qnsqy 7.2.19

package/LICENSE

@@ -0,0 +1,11 @@
+QNSQY is proprietary software. (c) 2026 Quantum Sequrity.
+
+The binary downloaded by this npm package is licensed under the QNSQY
+end-user license agreement, available at https://quantumsequrity.com/terms.
+
+This npm wrapper package (the JavaScript scaffolding, postinstall script,
+README, and LICENSE) is licensed for use solely to facilitate installation
+of the QNSQY binary. Redistribution of the wrapper without the binary, or
+modification of the wrapper to fetch a different binary, is not permitted.
+
+Source-available for security audit on request: security@quantumsequrity.com.

package/README.md

@@ -0,0 +1,195 @@
+# QNSQY
+
+Post-quantum cryptography tool, NIST FIPS 203 / 204 / 205.
+
+QNSQY ships ML-KEM (FIPS 203), ML-DSA (FIPS 204), and SLH-DSA (FIPS 205)
+hybridized with X25519, Ed25519, and AES-256-GCM. The single binary
+covers encrypt, decrypt, sign, verify, hash, keygen, threshold, and
+escrow operations. File content, passwords, and private keys never leave
+the machine. Network access is restricted to billing metadata only,
+enforced by seccomp-bpf on Linux. 84 MCP tools are exposed for AI agents
+over JSON-RPC 2.0 stdio.
+
+## Install
+
+Install globally:
+
+```
+npm install -g qnsqy
+```
+
+Run once without installing:
+
+```
+npx qnsqy --help
+```
+
+On install, this package downloads the QNSQY 7.2.19 binary for your
+platform from `cdn.quantumsequrity.com`, verifies its SHA-256 hash
+against the value pinned in `lib/manifest.json`, and places it under
+`node_modules/.bin/qnsqy`. No binary is bundled in the npm tarball.
+
+## Quick start
+
+```
+# Encrypt a file. The default algorithm is ML-KEM-512 + X25519 hybrid.
+# The output is secret.pdf.qs.
+qnsqy encrypt -i secret.pdf
+
+# Decrypt.
+qnsqy decrypt -i secret.pdf.qs
+
+# Generate a hybrid signing keypair (ML-DSA-44 + Ed25519).
+qnsqy keygen-sign -o mykey -n "My Signing Key"
+
+# Sign a file.
+qnsqy sign -i report.txt -k mykey
+
+# Verify a signature.
+qnsqy verify -i report.txt -k mykey.pub
+
+# BLAKE3 hash a file.
+qnsqy hash -i secret.pdf
+
+# Show version and tier.
+qnsqy version
+```
+
+For the full command list, run `qnsqy --help` or see
+https://quantumsequrity.com/docs.html.
+
+## Platforms
+
+| Platform        | Status                                                                           |
+|-----------------|----------------------------------------------------------------------------------|
+| Linux x86_64    | Supported. Requires glibc 2.35+ (Ubuntu 22.04+, Debian 12+, Fedora 40+, AlmaLinux 10). |
+| Windows x86_64  | Supported. Windows 10 1809+ and Windows 11.                                      |
+| macOS           | Not shipping yet. Target Q3 2026. npm install exits 1 on darwin with a friendly message. |
+| ARM (any OS)    | Not shipping yet. npm install exits 1 with a friendly message.                   |
+
+If `npm install` refuses to install on your platform with an
+`EBADPLATFORM` error, that is the npm `os` / `cpu` field acting as a
+guard rail. It is not a bug in your toolchain.
+
+## How this package works
+
+The npm package is a thin wrapper. The actual QNSQY binary is not
+bundled.
+
+1. `npm install -g qnsqy` triggers `postinstall.js`.
+2. `postinstall.js` selects the right artifact for your platform from
+   `lib/manifest.json`.
+3. The artifact is downloaded from `cdn.quantumsequrity.com` over HTTPS,
+   using Node 18+ built-in `fetch`. `HTTPS_PROXY` and `HTTP_PROXY` env
+   vars are honoured via the standard agent.
+4. The download is verified against the SHA-256 hash pinned in the
+   manifest. On mismatch, install fails and both hashes are printed.
+5. On Linux the DEB is unpacked in-process (the wrapper parses the `ar`
+   archive itself, no `dpkg` required) and `usr/bin/qnsqy` is extracted
+   with the system `tar`.
