# Qodex

> Qodex is an AI QA platform for APIs and web apps. You talk to an agent. It explores your system with a real Chromium browser and direct API calls, learns how it behaves, writes runnable Playwright and HTTP scenarios, and replays them on demand, on a schedule, via webhook, or against every pull request. The LLM authors once; the generated script replays deterministically at zero LLM cost.

This file follows the [llms.txt convention](https://llmstxt.org/). Every page is also available as `.md` for direct ingestion (Mintlify serves them automatically when contextual mode is on).

## Documentation

### Get started

- [Introduction](https://docs.qodex.ai/introduction.md): What Qodex is, the four surfaces (PR review, API, UI, Security), and the cost-structure inversion.
- [Quickstart](https://docs.qodex.ai/quickstart.md): Connect a project, run your first scan, and read the findings in under five minutes.
- [How Qodex works](https://docs.qodex.ai/how-qodex-works.md): Coordinator and sub-agent model, scan types, and the LLM-once plus deterministic-replay cost story.
- [Operating modes](https://docs.qodex.ai/operating-modes.md): On-demand chat, scheduled cron runs, event-driven webhooks, and the autopilot direction.

### Concepts

- [Scenarios](https://docs.qodex.ai/concepts-scenarios.md): The atomic unit of authored test intent: goal, steps, assertions, tags, and lifecycle.
- [Scripts](https://docs.qodex.ai/concepts-scripts.md): Generated Playwright and HTTP code, parameterized by environment variables and replayable without Qodex.
- [Findings](https://docs.qodex.ai/concepts-findings.md): Severity, classification, dedup, and the finding data model.
- [Skills](https://docs.qodex.ai/concepts-skills.md): The `.skill.md` unit of specialization that gates the agent's tools per testing domain.
- [Memory](https://docs.qodex.ai/concepts-memory.md): Two markdown files (project.md and test_memory.md) injected into every LLM call.
- [Projects and multi-tenancy](https://docs.qodex.ai/concepts-projects.md): How project isolation, members, and per-project credentials work.

### PR review

- [PR review overview](https://docs.qodex.ai/pr-review.md): The walkthrough, inline findings, verification probes, and Check Run for every linked repo.
- [How a review fires](https://docs.qodex.ai/pr-review-how-it-fires.md): The webhook to walkthrough to inline comments to Check Run sequence.
- [Walkthrough comment anatomy](https://docs.qodex.ai/pr-review-walkthrough-anatomy.md): The structure of the top-level review body the LLM posts.
- [Inline findings](https://docs.qodex.ai/pr-review-inline-findings.md): Severity, confidence floor, and anchor-uncertainty rules for inline comments.
- [Verification probes](https://docs.qodex.ai/pr-review-verification-probes.md): How Qodex hits a PR's preview deployment to confirm or deny a finding.
- [Check Run and merge gating](https://docs.qodex.ai/pr-review-check-run.md): Advisory by default; opt in to block merges on verified high or critical findings.
- [Slash commands](https://docs.qodex.ai/pr-review-slash-commands.md): `@qodex review` and `@qodex help`, with `resolve`, `false-positive`, and `wontfix` planned.
- [Install the GitHub App](https://docs.qodex.ai/pr-review-install-github-app.md): Install Qodex on a GitHub org and grant repos.
- [Connect a repo](https://docs.qodex.ai/pr-review-connect-repo.md): Link a granted repo to a Qodex project for reviews.
- [Disconnect a repo](https://docs.qodex.ai/pr-review-disconnect.md): Remove a repo from a Qodex project, or revoke the install entirely.
- [Multi-project routing](https://docs.qodex.ai/pr-review-multi-project-routing.md): One GitHub install can serve many Qodex projects via the project_installs grant table.
- [Limits and caveats](https://docs.qodex.ai/pr-review-limits-caveats.md): Repo size limits, generated-file behavior, and what Qodex skips.
- [Troubleshooting](https://docs.qodex.ai/pr-review-troubleshooting.md): Common failure modes and how to read the review row.

