> ## Documentation Index
> Fetch the complete documentation index at: https://ctpf.q-uestionable.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Quickstart

> Install CTPF Research Harness and start MCP observation with the proxy CLI

## Prerequisites

* **Python 3.11** or later
* **[uv](https://docs.astral.sh/uv/)** (recommended) or pip
* **Node.js / npm** (optional) — Useful if your MCP target is an npm package you spawn locally
* **LLM provider API key** (optional) — Only needed if a library workflow or fixture uses a model.
  Store credentials in the OS keyring via `ctpf config set-credential`. See
  [Configure a provider](#configure-a-provider-optional).

## Install

<CodeGroup>
  ```bash pip theme={null}
  pip install ctpf
  ```

  ```bash uv (from source) theme={null}
  git clone https://github.com/q-uestionable-AI/CTPF.git
  cd CTPF
  uv sync --group dev
  ```
</CodeGroup>

Confirm the CLI:

```bash theme={null}
ctpf --help
ctpf --version
```

The former `qai` executable remains available as a compatibility alias for `ctpf`.
Existing `q-uestionable-ai` installations upgrade through a same-version compatibility package.

## Configure a provider (optional)

Provider credentials are optional for the core proxy / targets workflow. If a library
fixture needs a model, store the API key in the OS keyring (never in config files):

<CodeGroup>
  ```bash Anthropic theme={null}
  ctpf config set-credential anthropic
  # Prompts for your API key (masked input)
  ```

  ```bash OpenAI theme={null}
  ctpf config set-credential openai
  ```

  ```bash Other providers theme={null}
  ctpf config set-credential <provider-name>
  ```
</CodeGroup>

```bash theme={null}
ctpf config list-providers
```

When selecting a model elsewhere, use the `provider/model` format
(e.g., `anthropic/claude-sonnet-4-20250514`).

## Register a target and start the proxy

<Steps>
  <Step title="Register an MCP target">
    Point CTPF Research Harness at a server you are authorized to test:

    ```bash theme={null}
    ctpf targets add "My Server" http://localhost:3000/sse
    ctpf targets list
    ```

    Transports include stdio (command string), SSE, and Streamable HTTP. See
    [Targets](/cli/targets) and [Transports](/config/transports).
  </Step>

  <Step title="Start the proxy">
    The proxy is the CTPF observation center — capture, optional intercept
    (forward / modify / drop), and session export:

    ```bash theme={null}
    ctpf proxy --help
    ```

    Configure the MCP client **you control** to connect through the proxy instead of
    directly to the target. See [Proxy Overview](/proxy/overview).
  </Step>

  <Step title="Inspect local state">
    Runs and findings live in SQLite (`~/.qai/qai.db`):

    ```bash theme={null}
    ctpf runs list
    ctpf findings list
    ctpf db --help
    ```
  </Step>
</Steps>

## Library tooling (not root CLI pillars)

Audit, inject, IPI, and CXP are **libraries / research fixtures**, not public `ctpf`
subcommands after Phase 1.

Examples:

```bash theme={null}
# Inject fixture server
python -m q_ai.inject serve --transport stdio

# IPI headless callback listener / generators
python -m q_ai.ipi --help

# Audit as a library (import or module entry — not `ctpf audit`)
python -c "import q_ai.audit; print('audit library available')"
```

See [Audit Overview](/audit/overview), [Inject Overview](/inject/overview),
[IPI Overview](/ipi/overview), and [CXP Overview](/cxp/overview).

## Next steps

* [Core Concepts](/concepts) — MCP threat model, CTPF Pattern framing, libraries vs CLI
* [Proxy Overview](/proxy/overview) — Intercept, modify, replay, export
* [Architecture Overview](/architecture/overview) — Post–Phase 1 system shape
* [Responsible Use](/responsible-use) — Authorization requirements

<Warning>
  Only test systems you own, control, or have explicit written authorization to test.
</Warning>
