quirk-scanner 4.10.0__tar.gz

quirk_scanner-4.10.0/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Digs
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

quirk_scanner-4.10.0/PKG-INFO

@@ -0,0 +1,75 @@
+Metadata-Version: 2.4
+Name: quirk-scanner
+Version: 4.10.0
+Summary: QU.I.R.K. -- Quantum Infrastructure Readiness Kit
+License: Proprietary
+Requires-Python: >=3.10
+License-File: LICENSE
+Requires-Dist: PyYAML>=6.0
+Requires-Dist: cryptography>=44.0
+Requires-Dist: SQLAlchemy>=2.0
+Requires-Dist: tqdm>=4.67
+Requires-Dist: cyclonedx-python-lib[json-validation]<12,>=11.7.0
+Requires-Dist: httpx>=0.28.0
+Requires-Dist: jinja2>=3.1.0
+Requires-Dist: rich>=13.0.0
+Requires-Dist: PyJWT>=2.12.0
+Requires-Dist: python-jose>=3.5.0
+Requires-Dist: boto3>=1.42.0
+Requires-Dist: azure-identity>=1.25.0
+Requires-Dist: azure-keyvault-certificates>=4.10.0
+Requires-Dist: azure-keyvault-keys>=4.11.0
+Requires-Dist: azure-mgmt-network>=30.2.0
+Requires-Dist: dnspython[dnssec]>=2.8.0
+Requires-Dist: lxml>=6.0
+Requires-Dist: beautifulsoup4>=4.13.0
+Requires-Dist: defusedxml>=0.7.1
+Requires-Dist: signxml>=4.4.0
+Requires-Dist: nh3>=0.2.17
+Provides-Extra: dashboard
+Requires-Dist: fastapi>=0.128.8; extra == "dashboard"
+Requires-Dist: uvicorn[standard]>=0.39.0; extra == "dashboard"
+Requires-Dist: python-multipart>=0.0.20; extra == "dashboard"
+Requires-Dist: playwright>=1.58.0; extra == "dashboard"
+Requires-Dist: croniter>=1.4.0; extra == "dashboard"
+Requires-Dist: pypdf>=4.0; extra == "dashboard"
+Provides-Extra: identity
+Requires-Dist: impacket<0.14,>=0.13.0; extra == "identity"
+Requires-Dist: ldap3>=2.9.1; extra == "identity"
+Provides-Extra: adcs
+Requires-Dist: ldap3>=2.9.1; extra == "adcs"
+Provides-Extra: cloud
+Requires-Dist: google-api-python-client>=2.0.0; extra == "cloud"
+Requires-Dist: google-auth>=2.36.0; extra == "cloud"
+Requires-Dist: azure-mgmt-storage>=21.0.0; extra == "cloud"
+Requires-Dist: kubernetes>=35.0.0; extra == "cloud"
+Requires-Dist: google-cloud-container>=2.0.0; extra == "cloud"
+Requires-Dist: azure-mgmt-containerservice>=35.0.0; extra == "cloud"
+Requires-Dist: hvac>=2.4.0; extra == "cloud"
+Provides-Extra: db
+Requires-Dist: psycopg2-binary>=2.9.0; extra == "db"
+Requires-Dist: PyMySQL>=1.1.0; extra == "db"
+Provides-Extra: motion
+Requires-Dist: quirk-scanner[email]; extra == "motion"
+Requires-Dist: quirk-scanner[broker]; extra == "motion"
+Requires-Dist: quirk-scanner[kafka]; extra == "motion"
+Provides-Extra: email
+Provides-Extra: broker
+Requires-Dist: redis>=5.0; extra == "broker"
+Provides-Extra: kafka
+Requires-Dist: kafka-python>=2.0; extra == "kafka"
+Provides-Extra: redis
+Requires-Dist: redis>=5.0; extra == "redis"
+Provides-Extra: cbom
+Requires-Dist: cyclonedx-python-lib[json-validation]<12,>=11.7.0; extra == "cbom"
+Provides-Extra: dev
+Requires-Dist: towncrier>=24.7.0; extra == "dev"
+Provides-Extra: all
+Requires-Dist: quirk-scanner[cloud]; extra == "all"
+Requires-Dist: quirk-scanner[cbom]; extra == "all"
+Requires-Dist: quirk-scanner[db]; extra == "all"
+Requires-Dist: quirk-scanner[motion]; extra == "all"
+Requires-Dist: quirk-scanner[redis]; extra == "all"
+Requires-Dist: quirk-scanner[dashboard]; extra == "all"
+Requires-Dist: quirk-scanner[adcs]; extra == "all"
+Dynamic: license-file

