Skip to content

fix(bundle2-W5-4): ai_adversarial jailbreak gate + opt-in kwarg#43

Merged
Wool-xing merged 2 commits into
mainfrom
bundle2-W5-4-jailbreak
May 13, 2026
Merged

fix(bundle2-W5-4): ai_adversarial jailbreak gate + opt-in kwarg#43
Wool-xing merged 2 commits into
mainfrom
bundle2-W5-4-jailbreak

Conversation

@Wool-xing
Copy link
Copy Markdown
Owner

@Wool-xing Wool-xing commented May 13, 2026

范围

W5-4 (Phase 1 / Bundle 2): 05-代码示例/ai_adversarial.py offensive AI 测试 (越狱 / 注入 / 隐私推断 / 远端鲁棒) gate 加固。复用 W5-2 范式 v2 (env gate + opt-in kwarg)。同步 SECURITY.md 武器化表条目对齐实际状态。

改了什么

1. 模块 docstring 加"安全约束 (W5-4 加固)"节

明列 4 个 op 的双层 gate 机制 + 授权边界 (引 SECURITY.md 法律节)。

2. 新加模块级 gate

  • 常量 GATE_ENV_VAR = "TAGENT_PENTEST_AUTHORIZED" (复用 api_security_scanner W5-2 同变量)
  • _require_authorized(op) 准入守卫

3. 4 个远端 op 加守

函数 env gate opt-in kwarg
adversarial_text_test – (MEDIUM, gate 即可)
test_llm_jailbreak confirm_offensive: bool = False
test_prompt_injection confirm_offensive: bool = False
membership_inference_basic confirm_inference_attack: bool = False

4. CLI 入口同步

__main__--confirm-offensive flag (jailbreak / inject 子命令), 否则 CLI 永久不可用。

5. SECURITY.md L72 同步

武器化代码表 ai_adversarial.py 条目原仅写 "含 JAILBREAK_PROMPTS + PROMPT_INJECTION_TEMPLATES 模板", 现对齐实际 gate 状态 (格式同 L71 api_security_scanner):

AI 对抗测试 / LLM 越狱 / Prompt Injection / 成员推断攻击 (含...模板; 4 个远端 op 默认 refuse, 需 `TAGENT_PENTEST_AUTHORIZED=1`; 三个 HIGH 风险 op 额外需 `confirm_offensive=True` 或 `confirm_inference_attack=True` kwarg)

不在范围

本地测试 (11/11 全过)

gate 关闭 → 4 ops refused:

OK adversarial_text_test: refused (gate off)
OK test_llm_jailbreak: refused (gate off)
OK test_prompt_injection: refused (gate off)
OK membership_inference_basic: refused (gate off)

gate 开 + 缺 confirm_ kwarg → 3 HIGH refused*:

OK test_llm_jailbreak: refused without confirm_offensive=True
OK test_prompt_injection: refused without confirm_offensive=True
OK membership_inference_basic: refused without confirm_inference_attack=True

CLI 三层 (subprocess 实跑):

$ python ai_adversarial.py jailbreak http://x
RuntimeError: AI offensive op 'test_llm_jailbreak' refused: set TAGENT_PENTEST_AUTHORIZED=1...

$ TAGENT_PENTEST_AUTHORIZED=1 python ai_adversarial.py jailbreak http://x
RuntimeError: test_llm_jailbreak refused: pass confirm_offensive=True...

$ TAGENT_PENTEST_AUTHORIZED=1 python ai_adversarial.py jailbreak --confirm-offensive http://nonexistent.example
{...HTTPConnectionPool 错 (gate 全开, 跑到网络层)}

协作宪章 §1.3 六道闸自检 (按 PR #42 f1-f6 标准, 即使 PR #42 未合也用最新规则)

