[FIX Breaking]: PrependedConversationConfig and Attack Param Consistency

[rlundeen2]

PrependedConversationConfig

Added new PrependedConversationConfig dataclass to configure how prepended conversations are handled. Supports configurable behavior for non-chat targets (normalize_first_turn vs raise), and allows specifying which roles should have converters applied. Includes factory methods for common configurations

Consistent next_message Handling

• Fixed RedTeamingAttack._generate_next_prompt_async to return Message instead of str, preserving multimodal content (images, audio)
• Ensures next_message is sent as the first message to targets across all attacks
• Multimodal content is now properly preserved end-to-end
• Consistent prepended_conversation Handling (e.g some attacks used to extract next_message if the last prepended message was user, but others did not. Now it is never auto-extracted)

ConversationManager Refactoring

• Refactored initialize_context_async to accept context object with cleaner parameter passing
• Moved prepended conversation processing logic into the manager
• Added add_prepended_conversation_to_memory_async for explicit memory operations
• Started handling non PromptChatTargets
• The logic for this used to be quite difficult to follow. prepended_conversation was updated multiple places. Now it should all be handled centrally.

Test Coverage

• Added test_attack_parameter_consistency.py with cross-attack behavioral tests
• Rewrote test_conversation_manager.py to match refactored API
• Added comprehensive tests for PrependedConversationConfig settings
• Fixed numerous tests affected by API changes

Breaking Changes

Nothing major IMO; I think both of these are really internal.

• ConversationManager.initialize_context_async signature changed to accept context parameter
• generate_next_prompt_async in RedTeamingAttack now returns Message instead of str

[romanlutz]

if it's prepended, should we could for simulated_assistant instead of assistant?

[romanlutz]

I am fairly sure the docstring doesn't resolve properly like this... might want to checkt

[romanlutz]

same concern as above, but you probably also want to put the code in backquotes

[romanlutz]

Perhaps not to be addressed here, but something I think about a lot is the following:

Operator creates 10 turns with crescendo. Later on, they branch off manually from that conversation after 5 turns and do something else (could be manual probing or another attack). How does that work in terms of metadata (like the attack identifier, converter identifier, etc.) and memory labels?

Ideally, I would hope the metadata of each piece shows what was applied to it, but would the memory labels be a combination of the old and new ones or only the new ones? From what I'm seeing in this PR I'm assuming it's just the new ones. I think (?) that makes sense because you wouldn't want it to have a label of an old op, for example, if you prepended the conversation from there into a new op.

[romanlutz]

[wasn't necessarily for these lines, but the combine_dict reminded me of this doubt]

[romanlutz]

Should this say which target?

[romanlutz]

the message may have multiple pieces with scores, right?

[romanlutz]

to all targets? For adversarial_chat it's fine not to convert, right?

[romanlutz]

Is that for the many-shot jailbreak case with a PromptTarget?

[romanlutz]

if you import annotations from future you should be able to remove the double quotes.

[romanlutz]

same below

[romanlutz]

all of this is rather complicated. Don't we need documentation?

[romanlutz]

prepended_conversation used to come from the context, not it's an arg here. Is that a conscious choice? From a quick glance, it sounds like a fit in the context?

[romanlutz]

again, pretty sure the website won't render with this. Please check

[romanlutz]

should we also assert that it's going to the objective target?

[romanlutz]

do we want to make any assertions about the other turns?

[romanlutz]

at least? We know exactly how long it is (2) so why at least?