qnsqy 7.2.20 → 7.2.22

package/LICENSE

@@ -1,11 +1,13 @@
 QNSQY is proprietary software. (c) 2026 Quantum Sequrity.
 
-The binary downloaded by this npm package is licensed under the QNSQY
-end-user license agreement, available at https://quantumsequrity.com/terms.
+The QNSQY binary, delivered as a platform-specific optional dependency of
+this package, is licensed under the QNSQY end-user license agreement,
+available at https://quantumsequrity.com/terms.
 
-This npm wrapper package (the JavaScript scaffolding, postinstall script,
-README, and LICENSE) is licensed for use solely to facilitate installation
-of the QNSQY binary. Redistribution of the wrapper without the binary, or
-modification of the wrapper to fetch a different binary, is not permitted.
+This npm wrapper package (the JavaScript shim, README, and LICENSE) is
+licensed for use solely to facilitate installation of the QNSQY binary,
+which is delivered as a platform-specific optional dependency. Redistribution
+of the wrapper without the binary, or modification of the wrapper to run a
+different binary, is not permitted.
 
 Source-available for security audit on request: security@quantumsequrity.com.

package/README.md

@@ -24,10 +24,13 @@ Run once without installing:
 npx qnsqy --help
 ```
 
-On install, this package downloads the QNSQY 7.2.19 binary for your
-platform from `cdn.quantumsequrity.com`, verifies its SHA-256 hash
-against the value pinned in `lib/manifest.json`, and places it under
-`node_modules/.bin/qnsqy`. No binary is bundled in the npm tarball.
+The matching prebuilt binary for your platform is installed automatically
+by npm as an optional dependency (`@quantumsequrity/qnsqy-linux-x64` or
+`@quantumsequrity/qnsqy-win32-x64`), selected by its `os` / `cpu` fields.
+There is no install script and no network download of our own: npm fetches
+only the one platform package that matches your machine, from the npm
+registry. Because no install script is involved,
+`npm install --ignore-scripts` works too.
 
 ## Quick start
 
@@ -64,81 +67,87 @@ https://quantumsequrity.com/docs.html.
 |-----------------|----------------------------------------------------------------------------------|
 | Linux x86_64    | Supported. Requires glibc 2.35+ (Ubuntu 22.04+, Debian 12+, Fedora 40+, AlmaLinux 10). |
 | Windows x86_64  | Supported. Windows 10 1809+ and Windows 11.                                      |
-| macOS           | Not shipping yet. Target Q3 2026. npm install exits 1 on darwin with a friendly message. |
-| ARM (any OS)    | Not shipping yet. npm install exits 1 with a friendly message.                   |
+| macOS           | Not shipping yet. Target Q3 2026. `npm install` succeeds; `qnsqy` prints a not-yet-shipping message at run time. |
+| ARM (any OS)    | Not shipping yet. `npm install` succeeds; `qnsqy` prints a not-yet-shipping message at run time. |
 
-If `npm install` refuses to install on your platform with an
-`EBADPLATFORM` error, that is the npm `os` / `cpu` field acting as a
-guard rail. It is not a bug in your toolchain.
+On an unsupported platform, `npm install qnsqy` still succeeds (the main
+package installs everywhere), but no platform binary matches your machine,
+so running `qnsqy` prints a clear message that the platform is not yet
+shipping. If instead you see that message on a supported platform, you
+likely installed with optional dependencies disabled: reinstall with
+`npm install qnsqy --include=optional`.
 
 ## How this package works
 
-The npm package is a thin wrapper. The actual QNSQY binary is not
-bundled.
-
-1. `npm install -g qnsqy` triggers `postinstall.js`.
-2. `postinstall.js` selects the right artifact for your platform from
-   `lib/manifest.json`.
-3. The artifact is downloaded from `cdn.quantumsequrity.com` over HTTPS,
-   using Node 18+ built-in `fetch`. `HTTPS_PROXY` and `HTTP_PROXY` env
-   vars are honoured via the standard agent.
-4. The download is verified against the SHA-256 hash pinned in the
-   manifest. On mismatch, install fails and both hashes are printed.
-5. On Linux the DEB is unpacked in-process (the wrapper parses the `ar`
-   archive itself, no `dpkg` required) and `usr/bin/qnsqy` is extracted
-   with the system `tar`.
-6. On Windows the standalone .exe is dropped directly into the package's
-   `bin/` directory.
-7. The binary is installed atomically (write to `.tmp`, fsync, rename)
-   and chmod 755 on POSIX.
-8. `node_modules/.bin/qnsqy` is a Node shim (`bin/qnsqy.js`) that execs
-   the platform binary with your arguments and propagates exit codes and
-   signals.
-
-The wrapper has zero npm dependencies. It uses Node 18+ stdlib only
-(`fs`, `path`, `os`, `crypto`, `child_process`, built-in `fetch`).
+The main `qnsqy` package is a thin JavaScript shim. No binary is bundled
+in it and it runs no install script. The binary ships in two
+platform-specific packages that the main package lists as optional
+dependencies:
+
+| Package                            | For            |
+|------------------------------------|----------------|
+| `@quantumsequrity/qnsqy-linux-x64` | Linux x86_64   |
+| `@quantumsequrity/qnsqy-win32-x64` | Windows x86_64 |
+
+1. `npm install -g qnsqy` reads the main package's `optionalDependencies`.
