Open-source post-quantum readiness tooling by quantakrypto. Find quantum-vulnerable cryptography in any codebase, wire post-quantum readiness into your editor and your CI, and conformance-test post-quantum implementations — with zero runtime dependencies (Node built-ins only).
Design goals: simple, clean, reusable code; zero runtime dependencies; everything documented, tested, and example-driven.
| Tool | What it does | Get it |
|---|---|---|
qScan (@quantakrypto/qscan) |
CLI that finds quantum-vulnerable crypto (RSA, (EC)DH, ECDSA, EdDSA, …) in any codebase and prints a readiness score. SARIF / JSON / CBOM output, baselines, incremental & parallel scans. | npx @quantakrypto/qscan ./ |
MCP (@quantakrypto/mcp) |
Model Context Protocol server that gives AI coding agents post-quantum readiness tools (scan, inventory, explain, suggest-hybrid, CBOM). Local stdio + hostable HTTP. | claude mcp add quantakrypto npx @quantakrypto/mcp |
Sieve (@quantakrypto/sieve) |
Conformance battery for ML-KEM (FIPS 203), ML-DSA (FIPS 204), and SLH-DSA (FIPS 205) implementations, driven over a JSON stdin/stdout protocol. | npx @quantakrypto/sieve --help |
Action (@quantakrypto/action) |
GitHub Action that runs qScan in CI, uploads SARIF, annotates the diff, and fails the build only on new quantum-vulnerable crypto. | uses: quantakrypto/pqc-tools/packages/action@v1 |
All three of qScan, MCP, and the Action share the engine in
@quantakrypto/core (npm i @quantakrypto/core) — detectors,
the vulnerable-dependency DB, the readiness score, and SARIF/JSON/CBOM reporting.
Sieve is standalone: it tests other implementations and implements no crypto itself.
# 1. Scan a codebase for quantum-vulnerable cryptography.
npx @quantakrypto/qscan ./
# 2. Give your AI coding agent post-quantum readiness tools.
claude mcp add quantakrypto npx @quantakrypto/mcp
# 3. Conformance-test a post-quantum implementation (adapter speaks the JSON protocol).
npx @quantakrypto/sieve --impl "node ./my-impl.js" --param ml-kem-768Add the CI gate by dropping
packages/action/examples/quantum-readiness.yml
into .github/workflows/, or wire it up directly:
- uses: quantakrypto/pqc-tools/packages/action@v1
with:
path: "."
severity-threshold: "high"Each package README has the full options reference and more examples: qScan · MCP · Sieve · Action · core.
quantakrypto-tools/
├── packages/
│ ├── core/ @quantakrypto/core — shared engine (the contract lives in src/types.ts + src/index.ts)
│ ├── qscan/ @quantakrypto/qscan — CLI
│ ├── mcp/ @quantakrypto/mcp — MCP server (stdio now, HTTP scaffold for hosting)
│ ├── action/ @quantakrypto/action — GitHub Action
│ └── sieve/ @quantakrypto/sieve — conformance battery + JSON protocol
├── docs/ architecture, hosted-MCP design, improvement roadmap
└── examples/ end-to-end examples
Requires Node ≥ 20.
npm install # links the workspaces
npm run build # tsc --build (project references)
npm test # node:test across all packagesThe toolchain is intentionally tiny: TypeScript + tsx (to run node:test on
.ts) are the only dev dependencies; there are no runtime dependencies.
Full documentation lives in docs/:
- Roadmap & gap analysis — the prioritised plan (P0/P1/P2) and "what's missing", distilled from the audits. Start here to pick up work.
- Audits (independent expert passes): security · cryptography · architecture · performance · testing/devex · overview.
- Standards & compliance — what the tools touch and could align to: NIST FIPS 203/204/205, SP 800-208, CNSA 2.0, SARIF, CWE, ISO/IEC 27001 (A.8.24), Common Criteria, FIPS 140-3, EU DORA/NIS2, US M-23-02 / NSM-10, and OSS assurance (SLSA, OpenSSF Scorecard, SPDX/REUSE).
- Governance: Contributing · Security · Code of Conduct · Changelog.
Apache-2.0. The methodology is open; the audits, certificates, and deliverables are where the quantakrypto practice lives.
Questions, commercial support, or post-quantum readiness training for your team — visit quantakrypto.com or email hello@quantakrypto.com.