+6. On Windows the standalone .exe is dropped directly into the package's
+   `bin/` directory.
+7. The binary is installed atomically (write to `.tmp`, fsync, rename)
+   and chmod 755 on POSIX.
+8. `node_modules/.bin/qnsqy` is a Node shim (`bin/qnsqy.js`) that execs
+   the platform binary with your arguments and propagates exit codes and
+   signals.
+
+The wrapper has zero npm dependencies. It uses Node 18+ stdlib only
+(`fs`, `path`, `os`, `crypto`, `child_process`, built-in `fetch`).
+
+## Air-gapped install
+
+If your machine cannot reach `cdn.quantumsequrity.com`, pre-stage the
+QNSQY binary on disk and point the postinstall at it with the
+`QNSQY_BINARY_PATH` env var:
+
+```
+# 1. On a machine with network access, download the binary for the
+#    target platform from https://quantumsequrity.com/download.
+#    Verify its SHA-256 manually.
+# 2. Copy the binary to the air-gapped machine (USB, internal mirror, etc.).
+# 3. Install with scripts disabled so the wrapper does not try to fetch:
+
+QNSQY_BINARY_PATH=/path/to/qnsqy \
+  npm install -g --ignore-scripts qnsqy
+
+# 4. Re-run the postinstall by hand so QNSQY_BINARY_PATH is honoured:
+
+QNSQY_BINARY_PATH=/path/to/qnsqy \
+  node $(npm root -g)/qnsqy/postinstall.js
+```
+
+The escape hatch copies the binary verbatim. No SHA-256 check is
+performed in that path: you are responsible for verifying the binary
+out-of-band before staging it.
+
+## Verification
+
+You can verify the downloaded binary manually against the official
+checksums on the download page.
+
+```
+# Linux DEB
+sha256sum qnsqy_7.2.19-1_amd64.deb
+# Expected:
+# 983bfed387a969ecf9983f65fa27ee3025ed6edb5c32a38b91acd78a04d561a9
+
+# Windows standalone
+certutil -hashfile qnsqy-7.2.19-x86_64.exe SHA256
+# Expected:
+# a6aaabdca0864dd843b8f238471a7c5d15517b05ffd6b322eac6ca37a570c090
+```
+
+The canonical hash list is published at
+https://quantumsequrity.com/download under "SHA-256 Checksums".
+
+QNSQY releases are also signed with ML-DSA-87 (NIST FIPS 204) and logged
+to the Sigstore Rekor transparency log. See the download page for the
+post-quantum signature verification flow.
+
+## Tier model
+
+QNSQY has four tiers: Free, Pro, Business, Enterprise. Tier is determined
+at runtime by the billing API on first run, not at install time.
+Installing via npm does not grant Pro, Business, or Enterprise access.
+
+- Free covers ML-KEM-512 + ML-DSA-44 with no file size limit and works
+  without an account. Advanced algorithms have a 100 MB per-file limit.
+- Pro unlocks ML-KEM-768/1024, ML-DSA-65/87, SLH-DSA, 25 GB file limit,
+  batch operations, the encrypted password vault, audit logging, and
+  password rekey.
+- Business adds HQC, FN-DSA, LMS, pure KEM mode, M-of-N threshold
+  encryption, Shamir secret sharing, time-lock, steganography,
+  deniable encryption, polyglot files, PQ migration scanning, encryption
+  policy management, recipient groups, and key escrow.
+- Enterprise adds air-gap license bundles, HSM integration, SLA, and a
+  dedicated engineering channel.
+
+See https://quantumsequrity.com/pricing.html for current pricing.
+
+## Disclaimers
+
+QNSQY uses NIST-standardized algorithms (FIPS 203 ML-KEM, FIPS 204
+ML-DSA, FIPS 205 SLH-DSA, FIPS 206 draft FN-DSA, SP 800-208 LMS, RFC 9106
+Argon2id). The product itself holds no CMVP certificate (so is not a
+FIPS 140 module), no SOC 2 attestation, no U.S. federal cloud ATO under
+the standard government program, and no external HIPAA audit on file.
+The vendor does not sign HIPAA Business Associate Agreements.
+
+The distinction matters: "uses NIST algorithms" is a property of the
+cryptographic primitives; "FIPS 140 validated" is a property of a
+CMVP-tested cryptographic module. QNSQY is the former, not the latter.
