and `CPU sidecar = none selected after DIFFENCE
classifier-defense artifact gate`. See
`mia_eval_idxs` arrays. The Zenodo file `Diffence-master.zip` is a `2,133,861`
byte open code snapshot with MD5 `3535eb087cba81de655767510d4c2506`; central
directory inspection found `604` entries and no checkpoint-bound result packet.
The protected target, however, is an image classifier; diffusion is an
input-side purification/pre-inference defense component. The repo and snapshot
point to Google Drive classifier and diffusion checkpoints and generate results
locally, but they do not commit target checkpoints, defended/undefended logits,
reusable member/nonmember score rows, ROC arrays, metric JSON, or a ready
verifier.

Decision: `classifier-defense-code-public / immutable Zenodo snapshot checked /
split-index-files-present / diffusion-as-preprocessor-not-target /
score-artifacts-missing / no model-data download / no GPU release / no admitted
row`. Retain DIFFENCE as classifier-defense related-method watch-plus only. Do
not download its Google Drive checkpoint folders or CIFAR/SVHN datasets, train
classifiers or diffusion models, generate DIFFENCE reconstructions, run its MIA
scripts, or promote classifier-defense rows without checkpoint-bound score
artifacts and an explicit consumer-boundary decision. Current slots remain
`active_gpu_question = none`, `next_gpu_candidate = none`, and
`CPU sidecar = none selected after DIFFENCE Zenodo snapshot sync`. See
[docs/evidence/diffence-classifier-defense-artifact-gate-20260515.md](docs/evidence/diffence-classifier-defense-artifact-gate-20260515.md).

## 2026-05-15 MIAHOLD Higher-Order Langevin Artifact Gate
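Review bot: "central directory inspection found `604` entries and no checkpoint-bound result packet" overstates what a ZIP central directory can establish: it lists entry names and sizes without reading any content, so the absence claim should be scoped to names and sizes (for example "no entry whose name or size indicates a checkpoint or result packet"). In the same sentence, the MD5 is compared against the same Zenodo record's own metadata, which confirms an intact transfer rather than anything about the snapshot's origin; "MD5 matched Zenodo metadata" states exactly what was verified and avoids reading as an independent authenticity check.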
2 changes: 1 addition & 1 deletion docs/evidence/README.md
@@ -34,7 +34,7 @@ This directory contains the public evidence overview.
| [tmia-dm-temporal-artifact-gate-20260515.md](tmia-dm-temporal-artifact-gate-20260515.md) | Fresh public-surface recheck for the known TMIA-DM temporal-noise / noise-gradient mechanism; CRAD paper/PDF only, no official code, checkpoint-bound scores, immutable splits, ROC/metric artifacts, or verifier output. |
| [quantile-diffusion-mia-secmia-terror-replay-20260515.md](quantile-diffusion-mia-secmia-terror-replay-20260515.md) | Third-party SecMI-style `t_error` score-packet replay from `neilkale/quantile-diffusion-mia`; support-only, not official Quantile Regression output or an admitted row. |
| [dualmd-distillmd-defense-artifact-gate-20260515.md](dualmd-distillmd-defense-artifact-gate-20260515.md) | OpenReview DDMD supplement-code gate; code and DDPM split-index files are public, but checkpoint-bound score/ROC/metric artifacts are missing, so no download, GPU release, or admitted row. |
| [diffence-classifier-defense-artifact-gate-20260515.md](diffence-classifier-defense-artifact-gate-20260515.md) | Official DIFFENCE classifier-defense code gate; split-index files are public, but diffusion is a pre-inference defense component and checkpoint-bound score artifacts are missing, so no download, GPU release, or admitted row. |
| [diffence-classifier-defense-artifact-gate-20260515.md](diffence-classifier-defense-artifact-gate-20260515.md) | Official DIFFENCE classifier-defense code gate; GitHub and immutable Zenodo snapshot expose code/configs/split-index files, but diffusion is a pre-inference defense component and checkpoint-bound score artifacts are missing, so no model-data download, GPU release, or admitted row. |
| [miahold-higher-order-langevin-artifact-gate-20260515.md](miahold-higher-order-langevin-artifact-gate-20260515.md) | Official MIAHOLD/HOLD++ defense-code gate; split and attack code are public, but checkpoint-bound score artifacts are missing, so no download, GPU release, or admitted row. |
| [shake-to-leak-code-artifact-gate-20260515.md](shake-to-leak-code-artifact-gate-20260515.md) | Official Shake-to-Leak code gate; fine-tuning-amplified generative privacy code is public, but target checkpoints, immutable member/nonmember manifests, generated private sets, score/ROC/metric artifacts, and ready verifier output are missing, so no download, GPU release, or admitted row. |
| [fseclab-mia-diffusion-code-artifact-gate-20260515.md](fseclab-mia-diffusion-code-artifact-gate-20260515.md) | Official FSECLab DDIM/DCGAN diffusion-MIA code gate; attack/evaluation code and FID stats are public, but checkpoint-bound score/ROC/metric artifacts and immutable split manifests are missing, so no download, GPU release, or admitted row. |
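Review bot: the replaced row changes "no download" to "no model-data download" without saying what was downloaded, which breaks the parallelism with the neighbouring rows that all end in "no download, GPU release, or admitted row"; spell out the exception inline, for example "no download beyond the Zenodo code zip", so a reader scanning the table sees why this row is worded differently.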
@@ -1,7 +1,7 @@
# DIFFENCE Classifier-Defense Artifact Gate

> Date: 2026-05-15
> Status: classifier-defense-code-public / split-index-files-present / diffusion-as-preprocessor-not-target / score-artifacts-missing / no download / no GPU release / no admitted row
> Status: classifier-defense-code-public / immutable Zenodo snapshot checked / split-index-files-present / diffusion-as-preprocessor-not-target / score-artifacts-missing / no model-data download / no GPU release / no admitted row

## Question

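Review bot: the header now records two distinct checks (the original GitHub gate and the later Zenodo snapshot sync) under a single `Date: 2026-05-15` line, with the status string only appending `immutable Zenodo snapshot checked`; if the Zenodo pass happened separately from the original gate, add a `Revised:` line in the same `>` block so the evidence trail shows when the snapshot was examined.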
@@ -10,10 +10,10 @@ Membership Privacy With Diffusion Models` become the next bounded DiffAudit
defense row, diffusion-model MIA replay, or GPU execution target?

This was an artifact gate only. It inspected GitHub metadata, a shallow Git
tree, README instructions, split/index files, config files, and MIA evaluation
code. No Google Drive model folder, dataset payload, diffusion checkpoint,
classifier checkpoint, generated reconstruction packet, or score output was
downloaded or executed.
tree, README instructions, split/index files, config files, MIA evaluation code,
and the small immutable Zenodo code snapshot. No Google Drive model folder,
dataset payload, diffusion checkpoint, classifier checkpoint, generated
reconstruction packet, or score output was downloaded or executed.

## Candidate

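Review bot: the rewritten scope paragraph lists what was not downloaded but omits what was: the Candidate table in this same note says the Zenodo code zip was downloaded into a temp directory, so say so here explicitly ("The Zenodo code zip was downloaded only for central-directory inspection and was not executed") rather than leaving the reader to infer it from the exclusion list, and state whether it was extracted. "small" in "the small immutable Zenodo code snapshot" is subjective; the byte count is already recorded in the Candidate table, so quote it or drop the adjective.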
@@ -26,12 +26,19 @@ downloaded or executed.
| Latest push observed | `2024-09-06T03:05:08Z` |
| License | MIT |
| GitHub releases | none observed |
| Zenodo record | `https://zenodo.org/records/13706131` |
| Zenodo DOI | `10.5281/zenodo.13706131` |
| Zenodo file | `Diffence-master.zip`, `2,133,861` bytes, `md5:3535eb087cba81de655767510d4c2506` |
| Zenodo archive inspection | Downloaded only the small code snapshot into `%TEMP%` for central-directory inspection; MD5 matched Zenodo metadata. |

## Public Evidence Checked

| Source | Finding |
| --- | --- |
| `README.md` | Identifies the repo as the code for the NDSS 2025 paper and describes DIFFENCE as a plug-and-play defense for undefended and defended models. The workflow asks users to partition datasets, download pretrained diffusion checkpoints from Google Drive, download target classifier models from Google Drive, and then run MIA evaluation scripts. |
| Zenodo metadata | Publishes an open CC-BY-4.0 `Diffence-master.zip` code snapshot from `2024-09-06` with checksum `md5:3535eb087cba81de655767510d4c2506`. |
| Zenodo archive central directory | The ZIP contains `604` entries totaling `6,061,721` uncompressed bytes. It includes code, configs, bytecode caches, `cifar_shuffle.pkl`, `svhn_shuffle.pkl`, and small `diff_ckpt/*.npz` split/index files. It does not include classifier checkpoints, diffusion checkpoints, generated logits, score rows, ROC arrays, metric JSON, or result logs. |
| Zenodo archive README / evaluation code | Matches the GitHub execution boundary: users must still download Google Drive diffusion checkpoints and classifier checkpoints, then run local scripts that write results under `evaluate_MIAs/results`. |
| `download_models.py` | Defines Google Drive folders for `cifar10`, `cifar100`, and `svhn` diffusion and target model downloads via `gdown.download_folder`. No model files, hashes, or score packets are committed. |
| Dataset folders | `cifar10/`, `cifar100/`, and `svhn/` provide training, defense, and evaluation code for image classifiers, not a diffusion-model target membership contract. |
| `cifar10/cifar_shuffle.pkl`, `cifar100/cifar_shuffle.pkl`, `svhn/svhn_shuffle.pkl` | Commit deterministic shuffle arrays for dataset partitioning (`50,000` CIFAR entries and `73,257` SVHN entries). These are useful split-index evidence, but they are not bound to committed classifier checkpoints or score artifacts. |
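Review bot: the `Zenodo archive inspection` row says the zip was downloaded into `%TEMP%` but not whether any entry was extracted or whether the archive was deleted afterwards; record both, because a Windows temp directory is not a controlled evidence location and the central-directory row notes the archive carries committed bytecode caches, which are exactly the unreviewable artifacts this gate is meant to keep out of any execution path. The `Zenodo file` row lists only an MD5; if Zenodo's metadata is the only source of that value, say so in the row, since matching it proves the transfer was intact and nothing more.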
@@ -40,7 +47,7 @@ downloaded or executed.
| `evaluate_MIAs/evaluate_mia.sh` | Generates model outputs with and without DIFFENCE, then redirects `dist_attack.py` output into `evaluate_MIAs/results/<defense>` and `<defense>_w_Diffence`. No such result files are committed. |
| `evaluate_MIAs/dist_attack.py` | Computes ROC/AUC and low-FPR/TNR fields from locally generated logits and prints results. It expects generated `.npz` output files and does not ship reusable committed score arrays, ROC CSVs, or metric JSON. |
| `evaluate_MIAs/dist_data.py` | Loads a target classifier checkpoint from `final-all-models/.../*.pth.tar`, constructs member/nonmember tensors from local dataset partitions, and wraps the classifier with DIFFENCE when `--diff` is used. |
| Recursive tree | The repo contains code, configs, small split index files, and Python bytecode caches. It does not commit target classifier checkpoints, diffusion model checkpoints, generated defended/undefended logits, MIA score rows, ROC arrays, metric JSON, or ready verifier outputs. |
| Recursive tree / Zenodo snapshot | The public surfaces contain code, configs, small split index files, and Python bytecode caches. They do not commit target classifier checkpoints, diffusion model checkpoints, generated defended/undefended logits, MIA score rows, ROC arrays, metric JSON, or ready verifier outputs. |

## Gate Result

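Review bot: the merged `Recursive tree / Zenodo snapshot` row treats the GitHub tree and the Zenodo zip as one surface, but nothing in the note binds them: `GitHub releases` is `none observed`, so the only link is the matching date. Add a row stating whether the zip's central-directory file list matches the checked GitHub commit tree (names and sizes are enough at this inspection depth); without that, "the public surfaces contain" is two separate observations presented as one.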
@@ -57,16 +64,18 @@ downloaded or executed.

## Decision

`classifier-defense-code-public / split-index-files-present /
diffusion-as-preprocessor-not-target / score-artifacts-missing / no download /
no GPU release / no admitted row`.
`classifier-defense-code-public / immutable Zenodo snapshot checked /
split-index-files-present / diffusion-as-preprocessor-not-target /
score-artifacts-missing / no model-data download / no GPU release / no admitted
row`.

DIFFENCE should be retained as a classifier-defense related-method watch-plus
item. It is stronger than paper-source-only because the official repo exposes
code, configs, and small split-index files. It does not become a DiffAudit
execution target because the protected model is a classifier, the diffusion
model is an input-side defense component, and the public release does not ship
checkpoint-bound defended/undefended MIA score artifacts.
item. It is stronger than paper-source-only because the official repo and
immutable Zenodo snapshot expose code, configs, and small split-index files. It
does not become a DiffAudit execution target because the protected model is a
classifier, the diffusion model is an input-side defense component, and the
public release does not ship checkpoint-bound defended/undefended MIA score
artifacts.

Smallest valid reopen condition:

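Review bot: the decision token `immutable Zenodo snapshot checked` should say what the check covered, because this string is copied verbatim into ROADMAP and AGENTS where the Candidate table is not visible; "Zenodo snapshot MD5-matched and listed" names the two things actually done (MD5 compared with Zenodo metadata, central-directory listing), whereas "immutable" is a property of the Zenodo record rather than something the gate verified. The "stronger than paper-source-only" reasoning in the following paragraph is sound as written.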
@@ -96,7 +105,7 @@ defense transformation before classifier inference. That makes it useful for
defense literature context, not a clean second diffusion-model membership asset
or admitted defense row. Current slots remain `active_gpu_question = none`,
`next_gpu_candidate = none`, and `CPU sidecar = none selected after DIFFENCE
classifier-defense artifact gate`.
Zenodo snapshot sync`.

## Platform and Runtime Impact

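Review bot: the slot string is renamed here from `none selected after DIFFENCE classifier-defense artifact gate` to `none selected after DIFFENCE Zenodo snapshot sync` while the file name and section heading keep "artifact gate"; that is acceptable, but this is the kind of token that lingers in other files (the comment on AGENTS.md already found stale references in the workspace notes), so grep the repository for the old string before merge and either update every copy or keep one canonical slot string here and have the other files link to it.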
13 changes: 10 additions & 3 deletions docs/evidence/workspace-evidence-index.md
@@ -5,20 +5,27 @@ This index separates current track state from archived research history.
## Current Track State

Latest Research update:
[diffence-classifier-defense-artifact-gate-20260515.md](diffence-classifier-defense-artifact-gate-20260515.md)
now includes the immutable Zenodo `10.5281/zenodo.13706131` code snapshot:
`604` entries with code/config/split-index files, but still no
checkpoint-bound logits, scores, ROC arrays, metric JSON, verifier, download,
GPU release, or admitted row.

Previous Research update:
[github-lightweight-diffusion-mia-triage-20260515.md](github-lightweight-diffusion-mia-triage-20260515.md)
records the latest Lane A external search triage. Four direct GitHub
records a Lane A external search triage. Four direct GitHub
diffusion-MIA hits were lightweight/course-style false positives with no
target/split/response/score/ROC/metric/verifier artifacts, download, GPU
release, or admitted row.

Previous Research update:
Earlier Research update:
[deb-medical-diffusion-artifact-gate-20260515.md](deb-medical-diffusion-artifact-gate-20260515.md)
records a Lane B mechanism gate. DEB is a paper-source-only medical
diffusion grey-box discrete-codebook / intermediate-trajectory MIA watch; no
public code, target/split/score/ROC/metric artifacts, verifier, download, GPU
release, or admitted row is selected.

Earlier Research update:
Prior Research update:
[daily-research-review-20260515.md](daily-research-review-20260515.md)
records the required progress review after the DSiRe / LoRA-WiSE and CPSample
gates. The review confirms the latest verdict note exists, current slots are
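Review bot: each sync demotes every entry one step (`Latest` to `Previous` to `Earlier` to `Prior`), so three label lines and the verb `records the latest` to `records a` changed here for the sake of one new entry; a dated list (or a single `Latest` entry followed by entries keyed by file date) would make the next sync a one-line insert and keep these diffs reviewable. The new entry's "now includes the immutable Zenodo ... code snapshot" describes the note's revision rather than the finding; "records the Zenodo snapshot check: `604` entries ..." would match the form of the sibling entries.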