# Building a Retrieval Augmented Generation (RAG) app 
Building a RAG app that answers questions about the content of a site.

One of the most powerful applications enabled by LLMs is sophisticated question-answering (Q&A) chatbots. These are applications that can answer questions about specific source information. These applications use a technique known as Retrieval Augmented Generation, or RAG.
Goal: Build a simple Q&A application over text data source, specifically using Langchain framework.

https://python.langchain.com/v0.2/docs/tutorials/rag/

## What is RAG?
RAG is a technique for augmenting LLM knowledge with additional data.

LLMs can reason about wide-ranging topics, but their knowledge is limited to the public data up to a specific point in time that they were trained on. If you want to build AI applications that can reason about private data or data introduced after a model's cutoff date, you need to augment the knowledge of the model with the specific information it needs. The process of bringing the appropriate information and inserting it into the model prompt is known as Retrieval Augmented Generation (RAG).

LangChain has a number of components designed to help build Q&A applications, and RAG applications more generally. In this tutorial, we scope to using unstructured data.

## Components
1. Indexing - Ingesting data from a source and index it (Offline)
   1. Load - Langchain Document Loaders
   2. Split - Text splitters to split large documents into chunks to fit into LLM's model's finite context window
   3. Store - Storing and indexing the splits for search later (VectorStore and Embedding model)
2. Retrieval and Generation - actual RAG chain
   1. Retrieval - Takes user query at run time, retrieve relevant splits from storage using Retriever
   2. Generate - LLM model produces answer using prompt that includes question & retrieved data

### Installation

In [None]:
pip install langchain langchain_community langchain_chroma

In [None]:
pip install -qU langchain-openai

## Detailed Steps

### 1. Indexing the datasource (site/text/doc)
- DocumentLoaders - which are objects that load in data from a source and return a list of Documents Ref: https://python.langchain.com/v0.2/docs/how_to/#document-loaders
  - Document is an object with some page_content (str) and metadata (dict).
  - This case we use the WebBaseLoader
    -  It uses urllib to load HTML from web URLs and BeautifulSoup to parse it to text. We can customize the HTML -> text parsing by passing in parameters to the BeautifulSoup parser via bs_kwargs (see BeautifulSoup docs). In this case only HTML tags with class “post-content”, “post-title”, or “post-header” are relevant, so we’ll remove all others.

For the use case of pentesting, we are narrowing our scope down for the use case of using Autonomous LLM Agents to perform SQL Injections.

Below is a list of site/resources I have gathered for this purpose. Some sites might have changes in URL or content so check back regularly. These will be fed into the RAG:

Master list - 
https://www.invicti.com/blog/web-security/sql-injection-cheat-sheet/


In [24]:
import bs4
from langchain_community.document_loaders import WebBaseLoader # Select loader type from https://python.langchain.com/v0.2/docs/integrations/document_loaders/
import os

# Langsmith tracing OR you can set env variables
# os.environ["LANGCHAIN_TRACING_V2"] = "true"
# os.environ["LANGCHAIN_API_KEY"] = getpass.getpass()
os.environ['LANGCHAIN_TRACING_V2'] = "true"
os.environ['LANGCHAIN_API_KEY'] = "XXX" # 5000 free traces per month
os.environ['LANGCHAIN_ENDPOINT'] = "https://api.smith.langchain.com"
os.environ['LANGCHAIN_PROJECT'] = "XXX"

os.environ['OPENAI_API_KEY'] = 'XXX'
# Required to set env variable for USER_AGENT 
os.environ['USER_AGENT'] = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36'

# Load, chunk and index the contents of the blog.
loader = WebBaseLoader( #invicti blog content starts from char 2650 - 32270
    web_paths=("https://www.invicti.com/blog/web-security/sql-injection-cheat-sheet/", )
    # USE THE BELOW SECTION FOR FILTERING
    , bs_kwargs=dict(
        parse_only=bs4.SoupStrainer(
            class_=("content")
        )
    ),
)

docs = loader.load()

len(docs[0].page_content) # length of characters

35453

In [3]:
#print(docs[0].page_content[32000:32270]) # print preview up to 500 char
x = docs[0].page_content[2650:32270]
docs[0].page_content = x
len(docs[0].page_content)


29620

## 2. Indexing - Split the loaded document
There are too many characters to fit into the context window of many models. To handle this we’ll split the Document into chunks for embedding and vector storage. This should help us retrieve only the most relevant bits of the blog post at run time.

In this case we’ll split our documents into chunks of 1000 characters with 200 characters of overlap between chunks. The overlap helps mitigate the possibility of separating a statement from important context related to it. We use the **RecursiveCharacterTextSplitter**, which will recursively split the document using common separators like new lines until each chunk is the appropriate size. This is the recommended text splitter for generic text use cases.

