docs: add rectified flow mia artifact gate

AGENTS.md

@@ -28,7 +28,7 @@ Do not start from memory or old chat context. Re-anchor on repository files.
 
 ## Current Operating State
 
-- Active work: `Public metadata asset sweep completed after the DIFFENCE Zenodo snapshot sync, GitHub lightweight diffusion MIA triage, DEB, CPSample, DSiRe / LoRA-WiSE, hyperparameter-free SecMI, DME, FreMIA, and CopyMark gates. Status: latest verdict note, workspace-evidence index, Research ROADMAP, AGENTS, intake workspace note, and root ROADMAP are synchronized to the public metadata asset sweep. Authenticated Hugging Face metadata and GitHub artifact-shaped searches found no new non-duplicate image/latent-image diffusion-MIA replay packet. The only relevant HF surfaces remain known CLiD and CopyMark entries: CLiD's 1.62 GB gated zip still returns 403 for authenticated HEAD/range probes, and CopyMark's 5.66 GB zip is already covered by the official score-artifact gate. No CLiD/CopyMark ZIP, image payload, Stable Diffusion/CommonCanvas/LDM/Kohaku/COCO/LAION payload, model/checkpoint, full-repo download, script execution, CPU sidecar, GPU work, Platform/Runtime row, schema change, or product copy is released. active_gpu_question = none; next_gpu_candidate = none; CPU sidecar = none selected after public metadata asset sweep.`
+- Active work: `Rectified Flow MIA artifact gate completed after the public metadata asset sweep, DIFFENCE Zenodo snapshot sync, GitHub lightweight diffusion MIA triage, DEB, CPSample, DSiRe / LoRA-WiSE, hyperparameter-free SecMI, DME, FreMIA, and CopyMark gates. Status: latest verdict note, workspace-evidence index, Research ROADMAP, AGENTS, intake/implementation workspace notes, and root ROADMAP are synchronized to the Rectified Flow MIA artifact gate. arXiv 2603.13421 is a non-duplicate Rectified Flow / Flow Matching MIA mechanism watch with reported complexity-calibrated Monte Carlo score gains, but the promised mx-ethan-rao/MIA_Rectified_Flow public repository is empty and no split manifest, checkpoint, score row, ROC array, metric JSON, verifier, dataset/model/checkpoint/image download, implementation from paper, CPU sidecar, GPU work, Platform/Runtime row, schema change, or product copy is released. active_gpu_question = none; next_gpu_candidate = none; CPU sidecar = none selected after Rectified Flow MIA artifact gate.`
 - Next GPU candidate: none selected
 - Long-horizon control: follow `ROADMAP.md` section
   `Long-Horizon Research Task Board（2026-05-13 起）` before reopening any

ROADMAP.md

@@ -2,6 +2,32 @@
 
 > Last updated: 2026-05-15
 
+## 2026-05-15 Rectified Flow MIA Artifact Gate
+
+Lane B mechanism discovery checked arXiv `2603.13421` /
+`Generalization and Memorization in Rectified Flow` because it is a
+non-duplicate image generative-model MIA line: the target family is Rectified
+Flow / Flow Matching, and the proposed signal is midpoint vector-field
+memorization with complexity-calibrated Monte Carlo scoring. The arXiv source
+reports `T_mc_cal` gains over `T_mc` across CIFAR-10 (`AUC = 84.89`,
+`TPR@1%FPR = 27.88`), SVHN (`AUC = 79.43`, `TPR@1%FPR = 16.46`), and
+TinyImageNet (`AUC = 92.96`, `TPR@1%FPR = 50.03`) on the paper's percentage
+scale. It also claims data splits, checkpoints, training code, and testing code
+are released at `mx-ethan-rao/MIA_Rectified_Flow`.
+
+Decision: `paper-source-only rectified-flow MIA mechanism watch / promised
+GitHub repo empty / no code-score artifact / no download / no GPU release / no
+admitted row`. The live GitHub repository exists but is empty: default branch
+`master`, repo size `0`, no license, GitHub refs report `Git Repository is
+empty`, and `git ls-remote` returns no refs. No CIFAR-10/SVHN/TinyImageNet
+download, Rectified Flow checkpoint/model/image acquisition, `T_naive` /
+`T_mc` / `T_mc_cal` implementation, complexity-calibration implementation,
+Symmetric Exponential training, CPU sidecar, GPU work, Platform row, Runtime
+schema, or product copy is selected. Current slots remain
+`active_gpu_question = none`, `next_gpu_candidate = none`, and
+`CPU sidecar = none selected after Rectified Flow MIA artifact gate`. See
+[docs/evidence/rectified-flow-mia-artifact-gate-20260515.md](docs/evidence/rectified-flow-mia-artifact-gate-20260515.md).
+
 ## 2026-05-15 Public Metadata Asset Sweep
 