quirk_scanner-4.10.0/README.md

@@ -0,0 +1,110 @@
+[![Python Staleness Gate](https://img.shields.io/github/actions/workflow/status/0xD1g5/QU.I.R.K./python-staleness.yml?branch=main&label=CI)](https://github.com/0xD1g5/QU.I.R.K./actions/workflows/python-staleness.yml)
+[![PyPI version](https://img.shields.io/pypi/v/quirk-scanner.svg)](https://pypi.org/project/quirk-scanner/)
+[![License: MIT](https://img.shields.io/github/license/0xD1g5/QU.I.R.K.)](LICENSE)
+[![Sigstore attested](https://img.shields.io/badge/sigstore-attested-blue)](docs/release-process.md#attestation-verification)
+[![Security Policy](https://img.shields.io/badge/security-policy-blue)](SECURITY.md)
+
+# QU.I.R.K. — v4.10.0
+
+**Quantum Infrastructure Readiness Kit** — consulting-grade cryptographic inventory and quantum-readiness assessment.
+
+QU.I.R.K. is an agentless scanner that discovers crypto material across TLS endpoints, SSH services, JWT-issuing APIs, container images, Git repositories, AWS cloud resources, and Azure cloud resources. It produces a Cryptography Bill of Materials (CBOM) in CycloneDX JSON and XML, computes a quantum-readiness score (0–100), and generates a professional PDF report a consultant can hand directly to a client.
+
+## For your role
+
+**For the security consultant.** QU.I.R.K. produces the deliverable you bill for: a CycloneDX CBOM, a 0–100 quantum-readiness score with four subscores (Hygiene, Modern TLS, Identity, Agility), and a client-ready PDF report. Point it at a client's TLS endpoints, SSH services, JWT-issuing APIs, and cloud accounts; hand back the findings and the prioritized remediation roadmap. No agents to deploy, no software for the client to install.
+
+**For the IT generalist.** Start with the simple question — *what crypto do we even have running?* — and end with an answerable inventory. QU.I.R.K. walks your environment, names every TLS endpoint, SSH host, container image, and KMS key it can reach, and tells you which ones are quantum-vulnerable. The dashboard at `http://localhost:8512` lets you browse the findings interactively before you commit to any remediation work.
+
+**For the compliance officer.** Quantum-readiness is on the audit radar (NIST PQC, CNSA 2.0, FIPS 140-3 transitions). QU.I.R.K. ships compliance mappings against CMVP / FIPS 140-3 with documented staleness review cadence, surfaces algorithm classifications that map to those frameworks, and produces artifact-grade output (CBOM JSON/XML, PDF reports) you can attach to an audit response.
+
+![QU.I.R.K. dashboard against the chaos lab](docs/images/dashboard-hero.png)
+*Dashboard view of a scan against the chaos lab — quantum-readiness score, subscores, findings, and CBOM browser.*
+
+<!-- TODO(LAUNCH-01): replace docs/images/dashboard-hero.png with a real screenshot captured against a running dashboard. The current file is a placeholder (1×1 transparent PNG) per Phase 85-05 deviation; capture a real screenshot post-merge from a live macOS arm64 run against the chaos lab `phaseA` (tls-weak) profile. -->
+
+## Quick Start
+
+Three commands to a working scan:
+
+```bash
+pip install quirk-scanner[all]
+quirk init
+quirk --config config.yaml
+```
+
+Watch a 60-second run: `<asciinema-link-here>` *(recording is a manual post-merge task — see `.planning/phases/85-public-launch-polish/85-05-SUMMARY.md`)*.
+
+Then follow the [Getting Started guide](docs/getting-started.md) for a walkthrough of the 3-step quickstart with explanations of each command.
+
+## Documentation
+
+| Guide | Description |
+|-------|-------------|
+| [Getting Started](docs/getting-started.md) | Zero to first scan in under 10 minutes |
+| [Installation](docs/installation.md) | System requirements, macOS, Linux, Windows WSL |
+| [Configuration Reference](docs/configuration.md) | All config.yaml options and CLI flags |
+| [Connector Guides](docs/connectors/) | AWS, Azure, Docker, Git setup with credential templates |
+| [Report Interpretation](docs/report-interpretation.md) | What every score and finding means, client conversation guide |
+| [CBOM Guide](docs/cbom-guide.md) | What a CBOM is and how to cite it as compliance evidence |
+| [Chaos Lab Operator Guide](docs/chaos-lab.md) | Lab profiles, port matrix, expected findings |
