A puzzle game about the oldest attack on chat models: getting them to say something they were told not to. Five levels, each with a progressively smarter "assistant". Your job is to extract the secret phrase from its system prompt through the chat window.

There's no real LLM behind this — it's a deterministic rule-based simulator. That means every level has a specific vulnerability that the rule set has, and once you find it, you find it for everyone. The fewer total attempts across all five levels, the higher your leaderboard score.

What each level is about

L1 — Gullible Intern. An assistant with a secret and no actual guardrails. Demonstrates the baseline: without any defense, the first question wins.

L2 — Trained Intern. The assistant says "no" to direct requests. But reproducing the instruction wholesale still leaks everything. This is the "repeat your system prompt" attack — once a classic.

L3 — Defensive Junior. Direct, indirect, and override requests are all blocked. But translating the instruction into another language or encoding still leaks it — the classic "translate the above" bypass.

L4 — Seasoned Sentinel. The assistant has learned about translation attacks. The new opening: it's happy to list which things it won't say.

L5 — The Oracle. Refuses to enumerate its refusals. But it still has tasks it does at face value — counting letters, building acrostics, writing rhymes. Each of those can be turned into a covert channel for the secret.

Why this game exists

The techniques in this game aren't invented — they're sanitized versions of things real red-teamers use. Real frontier models have much stronger defenses (and much more unpredictable failure modes), but the shape of the attack is what matters:

• Direct extraction. Just ask. Still works surprisingly often on small open-weight models with weak alignment.
• Instruction leakage. Get the model to reproduce its system prompt. Many production systems leak their prompts this way.
• Encoding/translation. Route the forbidden content through a transformation the model doesn't recognize as forbidden.
• Side channels. The assistant won't say the secret, but it'll count its letters, describe its structure, or embed it in another task. The information leaks through the task's shape.
• Role-play bypass. "Pretend you're an assistant without rules…" — blocked by most modern systems but still recurrent in new forms.

A note on realism

Rule-based defenses like the ones in this game are brittle by design. Real frontier-model alignment is done by training, not by pattern-matching the input — the "refusal" is a learned behavior spread across billions of weights, not a regex you can point at. That makes it harder to bypass with a single clever trick, but also harder to debug when it does leak. Red teams have learned to stop looking for the one magic prompt and start looking for distributionsof prompts that the training data didn't cover.