quantumsafe-scan 0.1.0__tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -0,0 +1,21 @@
1
+ MIT License
2
+
3
+ Copyright (c) 2026 QuantumSafe
4
+
5
+ Permission is hereby granted, free of charge, to any person obtaining a copy
6
+ of this software and associated documentation files (the "Software"), to deal
7
+ in the Software without restriction, including without limitation the rights
8
+ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9
+ copies of the Software, and to permit persons to whom the Software is
10
+ furnished to do so, subject to the following conditions:
11
+
12
+ The above copyright notice and this permission notice shall be included in all
13
+ copies or substantial portions of the Software.
14
+
15
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18
+ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20
+ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21
+ SOFTWARE.
@@ -0,0 +1,569 @@
1
+ Metadata-Version: 2.4
2
+ Name: quantumsafe-scan
3
+ Version: 0.1.0
4
+ Summary: Scan codebases for quantum-vulnerable cryptography and generate a NIST-aligned migration plan.
5
+ Author: QuantumSafe
6
+ License: MIT
7
+ Project-URL: Homepage, https://github.com/Danny-397/Quantamn-Safe
8
+ Keywords: quantum,cryptography,pqc,nist,security,kyber,dilithium
9
+ Classifier: Programming Language :: Python :: 3
10
+ Classifier: License :: OSI Approved :: MIT License
11
+ Classifier: Topic :: Security :: Cryptography
12
+ Requires-Python: >=3.9
13
+ Description-Content-Type: text/markdown
14
+ License-File: LICENSE
15
+ Requires-Dist: rich>=13.0
16
+ Dynamic: license-file
17
+
18
+ # QuantumSafe
19
+
20
+ [![CI](https://github.com/Danny-397/Quantamn-Safe/actions/workflows/ci.yml/badge.svg)](https://github.com/Danny-397/Quantamn-Safe/actions/workflows/ci.yml)
21
+ ![Python](https://img.shields.io/badge/python-3.9%2B-blue)
22
+ ![License: MIT](https://img.shields.io/badge/license-MIT-green)
23
+ ![Standards](https://img.shields.io/badge/NIST-FIPS%20203%2F204%2F205-9d7bff)
24
+
25
+ **A post-quantum security platform that demonstrates the quantum attack, detects
26
+ the vulnerable cryptography in your code, and implements the quantum-safe fix.**
27
+
28
+ QuantumSafe scans code across 11 languages for the cryptography that quantum
29
+ computers will break (RSA, ECC, Diffie-Hellman) or weaken (AES-128, SHA-256),
30
+ scores the risk 0–100, and maps every finding to its NIST FIPS 203/204/205
31
+ replacement — backed by a real Qiskit implementation of Shor's and Grover's
32
+ algorithms and a from-scratch lattice (LWE) key-encapsulation mechanism.
33
+
34
+ > ⚠️ **Disclaimer.** QuantumSafe is a security-awareness and triage tool. It uses
35
+ > static pattern + AST analysis and is **not** a substitute for a professional
36
+ > cryptographic audit. Findings are heuristic and may include false
37
+ > positives/negatives.
38
+
39
+ ---
40
+
41
+ ## The three layers
42
+
43
+ QuantumSafe covers the full arc of the post-quantum problem — not just naming it,
44
+ but **executing** the attack, **finding** the vulnerable code, and **running** the
45
+ solution:
46
+
47
+ | Layer | Module | What it does |
48
+ |-------|--------|--------------|
49
+ | **1. Attack** | [`quantum/`](quantum/) | Shor's and Grover's algorithms in **Qiskit**, run on a quantum simulator. Shor factors a number and reconstructs an RSA key — the concrete reason RSA/ECC are rated HIGH. |
50
+ | **2. Detection** | [`cli/`](cli/) | A hybrid **AST + regex** static-analysis engine over 11 languages that scores risk and produces a NIST-aligned migration plan. **100% precision/recall** on a labeled [benchmark](benchmark/). |
51
+ | **3. Fix** | [`pqc/`](pqc/) | A from-scratch **lattice (LWE) key-encapsulation mechanism** — the math behind CRYSTALS-Kyber / ML-KEM — so the recommended fix is runnable and provable. |
52
+
53
+ The detection layer ships through three surfaces that share **one** engine:
54
+
55
+ - A **free CLI** (`pip install quantumsafe-scan`) — scan local dirs or public GitHub
56
+ repos; export JSON / HTML / SARIF / CBOM / SVG badge.