+| [Intelligence Schema](docs/intelligence-schema.md) | `intelligence-*.json` output format reference |
+| [Upgrade Guide](docs/upgrade-guide.md) | v4.x → v4.10 upgrade procedure with `quirk db migrate` |
+| [Release Process](docs/release-process.md) | PyPI / GHCR / Homebrew tap publish procedure + Sigstore attestation verification |
+| [UAT Test Series](docs/UAT-SERIES.md) | Full user acceptance testing guide — CLI, lab, dashboard |
+
+## What QU.I.R.K. Scans
+
+- **TLS/HTTPS endpoints** — certificate metadata, cipher suites, TLS version, chain trust
+- **SSH services** — host key algorithms, KEX algorithms, MAC algorithms, cipher suites
+- **JWT-issuing APIs** — algorithm discovery via JWKS and OIDC endpoints
+- **Docker container images** — crypto libraries detected via Syft SBOM analysis
+- **Git repositories / source code** — cryptographic API usage via Semgrep analysis
+- **AWS** — ACM certificates, KMS key specs, CloudFront distributions, ELBv2 listeners
+- **Azure** — Key Vault keys and certificates, Application Gateway TLS policies
+
+## Output Artifacts
+
+- **Quantum-readiness score** (0–100) — overall score with four subscores: Hygiene, Modern TLS, Identity, Agility
+- **CBOM** in CycloneDX JSON + XML — inventory of all discovered cryptographic components
+- **Web dashboard** at `http://localhost:8512` — interactive findings browser and CBOM graph
+- **PDF report** — client-ready export from the dashboard
+
+Sample CBOM fixtures live in [`examples/cbom/`](examples/) — one per major scan profile (TLS-only, identity, data-at-rest, data-in-motion), deterministic and committed to the repo.
+
+## What's New in v4.3
+
+- **GCP Connector (Phase 26)** — Cloud KMS key classification (47-entry algorithm map including PQC), Cloud SQL TLS enforcement, and GCS CMEK detection.
+- **Database Encryption Detection (Phase 27)** — PostgreSQL, MySQL, and RDS encryption posture surfaced via a new `data_at_rest` subscore.
+- **Object Storage Audit (Phase 28)** — S3 SSE-S3/SSE-KMS/CMK, Azure Blob CMK/platform-managed, GCS CMEK using zero duplicate API calls.
+- **Kubernetes Secrets Inspection (Phase 29)** — EKS/GKE/AKS managed cluster encryption APIs; RBAC-403 graceful degradation.
+- **HashiCorp Vault Connector (Phase 30)** — Transit key type classification (including ml-dsa/slh-dsa PQC positive), PKI mount CA cert auditing, and auth method risk tiering.
+- **Trend Analysis (v4.3, Phase 31)** — `quirk/intelligence/trends.py` produces a session-over-session score delta plus per-severity new/resolved finding counts between the two most recent scan sessions. Surfaced via `GET /api/trends` and a new dashboard `/trends` tab. No new SQLite table — uses existing scanned_at grouping.
+
+## Install From Other Channels
+
+- **PyPI (recommended):** `pip install quirk-scanner[all]` — see Quick Start above. The release is signed and attestation-verified via Sigstore + PyPI Trusted Publishers (`gh attestation verify`).
+- **Homebrew (macOS):** `brew install 0xD1g5/quirk/quirk` — installs into an isolated `pipx`-style venv under `libexec`. *(Tap bootstrap is a manual post-release task; becomes functional once the `0xD1g5/homebrew-quirk` tap repo is published with the first signed sdist sha256.)* See [Homebrew Tap](docs/release-process.md#homebrew-tap-launch-02) for the bootstrap procedure.
+- **Docker (GHCR, multi-arch):** `docker run ghcr.io/0xd1g5/quirk:latest --help` — `linux/amd64` + `linux/arm64`. See [Container Image](docs/release-process.md#container-image-launch-03).
+
+> **No `curl | bash` installer.** This is a deliberate non-feature, not an oversight — see [`docs/release-process.md` → `curl | bash` Non-Decision](docs/release-process.md). Piping HTTP to a shell defeats the integrity guarantees of Sigstore attestations and PyPI Trusted Publishers; install via pip / brew / docker only.
+
+<details>
+<summary>Develop from source</summary>
+
+```bash
+git clone https://github.com/0xD1g5/QU.I.R.K.
+cd QU.I.R.K.
+python -m venv .venv && source .venv/bin/activate
+pip install -e '.[dashboard]'
+playwright install chromium
+quirk --help
+```
+
+Editable install is for contributors — end users should prefer the PyPI / Homebrew / GHCR paths above.
+
+</details>
+
+## License
+
+MIT. See [LICENSE](LICENSE).

