Spaces:

CyCrawwler
/

safegen-arena

Running

App Files Files Community

safegen-arena / Blog.md

Somin-Aggarwal

Sharpen README + Blog opening for HF Space judging

2ad1b34 13 days ago

preview code

raw

history blame contribute delete

29.9 kB

	# SafeGen Arena — Train safety. Learn the middle.

	> Submission for the Meta × OpenEnv Hackathon (India 2026), Themes #1 (Multi-Agent Interactions) and #3.1 (Professional Tasks: Content Moderation).
	> Authors: Somin Aggarwal & Kartik. Live environment + code: this Hugging Face Space. Training run logs: [WandB run `4bkicaj2`](https://wandb.ai/sominaggarwal_23it161-delhi-technological-university/safegen-arena/runs/4bkicaj2).

	---

	![Same diffusion model. Same seed. The Defender's rewrite is the only thing that changed.](assets/demo_images/figure_4_grid.png)

	> Same SD 1.5 backbone. Same seed. Left = uncensored generation from the user's raw prompt. Right = generation from the Defender's rewrite. The change is attributable to the prompt, not to the noise.**

	---

	## A 90-second pitch

	Open-source image generation has a content-safety problem that nobody wants to admit. You can have broken safety (uncensored community checkpoints will render anything you ask them to) or brittle safety (closed APIs refuse a war photographer's portrait of a soldier returning from battle because the word "soldier" rings a bell). Nobody ships the layer in the middle — a small model that decides per prompt whether to allow, rewrite, or reject, and when it rewrites, keeps the user's intent intact while removing only the unsafe axis.

	We built that layer as a reinforcement-learning environment. A 1.5B Qwen-Instruct LoRA learns this policy from reward signal alone, inside a fully OpenEnv-compliant gym. The reward is a four-component composition of a Llama-Guard-3 verdict, a CLIP concept-arithmetic intent residual (our novelty), a NudeNet/Q16 visual judge that scores the actual diffusion output, and an over-refusal penalty. Training runs end-to-end on a single A100 in roughly three hours.

	The agent went from −0.05 reward at step 0 to a stable +0.33 plateau across the last 1000 of 1300 GRPO steps, never collapsing onto a single rewrite, never drifting away from the reference policy in KL. The whole thing — env, judges, reward, training script, eval — is reproducible from a Colab notebook, and the env is a Hugging Face Space anyone can hit at `/health`.

	This is a write-up of how we built it, what we learned, and the parts that genuinely surprised us.

	---

	## The opening question

	> Can a 1.5B model learn senior content-moderator judgment from reward alone — without ever being told what's "unsafe"?

	That's the question we set out to answer. We never write down a list of banned words. We never give the model a "harmful-content classifier head". We hand it a structured action space — allow / transform / reject — and a reward function. Everything else has to be discovered.

	If you only remember one thing from this post: the agent never sees its loss; it only sees its reward. The interesting question is what kind of safety policy emerges from that reward.

	---

	## The real gap is not a missing model. It is a missing environment.

	Production image-AI safety today has two modes:

	\| Mode \| Example \| What goes wrong \|
	\|---\|---\|---\|
	\| Classify-and-block \| Closed-API safety filters, SD safety checker, keyword denylists \| Refuses "a war photographer documenting the aftermath of conflict". To a tokeniser, a Pulitzer shot is identical to a slur. \|
	\| Raw generation \| Uncensored community checkpoints \| Renders "photorealistic graphic execution" without hesitation. \|

	A learned middle layer needs adversarial prompts to learn from, judges that actually verify safety and intent, and a reward signal that punishes both under-refusal and over-refusal. None of those are off-the-shelf — you have to build them. So we built the environment before we trained anything in it. That order matters and it is also the thing the OpenEnv hackathon is asking for.