 Lane A checked the post-DIFFENCE public metadata surface before opening another
@@ -1902,7 +1928,8 @@ claim。
 | --- | --- |
 | Active GPU question | none |
 | Next GPU candidate | none |
-| CPU sidecar | none selected after public metadata asset sweep. The admitted bundle remains five-row `admitted-only`; recent watch/watch-plus/support-only/candidate/score-artifact/semantic-shift/defense-watch and public-metadata gates did not change Platform/Runtime rows, schemas, product copy, downloads, or GPU release. |
+| CPU sidecar | none selected after Rectified Flow MIA artifact gate. The admitted bundle remains five-row `admitted-only`; recent watch/watch-plus/support-only/candidate/score-artifact/semantic-shift/defense-watch, public-metadata, and rectified-flow mechanism gates did not change Platform/Runtime rows, schemas, product copy, downloads, or GPU release. |
+| Latest mechanism watch | Rectified Flow MIA / arXiv `2603.13421` is non-duplicate and mechanism-relevant, but the promised GitHub repository is empty; reopen only if public splits, checkpoints, code, score/ROC/metric artifacts, or a verifier appear. |
 | Latest closed search branch | HF/GitHub public metadata sweep is closed unless CLiD exposes a row manifest or metadata-only ZIP inspection, CopyMark publishes compact row-bound verifier artifacts, or a new repository/dataset appears with a small target/split/score/ROC/metric packet. |
 | Highest-value next action | Continue non-duplicate asset search only for candidates with public target identity, member/nonmember split artifacts, and response/score coverage. CPSample remains defense watch-plus; reopen it only if checkpoint-bound denoiser/classifier artifacts or hashes, exact train/test/subset row identities, protected/unprotected row-bound score packets, ROC/metric JSON, retained-utility metrics, and a defended-vs-undefended adaptive-attacker consumer contract are public. DSiRe / LoRA-WiSE remains a future weight-only privacy lane candidate, but reopen it only if DiffAudit explicitly opens a weight-only LoRA dataset-size recovery consumer contract with MAE/MAPE/accuracy as primary metrics and language separating aggregate model-weight cardinality leakage from per-sample MIA. CopyMark is now official Research-side score-artifact support evidence, but reopen it only if authors publish a compact row-ID-bound score manifest, checkpoint hashes, a no-training verifier, or a small immutable data/checkpoint packet that avoids the full HF zip and model-folder downloads. VAE2Diffusion remains code-public latent-space MIA watch-plus; reopen it only if public split manifests, matching checkpoints or generated response/feature caches, score rows, ROC/metric JSON, verifier outputs, or another bounded no-training artifact appears. DCR remains copying/memorization semantic-shift watch-plus; reopen it only if a public available LAION split or equivalent immutable image manifest, target checkpoint/generated response packets, score rows, ROC/metric JSON, verifier outputs, or an explicit copying/memorization consumer-boundary lane appear. FCRE remains a medical-image frequency-calibrated reconstruction-error paper-source watch item; reopen it only if official code plus frozen split manifests, matching target checkpoints, generated reconstruction packets, reusable score rows, ROC/metric JSON, verifier outputs, or a reviewed medical-image consumer-boundary lane appear. Tabular Privacy Leakage TDM is a single-table tabular code-public watch-plus item; reopen it only if paper-bound Berka/Diabetes target checkpoints, immutable split