Documentation

Everything you need to integrate QCrypton

Architecture Overview

QCrypton is a modular, 35-module quantum-resilient security platform. Each module is independent with zero external crypto dependencies.

ModulePurposeKey File
Attack Cost EngineFTQC resource estimation for 32 algorithms + 2-level validationlib/quantum-cost.js
Threat Scanners13 runtime scanners (injection, phishing, card fraud, etc.)lib/scanners.js
Code ScannerCrypto scanning across 6 languages + SARIF + CBOMlib/code-scanner.js
RemediationAuto-fix weak crypto, config remediation, input sanitizationlib/remediate.js
Autonomous PRScan repos, generate patches, open PRs on GitHublib/pr-orchestrator.js
CNSA 2.0 ComplianceNSA CNSA Suite 2.0 compliance checking and migration roadmaplib/cnsa2.js
PQC BenchmarksPerformance benchmarking for NIST PQC algorithmslib/pqc-benchmark.js
HPKE EncryptionRFC 9180 HPKE with PSK mode for HNDL defenselib/hpke.js
QKD EngineBB84 protocol with enhanced eavesdrop detectionlib/qkd.js
HSM/KMS6 providers, 9 PQC algorithms, FIPS 140-3 Level 3lib/hsm.js
Noise Reachability12 noise types, 6 QEC codes, 720 evaluationslib/noise-reachability.js
Slack IntegrationBlock Kit alerts for threats, assignments, SLA breaches, PRssrc/services/slackService.js
Crypto Threat Intel25+ quantum milestones, threat timeline, dynamic risk multiplierslib/threat-intel.js
TLS Crypto MonitorLive TLS endpoint probing, cipher suite & cert quantum assessmentlib/tls-monitor.js
Supply Chain AuditDependency manifest scanning across 5 ecosystems, 75+ crypto packageslib/supply-chain.js
PQC Migration AgentMulti-turn AI workflow: inventory, dependency mapping, migration planning, PR generationlib/migration-agent.js
Migration Optimizer4 cost/risk strategies with side-by-side comparisonlib/migration-optimizer.js
NL ConsoleNatural language orchestrator with 12 intents, AI/local matchinglib/nl-orchestrator.js
Predictive ModelsQuantum timeline forecast, MTTR trend, risk trajectory projectionlib/predictive-models.js
Parallel SweepOrg-wide concurrent scanning with bounded concurrency (1–50 workers)lib/parallel-sweep.js
LLM ProviderMulti-provider AI abstraction (Claude, GPT, Gemini, Ollama/vLLM)lib/llm-provider.js

Getting Started

QCrypton can be used in three ways: as a CLI tool, as a library/SDK, or as a full REST API platform. No server or database is required for scanning, analysis, or encryption.

Quick Start (5 minutes)

# 1. Install
npm install -g qcrypton

# 2. Scan your project
qcrypton scan .

# 3. See quantum attack costs
qcrypton assess RSA-2048

# 4. Auto-fix weak crypto
qcrypton gate . --fail-on-weak --auto-fix

# 5. Check CNSA 2.0 compliance
qcrypton cnsa2 .

# 6. Start the full platform (optional — needs PostgreSQL)
export DATABASE_URL=postgres://user:pass@localhost/qcrypton
npm start
# Dashboard at http://localhost:3000

CLI Reference

Install QCrypton globally via npm:

npm install -g qcrypton

# Scan a project for weak cryptography
qcrypton scan .

# Assess quantum attack cost for an algorithm
qcrypton assess RSA-2048

# Run CI/CD gate with auto-fix
qcrypton gate . --fail-on-weak

# Generate SARIF output for GitHub Security
qcrypton sarif .

# Encrypt data with HPKE
qcrypton encrypt --mode hpke --input data.json

# Generate CBOM (CycloneDX)
qcrypton cbom .

# Show quantum threat timeline & milestones
qcrypton threat-intel

# Probe a TLS endpoint for quantum vulnerability
qcrypton tls-probe example.com --port 443

# Scan dependencies for quantum-vulnerable crypto
qcrypton supply-chain .

# Show migration agent usage info
qcrypton migration-agent

API Reference

QCrypton exposes 200+ REST API endpoints. Below are the key endpoint groups:

Threat Scanning

  • POST /scan/injection — Scan for prompt injection attacks (21 patterns)
  • POST /scan/tool-poisoning — Detect MCP tool poisoning
  • POST /scan/exfiltration — Check for data exfiltration attempts
  • POST /scan/brute-force — Detect brute force and credential stuffing
  • POST /scan/phishing — Identify phishing and brand impersonation
  • POST /scan/card-fraud — Detect card swap and payment fraud
  • POST /scan/quantum-threat — Quantum threat assessment
  • POST /scan/pqc-readiness — PQC migration readiness evaluation
  • POST /scan/noise-reachability — Quantum noise reachability analysis
  • POST /scan/sarif — Generate SARIF 2.1.0 report