+
+Compliance documentation packages (control mapping, algorithm usage,
+data flow) are available on request for Business tier customers as a
+starting point for your internal or third-party audit.
+
+## Links
+
+- Homepage: https://quantumsequrity.com
+- Documentation: https://quantumsequrity.com/docs.html
+- Pricing: https://quantumsequrity.com/pricing.html
+- Download page: https://quantumsequrity.com/download
+- Contact: https://quantumsequrity.com/contact
+- Security disclosure: security@quantumsequrity.com

package/bin/qnsqy.js

@@ -0,0 +1,72 @@
+#!/usr/bin/env node
+'use strict';
+
+// QNSQY shim. Resolves the platform binary placed by postinstall.js and
+// execs it with the user's argv. Exit code and signals propagate.
+
+const fs = require('node:fs');
+const path = require('node:path');
+const { spawn } = require('node:child_process');
+
+const isWin = process.platform === 'win32';
+const binPath = path.join(__dirname, 'qnsqy-bin' + (isWin ? '.exe' : ''));
+
+if (!fs.existsSync(binPath)) {
+  const postinstall = path.join(__dirname, '..', 'postinstall.js');
+  process.stderr.write(
+    'qnsqy: binary not found at ' + binPath + '\n' +
+    'qnsqy: this usually means `npm install` ran with --ignore-scripts, ' +
+    'or the postinstall step failed.\n' +
+    'qnsqy: fetch the binary by running:\n' +
+    '  node ' + postinstall + '\n' +
+    'qnsqy: or, for air-gapped machines, set QNSQY_BINARY_PATH to a pre-staged ' +
+    'binary and re-run the postinstall:\n' +
+    '  QNSQY_BINARY_PATH=/path/to/qnsqy node ' + postinstall + '\n'
+  );
+  process.exit(1);
+}
+
+const child = spawn(binPath, process.argv.slice(2), { stdio: 'inherit' });
+
+function forwardSignal(sig) {
+  if (child && child.pid && !child.killed) {
+    try {
+      child.kill(sig);
+    } catch (_) {
+      // child may have already exited
+    }
+  }
+}
+
+function detachSignalListeners() {
+  try { process.removeAllListeners('SIGINT'); } catch (_) {}
+  try { process.removeAllListeners('SIGTERM'); } catch (_) {}
+  try { process.removeAllListeners('SIGHUP'); } catch (_) {}
+}
+
+process.on('SIGINT', function onSigint() { forwardSignal('SIGINT'); });
+process.on('SIGTERM', function onSigterm() { forwardSignal('SIGTERM'); });
+process.on('SIGHUP', function onSighup() { forwardSignal('SIGHUP'); });
+
+child.on('error', function (err) {
+  detachSignalListeners();
+  process.stderr.write(
+    'qnsqy: failed to spawn ' + binPath + ': ' +
+    (err && err.message ? err.message : String(err)) + '\n'
+  );
+  process.exit(1);
+});
+
+child.on('exit', function (code, signal) {
+  detachSignalListeners();
+  if (signal) {
+    try {
+      process.kill(process.pid, signal);
+    } catch (_) {
+      // Some signals are not supported on Windows; fall through.