+2. npm evaluates each platform package's `os` / `cpu` fields and downloads
+   only the one that matches your machine, from the npm registry. The
+   others are skipped. No install script and no network fetch of our own
+   are involved, so this works even under `npm install --ignore-scripts`.
+3. `node_modules/.bin/qnsqy` is a Node shim (`bin/qnsqy.js`) that resolves
+   the binary out of the installed platform package and execs it with your
+   arguments, propagating exit codes and signals.
+
+The wrapper has zero third-party npm dependencies and uses Node 18+ stdlib
+only (`fs`, `path`, `child_process`). The platform packages contain only
+the raw binary plus metadata: no code, no scripts.
+
+On the npm channel, binary integrity rests on the npm registry's tarball
+checksums (recorded in your lockfile). The same binary bytes are published
+on the CDN with SHA-256 checksums and an ML-DSA-87 signature logged to the
+Sigstore Rekor transparency log (see the download page), and the QNSQY
+binary self-verifies its embedded integrity hash at startup.
 
 ## Air-gapped install
 
-If your machine cannot reach `cdn.quantumsequrity.com`, pre-stage the
-QNSQY binary on disk and point the postinstall at it with the
-`QNSQY_BINARY_PATH` env var:
+If your machine cannot reach the npm registry for the platform package, or
+you want to run a specific pre-staged binary, set the `QNSQY_BINARY_PATH`
+env var. The shim honours it at run time, ahead of the platform package:
 
 ```
-# 1. On a machine with network access, download the binary for the
-#    target platform from https://quantumsequrity.com/download.
-#    Verify its SHA-256 manually.
-# 2. Copy the binary to the air-gapped machine (USB, internal mirror, etc.).
-# 3. Install with scripts disabled so the wrapper does not try to fetch:
+# 1. On a connected machine, download the binary for the target platform
+#    from https://quantumsequrity.com/download and verify its SHA-256.
+# 2. Copy it to the air-gapped machine (USB, internal mirror, etc.).
+# 3. Install the wrapper. The platform package may be skipped if the
+#    registry is unreachable; that is fine, the env var takes over:
 
-QNSQY_BINARY_PATH=/path/to/qnsqy \
-  npm install -g --ignore-scripts qnsqy
+npm install -g qnsqy            # or: npm install -g --ignore-scripts qnsqy
 
-# 4. Re-run the postinstall by hand so QNSQY_BINARY_PATH is honoured:
+# 4. Run qnsqy with the env var pointing at your pre-staged binary:
 
-QNSQY_BINARY_PATH=/path/to/qnsqy \
-  node $(npm root -g)/qnsqy/postinstall.js
+QNSQY_BINARY_PATH=/path/to/qnsqy qnsqy version
 ```
 
-The escape hatch copies the binary verbatim. No SHA-256 check is
-performed in that path: you are responsible for verifying the binary
-out-of-band before staging it.
+`QNSQY_BINARY_PATH` must be a real regular file; symlinks are rejected. No
+SHA-256 check is performed on that path, so you are responsible for
+verifying the binary out-of-band before staging it. To make it permanent,
+export `QNSQY_BINARY_PATH` from your shell profile or service unit.
 
 ## Verification
 
-You can verify the downloaded binary manually against the official
-checksums on the download page.
+You can verify the binary manually against the official checksums on the
+download page.
 
 ```
 # Linux DEB
-sha256sum qnsqy_7.2.19-1_amd64.deb
+sha256sum qnsqy_7.2.20-1_amd64.deb
 # Expected:
-# 983bfed387a969ecf9983f65fa27ee3025ed6edb5c32a38b91acd78a04d561a9
+# 93caee47f8af7c09f73373771ab116019d04903d6958369e865c77638e600afc
 
 # Windows standalone
-certutil -hashfile qnsqy-7.2.19-x86_64.exe SHA256
+certutil -hashfile qnsqy-7.2.20-x86_64.exe SHA256
 # Expected:
-# a6aaabdca0864dd843b8f238471a7c5d15517b05ffd6b322eac6ca37a570c090
+# 1383df812dff16cc593b0caab6bbe6092184a42f212aac8d13e42ed6a52b8f38
 ```
 
 The canonical hash list is published at

package/bin/integrity.json

@@ -0,0 +1,5 @@
+{
+  "_comment": "SHA-256 of each platform binary, baked into the main qnsqy package (the trust root the user installs). The shim verifies the resolved platform binary against these before exec. Stamped by scripts/stage-platform-packages.sh at release time; empty values are placeholders that make the shim fail closed.",
+  "linux-x64": "f40dc28c70d49670e39537b020780481fdf46a535f11e9f65131bd81249eadc0",
+  "win32-x64": "1383df812dff16cc593b0caab6bbe6092184a42f212aac8d13e42ed6a52b8f38"
+}

package/bin/qnsqy.js

@@ -1,31 +1,171 @@
 #!/usr/bin/env node
 'use strict';
 
-// QNSQY shim. Resolves the platform binary placed by postinstall.js and
-// execs it with the user's argv. Exit code and signals propagate.
+// QNSQY shim. Resolves the platform binary that npm installed as an
+// optional dependency (@quantumsequrity/qnsqy-<platform>-<arch>) and execs
+// it with the user's argv. Exit code and signals propagate.