57
+ - A **Flask REST API** — powers the dashboard, ingests scans, handles auth.
58
+ - A **dark, terminal-style web dashboard** — scan history, findings, migration
59
+ plans, and exports. **Free, no paywall.**
60
+
61
+ ---
62
+
63
+ ## Why it matters
64
+
65
+ RSA-2048 and elliptic-curve crypto secure almost everything — HTTPS/TLS,
66
+ certificates, SSH, code signing, VPNs. **Shor's algorithm breaks all of it.** The
67
+ math is settled; only the hardware is missing (RSA-2048 needs millions of
68
+ error-corrected qubits, and today's machines have a few hundred noisy ones).
69
+
70
+ That gap is the reason to act now, not later:
71
+
72
+ - **"Harvest now, decrypt later":** an adversary can record encrypted traffic
73
+ today and decrypt it once the hardware exists. Anything that must stay secret
74
+ for 5–15 years is effectively at risk *now*.
75
+ - **Migration is slow:** swapping cryptography across a large codebase takes years
76
+ — which is why NIST finalized the post-quantum standards (FIPS 203/204/205) in
77
+ 2024.
78
+
79
+ QuantumSafe makes that migration tractable: **find** the vulnerable crypto,
80
+ **understand** why it's vulnerable, and **adopt** the quantum-safe replacement.
81
+
82
+ ---
83
+
84
+ ## Architecture
85
+
86
+ ![QuantumSafe architecture](docs/architecture.png)
87
+
88
+ One shared detection engine (`cli/`) sits behind three surfaces — the CLI, the
89
+ REST API, and the web dashboard — and is flanked by two runnable companions: the
90
+ `quantum/` attack module (which *justifies* the risk ratings) and the `pqc/`
91
+ defense module (which *implements* the recommended fix). Full write-up in
92
+ [docs/ARCHITECTURE.md](docs/ARCHITECTURE.md); the diagram is regenerated by
93
+ `python docs/make_architecture.py` (vector source: [docs/architecture.svg](docs/architecture.svg)).
94
+
95
+ ## Documentation
96
+
97
+ | Document | What's in it |
98
+ |----------|--------------|
99
+ | [docs/WHITEPAPER.md](docs/WHITEPAPER.md) | Full technical whitepaper: threat model, design, scoring, evaluation, limitations, future work |
100
+ | [docs/ARCHITECTURE.md](docs/ARCHITECTURE.md) | Components, the CLI→API→Scanner→Risk→Export pipeline, data flow, deployment topology |
101
+ | [docs/architecture_diagram.txt](docs/architecture_diagram.txt) | One-screen ASCII system diagram |
102
+ | [docs/EXAMPLES.md](docs/EXAMPLES.md) | **Real** scan output — terminal table, JSON, SARIF, HTML, badge |
103
+ | [docs/NIST_MAPPING.md](docs/NIST_MAPPING.md) | Every detected family → its NIST PQC replacement, with the reasoning |
104
+ | [docs/CVE_MAPPING.md](docs/CVE_MAPPING.md) | Findings mapped to general vulnerability classes (no invented CVEs) |
105
+ | [benchmark/RESULTS.md](benchmark/RESULTS.md) | Precision/recall/F1, risk distribution, reproducible charts |
106
+ | [TECHNICAL_OVERVIEW.md](TECHNICAL_OVERVIEW.md) | Design decisions, quantum-threat background, honest limitations |
107
+
108
+ ---
109
+
110
+ ## Key features
111
+
112
+ - **11-language detection** — Python (AST-aware), JavaScript/TypeScript, Java, Go,
113
+ Ruby, C#, PHP, Rust, C/C++, Kotlin, Swift.