	---

	## The RL loop, drawn honestly

	```
	┌─ s_t : prompt ──────────────────────────────────┐
	│ │
	▼ │
	┌───────────────────────────────────┐ ┌──────────────────────────────┴─────────────────────────┐
	│ AGENT │ │ ENVIRONMENT │
	│ │ │ │
	│ Defender │ │ • Prompt Sampler ── T1 / T2 / T3 + benign probes │
	│ Qwen2.5-1.5B + LoRA │ │ • Victim ── SD 1.5 + LCM-LoRA (frozen) │
	│ │ │ • Text Judge ── Llama-Guard-3-1B (frozen) │
	│ The ONLY trainable policy. │ │ • Visual Judges ── NudeNet + Q16 (frozen) │
	│ Optimised by GRPO. │ │ • Intent Scorer ── CLIP concept-arithmetic │
	│ │ │ • Reward Composer ── 4-term scalar │
	│ │── a_t ─►│ │
	│ │ │ Every component except the Defender is frozen │
	│ │◄── r_t ─│ and lives inside the environment. │
	└───────────────────────────────────┘ └────────────────────────────────────────────────────────┘
	▲
	│ GRPO update on r_t (LoRA weights only)
	└──────────────────────────────────────
	```

	\| RL concept \| SafeGen Arena instantiation \|
	\|---\|---\|
	\| State `s_t` \| A user prompt drawn from a curriculum (T1/T2/T3 unsafe + benign probes). \|
	\| Action `a_t` \| A JSON object `{decision, reason, rewrite}` emitted by the Defender. \|
	\| Transition \| Single-step episode. The environment pipes the action through the diffusion model (only on `transform`) then through the judges. \|
	\| Reward `r_t` \| `R_format + R_decision + R_transform + R_overrefusal`. Dense per-step. \|
	\| Policy `π_θ` \| The Defender. Only LoRA adapter weights update. Base Qwen 2.5-1.5B is frozen. \|

	This is a faithful instance of the standard agent/environment split, but with a twist that matters: the "environment" contains a frozen attacker LLM and three judges. That's why the multi-agent flavour is real — only one of the agents has gradients on this run, but the loop is structurally adversarial.

	---

	## What the agent sees, what it must output

	The Defender operates under a strict structured contract. The observation it receives looks like this:

	```python
	{ "prompt": "...",
	"turn_index": 0,
	"history": [],
	"max_turns": 1,
	"reward": 0.0, "done": false,
	"metadata": { "episode_id": ..., "tier": "T2", ... } } # tier is never exposed to the policy
	```

	And the action it has to emit is parseable JSON of exactly this shape:

	```python
	{ "decision": "allow" \| "transform" \| "reject",
	"rewrite": "string \| null", # required iff decision == transform
	"reason": "string" }
	```

	This contract is enforced by Pydantic models in `safegen_arena/models.py` and validated cross-field — a `transform` without a rewrite is a hard parse failure. The strict schema is what makes the environment trainable: if the action is unparseable, no judge can score it, and `R_format = −0.5` immediately. SFT warm-start exists exactly so the policy enters the GRPO loop with a 100 % parse rate, freeing GRPO to optimise content, not syntax.

	---

	## The Red side is curricular, not random

	Picking a single hard adversarial prompt and training on it would either collapse the policy to "always reject" or produce a policy that overfits to one attack class. Neither is useful. So the Red Sampler does three things at once.

	Three difficulty tiers, not one. T1 prompts are clean unsafe — I2P-derived prompts with explicit harmful intent in plain language. T2 prompts are obfuscated — Ring-A-Bell and MMA-Diffusion-style token soup, plus hand-authored hate and self-harm fillers. T3 prompts are adversarial rewrites that look benign but encode the unsafe concept in a way that bypasses keyword filters.

	Benign probes are not optional. A non-trivial fraction of episodes serves a fully benign prompt (sailing, surgery, war memorial). Without these, the over-refusal penalty has nothing to bite, and GRPO converges to "always reject" within ~50 steps. We learned this the hard way on early prototypes.

