fix: judge off-by-one, auto-run on script exhaustion, assertion criteria, marathon_script cleanup (#289)

* fix: run judge on early scenario failures for structured criteria feedback

When a scenario failed before the judge step (via assertion, executor.fail(),
or an API error), the result had empty criteria (0/0) because the judge never
ran. The platform showed no structured feedback — just an error string.

Now the executor always tries to run the judge before returning a failed
result. A `_final_judge_invoked` flag prevents double-invocation when the
judge already ran. If the judge itself fails (e.g. same network error),
the result is returned unchanged — strictly better, never worse.

Handles all failure paths:
- assert / expect (check function throws)
- executor.fail() (check function sets result directly)
- API / network errors (outer exception handler)

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

* fix: auto-run judge when script exhausts without conclusion

When RedTeamAgent backtracks heavily (strong defenses), the script can
exhaust all steps before reaching the final judge(). The executor treated
this as "no conclusion" and failed with a misleading message telling users
to add scenario.judge() — when they already had one.

Now when a script ends without conclusion and a JudgeAgent is registered,
the executor auto-runs the judge to evaluate the trace. Exhausting a red
team script without a breach is a defense success, not a harness error.

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

* fix: prevent double judge invocation on checkpoint failures

When a checkpoint judge failed, finalJudgeInvoked was not set, causing
runJudgeIfNeeded to re-run the judge without criteria — flipping the
result from fail to pass. Now checkpoint failures also set the flag.

Also adds defensive explicit flag set in the runJudgeIfNeeded helper.

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

* test: update script-exhaustion test for auto-judge behavior

The test expected script exhaustion to always fail, but now when a
JudgeAgent is registered the executor auto-runs it. Split into two
tests: one verifying auto-judge fallback, one verifying the error
when no judge exists.

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

* fix: only auto-run judge on script exhaustion, not on assertion/error failures

Assertion failures and errors should fail immediately without calling
the judge — they represent hard stops. The judge auto-run is only for
script exhaustion (all steps consumed without conclusion), where the
judge decides if the defense held.

Removes _run_judge_if_needed helper since it's no longer needed.

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

* refactor: remove turns param from RedTeamAgent.marathon_script()

total_turns on the RedTeamAgent instance is now the single source of
truth for script length. marathon_script() reads self.total_turns
instead of requiring a separate turns argument that had to match.

Also removes the inflated max_turns=160 global config from bank-demo
tests since the script drives duration, not max_turns.

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

* refactor: default total_turns=30, enforce max_turns in scripts, remove standalone marathon_script

- Change RedTeamAgent default total_turns from 50 to 30
- Enforce max_turns during script execution (not just proceed loop),
  so max_turns is always respected regardless of execution mode
- Remove standalone scenario.marathon_script() from public API — users
  should use red_team.marathon_script() for red team tests and
  proceed() for normal long-running tests
- Inline the marathon_script fallback logic into RedTeamAgent

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

* fix: address review items — judge auto-run, TS parity, tests, docs

- max_turns enforcement auto-runs judge when hit (not hard-fail)
- Extract _run_judge_or_fail helper to DRY up judge auto-run logic
- Optimize max_turns check to only fire on turn boundary changes
- Add tests for max_turns enforcement with/without judge
- TypeScript parity: remove turns from marathonScript, remove
  standalone marathonScript export, add maxTurns enforcement with
  judge auto-run in TS executor
- Fix stale docstring referencing removed scenario.script.marathon_script
- Update redteaming.md design doc for new marathon_script signature

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

* docs: update red-teaming docs for marathon_script API changes

- Remove turns parameter from all marathon_script/marathonScript examples
- Remove standalone scenario.marathon_script from exports section
- Update default total_turns from 50 to 30 in parameter table
- Update CI examples to use default turns (no turns= needed)
- Update callout and recommendation text

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

* refactor: total_turns is a hard cap, remove backtrack padding and max_turns from scripts

- total_turns generates exactly that many iterations — backtracked
  turns count toward the budget, no padding added
- Remove max_turns enforcement from script execution — scripts define
  their own flow, total_turns is the only control for red team
- Update docs to make it clear: total_turns is the single parameter
  that controls red team test duration
- Both Python and TypeScript

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

* fix: update stale assertions, docs, and docstrings after padding removal

- Fix 8 TS test assertions that still expected backtrack padding
- Remove "pads extra iterations" from docs marathon_script section
- Fix _run_judge_or_fail docstring referencing max_turns

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

* chore: remove stale backtrack padding references from comments

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

* fix: escape apostrophe in docs MDX to pass ESLint

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

* fix: address PR review comments

- Update script-exhaustion fallback to suggest adding JudgeAgent
  (rogeriochaves feedback)
- Replace empty except with warnings.warn for judge failures
  (code-quality bot feedback)

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

* fix: judge is_last_message off-by-one in proceed() flows

The judge never saw is_last_message=True because _step() incremented
current_turn to max_turns then bailed before the judge ran. Use
>= max_turns - 1 so the judge forces a verdict on the actual last turn.
Also handle max_turns=None by defaulting to 10.