quirk_scanner-4.10.0/pyproject.toml

@@ -0,0 +1,149 @@
+[build-system]
+requires = ["setuptools>=68"]
+build-backend = "setuptools.build_meta"
+
+[project]
+name = "quirk-scanner"
+version = "4.10.0"
+description = "QU.I.R.K. -- Quantum Infrastructure Readiness Kit"
+requires-python = ">=3.10"
+license = {text = "Proprietary"}
+dependencies = [
+    "PyYAML>=6.0",
+    "cryptography>=44.0",
+    "SQLAlchemy>=2.0",
+    "tqdm>=4.67",
+    "cyclonedx-python-lib[json-validation]>=11.7.0,<12",
+    "httpx>=0.28.0",
+    "jinja2>=3.1.0",
+    "rich>=13.0.0",
+    "PyJWT>=2.12.0",
+    "python-jose>=3.5.0",
+    "boto3>=1.42.0",
+    "azure-identity>=1.25.0",
+    "azure-keyvault-certificates>=4.10.0",
+    "azure-keyvault-keys>=4.11.0",
+    "azure-mgmt-network>=30.2.0",
+    "dnspython[dnssec]>=2.8.0",
+    "lxml>=6.0",
+    "beautifulsoup4>=4.13.0",
+    "defusedxml>=0.7.1",
+    "signxml>=4.4.0",
+    "nh3>=0.2.17",
+]
+
+[project.optional-dependencies]
+dashboard = [
+    "fastapi>=0.128.8",
+    "uvicorn[standard]>=0.39.0",
+    "python-multipart>=0.0.20",
+    "playwright>=1.58.0",
+    "croniter>=1.4.0",
+    "pypdf>=4.0",  # Phase 78 / HARDEN-04: PDF metadata verification (test-only)
+]
+identity = [
+    "impacket>=0.13.0,<0.14",
+    "ldap3>=2.9.1",
+]
+# Phase 80 ADCS-07: dedicated extras group for the AD CS scanner. Lists ONLY
+# ldap3 (NOT impacket) so that quirk[adcs] can safely be included in [all]
+# without re-introducing the pyOpenSSL/cryptography downgrade chain that
+# quirk[identity] would. tests/test_install_all_excludes_impacket.py guards
+# this invariant. cryptography is already a core dep (>=44.0); Plan 80-04
+# adds a CI matrix asserting the floor across [adcs] + [all] combinations.
+adcs = [
+    "ldap3>=2.9.1",
+]
+cloud = [
+    "google-api-python-client>=2.0.0",
+    "google-auth>=2.36.0",
+    "azure-mgmt-storage>=21.0.0",      # Phase 28: Azure Blob encryption audit (STOR-02)
+    "kubernetes>=35.0.0",              # Phase 29: Kubernetes secrets inspection (K8S-01, K8S-02)
+    "google-cloud-container>=2.0.0",   # Phase 29: GKE databaseEncryption.state (K8S-01)
+    "azure-mgmt-containerservice>=35.0.0",  # Phase 29: AKS Key Vault KMS detection (K8S-01)
+    "hvac>=2.4.0",                     # Phase 30: HashiCorp Vault connector (VAULT-01/02/03)
+]
+db = [
+    "psycopg2-binary>=2.9.0",