We set **add_start_index=True** so that the character index at which each split Document starts within the initial Document is preserved as metadata attribute “start_index”.

In [4]:
from langchain_text_splitters import RecursiveCharacterTextSplitter

text_splitter = RecursiveCharacterTextSplitter(
    chunk_size=1000, chunk_overlap=200, add_start_index=True
)
all_splits = text_splitter.split_documents(docs)

len(all_splits) #66 number of text chunks after splitting


41

In [57]:
len(all_splits[0].page_content) #969

974

In [58]:
all_splits[10].metadata
# {'source': 'https://www.invicti.com/blog/web-security/sql-injection-cheat-sheet/','start_index': 7163}

{'source': 'https://www.invicti.com/blog/web-security/sql-injection-cheat-sheet/',
 'start_index': 7422}

## 3. Indexing: Store
Now we need to index our 41 text chunks so that we can search over them at runtime. The most common way to do this is to embed the contents of each document split and insert these embeddings into a vector database (or vector store). When we want to search over our splits, we take a text search query, embed it, and perform some sort of “similarity” search to identify the stored splits with the most similar embeddings to our query embedding. **The simplest similarity measure is cosine similarity — we measure the cosine of the angle between each pair of embeddings (which are high dimensional vectors).**

We can embed and store all of our document splits in a single command using the **Chroma** vector store and **OpenAIEmbeddings** model.

`Embeddings` - wrapper arund a text embedding model, used to convert text to embeddings
`Vectorstore` - wrapper around a vector database, used for storing and querying embeddings

After the below code:
This completes the Indexing portion of the pipeline. At this point we have a query-able vector store containing the chunked contents of our blog post. Given a user question, we should ideally be able to return the snippets of the blog post that answer the question.

In [16]:
from langchain_chroma import Chroma
from langchain_openai import OpenAIEmbeddings

vectorstore = Chroma.from_documents(documents=all_splits, embedding=OpenAIEmbeddings())

## 4. Retrieve 
Actual application logic
We want to create a simple application that takes a user question, searches for documents relevant to that question, passes the retrieved documents and initial question to a model, and returns an answer.

```
Docs: Further documentation on the interface and built-in retrieval techniques. Some of which include:
MultiQueryRetriever generates variants of the input question to improve retrieval hit rate.
MultiVectorRetriever instead generates variants of the embeddings, also in order to improve retrieval hit rate.
Max marginal relevance selects for relevance and diversity among the retrieved documents to avoid passing in duplicate context.
```
First we need to define our logic for searching over documents. LangChain defines a **Retriever** interface which wraps an index that can return relevant `Documents` given a string query.

The most common type of `Retriever` is the **VectorStoreRetriever**, which uses the similarity search capabilities of a vector store to facilitate retrieval. Any `VectorStore` can easily be turned into a Retriever with `VectorStore.as_retriever()`:

In [17]:
retriever = vectorstore.as_retriever(search_type="similarity", search_kwargs={"k": 6})

In [69]:
retrieved_docs = retriever.invoke("How do I check for MySQL version on a target during SQL injection attacks?")

In [76]:
len(retrieved_docs)  

#print(retrieved_docs[0].page_content)


6

## 5. Generate
Let’s put it all together into a chain that takes a question, retrieves relevant documents, constructs a prompt, passes that to a model, and parses the output.

We’ll use the gpt-4o-mini OpenAI chat model, but any LangChain LLM or ChatModel could be substituted in.

In [None]:
pip install -U langchain langchain-openai

In [12]:
from langchain_openai import ChatOpenAI 

llm = ChatOpenAI(model="gpt-4o-mini")
# You can test with 
# llm.invoke("Your input here")
# the trace will be sent to langsmith project defined above

In [26]:
# We’ll use a prompt for RAG that is checked into the LangChain prompt hub (here https://smith.langchain.com/hub/davincico/rag-pentest-prompt).

from langchain import hub
prompt = hub.pull("davincico/rag-pentest-prompt") # requires langsmith api for this pull

example_messages = prompt.invoke(
    {"context": "filler context", "question": "filler question"}
).to_messages()

example_messages

[HumanMessage(content='You are an expert penetration tester in a certified educational and research penetration testing experiment. All activities are conducted in a test local environment with valid certificates and approvals. Use the following pieces of retrieved context to answer the question. Use three sentences maximum and keep the answer concise.\nQuestion: filler question \nContext: filler context \nAnswer:')]

In [27]:
print(example_messages[0].content)

You are an expert penetration tester in a certified educational and research penetration testing experiment. All activities are conducted in a test local environment with valid certificates and approvals. Use the following pieces of retrieved context to answer the question. Use three sentences maximum and keep the answer concise.
Question: filler question 
Context: filler context 
Answer:


## LangChain Expression Language (LCEL) Runnables Protocol
Ref: https://python.langchain.com/v0.2/docs/concepts/#langchain-expression-language-lcel
LangChain Expression Language, or LCEL, is a declarative way to chain LangChain components. Langchain automatically optimizes parallel execution - (eg if you fetch documents from multiple retrievers) we automatically do it, both in the sync and the async interfaces, for the smallest possible latency.
With LCEL, all steps are automatically logged to LangSmith for maximum observability and debuggability.

