Open-source, by design.
Free tooling for frontend, backend, and infrastructure post-quantum readiness — a scanner, an MCP server for AI agents, a conformance battery, and a CI gate. Built from what we find in audits.
Four tools, one philosophy
What we learn in audits becomes a test, a check, or a capability anyone can run.
qScan
Beta · CLI scanner · JavaScript & TypeScript
Find quantum-vulnerable cryptography in any codebase.
A static scanner that walks your source and dependency tree for classical asymmetric crypto — RSA, ECDH, ECDSA, DH, and more — plus legacy TLS configuration, then scores where harvest-now-decrypt-later exposure is highest.
- Crypto inventory + 0–100 readiness score
- Harvest-now-decrypt-later exposure ranking
- Vulnerable-dependency database + TLS/cert checks
- SARIF, JSON & CycloneDX CBOM output
Quick start
$ npx @quantakrypto/qscan ./
quantakrypto MCP
Preview · MCP server · TypeScript
PQC-readiness, native to your AI coding agent.
A Model Context Protocol server that gives AI coding agents first-class post-quantum capabilities: inventory the cryptography in a repository, explain exposure, and propose hybrid migrations — directly inside the editor. Local stdio today, with a hostable HTTP transport.
- Crypto-inventory & explain tools for agents
- Hybrid migration suggestions (X25519MLKEM768)
- Local stdio now, hostable HTTP transport
- Zero-dependency JSON-RPC, MCP-spec compliant
Quick start
$ claude mcp add quantakrypto npx @quantakrypto/mcp
Sieve
Beta · Conformance battery · TypeScript
Conformance-test an ML-KEM / ML-DSA / SLH-DSA implementation against the bugs that matter.
A conformance harness that drives any implementation over a simple stdin/stdout JSON protocol and exercises it against curated categories — each targeting a bug class we have seen in real audits or the public literature. It ships no test vectors and never fabricates expected values.
- ML-KEM, ML-DSA & SLH-DSA (FIPS 203/204/205)
- Implicit-rejection & modulus-range checks
- Categories tagged to real audit findings
- Ships no KAT vectors — never fabricates values
Quick start
$ npx @quantakrypto/sieve --impl "./your-impl" --param ml-kem-768
quantakrypto Action
Beta · CI integration · GitHub Actions
Fail the build when new quantum-vulnerable crypto lands.
Run qScan on every pull request and turn post-quantum readiness into a standing quality gate. New classical asymmetric cryptography becomes a reviewable signal instead of a silent regression.
- Drop-in GitHub Action
- Inline PR annotations on new findings
- Configurable severity thresholds
- Baselines so existing debt does not block
Quick start
$ uses: dandelionlabs-io/qproof-tools/packages/action@v1
One zero-dependency repo · Apache-2.0 · npm @quantakrypto/*
Why we give the tools away
Open tooling drives adoption and invites scrutiny — the same way the strongest open security frameworks work. The framework is open; the audit, the certificate, and the deliverables are where the practice lives. If you find a bug we missed, it becomes a new test, and the toolkit grows sharper over time.
Run the tools. Then talk to us.
Start with a scan, then book a discovery call when you want a senior pair of eyes.