[DRAFT] FEAT: Chain-of-Thought Hijacking Attack Strategy and Test Coverage

.devcontainer/Dockerfile

@@ -1,7 +1,9 @@
-FROM mcr.microsoft.com/devcontainers/python:3.11
+# syntax=docker/dockerfile:1
+FROM mcr.microsoft.com/devcontainers/python:3.11-bookworm
 
 # Makes installation faster
 ENV UV_COMPILE_BYTECODE=1
+ENV DEBIAN_FRONTEND=noninteractive
 
 SHELL ["/bin/bash", "-c"]
 
@@ -11,66 +13,61 @@ USER root
 RUN rm -f /etc/apt/sources.list.d/yarn.list 2>/dev/null || true
 
 # Install required system packages + ODBC prerequisites
-RUN apt-get update && apt-get install -y \
-    sudo \
-    unixodbc \
-    unixodbc-dev \
-    libgl1 \
-    git \
-    curl \
-    xdg-utils \
-    build-essential \
- && apt-get clean && rm -rf /var/lib/apt/lists/*
+RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
+    --mount=type=cache,target=/var/lib/apt/lists,sharing=locked \
+    apt-get update \
+ && apt-get install -y --no-install-recommends \
+      sudo \
+      unixodbc \
+      unixodbc-dev \
+      libgl1 \
+      git \
+      curl \
+      xdg-utils \
+      build-essential
 
-# Install the Azure CLI, Microsoft ODBC Driver 18 & SQL tools
+# Install Microsoft ODBC Driver 18 & SQL tools
 # Note: Debian Trixie's sqv rejects SHA1 signatures, so we use gpg directly to import the Microsoft key
-RUN apt-get update && apt-get install -y \
-      apt-transport-https \
+RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
+    --mount=type=cache,target=/var/lib/apt/lists,sharing=locked \
+    apt-get update \
+ && apt-get install -y --no-install-recommends \
       ca-certificates \
       gnupg \
-      lsb-release \
  && curl -sL https://packages.microsoft.com/keys/microsoft.asc \
       | gpg --dearmor \
       > /usr/share/keyrings/microsoft-archive-keyring.gpg \
  && echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/microsoft-archive-keyring.gpg] https://packages.microsoft.com/debian/12/prod bookworm main" \
       > /etc/apt/sources.list.d/microsoft.list \
  && apt-get update \
- && ACCEPT_EULA=Y apt-get install -y msodbcsql18 mssql-tools18 \
- && apt-get install -y azure-cli \
- && echo 'export PATH="$PATH:/opt/mssql-tools18/bin"' >> /etc/profile.d/sqltools.sh \
- && apt-get clean \
- && rm -rf /var/lib/apt/lists/*
+ && ACCEPT_EULA=Y apt-get install -y --no-install-recommends \
+      msodbcsql18 \
+      mssql-tools18 \
+ && echo 'export PATH="$PATH:/opt/mssql-tools18/bin"' >> /etc/profile.d/sqltools.sh
 
 # audio back-ends needed by Azure Speech SDK
-RUN apt-get update \
- && DEBIAN_FRONTEND=noninteractive \
- apt-get install -y --no-install-recommends \
+RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
+    --mount=type=cache,target=/var/lib/apt/lists,sharing=locked \
+    apt-get update \
+ && apt-get install -y --no-install-recommends \
       libasound2 \
-      libpulse0 \
- && rm -rf /var/lib/apt/lists/*
+      libpulse0
 
 # Install uv system-wide and create pyrit-dev venv
-RUN curl -LsSf https://astral.sh/uv/install.sh | sh \
- && mv /root/.local/bin/uv /usr/local/bin/uv \
- && rm -rf /opt/venv \
- && uv venv /opt/venv --python 3.11 --prompt pyrit-dev \
- && chown -R vscode:vscode /opt/venv \
- && ls -la /opt/venv/bin/activate
+COPY --from=ghcr.io/astral-sh/uv:0.10.8 /uv /uvx /bin/
+RUN uv venv /opt/venv --python 3.11 --prompt pyrit-dev \
+ && chown -R vscode:vscode /opt/venv
 ENV PATH="/opt/venv/bin:$PATH"
 