+//
+// There is NO install script and NO network access. The binary arrives
+// purely through npm dependency resolution, so it is present even under
+// `npm install --ignore-scripts`.
+//
+// Integrity: the SHA-256 of each platform binary is pinned in
+// ./integrity.json, which ships INSIDE this (main) package, the package the
+// user explicitly installed. Before exec, the shim hashes the resolved
+// platform binary and refuses to run on mismatch. This anchors trust in the
+// main package, so a substituted or name-squatted platform dependency cannot
+// ship runnable bytes. The QNSQY_BINARY_PATH escape hatch is exempt (the
+// operator vouches for that binary out-of-band).
 
 const fs = require('node:fs');
 const path = require('node:path');
+const crypto = require('node:crypto');
 const { spawn } = require('node:child_process');
 
-const isWin = process.platform === 'win32';
-const binPath = path.join(__dirname, 'qnsqy-bin' + (isWin ? '.exe' : ''));
+// PLATFORM_PACKAGES maps `${platform}-${arch}` to the optional dependency
+// that carries the prebuilt binary and the binary's filename inside it.
+const PLATFORM_PACKAGES = {
+  'linux-x64': { pkg: '@quantumsequrity/qnsqy-linux-x64', bin: 'qnsqy' },
+  'win32-x64': { pkg: '@quantumsequrity/qnsqy-win32-x64', bin: 'qnsqy.exe' },
+};
 
-if (!fs.existsSync(binPath)) {
-  const postinstall = path.join(__dirname, '..', 'postinstall.js');
+function fail(msg) {
+  process.stderr.write('qnsqy: ' + msg + '\n');
+  process.exit(1);
+}
+
+// loadIntegrity: read the pinned per-platform hashes that ship with this
+// package. Fail closed if the file is missing or unreadable.
+function loadIntegrity() {
+  try {
+    return require('./integrity.json');
+  } catch (err) {
+    fail(
+      'integrity manifest (integrity.json) could not be loaded: ' +
+        (err && err.message ? err.message : String(err)) +
+        '. This qnsqy install is corrupt; reinstall it.'
+    );
+  }
+}
+
+// resolveFromEnv: honour the QNSQY_BINARY_PATH escape hatch. Returns a
+// real binary path or null. Rejects symlinks (a hostile value must not
+// point the runtime at an arbitrary file) and requires a regular,
+// executable file. No SHA-256 check applies here: the operator vouches for
+// the binary out-of-band. (A residual lstat->spawn TOCTOU exists, but it is
+// only exploitable by someone who already has write access to that exact
+// path, i.e. who can already run code as this user.)
+function resolveFromEnv() {
+  const envPath = process.env.QNSQY_BINARY_PATH;
+  if (!envPath) return null;
+  let st;
+  try {
+    st = fs.lstatSync(envPath);
+  } catch (err) {
+    fail(
+      'QNSQY_BINARY_PATH was set to "' + envPath + '" but lstat failed: ' +
+        (err && err.message ? err.message : String(err))
+    );
+  }
+  if (st.isSymbolicLink()) {
+    fail('QNSQY_BINARY_PATH must not be a symlink. Resolve it to a real path and retry.');
+  }
+  if (!st.isFile()) {
+    fail(
+      'QNSQY_BINARY_PATH must be a regular file (got ' +
+        (st.isDirectory() ? 'directory' : 'special file') + ').'
+    );
+  }
+  if (process.platform !== 'win32' && !(st.mode & 0o111)) {
+    fail('QNSQY_BINARY_PATH points to a non-executable file. Run: chmod +x ' + envPath);
+  }
   process.stderr.write(
-    'qnsqy: binary not found at ' + binPath + '\n' +
-    'qnsqy: this usually means `npm install` ran with --ignore-scripts, ' +
-    'or the postinstall step failed.\n' +
-    'qnsqy: fetch the binary by running:\n' +
-    '  node ' + postinstall + '\n' +
-    'qnsqy: or, for air-gapped machines, set QNSQY_BINARY_PATH to a pre-staged ' +
-    'binary and re-run the postinstall:\n' +
-    '  QNSQY_BINARY_PATH=/path/to/qnsqy node ' + postinstall + '\n'
+    'qnsqy: using QNSQY_BINARY_PATH=' + envPath +
+      ' (integrity check skipped; you are responsible for verifying this binary out-of-band).\n'
   );
-  process.exit(1);
+  return path.resolve(envPath);
 }
 
+// verifyIntegrity: hash the resolved platform binary and compare it against
+// the value pinned in integrity.json. Fail closed on any mismatch or if the
+// build was never provisioned with a real hash.
+function verifyIntegrity(key, binPath) {
+  const integrity = loadIntegrity();
+  const expected = (integrity && typeof integrity[key] === 'string') ? integrity[key].toLowerCase() : '';
+  if (!/^[0-9a-f]{64}$/.test(expected)) {
+    fail(
+      'no integrity hash is provisioned for ' + key + ' in integrity.json. This qnsqy ' +
+        'build was not prepared for release (run scripts/stage-platform-packages.sh). ' +
+        'Refusing to run an unverified binary.'
