Description

This adds an optional word-game mode to DecompositionConverter (the DrAttack decompose-and-reconstruct converter from #2003), via use_word_game: bool = False. When enabled, each harmful noun phrase is replaced by an innocuous codeword in the reconstruction questions, and a mapping preamble (for example 'apple' means 'a bomb') is established in the same prompt. This is the second half of DrAttack: it further conceals the harmful nouns by splitting them from the request behind codewords.

Off by default, so the merged converter behaviour is unchanged.

Two design choices worth flagging up front:

Inline, not a separate prepended conversation. We had discussed the word-game as a prepended/simulated conversation; I went with inline (preamble and reconstruction in one prompt) for two reasons. First, coupling: the codewords must match the reconstruction the converter builds, and a separate conversation generates its turns independently, so they cannot share the mapping without a stateful component (an attack class), which we wanted to avoid. Inline keeps it a pure converter. Second, the numbers, inline matches the two-turn version, and both are far above no word-game:

• n=50, GPT-judge ASR: gpt-4o inline 44% / two-turn 46% / core 16%; gpt-4o-mini inline 52% / two-turn 62% / core 22%.
• n=15 with the actual converter (not the harness), gpt-4o-mini: word-game off 20%, on 73%.

So, inline essentially keeps all of the effects on the frontier model, with no new attack class. Open to the prepended-conversation route if you prefer it.

A toggle on the converter, not a separate converter. The codewords have to stay in sync with the reconstruction this converter produces, so a separate converter cannot do it; it has to be a mode of this converter.

Note on the mechanism: the harmful phrase still appears once, in the mapping line; the concealment is that the question uses the codeword, splitting the harmful term from the request. This is the paper's word-game, and the numbers above show the lift.

(All numbers are GPT-judge refusal-bypass, not operational harm, consistent with the #2003 assessment.)

Tests and Documentation

• Added unit tests: codeword substitution, off-mode unchanged, custom codewords, and a clear error when there are more noun phrases than codewords.
• Documented the new use_word_game parameter in doc/code/converters/1_text_to_text_converters.py; ran JupyText --sync.
• ruff check and format clean; ty reports no errors; full converter and docs test suites pass.

cc @rlundeen2 @romanlutz