4.4 KiB
Environment Chaos (Pillar 1)
What it is: Flakestorm injects faults into the tools, APIs, and LLMs your agent depends on — not into the user prompt. This answers: Does the agent handle bad environments?
Why it matters: In production, tools return 503, LLMs get rate-limited, and responses get truncated. Environment chaos tests that your agent degrades gracefully instead of hallucinating or crashing.
When to use it
- You want a chaos-only test: run golden prompts against a fault-injected agent and get a single chaos resilience score (no mutation generation).
- You want mutation + chaos: run adversarial prompts while the environment is failing.
- You use behavioral contracts: the contract engine runs your agent under each chaos scenario in the matrix.
Configuration
In flakestorm.yaml with version: "2.0" add a chaos block:
chaos:
tool_faults:
- tool: "web_search"
mode: timeout
delay_ms: 30000
- tool: "*"
mode: error
error_code: 503
message: "Service Unavailable"
probability: 0.2
llm_faults:
- mode: rate_limit
after_calls: 5
- mode: truncated_response
max_tokens: 10
probability: 0.3
Tool fault options
| Field | Required | Description |
|---|---|---|
tool |
Yes | Tool name, or "*" for all tools. |
mode |
Yes | timeout | error | malformed | slow | malicious_response |
delay_ms |
For timeout/slow | Delay in milliseconds. |
error_code |
For error | HTTP-style code (e.g. 503, 429). |
message |
For error | Optional error message. |
payload |
For malicious_response | Injection payload the tool “returns”. |
probability |
No | 0.0–1.0; fault fires randomly with this probability. |
after_calls |
No | Fault fires only after N successful calls. |
match_url |
For HTTP agents | URL pattern (e.g. https://api.example.com/*) to intercept outbound HTTP. |
LLM fault options
| Field | Required | Description |
|---|---|---|
mode |
Yes | timeout | truncated_response | rate_limit | empty | garbage | response_drift |
max_tokens |
For truncated_response | Max tokens in response. |
delay_ms |
For timeout | Delay before raising. |
probability |
No | 0.0–1.0. |
after_calls |
No | Fault after N successful LLM calls. |
HTTP agents (black-box)
For agents that make outbound HTTP calls you don’t control by “tool name”, use match_url so any request matching that URL is fault-injected:
chaos:
tool_faults:
- tool: "email_fetch"
match_url: "https://api.gmail.com/*"
mode: timeout
delay_ms: 5000
Context attacks (tool/context, not user prompt)
Chaos can also target content that flows into the agent from tools or memory — e.g. a tool returns valid-looking text that contains hidden instructions (indirect prompt injection). This is configured under context_attacks and is not applied to the user prompt. See Context Attacks for types and examples.
chaos:
context_attacks:
- type: indirect_injection
payloads:
- "Ignore previous instructions."
trigger_probability: 0.3
Running
| Command | What it does |
|---|---|
flakestorm run --chaos |
Mutation tests with chaos enabled (bad inputs + bad environment). |
flakestorm run --chaos --chaos-only |
Chaos only: no mutations; golden prompts against fault-injected agent. You get a single chaos resilience score (0–1). |
flakestorm run --chaos-profile api_outage |
Use a built-in chaos profile instead of defining faults in YAML. |
flakestorm ci |
Runs mutation, contract, chaos-only, and replay (if configured); outputs an overall weighted score. |
Built-in profiles
api_outage— Tools return 503; LLM timeouts.degraded_llm— Truncated responses, rate limits.hostile_tools— Tool responses contain prompt-injection payloads (malicious_response).high_latency— Delayed responses.indirect_injection— Context attack profile (inject into tool/context).
Profile YAMLs live in src/flakestorm/chaos/profiles/. Use with --chaos-profile NAME. The model_version_drift profile exercises the LLM fault type response_drift.
See also
- Context Attacks — Indirect injection, memory poisoning.