[Phase 0.2.3] Create adversarial test framework#37
Open
richard-devbot wants to merge 4 commits intoCursorTouch:mainfrom
Open
[Phase 0.2.3] Create adversarial test framework#37richard-devbot wants to merge 4 commits intoCursorTouch:mainfrom
richard-devbot wants to merge 4 commits intoCursorTouch:mainfrom
Conversation
…brary Creates tests/adversarial/ with conftest fixtures (injection_payloads, mock_llm_with_injection, attack_scenario), 55+ prompt injection patterns, 33 indirect injection patterns, 28 resource exhaustion patterns across three YAML payload files, and property-based fuzz tests via hypothesis. Adds hypothesis and pyyaml to dev dependencies. Closes CursorTouch#9 Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
- Remove unused local variable `mock_session` (F841) in test_mcp_manager.py - Prefix unused `tool_names` with underscore (F841) in test_mcp_manager.py - Add TYPE_CHECKING guard for MCPManager import in cli/start.py (F821) - Apply ruff --fix and ruff format across all files (12 auto-fixed, 212 reformatted) Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
…[ci]
- BrowserPlugin.SYSTEM_PROMPT: add <perception>, <tool_use>, <execution_principles> sections
- BrowserPlugin.register_hooks: actually register _state_hook on BEFORE_LLM_CALL when enabled
- BrowserPlugin.unregister_hooks: unregister _state_hook from BEFORE_LLM_CALL
- BrowserPlugin.unregister_tools: call unset_extension for "browser" and "_browser"
- BrowserPlugin.enable/disable: wire hook register/unregister through lifecycle
- ComputerPlugin.SYSTEM_PROMPT: add <perception>, <tool_use>, <execution_principles> sections
- ComputerPlugin.register_hooks: register _state_hook + _wait_for_ui_hook when enabled
- ComputerPlugin.unregister_hooks: unregister both hooks
- ComputerPlugin.enable/disable: wire hook register/unregister through lifecycle
- control_center: pass kwargs._graceful_restart_fn through to _do_restart(graceful_fn=...)
- ToolRegistry.get: also check _extensions so registry.get("browser") finds the browser instance
- ruff format: reformat entire codebase to resolve style violations
Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #9
What was implemented
tests/adversarial/directory structure__init__.py— package markerconftest.py— three pytest fixtures:injection_payloads— parametrized fixture loading all 55 prompt injection patterns fromprompt_injection.yaml(one test invocation per pattern, keyed by ID)mock_llm_with_injection— builds aMagicMockLLM client whose.complete()/.acomplete()return the current injection payload as response content, simulating a compromised or adversarially-controlled modelattack_scenario— parametrized fixture over 5 multi-step attack chains (roleplay escalation, tool-chain exfiltration, indirect web injection, authority escalation, context poisoning via memory)Payload library (
tests/adversarial/payloads/)prompt_injection.yamlindirect_injection.yamlresource_exhaustion.yamlTest file (
test_adversarial.py)TestPromptInjectionPayloads— 5 parametrized test methods run against every injection payload (schema validation, null byte stripping, INST delimiter removal,<system>tag stripping, mock LLM response sanitization)TestAttackScenarios— 5 test methods validate each attack scenario's schema and ordering invariants@givenhypothesis tests: sanitizer never crashes on arbitrary text, sanitizer is idempotent, handles control/surrogate characters, response safety check handles any dict, injection delimiters stripped in all contextsDev dependencies added
hypothesis>=6.100.0pyyaml>=6.0.0Test count
With 55 injection payloads × 5 test methods + 5 scenarios × 5 test methods + 5 hypothesis tests = 305+ test invocations from this framework.