  • a 静态: ✓ Ruff All checks passed + pre-commit + markdownlint 全过
  • b 副作用: ✓ 6 处文档级引用 (00-项目导航 / 部署说明 / pentest-api skill / 05-README / FULL_GUIDE / Test-Agent工作流搭建.md), 无运行时调用断点
  • c 跨层契约: ✓ SECURITY.md L72 已同步 (本 PR 内修, 不延后)
  • d 实测: ✓ 11/11 case 通过 (含 CLI subprocess 三层实跑)
  • e 回归: ✓ 模块可导入 + CLI 跑通
  • f 诚实自检 (f1-f6):
    • f1 数字证据: 4 ops gate / 3 HIGH kwarg / 11 case / 6 处文档引用 — 全 H 出处贴出
    • f2 路径泄漏: ✓ 无私域路径
    • f3 虚假承诺不回潜: ✓ 无
    • f4 法律措辞: ✓ SECURITY.md 引用方式不夸大
    • f5 置信度: 见下表
    • f6 假阳性: 见下答辩

置信度自检 (f5)

声明 证据 f5
4 ops + 3 HIGH kwarg gate 实现 11/11 本地测试输出贴出 H
CLI 三层 gate 实测 subprocess 输出贴出 H
Ruff / pre-commit / markdownlint 通过 工具输出 H
SECURITY.md 同步对齐 git diff 1 行 H
2 文件 +98/-9 git diff --stat H
TAGENT_PENTEST_AUTHORIZED 复用 (与 api_security_scanner 同变量) W5-2 PR #39 已确立 H
CI 9 必修将通过 本地全过推断 M
is_refusal 顺路优化记入 task #3 计划性, 未执行 L

对外承诺仅基于 H 声明, M / L 已加修饰。

假阳性过滤 (f6) 自检

唯一 finding = "ai_adversarial 4 ops 无 gate, 默认 import 即可发 offensive 流量":

#
1 真问题 / 工具误报? 。代码静态可查 (4 处 requests.post 远端调用 + JAILBREAK_PROMPTS 模板默认值), 无 gate 跳过
2 反例可证伪? 候选: "Foolbox / ART 库自身无 gate" → 反驳: 那是工具库, 本文件是项目示例 + 公开 git, 应默认 deny。不证伪
3 修后实质变好? 。误调即显式拒绝 + 带法律授权指引 (SECURITY.md 链接), 等同 W5-2 标杆

假阳性候选数: 0 | 降置信 finding 数: 0

关联

fix(bundle2-W5-4): ai_adversarial jailbreak gate + opt-in kwarg (复用 W…
bb98590 
…5-2 范式 v2)

4 远端 ops 加 env gate (复用 TAGENT_PENTEST_AUTHORIZED, 与 api_security_scanner 同变量):
- adversarial_text_test
- test_llm_jailbreak
- test_prompt_injection
- membership_inference_basic

3 HIGH 风险预设额外 opt-in kwarg (W5-2 范式 v2 第二层):
- test_llm_jailbreak: confirm_offensive=True
- test_prompt_injection: confirm_offensive=True
- membership_inference_basic: confirm_inference_attack=True

CLI 入口同步加 --confirm-offensive flag (jailbreak / inject 子命令), 否则 CLI 永久不可用。

模块 docstring 加"安全约束"节, 体例同 W5-3 (db_test_helper)。

SECURITY.md L72 武器化代码表 ai_adversarial 条目对齐实际 gate 状态
(同 L71 api_security_scanner 详细格式), 跨层契约一致。

实测 (本地, 11/11 全过):
- gate 关闭 → 4 ops 全 RuntimeError "AI offensive op...refused"
- gate 开 + 3 HIGH 缺 kwarg → RuntimeError "pass confirm_*=True"
- CLI 三层: env 缺 / kwarg 缺 / 全开跑到 HTTP 错 (gate 全开)
- Ruff All checks passed

约束: utils 独立于 runtime, 用 env var gate 不用 runtime.config.safety。
@Wool-xing Wool-xing mentioned this pull request May 13, 2026
Merged
@Wool-xing Wool-xing merged commit 87aeb4e into main May 13, 2026
10 of 11 checks passed
@Wool-xing Wool-xing deleted the bundle2-W5-4-jailbreak branch May 13, 2026 16:35
This was referenced May 13, 2026
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Wool-xing