Skip to content

quantakrypto/pqc-tools

quantakrypto-tools

CI License: Apache-2.0 npm @quantakrypto/qscan npm @quantakrypto/mcp npm @quantakrypto/sieve Node ≥20 TypeScript strict Runtime deps: 0 NIST FIPS 203/204/205

Open-source post-quantum readiness tooling by quantakrypto. Find quantum-vulnerable cryptography in any codebase, wire post-quantum readiness into your editor and your CI, and conformance-test post-quantum implementations — with zero runtime dependencies (Node built-ins only).

Design goals: simple, clean, reusable code; zero runtime dependencies; everything documented, tested, and example-driven.

What's inside

Tool What it does Get it
qScan (@quantakrypto/qscan) CLI that finds quantum-vulnerable crypto (RSA, (EC)DH, ECDSA, EdDSA, …) in any codebase and prints a readiness score. SARIF / JSON / CBOM output, baselines, incremental & parallel scans. npx @quantakrypto/qscan ./
MCP (@quantakrypto/mcp) Model Context Protocol server that gives AI coding agents post-quantum readiness tools (scan, inventory, explain, suggest-hybrid, CBOM). Local stdio + hostable HTTP. claude mcp add quantakrypto npx @quantakrypto/mcp
Sieve (@quantakrypto/sieve) Conformance battery for ML-KEM (FIPS 203), ML-DSA (FIPS 204), and SLH-DSA (FIPS 205) implementations, driven over a JSON stdin/stdout protocol. npx @quantakrypto/sieve --help
Action (@quantakrypto/action) GitHub Action that runs qScan in CI, uploads SARIF, annotates the diff, and fails the build only on new quantum-vulnerable crypto. uses: quantakrypto/pqc-tools/packages/action@v1

All three of qScan, MCP, and the Action share the engine in @quantakrypto/core (npm i @quantakrypto/core) — detectors, the vulnerable-dependency DB, the readiness score, and SARIF/JSON/CBOM reporting. Sieve is standalone: it tests other implementations and implements no crypto itself.

Quick start

# 1. Scan a codebase for quantum-vulnerable cryptography.
npx @quantakrypto/qscan ./

# 2. Give your AI coding agent post-quantum readiness tools.
claude mcp add quantakrypto npx @quantakrypto/mcp

# 3. Conformance-test a post-quantum implementation (adapter speaks the JSON protocol).
npx @quantakrypto/sieve --impl "node ./my-impl.js" --param ml-kem-768

Add the CI gate by dropping packages/action/examples/quantum-readiness.yml into .github/workflows/, or wire it up directly:

- uses: quantakrypto/pqc-tools/packages/action@v1
  with:
    path: "."
    severity-threshold: "high"

Each package README has the full options reference and more examples: qScan · MCP · Sieve · Action · core.

Workspace layout

quantakrypto-tools/
├── packages/
│   ├── core/     @quantakrypto/core    — shared engine (the contract lives in src/types.ts + src/index.ts)
│   ├── qscan/    @quantakrypto/qscan   — CLI
│   ├── mcp/      @quantakrypto/mcp     — MCP server (stdio now, HTTP scaffold for hosting)
│   ├── action/   @quantakrypto/action — GitHub Action
│   └── sieve/    @quantakrypto/sieve   — conformance battery + JSON protocol
├── docs/         architecture, hosted-MCP design, improvement roadmap
└── examples/     end-to-end examples

Development

Requires Node ≥ 20.

npm install        # links the workspaces
npm run build      # tsc --build (project references)
npm test           # node:test across all packages

The toolchain is intentionally tiny: TypeScript + tsx (to run node:test on .ts) are the only dev dependencies; there are no runtime dependencies.

Documentation, audits & compliance

Full documentation lives in docs/:

License

Apache-2.0. The methodology is open; the audits, certificates, and deliverables are where the quantakrypto practice lives.

Support & training

Questions, commercial support, or post-quantum readiness training for your team — visit quantakrypto.com or email hello@quantakrypto.com.