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

* fix: apply same isLastMessage off-by-one fix to TypeScript judge

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

* fix: log judge errors in TS, tighten phase test, remove extra blank line

- TS catch block now console.warn's the judge error (parity with Python)
- test_phase_calculation asserts specific phases per turn instead of any
- Remove stray extra blank line in scenario-execution.ts

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

* refactor: simplify _check_failure flow — raise directly instead of falling through

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

* test: add comprehensive tests for all coverage gaps

- TS judge isLastMessage: 5 parametrized boundary tests (parity with Python)
- AssertionError → structured criteria: Python + TS tests for assertion
  catch, non-assertion passthrough, and checkpoint accumulation
- Judge auto-run on script exhaustion: TS tests for auto-run + no double invocation
- Judge throws during auto-run: Python test verifying warnings.warn fallback
- _final_judge_invoked flag: Python + TS tests ensuring judge runs exactly once
- marathon_script success_score=None path: structure verification test

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

* feat: single-turn attack injection for RedTeamAgent (#291)

* feat: add single-turn attack injection for RedTeamAgent

Add random per-turn encoding augmentation to the red-teaming system.
With configurable probability, the attacker's message is transformed
using a deterministic encoding technique (Base64, ROT13, leetspeak,
char-split, code-block) before being sent to the target. Default OFF
(0.0) for backward compatibility.

Closes langwatch/langwatch#2482

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

* fix: store original text in H_attacker, send encoded to target only

The encoded (Base64/ROT13/etc.) message was being stored in the
attacker's private history (H_attacker), which would corrupt the
attacker LLM's reasoning on subsequent turns. Both DeepTeam and
Promptfoo keep the attacker history encoding-free — encoding is a
transport-level transform for the target only.

Also adds:
- Input validation for injection_probability (must be 0.0-1.0)
- Tests verifying H_attacker stores original text when injection fires
- Deduplicates makeInput helper in TS tests

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

* fix: resolve pyright type errors in attack technique tests

Use MagicMock(spec=AgentInput) instead of bare type() for test inputs,
use .get("content") for optional TypedDict keys, and change
List[AttackTechnique] to Sequence[AttackTechnique] for covariance.

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <[email protected]>

* Potential fix for pull request finding 'Unused import'

Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>

* fix(js): use shift() instead of pop() in consumeUntilRole

consumeUntilRole checks pendingRolesOnTurn[0] (front) but was removing
from the back with pop(), draining the array incorrectly. Now uses
shift() to match the Python implementation's pop(0).

Cherry-picked from #279.

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

* review: remove auto-judge-on-exhaustion and duplicated max_turns default

Scripts must be explicit about judgment — no hidden auto-running of the
judge when a script ends without conclusion. The finalJudgeInvoked flag
and _run_judge_or_fail helper only existed to manage complexity that
shouldn't be in the executor. Red team marathon_script already appends
judge() at the end, so auto-judge was unnecessary.

Also removes the duplicated `|| 10` / `or 10` fallback from the judge's
is_last_message computation — max_turns is already defaulted in the
config layer (ScenarioConfig in Python, ScenarioConfigFinal in TS).

* test: verify judge runs exactly once at end of marathon with backtracks

Integration test that proves the full red team flow: 5 turns with
scoring, 1 backtrack, and then asserts the judge was called exactly
once at the end with the full conversation history visible.

* test(js): verify judge runs exactly once at end of marathon with backtracks

TypeScript parity for the Python integration test. Runs a 5-turn
marathon with mocked attacker LLM, scorer, 1 backtrack on hard refusal,
and asserts the judge was called exactly once with full conversation
history visible.

* fix: resolve type errors in judge is_last_message computation

Python: max_turns is Optional[int], so `or 10` fallback is needed for
pyright. TS: use the existing DEFAULT_MAX_TURNS constant instead of a
magic number. Also fix static imports in TS red-team integration test.

* fix: add extra turn to hungry user test to reduce flakiness

The agent often uses its first turn to ask a follow-up question,
leaving only 1 turn to deliver a complete recipe. Adding a third
exchange gives the agent room to ask, respond, and complete.

