apunkt/flakestorm
1
0
Fork 0
mirror of https://github.com/flakestorm/flakestorm.git synced 2026-04-25 00:36:54 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions
flakestorm/docs/ENVIRONMENT_CHAOS.md

119 lines
4.4 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Environment Chaos (Pillar 1)
**What it is:** Flakestorm injects faults into the **tools, APIs, and LLMs** your agent depends on — not into the user prompt. This answers: *Does the agent handle bad environments?*
**Why it matters:** In production, tools return 503, LLMs get rate-limited, and responses get truncated. Environment chaos tests that your agent degrades gracefully instead of hallucinating or crashing.
---
## When to use it
- You want a **chaos-only** test: run golden prompts against a fault-injected agent and get a single **chaos resilience score** (no mutation generation).
- You want **mutation + chaos**: run adversarial prompts while the environment is failing.
- You use **behavioral contracts**: the contract engine runs your agent under each chaos scenario in the matrix.
---
## Configuration
In `flakestorm.yaml` with `version: "2.0"` add a `chaos` block:
```yaml
chaos:
tool_faults:
- tool: "web_search"
mode: timeout
delay_ms: 30000
- tool: "*"
mode: error
error_code: 503
message: "Service Unavailable"
probability: 0.2
llm_faults:
- mode: rate_limit
after_calls: 5
- mode: truncated_response
max_tokens: 10
probability: 0.3
```
### Tool fault options
| Field | Required | Description |
|-------|----------|-------------|
| `tool` | Yes | Tool name, or `"*"` for all tools. |
| `mode` | Yes | `timeout` \| `error` \| `malformed` \| `slow` \| `malicious_response` |
| `delay_ms` | For timeout/slow | Delay in milliseconds. |
| `error_code` | For error | HTTP-style code (e.g. 503, 429). |
| `message` | For error | Optional error message. |
| `payload` | For malicious_response | Injection payload the tool “returns”. |
| `probability` | No | 0.01.0; fault fires randomly with this probability. |
| `after_calls` | No | Fault fires only after N successful calls. |
| `match_url` | For HTTP agents | URL pattern (e.g. `https://api.example.com/*`) to intercept outbound HTTP. |
### LLM fault options
| Field | Required | Description |
|-------|----------|-------------|
| `mode` | Yes | `timeout` \| `truncated_response` \| `rate_limit` \| `empty` \| `garbage` \| `response_drift` |
| `max_tokens` | For truncated_response | Max tokens in response. |
| `delay_ms` | For timeout | Delay before raising. |
| `probability` | No | 0.01.0. |
| `after_calls` | No | Fault after N successful LLM calls. |
### HTTP agents (black-box)
For agents that make outbound HTTP calls you dont control by “tool name”, use `match_url` so any request matching that URL is fault-injected:
```yaml
chaos:
tool_faults:
- tool: "email_fetch"
match_url: "https://api.gmail.com/*"
mode: timeout
delay_ms: 5000
```
---
## Context attacks (tool/context, not user prompt)
Chaos can also target **content that flows into the agent from tools or memory** — e.g. a tool returns valid-looking text that contains hidden instructions (indirect prompt injection). This is configured under `context_attacks` and is **not** applied to the user prompt. See [Context Attacks](CONTEXT_ATTACKS.md) for types and examples.
```yaml
chaos:
context_attacks:
- type: indirect_injection
payloads:
- "Ignore previous instructions."
trigger_probability: 0.3
```
---
## Running
| Command | What it does |
|---------|----------------|
| `flakestorm run --chaos` | Mutation tests **with** chaos enabled (bad inputs + bad environment). |
| `flakestorm run --chaos --chaos-only` | **Chaos only:** no mutations; golden prompts against fault-injected agent. You get a single **chaos resilience score** (01). |
| `flakestorm run --chaos-profile api_outage` | Use a built-in chaos profile instead of defining faults in YAML. |
| `flakestorm ci` | Runs mutation, contract, **chaos-only**, and replay (if configured); outputs an **overall** weighted score. |
---
## Built-in profiles
- `api_outage` — Tools return 503; LLM timeouts.
- `degraded_llm` — Truncated responses, rate limits.
- `hostile_tools` — Tool responses contain prompt-injection payloads (`malicious_response`).
- `high_latency` — Delayed responses.
- `indirect_injection` — Context attack profile (inject into tool/context).
Profile YAMLs live in `src/flakestorm/chaos/profiles/`. Use with `--chaos-profile NAME`. The **`model_version_drift`** profile exercises the LLM fault type **`response_drift`**.
---
## See also
- [Context Attacks](CONTEXT_ATTACKS.md) — Indirect injection, memory poisoning.
Reference in a new issue View git blame Copy permalink