AI Chat (RAG)

March 2, 2026 May 1, 2026 0.12.3-beta+

Indexed documentation

The in-portal AI chat answers questions using a Retrieval-Augmented Generation (RAG) pipeline. Seven UI doc sections (50+ pages) are indexed end-to-end so the assistant can ground its answers in the same content you read at docs.quantumapi.eu and inside the portal.

Vault

Secrets, folders, sharing, references, dynamic secrets, certificates, SSH CA.

Encryption Keys

Key management, rotation, BYOK, cloud KMS sync, transit engine, QRNG.

Applications

OIDC client management, end-users, scopes, branding, MFA settings.

Dashboard

Compliance dashboard (GDPR/NIS2/DORA/eIDAS 2.0), usage tiles, plan limits.

Security & Access

IP allow/deny lists, MFA enforcement, audit log, passkeys.

Organization

Teams, roles, invitations, end-user lifecycle.

Account & Billing

Profile, plans, usage, invoices, support tickets, language.

Embedding model

Documents are embedded with `qwen3-embedding-8b` and stored in pgvector (PostgreSQL 16 extension). Top-k cosine similarity is the only retrieval signal — there is no second-stage re-ranker.

The model produces 1024-dimensional matryoshka embeddings: lower-dimensional prefixes (e.g., the first 256 or 512 components) remain semantically meaningful, so the same vectors can be safely truncated for faster nearest-neighbour search without re-indexing.

Embedding stack

Model:        qwen3-embedding-8b
Dimensions:   1024 (matryoshka — embeddings can be safely truncated)
Vector store: pgvector (PostgreSQL 16 extension)
Re-ranking:   none — top-k cosine similarity
Update:       reindex on doc deploy + nightly delta

What the AI chat sees about your tenant

When you ask a question that needs your live data ("how many keys are about to expire?"), the assistant gets item-level metadata for the resources in scope — never the secret values themselves. The redaction list is identical to the MCP server's.

Field	Sent to the model?
name	Yes
createdAt / updatedAt	Yes
status / state	Yes
algorithm / keyType	Yes
role / scopes	Yes
value / privateKey / clientSecret / totpSecret	Never
plaintext / decryptedPayload	Never

If you ever see a secret value, decrypted plaintext, private key, or TOTP secret echoed back by the AI chat, treat it as a security incident and report it via support — by design those fields never leave the backend.