FEAT Add supports_multi_turn property to targets and adapt attacks accordingly #1433

Copilot · 2026-03-02T23:53:29Z

_rotate_conversation_for_single_turn_target relies on an inline from pyrit.memory import CentralMemory import. This module doesn't appear to have a circular dependency with pyrit.memory, so the import should be moved to the top of the file to match the project's import-organization convention and avoid repeated imports on every rotation call.

romanlutz · 2026-03-03T05:16:26Z

TODO @romanlutz to check correctness

Copilot · 2026-03-03T05:36:17Z

PromptChatTarget.supports_multi_turn always returns True, which bypasses TargetCapabilities and makes per-instance overrides (via the capabilities setter/constructor) ineffective. This will also cause tests like test_constructor_override_supports_multi_turn (which expects an override to False) to fail. Consider removing this override entirely and relying on _DEFAULT_CAPABILITIES, or delegating to super().supports_multi_turn / self.capabilities.supports_multi_turn.

Suggested change

bool: True for chat targets.

"""

return True

bool: True for chat targets by default, unless overridden via capabilities.

"""

return self.capabilities.supports_multi_turn

Copilot · 2026-03-03T00:16:50Z

PromptTarget.__init__ still allows positional arguments even though it has multiple parameters, and this PR adds another (capabilities). Most other constructors in this area are keyword-only (def __init__(self, *, ...)), which reduces accidental argument ordering bugs. Consider making this initializer keyword-only (possibly via a deprecation period) to keep the base target API consistent and safer to extend.

Copilot · 2026-03-03T00:38:53Z

The capabilities setter mutates behavior-affecting state, but Identifiable.get_identifier() caches identifiers for the object lifetime. If get_identifier() was called before capabilities is reassigned, the identifier will permanently reflect the old supports_multi_turn value. Consider either (a) making capabilities immutable after construction, or (b) resetting self._identifier to None in the setter so the identifier can be rebuilt with the updated capabilities.

Suggested change

self._capabilities = value

self._capabilities = value

# Invalidate cached identifier so it can be rebuilt with updated capabilities.

self._identifier = None

Copilot · 2026-03-03T05:36:18Z

The validation now allows converted_value_data_type to be "error", but the raised message still says this method “only supports text.” Consider updating the exception message (and docstring) to reflect the actual accepted types (or explicitly skip error messages instead of sending them back to the model).

-Original file line number
+Diff line change
@@ Expand Up / @@ -542,6 +542,7 @@ API Reference @@
         PromptShieldTarget
         PromptTarget
         RealtimeTarget
+        TargetCapabilities
         TextTarget
         WebSocketCopilotTarget
@@ Expand Down @@

-Original file line number
+Diff line change
@@ Expand Up @@
             Args:
                 context (ChunkedRequestAttackContext): The attack context containing attack parameters.
+            Raises:
+                ValueError: If the objective target does not support multi-turn conversations.
             """
+            if not self._objective_target.supports_multi_turn:
+                raise ValueError(
+                    "ChunkedRequestAttack requires a multi-turn target. "
+                    "The objective target does not support multi-turn conversations."
+                )
             # Ensure the context has a session
             context.session = ConversationSession()
@@ Expand Down @@

-Original file line number
+Diff line change
@@ Expand Up @@
             Args:
                 context (CrescendoAttackContext): Attack context with configuration
+            Raises:
+                ValueError: If the objective target does not support multi-turn conversations.
             """
+            if not self._objective_target.supports_multi_turn:
+                raise ValueError(
+                    "CrescendoAttack requires a multi-turn target. Crescendo fundamentally relies on "
+                    "multi-turn conversation history to gradually escalate prompts. "
+                    "Use RedTeamingAttack or TreeOfAttacksWithPruning instead."
+                )
             # Ensure the context has a session
             context.session = ConversationSession()
@@ Expand Down @@

-Original file line number
+Diff line change
@@ Expand Up @@
             Args:
                 context (MultiTurnAttackContext): The attack context containing attack parameters.
+            Raises:
+                ValueError: If the objective target does not support multi-turn conversations.
             """
+            if not self._objective_target.supports_multi_turn:
+                raise ValueError(
+                    "MultiPromptSendingAttack requires a multi-turn target. "
+                    "The objective target does not support multi-turn conversations."
+                )
             # Ensure the context has a session (like red_teaming.py does)
             context.session = ConversationSession()
@@ Expand Down @@