114
+ - **0–100 Quantum Risk Score** computed from real findings (never hardcoded), with
115
+ Low/Medium/High/Critical bands.
116
+ - **NIST-aligned migration plan** — each finding mapped to ML-KEM/ML-DSA/SHA-3/
117
+ AES-256 with the relevant FIPS standard and a complexity estimate.
118
+ - **Six export formats** — terminal, JSON, HTML, **SARIF** (GitHub code scanning),
119
+ **CycloneDX CBOM**, and an embeddable **SVG risk badge**. The SARIF output is
120
+ validated against the official OASIS 2.1.0 JSON Schema and the CBOM against the
121
+ CycloneDX 1.6 crypto structure in the test suite, so they interoperate for real.
122
+ - **Real quantum demos** — Shor + Grover in Qiskit, plus circuit resource
123
+ estimates.
124
+ - **Real post-quantum crypto** — an LWE KEM verified over 200+ key exchanges with
125
+ zero failures.
126
+ - **Measured, not asserted** — a labeled benchmark with adversarial decoys, plus an
127
+ empirical study (88% of real repos affected).
128
+ - **Production practice** — one shared engine for CLI + API, **74 automated
129
+ tests**, CI, Docker, a reusable GitHub Action, and multi-service deploy configs.
130
+
131
+ ---
132
+
133
+ ## What it detects
134
+
135
+ | Risk | Algorithms |
136
+ |------|------------|
137
+ | **HIGH** — migrate immediately | RSA (any size, incl. RSA-2048/4096), ECDSA / ECDH / ECC, DSA, Diffie-Hellman, MD5, SHA-1 |
138
+ | **MEDIUM** — plan migration | TLS 1.0 / 1.1, 3DES / Triple DES, RC4, RSA key sizes under 2048 |
139
+ | **LOW** — monitor | SHA-256, AES-128, TLS 1.2 |
140
+
141
+ Each finding includes the file, line number, algorithm, risk level, *why* it is
142
+ vulnerable, and a NIST-approved replacement:
143
+
144
+ - RSA/ECC key exchange → **CRYSTALS-Kyber (ML-KEM, FIPS 203)**
145
+ - RSA/ECDSA/DSA signatures → **CRYSTALS-Dilithium (ML-DSA, FIPS 204)** / SPHINCS+ (FIPS 205)
146
+ - Hash functions → **SHA-3** or SHA-256
147
+ - Symmetric encryption → **AES-256**
148
+
149
+ ## Quantum Risk Score
150
+
151
+ A 0–100 score computed **from real findings**:
152
+
153
+ ```
154
+ score = min(100, 15*HIGH + 5*MEDIUM + 1*LOW)
155
+ ```
156
+
157
+ | Score | Band | Meaning |
158
+ |-------|------|---------|
159
+ | 0–30 | Low | Good quantum hygiene |
160
+ | 31–60 | Medium | Plan migration |
161
+ | 61–80 | High | Prioritize migration |
162
+ | 81–100 | Critical | Immediate action required |
163
+
164
+ ---
165
+
166
+ ## Evaluation (does the detector actually work?)
167
+
168
+ The scanner is measured against a labeled [benchmark](benchmark/) of 15 files
169
+ across 9 languages, including adversarial decoys (crypto names in comments,
170
+ docstrings, log strings, and word-boundary traps like `md5sumLabel`) designed to
171
+ trip a naive matcher. `evaluate.py` runs the scanner twice — a naive line-regex
172
+ baseline vs. the string/comment-aware engine — so the improvement is measured:
173
+
174
+ ```bash
175
+ python benchmark/evaluate.py
176
+ ```
177
+
178
+ | Configuration | FP | Precision | Recall | F1 |
179
+ |---|--:|--:|--:|--:|
180
+ | Naive line-regex baseline | 14 | 65.0% | 100% | 78.8% |
181
+ | **QuantumSafe (usage-aware)** | **0** | **100%** | **100%** | **100%** |
182
+
183
+ Usage-awareness removes 14 false positives (keywords inside docstrings/log strings)
184
+ without losing a true positive. `evaluate.py` prints the exact false
185
+ positives/negatives so the numbers are auditable, and the thresholds are enforced
186
+ by `tests/test_benchmark.py`. Honest
187
+ limits are documented in [benchmark/README.md](benchmark/README.md) and
188
+ [benchmark/RESULTS.md](benchmark/RESULTS.md) — this is a regression benchmark, not
189
+ a claim of perfection on arbitrary code.
