Skip to content

Commit 8016c64

Browse files
author
test
committed
MAINT: Address Jailbreak PR review feedback
Revise the standardized Jailbreak scenario in response to review: - Enable the baseline attack policy by default (was Disabled). - Rename run parameters to num_jailbreaks / num_jailbreak_attempts. - Build the technique pool from every registered factory plus the scenario-local delivery extras, instead of a curated "core" set. - Default to a random jailbreak sample rather than a curated name list. - Default techniques to prompt_sending + jailbreak_system_prompt. Native system-prompt delivery is capability-gated (requires editable history and system-prompt support) and degrades to converter-based delivery otherwise, so the objective is never silently dropped. - Order the system-framing seed at sequence=-1 so a caller-supplied seed group carrying a user prompt at the default sequence 0 does not raise a same-sequence role collision when system delivery merges in. Update the scanner docs/notebook and the scenarios instruction example to match.
1 parent 901e6ce commit 8016c64

5 files changed

Lines changed: 515 additions & 152 deletions

File tree

.github/instructions/scenarios.instructions.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -14,7 +14,7 @@ All scenarios inherit from `Scenario` (ABC) and must:
1414

1515
1. **Define `VERSION`** as a class constant (increment on breaking changes)
1616
2. **Optionally declare `BASELINE_ATTACK_POLICY`** (defaults to `BaselineAttackPolicy.Enabled` — a baseline `PromptSendingAttack` is prepended and callers can opt out per run by setting `include_baseline=False` in the run params, see "Run Parameters" below):
17-
- `BaselineAttackPolicy.Disabled` — baseline supported but off by default (e.g. `Jailbreak`, where templates dominate the run).
17+
- `BaselineAttackPolicy.Disabled` — baseline supported but off by default (e.g. `garak.doctor`, where the harm-probe technique set dominates the run).
1818
- `BaselineAttackPolicy.Forbidden` — baseline is meaningless for this scenario's comparison axis (e.g. `AdversarialBenchmark`, which compares against gold-standard answers). Supplying `include_baseline=True` raises `ValueError`.
1919
3. **Pass `technique_class`, `default_technique`, and `default_dataset_config` to `super().__init__()`:**
2020

doc/scanner/airt.ipynb

Lines changed: 12 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -527,12 +527,14 @@
527527
"## Jailbreak\n",
528528
"\n",
529529
"Tests target resilience against jailbreak templates. A run crosses three selectors: the harmful\n",
530-
"objectives (**dataset**, HarmBench), the **techniques** each jailbreak is delivered through\n",
531-
"(default `prompt_sending` — \"just send\"; registry techniques like `role_play_*`, `many_shot`,\n",
532-
"`tap` are opt-in), and which **jailbreaks** to run. Each selected jailbreak template is applied as\n",
533-
"a request converter that renders the objective inline into the template, so the target sees the\n",
534-
"jailbroken prompt exactly as authored; this keeps the scenario target-agnostic and composable with\n",
535-
"every technique, and results are grouped by jailbreak template.\n",
530+
"objectives (**dataset**, HarmBench), the **techniques** each jailbreak is delivered through, and\n",
531+
"which **jailbreaks** to run. Two deliveries are on by default: `prompt_sending` renders the\n",
532+
"objective inline into the template as a request converter (target-agnostic), and\n",
533+
"`jailbreak_system_prompt` sets the template as a native system prompt with the objective sent as\n",
534+
"the user turn (only for targets that natively support editable history + system prompts — it is\n",
535+
"skipped for incapable targets). Registry techniques like `role_play_*`, `many_shot`, and `tap` are\n",
536+
"opt-in. Results are grouped by jailbreak template, and a baseline (the un-jailbroken objective) is\n",
537+
"included by default so complying with the bare objective is itself visible.\n",
536538
"\n",
537539
"```bash\n",
538540
"pyrit_scan airt.jailbreak \\\n",
@@ -542,10 +544,10 @@
542544
" --max-dataset-size 1\n",
543545
"```\n",
544546
"\n",
545-
"**Available techniques:** ALL, DEFAULT (`prompt_sending`), plus registry techniques\n",
546-
"(`role_play_*`, `many_shot`, `tap`, …). By default a small curated set of jailbreak templates\n",
547-
"runs; pass `num_templates` (random sample) or `jailbreak_names` (explicit) to widen or pin the\n",
548-
"selection."
547+
"**Available techniques:** ALL, DEFAULT (`prompt_sending` + `jailbreak_system_prompt`), plus registry\n",
548+
"techniques (`role_play_*`, `many_shot`, `tap`, …). By default a small random sample of jailbreak\n",
549+
"templates runs; pass `num_jailbreaks` (random count) or `jailbreak_names` (explicit) to widen or\n",
550+
"pin the selection."
549551
]
550552
},
551553
{

doc/scanner/airt.py

Lines changed: 12 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -166,12 +166,14 @@
166166
# ## Jailbreak
167167
#
168168
# Tests target resilience against jailbreak templates. A run crosses three selectors: the harmful
169-
# objectives (**dataset**, HarmBench), the **techniques** each jailbreak is delivered through
170-
# (default `prompt_sending` — "just send"; registry techniques like `role_play_*`, `many_shot`,
171-
# `tap` are opt-in), and which **jailbreaks** to run. Each selected jailbreak template is applied as
172-
# a request converter that renders the objective inline into the template, so the target sees the
173-
# jailbroken prompt exactly as authored; this keeps the scenario target-agnostic and composable with
174-
# every technique, and results are grouped by jailbreak template.
169+
# objectives (**dataset**, HarmBench), the **techniques** each jailbreak is delivered through, and
170+
# which **jailbreaks** to run. Two deliveries are on by default: `prompt_sending` renders the
171+
# objective inline into the template as a request converter (target-agnostic), and
172+
# `jailbreak_system_prompt` sets the template as a native system prompt with the objective sent as
173+
# the user turn (only for targets that natively support editable history + system prompts — it is
174+
# skipped for incapable targets). Registry techniques like `role_play_*`, `many_shot`, and `tap` are
175+
# opt-in. Results are grouped by jailbreak template, and a baseline (the un-jailbroken objective) is
176+
# included by default so complying with the bare objective is itself visible.
175177
#
176178
# ```bash
177179
# pyrit_scan airt.jailbreak \
@@ -181,10 +183,10 @@
181183
# --max-dataset-size 1
182184
# ```
183185
#
184-
# **Available techniques:** ALL, DEFAULT (`prompt_sending`), plus registry techniques
185-
# (`role_play_*`, `many_shot`, `tap`, …). By default a small curated set of jailbreak templates
186-
# runs; pass `num_templates` (random sample) or `jailbreak_names` (explicit) to widen or pin the
187-
# selection.
186+
# **Available techniques:** ALL, DEFAULT (`prompt_sending` + `jailbreak_system_prompt`), plus registry
187+
# techniques (`role_play_*`, `many_shot`, `tap`, …). By default a small random sample of jailbreak
188+
# templates runs; pass `num_jailbreaks` (random count) or `jailbreak_names` (explicit) to widen or
189+
# pin the selection.
188190

189191
# %%
190192
from pyrit.scenario.airt import Jailbreak, JailbreakTechnique

0 commit comments

Comments
 (0)