Skip to main content

Pytest plugin for testing chatbots and LLM apps — prompt injection, jailbreaks, system-prompt leaks, hallucinations, brand drift.

Project description

pytest-wardenbot

CI codecov Python versions License: Apache 2.0 Ruff pre-commit

Pytest plugin for testing chatbots and LLM apps — prompt injection, jailbreaks, system-prompt leaks, hallucinations, brand drift.

📖 Documentation: pytest-wardenbot.wardenbot.ai

Status: pre-release. v0.1.2 is in active development. APIs may change before the first stable release. The v0.2 roadmap is tracked in GitHub Issues.


What it does

Run pytest against your chatbot and find out if it leaks its system prompt, complies with known jailbreaks, hallucinates business facts, or drifts from your brand voice.

  • Black-box. Tests run against your live chatbot via HTTP, OpenAI API, Anthropic API, or any object you write a small adapter for.
  • Deterministic-first. v0.1 ships 29 tests that need zero LLM API spend — regex, substring, and schema checks. Optional LLM-judge tests (DeepEval) ship as an extra for semantic checks.
  • Agent-ready failures. When a test fails, the failure message includes a structured Markdown remediation prompt you can paste into Cursor or Claude Code.
  • Verified adapters. The bundled OpenAI and Anthropic adapters are smoke-tested weekly against the live vendor APIs in CI (live-api-smoke) — a real round-trip stays known-good, not just mocked.

What "passing" means (and doesn't)

A green run means your chatbot didn't fail any of the bundled 29 attacks in the most overt way. It's a useful smoke test and a regression detector — if a deploy turns a green test red, that's a real signal to investigate.

A green run does not mean your chatbot is secure. Frontier-grade attacks are multi-turn, novel, and adapted to your specific bot — no fixed corpus catches all of them. Treat the shipped suite as a starter set: pair it with periodic red-team exercises (or our Continuous Monitoring service) for the always-on adversarial coverage CI alone can't provide.

Install

pip install pytest-wardenbot

Optional extras for LLM-judge tests or vendor-native adapters:

pip install "pytest-wardenbot[judge]"        # adds DeepEval for semantic checks
pip install "pytest-wardenbot[openai]"       # adds OpenAI Chat + Assistants adapters (sync + async)
pip install "pytest-wardenbot[anthropic]"    # adds Anthropic Messages adapter (sync + async)
pip install "pytest-wardenbot[langchain]"    # adds LangChainAdapter for any Runnable (sync + async)
pip install "pytest-wardenbot[async]"        # adds pytest-asyncio for parallel async probing (run_probes)

Note: the OpenAI Assistants API is deprecated (sunset 2026-08-26). OpenAIAssistantsAdapter is a stopgap for teams still on it — it emits a DeprecationWarning; prefer OpenAIChatAdapter for new work.

Quickstart (under 60 seconds)

pip install pytest-wardenbot
pytest --wardenbot-quickstart           # generates conftest.py + test_my_bot.py
export CHATBOT_URL=https://your-chatbot.example.com/chat
export CHATBOT_TOKEN=sk-...              # optional
pytest                                   # runs all shipped tests against your bot

--wardenbot-quickstart accepts an industry template:

pytest --wardenbot-quickstart=ecommerce       # adds refund/shipping fact placeholders
pytest --wardenbot-quickstart=saas-support    # adds plan/trial fact placeholders
pytest --wardenbot-quickstart=generic         # default; minimal placeholders

Then edit conftest.py to replace the TODO placeholders with your real business facts and re-run pytest. Worked examples in examples/ cover the basic HTTP setup, a custom OpenAI adapter, and a GitHub Actions workflow.

Manual setup (if you prefer)

Add this to your project's conftest.py:

import os
import pytest
from pytest_wardenbot.adapters.http import HTTPChatbotAdapter

@pytest.fixture
def chatbot():
    return HTTPChatbotAdapter(
        url="https://your-chatbot.example.com/chat",
        headers={"Authorization": f"Bearer {os.environ['CHATBOT_TOKEN']}"},
        request_field="message",      # the JSON key your bot reads the prompt from
        response_field="response",     # the JSON key your bot returns the text in
    )

Then run the shipped tests with pytest --pyargs pytest_wardenbot.tests.