+    );
+  }
+  const actual = crypto.createHash('sha256').update(fs.readFileSync(binPath)).digest('hex');
+  let match = false;
+  try {
+    match = crypto.timingSafeEqual(Buffer.from(actual, 'hex'), Buffer.from(expected, 'hex'));
+  } catch (_) {
+    match = false;
+  }
+  if (!match) {
+    fail(
+      'binary integrity check FAILED for ' + PLATFORM_PACKAGES[key].pkg + '.\n' +
+        '  expected sha256: ' + expected + '\n' +
+        '  actual sha256:   ' + actual + '\n' +
+        'The installed platform binary does not match the hash pinned in the qnsqy ' +
+        'package. This can indicate a tampered or substituted dependency. Refusing to ' +
+        'run. Report to security@quantumsequrity.com.'
+    );
+  }
+}
+
+// resolvePlatformBinary: find the binary inside the installed optional
+// dependency. Resolving the package's package.json (always resolvable when
+// the package is present, regardless of `exports`) and joining the binary
+// name is the robust pattern esbuild and @swc/core use. Verifies integrity
+// before returning.
+function resolvePlatformBinary() {
+  const key = process.platform + '-' + process.arch;
+  const entry = PLATFORM_PACKAGES[key];
+  if (!entry) {
+    fail(
+      'no prebuilt QNSQY binary is published for ' + process.platform + '/' +
+        process.arch + '.\n' +
+        'qnsqy: shipping targets today are Linux x86_64 and Windows x86_64. ' +
+        'macOS is targeted for Q3 2026; ARM is not yet shipping. ' +
+        'See https://quantumsequrity.com/download for status.\n' +
+        'qnsqy: for a pre-staged binary, set QNSQY_BINARY_PATH=/path/to/qnsqy and re-run.'
+    );
+  }
+  let pkgJson;
+  try {
+    pkgJson = require.resolve(entry.pkg + '/package.json');
+  } catch (_) {
+    fail(
+      'the platform package "' + entry.pkg + '" is not installed.\n' +
+        'qnsqy: this happens when npm skipped optional dependencies. Reinstall with:\n' +
+        '  npm install qnsqy --include=optional\n' +
+        'qnsqy: (also check you did not pass --no-optional / --omit=optional, and that ' +
+        'any lockfile was generated with optional dependencies enabled).\n' +
+        'qnsqy: or set QNSQY_BINARY_PATH=/path/to/qnsqy for an air-gapped install.'
+    );
+  }
+  const binPath = path.join(path.dirname(pkgJson), entry.bin);
+  if (!fs.existsSync(binPath)) {
+    fail(
+      'platform package "' + entry.pkg + '" is installed but its binary is missing at ' +
+        binPath + '.\n' +
+        'qnsqy: if you use Yarn in PnP (plug-n-play) mode, ensure the platform package is ' +
+        'unplugged (it sets preferUnplugged: true; rerun `yarn install`) or set ' +
+        'nodeLinker: node-modules in .yarnrc.yml.\n' +
+        'qnsqy: otherwise reinstall qnsqy, or report at https://quantumsequrity.com/contact.'
+    );
+  }
+  verifyIntegrity(key, binPath);
+  return binPath;
+}
+
+const binPath = resolveFromEnv() || resolvePlatformBinary();
+
 const child = spawn(binPath, process.argv.slice(2), { stdio: 'inherit' });
 
 function forwardSignal(sig) {
@@ -52,7 +192,7 @@ child.on('error', function (err) {
   detachSignalListeners();
   process.stderr.write(
     'qnsqy: failed to spawn ' + binPath + ': ' +
-    (err && err.message ? err.message : String(err)) + '\n'
+      (err && err.message ? err.message : String(err)) + '\n'
   );
   process.exit(1);
 });
@@ -60,12 +200,15 @@ child.on('error', function (err) {
 child.on('exit', function (code, signal) {
   detachSignalListeners();
   if (signal) {
+    // Re-raise so the parent shell sees "killed by signal". A short fallback
+    // timer guarantees we still exit even if the signal is intercepted or is
+    // non-fatal (e.g. on Windows, where Unix signals do not terminate).
+    setTimeout(function () { process.exit(1); }, 100).unref();
     try {
       process.kill(process.pid, signal);
     } catch (_) {
-      // Some signals are not supported on Windows; fall through.