+    "PyMySQL>=1.1.0",
+]
+motion = ["quirk-scanner[email]", "quirk-scanner[broker]", "quirk-scanner[kafka]"]
+email = []
+broker = ["redis>=5.0"]
+kafka = ["kafka-python>=2.0"]
+redis = ["redis>=5.0"]
+cbom = ["cyclonedx-python-lib[json-validation]>=11.7.0,<12"]
+dev = [
+    "towncrier>=24.7.0",
+]
+all = [
+    "quirk-scanner[cloud]",
+    "quirk-scanner[cbom]",
+    "quirk-scanner[db]",
+    "quirk-scanner[motion]",
+    "quirk-scanner[redis]",
+    "quirk-scanner[dashboard]",
+    "quirk-scanner[adcs]",  # Phase 80 ADCS-07 — ldap3-only, no impacket
+]
+# NOTE: quirk[identity] is INTENTIONALLY EXCLUDED from [all] -- impacket
+# transitively pulls pyOpenSSL which downgrades cryptography and breaks the
+# TLS scanner. See Phase 45 / D-01. tests/test_install_all_excludes_impacket.py
+# guards this; do NOT add quirk[identity] to the list above.
+
+[project.scripts]
+quirk = "run_scan:_run_main_with_job_guard"
+
+[tool.setuptools.packages.find]
+include = ["quirk*"]
+
+[tool.setuptools]
+py-modules = ["run_scan"]
+
+[tool.setuptools.package-data]
+quirk = ["reports/templates/*.j2", "config_template.yaml", "dashboard/static/**/*"]
+
+[tool.pytest.ini_options]
+markers = [
+    "slow: marks tests as slow (deselect with '-m not slow')",
+    "live_infra: marks tests requiring live external infrastructure (Docker/cloud/etc)",
+]
+addopts = "-m 'not slow'"
+testpaths = ["tests"]
+pythonpath = ["."]
+
+# RELENG-04 (Phase 84-02): towncrier CHANGELOG automation.
+# Per-PR fragments live under changelog.d/<id>.<kind>.md. At release time:
+#   towncrier build --version X.Y.Z --yes
+# consumes fragments and prepends a rendered section above the
+# `<!-- towncrier release notes start -->` marker in CHANGELOG.md.
+[tool.towncrier]
+package = "quirk"
+directory = "changelog.d"
+filename = "CHANGELOG.md"
+title_format = "## [{version}] - {project_date}"
+start_string = "<!-- towncrier release notes start -->\n"
+
+[[tool.towncrier.type]]
+directory = "feature"
+name = "Added"
+showcontent = true
+
+[[tool.towncrier.type]]
+directory = "bugfix"
+name = "Fixed"
+showcontent = true
+
+[[tool.towncrier.type]]
+directory = "doc"
+name = "Documentation"
+showcontent = true
+
+[[tool.towncrier.type]]
+directory = "removal"
+name = "Removed"
+showcontent = true
+
+[[tool.towncrier.type]]
+directory = "misc"
+name = "Misc"
+showcontent = false

