Prerequisites
- Python 3.11 or later
- uv (recommended) or pip
- Node.js / npm (optional) — Useful if your MCP target is an npm package you spawn locally
- LLM provider API key (optional) — Only needed if a library workflow or fixture uses a model.
Store credentials in the OS keyring via
ctpf config set-credential. See Configure a provider.
Install
qai executable remains available as a compatibility alias for ctpf.
Existing q-uestionable-ai installations upgrade through a same-version compatibility package.
Configure a provider (optional)
Provider credentials are optional for the core proxy / targets workflow. If a library fixture needs a model, store the API key in the OS keyring (never in config files):provider/model format
(e.g., anthropic/claude-sonnet-4-20250514).
Register a target and start the proxy
Register an MCP target
Point CTPF Research Harness at a server you are authorized to test:Transports include stdio (command string), SSE, and Streamable HTTP. See
Targets and Transports.
Start the proxy
The proxy is the CTPF observation center — capture, optional intercept
(forward / modify / drop), and session export:Configure the MCP client you control to connect through the proxy instead of
directly to the target. See Proxy Overview.
Library tooling (not root CLI pillars)
Audit, inject, IPI, and CXP are libraries / research fixtures, not publicctpf
subcommands after Phase 1.
Examples:
Next steps
- Core Concepts — MCP threat model, CTPF Pattern framing, libraries vs CLI
- Proxy Overview — Intercept, modify, replay, export
- Architecture Overview — Post–Phase 1 system shape
- Responsible Use — Authorization requirements