-Original file line number
+Diff line change
@@ Expand Up / @@ -16,6 +16,8 @@ @@
         AttackStrategy,
         AttackStrategyResultT,
     )
+    from pyrit.memory import CentralMemory
+    from pyrit.models import ConversationReference, ConversationType
     if TYPE_CHECKING:
         from pyrit.models import (
@@ Expand Down Expand Up / @@ -91,3 +93,59 @@ def __init__( @@
                 params_type=params_type,
                 logger=logger,
             )
+        def _rotate_conversation_for_single_turn_target(
+            self,
+            *,
+            context: MultiTurnAttackContext[Any],
+        ) -> None:
+            """
+            Create a fresh conversation_id for the objective target if it is a single-turn target.
+            For single-turn targets, each turn must use a separate conversation_id because the target
+            rejects conversations with prior messages. The prior turn's conversation_id is recorded
+            as a PRUNED related conversation on the attack context.
+            System messages (e.g., from prepended conversation) are duplicated into the new
+            conversation so that the target retains its system prompt context.
+            For multi-turn targets this method is a no-op.
+            This should be called before each turn (except the first) when sending prompts to the
+            objective target.
+            Args:
+                context: The current attack context.
+            """
+            if self._objective_target.supports_multi_turn:
+                return
+            if context.executed_turns == 0:
+                return
+            old_conversation_id = context.session.conversation_id
+            context.related_conversations.add(
+                ConversationReference(
+                    conversation_id=old_conversation_id,
+                    conversation_type=ConversationType.PRUNED,
+                    description=f"single-turn target prior turn {context.executed_turns}",
+                )
+            )
+            # Duplicate system messages (e.g., system prompt from prepended conversation)
+            # into the new conversation so the target retains its configuration.
+            memory = CentralMemory.get_memory_instance()
+            messages = memory.get_conversation(conversation_id=old_conversation_id)
+            system_messages = [m for m in messages if m.api_role == "system"]
+            if system_messages:
+                new_conversation_id, pieces = memory.duplicate_messages(messages=system_messages)
+                memory.add_message_pieces_to_memory(message_pieces=pieces)
+                context.session.conversation_id = new_conversation_id
+            else:
+                context.session.conversation_id = str(uuid.uuid4())
+            self._logger.debug(
+                f"Rotated conversation_id for single-turn target: "
+                f"{old_conversation_id} -> {context.session.conversation_id}"
+            )

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

FEAT Add supports_multi_turn property to targets and adapt attacks accordingly #1433

Uh oh!

Diff view

Diff view

There are no files selected for viewing

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Copilot AI Mar 2, 2026

Uh oh!

romanlutz Mar 3, 2026

Uh oh!

Copilot AI Mar 3, 2026

Uh oh!

Copilot AI Mar 3, 2026

Uh oh!

Copilot AI Mar 3, 2026

Uh oh!

Copilot AI Mar 3, 2026

Uh oh!

Uh oh!

Uh oh!

-Original file line number
+Diff line change
@@ Expand Up / @@ -524,6 +524,9 @@ async def _send_prompt_to_objective_target_async( @@
             """
             logger.info(f"Sending prompt to target: {message.get_value()[:50]}...")
+            # For single-turn targets, rotate conversation_id so each turn starts fresh
+            self._rotate_conversation_for_single_turn_target(context=context)
             with execution_context(
                 component_role=ComponentRole.OBJECTIVE_TARGET,
                 attack_strategy_name=self.__class__.__name__,
@@ Expand Down @@

-Original file line number
+Diff line change
@@ Expand Up / @@ -777,9 +777,22 @@ def duplicate(self) -> "_TreeOfAttacksNode": @@
             )
             # Duplicate the conversations to preserve history
-            duplicate_node.objective_target_conversation_id = self._memory.duplicate_conversation(
-                conversation_id=self.objective_target_conversation_id
-            )
+            # For single-turn targets, duplicate only the system messages (e.g., system prompt
+            # from prepended conversation) so the target retains its configuration without
+            # carrying over attack turn history that would cause validation errors.
+            if self._objective_target.supports_multi_turn:
+                duplicate_node.objective_target_conversation_id = self._memory.duplicate_conversation(
+                    conversation_id=self.objective_target_conversation_id
+                )
+            else:
+                messages = self._memory.get_conversation(conversation_id=self.objective_target_conversation_id)
+                system_messages = [m for m in messages if m.api_role == "system"]
+                if system_messages:
+                    new_id, pieces = self._memory.duplicate_messages(messages=system_messages)
+                    self._memory.add_message_pieces_to_memory(message_pieces=pieces)
+                    duplicate_node.objective_target_conversation_id = new_id
+                else:
+                    duplicate_node.objective_target_conversation_id = str(uuid.uuid4())
             duplicate_node.adversarial_chat_conversation_id = self._memory.duplicate_conversation(
                 conversation_id=self.adversarial_chat_conversation_id
@@ Expand Down @@

