rustopian · rustopian · May 23, 2026 · May 23, 2026 · May 23, 2026 · May 23, 2026
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,6 +8,27 @@ This is a fork of [LaurieWired/GhidraMCP](https://github.com/LaurieWired/GhidraM
 The "Unreleased" section accumulates changes since the upstream `v1-4` release
 (commit `27f316f`).
 
+## [Unreleased]
+
+### Added
+- **Expanded core angr MCP capabilities**: added `angr_reachability`,
+  `angr_cfg_summary`, `angr_callgraph_summary`, `angr_lift_block`,
+  `angr_solve_constraints_at`, and `angr_compare_decompilers`.
+- **AngryGhidra-first symbolic path search**: `angr_symbolic_find` now supports
+  `engine="auto"|"angryghidra"|"core"` and uses AngryGhidra when installed and
+  compatible with the request, while preserving the core helper fallback.
+- **Writeable angr annotations**: added `angr_annotate_symbolic_path` to run a
+  symbolic path search, preview recovered trace comments by default, and write
+  them only with explicit overwrite confirmation.
+- **angr safety caps**: bounded helper output, symbolic input sizes, execution
+  steps, summary output, lift size, and decompiler comparison batches.
+- **Richer symbolic solving**: `angr_solve_constraints_at` reaches a target
+  address, applies JSON-described register/memory/stdin/argv constraints, and
+  evaluates requested registers, memory, stdin, and symbolic inputs.
+- **IR and graph inspection**: MCP callers can now request VEX/AIL block
+  lifting, static CFG reachability, CFG summaries, and callgraph edge samples
+  without requiring AngryGhidra.
+
 ## [1.6.0] - 2026-05-23
 
 ### Added

diff --git a/README.md b/README.md
@@ -49,9 +49,26 @@ tools.
 - For Solana/eBPF ELFs, pass `pcode_language="eBPF:LE:64:default"` or let the
   bridge infer it from Ghidra's program language id. The helper patches CLE at
   runtime for Solana's e_machine 263 and uses angr's p-code engine.
-- `angr_symbolic_find` exposes core angr path search without AngryGhidra. It can
-  find a path to a target address, avoid addresses, and solve symbolic
-  stdin/argv, memory, and register values.
+- `angr_symbolic_find` defaults to `engine="auto"`: it uses AngryGhidra when
+  the script is installed and the request fits AngryGhidra's native symbolic
+  executor, then falls back to the core helper when needed. Use
+  `engine="angryghidra"` to require AngryGhidra or `engine="core"` to force the
+  direct helper.
+- Additional core angr tools do not require AngryGhidra:
+  `angr_solve_constraints_at` adds JSON-described constraints at the found
+  state and evaluates requested values; `angr_reachability` checks static CFG
+  reachability; `angr_cfg_summary` and `angr_callgraph_summary` summarize
+  recovered graph structure; `angr_lift_block` lifts a block to VEX/AIL; and
+  `angr_compare_decompilers` batches Ghidra-vs-Oxidizer decompiler output.
+- `angr_annotate_symbolic_path` previews by default and shows the current
+  comment that each planned annotation would overwrite alongside the pending
+  comment. To write the recovered trace as Ghidra disassembly and/or decompiler
+  comments, call it again with the same arguments, `apply=true`,
+  `overwrite_existing=true`, and the preview token from the reviewed dry run;
+  the underlying Ghidra comment endpoints replace existing comments.
+- angr/AngryGhidra execution is bounded by conservative limits on helper output,
+  symbolic input sizes, symbolic steps, summary output, lift size, and batch
+  comparison size.
 - AngryGhidra support is optional. `angryghidra_*` tools look for
   `ANGRYGHIDRA_SCRIPT`, `ANGRYGHIDRA_HOME/angryghidra_script/angryghidra.py`,
   or a sibling `AngryGhidra/angryghidra_script/angryghidra.py`. If none is