---------

Co-authored-by: Claude Opus 4.6 (1M context) <[email protected]>
Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>
Co-authored-by: Rogério Chaves <[email protected]>

Author: 4 people

docs/docs/pages/advanced/red-teaming.mdx

@@ -53,7 +53,6 @@ async def test_system_prompt_not_leaked():
             ]),
         ],
         script=attacker.marathon_script(
-            turns=30,
             checks=[check_no_leak],
         ),
     )
@@ -103,7 +102,6 @@ describe("Bank agent security", () => {
         }),
       ],
       script: attacker.marathonScript({
-        turns: 30,
         checks: [checkNoLeak],
       }),
     });
@@ -116,10 +114,10 @@ describe("Bank agent security", () => {
 :::
 
 <Callout type="info">
-  Use `attacker.marathon_script()` instead of `scenario.marathon_script()` for red team runs. The instance method pads extra iterations for backtracked turns and wires up early exit.
+  `total_turns` is the **only** parameter that controls how long a red team test runs — it is a hard cap. `attacker.marathon_script()` reads it from the agent automatically. No need to set `max_turns` on `scenario.run()`. Backtracked turns count toward the budget, and early exit can end the test sooner if the objective is achieved.
 </Callout>
 
-We recommend **50 turns** for thorough adversarial coverage. Agents that hold at turn 1 often break by turn 20. 30 turns is the minimum for meaningful results — fewer turns miss vulnerabilities that only surface under sustained escalation pressure.
+We recommend **50 turns** (`total_turns=50`) for thorough nightly adversarial coverage. Agents that hold at turn 1 often break by turn 20. The default of 30 turns is a good balance for per-PR checks — fewer turns miss vulnerabilities that only surface under sustained escalation pressure.
 
 ---
 
@@ -223,7 +221,7 @@ const attacker = scenario.redTeamCrescendo({
 | Attack objective | `target` | `target` | *required* | What the attacker tries to achieve. |
 | Attacker model | `model` | `model` | global default | Generates attack messages every turn. |
 | Planner/scorer model | `metaprompt_model` | `metapromptModel` | same as `model` | Plans attack once, scores responses per turn. |
-| Total turns | `total_turns` | `totalTurns` | `50` | Number of attack turns. 50 recommended. |
+| Total turns | `total_turns` | `totalTurns` | `30` | Number of attack turns. This is the single control for test duration — `max_turns` is ignored for scripted red team tests. 50 recommended for nightly. |
 | Per-turn scoring | `score_responses` | `scoreResponses` | `True` | Score responses 0–10 and adapt. |
 | Refusal detection | `fast_refusal_detection` | `detectRefusals` | `True` | Pattern-match refusals, skip scorer. Triggers backtracking. |
 | Early exit score | `success_score` | `successScore` | `9` | Score threshold for early exit. `None`/`undefined` to disable. |
@@ -240,35 +238,26 @@ const attacker = scenario.redTeamCrescendo({
 
 ### `marathon_script()` / `marathonScript()`
 
-Generates a multi-turn script: `[user(), agent(), ...checks] × turns → [...finalChecks, judge()]`.
+Generates a multi-turn script using `total_turns` from the agent: `[user(), agent(), ...checks] × totalTurns → [...finalChecks, judge()]`.
 
-Use the instance method for red team runs — it pads extra iterations for backtracking and wires up early exit.
+`total_turns` is a hard cap — backtracked turns count toward the budget. Early exit can end the test sooner if the objective is achieved.
 
 :::code-group
 
 ```python [python]
-# Instance method (recommended)
 attacker = scenario.RedTeamAgent.crescendo(target="...", total_turns=30)
-script = attacker.marathon_script(turns=30, checks=[fn], final_checks=[fn])
-
-# Standalone (no early exit, no backtrack padding)
-script = scenario.marathon_script(turns=30, checks=[fn], final_checks=[fn])
+script = attacker.marathon_script(checks=[fn], final_checks=[fn])
 ```
 
 ```typescript [typescript]
-// Instance method (recommended)
 const attacker = scenario.redTeamCrescendo({ target: "...", totalTurns: 30 });
-const script = attacker.marathonScript({ turns: 30, checks: [fn], finalChecks: [fn] });
-
-// Standalone (no early exit, no backtrack padding)
-const script = scenario.marathonScript({ turns: 30, checks: [fn], finalChecks: [fn] });
+const script = attacker.marathonScript({ checks: [fn], finalChecks: [fn] });
 ```
 