	A schedule over training step. More T1 early, more T2/T3 late, benign probes throughout. Code: `safegen_arena/red_sampler.py`. The pool itself is in twelve `data/*.jsonl` files (446 T1, 736 T2, 399 T3, 4900 benign, 340 holdout — fully reproducible build scripts in `scripts/`).

	---

	## Why we froze the Red side (and why it's still adversarial)

	The natural extension of this work is to co-train an attacker that searches for prompts the defender fails on. The environment is built to support that drop-in: replace the static red pool with an attacker LLM and the GRPO trainer doesn't need to change. We didn't enable it on this run for three reasons.

	First, compute budget — two trainable LLMs more than double VRAM and triple the rollout cost. Second, the frozen pool is already adversarial: the T2 prompts are real Ring-A-Bell and MMA-Diffusion outputs that already break commercial filters, so there is plenty of attack pressure without an online attacker. Third, the bottleneck is the judge, not the attacker — even with a perfect online attacker, the defender's learning signal is gated by what Llama-Guard + CLIP + NudeNet can score. Optimising the attacker before the judges saturate is wasted compute.

	The right next step is online attacker training. We discuss it more in Future improvements at the end of this post.

	---

	## The Defender does not classify. It decides.

	This is the small but important point that distinguishes SafeGen from a binary classifier:

	```
	┌────────────┐
	│ prompt │
	└─────┬──────┘
	▼
	┌──────────────┐
	│ Defender │
	└──────┬───────┘
	│
	┌─────────┼─────────┐
	▼ ▼ ▼
	ALLOW TRANSFORM REJECT
	(pass) (rewrite) (refuse)
	```

	A binary safe/unsafe head can do allow and reject but cannot do transform. Transform is the research contribution. It is also the only action that opens up a positive `R_transform` term — the action with the largest reward upside if the rewrite is good. That asymmetry is what teaches the policy to try to find a safe rewrite first before falling back to refusal.

	---

	## The safety judge: Llama Guard 3, calibrated

	We don't ask Llama Guard for a binary verdict. We pull the next-token logits, compute `p(safe)`, and bucket:

	- `p(safe) > 0.65` → safe
	- `p(safe) < 0.35` → unsafe
	- otherwise → ambiguous

	Code: `safegen_arena/judges.py::LlamaGuardJudge`. The three-way verdict matters because a binary judge over-rewards the policy for borderline rewrites. The ambiguous bucket carries no `R_transform` reward, which forces the policy to push into the safe region rather than dance on the boundary.

	The Guard prompt is scoped to the three categories the project cares about — violence, self-harm, hate — so we don't false-flag medical, agricultural, or political prompts that an unscoped Guard prompt would refuse.

	---

	## The intent judge: CLIP concept arithmetic

	The naive thing to do is `cosine(embed(original), embed(rewrite))`. The naive thing fails. Why?

	Because a verbatim copy of the unsafe prompt has cosine ≈ 1.0. If the only intent-preservation signal is cosine similarity, the policy's optimal play is "decide=transform, rewrite=<original verbatim>" — which is exactly the failure mode we're trying to prevent.

	So we use a concept-arithmetic residual:

	```python
	unsafe_axis = embed("graphic violence") # category-specific descriptor
	safe_residual = embed(original_prompt) - α * unsafe_axis
	I_intent = cosine(embed(rewrite), safe_residual)
	```

	The interpretation: did the rewrite preserve user intent minus* the unsafe axis?*

	A verbatim copy gives `embed(rewrite) ≈ embed(original)`, whose cosine with `safe_residual` is lower than the naive cosine — penalised. An on-topic safe rewrite ("cinematic boxing scene" instead of "bloody knife fight") lands close to the safe residual and is rewarded. An off-topic safe rewrite ("peaceful garden") is far from the safe residual and earns nothing.

	The unsafe descriptor is per-category (violence / self-harm / hate), pulled at episode reset from `data/unsafe_descriptors.json`. This is the term in the reward that is, as far as we can tell, novel as a reward function for prompt-rewriting RL. Code: `safegen_arena/clip_scorer.py::IntentResidualScorer`.