Cryptography

  • POST /crypto/encrypt — AES-256-GCM symmetric encryption
  • POST /crypto/decrypt — AES-256-GCM symmetric decryption
  • POST /crypto/hpke/encrypt — HPKE public-key encryption
  • POST /crypto/hpke/decrypt — HPKE decryption
  • POST /crypto/hash — LSH-256 / SHA3-256 hashing
  • POST /crypto/qkd/session — BB84 QKD key exchange

Attack Cost Estimation

  • GET /quantum-cost/:algorithm — FTQC resource estimation for a specific algorithm
  • GET /quantum-cost/compare — Compare multiple algorithms
  • GET /quantum-cost/all — All 32 algorithms

Code Scanner

  • POST /scan/code — Scan source code for weak cryptography
  • POST /scan/secrets — Detect hardcoded secrets (26 patterns)
  • POST /scan/binary — Binary crypto constant detection
  • POST /scan/cbom — Generate CycloneDX CBOM

Remediation

  • POST /remediate/code — Auto-fix weak crypto in source code
  • POST /remediate/config — Fix insecure server configurations
  • POST /remediate/sanitize — Sanitize malicious input

Autonomous PR Generation

  • POST /remediation/pr/create — Trigger autonomous remediation PR (returns 202, runs async)
  • GET /remediation/pr — List remediation PRs (filter by platform, repo, status)
  • GET /remediation/pr/:id — Get PR details with patch summary
  • POST /remediation/pr/:id/sync — Sync PR status from GitHub
  • DELETE /remediation/pr/:id — Cancel and close PR on GitHub
# Create a remediation PR on GitHub
curl -X POST https://api.qcrypton.com/api/remediation/pr/create \
  -H "Authorization: Bearer YOUR_KEY" \
  -H "Content-Type: application/json" \
  -d '{"platform":"github","owner":"my-org","repo":"my-app","baseBranch":"main","minRisk":"medium"}'

CNSA 2.0 Compliance

  • GET /cnsa2/timeline — CNSA 2.0 migration timeline milestones
  • GET /cnsa2/algorithms — List approved and deprecated algorithms
  • GET /cnsa2/check/:algorithm — Check a single algorithm
  • POST /cnsa2/compliance — Run CNSA 2.0 compliance check on code or project

PQC Benchmarks

  • GET /pqc-benchmark/algorithms — List PQC algorithms with metadata
  • POST /pqc-benchmark/run — Run performance benchmarks (ML-KEM, ML-DSA, SLH-DSA vs classical)

Slack Integration

  • GET /slack/configs — List Slack webhook configurations
  • POST /slack/configs — Add Slack webhook (events: threat_critical, finding_assigned, sla_breach, pr_created)
  • PUT /slack/configs/:id — Update Slack config
  • DELETE /slack/configs/:id — Remove Slack config
  • POST /slack/test — Send test message to verify connection

Finding Assignment

  • GET /risk/findings — List findings (filter: status, severity, assignee=me, unassigned=true)
  • PUT /risk/findings/:id/assign — Assign finding to user (validates user, sends email + Slack notification)
  • POST /risk/findings/bulk-assign — Bulk assign up to 100 findings

Enterprise

  • POST /auth/login — Authentication (email/password, SSO)
  • GET /compliance/soc2 — SOC 2 compliance report
  • GET /compliance/iso27001 — ISO 27001 compliance report
  • POST /vault/store — Store secret in encrypted vault
  • POST /vault/shamir/split — Shamir secret splitting
  • POST /vault/shamir/reconstruct — Shamir secret reconstruction
  • POST /siem/forward — Forward events to SIEM

Crypto Threat Intelligence

  • GET /api/threat-intel/milestones — Returns quantum computing milestones. Query: ?category=hardware|error_correction|algorithm|policy|photonic
  • GET /api/threat-intel/timeline — Returns threat timeline with break-year estimates per algorithm family
  • GET /api/threat-intel/timeline/:algorithm — Returns specific algorithm assessment with urgency and threat multiplier
  • POST /api/threat-intel/refresh — Triggers manual intelligence refresh from configured feed (admin only)
  • GET /api/threat-intel/alerts — Returns recent threat timeline shift alerts

Runtime TLS Monitoring

  • POST /api/tls/probe — Probe single TLS endpoint. Body: { host: string, port?: number }. Returns cipher, protocol, certificate chain, quantum vulnerability assessment.
  • POST /api/tls/scan — Batch scan up to 50 endpoints. Body: { endpoints: [{host, port}] }. Returns aggregated findings and PQC readiness.
  • GET /api/tls/history — Query stored TLS scan results. Query: ?host=&limit=50&offset=0

Supply Chain Crypto Audit

  • POST /api/scan/supply-chain — Scan project dependency manifests. Body: { path: string }. Parses package.json, requirements.txt, go.mod, Cargo.toml, pom.xml. Returns quantum-vulnerable dependencies.
  • POST /api/scan/supply-chain/manifest — Audit single manifest. Body: { manifest: string, filename: string }. Returns parsed dependencies with crypto exposure.
  • GET /api/scan/supply-chain/packages — Returns the crypto package database (75+ packages across 5 ecosystems)

