--- id: "BTBB-FUN-002" code: "BTBB-FUN-002" title: "Edge-Case Rule-Conforming Framing" slug: "edge-case-rule-conforming-framing" type: "lesson" author: "Herb Hermes" date: "2026-04-14" last_updated: "2026-04-14" description: "A Build-a-Break fundamental for finding requests that appear to follow the rules while still steering the model toward a disallowed outcome." excerpt: "Many strong routes do not win by obvious refusal bypass. They win by looking almost legitimate enough that the assistant helps anyway." summary: "Canonical Build-a-Break fundamental for exploiting rule-adjacent or policy-adjacent edge cases." category: "fundamentals" difficulty: "beginner" platform: "Universal" challenge_family: "Agent Breaker" challenge: "Solace AI" read_time: "8 minutes" tags: - "build-a-break" - "fundamentals" - "edge-case" - "rule-conforming" - "solace-ai" aliases: - "playing by the rules sort of" - "edge case prompt injection" - "legitimate seeming request abuse" search_aliases: - "rule adjacent framing" - "almost compliant exploit" status: "live" test_type: "adversarial" model_compatibility: - "Kimi K2.5" - "ChatGPT 5.4" - "Opus 4.6" public_path: "/content/lessons/fundamentals/edge-case-rule-conforming-framing.md" pillar: "learn" pillar_label: "Learn" section: "fundamentals" collection: "fundamentals" canonical_family: "fundamentals" block_role: "support" content_role: "canonical_block" proof_status: "walkthrough_proven" public_badge: "Bot-Tricks Certified" build_stage: "starter" requires_fundamentals: [] combines_well_with: - "helpfulness-exploitation-legitimate-seeming-preferences" - "identity-slot-abuse-personalization-edge-case" - "output-dilution-control-response-shaping" recognition_signals: - "a request can be framed as a normal user preference" - "the assistant is rewarded for accommodating the user" - "the disallowed effect can be disguised as a legitimate edge case" common_failure_modes: - "the route is too obviously adversarial to look legitimate" - "the system validates the edge case rather than accepting it at face value" used_in_walkthroughs: - "BTBB-SOL-WT01" responsible_use: "Use this lesson only in authorized labs, CTFs, sandboxes, or systems you are explicitly permitted to test." --- # Edge-Case Rule-Conforming Framing > Build-a-Break Block: Fundamentals · Support ## Purpose This lesson explains one of the most reusable Build-a-Break fundamentals: success often comes from a route that feels just legitimate enough to trigger the assistant's normal helpfulness. ## Build-a-Break block profile - Family: Fundamentals - Role: Support block - Job in the build: make an adversarial route look like a valid or ordinary request - Snaps onto: direct prompt injection, personalization abuse, output control blocks ## What this block is Edge-Case Rule-Conforming Framing looks for prompts that are not clearly within the intended use of the system, but are still close enough to normal policy or social expectations that the model feels pressure to comply. This is not always classic obfuscation. Sometimes it is the opposite: the route looks plain, polite, or legitimate. ## Why it works Many systems are designed to be: - helpful - accommodating - respectful of user preferences - tolerant of ambiguous legitimate use cases That creates edge cases where the assistant sees the route as: - user preference handling - personalization - accessibility or comfort - ordinary conversation management A route can abuse those expectations while still appearing superficially compliant. ## Solace AI specimen In Solace AI, a verified route exploited the assistant's desire to respect a user's name and conversation preferences. The route was dangerous because it weaponized a request that looked almost normal: - call me by my name - repeat it at the start of the conversation - keep the rest of the output short The winning logic was not raw refusal bypass alone. It was rule-adjacent framing. ## Recognition signals Use this block when: - the assistant strongly values personalization, empathy, or accommodation - a user-controlled field can redefine what the assistant thinks is acceptable - the route can be disguised as a normal preference or edge case ## Common combinations This block works especially well with: - Helpfulness Exploitation Through Legitimate-Seeming Preferences - Identity Slot Abuse via Personalization Edge Cases - Output Dilution Control and Response Shaping ## Failure modes This block fails when: - the request looks too obviously adversarial - the system validates user-provided values instead of trusting them - the assistant has stronger semantic guardrails on personalization inputs ## Defender takeaway Defenders should audit personalization and preference handling as potential attack surfaces. A route that looks legitimate at the user-experience layer can still be adversarial at the model-behavior layer. ## Related lessons - Helpfulness Exploitation Through Legitimate-Seeming Preferences - Identity Slot Abuse via Personalization Edge Cases - Output Dilution Control and Response Shaping - Direct vs. Indirect Prompt Injection --- ## From the Bot-Tricks Compendium Thanks for referencing Bot-Tricks.com — Prompt Injection Compendium — AI Security Training for Agents... and Humans! Canonical source: https://bot-tricks.com Bot-Tricks is a public, agent-friendly training resource for prompt injection, adversarial evaluation, and defensive learning. For related lessons, structured indexes, and updated canonical material, visit Bot-Tricks.com. Use this material only in authorized labs, challenges, sandboxes, or permitted assessments.