+# Install Node.js 24.x LTS for frontend development
+RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
+    --mount=type=cache,target=/var/lib/apt/lists,sharing=locked \
+    curl -fsSL https://deb.nodesource.com/setup_24.x | bash - \
+ && apt-get install -y --no-install-recommends nodejs
+
 # vscode user already exists in the base image, just ensure sudo access
 RUN echo "vscode ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
 
-# Install Node.js 20.x and npm for frontend development
-RUN curl -fsSL https://deb.nodesource.com/setup_20.x | bash - \
- && apt-get install -y nodejs \
- && npm install -g npm@latest \
- && npm install -g @github/copilot@0.0.421 \
- && npm cache clean --force \
- && rm -rf /root/.npm \
- && apt-get clean \
- && rm -rf /var/lib/apt/lists/*
-
 # Pre-create common user caches and fix permissions
 RUN mkdir -p /home/vscode/.cache/pre-commit \
  && mkdir -p /home/vscode/.vscode-server \
@@ -79,7 +76,7 @@ RUN mkdir -p /home/vscode/.cache/pre-commit \
  && mkdir -p /home/vscode/.cache/venv \
  && mkdir -p /home/vscode/.cache/pylance \
  && chown -R vscode:vscode /home/vscode/.cache /home/vscode/.vscode-server \
- && chmod -R 777 /home/vscode/.cache/pip /home/vscode/.cache/pylance /home/vscode/.cache/venv /home/vscode/.cache/uv\
+ && chmod -R 755 /home/vscode/.cache/pip /home/vscode/.cache/pylance /home/vscode/.cache/venv /home/vscode/.cache/uv \
  && chmod -R 755 /home/vscode/.vscode-server
 
 USER vscode
@@ -95,6 +92,6 @@ RUN git config --global core.preloadindex true \
  && git config --global status.showUntrackedFiles all \
  && git config --global core.fsmonitor true
 
- # Set cache directories so they can be mounted
+# Set cache directories so they can be mounted
 ENV PIP_CACHE_DIR="/home/vscode/.cache/pip"
 ENV UV_CACHE_DIR="/home/vscode/.cache/uv"

.devcontainer/devcontainer.json

@@ -90,6 +90,14 @@
       ]
     }
   },
+  "features": {
+    "ghcr.io/devcontainers/features/azure-cli:1": {
+      "version": "latest"
+    },
+    "ghcr.io/devcontainers/features/copilot-cli:1": {
+      "version": "latest"
+    }
+  },
   "postCreateCommand": "/bin/bash -i .devcontainer/devcontainer_setup.sh",
   "forwardPorts": [3000, 4213, 5000, 8000, 8888]
 }

.devcontainer/devcontainer_setup.sh

@@ -8,7 +8,7 @@ if [ ! -d "$MYPY_CACHE" ]; then
     echo "Creating mypy cache directory..."
     sudo mkdir -p $MYPY_CACHE
     sudo chown vscode:vscode $MYPY_CACHE
-    sudo chmod 777 $MYPY_CACHE
+    sudo chmod 755 $MYPY_CACHE
 else
     # Check ownership
     OWNER=$(stat -c '%U:%G' $MYPY_CACHE)
@@ -21,9 +21,9 @@ else
     # Check permissions
     PERMS=$(stat -c '%a' $MYPY_CACHE)
 
-    if [ "$PERMS" != "777" ]; then
+    if [ "$PERMS" != "755" ]; then
         echo "Fixing mypy cache directory permissions..."
-        sudo chmod -R 777 $MYPY_CACHE
+        sudo chmod -R 755 $MYPY_CACHE
     fi
 fi
 
@@ -70,6 +70,7 @@ if [ -f "package.json" ]; then
     npm install
 
     # Install Playwright browsers and system dependencies for E2E testing
+    # This may fail if apt repos have signature issues - don't block setup
     echo "📦 Installing Playwright browsers..."
 
