Record LeakyCLIP boundary gate #303
Code Review
This pull request documents the 'LeakyCLIP' CLIP-inversion boundary gate, categorizing it as research-only evidence for multimodal privacy rather than a diffusion membership asset. The changes include updates to the roadmap, reproduction status, and a new detailed evidence document. Reviewer feedback focuses on improving the readability and maintainability of the Markdown source by suggesting structural improvements to long paragraphs in AGENTS.md and the use of line breaks within dense table rows in the evidence documentation.
| ## Current Operating State | ||
|
|
||
| - Active work: `2026-05-25 ReDiffuse DDPM/STL-10 bounded scout plus SimA-style score-norm one-pass scorer are the latest roadmap operating-system update. The official STL-10 split is exact and public, and the local pipeline produced a short-target checkpoint plus 256 / 256 score packet, but fixed-timestep denoising-loss is random-level: AUC = 0.4996337890625, ASR = 0.509765625, TPR@1%FPR = 0.01171875, TPR@0.1%FPR = 0.0. The same checkpoint and split also failed a different denoiser-output norm observable: AUC = 0.5052947998046875, ASR = 0.525390625, TPR@1%FPR = 0.03125, TPR@0.1%FPR = 0.01953125. This is scoreable negative evidence, not a second asset, not a full-paper reproduction, and not an admitted row. active_gpu_question = none; next_gpu_candidate = none; CPU sidecar = none selected after ReDiffuse STL-10 denoising-loss and score-norm weak results.` | ||
| - Active work: `2026-05-25 LeakyCLIP CLIP-inversion boundary gate is the latest Lane A metadata-only update. The official dongdongunique/LeakyCLIP repo is code-public and exposes CLIP inversion, embedding alignment, Stable Diffusion refinement, metrics, configs, and scripts, but the audited target is CLIP and diffusion is only an optional refinement stage. The checked public surface has no frozen target hashes, immutable member/nonmember manifests, generated reconstruction packet, per-row membership score file, ROC array, metric JSON, trained alignment weights, or no-training verifier. This is CLIP / multimodal privacy watch-plus, not a second diffusion asset, not a Platform/Runtime row, and not a GPU or download release. active_gpu_question = none; next_gpu_candidate = none; CPU sidecar = none selected after LeakyCLIP CLIP-inversion boundary gate. ReDiffuse DDPM/STL-10 remains closed by default after the weak bounded scout (AUC = 0.4996337890625) and weak SimA-style score-norm scorer (AUC = 0.5052947998046875).` |
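Review bot: the replacement Active work line keeps only the two ReDiffuse AUCs and drops the ASR, TPR@1%FPR and TPR@0.1%FPR values that the removed line recorded for both the denoising-loss scout and the score-norm scorer; if Current Operating State is meant to be read on its own, keep the full metric set for the two weak results or link the reproduction-status row that holds them, so the "weak bounded scout" and "weak score-norm scorer" claims stay verifiable from this section.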
This line is very long and difficult to read. The use of backticks for a long paragraph of text is also unconventional. For better maintainability and readability, consider restructuring this information. Instead of a single long line within backticks, you could use a multi-line blockquote or break it down into a nested list. This would make the information much easier to parse and edit.
| - Active work: `2026-05-25 LeakyCLIP CLIP-inversion boundary gate is the latest Lane A metadata-only update. The official dongdongunique/LeakyCLIP repo is code-public and exposes CLIP inversion, embedding alignment, Stable Diffusion refinement, metrics, configs, and scripts, but the audited target is CLIP and diffusion is only an optional refinement stage. The checked public surface has no frozen target hashes, immutable member/nonmember manifests, generated reconstruction packet, per-row membership score file, ROC array, metric JSON, trained alignment weights, or no-training verifier. This is CLIP / multimodal privacy watch-plus, not a second diffusion asset, not a Platform/Runtime row, and not a GPU or download release. active_gpu_question = none; next_gpu_candidate = none; CPU sidecar = none selected after LeakyCLIP CLIP-inversion boundary gate. ReDiffuse DDPM/STL-10 remains closed by default after the weak bounded scout (AUC = 0.4996337890625) and weak SimA-style score-norm scorer (AUC = 0.5052947998046875).` | |
| - Active work: | |
| > **2026-05-25 LeakyCLIP CLIP-inversion boundary gate:** This is the latest Lane A metadata-only update. The official `dongdongunique/LeakyCLIP` repo is code-public and exposes CLIP inversion, embedding alignment, Stable Diffusion refinement, metrics, configs, and scripts, but the audited target is CLIP and diffusion is only an optional refinement stage. The checked public surface has no frozen target hashes, immutable member/nonmember manifests, generated reconstruction packet, per-row membership score file, ROC array, metric JSON, trained alignment weights, or no-training verifier. This is CLIP / multimodal privacy watch-plus, not a second diffusion asset, not a Platform/Runtime row, and not a GPU or download release. | |
| > | |
| > **Slots:** `active_gpu_question = none; next_gpu_candidate = none; CPU sidecar = none selected after LeakyCLIP CLIP-inversion boundary gate`. | |
| > | |
| > **ReDiffuse DDPM/STL-10:** Remains closed by default after the weak bounded scout (AUC = 0.4996337890625) and weak SimA-style score-norm scorer (AUC = 0.5052947998046875). |
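Review bot: in the suggested replacement the `>` blockquote lines that follow `- Active work:` start at column 0, so under CommonMark they end the list item and render as a sibling blockquote rather than as the item's body; indent each quoted line by two spaces (`  > **2026-05-25 LeakyCLIP CLIP-inversion boundary gate:** ...`, `  >`, `  > **Slots:** ...`) so the slots and the ReDiffuse status stay nested under the bullet. The trailing period after the closing backtick in the `**Slots:**` line should also move inside the code span or be dropped, since the slot string is otherwise quoted verbatim.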
| | GUARD surgical mitigation | `hold-semantic-shift` | arXiv `2603.00133` / `You Don't Need All That Attention: Surgical Memorization Mitigation in Text-to-Image Diffusion Models` is official code-public memorization-mitigation watch evidence. The `kairanzhao/GUARD` repo exposes `sdv1_500_mem` inference, detection, mask-generation, metric, and vendored `open_clip` code, but the release requires Google Drive benchmark assets and Stable Diffusion/reference model execution rather than shipping checkpoint-bound target identities, immutable row manifests, generated response packets, pre/post GUARD score rows, ROC arrays, metric JSON, retained-utility artifacts, or a no-training verifier. No arXiv source, GitHub archive, Google Drive payload, Stable Diffusion/reference model weight, generated image, mask, checkpoint, script execution, CPU/GPU sidecar, or Platform/Runtime row is selected. See [guard-surgical-mitigation-artifact-gate-20260523.md](guard-surgical-mitigation-artifact-gate-20260523.md). | | ||
| | BAF LoRA parameter-space mitigation | `hold-semantic-shift` | arXiv `2605.10439` / `Filtering Memorization from Parameter-Space in Diffusion Models` is a weight-only LoRA memorization-mitigation watch item. The paper proposes Base-Anchored Filtering, a post-hoc, training-free, data-free method that decomposes LoRA updates into spectral channels and suppresses weakly backbone-aligned channels as possible memorization carriers. The public surface is supplementary-code-claim-only: arXiv HTML says code is in supplementary material, but GitHub exact-title/arXiv-id/BAF searches found no official public repository, target LoRA/checkpoint bundle, training-image manifest, member/nonmember rows, generated response packet, per-row score file, ROC array, metric JSON, retained-utility artifact, or verifier. No arXiv source/supplement, LoRA weights, SD base weights, training images, mitigation implementation, CPU/GPU sidecar, or Platform/Runtime row is selected. See [baf-lora-parameter-space-mitigation-gate-20260523.md](baf-lora-parameter-space-mitigation-gate-20260523.md). | | ||
| | Broken Memories | `hold-semantic-shift` | arXiv `2605.22050` / `Broken Memories: Detecting and Mitigating Memorization in Diffusion Models with Degraded Generations` is fresh Stable Diffusion memorization detection/mitigation evidence with reported SD `1.4` `AUC > 0.999`, `0.0%` post-mitigation memorization rate, and about `0.01s` overhead. It is not a current per-sample membership row: arXiv metadata and GitHub searches expose no official code, exact prompt/image manifest, generated image packet, internal trace, per-row score file, ROC array, metric JSON, mitigation-decision artifact, or verifier. No arXiv source tarball, Stable Diffusion weights, LAION/Webster assets, implementation-from-paper, CPU/GPU sidecar, or Platform/Runtime row is selected. See [broken-memories-artifact-gate-20260523.md](broken-memories-artifact-gate-20260523.md). | | ||
| | LeakyCLIP CLIP inversion | `hold-semantic-shift` | arXiv `2508.00756` / `LeakyCLIP: Extracting Training Data from CLIP` is official code-public CLIP inversion / multimodal privacy evidence. The repository exposes real inversion/refinement code, configs, metrics, scripts, and README instructions, but the audited target is CLIP; Stable Diffusion is only an optional refinement component. The checked public tree has no frozen CLIP/SDXL/VAE hashes, immutable member/nonmember manifests, generated reconstruction packet, per-row membership score file, ROC array, metric JSON, trained embedding-alignment weights, or no-training verifier. No CLIP/SDXL/VAE/SSCD/model/dataset download, inversion/refinement run, CPU/GPU sidecar, or Platform/Runtime row is selected. See [leakyclip-clip-inversion-boundary-gate-20260525.md](leakyclip-clip-inversion-boundary-gate-20260525.md). | |
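Review bot: the new LeakyCLIP row's status cell says `hold-semantic-shift`, while the AGENTS.md entry in the same change calls the item "CLIP / multimodal privacy watch-plus" and the evidence index row files it under "Research-only watch / support / semantic-shift"; use one status label for the item in all three places, or state in this row which of those labels `hold-semantic-shift` maps to, so a reader checking admission state gets a single answer. The row also says "trained embedding-alignment weights" where the AGENTS.md line says "trained alignment weights"; pick one term.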
This table row contains a very long line of text, which harms readability and maintainability of the markdown source. Consider adding line breaks (<br>) to split the content into more manageable paragraphs. This will make the table cell easier to read and edit without affecting the rendered output.
| | LeakyCLIP CLIP inversion | `hold-semantic-shift` | arXiv `2508.00756` / `LeakyCLIP: Extracting Training Data from CLIP` is official code-public CLIP inversion / multimodal privacy evidence. The repository exposes real inversion/refinement code, configs, metrics, scripts, and README instructions, but the audited target is CLIP; Stable Diffusion is only an optional refinement component. The checked public tree has no frozen CLIP/SDXL/VAE hashes, immutable member/nonmember manifests, generated reconstruction packet, per-row membership score file, ROC array, metric JSON, trained embedding-alignment weights, or no-training verifier. No CLIP/SDXL/VAE/SSCD/model/dataset download, inversion/refinement run, CPU/GPU sidecar, or Platform/Runtime row is selected. See [leakyclip-clip-inversion-boundary-gate-20260525.md](leakyclip-clip-inversion-boundary-gate-20260525.md). | | |
| | LeakyCLIP CLIP inversion | `hold-semantic-shift` | arXiv `2508.00756` / `LeakyCLIP: Extracting Training Data from CLIP` is official code-public CLIP inversion / multimodal privacy evidence. The repository exposes real inversion/refinement code, configs, metrics, scripts, and README instructions, but the audited target is CLIP; Stable Diffusion is only an optional refinement component.<br><br>The checked public tree has no frozen CLIP/SDXL/VAE hashes, immutable member/nonmember manifests, generated reconstruction packet, per-row membership score file, ROC array, metric JSON, trained embedding-alignment weights, or no-training verifier.<br><br>No CLIP/SDXL/VAE/SSCD/model/dataset download, inversion/refinement run, CPU/GPU sidecar, or Platform/Runtime row is selected. See [leakyclip-clip-inversion-boundary-gate-20260525.md](leakyclip-clip-inversion-boundary-gate-20260525.md). | |
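Review bot: the `<br><br>` split is applied only to the LeakyCLIP row, while the GUARD, BAF and Broken Memories rows directly above carry equally long single-line description cells; if the split is adopted, apply it to those rows in the same change, or record the follow-up here, so the table source keeps one convention and the LeakyCLIP row does not stand out as the only multi-paragraph cell.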
| | I-A / consumer boundary | [admitted-consumer-drift-audit-20260515.md](admitted-consumer-drift-audit-20260515.md), [cross-modal-watch-consumer-boundary-20260515.md](cross-modal-watch-consumer-boundary-20260515.md), [cross-modal-watch-consumer-boundary-20260514.md](cross-modal-watch-consumer-boundary-20260514.md), [paperization-consumer-boundary-20260513.md](paperization-consumer-boundary-20260513.md), [admitted-consumer-drift-audit-20260512.md](admitted-consumer-drift-audit-20260512.md), [ia-finite-tail-adaptive-boundary-audit-20260511.md](ia-finite-tail-adaptive-boundary-audit-20260511.md), [admitted-results-summary.md](admitted-results-summary.md), [../product-bridge/README.md](../product-bridge/README.md), [../product-bridge/clid-candidate-evidence-card.md](../product-bridge/clid-candidate-evidence-card.md), [../product-bridge/tracing-roots-candidate-evidence-card.md](../product-bridge/tracing-roots-candidate-evidence-card.md) | 2026-05-15 admitted no-drift audit, cross-modal watch boundary including DurMI TTS and LSA-Probe music/audio, CLiD and Tracing Roots candidate-only evidence cards, finite-tail, adaptive-language, paperization limitation, and admitted/candidate boundary status. | | ||
| | FMIA / frequency watch | [fmia-openreview-frequency-artifact-gate-20260515.md](fmia-openreview-frequency-artifact-gate-20260515.md) | 2026-05-23 bounded OpenReview recheck confirmed the same small official supplement: version `2` rejected ICLR 2026 submission, `1,783,018` byte ZIP, SHA-256 `567ac598eefc849c9dfdd95c26be24bd6b7349c72843e210b56cce2f67969045`, `79` entries, code and split manifests present, but no checkpoints, generated samples, row-level score exports, ROC CSVs, metric JSON, or ready verifier; FMIA remains watch-plus only with no download, no GPU/CPU sidecar, and no Platform/Runtime admission. | | ||
| | Watch candidates / consumer boundary | [identity-focused-inference-extraction-artifact-gate-20260523.md](identity-focused-inference-extraction-artifact-gate-20260523.md), [rapta-admcd-copying-mitigation-artifact-gate-20260523.md](rapta-admcd-copying-mitigation-artifact-gate-20260523.md), [guard-surgical-mitigation-artifact-gate-20260523.md](guard-surgical-mitigation-artifact-gate-20260523.md), [baf-lora-parameter-space-mitigation-gate-20260523.md](baf-lora-parameter-space-mitigation-gate-20260523.md), [broken-memories-artifact-gate-20260523.md](broken-memories-artifact-gate-20260523.md), [iar-privacy-attacks-artifact-gate-20260523.md](iar-privacy-attacks-artifact-gate-20260523.md), [discrete-dlm-withdrawn-artifact-gate-20260523.md](discrete-dlm-withdrawn-artifact-gate-20260523.md), [hyperfree-secmi-reproduction-gate-20260515.md](hyperfree-secmi-reproduction-gate-20260515.md), [dme-dual-model-entropy-artifact-gate-20260515.md](dme-dual-model-entropy-artifact-gate-20260515.md), [fremia-frequency-filter-artifact-gate-20260515.md](fremia-frequency-filter-artifact-gate-20260515.md), [copymark-official-score-artifact-gate-20260515.md](copymark-official-score-artifact-gate-20260515.md), [diffusion-memorization-asset-gate-20260515.md](diffusion-memorization-asset-gate-20260515.md), [memorization-anisotropy-artifact-gate-20260515.md](memorization-anisotropy-artifact-gate-20260515.md), [watch-candidate-consumer-boundary-20260513.md](watch-candidate-consumer-boundary-20260513.md) | Identity-Focused Inference, RAPTA / ADMCD, GUARD, BAF, Broken Memories, IAR Privacy Attacks, Discrete DLM, Hyperparameter-free SecMI, DME, FreMIA, CopyMark score artifacts, Diffusion Memorization, Memorization Anisotropy, and older watch candidates remain Research-only watch / support / semantic-shift / paper-source-only / artifact-incomplete states unless a future reviewed promotion occurs. | | ||
| | Watch candidates / consumer boundary | [leakyclip-clip-inversion-boundary-gate-20260525.md](leakyclip-clip-inversion-boundary-gate-20260525.md), [identity-focused-inference-extraction-artifact-gate-20260523.md](identity-focused-inference-extraction-artifact-gate-20260523.md), [rapta-admcd-copying-mitigation-artifact-gate-20260523.md](rapta-admcd-copying-mitigation-artifact-gate-20260523.md), [guard-surgical-mitigation-artifact-gate-20260523.md](guard-surgical-mitigation-artifact-gate-20260523.md), [baf-lora-parameter-space-mitigation-gate-20260523.md](baf-lora-parameter-space-mitigation-gate-20260523.md), [broken-memories-artifact-gate-20260523.md](broken-memories-artifact-gate-20260523.md), [iar-privacy-attacks-artifact-gate-20260523.md](iar-privacy-attacks-artifact-gate-20260523.md), [discrete-dlm-withdrawn-artifact-gate-20260523.md](discrete-dlm-withdrawn-artifact-gate-20260523.md), [hyperfree-secmi-reproduction-gate-20260515.md](hyperfree-secmi-reproduction-gate-20260515.md), [dme-dual-model-entropy-artifact-gate-20260515.md](dme-dual-model-entropy-artifact-gate-20260515.md), [fremia-frequency-filter-artifact-gate-20260515.md](fremia-frequency-filter-artifact-gate-20260515.md), [copymark-official-score-artifact-gate-20260515.md](copymark-official-score-artifact-gate-20260515.md), [diffusion-memorization-asset-gate-20260515.md](diffusion-memorization-asset-gate-20260515.md), [memorization-anisotropy-artifact-gate-20260515.md](memorization-anisotropy-artifact-gate-20260515.md), [watch-candidate-consumer-boundary-20260513.md](watch-candidate-consumer-boundary-20260513.md) | LeakyCLIP, Identity-Focused Inference, RAPTA / ADMCD, GUARD, BAF, Broken Memories, IAR Privacy Attacks, Discrete DLM, Hyperparameter-free SecMI, DME, FreMIA, CopyMark score artifacts, Diffusion Memorization, Memorization Anisotropy, and older watch candidates remain Research-only watch / support / semantic-shift / paper-source-only / artifact-incomplete states unless a future reviewed 
promotion occurs. | |
This table row is extremely long, making the source file very difficult to read and edit. To improve readability and maintainability, please add line breaks within the cells. You can use <br> tags to format the list of links into a more manageable list.
| | Watch candidates / consumer boundary | [leakyclip-clip-inversion-boundary-gate-20260525.md](leakyclip-clip-inversion-boundary-gate-20260525.md), [identity-focused-inference-extraction-artifact-gate-20260523.md](identity-focused-inference-extraction-artifact-gate-20260523.md), [rapta-admcd-copying-mitigation-artifact-gate-20260523.md](rapta-admcd-copying-mitigation-artifact-gate-20260523.md), [guard-surgical-mitigation-artifact-gate-20260523.md](guard-surgical-mitigation-artifact-gate-20260523.md), [baf-lora-parameter-space-mitigation-gate-20260523.md](baf-lora-parameter-space-mitigation-gate-20260523.md), [broken-memories-artifact-gate-20260523.md](broken-memories-artifact-gate-20260523.md), [iar-privacy-attacks-artifact-gate-20260523.md](iar-privacy-attacks-artifact-gate-20260523.md), [discrete-dlm-withdrawn-artifact-gate-20260523.md](discrete-dlm-withdrawn-artifact-gate-20260523.md), [hyperfree-secmi-reproduction-gate-20260515.md](hyperfree-secmi-reproduction-gate-20260515.md), [dme-dual-model-entropy-artifact-gate-20260515.md](dme-dual-model-entropy-artifact-gate-20260515.md), [fremia-frequency-filter-artifact-gate-20260515.md](fremia-frequency-filter-artifact-gate-20260515.md), [copymark-official-score-artifact-gate-20260515.md](copymark-official-score-artifact-gate-20260515.md), [diffusion-memorization-asset-gate-20260515.md](diffusion-memorization-asset-gate-20260515.md), [memorization-anisotropy-artifact-gate-20260515.md](memorization-anisotropy-artifact-gate-20260515.md), [watch-candidate-consumer-boundary-20260513.md](watch-candidate-consumer-boundary-20260513.md) | LeakyCLIP, Identity-Focused Inference, RAPTA / ADMCD, GUARD, BAF, Broken Memories, IAR Privacy Attacks, Discrete DLM, Hyperparameter-free SecMI, DME, FreMIA, CopyMark score artifacts, Diffusion Memorization, Memorization Anisotropy, and older watch candidates remain Research-only watch / support / semantic-shift / paper-source-only / artifact-incomplete states unless a future reviewed 
promotion occurs. | | |
| | Watch candidates / consumer boundary | [leakyclip-clip-inversion-boundary-gate-20260525.md](leakyclip-clip-inversion-boundary-gate-20260525.md),<br>[identity-focused-inference-extraction-artifact-gate-20260523.md](identity-focused-inference-extraction-artifact-gate-20260523.md),<br>[rapta-admcd-copying-mitigation-artifact-gate-20260523.md](rapta-admcd-copying-mitigation-artifact-gate-20260523.md),<br>[guard-surgical-mitigation-artifact-gate-20260523.md](guard-surgical-mitigation-artifact-gate-20260523.md),<br>[baf-lora-parameter-space-mitigation-gate-20260523.md](baf-lora-parameter-space-mitigation-gate-20260523.md),<br>[broken-memories-artifact-gate-20260523.md](broken-memories-artifact-gate-20260523.md),<br>[iar-privacy-attacks-artifact-gate-20260523.md](iar-privacy-attacks-artifact-gate-20260523.md),<br>[discrete-dlm-withdrawn-artifact-gate-20260523.md](discrete-dlm-withdrawn-artifact-gate-20260523.md),<br>[hyperfree-secmi-reproduction-gate-20260515.md](hyperfree-secmi-reproduction-gate-20260515.md),<br>[dme-dual-model-entropy-artifact-gate-20260515.md](dme-dual-model-entropy-artifact-gate-20260515.md),<br>[fremia-frequency-filter-artifact-gate-20260515.md](fremia-frequency-filter-artifact-gate-20260515.md),<br>[copymark-official-score-artifact-gate-20260515.md](copymark-official-score-artifact-gate-20260515.md),<br>[diffusion-memorization-asset-gate-20260515.md](diffusion-memorization-asset-gate-20260515.md),<br>[memorization-anisotropy-artifact-gate-20260515.md](memorization-anisotropy-artifact-gate-20260515.md),<br>[watch-candidate-consumer-boundary-20260513.md](watch-candidate-consumer-boundary-20260513.md) | LeakyCLIP, Identity-Focused Inference, RAPTA / ADMCD, GUARD, BAF, Broken Memories, IAR Privacy Attacks, Discrete DLM, Hyperparameter-free SecMI, DME, FreMIA, CopyMark score artifacts, Diffusion Memorization, Memorization Anisotropy, and older watch candidates remain Research-only watch / support / semantic-shift / paper-source-only / 
artifact-incomplete states unless a future reviewed promotion occurs. | |
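Review bot: the suggested `<br>` after each link keeps the trailing comma on every line, so the rendered cell becomes a comma-separated list with hard line breaks rather than a clean one-link-per-line list; drop the commas when the `<br>` tags are added (`[leakyclip-clip-inversion-boundary-gate-20260525.md](...)<br>[identity-focused-inference-extraction-artifact-gate-20260523.md](...)<br>...`). As with the reproduction-status row, the neighbouring "I-A / consumer boundary" and FMIA rows would need the same treatment for the table to stay consistent.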
Summary
Fixes #304
Verification