manifests, generated synthetic tables, reusable score rows, ROC/metric JSON, verifier outputs, or a reviewed tabular consumer-boundary lane appear. TMIA-DM remains a temporal-noise / noise-gradient paper-only mechanism watch item; reopen it only if official public code plus immutable target/split artifacts and reusable score/ROC/metric packets appear. Shake-to-Leak is a fine-tuning-amplified generative-privacy code-public watch-plus item, but reopen it only if public checkpoint-bound score artifacts, immutable split manifests, generated private-set packets, or ready verifier outputs appear. FSECLab MIA-Diffusion is a direct diffusion-MIA code-public watch-plus item, but reopen it only if public checkpoint-bound score artifacts, immutable split manifests, generated sample packets, or ready verifier outputs appear. MT-MIA remains useful public score-packet support evidence, but reopen it only if DiffAudit explicitly opens a relational-tabular synthetic-data membership lane, authors publish row-ID-bound verifier artifacts, or paperization needs clearly labeled cross-domain support outside Platform/Runtime rows. Reopen LSA-Probe only if real public adversarial-cost score artifacts, exact music/audio target identities, and exact member/nonmember manifests appear, or if DiffAudit explicitly opens a music/audio lane. Reopen DualMD/DistillMD only if public checkpoint-bound defended/undefended score artifacts, ROC arrays, metric JSON, generated response packets, or a bounded verifier appear and a consumer-boundary decision explicitly admits disjoint-training defense evidence. Reopen DIFFENCE only if public checkpoint-bound defended/undefended score artifacts or a bounded verifier appear and a consumer-boundary decision explicitly admits classifier-defense evidence. Reopen MIAHOLD/HOLD++ only if public checkpoint-bound score artifacts or a bounded verifier appear, plus an explicit TTS/audio consumer-boundary decision before any audio lane execution. Reopen the Quantile/SecMI-style support packet only if explicit quantile-regression score outputs, trained quantile artifacts, or a bounded verifier command are released, or if a consumer-boundary review approves third-party SecMI-style packets as paperization support without Platform/Runtime admission. Reopen ReproMIA only if a current non-withdrawn paper plus official public code, exact target/split manifests, and reusable score/metric artifacts appear; reopen Tracing Roots only if raw target checkpoint identity, raw sample manifests, or a feature-packet consumer-boundary decision appears; reopen CLiD only if authors publish a row manifest or HF gated access allows metadata-only manifest inspection. |
 | Stop condition | Do not download CIFAR-10, CelebA, LSUN, Stable Diffusion weights, denoiser/classifier checkpoints, generated images, or missing Google Drive placeholders for CPSample; do not run `python main.py`, train classifiers, fine-tune denoisers, generate protected/unprotected images, run `--inference_attack`, or launch CPU/GPU sidecars from this gate. Do not download LoRA-WiSE parquet shards, image folders, Stable Diffusion weights, or LoRA tensor payloads; do not run `python dsire.py`, FAISS/SVD sweeps, CPU sidecars, or GPU work unless a separate weight-only consumer contract is opened. Do not download CopyMark HF `datasets.zip`, image folders, Stable Diffusion/CommonCanvas/LDM/Kohaku weights, LAION/COCO/CC12M/YFCC/DataComp/FFHQ/CelebA-HQ/CommonCatalog payloads, or model folders; do not clone the full repo by default, run PIA/PFAMI/SecMI/GSA scripts, regenerate features, fit