190
+
191
+ These charts are generated from **live scanner output** by
192
+ `python benchmark/graphs/generate_graphs.py` (not hardcoded):
193
+
194
+ | Vulnerabilities by family | Severity split | Scan time vs. files |
195
+ |---|---|---|
196
+ | ![by type](benchmark/graphs/vulnerabilities_by_type.png) | ![severity](benchmark/graphs/severity_distribution.png) | ![scan time](benchmark/graphs/scan_time_vs_size.png) |
197
+
198
+ **See real scan output** — terminal table, JSON, SARIF, HTML, and an SVG risk
199
+ badge from an actual scan — in [docs/EXAMPLES.md](docs/EXAMPLES.md).
200
+
201
+ ### Real-world scan: paramiko (the SSH library)
202
+
203
+ Run against a shallow clone of [`paramiko/paramiko`](https://github.com/paramiko/paramiko)
204
+ — the SSH implementation behind Ansible, Fabric, and much of the Python ecosystem.
205
+ SSH key exchange leans on RSA, ECDSA, and Diffie-Hellman, all broken by Shor's
206
+ algorithm, which makes it a textbook "harvest now, decrypt later" target:
207
+
208
+ ```bash
209
+ quantumsafe scan --repo https://github.com/paramiko/paramiko
210
+ ```
211
+
212
+ | Metric | Result |
213
+ |---|---|
214
+ | Quantum Risk Score | **100 / 100 (Critical)** |
215
+ | Findings (usage-aware) | **110** — 89 HIGH, 6 MEDIUM, 15 LOW |
216
+ | Top algorithms | ECDSA ×23, ECC ×21, SHA-1 ×18, RSA ×15, MD5 ×10, 3DES ×6 |
217
+ | Most-affected files | `paramiko/pkey.py`, `rsakey.py`, `transport.py`, `ecdsakey.py` |
218
+
219
+ The usage-aware engine matters here: a naive line-regex reports **451 raw
220
+ matches**, but most are the same algorithms repeated in docstrings, comments, and
221
+ SSH protocol-name strings (`"ssh-rsa"`, `"ecdsa-sha2-nistp256"`). Focusing on real
222
+ code brings that to **110** findings — a ~4× noise reduction. *Honest caveat: on a
223
+ protocol library, a few of those suppressed string constants are arguably real
224
+ signals, so 110 is a deliberately conservative, code-focused count — not a claim
225
+ that the other 341 were all false positives.*
226
+
227
+ ### Empirical study — how widespread is the problem?
228
+
229
+ Scanning 8 widely-used open-source projects ([`study/`](study/), reproducible via
230
+ `python study/run_study.py`):
231
+
232
+ - **88%** contained at least one **HIGH-risk** (Shor-breakable) cryptographic usage.
233
+ - Average Quantum Risk Score: **72.9 / 100**.
234
+
235
+ Full results and caveats: [study/REPORT.md](study/REPORT.md).
236
+
237
+ ---
238
+
239
+ ## Quantum demonstrations (Shor & Grover)
240
+
241
+ ```bash
242
+ pip install -r quantum/requirements.txt
243
+ python quantum/shor.py # quantum order-finding factors N=15, then breaks a toy RSA key
244
+ python quantum/grover.py # recovers a hidden k-bit key in ~sqrt(2^k) steps
245
+ python quantum/resources.py # qubit count, circuit depth, gate counts vs. RSA-2048 estimates
246
+ ```
247
+
248
+ - **`shor.py`** uses quantum phase estimation over modular exponentiation to find
249
+ the order of `a mod N`, factors `N`, and reconstructs an RSA private key — the
250
+ concrete reason RSA/ECC are rated **HIGH**.
