MAINT: AdversarialConversationManager - unify adversarial-chat context, schema, and multimodal feedback#2053
Conversation
Add a shared `adversarial_chat` JSON schema (next_message, rationale, last_response_summary) and wire the Crescendo, TAP, and PAIR adversarial-chat prompts onto it so their prompts are interchangeable. Parsers now read/return next_message and forward the schema to schema-aware targets via prompt metadata. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The message normalizer already appends the response JSON schema when it is forwarded via prompt metadata, so the hand-written schema block in the Crescendo system prompts duplicated that instruction. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Routes Crescendo and TAP adversarial sends through a real PromptNormalizer and a MockPromptTarget (which lacks native JSON_SCHEMA support) to verify the shared adversarial_chat schema is forwarded via prompt metadata and rendered into the prompt the adversarial chat receives. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…eam-attack-schema # Conflicts: # pyrit/datasets/executors/crescendo/crescendo_variant_1.yaml # pyrit/datasets/executors/crescendo/escalation_crisis.yaml # pyrit/datasets/executors/crescendo/therapist.yaml # pyrit/datasets/executors/pair/attacker_system_prompt.yaml # pyrit/datasets/executors/tree_of_attacks/adversarial_system_prompt.yaml # pyrit/datasets/executors/tree_of_attacks/image_generation.yaml
romanlutz
left a comment
There was a problem hiding this comment.
I love this! It solves lots of problems I've noticed but not really had a good handle on (yet!). That said, there are lots of conflicts with #1377. It's compatible if we adjust this or #1377. Some notes below.
-
API migration: #2053 renames
seed_prompt→first_messageand addsadversarial_prompt_template. This would probably need deprecation etc. -
Responsibility boundary: #1377’s
ModalityFeedbackRouterhandles true multimodal forwarding (message pieces). #2053’s manager centralizes adversarial turn/schema logic but is text-message-centric inRedTeamingAttack. We'd need to generalize it to accept/build fullMessageobjects (not just rendered text) so #1377 media forwarding remains intact. -
First-turn placeholder flow: #1377 supports adversarial placeholders + seed media for edit-only starts; #2053’s red-teaming path bypasses that behavior unless explicitly reintroduced.
-
Rollout scope: apply manager only to red teaming first, or also refactor Crescendo/TAP to share the same adversarial-turn primitive.
Another thought that came to mind: Should there be an objective conversation manager then? It's worth considering, but as a follow-up if at all. There’s already ConversationManager; a new objective manager should only centralize objective-target send mechanics (rotation for single-turn targets, converter plumbing, execution context), not absorb attack-specific control flow (backtracking, tree branching, pruning).
So all in all: This PR is compatible with #1377 if integrated deliberately; a mechanical merge would likely regress #1377 multimodal behavior in red teaming. @rlundeen2
Resolve the collision between PR microsoft#2053 (AdversarialConversationManager) and main microsoft#1377 (_ModalityFeedbackRouter) using Option A: the manager owns the adversarial send/parse and, when a modality router is injected, builds its outgoing message via router.build_adversarial_input_message so the adversarial model still sees generated media (preserves microsoft#1377's multimodal feedback loop). red_teaming keeps self._modality_router for the objective side (placeholder fill / build_objective_input_message). Preserve main's blocked/error/use_score_as_feedback semantics by baking them into the default adversarial prompt template (DEFAULT_ADVERSARIAL_ PROMPT_TEMPLATE) rendered through _MessageView, rather than the removed imperative _build_adversarial_prompt_async / _handle_adversarial_* helpers. Note: the default red_teaming adversarial system prompt (text_generation.yaml) declares no JSON schema, so the manager uses the raw-text path (adversarial reply is the next message verbatim); the schema/JSON-parse path only engages when a system prompt or first message declares a schema. Test reconciliation: - red_teaming: drop obsolete handler tests, rewire modality-router integration tests onto the manager/raw-text path, rename seed_prompt -> first_message. - attack_config: add coverage for all six default-template branches (blocked / error / text / text+feedback / no-text+feedback / empty). - simulated_conversation: cover schema vs raw-text next-message handling. - shared attack tests updated for the first_message rename. All 873 attack unit tests pass; ruff + ty clean. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Move the blocked/error/empty/score-feedback control flow out of the
per-turn Jinja template into a testable Python helper and render the
template strictly. Detect blocked/errored pieces across all message
pieces instead of only the first, fixing a bug where a blocked/errored
later piece was masked by an earlier clean one.
- adversarial_conversation_manager.py: replace the _MessageView /
_MessageBucket template shim with _build_adversarial_feedback_text
(+ _joined_text_value / _first_response_error); render via
render_template_value (strict) exposing feedback_text + objective.
- attack_config.py: simplify DEFAULT_ADVERSARIAL_PROMPT_TEMPLATE to
"{{ feedback_text }}".