+    }
+    process.exit(1);
+    return;
+  }
+  process.exit(typeof code === 'number' ? code : 1);
+});

package/lib/manifest.json

@@ -0,0 +1,23 @@
+{
+  "qnsqy_version": "7.2.19",
+  "generated_at": "2026-05-25T16:09Z",
+  "source": "freshly built from qs-ultra/ source tree 2026-05-25; matches website-YC/download.md SHA-256 Checksums (v7.2.19)",
+  "platforms": {
+    "linux-x64": {
+      "url": "https://cdn.quantumsequrity.com/linux/qnsqy_7.2.19-1_amd64.deb",
+      "filename": "qnsqy_7.2.19-1_amd64.deb",
+      "format": "deb",
+      "extract": "deb",
+      "sha256": "983bfed387a969ecf9983f65fa27ee3025ed6edb5c32a38b91acd78a04d561a9",
+      "binary_path_in_archive": "usr/bin/qnsqy"
+    },
+    "win32-x64": {
+      "url": "https://cdn.quantumsequrity.com/windows/qnsqy-7.2.19-x86_64.exe",
+      "filename": "qnsqy-7.2.19-x86_64.exe",
+      "format": "exe",
+      "extract": "passthrough",
+      "sha256": "a6aaabdca0864dd843b8f238471a7c5d15517b05ffd6b322eac6ca37a570c090",
+      "binary_path_in_archive": "qnsqy-7.2.19-x86_64.exe"
+    }
+  }
+}

package/package.json

@@ -0,0 +1,58 @@
+{
+  "name": "qnsqy",
+  "version": "7.2.19",
+  "description": "Post-quantum cryptography tool. NIST FIPS 203 / 204 / 205 algorithms hybridized with classical X25519, Ed25519, AES-256-GCM. Local-only execution. 84 MCP tools for AI agents.",
+  "keywords": [
+    "post-quantum",
+    "cryptography",
+    "encryption",
+    "ml-kem",
+    "ml-dsa",
+    "slh-dsa",
+    "fips-203",
+    "fips-204",
+    "fips-205",
+    "hybrid",
+    "pqc",
+    "quantum-safe",
+    "quantum-resistant",
+    "harvest-now-decrypt-later",
+    "hndl",
+    "mcp",
+    "model-context-protocol"
+  ],
+  "homepage": "https://quantumsequrity.com",
+  "bugs": "https://quantumsequrity.com/contact",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/quantumsequrity/qnsqy.git"
+  },
+  "license": "SEE LICENSE IN LICENSE",
+  "author": "Quantum Sequrity",
+  "bin": {
+    "qnsqy": "bin/qnsqy.js"
+  },
+  "scripts": {
+    "postinstall": "node postinstall.js",
+    "uninstall": "node uninstall.js",
+    "preuninstall": "node uninstall.js"
+  },
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "os": [
+    "linux",
+    "win32"
+  ],
+  "cpu": [
+    "x64"
+  ],
+  "files": [
+    "bin/",
+    "lib/",
+    "postinstall.js",
+    "uninstall.js",
+    "README.md",
+    "LICENSE"
+  ]
+}

package/postinstall.js

@@ -0,0 +1,443 @@
+#!/usr/bin/env node
+'use strict';
+
+// QNSQY npm wrapper postinstall.
+// Responsibilities:
+//   1. Detect platform.
+//   2. Honour QNSQY_BINARY_PATH escape hatch (rejects symlinks).
+//   3. Download the matching binary archive from cdn.quantumsequrity.com
+//      with a 2-minute timeout and post-redirect host pinning.
+//   4. Verify SHA-256 (constant-time) against the value pinned in
+//      lib/manifest.json.
+//   5. Extract (DEB on Linux via in-process ar parser + system tar,
+//      passthrough on Windows).
+//   6. Atomic install into bin/qnsqy-bin (or qnsqy-bin.exe on Windows).
+//
+// Zero npm dependencies. Node 18+ stdlib only.
+
+const fs = require('node:fs');
+const path = require('node:path');
+const os = require('node:os');
+const crypto = require('node:crypto');
+const { spawnSync } = require('node:child_process');
+
+const PKG_VERSION = '7.2.19';
+const PKG_DIR = __dirname;
+const BIN_DIR = path.join(PKG_DIR, 'bin');
+const MANIFEST_PATH = path.join(PKG_DIR, 'lib', 'manifest.json');
+const CDN_HOSTNAME = 'cdn.quantumsequrity.com';
+const DOWNLOAD_TIMEOUT_MS = 600000;
+const MAX_DOWNLOAD_BYTES = 200 * 1024 * 1024;
+
+function info(msg) {
+  process.stdout.write('qnsqy postinstall: ' + msg + '\n');
+}
+
+function die(msg, code) {
+  process.stderr.write('qnsqy postinstall error: ' + msg + '\n');
+  process.exit(typeof code === 'number' ? code : 1);
+}
+
+function platformKey() {
+  const plat = process.platform;
+  const arch = process.arch;
+  if (plat === 'linux' && arch === 'x64') return 'linux-x64';
+  if (plat === 'win32' && arch === 'x64') return 'win32-x64';
+  return null;
+}
+
+function ensureBinDir() {
+  fs.mkdirSync(BIN_DIR, { recursive: true });
+}
+
+function binTargetPath() {
+  const ext = process.platform === 'win32' ? '.exe' : '';
+  return path.join(BIN_DIR, 'qnsqy-bin' + ext);
+}
+
+// atomicWrite: write to a PID-suffixed tmp file (collision-safe under
+// concurrent installs), fsync, chmod 0755 BEFORE rename so the published
+// file is atomically executable, then rename.
