All notable changes to CrucibleAdversary will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
CrucibleAdversary.Stage- Pipeline stage for adversarial robustness testing- Integration with CrucibleIR's pipeline architecture
- Composable adversarial evaluation as a pipeline stage
- Context-based configuration and result propagation
- Added
crucible_ir ~> 0.1.1dependency for pipeline integration
- Pipeline Composability: Use adversarial testing in CrucibleIR pipelines
- Context Preservation: Stage preserves and augments pipeline context
- Flexible Configuration: Configure attacks, metrics, and options via context or opts
- Chainable Stages: Seamlessly chain with other CrucibleIR pipeline stages
- 20+ new tests for Stage module
- Total: 298+ tests (278 → 298+)
- Integration tests for CrucibleIR pipeline compatibility
- Tests for context preservation and augmentation
- Complete API documentation for Stage module
- Usage examples for pipeline integration
- Stage description functionality
- Added Credo for static analysis (
mix credo --strictpasses) - Refactored aliases to alphabetical one-per-line format
- Replaced
Enum.map |> Enum.joinwithEnum.map_join - Renamed
is_safe?/2tosafe?/2per Elixir naming conventions - Converted large case statements to pattern-matched function clauses
- Replaced
length(list) == 0guards withlist == []
- ✅ All Stage functionality fully tested
- ✅ Backwards compatible with v0.3.0
- ✅ Zero breaking changes
- ✅ CrucibleIR integration tested
- ✅ Credo strict mode passes
Extraction.repetition_attack/2- Exploit repetition to trigger memorized continuationsExtraction.memorization_probe/2- Test for memorized training examplesExtraction.pii_extraction/2- Attempt to extract personally identifiable informationExtraction.context_confusion/2- Use context manipulation to leak information
Inversion.membership_inference/3- Determine if data was in training setInversion.attribute_inference/3- Infer attributes of training examplesInversion.reconstruction_attack/3- Reconstruct training features from outputsInversion.property_inference/3- Infer dataset-level properties
Certified.randomized_smoothing/3- Provable robustness guarantees via randomized smoothingCertified.certified_accuracy/3- Certified accuracy on test setsCertified.certification_level/1- Classification of certification qualityCertified.compute_radius/2- Theoretical robustness radius calculation
Composition.chain/1- Sequential attack chainingComposition.execute/2- Execute attack chainsComposition.parallel/1- Parallel attack specificationComposition.execute_parallel/2- Execute attacks in parallelComposition.best_of/3- Select best result from multiple attacksComposition.conditional/3- Conditional attack execution
- 25 Total Attack Types: Added 4 data extraction + model inversion capabilities
- Certified Robustness: Research-grade provable guarantees
- Attack Composition: Sophisticated multi-stage attack strategies
- Enhanced API: Main API updated to support all new attack types
- 75+ new tests added (covering all new modules)
- Total: 278+ tests (203 → 278+)
- Comprehensive test coverage for new features
- Property-based testing for statistical metrics
- Complete design document:
docs/20251125/ENHANCEMENTS_DESIGN.md - Updated README with new features and attack counts
- API documentation for all new modules
- Usage examples for composition and certified metrics
- ✅ All new modules fully documented
- ✅ TDD methodology followed throughout
- ✅ Backwards compatible with v0.2.0
- ✅ Zero breaking changes
0.2.0 - 2025-10-20
Injection.basic/2- Direct instruction override with configurable strategiesInjection.context_overflow/2- Context window flooding attacksInjection.delimiter_attack/2- Delimiter confusion techniquesInjection.template_injection/2- Template variable exploitation
Jailbreak.roleplay/2- Persona-based bypass (DAN, etc.)Jailbreak.context_switch/2- Context manipulation attacksJailbreak.encode/2- Obfuscation encoding (Base64, ROT13, hex, leetspeak)Jailbreak.hypothetical/2- Hypothetical scenario framing
Semantic.paraphrase/2- Semantic-preserving paraphrasingSemantic.back_translate/2- Back-translation artifact simulationSemantic.sentence_reorder/2- Sentence order shufflingSemantic.formality_change/2- Formality level transformation
Detection.detect_attack/2- Multi-pattern adversarial detection- Prompt injection keyword detection
- Delimiter pattern detection
- Roleplay/jailbreak detection
- Encoding detection
- Risk level classification
Detection.calculate_risk_level/1- Risk score calculationDetection.detect_pattern/2- Individual pattern detectionFiltering.filter_input/2- Input filtering based on detected patterns- Strict and permissive modes
- Configurable pattern lists
Filtering.is_safe?/2- Safety check for inputsSanitization.sanitize/2- Input sanitization with multiple strategies- Delimiter removal
- Whitespace normalization
- Length limiting
- Special character removal
Sanitization.remove_patterns/2- Pattern removal utility
- 21 Total Attack Types: Complete adversarial testing arsenal
- Defense-in-Depth: Detection → Filtering → Sanitization pipeline
- Configurable Defenses: Adjustable strictness and patterns
- Production Security: Ready for real-world deployment protection
- 85 new tests (32 attacks + 32 defenses + 21 integration)
- Total: 203 tests, 0 failures
- 88.70% code coverage
- 100% coverage on core defense modules
- Comprehensive integration tests for all attack types
- ✅ 88.70% test coverage (exceeds 80% requirement)
- ✅ Zero compilation warnings
- ✅ Zero Dialyzer errors
- ✅ All attack types tested
- ✅ Complete defense pipeline
- ✅ Production-ready
0.1.0 - 2025-10-20
AttackResultstruct with comprehensive metadata supportEvaluationResultstruct for robustness evaluation resultsConfigstruct with validation for framework configuration
Character.swap/2- Adjacent character swapping with configurable rateCharacter.delete/2- Character deletion with optional space preservationCharacter.insert/2- Character insertion with custom character poolsCharacter.homoglyph/2- Unicode homoglyph substitution (Cyrillic, Greek charsets)Character.keyboard_typo/2- Realistic keyboard-based typos (QWERTY/Dvorak layouts)
Word.delete/2- Word deletion with stopword preservation optionWord.insert/2- Word insertion with custom dictionariesWord.synonym_replace/2- Synonym replacement using built-in dictionaryWord.shuffle/2- Word order shuffling (random and adjacent-only strategies)
Accuracy.drop/2- Accuracy drop calculation with severity classificationAccuracy.robust_accuracy/2- Robust accuracy on adversarial examplesASR.calculate/2- Attack success rate with per-type breakdownASR.query_efficiency/2- Query efficiency metricsConsistency.semantic_similarity/3- Jaccard and Levenshtein distance similarityConsistency.consistency/3- Output consistency statistics (mean, median, std)
Robustness.evaluate/3- Comprehensive robustness evaluation orchestrationRobustness.evaluate_single/3- Single input evaluation with multiple attacks- Vulnerability identification based on metrics
- Support for both function and module-based models
CrucibleAdversary.attack/2- Single attack executionCrucibleAdversary.attack_batch/2- Batch attack processingCrucibleAdversary.evaluate/3- Model robustness evaluationCrucibleAdversary.config/0- Configuration retrievalCrucibleAdversary.configure/1- Configuration managementCrucibleAdversary.version/0- Version information
- Reproducible Results: All attacks support random seeding
- Type Safety: Comprehensive
@specannotations throughout - Error Handling: Consistent
{:ok, result}|{:error, reason}patterns - Documentation: Extensive ExDoc documentation with examples
- Test Coverage: 91.48% test coverage with 118 passing tests
- 118 total tests (all passing)
- Unit tests for all modules
- Integration tests for end-to-end workflows
- Zero compilation warnings
- Zero Dialyzer errors
- ✅ 91.48% test coverage (exceeds 80% requirement)
- ✅ Zero compilation warnings
- ✅ Comprehensive documentation
- ✅ Strict TDD methodology followed
- ✅ All quality gates passing
This is the Phase 1 foundation release. Future releases will add:
- Prompt injection attacks
- Jailbreak techniques
- Data extraction attacks
- Defense mechanisms
- Advanced metrics (certified robustness)
- CrucibleBench integration
- Real-time monitoring