     # Remove third-party repos with SHA1 signature issues (rejected since 2026-02-01)
@@ -78,7 +79,11 @@ if [ -f "package.json" ]; then
                /etc/apt/sources.list.d/nodesource.list \
                /etc/apt/sources.list.d/microsoft.list 2>/dev/null || true
 
-    npx playwright install --with-deps chromium
+    if npx playwright install --with-deps chromium; then
+        echo "✅ Playwright browsers installed."
+    else
+        echo "⚠️  Playwright installation failed (apt signature issues). Run 'npx playwright install chromium' manually if needed for E2E tests."
+    fi
 
     echo "✅ Frontend dependencies installed."
 fi

.env_example

@@ -11,7 +11,7 @@
 ###################################
 
 PLATFORM_OPENAI_CHAT_ENDPOINT="https://api.openai.com/v1"
-PLATFORM_OPENAI_CHAT_API_KEY="sk-xxxxx"
+PLATFORM_OPENAI_CHAT_KEY="sk-xxxxx"
 PLATFORM_OPENAI_CHAT_GPT4O_MODEL="gpt-4o"
 
 # Note: For Azure OpenAI endpoints, use the new format with /openai/v1 and specify the model separately
@@ -79,7 +79,7 @@ DEFAULT_OPENAI_FRONTEND_KEY = ${AZURE_OPENAI_GPT4O_AAD_KEY}
 DEFAULT_OPENAI_FRONTEND_MODEL = "gpt-4o"
 
 OPENAI_CHAT_ENDPOINT=${PLATFORM_OPENAI_CHAT_ENDPOINT}
-OPENAI_CHAT_KEY=${PLATFORM_OPENAI_CHAT_API_KEY}
+OPENAI_CHAT_KEY=${PLATFORM_OPENAI_CHAT_KEY}
 OPENAI_CHAT_MODEL=${PLATFORM_OPENAI_CHAT_GPT4O_MODEL}
 # The following line can be populated if using an Azure OpenAI deployment
 # where the deployment name differs from the actual underlying model

.env_local_example

@@ -7,7 +7,7 @@
 
 # This will override the .env value for your default OpenAIChatTarget
 OPENAI_CHAT_ENDPOINT=${PLATFORM_OPENAI_CHAT_ENDPOINT}
-OPENAI_CHAT_KEY=${PLATFORM_OPENAI_CHAT_API_KEY}
+OPENAI_CHAT_KEY=${PLATFORM_OPENAI_CHAT_KEY}
 OPENAI_CHAT_MODEL="gpt-4o"
 
 

.github/copilot-instructions.md

@@ -0,0 +1,31 @@
+# PyRIT - Repository Instructions
+
+PyRIT (Python Risk Identification Tool for generative AI) is an open-source framework for security professionals to proactively identify risks in generative AI systems.
+
+## Architecture
+
+PyRIT uses a modular "Lego brick" design. The main extensibility points are:
+
+- **Prompt Converters** (`pyrit/prompt_converter/`) — Transform prompts (70+ implementations). Base: `PromptConverter`.
+- **Scorers** (`pyrit/score/`) — Evaluate responses. Base: `Scorer`.
+- **Prompt Targets** (`pyrit/prompt_target/`) — Send prompts to LLMs/APIs. Base: `PromptTarget`.
+- **Executors / Scenarios** (`pyrit/executor/`, `pyrit/scenario/`) — Orchestrate multi-turn attacks.
+- **Memory** (`pyrit/memory/`) — `CentralMemory` for prompt/response persistence.
+
+## Code Review Guidelines
+
+When performing a code review, be selective. Only leave comments for issues that genuinely matter:
+
+- Bugs, logic errors, or security concerns
+- Unclear code that would benefit from refactoring for readability
+- Violations of the critical coding conventions above (async suffix, keyword-only args, type annotations)
+
+Do NOT leave comments about:
+- Style nitpicks that ruff/isort would catch automatically
+- Missing docstrings or comments — we prefer minimal documentation. Code should be self-explanatory.
+- Suggestions to add inline comments, logging, or error handling that isn't clearly needed
+- Minor naming preferences or subjective "improvements"
+
+Aim for fewer, higher-signal comments. A review with 2-3 important comments is better than 15 trivial ones.
+
+Follow `.github/instructions/style-guide.instructions.md` for style guidelines. And look in `.github/instructions/` for specific instructions on the different components.