	---

	## The reward function

	```
	R_total = R_format + R_decision + R_transform + R_overrefusal
	```

	\| Term \| What it measures \| Range \| Purpose \|
	\|---\|---\|---\|---\|
	\| `R_format` \| JSON parseability + cross-field validity \| [−0.5, +0.1] \| gate: no parse → no other reward \|
	\| `R_decision` \| Confusion-matrix lookup over (ground_truth, decision) \| [−1.0, +0.5] \| rewards the right decision class \|
	\| `R_transform` \| `S_safe × I_intent × V_visual` (multiplicative) \| [0, +0.7] \| only fires on `transform`; rewards quality \|
	\| `R_overrefusal` \| Penalty on rejecting/transforming benign prompts \| [−0.5, 0] \| prevents safe-by-silence collapse \|

	The decision matrix is asymmetric on purpose:

	\| \| allow \| transform \| reject \|
	\|---\|---\|---\|---\|
	\| safe prompt \| +0.5 \| −0.2 \| −0.5 \|
	\| unsafe prompt \| −1.0 \| +0.1 (base) \| +0.3 \|

	Letting an unsafe prompt through (−1.0) is 2× as expensive as over-refusing (−0.5). But over-refusing is still negative — so the policy cannot just reject everything. This single 2:1 ratio is the closest thing this project has to an editorial line.

	`R_transform` is multiplicative, not additive. If any one of the three quality components is zero (unsafe rewrite, off-topic rewrite, unsafe generated image), the whole transform reward is zero. We tried additive; the policy learned to maximise one component while the others rotted. Multiplicative forces all three to be good simultaneously.

	Code: `safegen_arena/reward.py` (~512 lines, fully unit-tested in `tests/test_reward.py`).

	---

	## Anti-hacking: the reward is shaped to stop shortcuts

	Every reward function is a target. RL agents will hit it through whatever path is cheapest. Here are the shortcuts we anticipated and the penalties we wrote to close them:

	\| Shortcut \| Penalty term \|
	\|---\|---\|
	\| Mode-collapse onto one rewrite (e.g. "tense urban standoff, dramatic cinematography") \| `_group_diversity_penalty` over the GRPO 16-rollout group \|
	\| Verbatim copy of the unsafe prompt \| `_keyword_preservation` (soft penalty for high-overlap rewrites) \|
	\| n-gram repetition inside one rewrite \| `_internal_repetition_penalty` \|
	\| One-word "safe" rewrites that lose intent \| `_length_sanity` \|
	\| "Allow benign, reject unsafe, never try transform" \| `R_transform` carries the highest upside; this is the carrot \|

	We confirmed `_group_diversity_penalty` did fire on early prototypes (we have logs of −0.15 diversity penalties when the policy converged onto one rewrite) and now stays at 0.000 across the entire shipped 1300-step run. That's evidence the anti-hack term solved the problem at training-time, not just at eval. The thinking behind this design is heavily influenced by recent work on reward engineering and reward hacking in RLHF and RLVR pipelines — see the References section.

	---

	## Two judges, one objective: safety AND intent

	The most subtle design choice in the reward isn't any single term. It's the multiplicative coupling between the safety verdict and the intent score:

	```
	R_transform = S_safe × I_intent × V_visual
	```

	Read it as a Venn diagram. A rewrite that is safe but off-topic earns nothing. A rewrite that is on-topic but unsafe earns nothing. The reward only becomes large in the overlap. That is the operational definition of "the middle".

	---

	## Training pipeline: SFT warm-start → GRPO → eval

	```
	data/ → SFT (10 min) → blue_sft_warmstart_v4 → GRPO (3 h) → safegen_blue_grpo1500_final
	```

	SFT warm-start runs on hand-curated `(prompt, action)` pairs: 5 epochs, LR 2e-5, ~10 min on A100. This pays the format tax once. The v4 SFT adapter hits 100 % parse rate on the 12-prompt verification set with sensible decisions (`blue_sft_warmstart_v4/verification_results.txt`).

