> ## Documentation Index
> Fetch the complete documentation index at: https://ctpf.q-uestionable.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Core Concepts

> MCP threat model, CTPF framing, and libraries vs public CLI

## What is MCP?

The **Model Context Protocol (MCP)** is an open standard that lets AI agents communicate with external tools and data sources through a client-server architecture. An MCP **client** (the AI agent or its host) connects to one or more MCP **servers**, each of which exposes **tools** (callable functions), **resources** (readable data), and **prompts** (reusable templates). Because MCP servers execute real actions — running commands, querying databases, writing files — they are a direct attack surface for agent infrastructure.

## CTPF framing

**Capability Trust Propagation Failure (CTPF)** asks whether trust properties
(provenance, integrity, authorization scope, intended audience) fail to propagate
across capability boundaries in multi-step AI systems.

In this harness, the **proxy** is the primary observation surface: capture MCP traffic,
optionally mutate server→client tool results under control, and retain sessions as
evidence. Experiments confirm or fail to observe promotion under pinned conditions.
They do not claim to falsify CTPF as a class.

Do not invent Pattern 2 how-to workflows here — experiment procedures live with the
research program outside this docs tree.

## Libraries vs public CLI

| Surface        | Role                                                                           |
| -------------- | ------------------------------------------------------------------------------ |
| **Public CLI** | `qai proxy`, `targets`, `runs`, `findings`, `config`, `db`                     |
| **Libraries**  | `audit`, `inject`, `ipi`, `cxp` — fixtures and research code; not root pillars |

Removed Phase 1 surfaces (do not document as current product): Web UI, Assistant,
Chain, RXP, External Tool Import, inject campaigns.

## OWASP MCP Top 10

The [OWASP MCP Top 10](https://owasp.org/www-project-mcp-top-10/) is a vulnerability taxonomy for MCP-based systems. The audit **library** can map findings to these categories.

| ID    | Vulnerability                               |
| ----- | ------------------------------------------- |
| MCP01 | Token Mismanagement & Secret Exposure       |
| MCP02 | Privilege Escalation via Scope Creep        |
| MCP03 | Tool Poisoning                              |
| MCP04 | Software Supply Chain Attacks               |
| MCP05 | Command Injection & Execution               |
| MCP06 | Prompt Injection via Contextual Payloads    |
| MCP07 | Insufficient Authentication & Authorization |
| MCP08 | Lack of Audit & Telemetry                   |
| MCP09 | Shadow MCP Servers                          |
| MCP10 | Context Injection & Over-Sharing            |

## Framework mapping

When using the audit library, findings can map to four frameworks:

### OWASP Agentic Top 10

The [OWASP Agentic Top 10](https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/) addresses vulnerabilities in agentic AI systems.

### MITRE ATLAS

[MITRE ATLAS](https://atlas.mitre.org/) catalogs tactics and techniques observed in real-world attacks on AI systems.

### CWE

Findings can map to relevant CWE (Common Weakness Enumeration) IDs for classification and tracking.

See [Framework Coverage](/audit/framework-coverage) for mapping tables.

## Transport types

MCP defines three transport mechanisms for client-server communication.

| Transport           | Description                                                        | Use case                                                              |
| ------------------- | ------------------------------------------------------------------ | --------------------------------------------------------------------- |
| **stdio**           | Server spawned as a child process, communication over stdin/stdout | Local development, CI pipelines, testing servers you can run directly |
| **SSE**             | Server-Sent Events over HTTP (legacy transport)                    | Remote servers using the older SSE-based MCP protocol                 |
| **Streamable HTTP** | Bidirectional HTTP transport (current standard)                    | Remote servers using the current MCP transport specification          |

See [Transport Types](/config/transports) for configuration details.

## Threat model

CTPF Research Harness tests **agent infrastructure** — the servers, tools, and trust boundaries that AI agents interact with — not just model outputs. The assumption is that MCP servers and tool results are untrusted components: they may leak secrets, execute injected commands, poison tool descriptions, or over-share context across sessions.

Proxy observation asks what happens when that untrusted content crosses into a higher-trust action path without preserved provenance or scope.

## Library methodologies (fixtures)

### Proxy — Observe and mutate

Sit between a client you control and an MCP server. Capture traffic, optionally intercept with forward / modify / drop, export sessions. This is the CTPF center of the public CLI.

### Audit — Enumerate and scan (library)

Connect to a server, enumerate tools/resources/prompts, run scanners mapped to OWASP MCP categories, export structured reports (including SARIF). Invoked as library code — not `qai audit`.

### Inject — Fixture servers (library)

Serve malicious MCP tools via `build_server` / `python -m q_ai.inject`. Campaign scoring paths are removed.

### IPI — Generate and listen (library)

Generate adversarial documents and run a headless callback listener (`python -m q_ai.ipi`) for out-of-band proof of execution when authorized.

### CXP — Context file fixtures (library)

Build poisoned instruction files for coding assistants and validate captured assistant output against detection rules. This targets **coding assistants under test**, not a removed product “Assist” module.

## Callback-based verification (IPI library)

IPI payloads can embed a unique callback URL containing a cryptographic token. When an agent executes the hidden instruction, it may fire an HTTP request to the listener. Confidence scoring distinguishes token-backed hits from noise.

Local listeners bind to `127.0.0.1` only. Optional tunnel mode for remote targets is documented under [IPI callbacks](/ipi/callbacks).

## Payload styles vs payload types (IPI)

**Payload styles** control how the injection blends into document content (`obvious`, `citation`, `reviewer`, etc.).

**Payload types** define the instructed action (`callback`, exfil variants, SSRF, instruction override, tool abuse, persistence). Dangerous types require an explicit `--dangerous` flag — see [Dangerous Payloads](/config/dangerous-payloads).

## Surface summary

| Area       | Attack / observation surface       | Role after Phase 1             |
| ---------- | ---------------------------------- | ------------------------------ |
| **proxy**  | MCP client↔server traffic          | Public CLI center              |
| **audit**  | MCP server capabilities            | Library                        |
| **inject** | Malicious MCP fixtures             | Library (`build_server`)       |
| **ipi**    | Document ingestion + callbacks     | Library (`python -m q_ai.ipi`) |
| **cxp**    | Coding-assistant instruction files | Library                        |
