docs: add structural t2i mia artifact gate #256
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
|
|
@@ -2,6 +2,32 @@ | |||||
|
|
||||||
| > Last updated: 2026-05-15 | ||||||
|
|
||||||
| ## 2026-05-15 Structural MIA T2I Artifact Gate | ||||||
|
|
||||||
| Lane B mechanism discovery checked arXiv `2407.13252` / | ||||||
| `Unveiling Structural Memorization: Structural Membership Inference Attack for | ||||||
| Text-to-Image Diffusion Models` because it is a direct T2I membership line with | ||||||
| a non-duplicate structure-level signal. The proposed attack performs DDIM | ||||||
| inversion/noising in the T2I latent space, decodes the corrupted latent back to | ||||||
| pixel space, and uses structural similarity between the original and corrupted | ||||||
| image as the membership signal. The arXiv source reports strong paper-table | ||||||
| metrics, including Latent Diffusion `512x512` `AUC = 0.930`, | ||||||
| `TPR@1%FPR = 0.575`, and Stable Diffusion v1-1 `512x512` `AUC = 0.920`, | ||||||
| `TPR@1%FPR = 0.512`. | ||||||
|
|
||||||
| Decision: `paper-source-only structural T2I MIA watch / OpenReview supplement | ||||||
| PDF-only / no code-score artifact / no download / no GPU release / no admitted | ||||||
| row`. The arXiv source is TeX plus figure PDFs, exact GitHub title/code | ||||||
| searches found no official repository or artifact release, and the OpenReview | ||||||
| supplement is a `1,923,114` byte ZIP containing only `supplementary.pdf`. No | ||||||
| LAION-400M/LAION2B-en/COCO2017-Val image download, Stable Diffusion / Latent | ||||||
| Diffusion / BLIP / checkpoint acquisition, DDIM inversion implementation, | ||||||
| SSIM/structure scoring, prompt/guidance/distortion sweeps, CPU sidecar, GPU | ||||||
| work, Platform row, Runtime schema, or product copy is selected. Current slots | ||||||
| remain `active_gpu_question = none`, `next_gpu_candidate = none`, and | ||||||
| `CPU sidecar = none selected after Structural MIA T2I artifact gate`. See | ||||||
| [docs/evidence/structural-mia-t2i-artifact-gate-20260515.md](docs/evidence/structural-mia-t2i-artifact-gate-20260515.md). | ||||||
|
|
||||||
| ## 2026-05-15 Rectified Flow MIA Artifact Gate | ||||||
|
|
||||||
| Lane B mechanism discovery checked arXiv `2603.13421` / | ||||||
|
|
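Review bot: In the Decision paragraph of the new Structural MIA T2I section, the label says `no download` while the same paragraph reports that the OpenReview supplement is a `1,923,114` byte ZIP containing only `supplementary.pdf`, which reads as if the ZIP was at least fetched or listed. Suggest scoping the label to what was actually withheld (dataset, checkpoint and model payloads), stating how the ZIP contents were established, and recording a digest of the ZIP next to the byte size so the PDF-only finding can be re-checked if the supplement is later replaced. The section also gives no reopen condition of its own; the one in the status table's `Latest mechanism watch` row could be repeated or referenced here so the two places cannot drift apart.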
@@ -1928,8 +1954,9 @@ claim。 | |||||
| | --- | --- | | ||||||
| | Active GPU question | none | | ||||||
| | Next GPU candidate | none | | ||||||
| | CPU sidecar | none selected after Rectified Flow MIA artifact gate. The admitted bundle remains five-row `admitted-only`; recent watch/watch-plus/support-only/candidate/score-artifact/semantic-shift/defense-watch, public-metadata, and rectified-flow mechanism gates did not change Platform/Runtime rows, schemas, product copy, downloads, or GPU release. | | ||||||
| | Latest mechanism watch | Rectified Flow MIA / arXiv `2603.13421` is non-duplicate and mechanism-relevant, but the promised GitHub repository is empty; reopen only if public splits, checkpoints, code, score/ROC/metric artifacts, or a verifier appear. | | ||||||
| | CPU sidecar | none selected after Structural MIA T2I artifact gate. The admitted bundle remains five-row `admitted-only`; recent watch/watch-plus/support-only/candidate/score-artifact/semantic-shift/defense-watch, public-metadata, rectified-flow, and structural-T2I mechanism gates did not change Platform/Runtime rows, schemas, product copy, downloads, or GPU release. | | ||||||
| | Latest mechanism watch | Structural MIA T2I / arXiv `2407.13252` is non-duplicate and mechanism-relevant, but the arXiv source is TeX/figures only, exact GitHub searches found no official release, and the OpenReview supplement is PDF-only; reopen only if public code, row manifests, target hashes, score/ROC/metric artifacts, or a verifier appear. | | ||||||
| | Previous mechanism watch | Rectified Flow MIA / arXiv `2603.13421` is non-duplicate and mechanism-relevant, but the promised GitHub repository is empty; reopen only if public splits, checkpoints, code, score/ROC/metric artifacts, or a verifier appear. | | ||||||
| | Latest closed search branch | HF/GitHub public metadata sweep is closed unless CLiD exposes a row manifest or metadata-only ZIP inspection, CopyMark publishes compact row-bound verifier artifacts, or a new repository/dataset appears with a small target/split/score/ROC/metric packet. | | ||||||
| | Highest-value next action | Continue non-duplicate asset search only for candidates with public target identity, member/nonmember split artifacts, and response/score coverage. CPSample remains defense watch-plus; reopen it only if checkpoint-bound denoiser/classifier artifacts or hashes, exact train/test/subset row identities, protected/unprotected row-bound score packets, ROC/metric JSON, retained-utility metrics, and a defended-vs-undefended adaptive-attacker consumer contract are public. DSiRe / LoRA-WiSE remains a future weight-only privacy lane candidate, but reopen it only if DiffAudit explicitly opens a weight-only LoRA dataset-size recovery consumer contract with MAE/MAPE/accuracy as primary metrics and language separating aggregate model-weight cardinality leakage from per-sample MIA. CopyMark is now official Research-side score-artifact support evidence, but reopen it only if authors publish a compact row-ID-bound score manifest, checkpoint hashes, a no-training verifier, or a small immutable data/checkpoint packet that avoids the full HF zip and model-folder downloads. VAE2Diffusion remains code-public latent-space MIA watch-plus; reopen it only if public split manifests, matching checkpoints or generated response/feature caches, score rows, ROC/metric JSON, verifier outputs, or another bounded no-training artifact appears. DCR remains copying/memorization semantic-shift watch-plus; reopen it only if a public available LAION split or equivalent immutable image manifest, target checkpoint/generated response packets, score rows, ROC/metric JSON, verifier outputs, or an explicit copying/memorization consumer-boundary lane appear. 
FCRE remains a medical-image frequency-calibrated reconstruction-error paper-source watch item; reopen it only if official code plus frozen split manifests, matching target checkpoints, generated reconstruction packets, reusable score rows, ROC/metric JSON, verifier outputs, or a reviewed medical-image consumer-boundary lane appear. Tabular Privacy Leakage TDM is a single-table tabular code-public watch-plus item; reopen it only if paper-bound Berka/Diabetes target checkpoints, immutable split manifests, generated synthetic tables, reusable score rows, ROC/metric JSON, verifier outputs, or a reviewed tabular consumer-boundary lane appear. TMIA-DM remains a temporal-noise / noise-gradient paper-only mechanism watch item; reopen it only if official public code plus immutable target/split artifacts and reusable score/ROC/metric packets appear. Shake-to-Leak is a fine-tuning-amplified generative-privacy code-public watch-plus item, but reopen it only if public checkpoint-bound score artifacts, immutable split manifests, generated private-set packets, or ready verifier outputs appear. FSECLab MIA-Diffusion is a direct diffusion-MIA code-public watch-plus item, but reopen it only if public checkpoint-bound score artifacts, immutable split manifests, generated sample packets, or ready verifier outputs appear. MT-MIA remains useful public score-packet support evidence, but reopen it only if DiffAudit explicitly opens a relational-tabular synthetic-data membership lane, authors publish row-ID-bound verifier artifacts, or paperization needs clearly labeled cross-domain support outside Platform/Runtime rows. Reopen LSA-Probe only if real public adversarial-cost score artifacts, exact music/audio target identities, and exact member/nonmember manifests appear, or if DiffAudit explicitly opens a music/audio lane. 
Reopen DualMD/DistillMD only if public checkpoint-bound defended/undefended score artifacts, ROC arrays, metric JSON, generated response packets, or a bounded verifier appear and a consumer-boundary decision explicitly admits disjoint-training defense evidence. Reopen DIFFENCE only if public checkpoint-bound defended/undefended score artifacts or a bounded verifier appear and a consumer-boundary decision explicitly admits classifier-defense evidence. Reopen MIAHOLD/HOLD++ only if public checkpoint-bound score artifacts or a bounded verifier appear, plus an explicit TTS/audio consumer-boundary decision before any audio lane execution. Reopen the Quantile/SecMI-style support packet only if explicit quantile-regression score outputs, trained quantile artifacts, or a bounded verifier command are released, or if a consumer-boundary review approves third-party SecMI-style packets as paperization support without Platform/Runtime admission. Reopen ReproMIA only if a current non-withdrawn paper plus official public code, exact target/split manifests, and reusable score/metric artifacts appear; reopen Tracing Roots only if raw target checkpoint identity, raw sample manifests, or a feature-packet consumer-boundary decision appears; reopen CLiD only if authors publish a row manifest or HF gated access allows metadata-only manifest inspection. | | ||||||
| | Stop condition | Do not download CIFAR-10, CelebA, LSUN, Stable Diffusion weights, denoiser/classifier checkpoints, generated images, or missing Google Drive placeholders for CPSample; do not run `python main.py`, train classifiers, fine-tune denoisers, generate protected/unprotected images, run `--inference_attack`, or launch CPU/GPU sidecars from this gate. Do not download LoRA-WiSE parquet shards, image folders, Stable Diffusion weights, or LoRA tensor payloads; do not run `python dsire.py`, FAISS/SVD sweeps, CPU sidecars, or GPU work unless a separate weight-only consumer contract is opened. Do not download CopyMark HF `datasets.zip`, image folders, Stable Diffusion/CommonCanvas/LDM/Kohaku weights, LAION/COCO/CC12M/YFCC/DataComp/FFHQ/CelebA-HQ/CommonCatalog payloads, or model folders; do not clone the full repo by default, run PIA/PFAMI/SecMI/GSA scripts, regenerate features, fit XGBoost models, or launch GPU work from the CopyMark official score artifact gate. Do not download CIFAR-10, CelebA, ImageNet-1K, Pokemon, COCO, Flickr, LAION, Stable Diffusion weights, VAE/LDM checkpoints, split payloads, generated responses, or pullback/per-dim caches for VAE2Diffusion; do not train LDMs, fine-tune Stable Diffusion, run SimA/PFAMI/PIA variants, or launch GPU work from that gate. Do not download LAION payloads, DCR Drive split folders, Stable Diffusion weights, generated image sets, or retrieval outputs; do not fine-tune, infer, run retrieval, or launch GPU work for DCR. Do not download FeTS, ChestX-ray8, CIFAR-10, or medical-image payloads, train diffusion targets, run DDIM reconstruction, sweep frequency bands, or launch GPU work for FCRE. Do not download Berka/Diabetes/MIDST resources, train ClavaDDPM targets or shadows, run Tartan Federer/Ensemble/EPT attacks, promote MIDST toolkit integration-test fixtures, or launch GPU work for Tabular Privacy Leakage TDM. 
Do not download CIFAR/Tiny-ImageNet/Pokemon/LAION/COCO assets, train or fine-tune diffusion targets, reconstruct temporal-noise trajectory pipelines, or launch GPU work for TMIA-DM. Do not download Stable Diffusion weights, LAION/person images, synthetic private sets, or checkpoints for Shake-to-Leak; do not run `sp_gen.py`, LoRA/DB/End2End fine-tuning, SecMI scripts, or data extraction from that gate. Do not download CIFAR-10, CelebA, DDIM/DCGAN checkpoints, generated samples, or full repo payloads for FSECLab MIA-Diffusion; do not run DDIM/DCGAN training, sampling, attack scripts, or TTUR evaluation from that gate. Do not download MT-MIA raw figshare datasets, synthetic CSV payloads, ClavaDDPM/RelDiff training assets, or the full repository; do not regenerate high-cost RelDiff outputs or promote relational-tabular score packets without a consumer-boundary decision. Do not download MAESTRO, FMA-Large, DiffWave, MusicLDM, audio clips, checkpoints, or GitHub Pages demo JSON as LSA-Probe experiment evidence; do not implement LSA-Probe from the TeX or demo. Do not download the DualMD/DistillMD SharePoint Pokemon payload, Stable Diffusion weights, CIFAR/CIFAR100/STL10/Tiny-ImageNet datasets, or run DDPM/LDM training, distillation, SecMIA/PIA, black-box attack scripts, or launch GPU jobs from this gate. Do not download DIFFENCE Google Drive diffusion/target model folders or CIFAR/SVHN datasets; do not train classifiers or diffusion models, generate DIFFENCE reconstructions, run MIA scripts, or launch GPU jobs from that gate. Do not download MIAHOLD/HOLD++ Grad-TTS, HiFi-GAN, CLD-SGM, CIFAR, CelebA, LJSpeech, or LibriTTS assets; do not scrape W&B, train HOLD++ CIFAR/audio models, regenerate PIA scores, or launch GPU jobs from that gate. 
Do not clone the full `neilkale/quantile-diffusion-mia` repository by default, download pretrained DDPM checkpoints/CIFAR archives/SharePoint model folders, run training, fit quantile models, recover W&B artifacts, or launch GPU jobs from that support packet. Do not promote CPSample, DSiRe / LoRA-WiSE, CopyMark, VAE2Diffusion, DCR, FCRE, Tabular Privacy Leakage TDM, TMIA-DM, Shake-to-Leak, FSECLab MIA-Diffusion, MT-MIA, LSA-Probe, DualMD/DistillMD, DIFFENCE, or MIAHOLD as admitted rows, Quantile replay as a Quantile Regression result, or any of these lines as admitted Platform/Runtime rows. Keep the existing no-download/no-GPU constraints for ReproMIA, DMin, ELSA, Memorization Anisotropy, FERMI, DurMI, FMIA, CLiD, StablePrivateLoRA, MIDM, GGDM, Diffusion Memorization, ReDiffuse, and same-family MIDST expansions. | | ||||||
|
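Review bot: The `Highest-value next action` and `Stop condition` rows in the trailing context are left unchanged, so the new gate's constraints appear only in the `CPU sidecar` and `Latest mechanism watch` rows. The `Stop condition` cell spells out per-item no-download and no-run lists for CPSample, CopyMark, VAE2Diffusion and others, but has no clause for Structural MIA T2I, and the closing "Keep the existing no-download/no-GPU constraints for ..." list does not name it either. Suggest adding a short clause there, or appending the item to that closing list, so a reader who consults only the stop condition sees that the LAION/COCO, Stable Diffusion / Latent Diffusion / BLIP and DDIM inversion work named in the new section stays out of scope.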
The gate name `structural-T2I` is inconsistent with the naming used in the rest of the document (e.g., `Structural MIA T2I` in the headers and `AGENTS.md`). Using a consistent name helps with searchability and clarity within the tracking tables.