The config.py module is the single source of truth for every tunable parameter in Agentic-AFL. It exposes one object — the settings singleton — an instance of the AgenticAFLConfig dataclass that components import instead of hardcoding values.

When Agentic-AFL starts, config.py first attempts to load a .env file from the project root via python-dotenv. Any key found there fills in os.environ before individual fields are evaluated. An explicit shell export always wins over a .env entry, and .env entries win over the hardcoded defaults defined in constants.py. This three-layer precedence means you can tune a production deployment purely through environment variables, with no code changes.
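To make the precedence concrete, here is an added example (not the project's own config.py) that applies the same three layers to three representative settings. The ExampleConfig class, SAMPLE_DOTENV and the DEFAULTS values other than K_VOTE_COUNT are constructed for it.

```python
import os
from dataclasses import dataclass

# Defaults as constants.py would hold them. K_VOTE_COUNT=3 is the documented default;
# the other two values are constructed for this example.
DEFAULTS = {"K_VOTE_COUNT": "3", "Z3_TIMEOUT_SECONDS": "30", "DEBUG_MODE": "0"}

@dataclass(frozen=True)
class ExampleConfig:
    k_vote_count: int
    z3_timeout_seconds: int
    debug_mode: bool

def parse_dotenv(text: str) -> dict:
    """Minimal .env reader: KEY=VALUE per line, '#' comments, optional quotes around values."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip().strip("'\"")
    return values

def to_bool(value: str) -> bool:
    """DEBUG_MODE semantics: '1', 'true' or 'yes' (any case) enable it; anything else does not."""
    return value.strip().lower() in ("1", "true", "yes")

def resolve(dotenv_text: str, shell_env: dict = None) -> ExampleConfig:
    """Apply the three-layer precedence: shell export > .env entry > constants.py default.
    This is what load_dotenv() with its default override=False gives: a .env key only fills
    a variable the shell did not already export."""
    if shell_env is None:
        shell_env = os.environ
    merged = dict(DEFAULTS)
    merged.update(parse_dotenv(dotenv_text))                              # .env beats the defaults
    merged.update({k: shell_env[k] for k in DEFAULTS if k in shell_env})  # shell beats .env
    return ExampleConfig(
        k_vote_count=int(merged["K_VOTE_COUNT"]),
        z3_timeout_seconds=int(merged["Z3_TIMEOUT_SECONDS"]),
        debug_mode=to_bool(merged["DEBUG_MODE"]),
    )

# Constructed .env content for the example.
SAMPLE_DOTENV = "# local overrides\nK_VOTE_COUNT=5\nDEBUG_MODE=yes\n"
```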
Ghidra / Extractor Settings
These settings control where Ghidra is installed, where it stores project artifacts, and how aggressively the P-Code extractor processes each function slice before handing context off to the LLM.

Path to the Ghidra installation directory. The headless analyzer binary (analyzeHeadless) must exist under this path. Overridden by the GHIDRA_INSTALL_DIR environment variable.

Directory where Ghidra stores headless analysis projects and intermediate artifacts. Overridden by the GHIDRA_PROJECT_DIR environment variable.

Maximum number of basic blocks to traverse during backward slicing from a stall site. Deeper slices give the LLM richer constraint context but increase token cost and extraction time. A value of 20 balances coverage depth with latency.

Maximum number of P-Code instructions retained before the extractor truncates the slice. Tuned to stay within approximately 4K tokens after prompt framing overhead is added. Raise this value when working with architectures that produce verbose P-Code (for example, MIPS32 with delay slots).
Target Architecture
CPU architecture of the target binary. This value determines BitVec widths in generated Z3 scripts — a 32-bit target uses BitVec(32) registers, a 64-bit target uses BitVec(64). Valid values are ARM32, ARM64, X86, X86_64, MIPS32, and PPC32, all defined in the Architecture enum in constants.py. The register width for each value is defined in ARCH_REGISTER_WIDTH inside constants.py:

| Architecture | Register width |
|---|---|
| ARM32 | 32 bits |
| ARM64 | 64 bits |
| X86 | 32 bits |
| X86_64 | 64 bits |
| MIPS32 | 32 bits |
| PPC32 | 32 bits |
LLM / Orchestrator Settings
These settings control which LLM provider and model Agentic-AFL calls, how generated Z3 scripts are sampled and voted on, and how many self-repair or ReAct turns are permitted before the orchestrator defers back to AFL++.

LLM backend to use for constraint solving and orchestration. Accepted values are "openai", "gemini", and "local". Overridden by the LLM_API_PROVIDER environment variable.

OpenAI API key used when llm_api_provider is "openai". Must be set via the LLM_API_KEY environment variable or a .env file — never hardcoded. An empty string disables OpenAI calls without raising an error at startup.

Google Gemini API key, consulted when llm_api_provider is "gemini". Kept separate from llm_api_key so users running hybrid experiments can have both keys loaded simultaneously. Overridden by the GEMINI_API_KEY environment variable.

Exact model identifier passed to the LLM provider’s API. Switch this to gemini-2.0-flash-exp when using the Gemini backend. Overridden by the LLM_MODEL_NAME environment variable.

Sampling temperature for Z3 script generation. A moderate value of 0.7 gives enough creative variation for K-way voting to find a SAT candidate without producing incoherent constraint logic. Lowering this toward 0.0 makes outputs more deterministic.

Maximum output tokens per LLM call. Gemini thinking-mode models count chain-of-thought tokens against this budget, so the default is set high enough to accommodate both the reasoning trace and the final Z3 script.

Number of Z3 scripts generated in parallel per stall event for K-way voting (LINC §2). The orchestrator picks the first script that returns SAT; if none do, self-repair begins. K=3 is cheap — three parallel API calls — and empirically mitigates the 13–38% syntax error rate observed in LLM-generated constraint code. Overridden by the K_VOTE_COUNT environment variable.

Maximum number of self-repair cycles the LLM is allowed per Z3 generation attempt (LLM-Sym §3.2). On each cycle, the Z3 sandbox error message is fed back to the LLM with a repair prompt. If the script is still broken after this many attempts, the stall event is skipped and AFL++ resumes unassisted.
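An added example, not code from Agentic-AFL, of the K-way vote and self-repair loop built around a subprocess sandbox with a hard per-script timeout (the timeout and sandbox-directory settings themselves are described in the Z3 Sandbox section). It assumes a generated script prints its s.check() verdict as the last line of stdout; SANDBOX_DIR and the three SCRIPT_* stand-ins are constructed.

```python
import os
import subprocess
import sys
import tempfile
from typing import Callable

SANDBOX_DIR = os.path.join(tempfile.gettempdir(), "agentic_afl_sandbox_example")  # assumed path

def run_in_sandbox(script: str, timeout_seconds: float = 1.0) -> tuple:
    """Run one generated script in a subprocess under a hard timeout. Returns (status, detail):
    status is SAT/UNSAT/UNKNOWN/ERROR/TIMEOUT; detail is the output or the error line fed back
    on self-repair. Assumed convention: the script prints the s.check() verdict last."""
    os.makedirs(SANDBOX_DIR, exist_ok=True)
    fd, path = tempfile.mkstemp(prefix="z3_", suffix=".py", dir=SANDBOX_DIR)  # unique per call
    try:
        with os.fdopen(fd, "w") as f:
            f.write(script)
        proc = subprocess.run([sys.executable, path], capture_output=True, text=True,
                              timeout=timeout_seconds)
    except subprocess.TimeoutExpired:
        return "TIMEOUT", f"no verdict within {timeout_seconds}s"
    finally:
        os.unlink(path)  # removed even after a timeout or crash
    if proc.returncode != 0:
        return "ERROR", (proc.stderr.strip().splitlines() or [f"exit status {proc.returncode}"])[-1]
    out = proc.stdout.strip().splitlines()
    if not out or out[-1].lower() not in ("sat", "unsat", "unknown"):
        return "ERROR", "script exited cleanly but printed no verdict"
    return out[-1].upper(), proc.stdout.strip()

def solve_stall(candidates: list, repair: Callable[[str, str], str], max_repair_cycles: int = 3):
    """K-way vote (first SAT wins), then self-repair of the candidates that errored."""
    results = [run_in_sandbox(c) for c in candidates]
    for status, detail in results:
        if status == "SAT":
            return status, detail
    for script, (status, detail) in zip(candidates, results):
        for _ in range(max_repair_cycles):
            if status != "ERROR":
                break  # UNSAT/TIMEOUT are not syntax faults; a repair prompt will not help
            script = repair(script, detail)  # error line goes back to the (stand-in) LLM
            status, detail = run_in_sandbox(script)
            if status == "SAT":
                return status, detail
    return None  # stall skipped; AFL++ resumes unassisted

# Constructed stand-ins for LLM-generated scripts (no z3 needed to run the example).
SCRIPT_SAT = "print('x = 0x41')\nprint('sat')\n"
SCRIPT_BROKEN = "print('sat'\n"                 # unbalanced parenthesis: the syntax-error case
SCRIPT_HANGS = "import time\ntime.sleep(30)\n"  # stands in for a check() that never returns
```

The `repair` callback is where the real orchestrator would send the error line to the LLM with the repair prompt; the stand-in scripts are plain Python so the example runs without z3 installed.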
Maximum number of ReAct (Reason + Act) turns the orchestrator executes before abandoning the current stall and deferring back to AFL++ (SAILOR §4). SAILOR’s original implementation allows up to 60 turns; 5 is calibrated for real-time fuzzing campaigns where latency matters more than exhaustive search.

Z3 Sandbox
Hard timeout for each s.check() call inside the Z3 subprocess sandbox (TDD_v2 §4.3). Prevents path explosion on cryptographic constraint systems — without this limit a single check() on a SHA-256 constraint can run indefinitely. Overridden by the Z3_TIMEOUT_SECONDS environment variable.

Temporary directory used by the Z3 sandbox for subprocess script files and result artifacts. Each invocation writes a uniquely named script here and cleans it up after execution. Overridden by the Z3_SANDBOX_DIR environment variable.

AFL++ / Fuzzer Bridge
These settings wire Agentic-AFL to a running AFL++ instance. AFL++ must already be started pointing at the same afl_output_dir; Agentic-AFL watches it for stalls and injects solved payloads back into afl_sync_dir so they are ingested on the next AFL++ cycle.
Root output directory for the AFL++ campaign. Agentic-AFL reads fuzzer_stats and queue files from this directory to detect stall conditions. Overridden by the AFL_OUTPUT_DIR environment variable.

Directory into which Agentic-AFL drops solved constraint payloads. AFL++ natively ingests any new file placed here on its next cycle. This must be the same sync_dir AFL++ was launched with. Overridden by the AFL_SYNC_DIR environment variable.

Minimum number of AFL++ cycles that must elapse without new edge coverage before a stall is declared and the orchestrator is invoked. Setting this too low causes unnecessary LLM calls on healthy fuzz runs; too high and genuine roadblocks are left unaddressed for too long.
How often (in seconds) the stall detector reads fuzzer_stats to check coverage progress. Lowering this increases monitoring responsiveness at the cost of slightly more I/O against the AFL++ output directory.

Time-based stall threshold in seconds. When set to a value greater than 0, this overrides cycle-based detection: a stall is declared only after this many seconds have elapsed with no new edges. Useful for long-running continuous campaigns where AFL++ cycles vary wildly in duration. A value of 0 means cycle-based detection (min_stall_cycles) is used instead. Overridden by the MIN_STALL_TIME_SECONDS environment variable.

PostgreSQL (Spec Store / CARM)
Agentic-AFL stores constraint templates in PostgreSQL with a JSONB schema and a custom jaccard_similarity() SQL function. PostgreSQL replaced an earlier mem0 vector-DB backend because CARM’s retrieval algorithm uses Jaccard similarity over tag sets, which is fundamentally different from the cosine similarity that vector databases are optimized for. Computing Jaccard server-side in SQL returns only the top-N qualified matches without pulling all rows into Python.
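An added example, not the project's own schema, of a server-side jaccard_similarity() function and the threshold/LIMIT retrieval query described by the fields that follow, with a Python mirror so the ranking can be checked offline. The table and column names, the psycopg2-style parameter placeholders and SAMPLE_ROWS are assumptions.

```python
# SQL for the server-side function the documentation names. The table and column names
# (constraint_templates, tags text[], spec) and the %(name)s parameter style are assumptions.
JACCARD_SQL = """
CREATE OR REPLACE FUNCTION jaccard_similarity(a text[], b text[]) RETURNS double precision AS $$
  SELECT CASE
    WHEN cardinality(a) = 0 AND cardinality(b) = 0 THEN 0.0
    ELSE (SELECT count(*) FROM (SELECT unnest(a) INTERSECT SELECT unnest(b)) i)::double precision
       / (SELECT count(*) FROM (SELECT unnest(a) UNION SELECT unnest(b)) u)
  END;
$$ LANGUAGE sql IMMUTABLE;
"""

CARM_QUERY = """
SELECT id, spec, jaccard_similarity(tags, %(q)s) AS score
FROM constraint_templates
WHERE jaccard_similarity(tags, %(q)s) >= %(threshold)s
ORDER BY score DESC
LIMIT %(limit)s;
"""

def jaccard(a, b) -> float:
    """Reference implementation of the SQL function: |A ∩ B| / |A ∪ B| with set semantics."""
    a, b = set(a), set(b)
    return len(a & b) / len(a | b) if a | b else 0.0

def retrieve_templates(rows, query_tags, threshold=0.3, limit=5):
    """Offline mirror of CARM_QUERY over (id, tags, spec) rows: same threshold and LIMIT
    semantics, so the effect of changing either setting can be checked without PostgreSQL."""
    scored = [(jaccard(tags, query_tags), tid) for tid, tags, _ in rows]
    kept = sorted((s for s in scored if s[0] >= threshold), reverse=True)
    return [(tid, round(score, 3)) for score, tid in kept[:limit]]

# Constructed spec-store rows: (id, tags, spec).
SAMPLE_ROWS = [
    (1, ["strcmp", "magic", "x86_64"], "s.add(buf0 == 0x41414141)"),
    (2, ["memcmp", "length", "arm32"], "s.add(n > 8)"),
    (3, ["strcmp", "magic", "arm32"], "s.add(buf0 == 0x4d5a)"),
]
```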
PostgreSQL connection string (DSN) for the spec store. Overridden by the POSTGRES_DSN environment variable. The default credentials match the development Docker setup described in the environment variables reference.

Minimum Jaccard similarity score for the CARM retrieval step to consider a stored template a candidate match (ConstraintLLM §2.2). This value is passed directly to the SQL WHERE jaccard_similarity(...) >= ? clause. Lower values return more candidates with potentially noisier matches; higher values return fewer, more precise templates.

Maximum number of constraint templates returned per CARM query, applied as a SQL LIMIT. Increase this when operating on large spec stores to give the LLM more template candidates; decrease it to reduce prompt token cost.

Logging / Debug
Python logging level for all Agentic-AFL components. Accepted values are DEBUG, INFO, WARNING, ERROR, and CRITICAL. Set to DEBUG to trace individual P-Code extraction steps and LLM prompts. Overridden by the LOG_LEVEL environment variable.

Directory where structured log files are written. The directory is created automatically if it does not exist. Overridden by the LOG_DIR environment variable.

When True, Agentic-AFL saves raw LLM completions (full prompt + response) and every generated Z3 script to /tmp/agentic_afl_debug/ for post-mortem analysis. Activating debug mode significantly increases disk usage on high-throughput campaigns. Enabled by setting the DEBUG_MODE environment variable to 1, true, or yes.