+function atomicWrite(targetPath, buffer) {
+  const tmp = targetPath + '.' + process.pid + '.tmp';
+  fs.writeFileSync(tmp, buffer);
+  const fd = fs.openSync(tmp, 'r+');
+  try {
+    fs.fsyncSync(fd);
+  } finally {
+    fs.closeSync(fd);
+  }
+  if (process.platform !== 'win32') {
+    try {
+      fs.chmodSync(tmp, 0o755);
+    } catch (err) {
+      try { fs.unlinkSync(tmp); } catch (_) {}
+      die(
+        'failed to chmod 755 on ' + tmp + ': ' +
+          (err && err.message ? err.message : String(err)) +
+          '. Check ownership of node_modules.'
+      );
+    }
+  }
+  fs.renameSync(tmp, targetPath);
+}
+
+function copyEscapeHatch(envPath) {
+  if (!envPath) return false;
+  let stat;
+  try {
+    stat = fs.lstatSync(envPath);
+  } catch (err) {
+    die(
+      'QNSQY_BINARY_PATH was set to "' + envPath + '" but lstat failed: ' +
+        (err && err.message ? err.message : String(err))
+    );
+  }
+  if (stat.isSymbolicLink()) {
+    die(
+      'QNSQY_BINARY_PATH must not be a symlink. Symlinks are rejected to ' +
+        'prevent a hostile env var from pointing at sensitive files. ' +
+        'Resolve the symlink to a real path and retry.'
+    );
+  }
+  if (!stat.isFile()) {
+    die('QNSQY_BINARY_PATH must be a regular file (got ' + (stat.isDirectory() ? 'directory' : 'special') + ').');
+  }
+  ensureBinDir();
+  const target = binTargetPath();
+  // Open with O_NOFOLLOW on POSIX as defense-in-depth against a symlink
+  // race between lstat and open.
+  let fd;
+  try {
+    if (process.platform !== 'win32') {
+      fd = fs.openSync(envPath, fs.constants.O_RDONLY | fs.constants.O_NOFOLLOW);
+    } else {
+      fd = fs.openSync(envPath, 'r');
+    }
+    const data = fs.readFileSync(fd);
+    atomicWrite(target, data);
+  } finally {
+    if (fd !== undefined) {
+      try { fs.closeSync(fd); } catch (_) {}
+    }
+  }
+  process.stderr.write(
+    'qnsqy postinstall WARN: SHA-256 verification SKIPPED because ' +
+      'QNSQY_BINARY_PATH was used. You are responsible for verifying the ' +
+      'binary out-of-band (sha256sum against https://quantumsequrity.com/download).\n'
+  );
+  info(
+    'qnsqy ' + PKG_VERSION + ' installed at ' + target +
+      ' (source: QNSQY_BINARY_PATH, hash check skipped).'
+  );
+  return true;
+}
+
+async function fetchOnce(url, attemptLabel) {
+  const ac = new AbortController();
+  const timer = setTimeout(function () { ac.abort(); }, DOWNLOAD_TIMEOUT_MS);
+  try {
+    const res = await fetch(url, { redirect: 'follow', signal: ac.signal });
+    if (!res.ok) {
+      throw new Error('HTTP ' + res.status);
+    }
+    let finalUrl;
+    try {
+      finalUrl = new URL(res.url);
+    } catch (_) {
+      throw new Error('invalid response URL: ' + res.url);
+    }
+    if (finalUrl.protocol !== 'https:') {
+      throw new Error('response URL is not HTTPS: ' + res.url);
+    }
+    if (finalUrl.hostname !== CDN_HOSTNAME) {
+      throw new Error('response URL is not on ' + CDN_HOSTNAME + ': ' + res.url);
+    }
+    const contentLengthHeader = res.headers.get('content-length');
+    if (contentLengthHeader != null) {
+      const cl = parseInt(contentLengthHeader, 10);
+      if (Number.isFinite(cl) && cl > MAX_DOWNLOAD_BYTES) {
+        throw new Error('Content-Length ' + cl + ' exceeds ceiling ' + MAX_DOWNLOAD_BYTES);
+      }
+    }
+    const arrayBuffer = await res.arrayBuffer();
+    if (arrayBuffer.byteLength > MAX_DOWNLOAD_BYTES) {
+      throw new Error('body ' + arrayBuffer.byteLength + ' bytes exceeds ceiling ' + MAX_DOWNLOAD_BYTES);
+    }
+    return Buffer.from(arrayBuffer);
+  } finally {
+    clearTimeout(timer);
+  }
+}
+
+// fetchToBuffer: download with one retry on transient failures. The CDN
+// can be slow on cold-cache reads (10 MB sometimes takes >60 s through
+// Cloudflare). Hospital / military deployments often run on slow links;
+// a single retry on AbortError / network reset turns a brittle install
+// into a robust one.