XGBoost models, or launch GPU work from the CopyMark official score artifact gate. Do not download CIFAR-10, CelebA, ImageNet-1K, Pokemon, COCO, Flickr, LAION, Stable Diffusion weights, VAE/LDM checkpoints, split payloads, generated responses, or pullback/per-dim caches for VAE2Diffusion; do not train LDMs, fine-tune Stable Diffusion, run SimA/PFAMI/PIA variants, or launch GPU work from that gate. Do not download LAION payloads, DCR Drive split folders, Stable Diffusion weights, generated image sets, or retrieval outputs; do not fine-tune, infer, run retrieval, or launch GPU work for DCR. Do not download FeTS, ChestX-ray8, CIFAR-10, or medical-image payloads, train diffusion targets, run DDIM reconstruction, sweep frequency bands, or launch GPU work for FCRE. Do not download Berka/Diabetes/MIDST resources, train ClavaDDPM targets or shadows, run Tartan Federer/Ensemble/EPT attacks, promote MIDST toolkit integration-test fixtures, or launch GPU work for Tabular Privacy Leakage TDM. Do not download CIFAR/Tiny-ImageNet/Pokemon/LAION/COCO assets, train or fine-tune diffusion targets, reconstruct temporal-noise trajectory pipelines, or launch GPU work for TMIA-DM. Do not download Stable Diffusion weights, LAION/person images, synthetic private sets, or checkpoints for Shake-to-Leak; do not run `sp_gen.py`, LoRA/DB/End2End fine-tuning, SecMI scripts, or data extraction from that gate. Do not download CIFAR-10, CelebA, DDIM/DCGAN checkpoints, generated samples, or full repo payloads for FSECLab MIA-Diffusion; do not run DDIM/DCGAN training, sampling, attack scripts, or TTUR evaluation from that gate. Do not download MT-MIA raw figshare datasets, synthetic CSV payloads, ClavaDDPM/RelDiff training assets, or the full repository; do not regenerate high-cost RelDiff outputs or promote relational-tabular score packets without a consumer-boundary decision. Do not download MAESTRO, FMA-Large, DiffWave, MusicLDM, audio clips, checkpoints, or GitHub Pages demo JSON as LSA-Probe experiment evidence; do not implement LSA-Probe from the TeX or demo. Do not download the DualMD/DistillMD SharePoint Pokemon payload, Stable Diffusion weights, CIFAR/CIFAR100/STL10/Tiny-ImageNet datasets, or run DDPM/LDM training, distillation, SecMIA/PIA, black-box attack scripts, or launch GPU jobs from this gate. Do not download DIFFENCE Google Drive diffusion/target model folders or CIFAR/SVHN datasets; do not train classifiers or diffusion models, generate DIFFENCE reconstructions, run MIA scripts, or launch GPU jobs from that gate. Do not download MIAHOLD/HOLD++ Grad-TTS, HiFi-GAN, CLD-SGM, CIFAR, CelebA, LJSpeech, or LibriTTS assets; do not scrape W&B, train HOLD++ CIFAR/audio models, regenerate PIA scores, or launch GPU jobs from that gate. Do not clone the full `neilkale/quantile-diffusion-mia` repository by default, download pretrained DDPM checkpoints/CIFAR archives/SharePoint model folders, run training, fit quantile models, recover W&B artifacts, or launch GPU jobs from that support packet. Do not promote CPSample, DSiRe / LoRA-WiSE, CopyMark, VAE2Diffusion, DCR, FCRE, Tabular Privacy Leakage TDM, TMIA-DM, Shake-to-Leak, FSECLab MIA-Diffusion, MT-MIA, LSA-Probe, DualMD/DistillMD, DIFFENCE, or MIAHOLD as admitted rows, Quantile replay as a Quantile Regression result, or any of these lines as admitted Platform/Runtime rows. Keep the existing no-download/no-GPU constraints for ReproMIA, DMin, ELSA, Memorization Anisotropy, FERMI, DurMI, FMIA, CLiD, StablePrivateLoRA, MIDM, GGDM, Diffusion Memorization, ReDiffuse, and same-family MIDST expansions. |