251
+ - **`grover.py`** uses amplitude amplification to search a key space in ~√N
252
+ queries, halving effective key strength — the reason AES-128/SHA-256 are **LOW**.
253
+
254
+ Honest scope: these run at small scale (factoring 15), the genuine state of the art
255
+ for end-to-end Shor. See [quantum/README.md](quantum/README.md).
256
+
257
+ ## Post-quantum solution ([`pqc/`](pqc/))
258
+
259
+ ```bash
260
+ pip install -r pqc/requirements.txt
261
+ python pqc/lwe_kem.py # Alice & Bob agree on a shared secret; an eavesdropper can't
262
+ python pqc/benchmark.py # measured latency + key/ciphertext sizes vs RSA & ML-KEM
263
+ ```
264
+
265
+ Why a quantum computer can't break it: LWE has **no periodic structure** for Shor
266
+ to exploit. See [pqc/README.md](pqc/README.md).
267
+
268
+ ---
269
+
270
+ ## CLI: install & usage
271
+
272
+ ```bash
273
+ pip install quantumsafe-scan # from PyPI once published
274
+ # or, from this repo:
275
+ pip install -e .
276
+ ```
277
+
278
+ ### Commands
279
+
280
+ ```bash
281
+ # Scan a local directory (colored terminal table)
282
+ quantumsafe scan --path ./myproject
283
+
284
+ # Scan a public GitHub repo (shallow-cloned to a temp dir, then cleaned up)
285
+ quantumsafe scan --repo https://github.com/org/app
286
+
287
+ # Write a report: JSON, HTML, SARIF, CycloneDX CBOM, or an SVG risk badge
288
+ quantumsafe scan --path ./myproject --output report.json
289
+ quantumsafe scan --path ./myproject --output report.html
290
+ quantumsafe scan --path ./myproject --output report.sarif # GitHub code scanning
291
+ quantumsafe scan --path ./myproject --output report.cbom.json # CycloneDX CBOM
292
+ quantumsafe scan --path ./myproject --output badge.svg # embeddable risk badge
293
+
294
+ # Skip paths with glob patterns (repeatable)
295
+ quantumsafe scan --path . --exclude 'tests/*' --exclude 'vendor/*'
296
+
297
+ # Fail the process (exit 1) if any HIGH finding exists — handy in CI
298
+ quantumsafe scan --path . --fail-on-high
299
+
300
+ # Try it on the bundled examples
301
+ quantumsafe scan --path examples
302
+
303
+ # Link the CLI to your dashboard, then scans auto-upload to your history
304
+ quantumsafe auth --key qs_live_xxxxxxxx --api-url https://quantumsafe-api.onrender.com
305
+ quantumsafe scan --path ./myproject # prints results AND syncs to dashboard
306
+ quantumsafe scan --path ./myproject --no-sync # local only, don't upload
307
+
308
+ # Version
309
+ quantumsafe version
310
+ ```
311
+
312
+ | Flag | Description |
313
+ |------|-------------|
314
+ | `--path` | Local directory or file to scan |
315
+ | `--repo` | Public `https://github.com/<org>/<repo>` URL |
316
+ | `--output` | Write to `.json`, `.cbom.json` (CycloneDX CBOM), `.html`, `.sarif`, or `.svg` (risk badge); terminal summary still printed |
317
+ | `--exclude` | Glob of paths to skip (repeatable) |
318
+ | `--fail-on-high` | Exit non-zero on any HIGH finding (CI gate) |
319
+ | `--no-sync` | Don't upload the result to your linked dashboard |
320
+
321
+ After `quantumsafe auth --key <key> --api-url <your-api>`, every `quantumsafe scan`
322
+ also uploads its report to your dashboard (`POST /api/v1/scan/import`). Use
323
+ `--no-sync` to keep a scan local.
324
+
325
+ **Suppressing a finding:** add `# quantumsafe: ignore` (any comment style) to the
326
+ line.