+async function fetchToBuffer(url) {
+  const maxAttempts = 3;
+  let lastErr = null;
+  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
+    try {
+      if (attempt > 1) {
+        info('retry ' + (attempt - 1) + '/' + (maxAttempts - 1) + ' for ' + url);
+      }
+      return await fetchOnce(url, attempt);
+    } catch (err) {
+      lastErr = err;
+      const reason = (err && err.name === 'AbortError')
+        ? 'timed out after ' + (DOWNLOAD_TIMEOUT_MS / 1000) + ' seconds'
+        : (err && err.message ? err.message : String(err));
+      if (attempt < maxAttempts) {
+        process.stderr.write(
+          'qnsqy postinstall: download attempt ' + attempt + ' failed (' + reason +
+            '); retrying...\n'
+        );
+        // small backoff: 2s, 5s
+        await new Promise(function (r) { setTimeout(r, attempt === 1 ? 2000 : 5000); });
+        continue;
+      }
+      die(
+        'network error downloading ' + url + ' after ' + maxAttempts +
+          ' attempts: ' + reason +
+          '. Retry, or set QNSQY_BINARY_PATH to a pre-staged binary.'
+      );
+    }
+  }
+  // Unreachable; satisfies lint
+  die('download loop exited unexpectedly: ' + (lastErr && lastErr.message ? lastErr.message : 'unknown'));
+}
+
+function sha256OfBuffer(buf) {
+  return crypto.createHash('sha256').update(buf).digest('hex');
+}
+
+function constantTimeHexEqual(a, b) {
+  if (typeof a !== 'string' || typeof b !== 'string') return false;
+  if (a.length !== b.length || a.length === 0) return false;
+  const ab = Buffer.from(a, 'hex');
+  const bb = Buffer.from(b, 'hex');
+  if (ab.length === 0 || ab.length !== bb.length) return false;
+  return crypto.timingSafeEqual(ab, bb);
+}
+
+function toolExists(cmd) {
+  try {
+    // BusyBox tar exits 0 for `--help`; GNU and BSD tar also exit 0.
+    // `--version` is rejected by BusyBox, so it must not be used here.
+    const probe = spawnSync(cmd, ['--help'], { stdio: 'ignore' });
+    return probe.error == null;
+  } catch (_) {
+    return false;
+  }
+}
+
+function validateSlot(key, slot) {
+  if (slot == null) {
+    die('manifest has no entry for platform ' + key);
+  }
+  const requiredString = ['url', 'filename', 'sha256', 'binary_path_in_archive', 'format'];
+  for (let i = 0; i < requiredString.length; i++) {
+    const field = requiredString[i];
+    if (typeof slot[field] !== 'string' || slot[field].length === 0) {
+      die('manifest entry for ' + key + ' is missing required string field: ' + field);
+    }
+  }
+  if (!/^[0-9a-fA-F]{64}$/.test(slot.sha256)) {
+    die(
+      'manifest sha256 for ' + key + ' is not a 64-char hex string ' +
+        '(got ' + slot.sha256.length + ' chars: ' + slot.sha256 + ').'
+    );
+  }
+  if (!slot.url.startsWith('https://')) {
+    die('manifest url for ' + key + ' must be HTTPS: ' + slot.url);
+  }
+  try {
+    const u = new URL(slot.url);
+    if (u.hostname !== CDN_HOSTNAME) {
+      die('manifest url for ' + key + ' must be on ' + CDN_HOSTNAME + ': ' + slot.url);
+    }
+  } catch (_) {
+    die('manifest url for ' + key + ' is not a valid URL: ' + slot.url);
+  }
+}
+
+// Parse a .deb (BSD ar archive) and return the data.tar.* member as a
+// Buffer. .deb member names are short (data.tar.gz / xz / zst) so the
+// BSD/GNU long-name extensions are not needed.
