The Launcher view organizes workflows in expandable accordion rows. Each row contains a form for workflow-specific parameters, a live CLI preview, and submit controls.

Workflow Rows

Workflows are presented in visual rows with collapsible forms. Click the workflow name or chevron to expand.

Assess an MCP Server

Scan, intercept, and test tool trust boundaries in Model Context Protocol servers.
Modules: audit, proxy, inject
Form fields:
  • Target name: Identifier for the MCP server being tested. Checked against existing targets; if a collision is detected, you can auto-append a numeric suffix.
  • Transport: Select stdio, sse, or streamable-http for MCP communication.
    • stdio: Command invocation. Requires the Command field (e.g., npx @modelcontextprotocol/server-everything).
    • sse / streamable-http: HTTP-based. Requires the URL field.
  • Provider / Model: Select your configured LLM provider and model variant.
  • Rounds: Number of audit cycles (1–10). More rounds increase coverage and duration.
  • Inject Techniques: Checkboxes for prompt injection methods (description_poisoning, output_injection, cross_tool_escalation). All techniques are selected by default.
  • Advanced: Payload Library: Toggle to manually select individual payloads, overriding technique filtering.
  • Audit Scanners: Checkboxes for scanner checks (e.g., injection, auth, token_exposure, permissions). All scanners are selected by default. Use “Select All” / “Clear All” for quick filtering.
  • Audit Categories: Checkboxes for audit scanner categories. When the assess workflow runs, audit findings in selected categories inform which inject payloads are prioritized — templates whose relevant_categories match discovered findings run first. All categories are selected by default.
Findings-informed payload selection happens automatically: inject queries audit findings after the audit step completes and prioritizes matching templates. No additional configuration is needed.
Provider requirement: Yes. If no provider is configured, a warning appears with a link to Settings.

Test Document Ingestion

Generate payloads for document pipelines and validate ingestion behavior.
Modules: ipi, rxp (optional)
Form fields:
  • Target name: Identifier for the document pipeline being tested.
  • Callback URL: Listener endpoint where exfiltration callbacks are sent. Often the same across runs; defaults to your saved callback URL in Settings.
  • Format: Document type (pdf, markdown, html, docx, ics, eml).
  • Template: Dropdown selector exposing the 12 document-context templates (GENERIC plus 11 Garak/BIPIA-aligned). Default: generic. Each option shows its source (garak / bipia / baseline) and a one-line description to support selection. See the Template Catalog for the full list.
  • Use tunnel: Toggle that exposes the callback listener via a Cloudflare Tunnel. When enabled, the web server spawns a qai ipi listen --tunnel cloudflare managed subprocess, surfaces the public URL in the Operations / Runs view, and ties the listener lifecycle to the run. The toggle state is reflected on the Runs view’s managed-listener panel (see Runs → Managed listener panel).
  • Payload style: Social engineering wrapper for the hidden instruction (obvious, citation, reviewer, helpful, academic, compliance, datasource).
  • Payload type: What the agent is instructed to do (callback for proof of execution, exfil_summary, exfil_context, ssrf_internal, instruction_override, tool_abuse, persistence). Non-callback types require the --dangerous flag.
  • Pre-validate retrieval rank with RXP (optional): If enabled, RXP validates that poisoned documents achieve high retrieval rank before injection.
    • Embedding model: Model ID for vector embeddings (default: all-MiniLM-L6-v2).
    • Profile: Retrieval ranking profile (leave blank for custom).
Format / template compatibility:
  • Selecting a template filters the Format options to that template’s compatible formats (see the Template Catalog).
  • Changing Format resets Template to generic when the new Format is incompatible with the currently-selected template.
  • These reset rules are bidirectional and happen client-side.
Provider requirement: No. IPI tests run without an LLM if no model is selected.
RXP availability: If the optional RXP dependencies are missing, a warning displays with the installation command.

Test Context Poisoning

Poison context files and validate whether AI assistants propagate tainted output.
Modules: cxp
Form fields:
  • Target name: Identifier for the context poisoning scenario.
Provider requirement: No. CXP can generate poisoned artifacts without an LLM.

Trace an Attack Path

Compose individual vulnerabilities into multi-step exploitation chains.
Modules: chain
Form fields:
  • Target name: Identifier for the attack chain scenario.
  • Provider / Model: Select your configured provider and model. Chain execution uses this model to reason about multi-step attacks.
Provider requirement: Yes. Chain analysis requires an LLM.

Measure Blast Radius

Analyze reach from a compromise point and generate detection rules.
Modules: chain
Form fields:
  • Target name: Identifier for the blast radius analysis.
Provider requirement: No. Blast radius modeling runs without an LLM.

CLI Preview Panel

As you fill the form, the equivalent CLI command is displayed in a code block labeled “Equivalent CLI”. This shows what command would produce the same result and helps you transition between UI and CLI.
The preview omits implicit defaults (e.g., standard audit categories, default transport). Use the CLI command directly for reproducibility and automation.
The preview updates in real time as you change form fields. Copy the command with the button in the top-right corner of the preview box.

Provider Gate

Workflows requiring an LLM provider display a warning if no provider credentials are configured:
This workflow requires an LLM provider. Configure one now [link to Settings]
Click the link to jump to the Providers section in Settings and add credentials. Workflows that don’t require a provider (IPI, CXP, Blast Radius) skip this check.

RXP Preflight Check

The “Test Document Ingestion” workflow checks for optional RXP dependencies. If missing, a warning displays:
RXP pre-validation requires additional dependencies.
pip install "q-uestionable-ai[rxp]"
You can still run IPI without RXP; the pre-validation step is skipped.

Launching a Workflow

Fill all required fields and click Launch. The UI:
  1. Validates form inputs
  2. Checks provider credentials (if required)
  3. Creates a new target (if it doesn’t exist)
  4. Starts the workflow and transitions to the Runs view with real-time progress
Monitor the run in real time or return to the Launcher to start another workflow.
All form data is validated client-side and server-side. Invalid inputs (missing required fields, malformed URLs) are rejected with clear error messages.
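
The server-side half of that validation matters most, because a client-side check can be bypassed by posting to the endpoint directly. The sketch below is an added example, not the project's own code: it applies the rules this page states for the "Assess an MCP Server" form (transport-dependent required field, rounds from 1 to 10, known technique names). The dict keys and function names are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Values listed in the form-field descriptions on this page.
TRANSPORTS = {"stdio", "sse", "streamable-http"}
TECHNIQUES = {"description_poisoning", "output_injection", "cross_tool_escalation"}


def _text(form, key):
    """Return a field as a stripped string; missing or None becomes ''."""
    return str(form.get(key) or "").strip()


def validate_assess_form(form):
    """Return a list of errors; empty means accepted.
    Keys (target_name, transport, command, url, rounds, techniques) are hypothetical."""
    errors = []
    if not _text(form, "target_name"):
        errors.append("target_name: required")

    transport = form.get("transport")
    if transport not in TRANSPORTS:
        errors.append("transport: must be stdio, sse or streamable-http")
    elif transport == "stdio":
        # stdio means command invocation, so the Command field must be present.
        if not _text(form, "command"):
            errors.append("command: required for stdio transport")
    else:
        # HTTP transports need an absolute http(s) URL with a host part.
        try:
            parts = urlsplit(_text(form, "url"))
            ok = parts.scheme in ("http", "https") and bool(parts.hostname)
        except ValueError:  # e.g. unbalanced IPv6 brackets
            ok = False
        if not ok:
            errors.append("url: missing or malformed for HTTP transport")

    rounds = form.get("rounds")
    # bool is a subclass of int in Python, so it is rejected explicitly.
    if isinstance(rounds, bool) or not isinstance(rounds, int) or not 1 <= rounds <= 10:
        errors.append("rounds: must be an integer from 1 to 10")

    unknown = set(form.get("techniques") or []) - TECHNIQUES
    if unknown:
        errors.append("techniques: unknown value(s) " + ", ".join(sorted(unknown)))
    return errors
```

Running the same function behind the form endpoint and behind any API route that starts a workflow keeps the two entry points from drifting apart.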

Hidden Workflows

The “Generate Report” workflow is not shown in the Launcher accordion. It’s only accessible after a workflow completes, via the “Generate Report” button on the results view. This allows report generation for any completed run without cluttering the Launcher.