+      process.exit(1);
     }
-    process.exit(1);
     return;
   }
   process.exit(typeof code === 'number' ? code : 1);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "qnsqy",
-  "version": "7.2.20",
+  "version": "7.2.22",
   "description": "Post-quantum cryptography tool. NIST FIPS 203 / 204 / 205 algorithms hybridized with classical X25519, Ed25519, AES-256-GCM. Local-only execution. 84 MCP tools for AI agents.",
   "keywords": [
     "post-quantum",
@@ -23,35 +23,20 @@
   ],
   "homepage": "https://quantumsequrity.com",
   "bugs": "https://quantumsequrity.com/contact",
-  "repository": {
-    "type": "git",
-    "url": "git+https://github.com/quantumsequrity/qnsqy.git"
-  },
   "license": "SEE LICENSE IN LICENSE",
   "author": "Quantum Sequrity",
   "bin": {
     "qnsqy": "bin/qnsqy.js"
   },
-  "scripts": {
-    "postinstall": "node postinstall.js",
-    "uninstall": "node uninstall.js",
-    "preuninstall": "node uninstall.js"
+  "optionalDependencies": {
+    "@quantumsequrity/qnsqy-linux-x64": "7.2.22",
+    "@quantumsequrity/qnsqy-win32-x64": "7.2.22"
   },
   "engines": {
     "node": ">=18.0.0"
   },
-  "os": [
-    "linux",
-    "win32"
-  ],
-  "cpu": [
-    "x64"
-  ],
   "files": [
     "bin/",
-    "lib/",
-    "postinstall.js",
-    "uninstall.js",
     "README.md",
     "LICENSE"
   ]

package/lib/manifest.json

@@ -1,23 +0,0 @@
-{
-  "qnsqy_version": "7.2.20",
-  "generated_at": "2026-06-01T11:00Z",
-  "source": "freshly built from qs-ultra/ source tree 2026-06-01 (Ubuntu 22.04 / glibc 2.35 container build); matches website-YC/download.md SHA-256 Checksums (v7.2.20)",
-  "platforms": {
-    "linux-x64": {
-      "url": "https://cdn.quantumsequrity.com/linux/qnsqy_7.2.20-1_amd64.deb",
-      "filename": "qnsqy_7.2.20-1_amd64.deb",
-      "format": "deb",
-      "extract": "deb",
-      "sha256": "93caee47f8af7c09f73373771ab116019d04903d6958369e865c77638e600afc",
-      "binary_path_in_archive": "usr/bin/qnsqy"
-    },
-    "win32-x64": {
-      "url": "https://cdn.quantumsequrity.com/windows/qnsqy-7.2.20-x86_64.exe",
-      "filename": "qnsqy-7.2.20-x86_64.exe",
-      "format": "exe",
-      "extract": "passthrough",
-      "sha256": "1383df812dff16cc593b0caab6bbe6092184a42f212aac8d13e42ed6a52b8f38",
-      "binary_path_in_archive": "qnsqy-7.2.20-x86_64.exe"
-    }
-  }
-}

package/postinstall.js

@@ -1,443 +0,0 @@
-#!/usr/bin/env node
-'use strict';
-
-// QNSQY npm wrapper postinstall.
-// Responsibilities:
-//   1. Detect platform.
-//   2. Honour QNSQY_BINARY_PATH escape hatch (rejects symlinks).
-//   3. Download the matching binary archive from cdn.quantumsequrity.com
-//      with a 2-minute timeout and post-redirect host pinning.
-//   4. Verify SHA-256 (constant-time) against the value pinned in
-//      lib/manifest.json.
-//   5. Extract (DEB on Linux via in-process ar parser + system tar,
-//      passthrough on Windows).
-//   6. Atomic install into bin/qnsqy-bin (or qnsqy-bin.exe on Windows).
-//
-// Zero npm dependencies. Node 18+ stdlib only.
-
-const fs = require('node:fs');
-const path = require('node:path');
-const os = require('node:os');
-const crypto = require('node:crypto');
-const { spawnSync } = require('node:child_process');
-
-const PKG_VERSION = '7.2.20';
-const PKG_DIR = __dirname;
-const BIN_DIR = path.join(PKG_DIR, 'bin');
-const MANIFEST_PATH = path.join(PKG_DIR, 'lib', 'manifest.json');
-const CDN_HOSTNAME = 'cdn.quantumsequrity.com';
-const DOWNLOAD_TIMEOUT_MS = 600000;
-const MAX_DOWNLOAD_BYTES = 200 * 1024 * 1024;
-
-function info(msg) {
-  process.stdout.write('qnsqy postinstall: ' + msg + '\n');
-}
-
-function die(msg, code) {
-  process.stderr.write('qnsqy postinstall error: ' + msg + '\n');
-  process.exit(typeof code === 'number' ? code : 1);
-}
-
-function platformKey() {
-  const plat = process.platform;
-  const arch = process.arch;
-  if (plat === 'linux' && arch === 'x64') return 'linux-x64';
-  if (plat === 'win32' && arch === 'x64') return 'win32-x64';
-  return null;
-}
-
-function ensureBinDir() {
-  fs.mkdirSync(BIN_DIR, { recursive: true });
-}
-
-function binTargetPath() {
-  const ext = process.platform === 'win32' ? '.exe' : '';
-  return path.join(BIN_DIR, 'qnsqy-bin' + ext);
-}
-
-// atomicWrite: write to a PID-suffixed tmp file (collision-safe under
-// concurrent installs), fsync, chmod 0755 BEFORE rename so the published
-// file is atomically executable, then rename.
-function atomicWrite(targetPath, buffer) {
-  const tmp = targetPath + '.' + process.pid + '.tmp';
-  fs.writeFileSync(tmp, buffer);
-  const fd = fs.openSync(tmp, 'r+');
-  try {
-    fs.fsyncSync(fd);
-  } finally {
-    fs.closeSync(fd);
-  }
-  if (process.platform !== 'win32') {
-    try {
-      fs.chmodSync(tmp, 0o755);
-    } catch (err) {
-      try { fs.unlinkSync(tmp); } catch (_) {}
-      die(
-        'failed to chmod 755 on ' + tmp + ': ' +
-          (err && err.message ? err.message : String(err)) +
-          '. Check ownership of node_modules.'