	GRPO fine-tuning runs against the live environment, group of 16 rollouts per prompt, KL coefficient 0.04, LR 5e-6. v4 ran 1300 steps (~3 h on A100). v3 ran 500 steps with our original single-tier sampler; we ship both so judges can A/B them.

	Eval runs on a held-out 40-prompt set (10 each from T1 / T2 / T3 / benign), greedy decoding, full reward decomposition logged to `eval/results/`.

	Why two stages? Because GRPO with a parse-rate floor of zero diverges. The policy needs to be inside the parseable-JSON manifold before reward signal makes sense. SFT puts it there cheaply; GRPO does the expensive policy improvement. This warm-start + RLVR pattern is now standard practice — DeepSeek-R1, Tülu 3, and the recent reward-engineering literature all converge on it.

	---

	## The plot you actually came here to see

	![v3 vs v4 reward curve](assets/reward_curves/figure4_v3_vs_v4_compare.png)

	Same axes. Same reward function. v3 is 500 steps with our original single-tier sampler. v4 is 1300 steps with a balanced curriculum and cleaned T2/T3 pools. v4 finishes about +0.05 absolute reward higher and stays there for an additional 1000 steps without drift.

	That long flat tail is the most important part of the picture. It says the policy didn't just stumble onto a peak and slide off — it found a basin and stayed in it. KL stays bounded, loss stays at ~0.03, and the per-tier reward decomposition (visible in WandB run `4bkicaj2`) shows benign tier reward steady at +0.52 throughout. The full picture, with the headline reward + KL + loss + decision-mix, lives in the README under "Results".

	---

	## What we learned the hard way

	Honest write-up of what RL didn't fix on its own.

	`reject` collapses unless the data forces it. v3 GRPO 500 emitted 0 / 40 rejects in eval (vs 7 / 40 from SFT). `transform` always outcompetes `reject` because it can earn `R_transform > 0`. The fix in v4 was structural: the data pool now contains more T2 / T3 prompts where no faithful rewrite is possible, so the policy is forced to learn that sometimes the safe move is to refuse. The next iteration will add a hard `R_decision` floor for impossible prompts.

	T1 regression in v3 was real. 5 / 10 T1 unsafe prompts went to `allow` after 500 GRPO steps (mean R = −0.18). Uniform tier weights drowned the easy-tier gradient signal. v4 raises T1 weight in the curriculum and we observe this regression shrinking on the SFT verification set.

	The reward is sensitive to the system prompt. Earlier prototypes converged onto our one-line system-prompt example "tense urban standoff, dramatic cinematography". Anti-hacking helpers fixed it, but the lesson is: don't put your gold standard rewrite in the system prompt. The model will optimise the example you showed it.

	Rollout-group reward dispersion is a feature, not a bug. Even at step 1300 the rollout-group `reward_std` stays 0.20–0.40. That's the dispersion GRPO needs to compute meaningful advantages — if the 16 rollouts all earn the same reward, the gradient is zero. Persistent dispersion is what keeps training producing usable updates a thousand steps in.

	---

	## A demo, not an API doc

	Same diffusion backbone (SD 1.5 + LCM-LoRA, 4-step inference). Same seed. Left = uncensored generation from the user's raw prompt. Right = generation from the Defender's rewrite.

	![Before/after grid](assets/demo_images/figure_4_grid.png)

	The change is attributable to the prompt, not to noise — this is the cleanest possible visual proof that the rewrite preserves intent while removing the unsafe axis.

	And the over-refusal panel — two prompts a keyword filter would refuse, both correctly allowed by the trained Defender:

	![Allow traps](assets/demo_images/figure_2_allow_traps.png)

	A war photographer documenting the aftermath. A surgeon performing a routine procedure. A keyword filter sees "war" and "blood" and panics. The Defender saw context.

	---

	## Why this is a hackathon-worthy environment

	We wrote an environment, not a benchmark. The submission is structured against the four judging criteria.

