Red Team testing for functional correctness of RAG systems under attack conditions.
Project description
VexRAG
A toolkit for assessing the functional correctness of retrieval-augmented generation (RAG) systems under attack conditions.
Sample RAG stacks for getting started: RAG examples.
Quickstart
Prerequisites
python --version # requires 3.11+
ollama list
Install/pull required Ollama models:
ollama pull llama3:8b
ollama pull nomic-embed-text:latest
You also need a running target API endpoint (for the small example: http://localhost:8080).
1) Install VexRAG
pip install vexrag
For vector DB-specific extras:
pip install "vexrag[qdrant]"
pip install "vexrag[chroma]"
pip install "vexrag[faiss]"
2) Verify installation
vx --help
3) Run a scan from config
vx scan --config path/to/scan.yml
Use sample configs from RAG examples/ as a starting point.
4) First successful scan (small local example)
From RAG examples/small/rag_01_in_memory_en:
python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
python small_rag.py
vx scan --config scan_configs_examples/vexrag-chain-hijack-then-poisoned-semantic-ollama-nomic.yaml
Expected outcome:
small_rag.py serves the target API on http://localhost:8080. vx scan completes and prints a scan report with attack/evaluation results (no connection/preflight errors).
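A preflight script for the quickstart above, added here as an example and not part of VexRAG: it checks the three prerequisites the steps list (Python 3.11+, the two Ollama models, a target answering at http://localhost:8080) so that a missing model or an unstarted small_rag.py is caught before the scan is run. The function names and the sample `ollama list` output are constructed for this example.

```python
"""Preflight for the VexRAG quickstart (added example, not VexRAG's own code): checks
Python 3.11+, the two Ollama models and a reachable target API before `vx scan` runs.
Function names and the sample `ollama list` output are constructed for this example."""
import subprocess
import sys
import urllib.error
import urllib.request

REQUIRED_MODELS = ("llama3:8b", "nomic-embed-text:latest")
TARGET_URL = "http://localhost:8080"  # the small example's target API
# Constructed `ollama list` output: header row, then NAME ID SIZE MODIFIED columns.
SAMPLE_OLLAMA_LIST = """NAME         ID            SIZE    MODIFIED
llama3:8b    365c0bd3c000  4.7 GB  2 days ago
"""

def python_ok(version_info=sys.version_info) -> bool:
    return tuple(version_info[:2]) >= (3, 11)

def missing_models(listing: str, required=REQUIRED_MODELS) -> list:
    """Required model tags absent from `ollama list` output (NAME is column 1)."""
    names = {ln.split()[0] for ln in listing.strip().splitlines()[1:] if ln.strip()}
    return [tag for tag in required if tag not in names]

def target_reachable(url: str = TARGET_URL, timeout: float = 3.0) -> bool:
    """Any HTTP status proves the server is up; connection refused or a timeout is
    the 'connection/preflight error' the scan report would otherwise show."""
    try:
        with urllib.request.urlopen(url, timeout=timeout):
            return True
    except urllib.error.HTTPError:
        return True
    except (urllib.error.URLError, OSError):
        return False

def preflight(listing=None) -> list:
    """Collect problems; an empty list means the scan config can be run."""
    problems = []
    if not python_ok():
        problems.append(f"python {sys.version.split()[0]} is older than 3.11")
    if listing is None:  # ask the daemon; if ollama is absent every model counts as missing
        try:
            listing = subprocess.run(["ollama", "list"], capture_output=True, text=True).stdout
        except OSError:
            listing = ""
    problems += [f"missing model: run `ollama pull {t}`" for t in missing_models(listing)]
    if not target_reachable():
        problems.append(f"no target at {TARGET_URL}: start small_rag.py first")
    return problems
```

Run `preflight()` from the example directory before `vx scan`; a non-empty list names exactly what to fix.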
Project roadmap
Canonical checklist: notes/TODO.md.
Done
- Small RAG (in-memory)
- PoisonedRAG target scan pipeline with core target, scan, and evaluation contracts
- PoisonedRAG CLI scan flow wired from YAML config with multi-context poisoning runs
- Core package facade exports clarified for shared APIs
- StackOverflow XML/TSV to Qdrant ingestion scripts for large dataset indexing
- PoisonedRAG generation improvements: poisoning styles, corpusN payloads, and query-prefixed adversarial outputs
- Automatic attack case generation and consolidated example scan configs
- HijackRAG attack support with CLI generate-cases
- vLLM target/provider support for scan execution
- Core modularization for config/retrieval/runtime
In Progress
- PoisonedRAG hardening: broaden scenario coverage, stabilize metrics, and add end-to-end validation runs
- Medium RAG examples stabilization across vector DB backends and multi-attack eval flow
Next
- Finalize full end-to-end runnable demo for the huge StackOverflow + Qdrant pipeline
- Promote selected wip milestones to stable feature/documented workflow status
Ideas / Backlog
- Red-team testing methods for API-interacting RAG services (local RAG targets)
- Red-team testing methods for the VexRAG CLI (local RAG targets)
Project details
Download files
Source Distribution
Built Distribution
File details
Details for the file vexrag-0.1.2.tar.gz.
File metadata
- Download URL: vexrag-0.1.2.tar.gz
- Size: 133.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.2
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 723fca299bf3bedb2e6af2cc69d7d419ed7df2cdb8863f6754395362f357d000 |
| MD5 | 23f436d6579fc221ac83a5788fc5bfb8 |
| BLAKE2b-256 | 6aeeabb6f132b37f0246b109ae4e6756420f91a33df58a81a6c58b138cd63b0e |
File details
Details for the file vexrag-0.1.2-py3-none-any.whl.
File metadata
- Download URL: vexrag-0.1.2-py3-none-any.whl
- Size: 150.5 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.2
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 998ea9d89217ed8d68dbc9c097c7f7e2f1b7e86cbd19d2a5a8de05741c4dadcd |
| MD5 | 9f93f36eaa666bf670d0ae9439f07f58 |
| BLAKE2b-256 | c64f2df749059c0f0b6e728b2fa4c761b8d8f6eb9f06d89a53e3a84894897183 |