Autonomous PQC Migration Agent

  • POST /api/migration/agent/start — Launch autonomous migration agent. Body: { platform: "github", owner, repo, baseBranch?, provider?, model?, maxFiles? }. Returns 202 (fire-and-forget).
  • GET /api/migration/agent — List migration agents for tenant. Query: ?status=&limit=50&offset=0
  • GET /api/migration/agent/:id — Get full agent state with inventory, plan, and PR history
  • GET /api/migration/agent/:id/plan — Get just the migration plan and dependency map
  • POST /api/migration/agent/:id/cancel — Cancel a running migration agent

Natural Language Console

  • POST /api/nl/query — Parse natural language query with AI. Body: { query: string, provider?: string, model?: string, mode?: "local"|"ai" }. Returns matched intent, action, params.
  • POST /api/nl/match — Quick keyword-based intent matching (no AI). Body: { query: string }
  • GET /api/nl/intents — List all available intent definitions and their mapped API endpoints

Predictive Models

  • GET /api/predictive/timeline-forecast — Forecast when quantum hardware reaches target qubit count. Query: ?targetQubits=20000000
  • GET /api/predictive/mttr-forecast — Forecast MTTR trend with severity breakdown. Query: ?forecastDays=30
  • GET /api/predictive/risk-trajectory — Project risk score trajectory and estimate compliance date. Query: ?targetScore=80
  • GET /api/predictive/overview — Combined forecast overview for RSA-2048 and ECDSA timeline projections

Parallel Sweep Engine

  • POST /api/sweep/start — Launch org-wide parallel sweep. Body: { type: "code"|"tls"|"supply-chain"|"full", targets: [...], concurrency?: number }. Returns 202 (fire-and-forget).
  • GET /api/sweep/:id — Get sweep job status and summary
  • GET /api/sweep/:id/results — Get paginated sweep results. Query: ?offset=0&limit=50
  • GET /api/sweeps — List sweep jobs for tenant. Query: ?limit=50

Migration Optimizer

  • GET /api/migration/strategies — List available optimization strategies (risk-first, effort-first, dependency-first, balanced)
  • POST /api/migration/optimize — Evaluate all strategies against findings. Body: { findings: [...], strategies?: [...], maxSteps?: number }. Returns ranked plans with metrics.
  • POST /api/migration/compare — Compare two strategies side by side. Body: { findings: [...], strategyA: string, strategyB: string }

SDKs

QCrypton provides native SDKs for 6 languages:

Python

pip install qcrypton

from qcrypton import QCryptonClient
client = QCryptonClient('http://localhost:3000', api_key='your-key')

# Scan for injection
result = client.scan_injection(user_input)

# Assess quantum attack cost
cost = client.assess('RSA-2048')

Go

go get github.com/qcrypton/qcrypton-go

client := qcrypton.NewClient("http://localhost:3000", "your-key")
result, err := client.ScanInjection(input)

Java

// Maven: com.qcrypton:qcrypton-java
QCryptonClient client = new QCryptonClient("http://localhost:3000", "your-key");
ScanResult result = client.scanInjection(input);

Ruby

gem install qcrypton

client = QCrypton::Client.new('http://localhost:3000', api_key: 'your-key')
result = client.scan_injection(input)

Rust

// Cargo.toml: qcrypton = "1.0"
let client = QCryptonClient::new("http://localhost:3000", "your-key");
let result = client.scan_injection(&input).await?;

Node.js

const { DefenderClient } = require('qcrypton');
const client = new DefenderClient('http://localhost:3000');

// Or use in-process with zero HTTP overhead
const { scanners, remediate } = require('qcrypton');
const result = scanners.injection.scan(input);

Authentication

All API requests require authentication via API key or Bearer token:

curl -H "Authorization: Bearer YOUR_API_KEY" \
     -H "Content-Type: application/json" \
     -d '{"input": "test"}' \
     https://api.qcrypton.com/scan/injection

Rate Limits

API rate limits vary by plan:

  • Starter: 1,000 requests/hour
  • Large: 10,000 requests/hour
  • Enterprise: Custom limits

CI/CD Integration

QCrypton provides ready-made templates for GitHub Actions and Jenkins.

GitHub Actions

# .github/workflows/qcrypton.yml
name: QCrypton Security Scan
on: [pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm install -g qcrypton
      - run: qcrypton gate . --fail-on-weak --sarif results.sarif
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif

Jenkins

// Jenkinsfile
pipeline {
  agent any
  stages {
    stage('Security Scan') {
      steps {
        sh 'npm install -g qcrypton'
        sh 'qcrypton gate . --fail-on-weak'
      }
    }
  }
}

Need Help?

If you need assistance with integration, reach out to support@qcryptonapp.com or file an issue on GitHub.