-      );
-    }
-  }
-  fs.renameSync(tmp, targetPath);
-}
-
-function copyEscapeHatch(envPath) {
-  if (!envPath) return false;
-  let stat;
-  try {
-    stat = fs.lstatSync(envPath);
-  } catch (err) {
-    die(
-      'QNSQY_BINARY_PATH was set to "' + envPath + '" but lstat failed: ' +
-        (err && err.message ? err.message : String(err))
-    );
-  }
-  if (stat.isSymbolicLink()) {
-    die(
-      'QNSQY_BINARY_PATH must not be a symlink. Symlinks are rejected to ' +
-        'prevent a hostile env var from pointing at sensitive files. ' +
-        'Resolve the symlink to a real path and retry.'
-    );
-  }
-  if (!stat.isFile()) {
-    die('QNSQY_BINARY_PATH must be a regular file (got ' + (stat.isDirectory() ? 'directory' : 'special') + ').');
-  }
-  ensureBinDir();
-  const target = binTargetPath();
-  // Open with O_NOFOLLOW on POSIX as defense-in-depth against a symlink
-  // race between lstat and open.
-  let fd;
-  try {
-    if (process.platform !== 'win32') {
-      fd = fs.openSync(envPath, fs.constants.O_RDONLY | fs.constants.O_NOFOLLOW);
-    } else {
-      fd = fs.openSync(envPath, 'r');
-    }
-    const data = fs.readFileSync(fd);
-    atomicWrite(target, data);
-  } finally {
-    if (fd !== undefined) {
-      try { fs.closeSync(fd); } catch (_) {}
-    }
-  }
-  process.stderr.write(
-    'qnsqy postinstall WARN: SHA-256 verification SKIPPED because ' +
-      'QNSQY_BINARY_PATH was used. You are responsible for verifying the ' +
-      'binary out-of-band (sha256sum against https://quantumsequrity.com/download).\n'
-  );
-  info(
-    'qnsqy ' + PKG_VERSION + ' installed at ' + target +
-      ' (source: QNSQY_BINARY_PATH, hash check skipped).'
-  );
-  return true;
-}
-
-async function fetchOnce(url, attemptLabel) {
-  const ac = new AbortController();
-  const timer = setTimeout(function () { ac.abort(); }, DOWNLOAD_TIMEOUT_MS);
-  try {
-    const res = await fetch(url, { redirect: 'follow', signal: ac.signal });
-    if (!res.ok) {
-      throw new Error('HTTP ' + res.status);
-    }
-    let finalUrl;
-    try {
-      finalUrl = new URL(res.url);
-    } catch (_) {
-      throw new Error('invalid response URL: ' + res.url);
-    }
-    if (finalUrl.protocol !== 'https:') {
-      throw new Error('response URL is not HTTPS: ' + res.url);
-    }
-    if (finalUrl.hostname !== CDN_HOSTNAME) {
-      throw new Error('response URL is not on ' + CDN_HOSTNAME + ': ' + res.url);
-    }
-    const contentLengthHeader = res.headers.get('content-length');
-    if (contentLengthHeader != null) {
-      const cl = parseInt(contentLengthHeader, 10);
-      if (Number.isFinite(cl) && cl > MAX_DOWNLOAD_BYTES) {
-        throw new Error('Content-Length ' + cl + ' exceeds ceiling ' + MAX_DOWNLOAD_BYTES);
-      }
-    }
-    const arrayBuffer = await res.arrayBuffer();
-    if (arrayBuffer.byteLength > MAX_DOWNLOAD_BYTES) {
-      throw new Error('body ' + arrayBuffer.byteLength + ' bytes exceeds ceiling ' + MAX_DOWNLOAD_BYTES);
-    }
-    return Buffer.from(arrayBuffer);
-  } finally {
-    clearTimeout(timer);
-  }
-}
-
-// fetchToBuffer: download with one retry on transient failures. The CDN
-// can be slow on cold-cache reads (10 MB sometimes takes >60 s through
-// Cloudflare). Hospital / military deployments often run on slow links;
-// a single retry on AbortError / network reset turns a brittle install
-// into a robust one.
-async function fetchToBuffer(url) {
-  const maxAttempts = 3;
-  let lastErr = null;
-  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
-    try {
-      if (attempt > 1) {
-        info('retry ' + (attempt - 1) + '/' + (maxAttempts - 1) + ' for ' + url);
-      }
-      return await fetchOnce(url, attempt);
-    } catch (err) {
-      lastErr = err;
-      const reason = (err && err.name === 'AbortError')
-        ? 'timed out after ' + (DOWNLOAD_TIMEOUT_MS / 1000) + ' seconds'
-        : (err && err.message ? err.message : String(err));
-      if (attempt < maxAttempts) {
-        process.stderr.write(
-          'qnsqy postinstall: download attempt ' + attempt + ' failed (' + reason +
-            '); retrying...\n'
-        );
-        // small backoff: 2s, 5s
-        await new Promise(function (r) { setTimeout(r, attempt === 1 ? 2000 : 5000); });
-        continue;
-      }
-      die(
-        'network error downloading ' + url + ' after ' + maxAttempts +
-          ' attempts: ' + reason +
-          '. Retry, or set QNSQY_BINARY_PATH to a pre-staged binary.'