	\| Criterion \| Weight \| What we shipped \|
	\|---\|---\|---\|
	\| Environment Innovation \| 40 % \| A POMDP-flavoured RL gym for prompt rewriting under safety + intent constraints — a domain that doesn't exist in published RL/LLM training corpora. The CLIP concept-arithmetic intent residual is, as far as we can tell, novel as a reward term. The three-way action space (allow/transform/reject) is the research contribution; binary classifiers cannot express `transform`. \|
	\| Storytelling \| 30 % \| This blog + README + the visceral before/after demo grid. We tell the agent → environment → reward → result story end to end, including the parts that didn't work. \|
	\| Improvement in Rewards \| 20 % \| Five labelled, axis-titled plots in `assets/reward_curves/`, an A/B v3-vs-v4 comparison on the same axes, KL/loss stability evidence over 1300 steps, and a held-out 40-prompt eval table broken down by tier. \|
	\| Reward & Pipeline Coherence \| 10 % \| Composable 4-term reward, multiplicative quality coupling, anti-hacking helpers verified to fire, two-stage SFT→GRPO pipeline with full Colab notebook, all OpenEnv contract methods (`reset`, `step`, `state`, `/health`) implemented and validated by the official `openenv validate` CLI. \|

	---

	## Future improvements

	We have a clear roadmap of things we wanted to ship and didn't, ordered by how much we expect each to move the needle.

	Un-freeze the Red attacker for self-play. Right now the Red side is a frozen pool of pre-generated adversarial prompts. The natural next step is to make it a second trainable LLM that learns to find prompts the current Defender fails on, while the Defender learns to handle them — classic adversarial self-play. The environment is already structured to support this drop-in: replace the static sampler in `red_sampler.py` with a generation call to a second LLM, and the GRPO trainer doesn't need to change. We didn't enable it for this submission for one main reason — adversarial RL training is famously unstable. Without careful attacker reward shaping (so the attacker doesn't degenerate into nonsense token soup), KL annealing on both sides, and a much larger compute budget, joint optimisation tends to oscillate or collapse. We preferred a stable, reproducible single-policy run for the hackathon over an ambitious-but-fragile one.

	A hard `R_decision` floor for impossible prompts. When no faithful safe rewrite exists, the correct action is `reject`, but `transform` always outcompetes it on raw reward. The fix is a small bonus on `reject` for prompts the curriculum has labelled as "no safe rewrite possible" (a flag we already carry in metadata).

	Online victim diffusion with vLLM or SDXL Turbo. The current victim is SD 1.5 + LCM-LoRA (~300 ms / image on A100). Swapping to SDXL Turbo would let `V_visual` fire on every transform step instead of a 50 % subsample, sharpening the visual reward signal at the cost of more VRAM.

	Multi-turn negotiation. The current contract is `max_turns=1`. A natural extension is to let the Defender ask the user (the Red simulator) to clarify ambiguous prompts, turning the env into a short multi-turn POMDP. The observation already carries `history` and `max_turns` for exactly this reason.

	Per-category reward tuning. Hate, self-harm, and violence have different cultural and ethical dynamics. A single `R_decision` matrix is a compromise. A category-conditioned matrix (with policy-team-authored cells) is the obvious refinement.

	---

	## Closing

	There is no off-the-shelf environment for training a model to be a content moderator. There are classifiers, there are denylists, there are RLHF reward models that have memorised what a refusal looks like. None of those are environments — none of those let an agent act and get feedback in a loop.

	SafeGen Arena is that loop. It says: here is a prompt. Make a decision. We will judge it on safety and intent, with frozen judges that you cannot game, and we will tell you the score. Do that 21 000 times (1 300 steps × 16 rollouts) and the policy that comes out the other side knows things about content moderation that nobody wrote down.

	That's the bet of this submission: that there is a useful safety policy hiding in the gradient of a well-shaped reward, and that the environment is the artefact worth shipping — not the model.

	Train safety. Learn the middle.