327
+
328
+ ### Use in CI (GitHub Action)
329
+
330
+ ```yaml
331
+ - uses: Danny-397/Quantamn-Safe@main
332
+ with:
333
+ path: .
334
+ exclude: tests/*,vendor/*
335
+ fail-on-high: "true"
336
+ - uses: github/codeql-action/upload-sarif@v3
337
+ with:
338
+ sarif_file: quantumsafe.sarif
339
+ ```
340
+
341
+ ---
342
+
343
+ ## API documentation
344
+
345
+ Base URL (dev): `http://localhost:5000` · all endpoints under `/api/v1`.
346
+ Authentication: **JWT** (`Authorization: Bearer <token>`) for the dashboard, or a
347
+ **CLI API key** (`X-API-Key: qs_live_...`) for the scan endpoint.
348
+
349
+ ### Auth
350
+
351
+ ```http
352
+ POST /api/v1/auth/register { "email", "password" } -> { token, user }
353
+ POST /api/v1/auth/login { "email", "password" } -> { token, user }
354
+ GET /api/v1/auth/verify?token=... -> { message }
355
+ POST /api/v1/auth/forgot { "email" } -> { message }
356
+ POST /api/v1/auth/reset { "token", "password" } -> { message }
357
+ GET /api/v1/auth/me (JWT) -> { user }
358
+ ```
359
+
360
+ ### Scanning
361
+
362
+ ```http
363
+ POST /api/v1/scan (JWT or X-API-Key)
364
+ { "repo_url": "https://github.com/org/app" } # or multipart file=<.zip>
365
+ -> { scan_id, report }
366
+
367
+ POST /api/v1/scan/import (X-API-Key) # used by the CLI to upload results
368
+ { "report": { ...quantumsafe report... } } -> { scan_id }
369
+
370
+ POST /api/v1/demo-scan (public, rate-limited) # landing-page live demo
371
+ { "code": "..." } -> { report } # runs the real engine, stores nothing
372
+
373
+ GET /api/v1/scans?page=1&per_page=20 (JWT) -> paginated list
374
+ GET /api/v1/scans/{id} (JWT) -> scan + findings
375
+ GET /api/v1/scans/{id}/export?format=json|html|csv|sarif|cbom|svg (JWT)
376
+ GET /api/v1/scans/{id}/migration (JWT) -> grouped migration plan
377
+ GET /api/v1/overview (JWT) -> dashboard stats + trend
378
+ ```
379
+
380
+ ### API key management
381
+
382
+ ```http
383
+ GET /api/v1/user/apikey (JWT) -> { has_api_key, api_key_prefix }
384
+ POST /api/v1/user/apikey (JWT) -> { api_key } # full key shown ONCE
385
+ ```
386
+
387
+ All endpoints are rate-limited; CORS is restricted to `FRONTEND_ORIGIN`. GDPR-style
388
+ endpoints (`/user/data` export, `/user/account` delete) let a user export or erase
389
+ all of their data.
390
+
391
+ ---
392
+
393
+ ## Dashboard
394
+
395
+ | Overview | Findings | Migration plan |
396
+ |---|---|---|
397
+ | ![Overview](docs/screenshots/overview.png) | ![Findings](docs/screenshots/findings.png) | ![Migration plan](docs/screenshots/migration-plan.png) |
398
+
399
+ A static site (`frontend/`) — no build step. Pages:
400
+
401
+ - **Landing** — hero, in-browser live scanner, feature pillars (free, no paywall).
402
+ - **Auth** — login, register, forgot/reset password.
403
+ - **Dashboard** — Overview (risk score, totals, trend chart, recent scans),
404
+ Scans (paginated), Findings (filterable), Settings (API key + account).
405
+ - **Scan detail** — full findings table, filter by risk, export JSON/HTML/CSV/SARIF/CBOM/SVG.
406
+ - **Migration plan** — findings grouped by risk with NIST replacement, standard
407
+ reference, and estimated complexity.