+function readDebDataMember(debBuf) {
+  const magic = debBuf.slice(0, 8).toString('ascii');
+  if (magic !== '!<arch>\n') {
+    die('downloaded DEB is not a valid ar archive (magic = ' + JSON.stringify(magic) + ').');
+  }
+  let off = 8;
+  while (off + 60 <= debBuf.length) {
+    const name = debBuf.slice(off, off + 16).toString('ascii').replace(/[\s\/]+$/, '');
+    const sizeStr = debBuf.slice(off + 48, off + 58).toString('ascii').trim();
+    const size = parseInt(sizeStr, 10);
+    if (!Number.isFinite(size) || size < 0 || size > MAX_DOWNLOAD_BYTES) {
+      die('invalid ar member size at offset ' + off + ': ' + JSON.stringify(sizeStr));
+    }
+    const dataStart = off + 60;
+    const dataEnd = dataStart + size;
+    if (dataEnd > debBuf.length) {
+      die(
+        'ar member "' + name + '" declares size ' + size + ' but only ' +
+          (debBuf.length - dataStart) + ' bytes remain. Archive is malformed.'
+      );
+    }
+    if (name.indexOf('data.tar') === 0) {
+      return { name: name, data: debBuf.slice(dataStart, dataEnd) };
+    }
+    off = dataEnd + (size % 2);
+  }
+  die('no data.tar member found in DEB archive.');
+  return null;
+}
+
+function extractBinaryFromTar(tarPath, innerPath) {
+  // Defense in depth: reject path-traversal in the manifest-supplied innerPath.
+  if (innerPath.split('/').some(function (p) { return p === '..' || p === ''; })) {
+    die('binary_path_in_archive contains forbidden segment: ' + innerPath);
+  }
+  const list = spawnSync('tar', ['-tf', tarPath], {
+    stdio: ['ignore', 'pipe', 'pipe'],
+    maxBuffer: 64 * 1024 * 1024,
+  });
+  if (list.error) {
+    die(
+      'tar invocation failed: ' + list.error.message +
+        '. Install tar via your package manager and retry.'
+    );
+  }
+  if (list.status !== 0 || list.stdout == null) {
+    const sig = list.signal ? ' (killed by signal ' + list.signal + ')' : '';
+    die(
+      'tar -tf failed on ' + tarPath + sig + ': ' +
+        (list.stderr ? list.stderr.toString().slice(0, 500) : 'no stderr')
+    );
+  }
+  const entries = list.stdout.toString().split('\n');
+  let match = null;
+  for (let i = 0; i < entries.length; i++) {
+    const norm = entries[i].replace(/^\.\//, '').replace(/^\//, '');
+    if (norm === innerPath) {
+      match = entries[i];
+      break;
+    }
+  }
+  if (!match) {
+    die(
+      'expected binary ' + innerPath + ' was not found inside the data tarball. ' +
+        'Archive layout may have changed; report at https://quantumsequrity.com/contact.'
+    );
+  }
+  const extract = spawnSync('tar', ['-xf', tarPath, '-O', match], {
+    stdio: ['ignore', 'pipe', 'pipe'],
+    maxBuffer: 256 * 1024 * 1024,
+  });
+  if (extract.error) {
+    die('tar extract spawn failed: ' + extract.error.message);
+  }
+  if (extract.status !== 0 || extract.stdout == null || extract.stdout.length === 0) {
+    const sig = extract.signal ? ' (killed by signal ' + extract.signal + ')' : '';
+    die(
+      'tar extract failed for ' + match + sig + ': ' +
+        (extract.stderr ? extract.stderr.toString().slice(0, 500) : 'no stderr or empty output')
+    );
+  }
+  return extract.stdout;
+}
+
+async function main() {
+  if (copyEscapeHatch(process.env.QNSQY_BINARY_PATH)) return;
+
+  const key = platformKey();
+  if (!key) {
+    die(
+      'platform ' + process.platform + '/' + process.arch + ' is not supported ' +
+        'by the QNSQY npm wrapper today. Linux x86_64 and Windows x86_64 are the ' +
+        'shipping targets. macOS is targeted for Q3 2026; ARM is not yet shipping. ' +
+        'See https://quantumsequrity.com/download for current status. ' +
+        'For pre-staged binaries set QNSQY_BINARY_PATH and reinstall.'