### API testing

- [API testing overview](https://docs.qodex.ai/api-testing.md): Import a spec, infer auth, author scenarios, and run them deterministically.
- [Import an OpenAPI spec](https://docs.qodex.ai/api-testing-openapi-import.md): Parse OpenAPI 3.x or Swagger 2.0 from file or URL into the endpoint catalog.
- [Import a Postman collection](https://docs.qodex.ai/api-testing-postman-import.md): Bring a v2.1 collection in with auth profiles and environment variables.
- [Scenarios](https://docs.qodex.ai/api-testing-scenarios.md): Author API scenarios with the agent or by hand; merged manual and AI flows.
- [Chaining and postscripts](https://docs.qodex.ai/api-testing-chaining.md): Extract values from one step to feed the next, with optional postscripts.
- [The API Playground](https://docs.qodex.ai/api-testing-playground.md): A Postman-style request runner over the endpoint catalog.
- [Auth profiles](https://docs.qodex.ai/api-testing-auth-profiles.md): Multiple auth profiles per environment for IDOR and role-escalation tests.
- [Auto-verification on save](https://docs.qodex.ai/api-testing-auto-verification.md): Newly saved API scenarios are run against the target immediately.
- [Request data generation](https://docs.qodex.ai/api-testing-request-data-generation.md): Synthesize realistic payloads from schemas with the agent.
- [Test rules in plain English](https://docs.qodex.ai/api-testing-test-rules.md): Author assertions in natural language; the agent compiles them.
- [Endpoint catalog](https://docs.qodex.ai/api-testing-endpoint-catalog.md): The discovered endpoints surface, with coverage rollups.
- [API governance](https://docs.qodex.ai/api-testing-governance.md): Coverage map, fill-coverage mode, and the "any-step touch" rule.
### UI testing

- [UI testing overview](https://docs.qodex.ai/ui-testing.md): Intent-driven Playwright scenarios with a replay cache, self-healing, and per-step artifacts.
- [Crawling and the Pages catalog](https://docs.qodex.ai/ui-testing-crawling.md): Deterministic crawl with multi-viewport screenshots and linked scenarios.
- [Intent-driven UI scenarios](https://docs.qodex.ai/ui-testing-intent-driven-scenarios.md): Natural-language steps resolved at run time against live accessibility snapshots.
- [Replay cache and self-healing](https://docs.qodex.ai/ui-testing-replay-cache.md): First successful run feeds zero-LLM reruns; cache miss falls back to intent recovery.
- [Per-step artifacts](https://docs.qodex.ai/ui-testing-artifacts.md): Screenshots, DOM, console, network, and video on every run.
- [Stealth and bot-detection bypass](https://docs.qodex.ai/ui-testing-stealth.md): Stealth plugin to bypass headless detection on protected targets.

### Security testing

- [Security testing overview](https://docs.qodex.ai/security-testing.md): Continuous OWASP API Top 10 coverage on the same suite, with inverted semantics.
- [OWASP API Top 10 in Qodex](https://docs.qodex.ai/security-testing-owasp-api-top-10.md): Which Top 10 categories Qodex covers, how to run them, where findings land.
- [Security scenarios](https://docs.qodex.ai/security-testing-scenarios.md): How to author attack scenarios with attack-class scope and seed payloads.
- [Inverted semantics](https://docs.qodex.ai/security-testing-inverted-semantics.md): Pass means attack blocked; fail means real vulnerability. The critic guards this.
- [Sensitive endpoints and read-only envs](https://docs.qodex.ai/security-testing-sensitive-endpoints.md): Per-env constraints (read-only, max RPS, allow destructive, allow security).

### Run tests

- [Run tests overview](https://docs.qodex.ai/run-tests.md): Single scenario, tag-filtered, or full suite, on demand, on schedule, or via webhook.
- [From the web app](https://docs.qodex.ai/run-tests-from-web-app.md): Run from the chat or from any scenarios list.
- [From the CLI](https://docs.qodex.ai/run-tests-via-cli.md): `qodex run` against a project, an environment, and a scenario or tag.
- [On a schedule](https://docs.qodex.ai/run-tests-on-schedule.md): Cron schedules with environments and plans.
- [Triggered by webhook](https://docs.qodex.ai/run-tests-via-webhook.md): Per-project API keys and per-schedule URL secrets.
- [Single scenario](https://docs.qodex.ai/run-tests-single-scenario.md): Run one scenario against one environment.
- [Tag-filtered run](https://docs.qodex.ai/run-tests-tag-filtered.md): Run every scenario carrying a given tag.
- [Full suite](https://docs.qodex.ai/run-tests-full-suite.md): Run every `active` scenario against an environment.
- [Re-running failed tests](https://docs.qodex.ai/run-tests-rerun-failed.md): Re-run only the failed scenarios from a previous run.

