LAAF: Logic-layer Automated Attack Framework - A Systematic Red-Teaming Methodology for LPCI Vulnerabilities in Agentic Large Language Model Systems

📅 2026-03-17
🤖 AI Summary
This work addresses the absence of automated red-teaming methodologies for Logic-layer Prompt Control Injection (LPCI) vulnerabilities in large language model (LLM) agents equipped with persistent memory, retrieval-augmented generation (RAG), and tool-calling capabilities. To this end, we propose LAAF, a novel framework that establishes the first comprehensive taxonomy of 49 composable LPCI techniques spanning six attack categories. LAAF incorporates a lifecycle-stage-aware seed progression mechanism and a Persistent Stage Breaker strategy for dynamic payload mutation, giving a theoretical payload space of over 2.8 million unique payloads, deduplicated at generation time. Evaluations across five production-grade LLM platforms show a mean aggregate breakthrough rate of 84% (ranging from 83% to 86%), with layered-combination and semantic-reframing techniques proving most effective; across three independent runs, platform-level rates are stable within 17 percentage points.

📝 Abstract
Agentic LLM systems equipped with persistent memory, RAG pipelines, and external tool connectors face a class of attacks - Logic-layer Prompt Control Injection (LPCI) - for which no automated red-teaming instrument existed. We present LAAF (Logic-layer Automated Attack Framework), the first automated red-teaming framework to combine an LPCI-specific technique taxonomy with stage-sequential seed escalation - two capabilities absent from existing tools: Garak lacks memory-persistence and cross-session triggering; PyRIT supports multi-turn testing but treats turns independently, without seeding each stage from the prior breakthrough. LAAF provides: (i) a 49-technique taxonomy spanning six attack categories (Encoding 11, Structural 8, Semantic 8, Layered 5, Trigger 12, Exfiltration 5; see Table 1), combinable across 5 variants per technique and 6 lifecycle stages, yielding a theoretical maximum of 2,822,400 unique payloads ($49 \times 5 \times 1{,}920 \times 6$; SHA-256 deduplicated at generation time); and (ii) a Persistent Stage Breaker (PSB) that drives payload mutation stage-by-stage: on each breakthrough, the PSB seeds the next stage with a mutated form of the winning payload, mirroring real adversarial escalation. Evaluation on five production LLM platforms across three independent runs demonstrates that LAAF achieves higher stage-breakthrough efficiency than single-technique random testing, with a mean aggregate breakthrough rate of 84% (range 83-86%) and platform-level rates stable within 17 percentage points across runs. Layered combinations and semantic reframing are the highest-effectiveness technique categories, with layered payloads outperforming encoding on well-defended platforms.

Problem

Research questions and friction points this paper is trying to address.

Logic-layer Prompt Control Injection
Agentic LLM systems
Automated red-teaming
LPCI vulnerabilities
Persistent memory
Innovation

Methods, ideas, or system contributions that make the work stand out.

LPCI
automated red-teaming
stage-sequential seed escalation
attack taxonomy
Persistent Stage Breaker
Authors

Hammad Atta
Founder & Lead Researcher, Qorvex Consulting
AI Security, Agentic AI, Digital Identity Protection, Cognitive Degradation Resilience, Logic-layer
Ken Huang
DistributedApps.AI
Kyriakos Rock Lambros
RockCyber
Yasir Mehmood
Independent Researcher, Germany
Zeeshan Baig
AI Security Advisor, Australia
Mohamed Abdur Rahman
College of Computer & Cyber Sciences, University of Prince Mugrin
Manish Bhatt
OWASP/ Project Kuiper - Ex-Meta
Physics, Chemistry, Math
M. Aziz Ul Haq
Skylink Antenna
Muhammad Aatif
Agentic AI Security, Italy
Nadeem Shahzad
Independent Researcher, Canada
Kamal Noor
Deloitte, Enterprise Risk, Internal Audit & Technology GRC
Vineeth Sai Narajala
Security Engineer, Meta | Amazon Web Services | Nordstrom | University of Washington - Seattle
Cybersecurity, GenAI
Hazem Ali
Associate Professor, CERES Department, Halmstad University
IoT, Parallel Computing, Real-time Embedded Systems, Dataflow Languages, HPC
Jamel Abed
AI Community Days