-      );
-    }
-  }
-  // Unreachable; satisfies lint
-  die('download loop exited unexpectedly: ' + (lastErr && lastErr.message ? lastErr.message : 'unknown'));
-}
-
-function sha256OfBuffer(buf) {
-  return crypto.createHash('sha256').update(buf).digest('hex');
-}
-
-function constantTimeHexEqual(a, b) {
-  if (typeof a !== 'string' || typeof b !== 'string') return false;
-  if (a.length !== b.length || a.length === 0) return false;
-  const ab = Buffer.from(a, 'hex');
-  const bb = Buffer.from(b, 'hex');
-  if (ab.length === 0 || ab.length !== bb.length) return false;
-  return crypto.timingSafeEqual(ab, bb);
-}
-
-function toolExists(cmd) {
-  try {
-    // BusyBox tar exits 0 for `--help`; GNU and BSD tar also exit 0.
-    // `--version` is rejected by BusyBox, so it must not be used here.
-    const probe = spawnSync(cmd, ['--help'], { stdio: 'ignore' });
-    return probe.error == null;
-  } catch (_) {
-    return false;
-  }
-}
-
-function validateSlot(key, slot) {
-  if (slot == null) {
-    die('manifest has no entry for platform ' + key);
-  }
-  const requiredString = ['url', 'filename', 'sha256', 'binary_path_in_archive', 'format'];
-  for (let i = 0; i < requiredString.length; i++) {
-    const field = requiredString[i];
-    if (typeof slot[field] !== 'string' || slot[field].length === 0) {
-      die('manifest entry for ' + key + ' is missing required string field: ' + field);
-    }
-  }
-  if (!/^[0-9a-fA-F]{64}$/.test(slot.sha256)) {
-    die(
-      'manifest sha256 for ' + key + ' is not a 64-char hex string ' +
-        '(got ' + slot.sha256.length + ' chars: ' + slot.sha256 + ').'
-    );
-  }
-  if (!slot.url.startsWith('https://')) {
-    die('manifest url for ' + key + ' must be HTTPS: ' + slot.url);
-  }
-  try {
-    const u = new URL(slot.url);
-    if (u.hostname !== CDN_HOSTNAME) {
-      die('manifest url for ' + key + ' must be on ' + CDN_HOSTNAME + ': ' + slot.url);
-    }
-  } catch (_) {
-    die('manifest url for ' + key + ' is not a valid URL: ' + slot.url);
-  }
-}
-
-// Parse a .deb (BSD ar archive) and return the data.tar.* member as a
-// Buffer. .deb member names are short (data.tar.gz / xz / zst) so the
-// BSD/GNU long-name extensions are not needed.
-function readDebDataMember(debBuf) {
-  const magic = debBuf.slice(0, 8).toString('ascii');
-  if (magic !== '!<arch>\n') {
-    die('downloaded DEB is not a valid ar archive (magic = ' + JSON.stringify(magic) + ').');
-  }
-  let off = 8;
-  while (off + 60 <= debBuf.length) {
-    const name = debBuf.slice(off, off + 16).toString('ascii').replace(/[\s\/]+$/, '');
-    const sizeStr = debBuf.slice(off + 48, off + 58).toString('ascii').trim();
-    const size = parseInt(sizeStr, 10);
-    if (!Number.isFinite(size) || size < 0 || size > MAX_DOWNLOAD_BYTES) {
-      die('invalid ar member size at offset ' + off + ': ' + JSON.stringify(sizeStr));
-    }
-    const dataStart = off + 60;
-    const dataEnd = dataStart + size;
-    if (dataEnd > debBuf.length) {
-      die(
-        'ar member "' + name + '" declares size ' + size + ' but only ' +
-          (debBuf.length - dataStart) + ' bytes remain. Archive is malformed.'
-      );
-    }
-    if (name.indexOf('data.tar') === 0) {
-      return { name: name, data: debBuf.slice(dataStart, dataEnd) };
-    }
-    off = dataEnd + (size % 2);
-  }
-  die('no data.tar member found in DEB archive.');
-  return null;
-}
-
-function extractBinaryFromTar(tarPath, innerPath) {
-  // Defense in depth: reject path-traversal in the manifest-supplied innerPath.
-  if (innerPath.split('/').some(function (p) { return p === '..' || p === ''; })) {
-    die('binary_path_in_archive contains forbidden segment: ' + innerPath);
-  }
-  const list = spawnSync('tar', ['-tf', tarPath], {
-    stdio: ['ignore', 'pipe', 'pipe'],
-    maxBuffer: 64 * 1024 * 1024,
-  });
-  if (list.error) {
-    die(
-      'tar invocation failed: ' + list.error.message +
-        '. Install tar via your package manager and retry.'
-    );
-  }
-  if (list.status !== 0 || list.stdout == null) {
-    const sig = list.signal ? ' (killed by signal ' + list.signal + ')' : '';
-    die(
-      'tar -tf failed on ' + tarPath + sig + ': ' +
-        (list.stderr ? list.stderr.toString().slice(0, 500) : 'no stderr')
-    );
-  }
-  const entries = list.stdout.toString().split('\n');
-  let match = null;
-  for (let i = 0; i < entries.length; i++) {
-    const norm = entries[i].replace(/^\.\//, '').replace(/^\//, '');
-    if (norm === innerPath) {
-      match = entries[i];
-      break;
-    }
-  }
-  if (!match) {
-    die(
-      'expected binary ' + innerPath + ' was not found inside the data tarball. ' +
-        'Archive layout may have changed; report at https://quantumsequrity.com/contact.'