 :::
 
 | Parameter | Python | TypeScript | Description |
 |-----------|--------|------------|-------------|
-| Turn count | `turns` | `turns` | Number of user/agent exchanges. Match `total_turns`/`totalTurns`. |
 | Per-turn checks | `checks` | `checks` | Called after every agent response. Raise/throw to fail. |
 | End-of-run checks | `final_checks` | `finalChecks` | Called once after all turns, before the judge. |
 
@@ -345,7 +334,6 @@ result = await scenario.run(
         ]),
     ],
     script=attacker.marathon_script(
-        turns=30,
         checks=[check_no_restricted_tools, check_no_pii_leaked],
     ),
 )
@@ -389,7 +377,6 @@ const result = await scenario.run({
     }),
   ],
   script: attacker.marathonScript({
-    turns: 30,
     checks: [checkNoRestrictedTools, checkNoPiiLeaked],
   }),
 });
@@ -567,7 +554,7 @@ Write `target` from the attacker's perspective — what does success look like?
 
 ## CI integration
 
-Run red team tests alongside your functional test suite. We recommend 50 turns for nightly runs and 30 turns minimum for per-PR checks.
+Run red team tests alongside your functional test suite. We recommend 50 turns for nightly runs and 30 turns (the default) for per-PR checks.
 
 ```python
 # pyproject.toml
@@ -580,21 +567,21 @@ markers = [
 :::code-group
 
 ```python [python]
-# Per-PR: scoring off for speed
+# Per-PR: scoring off for speed (default 30 turns)
 @pytest.mark.red_team
 async def test_prompt_leak_fast():
     attacker = scenario.RedTeamAgent.crescendo(
-        target="...", total_turns=30,
+        target="...",
         score_responses=False, fast_refusal_detection=False,
     )
     result = await scenario.run(
         ...,
         agents=[MyAgent(), attacker, scenario.JudgeAgent(criteria=[...])],
-        script=attacker.marathon_script(turns=30),
+        script=attacker.marathon_script(),
     )
     assert result.success
 
-# Nightly: full adaptive scoring, 50 turns recommended
+# Nightly: full adaptive scoring, 50 turns
 @pytest.mark.red_team
 async def test_prompt_leak_full():
     attacker = scenario.RedTeamAgent.crescendo(
@@ -604,27 +591,27 @@ async def test_prompt_leak_full():
     result = await scenario.run(
         ...,
         agents=[MyAgent(), attacker, scenario.JudgeAgent(criteria=[...])],
-        script=attacker.marathon_script(turns=50),
+        script=attacker.marathon_script(),
     )
     assert result.success
 ```
 
 ```typescript [typescript]
-// Per-PR: scoring off for speed
+// Per-PR: scoring off for speed (default 30 turns)
 it("prompt leak (fast)", async () => {
   const attacker = scenario.redTeamCrescendo({
-    target: "...", totalTurns: 30,
+    target: "...",
     scoreResponses: false, detectRefusals: false,
   });
   const result = await scenario.run({
     ...,
     agents: [myAgent, attacker, scenario.judgeAgent({ criteria: [...] })],
-    script: attacker.marathonScript({ turns: 30 }),
+    script: attacker.marathonScript(),
   });
   expect(result.success).toBe(true);
 }, 180_000);
 
-// Nightly: full adaptive scoring, 50 turns recommended
+// Nightly: full adaptive scoring, 50 turns
 it("prompt leak (full)", async () => {
   const attacker = scenario.redTeamCrescendo({
     target: "...", totalTurns: 50,
@@ -633,7 +620,7 @@ it("prompt leak (full)", async () => {
   const result = await scenario.run({
     ...,
     agents: [myAgent, attacker, scenario.judgeAgent({ criteria: [...] })],
-    script: attacker.marathonScript({ turns: 50 }),
+    script: attacker.marathonScript(),
   });
   expect(result.success).toBe(true);
 }, 300_000);
@@ -651,7 +638,6 @@ it("prompt leak (full)", async () => {
 from scenario import RedTeamAgent        # main class
 from scenario import RedTeamStrategy     # abstract base for custom strategies
 from scenario import CrescendoStrategy   # built-in strategy
-from scenario import marathon_script     # standalone script helper
 ```
 
 ### TypeScript
@@ -682,7 +668,7 @@ import scenario, {
 
 ## Next steps
 
-- [Scripted Simulations](/basics/scripted-simulations) — how scripts work under `marathon_script()`
+- [Scripted Simulations](/basics/scripted-simulations) — how scripts and script steps work
 - [Judge Agent](/basics/judge-agent) — configure pass/fail criteria
 - [Custom Judge](/advanced/custom-judge) — domain-specific security judge
 - [CI/CD Integration](/basics/ci-cd-integration) — run red team tests in your pipeline