408
+ - **Research** — a public explainer of Shor/Grover/LWE/Kyber and the NIST standards.
409
+
410
+ Point the dashboard at your API by editing one line in `frontend/config.js`:
411
+
412
+ ```js
413
+ window.QUANTUMSAFE_API = "https://quantumsafe-api.onrender.com";
414
+ ```
415
+
416
+ (Leave it `""` for local development — it falls back to `http://localhost:5000`.)
417
+
418
+ ---
419
+
420
+ ## Local development setup
421
+
422
+ Requires Python 3.9+.
423
+
424
+ ```bash
425
+ git clone https://github.com/Danny-397/Quantamn-Safe
426
+ cd Quantamn-Safe
427
+
428
+ # 1) Install the shared scanner package (CLI) in editable mode
429
+ pip install -e .
430
+
431
+ # 2) Install backend dependencies
432
+ pip install -r backend/requirements.txt
433
+
434
+ # 3) Configure environment
435
+ cp .env.example .env # fill in SECRET_KEY / JWT_SECRET_KEY at minimum
436
+
437
+ # 4) Run the API (creates SQLite tables automatically)
438
+ cd backend
439
+ python app.py # http://localhost:5000 (health: /health)
440
+
441
+ # 5) Serve the dashboard (any static server)
442
+ cd ../frontend
443
+ python -m http.server 3000 # http://localhost:3000
444
+ ```
445
+
446
+ ### Run the whole stack with Docker
447
+
448
+ ```bash
449
+ docker compose up --build
450
+ # Dashboard -> http://localhost:3000 API -> http://localhost:5000
451
+ ```
452
+
453
+ ### Tests
454
+
455
+ ```bash
456
+ pip install -r requirements-dev.txt
457
+ pytest -q # 65 tests; in-memory DB, no setup
458
+ ```
459
+
460
+ Seed a demo account so the dashboard is populated:
461
+
462
+ ```bash
463
+ cd backend && python seed_demo.py # demo@quantumsafe.dev / demodemo123
464
+ ```
465
+
466
+ Without `MAIL_SERVER` configured, verification/reset emails are printed to the
467
+ server log instead of being sent — so you can develop without SMTP.
468
+
469
+ ---
470
+
471
+ ## Environment variables
472
+
473
+ See [`.env.example`](.env.example).
474
+
475
+ | Variable | Required | Where to get it |
476
+ |----------|----------|-----------------|
477
+ | `SECRET_KEY` | ✅ | Generate: `python -c "import secrets;print(secrets.token_hex(32))"` |
478
+ | `JWT_SECRET_KEY` | ✅ | Generate the same way (use a different value) |
479
+ | `DATABASE_URL` | prod | Render Postgres dashboard → *Connections* (SQLite used if unset) |
480
+ | `FRONTEND_ORIGIN` | ✅ | Your dashboard URL, e.g. `https://quantumsafe.vercel.app` |
481
+ | `DASHBOARD_URL` | ✅ | Same as above (used in emails) |
482
+ | `API_URL` | ✅ | The deployed API URL (used for email verify links) |
483
+ | `MAIL_SERVER` / `MAIL_PORT` / `MAIL_USE_TLS` | email | Your SMTP provider (e.g. `smtp.gmail.com` / 587 / true) |
484
+ | `MAIL_USERNAME` / `MAIL_PASSWORD` | email | SMTP credentials (Gmail: an App Password) |
485
+ | `MAIL_DEFAULT_SENDER` | email | The "from" address |
486
+ | `RATELIMIT_STORAGE_URI` | optional | `memory://` (dev) or a Redis URL (prod) |
487
+
488
+ ---
489
+
490
+ ## Deployment
491
+
492
+ [![Deploy to Render](https://render.com/images/deploy-to-render-button.svg)](https://render.com/deploy?repo=https://github.com/Danny-397/Quantamn-Safe)
493
+
494
+ See **[DEPLOYMENT.md](DEPLOYMENT.md)** for the full walkthrough. In short:
495
+
496
+ - **CLI → PyPI:** `python -m build && twine upload dist/*`
497
+ - **Backend → Render:** push the repo; Render reads [`render.yaml`](render.yaml)
498
+ (web service + Postgres). Set the `sync: false` env vars in the dashboard.
