Open-source, by design.

Find quantum-vulnerable cryptography in any codebase.

A static scanner that walks your source and dependency tree for classical asymmetric crypto — RSA, ECDH, ECDSA — and legacy TLS configuration, then flags where harvest-now-decrypt-later exposure is highest.

• Inventory of asymmetric primitives across the tree
• Harvest-now-decrypt-later exposure ranking
• TLS & certificate configuration checks
• SARIF & JSON output for any pipeline

$ npx @qproof/qscan ./

PQC-readiness, native to your AI coding agent.

A Model Context Protocol server that gives AI coding agents first-class post-quantum capabilities: inventory the cryptography in a repository, explain exposure, and propose hybrid migrations — directly inside the editor.

• Crypto-inventory tools for agents
• Hybrid migration suggestions (X25519MLKEM768 & more)
• Works with any MCP-compatible client
• Grounded in the qproof methodology

$ claude mcp add qproof npx @qproof/mcp

Test an ML-KEM / ML-DSA implementation against the bugs that matter.

A conformance harness that exercises an implementation against curated test categories — each targeting a bug class we have seen in real audits or the public literature. Wire it up over a simple stdin/stdout JSON protocol.

• ML-KEM & ML-DSA test batteries
• Categories tagged to real audit findings
• Malformed, out-of-bounds & edge-case inputs
• Reproducible in CI as a quality gate

$ cargo install sieve-pqc

Fail the build when new quantum-vulnerable crypto lands.

Run qScan on every pull request and turn post-quantum readiness into a standing quality gate. New classical asymmetric cryptography becomes a reviewable signal instead of a silent regression.

• Drop-in GitHub Action
• PR annotations on new findings
• Configurable severity thresholds
• Baselines so existing debt does not block

$ uses: qproof/action@v1