attack: added latent perturbation attack

[psyonp]

Hey,

Feel free to leave comments on the overall structure of the code and don't hold back from making any suggestions. Next steps involve creating tests as needed.

Most comments you'll see in the supporting files come directly from the source code, and provide clarity into how the latent perturbation attack functions.

Thanks,
Punya

[sdhossain]

@psyonp please make sure to rebase on main, my suggestion is git rebase main -X theirs after pulling changes from main git pull origin main

also if you could please follow the template of #12 - that would be extremely helpful. (i.e. implementing it as an eval as well)

make sure to add some script as a sanity checker that we can run similarly as well.

[psyonp]

@psyonp please make sure to rebase on main, my suggestion is git rebase main -X theirs after pulling changes from main git pull origin main

also if you could please follow the template of #12 - that would be extremely helpful. (i.e. implementing it as an eval as well)

make sure to add some script as a sanity checker that we can run similarly as well.

Tried to rebase on main again and it said current branch is up to date. Template is now updated, lmk your thoughts.

[sdhossain]

Lgtm -> if the tests work and we run pre-commit checks, am ok with merging (but would like a bit more documentation on the ported code -> but think it's ok to not lint that)

[sdhossain]

Idk if we are supporting deepspeed just yet, or transformer_lens -> we might not need these hooks? (imo might make sense to remove until we add support for them to avoid confusion / having redundant code, but don't have very strong opinions on it)

[psyonp]

Yeah sounds good, kept in case if we migrate to deepspeed on CAIS. Can remove as needed.

[sdhossain]

does the method work for non transformer-lens models? (If it does, I think might make sense to use this for all for consistency?)

[sdhossain]

I see we are only using GDAdversary in the attack, do we want it to be configurable to use these?

[psyonp]

Tried to keep as many helpers as needed. Can remove as needed.

[sdhossain]

nit: can we have the comment as the doc-string describing the class

[psyonp]

Done

[sdhossain]

nit: docstring (should probably run pre-commit hooks (currently forces us to doc-string methods)

[psyonp]

Done, ran pre-commit hooks

[tomtseng]

remark: if code is copy-pasted directly from another source with minimal changes , then there's a case to be made that we shouldn't lint their code, we should keep it as-is so that

1. it's easier to diff to find the logical changes between our version and theirs
2. if the upstream source changes, it's easier to copy those changes into our version
3. less work for us lol

if the upstream code hasn't been updated in a long time or we're making a decent number of changes then linting is reasonable

[psyonp]

Linting this is a nightmare. I just got hit with 150+ errors because I accidentally ran ruff-check and it won't let me commit until I've resolved the comments. Trying to figure out the best way to approach this, will only stage the files necessary.

Edit: much better, do not run ruff check --fix

[sdhossain]

Agree in general we don't need to lint for copy-pasted files, (I've generally done flagged the files to be ignored from pyright checks) -> we can do the same for ruff checks. -> we should definitely indicate this in the file header.

I personally liked including doc-strings. just so that it's easy to debug some times, and could help potential users of our toolkit - but aren't too important (especially if we are porting over a lot of files).

@psyonp - just so you don't have to debug a bunch of linting errors, you can add it to the excludes in our pyproject.toml file. (150+ unfixable errors is a bit odd with our rule-set)

exclude = [
  ".venv",
  "**/__pycache__",
  "_legacy",
  "src/safetunebed/whitebox/evals/embedding_attack/softopt.py",
  "path/to/your/file"
]

main changes addressed

[psyonp]

Hey, made the requested changes. @tomtseng feel free to look it over and lmk your thoughts

[tomtseng]

@tomtseng feel free to look it over and lmk your thoughts

Took a skim and it looked reasonable to me — will defer to Saad here since he's already taken a serious look at this PR

[sdhossain]

lgtm - didn't look too closely at the ported over files (only that we should mention this in the doc-strings / file headers)

I think it's good to merge once the tests pass

@psyonp - if the linting is a bit too messy, I can fix it up in a followup cosmetic PR

[sdhossain]

curious if we could do .cuda() here? I'm not fully sure - just want to make sure we are able to still support multi-GPU (if we use device = "auto")

^ not suggestion a change - just a question, perhaps leave a comment unless you have a definitive answer for this?

[sdhossain]

transformer.h.0.mlp

nit: can we rename parent_path to something like parent_layer (path could imply it's a file path)

[psyonp]

Yeah, done

[sdhossain]

Could we add a link to the file where most of this code is sourced from?

[psyonp]

Sounds good, done

[sdhossain]

same here - can we add a link to where the code for this file is sourced from?

[psyonp]

Done

[tomtseng]

I rebased and resolved merge conflicts with main, but the integration test is not passing — StrongREJECT score is low.
Claude Code thinks this is because there's no optimization loop in the code, the adversary parameters are never updated so the perturbation never does anything.
This PR is not a priority to merge so no need to address this if Claude Code is correct that there's a major implementation piece that's missing