From b5bdc7e1f6da6be479251c66057198b51d08b631 Mon Sep 17 00:00:00 2001 From: Delicious233 Date: Fri, 15 May 2026 23:54:48 +0800 Subject: [PATCH] docs: add rectified flow mia artifact gate --- AGENTS.md | 2 +- ROADMAP.md | 29 ++++- ...ctified-flow-mia-artifact-gate-20260515.md | 123 ++++++++++++++++++ docs/evidence/workspace-evidence-index.md | 17 ++- workspaces/implementation/challenger-queue.md | 5 +- workspaces/intake/README.md | 10 ++ 6 files changed, 178 insertions(+), 8 deletions(-) create mode 100644 docs/evidence/rectified-flow-mia-artifact-gate-20260515.md diff --git a/AGENTS.md b/AGENTS.md index ec5a6ef..6d2e3d0 100644 --- a/AGENTS.md +++ b/AGENTS.md 
@@ -28,7 +28,7 @@ Do not start from memory or old chat context. Re-anchor on repository files. ## Current Operating State -- Active work: `Public metadata asset sweep completed after the DIFFENCE Zenodo snapshot sync, GitHub lightweight diffusion MIA triage, DEB, CPSample, DSiRe / LoRA-WiSE, hyperparameter-free SecMI, DME, FreMIA, and CopyMark gates. Status: latest verdict note, workspace-evidence index, Research ROADMAP, AGENTS, intake workspace note, and root ROADMAP are synchronized to the public metadata asset sweep. Authenticated Hugging Face metadata and GitHub artifact-shaped searches found no new non-duplicate image/latent-image diffusion-MIA replay packet. The only relevant HF surfaces remain known CLiD and CopyMark entries: CLiD's 1.62 GB gated zip still returns 403 for authenticated HEAD/range probes, and CopyMark's 5.66 GB zip is already covered by the official score-artifact gate. No CLiD/CopyMark ZIP, image payload, Stable Diffusion/CommonCanvas/LDM/Kohaku/COCO/LAION payload, model/checkpoint, full-repo download, script execution, CPU sidecar, GPU work, Platform/Runtime row, schema change, or product copy is released. active_gpu_question = none; next_gpu_candidate = none; CPU sidecar = none selected after public metadata asset sweep.` +- Active work: `Rectified Flow MIA artifact gate completed after the public metadata asset sweep, DIFFENCE Zenodo snapshot sync, GitHub lightweight diffusion MIA triage, DEB, CPSample, DSiRe / LoRA-WiSE, hyperparameter-free SecMI, DME, FreMIA, and CopyMark gates. Status: latest verdict note, workspace-evidence index, Research ROADMAP, AGENTS, intake/implementation workspace notes, and root ROADMAP are synchronized to the Rectified Flow MIA artifact gate. 
arXiv 2603.13421 is a non-duplicate Rectified Flow / Flow Matching MIA mechanism watch with reported complexity-calibrated Monte Carlo score gains, but the promised mx-ethan-rao/MIA_Rectified_Flow public repository is empty and no split manifest, checkpoint, score row, ROC array, metric JSON, verifier, dataset/model/checkpoint/image download, implementation from paper, CPU sidecar, GPU work, Platform/Runtime row, schema change, or product copy is released. active_gpu_question = none; next_gpu_candidate = none; CPU sidecar = none selected after Rectified Flow MIA artifact gate.` - Next GPU candidate: none selected - Long-horizon control: follow `ROADMAP.md` section `Long-Horizon Research Task Board(2026-05-13 起)` before reopening any diff --git a/ROADMAP.md b/ROADMAP.md index 803f9a2..ddcee64 100644 --- a/ROADMAP.md +++ b/ROADMAP.md 
@@ -2,6 +2,32 @@ > Last updated: 2026-05-15 +## 2026-05-15 Rectified Flow MIA Artifact Gate + +Lane B mechanism discovery checked arXiv `2603.13421` / +`Generalization and Memorization in Rectified Flow` because it is a +non-duplicate image generative-model MIA line: the target family is Rectified +Flow / Flow Matching, and the proposed signal is midpoint vector-field +memorization with complexity-calibrated Monte Carlo scoring. The arXiv source +reports `T_mc_cal` gains over `T_mc` across CIFAR-10 (`AUC = 84.89`, +`TPR@1%FPR = 27.88`), SVHN (`AUC = 79.43`, `TPR@1%FPR = 16.46`), and +TinyImageNet (`AUC = 92.96`, `TPR@1%FPR = 50.03`) on the paper's percentage +scale. It also claims data splits, checkpoints, training code, and testing code +are released at `mx-ethan-rao/MIA_Rectified_Flow`. + +Decision: `paper-source-only rectified-flow MIA mechanism watch / promised +GitHub repo empty / no code-score artifact / no download / no GPU release / no +admitted row`. The live GitHub repository exists but is empty: default branch +`master`, repo size `0`, no license, GitHub refs report `Git Repository is +empty`, and `git ls-remote` returns no refs. No CIFAR-10/SVHN/TinyImageNet +download, Rectified Flow checkpoint/model/image acquisition, `T_naive` / +`T_mc` / `T_mc_cal` implementation, complexity-calibration implementation, +Symmetric Exponential training, CPU sidecar, GPU work, Platform row, Runtime +schema, or product copy is selected. Current slots remain +`active_gpu_question = none`, `next_gpu_candidate = none`, and +`CPU sidecar = none selected after Rectified Flow MIA artifact gate`. See +[docs/evidence/rectified-flow-mia-artifact-gate-20260515.md](docs/evidence/rectified-flow-mia-artifact-gate-20260515.md). + ## 2026-05-15 Public Metadata Asset Sweep Lane A checked the post-DIFFENCE public metadata surface before opening another 
@@ -1902,7 +1928,8 @@ claim。 | --- | --- | | Active GPU question | none | | Next GPU candidate | none | -| CPU sidecar | none selected after public metadata asset sweep. The admitted bundle remains five-row `admitted-only`; recent watch/watch-plus/support-only/candidate/score-artifact/semantic-shift/defense-watch and public-metadata gates did not change Platform/Runtime rows, schemas, product copy, downloads, or GPU release. | +| CPU sidecar | none selected after Rectified Flow MIA artifact gate. The admitted bundle remains five-row `admitted-only`; recent watch/watch-plus/support-only/candidate/score-artifact/semantic-shift/defense-watch, public-metadata, and rectified-flow mechanism gates did not change Platform/Runtime rows, schemas, product copy, downloads, or GPU release. | +| Latest mechanism watch | Rectified Flow MIA / arXiv `2603.13421` is non-duplicate and mechanism-relevant, but the promised GitHub repository is empty; reopen only if public splits, checkpoints, code, score/ROC/metric artifacts, or a verifier appear. | | Latest closed search branch | HF/GitHub public metadata sweep is closed unless CLiD exposes a row manifest or metadata-only ZIP inspection, CopyMark publishes compact row-bound verifier artifacts, or a new repository/dataset appears with a small target/split/score/ROC/metric packet. | | Highest-value next action | Continue non-duplicate asset search only for candidates with public target identity, member/nonmember split artifacts, and response/score coverage. CPSample remains defense watch-plus; reopen it only if checkpoint-bound denoiser/classifier artifacts or hashes, exact train/test/subset row identities, protected/unprotected row-bound score packets, ROC/metric JSON, retained-utility metrics, and a defended-vs-undefended adaptive-attacker consumer contract are public. 
DSiRe / LoRA-WiSE remains a future weight-only privacy lane candidate, but reopen it only if DiffAudit explicitly opens a weight-only LoRA dataset-size recovery consumer contract with MAE/MAPE/accuracy as primary metrics and language separating aggregate model-weight cardinality leakage from per-sample MIA. CopyMark is now official Research-side score-artifact support evidence, but reopen it only if authors publish a compact row-ID-bound score manifest, checkpoint hashes, a no-training verifier, or a small immutable data/checkpoint packet that avoids the full HF zip and model-folder downloads. VAE2Diffusion remains code-public latent-space MIA watch-plus; reopen it only if public split manifests, matching checkpoints or generated response/feature caches, score rows, ROC/metric JSON, verifier outputs, or another bounded no-training artifact appears. DCR remains copying/memorization semantic-shift watch-plus; reopen it only if a public available LAION split or equivalent immutable image manifest, target checkpoint/generated response packets, score rows, ROC/metric JSON, verifier outputs, or an explicit copying/memorization consumer-boundary lane appear. FCRE remains a medical-image frequency-calibrated reconstruction-error paper-source watch item; reopen it only if official code plus frozen split manifests, matching target checkpoints, generated reconstruction packets, reusable score rows, ROC/metric JSON, verifier outputs, or a reviewed medical-image consumer-boundary lane appear. Tabular Privacy Leakage TDM is a single-table tabular code-public watch-plus item; reopen it only if paper-bound Berka/Diabetes target checkpoints, immutable split manifests, generated synthetic tables, reusable score rows, ROC/metric JSON, verifier outputs, or a reviewed tabular consumer-boundary lane appear. 
TMIA-DM remains a temporal-noise / noise-gradient paper-only mechanism watch item; reopen it only if official public code plus immutable target/split artifacts and reusable score/ROC/metric packets appear. Shake-to-Leak is a fine-tuning-amplified generative-privacy code-public watch-plus item, but reopen it only if public checkpoint-bound score artifacts, immutable split manifests, generated private-set packets, or ready verifier outputs appear. FSECLab MIA-Diffusion is a direct diffusion-MIA code-public watch-plus item, but reopen it only if public checkpoint-bound score artifacts, immutable split manifests, generated sample packets, or ready verifier outputs appear. MT-MIA remains useful public score-packet support evidence, but reopen it only if DiffAudit explicitly opens a relational-tabular synthetic-data membership lane, authors publish row-ID-bound verifier artifacts, or paperization needs clearly labeled cross-domain support outside Platform/Runtime rows. Reopen LSA-Probe only if real public adversarial-cost score artifacts, exact music/audio target identities, and exact member/nonmember manifests appear, or if DiffAudit explicitly opens a music/audio lane. Reopen DualMD/DistillMD only if public checkpoint-bound defended/undefended score artifacts, ROC arrays, metric JSON, generated response packets, or a bounded verifier appear and a consumer-boundary decision explicitly admits disjoint-training defense evidence. Reopen DIFFENCE only if public checkpoint-bound defended/undefended score artifacts or a bounded verifier appear and a consumer-boundary decision explicitly admits classifier-defense evidence. Reopen MIAHOLD/HOLD++ only if public checkpoint-bound score artifacts or a bounded verifier appear, plus an explicit TTS/audio consumer-boundary decision before any audio lane execution. 
Reopen the Quantile/SecMI-style support packet only if explicit quantile-regression score outputs, trained quantile artifacts, or a bounded verifier command are released, or if a consumer-boundary review approves third-party SecMI-style packets as paperization support without Platform/Runtime admission. Reopen ReproMIA only if a current non-withdrawn paper plus official public code, exact target/split manifests, and reusable score/metric artifacts appear; reopen Tracing Roots only if raw target checkpoint identity, raw sample manifests, or a feature-packet consumer-boundary decision appears; reopen CLiD only if authors publish a row manifest or HF gated access allows metadata-only manifest inspection. | | Stop condition | Do not download CIFAR-10, CelebA, LSUN, Stable Diffusion weights, denoiser/classifier checkpoints, generated images, or missing Google Drive placeholders for CPSample; do not run `python main.py`, train classifiers, fine-tune denoisers, generate protected/unprotected images, run `--inference_attack`, or launch CPU/GPU sidecars from this gate. Do not download LoRA-WiSE parquet shards, image folders, Stable Diffusion weights, or LoRA tensor payloads; do not run `python dsire.py`, FAISS/SVD sweeps, CPU sidecars, or GPU work unless a separate weight-only consumer contract is opened. Do not download CopyMark HF `datasets.zip`, image folders, Stable Diffusion/CommonCanvas/LDM/Kohaku weights, LAION/COCO/CC12M/YFCC/DataComp/FFHQ/CelebA-HQ/CommonCatalog payloads, or model folders; do not clone the full repo by default, run PIA/PFAMI/SecMI/GSA scripts, regenerate features, fit XGBoost models, or launch GPU work from the CopyMark official score artifact gate. 
Do not download CIFAR-10, CelebA, ImageNet-1K, Pokemon, COCO, Flickr, LAION, Stable Diffusion weights, VAE/LDM checkpoints, split payloads, generated responses, or pullback/per-dim caches for VAE2Diffusion; do not train LDMs, fine-tune Stable Diffusion, run SimA/PFAMI/PIA variants, or launch GPU work from that gate. Do not download LAION payloads, DCR Drive split folders, Stable Diffusion weights, generated image sets, or retrieval outputs; do not fine-tune, infer, run retrieval, or launch GPU work for DCR. Do not download FeTS, ChestX-ray8, CIFAR-10, or medical-image payloads, train diffusion targets, run DDIM reconstruction, sweep frequency bands, or launch GPU work for FCRE. Do not download Berka/Diabetes/MIDST resources, train ClavaDDPM targets or shadows, run Tartan Federer/Ensemble/EPT attacks, promote MIDST toolkit integration-test fixtures, or launch GPU work for Tabular Privacy Leakage TDM. Do not download CIFAR/Tiny-ImageNet/Pokemon/LAION/COCO assets, train or fine-tune diffusion targets, reconstruct temporal-noise trajectory pipelines, or launch GPU work for TMIA-DM. Do not download Stable Diffusion weights, LAION/person images, synthetic private sets, or checkpoints for Shake-to-Leak; do not run `sp_gen.py`, LoRA/DB/End2End fine-tuning, SecMI scripts, or data extraction from that gate. Do not download CIFAR-10, CelebA, DDIM/DCGAN checkpoints, generated samples, or full repo payloads for FSECLab MIA-Diffusion; do not run DDIM/DCGAN training, sampling, attack scripts, or TTUR evaluation from that gate. Do not download MT-MIA raw figshare datasets, synthetic CSV payloads, ClavaDDPM/RelDiff training assets, or the full repository; do not regenerate high-cost RelDiff outputs or promote relational-tabular score packets without a consumer-boundary decision. Do not download MAESTRO, FMA-Large, DiffWave, MusicLDM, audio clips, checkpoints, or GitHub Pages demo JSON as LSA-Probe experiment evidence; do not implement LSA-Probe from the TeX or demo. 
Do not download the DualMD/DistillMD SharePoint Pokemon payload, Stable Diffusion weights, CIFAR/CIFAR100/STL10/Tiny-ImageNet datasets, or run DDPM/LDM training, distillation, SecMIA/PIA, black-box attack scripts, or launch GPU jobs from this gate. Do not download DIFFENCE Google Drive diffusion/target model folders or CIFAR/SVHN datasets; do not train classifiers or diffusion models, generate DIFFENCE reconstructions, run MIA scripts, or launch GPU jobs from that gate. Do not download MIAHOLD/HOLD++ Grad-TTS, HiFi-GAN, CLD-SGM, CIFAR, CelebA, LJSpeech, or LibriTTS assets; do not scrape W&B, train HOLD++ CIFAR/audio models, regenerate PIA scores, or launch GPU jobs from that gate. Do not clone the full `neilkale/quantile-diffusion-mia` repository by default, download pretrained DDPM checkpoints/CIFAR archives/SharePoint model folders, run training, fit quantile models, recover W&B artifacts, or launch GPU jobs from that support packet. Do not promote CPSample, DSiRe / LoRA-WiSE, CopyMark, VAE2Diffusion, DCR, FCRE, Tabular Privacy Leakage TDM, TMIA-DM, Shake-to-Leak, FSECLab MIA-Diffusion, MT-MIA, LSA-Probe, DualMD/DistillMD, DIFFENCE, or MIAHOLD as admitted rows, Quantile replay as a Quantile Regression result, or any of these lines as admitted Platform/Runtime rows. Keep the existing no-download/no-GPU constraints for ReproMIA, DMin, ELSA, Memorization Anisotropy, FERMI, DurMI, FMIA, CLiD, StablePrivateLoRA, MIDM, GGDM, Diffusion Memorization, ReDiffuse, and same-family MIDST expansions. | diff --git a/docs/evidence/rectified-flow-mia-artifact-gate-20260515.md b/docs/evidence/rectified-flow-mia-artifact-gate-20260515.md new file mode 100644 index 0000000..05ab7f0 --- /dev/null +++ b/docs/evidence/rectified-flow-mia-artifact-gate-20260515.md 
@@ -0,0 +1,123 @@ +# Rectified Flow MIA Artifact Gate + +> Date: 2026-05-15 +> Status: paper-source-only rectified-flow MIA mechanism watch / promised GitHub repo empty / no code-score artifact / no download / no GPU release / no admitted row + +## Question + +Does arXiv `2603.13421` / `Generalization and Memorization in Rectified Flow` +provide a non-duplicate image generative-model membership-inference artifact +that should change DiffAudit's `active_gpu_question`, `next_gpu_candidate`, or +Platform/Runtime admitted boundary? + +This gate was opened because the paper is not another SecMI/PIA/CLiD/CopyMark +variant on diffusion checkpoints. It targets Rectified Flow / Flow Matching +models and proposes rectified-flow-specific MIA test statistics. The check used +arXiv API metadata, the arXiv source tarball, GitHub metadata, and git remote +reference probing. It did not download CIFAR-10, SVHN, TinyImageNet, model +checkpoints, generated images, or run any training / attack code. + +## Public Surface + +| Field | Value | +| --- | --- | +| Paper line | `Generalization and Memorization in Rectified Flow` | +| arXiv | `https://arxiv.org/abs/2603.13421v1` | +| Published / updated | `2026-03-12T21:10:39Z` | +| Authors | Mingxing Rao, Daniel Moyer | +| Source tarball inspected | `1,184,212` bytes, `25` entries | +| Claimed code repository in arXiv source | `https://github.com/mx-ethan-rao/MIA_Rectified_Flow.git` | +| GitHub repo state | Public repo exists, default branch `master`, size field `0`, no license, pushed `2026-03-12T20:43:21Z`, but GitHub reports `Git Repository is empty` and `git ls-remote` returns no refs | + +The arXiv source contains TeX plus figure PDFs only. It does not ship raw data +splits, checkpoints, score rows, ROC arrays, metric JSON, verifier output, or a +script entrypoint. The paper text says data splits, model checkpoints, +training, and testing code are released in the GitHub repository, but the live +repository is currently empty. 
+ +## Mechanism Signal + +The paper proposes three MIA statistics for Rectified Flow: + +| Statistic | Role | +| --- | --- | +| `T_naive` | Flow-matching-objective-derived baseline statistic | +| `T_mc` | Monte Carlo estimator over Gaussian source samples | +| `T_mc_cal` | Complexity-calibrated `T_mc`, dividing by an image complexity proxy based on compressed byte length | + +The mechanism is materially different from the recent closed repeats because +it targets Flow Matching / Rectified Flow vector fields and the midpoint of the +ODE trajectory, not DDPM denoising loss, SecMI reverse denoise distance, PIA +perturbation trajectories, CLiD prompt-conditioned likelihoods, CopyMark +benchmark score packets, or final-layer gradient variants. + +The paper also proposes a mitigation direction: replace uniform timestep +sampling with a Symmetric Exponential / U-shaped distribution to reduce +exposure to vulnerable midpoint timesteps. + +## Reported Metrics + +These are paper-source metrics read from the arXiv source, not locally +replayed. + +| Dataset | Split / training setup | `T_mc` AUC | `T_mc` TPR@1%FPR | `T_mc_cal` AUC | `T_mc_cal` TPR@1%FPR | +| --- | --- | ---: | ---: | ---: | ---: | +| CIFAR-10 | `25k/25k`, `32x32`, `500k` RF training steps | `75.12` | `3.05` | `84.89` | `27.88` | +| SVHN | `20k/20k`, `32x32`, `500k` RF training steps | `70.92` | `1.54` | `79.43` | `16.46` | +| TinyImageNet | `50k/50k`, `64x64`, `100k` RF training steps | `76.44` | `5.33` | `92.96` | `50.03` | + +The reported gains from `T_mc` to `T_mc_cal` are large: +`+9.77` AUC / `+24.83` TPR points on CIFAR-10, `+8.51` / `+14.92` on SVHN, +and `+16.52` / `+44.70` on TinyImageNet, on the paper's percentage scale. + +## Gate Result + +| Gate | Result | +| --- | --- | +| Target identity | Fail for execution. The paper reports RF models and training settings, but the promised checkpoint repository is empty and no checkpoint hashes or model files are public. | +| Exact member split | Fail. 
The paper gives split sizes, but no immutable train/validation index files or row manifests are public. | +| Exact nonmember split | Fail for the same reason: validation split sizes are described, not released as machine-readable manifests. | +| Query/response or score coverage | Fail. No score rows, ROC arrays, metric JSON, generated response packets, or verifier outputs are public. | +| Mechanism delta | Pass for watch. Rectified Flow midpoint memorization and complexity-calibrated Monte Carlo vector-field scoring are non-duplicate mechanisms. | +| Download justification | Fail. There is no bounded public artifact to download; implementing RF training or attacks from the paper would create a new project rather than evaluate a released packet. | +| GPU release | Fail. The missing pieces are public artifacts, not local compute. | + +## Decision + +`paper-source-only rectified-flow MIA mechanism watch / promised GitHub repo +empty / no code-score artifact / no download / no GPU release / no admitted +row`. + +Rectified Flow MIA is worth tracking because it is a genuinely different +generative-model family and has reported low-FPR gains that are large enough to +matter if artifacts appear. It is not a current DiffAudit execution lane. The +live public surface has no released code, split manifest, checkpoint, score, +ROC, metric, or verifier packet. + +Current slots remain `active_gpu_question = none`, +`next_gpu_candidate = none`, and +`CPU sidecar = none selected after Rectified Flow MIA artifact gate`. 
+ +Smallest valid reopen condition: + +- `mx-ethan-rao/MIA_Rectified_Flow` becomes non-empty with the promised public + data splits, model checkpoints, training code, and testing code; or +- authors publish small immutable split/checkpoint/score/ROC/metric/verifier + artifacts sufficient for a bounded no-training replay; and +- a consumer-boundary note decides whether Rectified Flow image-generation MIA + belongs beside diffusion-model rows or stays as Research-only mechanism + evidence. + +Stop condition: + +- Do not download CIFAR-10, SVHN, TinyImageNet, RF checkpoints, generated + images, or any large payload for this line. +- Do not implement `T_naive`, `T_mc`, `T_mc_cal`, complexity calibration, or + Symmetric Exponential training from the paper. +- Do not train Rectified Flow models, launch GPU work, create Platform/Runtime + rows, change schemas, or change product copy until public artifacts exist. + +## Platform and Runtime Impact + +None. Platform and Runtime continue consuming only the admitted `recon / PIA +baseline / PIA defended / GSA / DPDM W-1` set. diff --git a/docs/evidence/workspace-evidence-index.md b/docs/evidence/workspace-evidence-index.md index 76cfb1f..b9444be 100644 --- a/docs/evidence/workspace-evidence-index.md +++ b/docs/evidence/workspace-evidence-index.md 
@@ -5,6 +5,15 @@ This index separates current track state from archived research history. ## Current Track State Latest Research update: +[rectified-flow-mia-artifact-gate-20260515.md](rectified-flow-mia-artifact-gate-20260515.md) +records a non-duplicate Rectified Flow / Flow Matching MIA mechanism watch. +arXiv `2603.13421` reports complexity-calibrated Monte Carlo vector-field +scoring with strong low-FPR gains, but the promised +`mx-ethan-rao/MIA_Rectified_Flow` repository is empty and no public splits, +checkpoints, scores, ROC arrays, metric JSON, verifier, download, CPU sidecar, +GPU release, or admitted row is selected. + +Previous Research update: [public-metadata-asset-sweep-20260515.md](public-metadata-asset-sweep-20260515.md) records the post-DIFFENCE Hugging Face/GitHub metadata sweep. Authenticated HF metadata still exposes only known CLiD and CopyMark surfaces: 
@@ -14,21 +23,21 @@ CopyMark score-artifact gate, and GitHub artifact-shaped searches returned no new non-duplicate replay packet. No download, GPU release, CPU sidecar, or admitted row is selected. -Previous Research update: +Earlier Research update: [diffence-classifier-defense-artifact-gate-20260515.md](diffence-classifier-defense-artifact-gate-20260515.md) now includes the immutable Zenodo `10.5281/zenodo.13706131` code snapshot: `604` entries with code/config/split-index files, but still no checkpoint-bound logits, scores, ROC arrays, metric JSON, verifier, download, GPU release, or admitted row. -Earlier Research update: +Prior Research update: [github-lightweight-diffusion-mia-triage-20260515.md](github-lightweight-diffusion-mia-triage-20260515.md) records a Lane A external search triage. Four direct GitHub diffusion-MIA hits were lightweight/course-style false positives with no target/split/response/score/ROC/metric/verifier artifacts, download, GPU release, or admitted row. -Prior Research update: +Earlier Research update: [deb-medical-diffusion-artifact-gate-20260515.md](deb-medical-diffusion-artifact-gate-20260515.md) records a Lane B mechanism gate. DEB is a paper-source-only medical diffusion grey-box discrete-codebook / intermediate-trajectory MIA watch; no 
@@ -47,7 +56,7 @@ product-copy, recommendation, download, CPU sidecar, or GPU change was released. | Track | Active docs | Role | | --- | --- | --- | | Black-box | [workspaces/black-box/README.md](../../workspaces/black-box/README.md), [plan.md](../../workspaces/black-box/plan.md), [public-metadata-asset-sweep-20260515.md](public-metadata-asset-sweep-20260515.md), [copymark-official-score-artifact-gate-20260515.md](copymark-official-score-artifact-gate-20260515.md), [shake-to-leak-code-artifact-gate-20260515.md](shake-to-leak-code-artifact-gate-20260515.md), [fseclab-mia-diffusion-code-artifact-gate-20260515.md](fseclab-mia-diffusion-code-artifact-gate-20260515.md), [genai-confessions-blackbox-artifact-gate-20260515.md](genai-confessions-blackbox-artifact-gate-20260515.md), [clid-official-inter-output-replay-20260515.md](clid-official-inter-output-replay-20260515.md), [midst-tabddpm-ept-scout-20260515.md](midst-tabddpm-ept-scout-20260515.md), [diffusion-memorization-asset-gate-20260515.md](diffusion-memorization-asset-gate-20260515.md), [rediffuse-openreview-split-manifest-audit-20260515.md](rediffuse-openreview-split-manifest-audit-20260515.md), [beans-lora-delta-sensitivity-20260513.md](beans-lora-delta-sensitivity-20260513.md), [quantile-regression-asset-verdict-20260513.md](quantile-regression-asset-verdict-20260513.md), [miagm-asset-verdict-20260513.md](miagm-asset-verdict-20260513.md), [noise-as-probe-asset-verdict-20260513.md](noise-as-probe-asset-verdict-20260513.md), [zenodo-code-reference-audit-20260513.md](zenodo-code-reference-audit-20260513.md), [zenodo-finetuned-diffusion-asset-verdict-20260513.md](zenodo-finetuned-diffusion-asset-verdict-20260513.md), [laion-mi-url-availability-probe-20260513.md](laion-mi-url-availability-probe-20260513.md), [laion-mi-asset-verdict-20260513.md](laion-mi-asset-verdict-20260513.md), [commoncanvas-denoising-loss-20260513.md](commoncanvas-denoising-loss-20260513.md), 
[midst-tabddpm-shadow-distributional-scout-20260513.md](midst-tabddpm-shadow-distributional-scout-20260513.md), [midst-tabddpm-nearest-neighbor-scout-20260513.md](midst-tabddpm-nearest-neighbor-scout-20260513.md), [copymark-commoncanvas-multiseed-stability-20260513.md](copymark-commoncanvas-multiseed-stability-20260513.md), [fashion-mnist-ddpm-pia-loss-scout-20260513.md](fashion-mnist-ddpm-pia-loss-scout-20260513.md), [kohaku-danbooru-asset-decision-20260513.md](kohaku-danbooru-asset-decision-20260513.md), [tiny-known-split-gradient-prototype-alignment-20260513.md](tiny-known-split-gradient-prototype-alignment-20260513.md), [copymark-commoncanvas-response-preflight-20260512.md](copymark-commoncanvas-response-preflight-20260512.md), [copymark-commoncanvas-query-asset-20260512.md](copymark-commoncanvas-query-asset-20260512.md), [copymark-provenance-intake-20260512.md](copymark-provenance-intake-20260512.md), [external-diffusion-benchmark-provenance-scan-20260512.md](external-diffusion-benchmark-provenance-scan-20260512.md), [true-second-membership-benchmark-scope-20260512.md](true-second-membership-benchmark-scope-20260512.md), [gradient-norm-stability-gate-20260512.md](gradient-norm-stability-gate-20260512.md), [tiny-overfit-gradient-norm-scout-20260512.md](tiny-overfit-gradient-norm-scout-20260512.md), [tiny-overfit-mse-upperbound-20260512.md](tiny-overfit-mse-upperbound-20260512.md), [tiny-known-split-denoising-sanity-20260512.md](tiny-known-split-denoising-sanity-20260512.md), [mnist-ddpm-x0-reconstruction-scout-20260512.md](mnist-ddpm-x0-reconstruction-scout-20260512.md), [beans-sd15-membership-semantics-correction-20260512.md](beans-sd15-membership-semantics-correction-20260512.md), [beans-sd15-clip-distance-scout-20260512.md](beans-sd15-clip-distance-scout-20260512.md), [beans-sd15-simple-distance-scout-20260512.md](beans-sd15-simple-distance-scout-20260512.md), [beans-sd15-response-contract-ready-20260512.md](beans-sd15-response-contract-ready-20260512.md), 
[beans-sd15-response-contract-scout-20260512.md](beans-sd15-response-contract-scout-20260512.md), [mnist-ddpm-pia-portability-smoke-20260512.md](mnist-ddpm-pia-portability-smoke-20260512.md), [midfreq-residual-comparator-audit-20260512.md](midfreq-residual-comparator-audit-20260512.md), [midfreq-residual-stability-result-20260512.md](midfreq-residual-stability-result-20260512.md), [midfreq-residual-stability-decision-20260512.md](midfreq-residual-stability-decision-20260512.md), [midfreq-residual-signcheck-20260512.md](midfreq-residual-signcheck-20260512.md), [midfreq-same-noise-residual-preflight-20260512.md](midfreq-same-noise-residual-preflight-20260512.md), [midfreq-residual-scorer-contract-20260512.md](midfreq-residual-scorer-contract-20260512.md), [midfreq-residual-collector-contract-20260512.md](midfreq-residual-collector-contract-20260512.md), [midfreq-residual-tiny-runner-contract-20260512.md](midfreq-residual-tiny-runner-contract-20260512.md), [midfreq-residual-real-asset-preflight-20260512.md](midfreq-residual-real-asset-preflight-20260512.md) | Public metadata sweep after HF auth and GitHub artifact searches found no new non-duplicate replay packet; CLiD ZIP remains range-inaccessible with auth, CopyMark HF ZIP remains already-covered and too large to change the current decision; CopyMark official score-artifact support evidence with public member/nonmember logs, aggregate ROC/threshold JSONs, selected all-step tensors, laion_ridar/mixing results, but no checkpoint hashes, compact row-ID-bound score manifest, small immutable data/checkpoint packet, or ready verifier; Shake-to-Leak code-public fine-tuning-amplified generative privacy watch-plus with target/data/score artifacts missing, FSECLab MIA-Diffusion official DDIM/DCGAN code-public but checkpoint/score/result-missing watch-plus, GenAI Confessions raw-input data-public but response/checkpoint missing black-box boundary watch, strong official CLiD CPU inter-output replay that remains 
prompt-conditioned candidate-only, weak MIDST TabDDPM EPT scout after nearest-neighbor and shadow-distributional failures, Diffusion Memorization semantic-shift watch, ReDiffuse official OpenReview split-manifest provenance, Reconstruction, variation, H2/simple-distance, weak Beans LoRA parameter-delta sensitivity and conditional denoising-loss under repaired known-split membership semantics, Quantile Regression sample-conditioned reconstruction-loss mechanism reference that is artifact-incomplete, MIAGM generated-distribution reference that is artifact-incomplete, Noise as a Probe semantic-initial-noise mechanism watch that is reproduction-incomplete, Zenodo fine-tuned diffusion paper/code-backed archive watch that remains split-manifest incomplete, LAION-mi metadata-only watch after failed fixed `25/25` URL availability probe, true second membership benchmark scope, weak CommonCanvas conditional denoising-loss scout, weak MIDST TabDDPM nearest-neighbor scout, weak MIDST shadow-distributional scout, weak Fashion-MNIST DDPM PIA-loss scout, Kohaku/Danbooru membership-semantics block, CopyMark provenance intake, local CommonCanvas query asset, completed `50/50` CommonCanvas responses with weak pixel-distance, CLIP image-similarity, prompt-response consistency, multi-seed response-stability, and conditional denoising-loss scorers, weak `64/64` gradient-prototype alignment scout, external provenance scan, Beans contract/debug boundary, MNIST/DDPM raw-loss and x0 simple-scorer scouts, tiny known-split raw-MSE sanity checks, tiny overfit gradient-norm mechanism signal and weakened stability gate, and same-noise residual candidate status. 
| -| Gray-box | [workspaces/gray-box/README.md](../../workspaces/gray-box/README.md), [plan.md](../../workspaces/gray-box/plan.md), [dsire-lora-wise-dataset-size-boundary-20260515.md](dsire-lora-wise-dataset-size-boundary-20260515.md), [hyperfree-secmi-reproduction-gate-20260515.md](hyperfree-secmi-reproduction-gate-20260515.md), [dme-dual-model-entropy-artifact-gate-20260515.md](dme-dual-model-entropy-artifact-gate-20260515.md), [fremia-frequency-filter-artifact-gate-20260515.md](fremia-frequency-filter-artifact-gate-20260515.md), [vae2diffusion-latent-space-inversion-gate-20260515.md](vae2diffusion-latent-space-inversion-gate-20260515.md), [fcre-medical-frequency-artifact-gate-20260515.md](fcre-medical-frequency-artifact-gate-20260515.md), [privacy-leakage-tdm-artifact-gate-20260515.md](privacy-leakage-tdm-artifact-gate-20260515.md), [tmia-dm-temporal-artifact-gate-20260515.md](tmia-dm-temporal-artifact-gate-20260515.md), [quantile-diffusion-mia-secmia-terror-replay-20260515.md](quantile-diffusion-mia-secmia-terror-replay-20260515.md), [noise-aggregation-small-noise-artifact-gate-20260515.md](noise-aggregation-small-noise-artifact-gate-20260515.md), [sima-scorebased-artifact-gate-20260515.md](sima-scorebased-artifact-gate-20260515.md), [tracing-roots-feature-packet-mia-20260515.md](tracing-roots-feature-packet-mia-20260515.md), [../product-bridge/tracing-roots-candidate-evidence-card.md](../product-bridge/tracing-roots-candidate-evidence-card.md), [cdi-official-artifact-gate-20260515.md](cdi-official-artifact-gate-20260515.md), [fashion-mnist-ddpm-score-jacobian-sensitivity-20260514.md](fashion-mnist-ddpm-score-jacobian-sensitivity-20260514.md), [fashion-mnist-ddpm-sima-score-norm-20260514.md](fashion-mnist-ddpm-sima-score-norm-20260514.md), [mofit-artifact-verdict-20260513.md](mofit-artifact-verdict-20260513.md), [secmi-consumer-contract-review-20260512.md](secmi-consumer-contract-review-20260512.md), 
[post-midfreq-next-lane-reselection-20260512.md](post-midfreq-next-lane-reselection-20260512.md), [graybox-paper-candidate-reentry-review-20260512.md](graybox-paper-candidate-reentry-review-20260512.md) | DSiRe / LoRA-WiSE future weight-only dataset-size recovery boundary gate, Hyperparameter-free SecMI third-party code/report support-family gate, DME complexity-bias MIA stub-repo-only watch, FreMIA frequency-filter MIA paper-source-plus-stub-repo watch, PIA, SecMI, VAE2Diffusion latent-space decoder-geometry MIA code-public watch-plus with split/checkpoint/score artifacts missing, FCRE medical-image frequency-calibrated reconstruction-error paper-source watch, single-table Tabular Privacy Leakage TDM watch-plus with official MIDST toolkit code but no paper score packet, TMIA-DM temporal-noise / noise-gradient paper-only watch, Quantile Diffusion MIA third-party SecMI-style `t_error` support packet, Noise Aggregation small-noise predicted-noise aggregation MIA paper-source-only watch, official SimA score-based MIA watch-plus with code-public but split/checkpoint/score artifacts missing, Tracing the Roots positive-but-provenance-limited trajectory feature-packet MIA with a candidate-only product-bridge card, official CDI dataset-inference gate as code-public but large-assets-required/no ready score packet/no GPU release, weak Fashion-MNIST score-Jacobian sensitivity scout, weak Fashion-MNIST SimA score-norm scout, MoFit artifact-incomplete watch, archived paper-candidate, DCR copying/memorization semantic-shift watch, and gray-box defense boundary status. 
| +| Gray-box | [workspaces/gray-box/README.md](../../workspaces/gray-box/README.md), [plan.md](../../workspaces/gray-box/plan.md), [rectified-flow-mia-artifact-gate-20260515.md](rectified-flow-mia-artifact-gate-20260515.md), [dsire-lora-wise-dataset-size-boundary-20260515.md](dsire-lora-wise-dataset-size-boundary-20260515.md), [hyperfree-secmi-reproduction-gate-20260515.md](hyperfree-secmi-reproduction-gate-20260515.md), [dme-dual-model-entropy-artifact-gate-20260515.md](dme-dual-model-entropy-artifact-gate-20260515.md), [fremia-frequency-filter-artifact-gate-20260515.md](fremia-frequency-filter-artifact-gate-20260515.md), [vae2diffusion-latent-space-inversion-gate-20260515.md](vae2diffusion-latent-space-inversion-gate-20260515.md), [fcre-medical-frequency-artifact-gate-20260515.md](fcre-medical-frequency-artifact-gate-20260515.md), [privacy-leakage-tdm-artifact-gate-20260515.md](privacy-leakage-tdm-artifact-gate-20260515.md), [tmia-dm-temporal-artifact-gate-20260515.md](tmia-dm-temporal-artifact-gate-20260515.md), [quantile-diffusion-mia-secmia-terror-replay-20260515.md](quantile-diffusion-mia-secmia-terror-replay-20260515.md), [noise-aggregation-small-noise-artifact-gate-20260515.md](noise-aggregation-small-noise-artifact-gate-20260515.md), [sima-scorebased-artifact-gate-20260515.md](sima-scorebased-artifact-gate-20260515.md), [tracing-roots-feature-packet-mia-20260515.md](tracing-roots-feature-packet-mia-20260515.md), [../product-bridge/tracing-roots-candidate-evidence-card.md](../product-bridge/tracing-roots-candidate-evidence-card.md), [cdi-official-artifact-gate-20260515.md](cdi-official-artifact-gate-20260515.md), [fashion-mnist-ddpm-score-jacobian-sensitivity-20260514.md](fashion-mnist-ddpm-score-jacobian-sensitivity-20260514.md), [fashion-mnist-ddpm-sima-score-norm-20260514.md](fashion-mnist-ddpm-sima-score-norm-20260514.md), [mofit-artifact-verdict-20260513.md](mofit-artifact-verdict-20260513.md), 
[secmi-consumer-contract-review-20260512.md](secmi-consumer-contract-review-20260512.md), [post-midfreq-next-lane-reselection-20260512.md](post-midfreq-next-lane-reselection-20260512.md), [graybox-paper-candidate-reentry-review-20260512.md](graybox-paper-candidate-reentry-review-20260512.md) | Rectified Flow / Flow Matching MIA paper-source-only mechanism watch with promised but empty public repo, DSiRe / LoRA-WiSE future weight-only dataset-size recovery boundary gate, Hyperparameter-free SecMI third-party code/report support-family gate, DME complexity-bias MIA stub-repo-only watch, FreMIA frequency-filter MIA paper-source-plus-stub-repo watch, PIA, SecMI, VAE2Diffusion latent-space decoder-geometry MIA code-public watch-plus with split/checkpoint/score artifacts missing, FCRE medical-image frequency-calibrated reconstruction-error paper-source watch, single-table Tabular Privacy Leakage TDM watch-plus with official MIDST toolkit code but no paper score packet, TMIA-DM temporal-noise / noise-gradient paper-only watch, Quantile Diffusion MIA third-party SecMI-style `t_error` support packet, Noise Aggregation small-noise predicted-noise aggregation MIA paper-source-only watch, official SimA score-based MIA watch-plus with code-public but split/checkpoint/score artifacts missing, Tracing the Roots positive-but-provenance-limited trajectory feature-packet MIA with a candidate-only product-bridge card, official CDI dataset-inference gate as code-public but large-assets-required/no ready score packet/no GPU release, weak Fashion-MNIST score-Jacobian sensitivity scout, weak Fashion-MNIST SimA score-norm scout, MoFit artifact-incomplete watch, archived paper-candidate, DCR copying/memorization semantic-shift watch, and gray-box defense boundary status. 
| | White-box | [workspaces/white-box/README.md](../../workspaces/white-box/README.md), [plan.md](../../workspaces/white-box/plan.md), [whitebox-gsa-zenodo-archive-verdict-20260513.md](whitebox-gsa-zenodo-archive-verdict-20260513.md), [whitebox-influence-curvature-feasibility-scout-20260511.md](whitebox-influence-curvature-feasibility-scout-20260511.md), [gsa-diagonal-fisher-feasibility-microboard-20260511.md](gsa-diagonal-fisher-feasibility-microboard-20260511.md), [gsa-diagonal-fisher-layer-scope-review-20260511.md](gsa-diagonal-fisher-layer-scope-review-20260511.md), [gsa-diagonal-fisher-stability-board-20260511.md](gsa-diagonal-fisher-stability-board-20260511.md), [post-fisher-next-lane-reselection-20260511.md](post-fisher-next-lane-reselection-20260511.md) | GSA, DPDM, admitted-family GSA Zenodo archive identity, Finding NeMo, and white-box boundary status. | | Cross-box | [workspaces/cross-box/README.md](../../workspaces/cross-box/README.md), [cross-box-boundary-status.md](cross-box-boundary-status.md), [cross-box-successor-scope-20260512.md](cross-box-successor-scope-20260512.md), [post-ib-next-lane-reselection-20260512.md](post-ib-next-lane-reselection-20260512.md), [ic-same-spec-evaluator-feasibility-scout-20260512.md](ic-same-spec-evaluator-feasibility-scout-20260512.md) | Cross-track score-sharing, cross-permission boundary, and successor reopen conditions. 
| | Defense | [workspaces/defense/README.md](../../workspaces/defense/README.md), [cpsample-defense-artifact-gate-20260515.md](cpsample-defense-artifact-gate-20260515.md), [dualmd-distillmd-defense-artifact-gate-20260515.md](dualmd-distillmd-defense-artifact-gate-20260515.md), [diffence-classifier-defense-artifact-gate-20260515.md](diffence-classifier-defense-artifact-gate-20260515.md), [miahold-higher-order-langevin-artifact-gate-20260515.md](miahold-higher-order-langevin-artifact-gate-20260515.md), [stableprivatelora-defense-artifact-gate-20260515.md](stableprivatelora-defense-artifact-gate-20260515.md), [ib-risk-targeted-unlearning-successor-scope.md](ib-risk-targeted-unlearning-successor-scope.md), [ib-adaptive-defense-contract-20260511.md](ib-adaptive-defense-contract-20260511.md), [ib-defense-aware-reopen-scout-20260512.md](ib-defense-aware-reopen-scout-20260512.md), [ib-defense-reopen-protocol-audit-20260512.md](ib-defense-reopen-protocol-audit-20260512.md), [ib-defended-shadow-reopen-protocol-20260512.md](ib-defended-shadow-reopen-protocol-20260512.md), [ib-reopen-shadow-reference-guard-20260512.md](ib-reopen-shadow-reference-guard-20260512.md), [ib-defended-shadow-training-manifest-20260512.md](ib-defended-shadow-training-manifest-20260512.md), [ib-shadow-local-identity-scout-20260512.md](ib-shadow-local-identity-scout-20260512.md), [ib-shadow-local-gsa-risk-preflight-20260515.md](ib-shadow-local-gsa-risk-preflight-20260515.md) | CPSample sampling-time classifier-protected defense watch-plus, DualMD/DistillMD disjoint-split defense watch-plus, DIFFENCE classifier-defense watch-plus, MIAHOLD/HOLD++ higher-order Langevin defense watch-plus, StablePrivateLoRA defense watch-plus, risk-targeted unlearning boundary, true shadow-local GSA-only risk preflight, and defended-shadow/adaptive reopen conditions. | diff --git a/workspaces/implementation/challenger-queue.md b/workspaces/implementation/challenger-queue.md index 4e7e0eb..eedcf8d 100644 
--- a/workspaces/implementation/challenger-queue.md +++ b/workspaces/implementation/challenger-queue.md @@ -9,10 +9,10 @@ timeline. Historical run IDs and dated notes are in `legacy/`. | Field | Value | | --- | --- | -| Active work | `Public metadata asset sweep completed` | +| Active work | `Rectified Flow MIA artifact gate completed` | | Active GPU task | none running | | Next GPU candidate | none selected | -| CPU sidecar | none selected after public metadata asset sweep | +| CPU sidecar | none selected after Rectified Flow MIA artifact gate | | Gray-box status | PIA remains admitted; tri-score is positive-but-bounded internal candidate; ReDiffuse candidate-only; Fashion-MNIST SimA score-norm and score-Jacobian sensitivity weak | | Non-gray-box GPU | none selected | 
@@ -20,6 +20,7 @@ timeline. Historical run IDs and dated notes are in `legacy/`. | Candidate | Track | Mode | Gate | Blocker | Next action | | --- | --- | --- | --- | --- | --- | +| Rectified Flow MIA | gray-box / Lane B | paper-source-only mechanism watch | arXiv `2603.13421` proposes Rectified Flow / Flow Matching MIA statistics `T_naive`, `T_mc`, and complexity-calibrated `T_mc_cal`, with reported low-FPR gains on CIFAR-10, SVHN, and TinyImageNet | promised GitHub repo `mx-ethan-rao/MIA_Rectified_Flow` is empty; no public refs, code, split manifests, checkpoints, score rows, ROC arrays, metric JSON, or verifier | keep as non-duplicate mechanism watch only; do not download datasets/models/checkpoints/images, implement from paper, train RF models, release CPU/GPU sidecar, or promote Platform/Runtime rows | | HF/GitHub public metadata replay packet search | intake / Lane A | closed / no new artifact | authenticated HF metadata and GitHub artifact-shaped searches checked for small target/split/score/ROC/manifest packets after DIFFENCE | only known CLiD and CopyMark HF surfaces appeared; CLiD `mia_COCO.zip` remains `403` for authenticated HEAD/range probes, CopyMark HF zip is already covered and too large, and GitHub code search returned only already-covered CopyMark/CLiD/DiffAudit evidence hits | keep as anti-duplication evidence; do not download CLiD/CopyMark ZIPs, images, model/checkpoint payloads, clone large repos, run scripts, release CPU/GPU sidecar, or promote Platform/Runtime rows | | GitHub lightweight diffusion MIA repos | intake / Lane A | false-positive triage | four direct GitHub search hits were checked: acha1934 fine-tuned diffusion MIA, KarinMalka1 personalization forensics, abramwit Boeing 707 toy project, and josephho9 empirical-score MNIST prototype | no public checkpoint-bound target, immutable target member/nonmember manifest, row-bound response packet, score rows, ROC arrays, metric JSON, trained attack weights, or verifier; some require 
Colab/Google Drive/local training | keep as anti-duplication evidence only; do not download notebooks/images/models/Drive payloads, run scripts, train/fine-tune, release CPU/GPU sidecar, or promote Platform/Runtime rows | | DEB medical diffusion MIA | gray-box / Lane B | paper-source-only mechanism watch | MDPI Applied Sciences 2026 article reports Discrete Encoding-Based grey-box intermediate-trajectory metrics against SecMI, PIA, and SimA on CIFAR/TinyImageNet and MedMNIST2D subsets | no public code, target checkpoint hashes, immutable member/nonmember manifests, intermediate-state packet, score rows, ROC arrays, metric JSON, or verifier; requires intermediate generation-state access rather than final images only | keep as mechanism watch only; do not download MedMNIST/CIFAR/TinyImageNet/Stable Diffusion assets, implement DEB from the paper, release GPU/CPU sidecar, or promote Platform/Runtime rows | diff --git a/workspaces/intake/README.md b/workspaces/intake/README.md index 4f22070..eceb477 100644 --- a/workspaces/intake/README.md +++ b/workspaces/intake/README.md 
@@ -4,6 +4,16 @@ - Direction: new method evaluation and paper scouting. - No active intake review. +- Rectified Flow MIA / arXiv `2603.13421` is a paper-source-only mechanism + watch. It is non-duplicate because it targets Rectified Flow / Flow Matching + vector fields with `T_naive`, `T_mc`, and complexity-calibrated `T_mc_cal`, + and reports strong low-FPR gains on CIFAR-10, SVHN, and TinyImageNet. The + paper source claims splits, checkpoints, training code, and testing code are + released at `mx-ethan-rao/MIA_Rectified_Flow`, but the live GitHub repository + is empty and exposes no refs, code, split manifest, checkpoint, score row, + ROC array, metric JSON, or verifier. No dataset/model/checkpoint/image + download, implementation from paper, CPU sidecar, GPU work, or admitted + Platform/Runtime row is released. - Public metadata asset sweep after the DIFFENCE Zenodo sync found no new non-duplicate image/latent-image replay packet. Authenticated HF metadata still exposes only known `zsf/COCO_MIA_ori_split1` and `chumengl/copymark`
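
Review bot: In the evidence-index hunk, the entire `Gray-box` table row is removed and re-added in order to insert one link (`rectified-flow-mia-artifact-gate-20260515.md`) and one leading summary clause, so the diff cannot show that the remaining links and summary text in that row are unchanged. Consider restructuring the row so each gate note is its own line or sub-row; the next gate would then be a one-line addition that can be reviewed on its own, and an accidental edit to a neighbouring entry would be visible.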
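
Review bot: The new `Rectified Flow MIA` row in `workspaces/implementation/challenger-queue.md` rests its Blocker column on a live external state (the `mx-ethan-rao/MIA_Rectified_Flow` repo being empty) but records neither when that was observed nor what would reopen the item, and the Next action column contains only prohibitions ("do not download ... implement from paper ..."). Add the observation date and an explicit reopen condition, for example the repo exposing refs together with a split manifest and score rows, so the watch entry can be re-verified instead of going stale.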
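
Review bot: In the added `workspaces/intake/README.md` bullet, "reports strong low-FPR gains" is worded more strongly than the challenger-queue row's "reported low-FPR gains", while the same bullet states that no score row, ROC array, or metric JSON is public to support either wording. Use one attributed phrasing in both files (for instance "the paper reports low-FPR gains") so the note does not read as an endorsed result. The bullet also uses "released" in two senses, the paper's claim that code is "released at" the repo and the closing "No ... row is released"; rewording the latter (e.g. "is approved") would remove the ambiguity.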