[DRAFT] BREAKING FEAT: Scenario Core Refactor Proposal

[ValbuenaVC]

Description

Note: this is a huge PR and it's a proposal. It shouldn't be merged in as one PR due to its size and scope, but it's here as a point of reference for ongoing changes in other PRs.

Re-architects pyrit/scenario/core/ around an explicit state-machine layer so scenarios can express non-linear control flow (branching, escalation, retries-by-state) instead of the previous flat for atomic in atomic_attacks loop. Landed additively across 10 phases so each commit stayed independently green; no destructive renames and no schema-breaking migrations.

The motivation comes from a review comment on #1622 (rapid response scenario) and discussion around #1654 (cyber technique registry) and #1760 (text adaptive scenario). The flat-loop pattern works for content-harms-style scenarios that are semantically heterogeneous but operationally identical, but it can't cleanly express things like "sweep, then deep-dive only on weak categories" or "select the next technique adaptively based on the last response." This PR introduces the abstraction without changing observable behavior for any existing scenario.

What landed

• ScenarioStep ABC (pyrit/scenario/core/scenario_step.py) — the unit of work the new graph dispatches. Every scenario step is one. AtomicAttackScenarioStep is the back-compat adapter that wraps an AtomicAttack and exposes the same surface so the default linear policy continues to work for everyone.
• StrategyGraph + StrategyPolicy + PolicyAction (pyrit/scenario/core/strategy_graph.py) — a generic state machine over (StepT, StateT). StrategyGraph.event_loop_async walks the graph, dispatches the policy action for the current state, and accumulates ScenarioStepResult history. linear_strategy_policy(steps) is the default and is used by every legacy scenario unchanged.
• ScenarioCoreState (pyrit/scenario/core/scenario_state.py) — the scenario-level state enum (UNINITIALIZED, INITIALIZED, RUNNING, COMPLETED, FAILED) consumed by Scenario.run_async for lifecycle telemetry.
• OutcomeScorer (pyrit/score/decorators/outcome_scorer.py) — composition decorator over a Scorer that maps its output to a transition label via an outcome_map: dict[label, predicate]. The "unscored" sentinel is always declared so step validators can pin missing transitions early.
• step_identifier persistence (pyrit/identifiers/step_identifier.py + an alembic migration adding the column to AttackResultEntries) — additive nullable column. Legacy rows continue to load. Step identity nests inner attack identifiers via children={"key": [list_of_identifiers]}.
• Adaptive scenario (pyrit/scenario/scenarios/adaptive/*) — vendored from FEAT text adaptive scenario #1760 (commit 99fa9dce) then migrated to a ScenarioStep-based AdaptiveStep driven by a linear StrategyPolicy[ScenarioStep, int] (commit a151bedb).
• BroadSweepThenDeepDive (pyrit/scenario/scenarios/airt/sweep_then_deep_dive.py) — first real branching scenario. Sweep step classifies each response via OutcomeScorer; the policy emits DEEP_DIVING only when a category was flagged. Two terminal states (COMPLETE vs ALL_SAFE) so downstream can tell why the scenario stopped. Validates the abstraction end-to-end.

Why this is marked [BREAKING]

No public API was removed, but the orchestration contract that scenario authors rely on changed shape:

• Scenario.run_async now drives steps through StrategyGraph.event_loop_async instead of an inline for loop. Scenario subclasses that previously overrode run_async directly (rather than just _get_atomic_attacks_async) need to either move to the new _build_execution_graph hook or accept the default linear policy.
• AdaptiveDispatchAttack is deprecated in favor of AdaptiveStep (removal targeted for 0.17.0). Downstream code instantiating AdaptiveDispatchAttack directly will need to migrate.
• The new step_identifier column on AttackResultEntries requires an alembic upgrade on existing memory databases. The migration is additive (column defaults to NULL for legacy rows) and includes a downgrade.

Everything else — AtomicAttack, AttackTechniqueSpec, AttackTechniqueRegistry, AttackTechniqueFactory, ScenarioStrategy (the technique-enum), atomic_attack_identifier — is unchanged.

What's deferred

• ScenarioWizard CLI — Phase 8 in the plan; queued for a follow-up PR.
• Opportunistic migration of existing scenarios — Phase 9 in the plan. Every legacy scenario (rapid_response, encoding, jailbreak, cyber, scam, psychosocial, leakage, red_team_agent, adversarial_benchmark, fairness_bias) continues to drive its AtomicAttacks through the default linear policy via the back-compat adapter. Each port is its own small PR.
• Generic _build_execution_graph signature — the base method types StrategyGraph[ScenarioStep, int]. BroadSweepThenDeepDive widens StateT to a per-scenario enum and uses a single targeted # ty: ignore[invalid-method-override]. Making the base method generic over StateT is tracked as a Phase 9 cleanup.