.github/instructions/converters.instructions.md

@@ -0,0 +1,87 @@
+---
+applyTo: "pyrit/prompt_converter/**"
+---
+
+# Prompt Converter Development Guidelines
+
+## Base Class Contract
+
+All converters MUST inherit from `PromptConverter` and implement:
+
+```python
+class MyConverter(PromptConverter):
+    SUPPORTED_INPUT_TYPES = ("text",)    # Required — non-empty tuple of PromptDataType values
+    SUPPORTED_OUTPUT_TYPES = ("text",)   # Required — non-empty tuple of PromptDataType values
+
+    async def convert_async(self, *, prompt: str, input_type: PromptDataType = "text") -> ConverterResult:
+        ...
+```
+
+Missing or empty `SUPPORTED_INPUT_TYPES` / `SUPPORTED_OUTPUT_TYPES` raises `TypeError` at class definition time via `__init_subclass__`.
+
+## ConverterResult
+
+Always return a `ConverterResult` with matching `output_type`:
+
+```python
+return ConverterResult(output_text=result, output_type="text")
+```
+
+Valid `PromptDataType` values: `"text"`, `"image_path"`, `"audio_path"`, `"video_path"`, `"binary_path"`, `"url"`, `"error"`.
+
+The `output_type` MUST match what was actually produced — e.g., if you wrote a file, return the path with `"image_path"`, not `"text"`.
+
+## Input Validation
+
+Check input type support in `convert_async`:
+
+```python
+if not self.input_supported(input_type):
+    raise ValueError(f"Input type {input_type} not supported")
+```
+
+## Identifiable Pattern
+
+All converters inherit `Identifiable`. Override `_build_identifier()` to include parameters that affect conversion behavior:
+
+```python
+def _build_identifier(self) -> ComponentIdentifier:
+    return self._create_identifier(
+        params={"encoding": self._encoding},           # Behavioral params only
+        children={"target": self._target.get_identifier()}  # If converter wraps a target
+    )
+```
+
+Include: encoding types, templates, offsets, model names.
+Exclude: retry counts, logging config, timeouts.
+
+## Standard Imports
+
+```python
+from pyrit.models import PromptDataType
+from pyrit.prompt_converter.prompt_converter import ConverterResult, PromptConverter
+from pyrit.identifiers import ComponentIdentifier
+```
+
+For LLM-based converters, also import:
+```python
+from pyrit.prompt_target import PromptChatTarget
+```
+
+## Constructor Pattern
+
+Use keyword-only arguments. Use `@apply_defaults` if the converter accepts targets or common config:
+
+```python
+from pyrit.common.apply_defaults import apply_defaults
+
+class MyConverter(PromptConverter):
+    @apply_defaults
+    def __init__(self, *, target: PromptChatTarget, template: str = "default") -> None:
+        ...
+```
+
+## Exports and External Updates
+
+- New converters MUST be added to `pyrit/prompt_converter/__init__.py` — both the import and the `__all__` list.
+- The modality table with new/updated converters `doc/code/converters/0_converters.ipynb` and the associated .py pct file must also be updated.

.github/instructions/docs.instructions.md

@@ -1,5 +1,5 @@
 ---
-applyTo: 'doc/code/**/*.{py,ipynb}'
+applyTo: 'doc/**/*.{py,ipynb}'
 ---
 
 # Documentation File Synchronization
@@ -8,7 +8,7 @@ applyTo: 'doc/code/**/*.{py,ipynb}'
 
 All Jupyter notebooks (.ipynb) in the `doc/` directory have corresponding Python (.py) files that are **tightly synchronized**. These files MUST always match exactly in content. They represent the same documentation in different formats.
 
-**Locations:** `doc/code/**/*.ipynb` and `doc/code/**/*.py`
+**Locations:** `doc/**/*.ipynb` and `doc/**/*.py`
 
 ## Editing Guidelines