499
+ - **Frontend → Vercel:** set Root Directory to `frontend/`; point
500
+ `frontend/config.js` at your Render API URL.
501
+
502
+ ---
503
+
504
+ ## Project structure
505
+
506
+ ```
507
+ Quantamn-Safe/
508
+ ├── quantum/ # REAL quantum computing (Qiskit): the attacks themselves
509
+ │ ├── shor.py # Shor's algorithm — factors N, breaks RSA
510
+ │ ├── grover.py # Grover's algorithm — key-search speedup
511
+ │ ├── resources.py # qubit / depth / gate-count estimation
512
+ │ └── README.md
513
+ ├── pqc/ # Post-quantum SOLUTION: lattice (LWE) crypto from scratch
514
+ │ ├── lwe_kem.py # quantum-safe key encapsulation (the math behind Kyber)
515
+ │ ├── benchmark.py # latency & sizes vs RSA / ML-KEM
516
+ │ └── README.md
517
+ ├── cli/ # the `quantumsafe` package (CLI + shared engine)
518
+ │ ├── scanner.py # AST + regex detection
519
+ │ ├── scorer.py # risk score
520
+ │ ├── recommender.py # NIST recommendations
521
+ │ ├── reporter.py # terminal / JSON / HTML / SARIF / CBOM / SVG output
522
+ │ └── cli.py # argparse entry point
523
+ ├── backend/ # Flask REST API
524
+ │ ├── app.py config.py extensions.py models.py
525
+ │ ├── auth.py api.py scanner_service.py
526
+ │ └── requirements.txt
527
+ ├── frontend/ # static dashboard (no build step)
528
+ │ ├── index.html login.html dashboard.html scan.html migration.html
529
+ │ ├── research.html privacy.html terms.html
530
+ │ └── style.css app.js config.js
531
+ ├── benchmark/ # labeled precision/recall evaluation (+ graphs/)
532
+ ├── study/ # empirical scan over real open-source repos
533
+ ├── docs/ # whitepaper, architecture, NIST & vuln-class mappings
534
+ ├── pyproject.toml # packages cli/ as `quantumsafe`
535
+ └── render.yaml .env.example README.md
536
+ ```
537
+
538
+ ---
539
+
540
+ ## NIST PQC references
541
+
542
+ - **FIPS 203** — Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM / Kyber)
543
+ - **FIPS 204** — Module-Lattice-Based Digital Signature Algorithm (ML-DSA / Dilithium)
544
+ - **FIPS 205** — Stateless Hash-Based Digital Signature Algorithm (SLH-DSA / SPHINCS+)
545
+ - **NIST SP 800-52 Rev. 2** — TLS guidance
546
+ - **NIST SP 800-131A Rev. 2** — transitioning cryptographic algorithms/key lengths
547
+ - **NIST IR 8547** — transition to post-quantum cryptography standards
548
+
549
+ Full reasoning per algorithm: [docs/NIST_MAPPING.md](docs/NIST_MAPPING.md).
550
+
551
+ ---
552
+
553
+ ## If this were a product
554
+
555
+ QuantumSafe is intentionally **free and open source** — the core scan needs no
556
+ account, and the CLI / GitHub Action are the primary way it's meant to be used.
557
+ That's a deliberate choice, not a missing feature: a login wall would only add
558
+ friction to a tool whose value is instant.
559
+
560
+ For the record, the productization thinking exists even though it isn't built:
561
+ the free tier would stay everything shown here (scan, score, migration plan, all
562
+ exports); a paid tier would be the things that only make sense for an
563
+ organization — scheduled re-scans with drift alerts, multi-repo/org dashboards,
564
+ SSO, and audit-ready CBOM history for compliance. Those are operational features,
565
+ not gates on the core detection, which is the part that should always be open.
566
+
567
+ ## License
568
+
569
+ MIT — see [LICENSE](LICENSE).