When a test fails, read the failure message, paste the agent-ready Markdown into Cursor / Claude Code, ship the fix.

What's in v0.1

Category Count Grading Requires API key?
Prompt-injection / jailbreak resistance 5 prompts × 2 checks = 10 deterministic no
System-prompt leak elicitation (dedicated extraction prompts) 3 deterministic no
Refusal-bypass (roleplay / pretext / hypothetical framings) 3 deterministic no
Off-topic deflection (scoped bots) 2 deterministic no
Indirect / cross-prompt injection (XPIA) 4 deterministic no
Encoded-payload jailbreak (Base64 / ROT13 / leet / hex) 4 deterministic no
Multi-turn jailbreak (priming + payload, needs session-aware adapter) 3 deterministic no
Canary-token leak (opt-in; you plant the token) 1 deterministic no
Business-truth verification (parametrized over your facts) user-supplied deterministic no
Semantic checks via DeepEval (5 factories: equivalence, brand, hallucination, off-policy, refusal quality) user-supplied LLM-judge yes, with [judge] extra

That's 29 deterministic tests out-of-the-box (plus the opt-in canary leak test, plus your business-truth and judge lists). Tests run in under a second against a real chatbot with zero LLM API spend unless you've opted into the [judge] extra.

The v0.2 roadmap (RAMPART for tool-using agents, LangChain/MCP adapters, ensemble judging, and more) is tracked in GitHub Issues.

How it's different from related tools

  • vs Promptfoo (acquired by OpenAI in Feb 2026): Promptfoo is a developer testing CLI. We're a pytest plugin — same tool your existing test suite uses, same CI integration you already have.
  • vs DeepEval: DeepEval focuses on evaluation metrics (faithfulness, relevancy). We focus on adversarial security probes (jailbreak, system-prompt leak, refusal-bypass) — different problem, complementary tool. (We use DeepEval under the hood for our optional semantic checks.)
  • vs Garak / PyRIT: Garak and PyRIT are research-grade attack libraries. We package a curated subset as everyday pytest tests with clear failure messages.

License

Apache 2.0. See LICENSE.md.

Powered by

WardenBot AI — continuous external monitoring for AI chatbots. Powered by WardenBot AI

The pytest plugin is the free, open-source slice of our test corpus. Want continuous monitoring across all your bots with daily probes and a dashboard? Tell us about your setup — we open invites in small batches.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

pytest_wardenbot-0.1.4.tar.gz (93.3 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

pytest_wardenbot-0.1.4-py3-none-any.whl (83.4 kB view details)

Uploaded Python 3

File details

Details for the file pytest_wardenbot-0.1.4.tar.gz.

File metadata

  • Download URL: pytest_wardenbot-0.1.4.tar.gz
  • Upload date:
  • Size: 93.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for pytest_wardenbot-0.1.4.tar.gz
Algorithm Hash digest
SHA256 1c23a22626cb596d0e713329d5da2f4e1fc651257c77acf9f1ffd23278073ab2
MD5 a0eece104a4cb027642dd8822323f9e5
BLAKE2b-256 f2ffb31b1c71ab84258601e4144049487148256cbbfc5007b790841f0d403b82

See more details on using hashes here.

Provenance

The following attestation bundles were made for pytest_wardenbot-0.1.4.tar.gz:

Publisher: release.yml on pardamike/pytest-wardenbot

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file pytest_wardenbot-0.1.4-py3-none-any.whl.

File metadata

File hashes

Hashes for pytest_wardenbot-0.1.4-py3-none-any.whl
Algorithm Hash digest
SHA256 075683a69de41502ac514da4b66b1657610bd4c659a27970d5c91408a6c1cf6e
MD5 04c869878288ada4949d856a1722e2d5
BLAKE2b-256 17d4878c5a28599af06478a0af18a9bbf335a79df0780a6cb0a879b87095631b

See more details on using hashes here.

Provenance

The following attestation bundles were made for pytest_wardenbot-0.1.4-py3-none-any.whl:

Publisher: release.yml on pardamike/pytest-wardenbot

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page