+    );
+  }
+
+  if (!fs.existsSync(MANIFEST_PATH)) {
+    die('manifest missing at ' + MANIFEST_PATH);
+  }
+  let manifest;
+  try {
+    manifest = JSON.parse(fs.readFileSync(MANIFEST_PATH, 'utf8'));
+  } catch (err) {
+    die('manifest at ' + MANIFEST_PATH + ' is not valid JSON: ' + (err && err.message ? err.message : err));
+  }
+  const slot = manifest.platforms && manifest.platforms[key];
+  validateSlot(key, slot);
+
+  if (slot.format === 'deb' && !toolExists('tar')) {
+    die(
+      'tar is required to unpack the QNSQY DEB but was not found on PATH. ' +
+        'Install it: apt install tar  /  dnf install tar  /  apk add tar  /  pacman -S tar.'
+    );
+  }
+
+  ensureBinDir();
+  const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'qnsqy-install-'));
+
+  function cleanupTmp() {
+    try {
+      const entries = fs.readdirSync(tmpDir);
+      for (let i = 0; i < entries.length; i++) {
+        try { fs.unlinkSync(path.join(tmpDir, entries[i])); } catch (_) {}
+      }
+      fs.rmdirSync(tmpDir);
+    } catch (_) {
+      // best-effort cleanup; never fatal
+    }
+  }
+  process.once('exit', cleanupTmp);
+
+  try {
+    info('downloading ' + slot.url);
+    const downloadedBuf = await fetchToBuffer(slot.url);
+
+    const actualHash = sha256OfBuffer(downloadedBuf);
+    if (!constantTimeHexEqual(actualHash, slot.sha256)) {
+      die(
+        'SHA-256 mismatch for ' + slot.filename + '\n' +
+          '  expected: ' + slot.sha256 + '\n' +
+          '  actual:   ' + actualHash + '\n' +
+          'The binary on the CDN may have been rotated, or the download was tampered with. ' +
+          'Verify the hash against https://quantumsequrity.com/download and report any ' +
+          'genuine mismatch to security@quantumsequrity.com.'
+      );
+    }
+    info('verified SHA-256 (' + downloadedBuf.length + ' bytes).');
+
+    const target = binTargetPath();
+
+    if (slot.format === 'exe' || slot.extract === 'passthrough') {
+      atomicWrite(target, downloadedBuf);
+    } else if (slot.format === 'deb' || slot.extract === 'deb') {
+      const dataMember = readDebDataMember(downloadedBuf);
+      const dataTarPath = path.join(tmpDir, dataMember.name);
+      fs.writeFileSync(dataTarPath, dataMember.data);
+      const binBuf = extractBinaryFromTar(dataTarPath, slot.binary_path_in_archive);
+      atomicWrite(target, binBuf);
+    } else if (slot.format === 'appimage' || slot.extract === 'appimage') {
+      atomicWrite(target, downloadedBuf);
+    } else {
+      die('unknown extract format in manifest: ' + slot.format + ' / ' + slot.extract);
+    }
+
+    info('qnsqy ' + PKG_VERSION + ' installed at ' + target);
+  } finally {
+    cleanupTmp();
+  }
+}
+
+main().catch(function (err) {
+  die(err && err.message ? err.message : String(err));
+});

package/uninstall.js

@@ -0,0 +1,24 @@
+#!/usr/bin/env node
+'use strict';
+
+// QNSQY npm wrapper uninstall hook.
+// Removes the downloaded binary on `npm uninstall qnsqy`. Idempotent: never errors.
+
+const fs = require('node:fs');
+const path = require('node:path');
+
+const BIN_DIR = path.join(__dirname, 'bin');
+const candidates = [
+  path.join(BIN_DIR, 'qnsqy-bin'),
+  path.join(BIN_DIR, 'qnsqy-bin.exe'),
+  path.join(BIN_DIR, 'qnsqy-bin.tmp'),
+  path.join(BIN_DIR, 'qnsqy-bin.exe.tmp'),
+];
+
+for (let i = 0; i < candidates.length; i++) {
+  try {
+    fs.unlinkSync(candidates[i]);
+  } catch (_) {
+    // already gone, ignore.
+  }
+}