-    );
-  }
-  const extract = spawnSync('tar', ['-xf', tarPath, '-O', match], {
-    stdio: ['ignore', 'pipe', 'pipe'],
-    maxBuffer: 256 * 1024 * 1024,
-  });
-  if (extract.error) {
-    die('tar extract spawn failed: ' + extract.error.message);
-  }
-  if (extract.status !== 0 || extract.stdout == null || extract.stdout.length === 0) {
-    const sig = extract.signal ? ' (killed by signal ' + extract.signal + ')' : '';
-    die(
-      'tar extract failed for ' + match + sig + ': ' +
-        (extract.stderr ? extract.stderr.toString().slice(0, 500) : 'no stderr or empty output')
-    );
-  }
-  return extract.stdout;
-}
-
-async function main() {
-  if (copyEscapeHatch(process.env.QNSQY_BINARY_PATH)) return;
-
-  const key = platformKey();
-  if (!key) {
-    die(
-      'platform ' + process.platform + '/' + process.arch + ' is not supported ' +
-        'by the QNSQY npm wrapper today. Linux x86_64 and Windows x86_64 are the ' +
-        'shipping targets. macOS is targeted for Q3 2026; ARM is not yet shipping. ' +
-        'See https://quantumsequrity.com/download for current status. ' +
-        'For pre-staged binaries set QNSQY_BINARY_PATH and reinstall.'
-    );
-  }
-
-  if (!fs.existsSync(MANIFEST_PATH)) {
-    die('manifest missing at ' + MANIFEST_PATH);
-  }
-  let manifest;
-  try {
-    manifest = JSON.parse(fs.readFileSync(MANIFEST_PATH, 'utf8'));
-  } catch (err) {
-    die('manifest at ' + MANIFEST_PATH + ' is not valid JSON: ' + (err && err.message ? err.message : err));
-  }
-  const slot = manifest.platforms && manifest.platforms[key];
-  validateSlot(key, slot);
-
-  if (slot.format === 'deb' && !toolExists('tar')) {
-    die(
-      'tar is required to unpack the QNSQY DEB but was not found on PATH. ' +
-        'Install it: apt install tar  /  dnf install tar  /  apk add tar  /  pacman -S tar.'
-    );
-  }
-
-  ensureBinDir();
-  const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'qnsqy-install-'));
-
-  function cleanupTmp() {
-    try {
-      const entries = fs.readdirSync(tmpDir);
-      for (let i = 0; i < entries.length; i++) {
-        try { fs.unlinkSync(path.join(tmpDir, entries[i])); } catch (_) {}
-      }
-      fs.rmdirSync(tmpDir);
-    } catch (_) {
-      // best-effort cleanup; never fatal
-    }
-  }
-  process.once('exit', cleanupTmp);
-
-  try {
-    info('downloading ' + slot.url);
-    const downloadedBuf = await fetchToBuffer(slot.url);
-
-    const actualHash = sha256OfBuffer(downloadedBuf);
-    if (!constantTimeHexEqual(actualHash, slot.sha256)) {
-      die(
-        'SHA-256 mismatch for ' + slot.filename + '\n' +
-          '  expected: ' + slot.sha256 + '\n' +
-          '  actual:   ' + actualHash + '\n' +
-          'The binary on the CDN may have been rotated, or the download was tampered with. ' +
-          'Verify the hash against https://quantumsequrity.com/download and report any ' +
-          'genuine mismatch to security@quantumsequrity.com.'
-      );
-    }
-    info('verified SHA-256 (' + downloadedBuf.length + ' bytes).');
-
-    const target = binTargetPath();
-
-    if (slot.format === 'exe' || slot.extract === 'passthrough') {
-      atomicWrite(target, downloadedBuf);
-    } else if (slot.format === 'deb' || slot.extract === 'deb') {
-      const dataMember = readDebDataMember(downloadedBuf);
-      const dataTarPath = path.join(tmpDir, dataMember.name);
-      fs.writeFileSync(dataTarPath, dataMember.data);
-      const binBuf = extractBinaryFromTar(dataTarPath, slot.binary_path_in_archive);
-      atomicWrite(target, binBuf);
-    } else if (slot.format === 'appimage' || slot.extract === 'appimage') {
-      atomicWrite(target, downloadedBuf);
-    } else {
-      die('unknown extract format in manifest: ' + slot.format + ' / ' + slot.extract);
-    }
-
-    info('qnsqy ' + PKG_VERSION + ' installed at ' + target);
-  } finally {
-    cleanupTmp();
-  }
-}
-
-main().catch(function (err) {
-  die(err && err.message ? err.message : String(err));
-});

package/uninstall.js

@@ -1,24 +0,0 @@
-#!/usr/bin/env node
-'use strict';
-
-// QNSQY npm wrapper uninstall hook.
-// Removes the downloaded binary on `npm uninstall qnsqy`. Idempotent: never errors.
-
-const fs = require('node:fs');
-const path = require('node:path');
-
-const BIN_DIR = path.join(__dirname, 'bin');
-const candidates = [
-  path.join(BIN_DIR, 'qnsqy-bin'),
-  path.join(BIN_DIR, 'qnsqy-bin.exe'),
-  path.join(BIN_DIR, 'qnsqy-bin.tmp'),
-  path.join(BIN_DIR, 'qnsqy-bin.exe.tmp'),
-];
-
-for (let i = 0; i < candidates.length; i++) {
-  try {
-    fs.unlinkSync(candidates[i]);
-  } catch (_) {
-    // already gone, ignore.
-  }
-}