Skip to content

feat(airt): proper multimodal — custom targets, per-media prompts, media-output scoring, injection images (1.6.6)#79

Merged
rdheekonda merged 4 commits into
mainfrom
feat/multimodal-custom-target-and-prompts
Jul 8, 2026
Merged

feat(airt): proper multimodal — custom targets, per-media prompts, media-output scoring, injection images (1.6.6)#79
rdheekonda merged 4 commits into
mainfrom
feat/multimodal-custom-target-and-prompts

Conversation

@rdheekonda

@rdheekonda rdheekonda commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Makes multimodal red teaming a proper, effective capability the TUI agent can drive end to end.

Custom HTTP multimodal target

generate_multimodal_attack(custom_url=..., custom_auth_*, custom_request_template, custom_response_text_path)
generates a @task target(message) that serializes text + base64 media into the user's JSON body via
{prompt}/{image_b64}/{audio_b64}/{video_b64} placeholders, POSTs, and extracts the reply via
JSONPath. target_model optional. Also exposes #77's custom_url on the standard generate_attack tool.

Per-media prompts

prompts (aligned list) or prompts_csv (media_filename,prompt by basename) — each media set gets its
own prompt; unmapped media fall back to goal. Default single-goal path unchanged.

Media-OUTPUT scoring

score_media_output (+ media_output_modalities / media_output_rubric) wires per-output-modality
multimodal_judge response_scorers into multimodal_attack, so an image-out / speech-to-speech target's
generated media is scored (trial score = MAX across text + media). Off by default.

Turnkey seed media — generate_injection_images

New tool + media_generator.py: render attack text (or a CSV of texts) into typographic prompt-injection
images
, so the agent can create the attack data and probe a vision model without the user supplying media.

Agent stays byte-free on harmful data

The agent never opens/views/reasons about the media or prompt contents — it plans from byte-free inventory
(build_media_manifest) and invokes tools with paths + judge/attacker model + transforms + endpoint
config
; the workflow (or the injection tool) handles the bytes. Agent md documents custom targets,
per-media prompts, media-output scoring, injection-image creation, and audio-out/S2S (Nova Sonic needs an
SDK target, not a generic HTTP one).

Bumps capability 1.6.2 → 1.6.6.

Test plan

  • Full capability suite + release-plan — 162 passed
  • New tests: custom HTTP target, per-media prompts (list/CSV), media-output scoring (on/off/explicit),
    injection-image rendering; default paths unchanged
  • py_compile clean; generated scripts pass the compile() guard; injection generator renders real PNGs
  • Live: custom-endpoint multimodal run, per-media-prompt CSV run, image-out target with media scoring,
    and a typographic-injection run created from text

Extends generate_multimodal_attack so the agent can probe beyond a litellm model:

- Custom HTTP target: custom_url (+ auth / request-template / JSONPath) generates a
  @task target that serializes the message's text + base64 media into the user's
  request body and extracts the response via JSONPath. The agent reads the target's
  API docs to build the template; target_model becomes optional.
- Per-media prompts: `prompts` (aligned list) or `prompts_csv` (media_filename,prompt
  matched by basename) pairs each media set with its own prompt, falling back to goal.
- Exposes both through the generate_multimodal_attack tool, and surfaces #77's
  custom_url on the standard generate_attack tool.
- Agent stays byte-free on attack data: the manifest docstring + agent md now state
  the agent must never open/view/reason about the media or prompt contents — it only
  invokes the tool with paths + judge/attacker model + transforms + endpoint config;
  the workflow loads and probes the media at runtime.

Bumps capability 1.6.2 -> 1.6.5. Adds 5 tests (custom target, per-media prompts
list/CSV, optional target_model, default single-goal unchanged).
Rounds out effective multimodal probing on top of custom targets + per-media prompts:

- Media-OUTPUT scoring: score_media_output (+ media_output_modalities / rubric) wires
  per-output-modality multimodal_judge response_scorers into multimodal_attack, so an
  image-out or speech-to-speech target's GENERATED media is scored (trial score = MAX
  across text + media). Off by default — text-only scoring is unchanged.
- generate_injection_images tool + media_generator.py: render attack text (or a CSV of
  texts) into typographic prompt-injection images, so the agent can CREATE the attack
  data and probe a vision model without the user supplying media — byte-free (the agent
  passes paths, never views the text).
- Agent md: documents media-output scoring, injection-image creation, and audio-out /
  speech-to-speech guidance (Nova Sonic needs an SDK target, not a generic HTTP one).

Bumps capability 1.6.5 -> 1.6.6. Adds tests (media-output on/off/explicit modality,
injection rendering). Full capability suite: 162 passed.
@rdheekonda rdheekonda changed the title feat(airt): custom multimodal targets + per-media prompts (1.6.5) feat(airt): proper multimodal — custom targets, per-media prompts, media-output scoring, injection images (1.6.6) Jul 8, 2026
generate_multimodal_category_attack sweeps a multimodal attack across sampled goals
from a harm sub-category (bundled goals.csv). A multimodal sweep needs media, so:

- render_from_goals=True: each sampled goal is rendered into a typographic injection
  image (harmful text in the image, benign framing prompt) — fully turnkey, no user
  media required. One attack per goal.
- user media (image_dir/paths/audio/video): each sampled goal is paired 1:1 with a
  media file (dedup-safe, no cycling).
- Neither given → an error that tells the agent to ASK the user for media paths.

Exposes the generate_multimodal_category_attack tool and documents in the agent md
(including the "ask for media paths" UX). Bumps capability 1.6.6 -> 1.6.7. Adds 5
tests; full suite 167 passed.
@rdheekonda rdheekonda merged commit 2934bb9 into main Jul 8, 2026
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant