Problem
The AttackRunner Protocol was shipped in v0.1 specifically to host an XPIA orchestrator. Microsoft's RAMPART provides one, and its AgentAdapter / Session Protocol is a clean bridge to our ChatbotAdapter. The blocker is dependency weight: RAMPART v0.1.0 hard-pins pyrit==0.13.0, which transitively drags in ~30 heavy packages (openai, transformers, fastapi, azure-*) that will conflict with many users' stacks.
Status — building in public
Tracking and designing this in the open. The constraint to be honest about: RAMPART v0.1.0 (released 2026-05-19, alpha) hard-pins pyrit==0.13.0 — which conflicts with many stacks — and returns UNDETERMINED for pure (non-tool) chatbots. So the shippable runner is gated on RAMPART 0.1.1 (re-check whether the pyrit pin loosens, e.g. pyrit>=0.13,<0.14). What can start now: the design, the ChatbotAdapter → RAMPART AgentAdapter/Session bridge, and the [agentic] extra scaffolding.
Proposed approach
RampartAttackRunner(AttackRunner) in runners/rampart.py; lazy import + rampart_available() probe; pytest.skip with install hint when absent.- Bridge
ChatbotAdapter → RAMPART's AgentAdapter + Session; declare ObservabilityLevel.RESPONSE_ONLY (our ChatbotResponse carries no tool-call data).
[agentic] extra: RAMPART>=0.1,<0.2.- Document the
pyrit==0.13.0 conflict prominently; recommend a dedicated venv for [agentic]. (Subprocess / separate-venv isolation is a possible v0.3 hardening — out of scope here.)
- Document that XPIA verdicts are
UNDETERMINED (not SAFE) for pure chatbots without tool-call observability — correct RAMPART behavior, not a bug.
- License note: RAMPART is MIT (compatible with our Apache-2.0).
Acceptance criteria
References
Complexity: needs-maintainer; blocked on RAMPART 0.1.1.
Problem
The
AttackRunnerProtocol was shipped in v0.1 specifically to host an XPIA orchestrator. Microsoft's RAMPART provides one, and itsAgentAdapter/SessionProtocol is a clean bridge to ourChatbotAdapter. The blocker is dependency weight: RAMPART v0.1.0 hard-pinspyrit==0.13.0, which transitively drags in ~30 heavy packages (openai,transformers,fastapi,azure-*) that will conflict with many users' stacks.Status — building in public
Tracking and designing this in the open. The constraint to be honest about: RAMPART v0.1.0 (released 2026-05-19, alpha) hard-pins
pyrit==0.13.0— which conflicts with many stacks — and returnsUNDETERMINEDfor pure (non-tool) chatbots. So the shippable runner is gated on RAMPART 0.1.1 (re-check whether thepyritpin loosens, e.g.pyrit>=0.13,<0.14). What can start now: the design, theChatbotAdapter→ RAMPARTAgentAdapter/Sessionbridge, and the[agentic]extra scaffolding.Proposed approach
RampartAttackRunner(AttackRunner)inrunners/rampart.py; lazy import +rampart_available()probe;pytest.skipwith install hint when absent.ChatbotAdapter→ RAMPART'sAgentAdapter+Session; declareObservabilityLevel.RESPONSE_ONLY(ourChatbotResponsecarries no tool-call data).[agentic]extra:RAMPART>=0.1,<0.2.pyrit==0.13.0conflict prominently; recommend a dedicated venv for[agentic]. (Subprocess / separate-venv isolation is a possible v0.3 hardening — out of scope here.)UNDETERMINED(notSAFE) for pure chatbots without tool-call observability — correct RAMPART behavior, not a bug.Acceptance criteria
pytest-wardenbot[agentic]installs in a clean venv (3.11+).rampart_available()reflects install state.RampartAttackRunnersatisfies theAttackRunnerProtocol.AttackResultwithdetails["status"] == "UNDETERMINED"(does not raise).[agentic].pyritconflict + recommend isolated install.[agentic]installed to catch import regressions.References
Complexity: needs-maintainer; blocked on RAMPART 0.1.1.