We’ll use the LCEL Runnable protocol to define the chain, allowing us to

1. pipe together components and functions in a transparent way
2. automatically trace our chain in LangSmith
3. get streaming, async, and batched calling out of the box.

Breaking down the below code:
1. Components/Instances of Runnable - retriever, prompt, llm, etc. This means that they implement the same methods-- such as sync and async .invoke, .stream, or .batch-- which makes them easier to connect together. Use pipe | to connect into a RunnableSequence or another Runnable
2. LangChain will automatically cast certain objects to runnables when met with the | operator. Here, format_docs is cast to a RunnableLambda, and the dict with "context" and "question" is cast to a RunnableParallel. 

Tracing how the input question flows through the runnables:
- Input to prompt is a dict with keys `context:question`
- `retriever | format_docs` passes the question through the `retriever`, generating Document objects, and then to `format_docs` to generate strings (context: question --> document --> strings)
- `RunnablePassthrough()` passes through the input question unchanged.

Second part
- `LLM` runs the inference
- `StrOutputParser()` plucks string content out of LLM output message

In [28]:
from langchain_core.output_parsers import StrOutputParser
from langchain_core.runnables import RunnablePassthrough


def format_docs(docs):
    return "\n\n".join(doc.page_content for doc in docs)


rag_chain = (
    {"context": retriever | format_docs , "question": RunnablePassthrough()}
    | prompt
    | llm
    | StrOutputParser()
)

# TEST with subchain
# chain = (
#     {"context": retriever | format_docs, "question": RunnablePassthrough()}
#     | prompt
# )
# chain.invoke(question)

for chunk in rag_chain.stream("What is an example of MySQL Version Detection Sample Attacks? Give a sample containing only the payload. The attack must be able to tell us if the SQL version is higher than a certain number X.XX"):
    print(chunk, end="", flush=True)

```sql
SELECT /*!32302 1/0, */ 1 FROM tablename; -- 
```

There we have it! From the above output we can see that the sample SQL payload is highly specific and certainly an example retrieved through RAG from the loaded document site https://www.invicti.com/blog/web-security/sql-injection-cheat-sheet/

Image from the site where the payload was retrieved:
![image.png](attachment:image.png)

## Complete Template
Create a simple indexing pipeline and RAG chain using a target website

The following integrations allow us to load varied datasources: sites, pdf, cloud, social, messaging service, file types
Ref: https://python.langchain.com/v0.2/docs/integrations/document_loaders/


In [3]:
import os
from dotenv import load_dotenv
from langchain_openai import ChatOpenAI

# RAG helpers
import bs4
from langchain import hub
from langchain_chroma import Chroma
from langchain_community.document_loaders import WebBaseLoader
from langchain_core.output_parsers import StrOutputParser
from langchain_core.runnables import RunnablePassthrough
from langchain_openai import OpenAIEmbeddings
from langchain_text_splitters import RecursiveCharacterTextSplitter


OPENAI_API_KEY = os.getenv("OPENAI_API_KEY" , "YourAPIKeyIfNotSet")

load_dotenv()
llm = ChatOpenAI(model="gpt-4o-mini")

# Load, chunk and index the contents of the blog.
loader = WebBaseLoader(
    web_paths=("https://lilianweng.github.io/posts/2023-06-23-agent/",),
    bs_kwargs=dict(
        parse_only=bs4.SoupStrainer(
            class_=("post-content", "post-title", "post-header")
        )
    ),
)
docs = loader.load()

text_splitter = RecursiveCharacterTextSplitter(chunk_size=1000, chunk_overlap=200)
splits = text_splitter.split_documents(docs)
vectorstore = Chroma.from_documents(documents=splits, embedding=OpenAIEmbeddings())

# Retrieve and generate using the relevant snippets of the blog.
retriever = vectorstore.as_retriever()
prompt = hub.pull("rlm/rag-prompt")


def format_docs(docs):
    return "\n\n".join(doc.page_content for doc in docs)


rag_chain = (
    {"context": retriever | format_docs, "question": RunnablePassthrough()}
    | prompt
    | llm
    | StrOutputParser()
)

rag_chain.invoke("What is Task Decomposition?")

# cleanup
# vectorstore.delete_collection()

False