- tests: relocate the template-branch coverage to
TestBuildAdversarialFeedbackText (adding any-piece blocked/error
cases) and update prompt assertions.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
… lifecycle Address review findings microsoft#4-microsoft#6 on the adversarial conversation manager: - microsoft#6 Schema-driven parsing (single source of truth): `_parse_adversarial_reply` derives its required/permitted keys from the resolved response schema (`required`, `properties`, `additionalProperties`) -- the same schema the manager forwards to constrain the target -- instead of a hard-coded copy of the adversarial_chat keys, so the parser cannot silently drift from adversarial_chat.yaml. Behavior is identical for the shared adversarial_chat schema; `next_message` is always required since the attack loop consumes it (enforced at parse time and, for the property, at construction). - microsoft#5 Naming: rename the manager's `adversarial_first_prompt_template` param/attr/ property to `first_message`, matching `AttackAdversarialConfig.first_message`. - microsoft#4 Lifecycle: build the AdversarialConversationManager once per execution in RedTeamingAttack (`_build_adversarial_manager`, constructed before the turn loop and threaded into `_generate_next_prompt_async`) instead of rebuilding each turn. - Drop the never-read `_adversarial_response_json_schema` field (keep the construction-time "declared on both" validation) and the dead `_DEFAULT_SEED_PROMPT` constant; refresh the stale `adversarial_prompt_template` comment. - Thread the resolved schema through the simulated_conversation parse call. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Crescendo and TAP/PAIR each hand-rolled their own parser for the same adversarial_chat JSON schema. They now delegate to the shared _parse_adversarial_reply used by Red Teaming and Simulated Conversation, so validation and normalization stay consistent across every adversarial-chat executor. This fixes TAP/PAIR's missing camelCase normalization (the exact gap that once broke a Crescendo CI run) and makes them enforce the schema's required keys and additionalProperties instead of only checking next_message. The schema argument is optional, so schemaless custom adversarial prompts keep the permissive next_message-only contract. Also expands coverage: direct TAP node parser tests (camelCase accepted, strict-schema rejection of missing/extra keys, markdown stripping, schemaless-stays-lax), a manager next_message coercion test, a Red Teaming build-once test, and a Simulated Conversation invalid-JSON test. Removes the now-obsolete Crescendo _camel_to_snake test. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
rlundeen2's WIP renamed AttackAdversarialConfig.seed_prompt to first_message (field + factory internals) but left four tests in test_attack_technique_factory.py asserting the old field, causing AttributeError/TypeError. Update those tests to the new field name; the factory source was already migrated. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…describe them When seed/reference images are provided, the crescendo, red_teaming, and tree_of_attacks image_generation adversarial system prompts now instruct the adversarial model to refer to those images by position and issue an edit/compose instruction, rather than describing their contents. Describing the contents made image-editing targets regenerate from scratch and drop the seeded subject's identity. The seed guidance is conditional, so the no-seed generation path is unchanged. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Brings in 7 upstream commits (scenario DEFAULT strategy curation, dataset parameters on dataset configuration, initializer fixes, Azure SQL memory test fix, schema migration guard). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
|
Right now this only does RedTeamAttack. Which is good! But are there followups for the other attacks? Or we could do it here. RN Crescendo, TAP, simulated_conversation all use some of it, but should (eventually) use the AdversarialConversationManager to take care of the next turn generally. |
| "'system_prompt' takes precedence and 'system_prompt_path' is ignored." | ||
| ) | ||
|
|
||
| def get_json_schema(self) -> JsonSchemaDefinition | None: |
There was a problem hiding this comment.
There are several places we
resolve_adversarial_json_schema(system_prompt=..., first_message=...)
But this method should be used instead if we can.
| AttackAdversarialConfig, | ||
| AttackConverterConfig, | ||
| AttackScoringConfig, | ||
| resolve_adversarial_json_schema, |
There was a problem hiding this comment.
IMO we would simplify things if we eventually used JSON schemas for red_teaming attack also, and just used the same schema everywhere by default.
| objective=context.objective, | ||
| max_turns=self._max_turns, | ||
| ) | ||
| if not adversarial_system_prompt: |
There was a problem hiding this comment.
This should be removed and managed by AdversarialConversationManager; it should be responsible for all setup
AdversarialConversationManager
AdversarialConversationManagercentralizes how multi-turn attacks talk to their adversarial chat. Today Red Teaming, Crescendo, TAP, and PAIR each hand-roll the same mechanics: holding the adversarial system prompt, building the per-turn message, sending it on a stable conversation id, and parsing the reply. The manager owns one adversarial conversation and centralizes all of that in one place.Because it's one place, it's also where we decide what context the adversarial chat gets each turn — the objective, the latest score, and the objective target's last response — all via a single
adversarial_prompt_template. The manager computes the per-turn feedback text in Python (handling blocked / errored / empty responses and optional score feedback) and exposes it to the template asfeedback_text, so adding a new signal becomes a template change rather than per-attack code.It also unifies the shared
adversarial_chatJSON schema and is the single home for JSON retry, so schema-aware targets natively constrain the reply and every attack gets consistent parsing/retry behavior for free.Multimodal feedback
The manager folds in the modality router, so adversarial context is no longer text-only:
{{ message.text.converted_value }}).Config surface
AttackAdversarialConfignow carriessystem_prompt(inline string orSeedPrompt),first_message, andadversarial_prompt_template; the legacysystem_prompt_pathis deprecated (removed in 0.17.0). None of this is visible to callers of the executors — the public attack APIs are unchanged.Migrated executors
Every consuming executor now routes its adversarial conversation through the manager: Crescendo, Red Teaming, Tree of Attacks (and PAIR), Simulated Conversation, Context Compliance, and Role Play. The scenario
attack_technique_factoryis updated to match.