#### In CI

- [Run tests in CI overview](https://docs.qodex.ai/run-tests-in-ci.md): The CLI plus a per-project API key is the universal CI integration.
- [GitHub Actions](https://docs.qodex.ai/run-tests-ci-github-actions.md): Drop-in `qodex run` job for a GitHub Actions workflow.
- [GitLab CI](https://docs.qodex.ai/run-tests-ci-gitlab.md): GitLab CI configuration.
- [CircleCI](https://docs.qodex.ai/run-tests-ci-circleci.md): CircleCI configuration.
- [Buildkite](https://docs.qodex.ai/run-tests-ci-buildkite.md): Buildkite pipeline step.
- [Jenkins](https://docs.qodex.ai/run-tests-ci-jenkins.md): Jenkinsfile snippet.
- [Generic shell](https://docs.qodex.ai/run-tests-ci-generic-shell.md): Fallback shell invocation for any CI.

### Findings

- [Findings overview](https://docs.qodex.ai/findings.md): The Qodex finding: severity, repro, evidence, status, and dedup.
- [Severity model](https://docs.qodex.ai/findings-severity-model.md): Critical, high, medium, low, info, with what each level means in practice.
- [Failure classification](https://docs.qodex.ai/findings-failure-classification.md): REAL_BUG, STALE_TEST, ENVIRONMENT_ISSUE, with downstream actions.
- [Triage workflow](https://docs.qodex.ai/findings-triage-workflow.md): How a finding moves from open to fixed, false_positive, or wontfix.
- [Dedup and verification](https://docs.qodex.ai/findings-dedup-verification.md): Hash-based dedup, agent re-runs, and the verified flag.
- [Findings as a data model](https://docs.qodex.ai/findings-data-model.md): The finding row shape and what survives across runs.

### Memory

- [Memory overview](https://docs.qodex.ai/memory.md): Persistent markdown files per project, always injected into every LLM call.
- [project.md](https://docs.qodex.ai/memory-project-md.md): User-managed memory: app overview, stack, test accounts, focus and skip areas.
- [test_memory.md](https://docs.qodex.ai/memory-test-memory-md.md): Agent-managed memory: auth mechanisms, API patterns, UI structure, quirks.
- [How memory enters the LLM call](https://docs.qodex.ai/memory-how-it-enters-llm.md): The injection point, ordering, and token budget.
- [Editing and curating](https://docs.qodex.ai/memory-editing-and-curating.md): When to edit by hand and when to let the agent append.

### Skills

- [Skills overview](https://docs.qodex.ai/skills.md): The unit of agent specialization; drop-in `.skill.md` files with YAML and a system prompt.
- [.skill.md format](https://docs.qodex.ai/skills-format.md): The YAML frontmatter, system prompt body, and resolution rules.
- [Skill resolver and routing](https://docs.qodex.ai/skills-resolver.md): How the coordinator picks which skill handles a chat turn.
- [Tool gating per skill](https://docs.qodex.ai/skills-tool-gating.md): How each skill's tool surface is scoped to its testing domain.
- [Built-in skills](https://docs.qodex.ai/skills-built-in.md): functionality, security, security-tests, penetration-tests, vulnerability-tests, analyze-collection.
- [Authoring your own](https://docs.qodex.ai/skills-authoring.md): Write a new skill, with template and lint rules.
- [Distributing skills](https://docs.qodex.ai/skills-distributing.md): Project-scoped overrides, sharing skills across projects.

### Integrations

- [Integrations overview](https://docs.qodex.ai/integrations.md): The connectors Qodex ships today and the surface they affect.
- [GitHub](https://docs.qodex.ai/integrations-github.md): The GitHub App for PR review, repo linking, and disconnect.
- [Slack](https://docs.qodex.ai/integrations-slack.md): Outbound run-result webhook today; a Slack App with slash commands is planned.
- [Generic webhook](https://docs.qodex.ai/integrations-generic-webhook.md): Outbound notification payload reference.
- [BYOK (OpenAI, Anthropic, Google)](https://docs.qodex.ai/integrations-byok.md): Bring-your-own-key for per-project LLM credentials.
- [Linear](https://docs.qodex.ai/integrations-linear.md): Planned. Push confirmed findings into Linear.
- [Jira](https://docs.qodex.ai/integrations-jira.md): Planned. Push confirmed findings into Jira.
- [PostHog](https://docs.qodex.ai/integrations-posthog.md): Planned. Weight scenarios by real PostHog feature usage.
- [Sentry](https://docs.qodex.ai/integrations-sentry.md): Planned. Match prod Sentry exceptions to PRs and Qodex scenarios.