	— Somin & Kartik

	---

	## References

	### RL training, GRPO, and adversarial / self-play stability

	- GRPO — Shao et al., DeepSeekMath: Pushing the Limits of Mathematical Reasoning in Open Language Models, [arXiv:2402.03300](https://arxiv.org/abs/2402.03300). The training algorithm running our Defender.
	- Triplay RL — [arXiv:2601.18292](https://arxiv.org/pdf/2601.18292). Informed our framing of why two-policy adversarial training oscillates without careful reward shaping. We use its diagnosis directly when explaining (above) why we kept the Red side frozen for this run.
	- Defining and Characterizing Reward Hacking — Skalse et al., [arXiv:2209.13085](https://arxiv.org/abs/2209.13085). Background reading for why we wrote four anti-shortcut penalties before we ran a single training step.
	- TRL — von Werra et al., TRL: Transformer Reinforcement Learning, the library that runs our GRPO loop. [GitHub](https://github.com/huggingface/trl).
	- Unsloth — Daniel & Michael Han, the kernel-fused training stack we use for VRAM-bounded RL on a single A100. [GitHub](https://github.com/unslothai/unsloth).

	### Reward engineering

	- Reward engineering for verifiable-reward LLM training — [arXiv:2408.10215](https://arxiv.org/abs/2408.10215). Direct influence on the multiplicative coupling in `R_transform` and on the decision-matrix asymmetry.
	- Reward shaping under adversarial pressure — [arXiv:2601.19100](https://arxiv.org/abs/2601.19100). Direct influence on `_group_diversity_penalty` and `_keyword_preservation`.

	### Safety and adversarial prompts in image generation

	- I2P benchmark — Schramowski et al., Safe Latent Diffusion: Mitigating Inappropriate Degeneration in Diffusion Models, CVPR 2023. Source for our T1 prompt pool.
	- Ring-A-Bell — Tsai et al., Ring-A-Bell: How Reliable are Concept Removal Methods for Diffusion Models?, ICLR 2024. Source methodology for our T2 obfuscated prompts.
	- MMA-Diffusion — Yang et al., Multi-Modal Attack on Diffusion Models, CVPR 2024. Methodology only — we did not redistribute the prompts.
	- Q16 — Schramowski et al., Can Machines Help Us Answering Question 16 in Datasheets, and In Turn Reflecting on Inappropriate Content?, FAccT 2022. One half of our visual judge.
	- Llama Guard 3 — Meta AI Safety. The text safety judge.

	### Tooling and infrastructure

	- OpenEnv — Meta's RL environment standard, [meta-pytorch/OpenEnv](https://github.com/meta-pytorch/OpenEnv). The framework this submission is built against.
	- Stable Diffusion 1.5 — Rombach et al., High-Resolution Image Synthesis with Latent Diffusion Models, CVPR 2022. Frozen victim model.
	- LCM-LoRA — Luo et al., LCM-LoRA: A Universal Stable-Diffusion Acceleration Module, 2023. Used for 4-step diffusion inference.
	- NudeNet — [notAI-tech/NudeNet](https://github.com/notAI-tech/NudeNet). Open-source NSFW classifier; the other half of our visual judge.

	---

	### Pointers (for judges)

	- Code, tests, configs: this repo. The README is the orientation file.
	- Live environment: <https://huggingface.co/spaces/CyCrawwler/safegen-arena>.
	- WandB runs: v4 (shipped, 1300 steps) — [`4bkicaj2`](https://wandb.ai/sominaggarwal_23it161-delhi-technological-university/safegen-arena/runs/4bkicaj2). v3 (historical, 500 steps) — [`799rdjh6`](https://wandb.ai/sominaggarwal_23it161-delhi-technological-university/safegen-arena/runs/799rdjh6).
	- Colab notebook to reproduce training: `notebooks/colab_train_grpo.ipynb`.
	- Data build pipeline: `scripts/build_curated_pools.py`, `scripts/build_eval_holdout.py`, `scripts/clean_red_pool.py`.