-Original file line number
+Diff line change
@@ Expand Up / @@ -12,6 +12,7 @@ @@
     from pyrit.prompt_target.azure_ml_chat_target import AzureMLChatTarget
     from pyrit.prompt_target.common.prompt_chat_target import PromptChatTarget
     from pyrit.prompt_target.common.prompt_target import PromptTarget
+    from pyrit.prompt_target.common.target_capabilities import TargetCapabilities
     from pyrit.prompt_target.common.utils import limit_requests_per_minute
     from pyrit.prompt_target.crucible_target import CrucibleTarget
     from pyrit.prompt_target.gandalf_target import GandalfLevel, GandalfTarget
@@ Expand Down Expand Up / @@ -66,6 +67,7 @@ @@
         "PromptShieldTarget",
         "PromptTarget",
         "RealtimeTarget",
+        "TargetCapabilities",
         "TextTarget",
         "WebSocketCopilotTarget",
     ]

-Original file line number
+Diff line change
@@ -0,0 +1,22 @@
+    # Copyright (c) Microsoft Corporation.
+    # Licensed under the MIT license.
+    from dataclasses import dataclass
+    @dataclass(frozen=True)
+    class TargetCapabilities:
+        """
+        Describes the capabilities of a PromptTarget so that attacks
+        and other components can adapt their behavior accordingly.
+        Each target class defines default capabilities via the _DEFAULT_CAPABILITIES
+        class attribute. Users can override individual capabilities per instance
+        through constructor parameters, which is useful for targets whose
+        capabilities depend on deployment configuration (e.g., Playwright, HTTP).
+        """
+        # Whether the target natively supports multi-turn conversations
+        # (i.e., it accepts and uses conversation history or maintains state
+        # across turns via external mechanisms like WebSocket connections).
+        supports_multi_turn: bool = False

-Original file line number
+Diff line change
@@ Expand Up @@
             for turn in conversation:
                 if len(turn.message_pieces) != 1:
                     return False
-                if turn.message_pieces[0].converted_value_data_type != "text":
+                if turn.message_pieces[0].converted_value_data_type not in ("text", "error"):
                     return False
             return True
@@ Expand Down Expand Up @@
                 message_piece = message.message_pieces[0]
-                if message_piece.converted_value_data_type != "text":
+                if message_piece.converted_value_data_type not in ("text", "error"):
                     raise ValueError("_build_chat_messages_for_text only supports text.")
                 chat_message = ChatMessage(role=message_piece.api_role, content=message_piece.converted_value)
@@ Expand Down Expand Up / @@ -581,7 +581,7 @@ async def _build_chat_messages_for_multi_modal_async( @@
                     ):
                         continue
-                    if message_piece.converted_value_data_type == "text":
+                    if message_piece.converted_value_data_type in ("text", "error"):
                         entry = {"type": "text", "text": message_piece.converted_value}
                         content.append(entry)
                     elif message_piece.converted_value_data_type == "image_path":
@@ Expand Down @@

-Original file line number
+Diff line change
@@ Expand Up / @@ -9,6 +9,7 @@ @@
     )
     from pyrit.identifiers import ComponentIdentifier
     from pyrit.models import Message, construct_response_from_request
+    from pyrit.prompt_target.common.target_capabilities import TargetCapabilities
     from pyrit.prompt_target.common.utils import limit_requests_per_minute
     from pyrit.prompt_target.openai.openai_target import OpenAITarget
@@ Expand All / @@ -18,6 +19,8 @@ @@
     class OpenAICompletionTarget(OpenAITarget):
         """A prompt target for OpenAI completion endpoints."""
+        _DEFAULT_CAPABILITIES: TargetCapabilities = TargetCapabilities(supports_multi_turn=False)
         def __init__(
             self,
             max_tokens: Optional[int] = None,
@@ Expand Down @@

FEAT Add supports_multi_turn property to targets and adapt attacks accordingly #1433

Are you sure you want to change the base?

Uh oh!

FEAT Add supports_multi_turn property to targets and adapt attacks accordingly #1433

Uh oh!

Uh oh!

Diff view

Diff view

There are no files selected for viewing

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Copilot AI Mar 2, 2026

Choose a reason for hiding this comment

Uh oh!

romanlutz Mar 3, 2026

Choose a reason for hiding this comment

Uh oh!

Copilot AI Mar 3, 2026

Choose a reason for hiding this comment

Uh oh!

Copilot AI Mar 3, 2026

Choose a reason for hiding this comment

Uh oh!

Copilot AI Mar 3, 2026

Choose a reason for hiding this comment

Uh oh!

Copilot AI Mar 3, 2026

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!