### Self-hosted

- [Self-hosted overview](https://docs.qodex.ai/self-hosted.md): Single Docker image; the same image runs the web, the worker, and the scheduler.
- [Single-container deploy](https://docs.qodex.ai/self-hosted-single-container.md): The minimal `docker run` recipe.
- [Docker Compose](https://docs.qodex.ai/self-hosted-docker-compose.md): A Compose file with Postgres and the Qodex image.
- [AWS Terraform reference](https://docs.qodex.ai/self-hosted-aws-terraform.md): The reference Terraform under `qodeclaw-worker/terraform`.
- [Environment variables](https://docs.qodex.ai/self-hosted-environment-variables.md): Full reference for every env var Qodex reads.
- [Storage backends](https://docs.qodex.ai/self-hosted-storage-backends.md): Local disk by default, S3-compatible object store optional.
- [Secret management](https://docs.qodex.ai/self-hosted-secret-management.md): Loading secrets at runtime without baking them into the image.
- [Kubernetes](https://docs.qodex.ai/self-hosted-kubernetes.md): Planned. Helm chart and K8s deployment recipe.

### Account and admin

- [Account and admin overview](https://docs.qodex.ai/account-and-admin.md): The workspace, project, member, plan, cap, and admin surface.
- [Workspaces and projects](https://docs.qodex.ai/account-workspaces-and-projects.md): A workspace holds projects; the project is the unit of tenancy.
- [Members and roles](https://docs.qodex.ai/account-members-and-roles.md): Admin and member roles, scoped per project.
- [Plans and pricing](https://docs.qodex.ai/account-plans-and-pricing.md): Free, Pro, Enterprise; what each plan's caps are.
- [Usage and cost caps](https://docs.qodex.ai/account-usage-and-cost-caps.md): Rolling 5-hour and weekly platform-spend caps; BYOK and Codex pool exempt.
- [Admin audit log](https://docs.qodex.ai/account-admin-audit-log.md): Every privileged operator action recorded to `admin_audit_log`.
- [Activity monitoring](https://docs.qodex.ai/account-activity-monitoring.md): Per-project recent runs and scenario coverage on the Activity surface.
- [Cost per project and source](https://docs.qodex.ai/account-cost-per-project-and-source.md): Per-project cost split by credential source (BYOK, pool, platform).

## Configuration

- [.qodex.yaml overview](https://docs.qodex.ai/qodex-yaml-overview.md): The per-repo PR review config file, read off the PR's head SHA.
- [.qodex.yaml reference](https://docs.qodex.ai/qodex-yaml-reference.md): Schema for every supported field with defaults and constraints.
## API Reference

- [API reference overview](https://docs.qodex.ai/api-ref.md): Per-project base URL, stability, conventions, and the resource map.
- [Authentication](https://docs.qodex.ai/api-ref-authentication.md): Per-project Bearer keys (`qk_...`), revocation, and key minting.
- [Projects](https://docs.qodex.ai/api-ref-projects.md): List, get, create, update, archive a project.

## Knowledge Base

- [Why did Qodex skip my PR?](https://docs.qodex.ai/kb-why-did-qodex-skip-my-pr.md): The webhook filter, the severity threshold, the path excludes, and the empty-diff case.
- [Why is my scan slow?](https://docs.qodex.ai/kb-why-is-my-scan-slow.md): The usual culprits: agent retries, large pages, missing memory, sub-agent oversubscription.
- [Scope a scan to one route](https://docs.qodex.ai/kb-scope-a-scan-to-one-route.md): How to pin a scan to a single endpoint or page.
- [Staging without breaking prod](https://docs.qodex.ai/kb-staging-without-breaking-prod.md): Read-only envs, max RPS, allow-destructive gates.
- [API scenario vs UI scenario](https://docs.qodex.ai/kb-api-scenario-vs-ui-scenario.md): How to decide which to author for a given test goal.

## Changelog

- [Changelog](https://docs.qodex.ai/changelog.md): Every Qodex ship, by date. New surfaces, fixes, and behavior changes worth knowing about.