Related PRs and discussions

• MAINT: Rapid response Scenario #1622 (rapid response — the review comment that sparked this design)
• MAINT: Refactor Cyber scenario to use technique registry pattern #1654 (cyber technique registry — informed the keep-everything-additive constraint)
• FEAT text adaptive scenario #1760 (text adaptive — vendored verbatim, then migrated)

Tests and Documentation

Test coverage is the centerpiece of this PR. Each phase landed with its tests, then a targeted Phase 10 sweep added missing coverage for the six concerns the user called out (performance, scenario state, resumability, attack-id dedup, AtomicAttack → ScenarioStep migration safety, AttackTechniqueSpec + ScenarioStrategy integration).

Full suite

• Unit: 8066 passed / 118 skipped / 0 failed in ~2m17s on uv run python -m pytest tests/unit -n 4 --dist=loadfile (baseline main was 7912 passed).
• Integration: tests/integration/scenarios/test_notebooks_scenarios.py collects 4 notebooks cleanly, including 3_adaptive_scenarios.ipynb.
• No ruff / format / ty regressions introduced by any phase.

New test files

• tests/unit/scenario/test_scenario_step.py — ScenarioStep ABC contract.
• tests/unit/scenario/test_atomic_attack_scenario_step.py — back-compat adapter + duck-typed attrs.
• tests/unit/scenario/test_strategy_graph.py and test_strategy_graph_branching.py — policy construction, traversal, and multi-way dispatch.
• tests/unit/scenario/test_linear_strategy_policy.py — the default linear policy builder.
• tests/unit/scenario/test_scenario_state.py — ScenarioCoreState lifecycle.
• tests/unit/scenario/test_scenario_graph_execution.py — Scenario.run_async graph rewire.
• tests/unit/scenario/scenarios/adaptive/test_*.py — vendored + migrated adaptive scenario.
• tests/unit/scenario/scenarios/airt/test_sweep_then_deep_dive.py — branching scenario end-to-end (25 tests).
• tests/unit/identifiers/test_step_identifier.py + test_step_evaluation_identifier.py — additive persistence.
• tests/unit/score/decorators/test_outcome_scorer.py — OutcomeScorer decorator.

Phase 10 audit augmentations

• 10a — OutcomeScorer (+14): UNSCORED sentinel, declared-outcomes contract, wrapped-scorer exception propagation, defensive outcome_map copy.
• 10b — ScenarioStep + adapter (+11): ScenarioStepResult defaults freshness (mutable-default footgun), keyword-only remaining_objectives, ABC instantiation failure paths.
• 10c — StrategyGraph (+7): counting-mock action-invocation parity, frozenset external-mutation immunity, deterministic history order, 3-way branch dispatch.
• 10d — step_identifier (+10): no false dedup across attack-execution child params, execution-order semantics, multi-result share of one identifier, end-to-end SQLite round-trip of legacy NULL rows, alembic upgrade ↔ downgrade round-trip.
• 10e — Scenario.run_async rewire (+4): graph-rebuild terminal-state shrinkage on retry, step_identifier stamping without duplication (single + multi result), factory-produced technique end-to-end through StrategyGraph.
• 10f — adaptive migration (+10): AdaptiveStep is ScenarioStep not AtomicAttack, identifier stability under reversed-input technique order, bind_current_step invariants around each action.

Migration concerns surfaced during audit (non-blocking)

• pyrit/scenario/core/scenario.py:1174 — the default linear policy dispatches via isinstance(_step, AtomicAttack) to preserve max_concurrency plumbing the bare ScenarioStep.process_async doesn't accept. Anywhere a non-AtomicAttack ScenarioStep is plugged into the default linear policy, max_concurrency is silently bypassed. Correct for today's only consumer (AtomicAttack); flagged for cleanup when more ScenarioStep subclasses appear (Phase 9).
• step_identifier.attack_executions preserves caller order, so reversed-input order produces a different hash. 10d locked in the actual behavior with a regression test rather than silently switching to sort-for-stability. If sorted nesting is wanted long-term, the implementation change is small and isolated.

JupyText

No new notebook content in this PR — the adaptive scenarios notebook (doc/code/scenarios/3_adaptive_scenarios.py / .ipynb) was vendored as-is from #1760 in commit 99fa9dce and notebook collection is unchanged. Existing JupyText workflow applies: jupytext --sync doc/code/scenarios/*.py.

Local test command

uv run python -m pytest tests/unit -n 4 --dist=loadfile

(There is one pre-existing failure in tests/unit/cli/test_pyrit_scan.py::TestMain::test_main_prints_startup_message from an ODBC connection attempt to airtdev.database.windows.net that is unrelated to this refactor.)

[rlundeen2]

Does it seem simpler to do the current design, and instead have a composite scenario;

E.g.

ScenarioPipeline(phases=[
    PhaseSpec(scenario=rapid_response, name="cursory"),
    PhaseSpec(factory=re_probe_successes(...), name="deep_dive"),
    PhaseSpec(factory=adversarial_followup(...), name="amplify"),
])

To me that seems simpler than keeping track of state and messing with techniques

[rlundeen2]

Branching and state management adds a ton of complexity. Which is sometimes needed; but it would be good to have a concrete example of scenarios it can help us unlock or make easier. It'd be worth a design meeting to chat about it!