quirk_scanner-4.10.0/quirk/__init__.py

@@ -0,0 +1,29 @@
+"""QU.I.R.K. -- Quantum Infrastructure Readiness Kit
+
+Version resolution (D-84-R1 / v4.10 D-02):
+``pyproject.toml [project.version]`` is the canonical source of truth. The
+``__version__`` attribute below derives from installed package metadata via
+``importlib.metadata.version`` so there is no second literal to keep in sync.
+
+For unpackaged dev runs (fresh checkout, never ``pip install -e .``-d), the
+``PackageNotFoundError`` fallback parses ``pyproject.toml`` directly via
+``tomllib`` so importing the package never fails on a bare clone.
+"""
+from importlib.metadata import PackageNotFoundError, version as _pkg_version
+
+_DIST_NAME = "quirk-scanner"
+
+try:
+    __version__ = _pkg_version(_DIST_NAME)
+except PackageNotFoundError:
+    # Unpackaged dev run — parse pyproject.toml at the repo root.
+    import tomllib
+    from pathlib import Path
+
+    _pyproject_path = Path(__file__).resolve().parent.parent / "pyproject.toml"
+    try:
+        _pyproject = tomllib.loads(_pyproject_path.read_text(encoding="utf-8"))
+        __version__ = _pyproject["project"]["version"]
+    except (OSError, KeyError, tomllib.TOMLDecodeError):
+        # Last-resort sentinel — keeps imports safe even in pathological envs.
+        __version__ = "0.0.0+unknown"

quirk_scanner-4.10.0/quirk/assessment/migration_advisor.py

@@ -0,0 +1,102 @@
+from __future__ import annotations
+
+import re
+from typing import Dict, Final, FrozenSet, List
+
+
+# Phase 74-03 D-08 (WR-09): canonical algorithm synonym map + word-boundary
+# matcher. Replaces substring matching that produced false positives like
+# `'DES' in 'DESede'` and `'DES' in 'libdes3.so'`. Word-boundaries (`\b`)
+# eliminate the substring-inside-identifier class. Also consumed by
+# `quirk/qramm/evidence_bridge.py::_walk_json_for_alg_strings` (D-09).
+CANONICAL_ALG_SYNONYMS: Final[Dict[str, FrozenSet[str]]] = {
+    "DES":  frozenset({"DES", "DES-EDE", "DES-CBC"}),
+    "3DES": frozenset({"3DES", "TripleDES", "DES-EDE3"}),
+    "RC4":  frozenset({"RC4", "ARCFOUR"}),
+    "MD5":  frozenset({"MD5"}),
+    "SHA1": frozenset({"SHA1", "SHA-1"}),
+}
+
+
+def _matches(canonical: str, text: str) -> bool:
+    """Word-boundary regex match for ``canonical`` (or any of its synonyms) in ``text``.
+
+    Case-insensitive. Returns False when the canonical token appears only as a
+    substring inside a larger identifier (e.g. ``DESede``, ``libdes3.so``).
+    """
+    variants = CANONICAL_ALG_SYNONYMS.get(canonical, frozenset({canonical}))
+    pattern = r"\b(" + "|".join(re.escape(v) for v in variants) + r")\b"
+    return bool(re.search(pattern, text, re.IGNORECASE))
+
+
+def recommend_migration_paths(findings: List[Dict]) -> List[Dict]:
+    """
+    Convert raw findings into recommended migration paths.
+    This is a rules-based v3.5 layer; later becomes richer with
+    cipher enumeration, chain analysis, cloud/PKI connectors.
+    """
+    recs: List[Dict] = []
+
+    for f in findings:
+        title = (f.get("title") or "").lower()
+        sev = f.get("severity")
+        host = f.get("host")
+        port = f.get("port")
+
+        if sev == "INFO":
+            continue
+
+        # Legacy TLS — Phase 74 D-08: word-boundary match on title token
+        if re.search(r"\blegacy tls\b", title):
+            recs.append({
+                "host": host,
+                "port": port,
+                "severity": sev,
+                "path": "Hygiene → Modernization",
+                "recommendation": "Upgrade to TLS 1.2+ immediately; prefer TLS 1.3. Standardize termination configs and block legacy versions at gateways/LBs.",
+            })
+            continue
+
+        # Plaintext HTTP — Phase 74 D-08: word-boundary
+        if re.search(r"\bplaintext http\b", title):
+            recs.append({
+                "host": host,
+                "port": port,
+                "severity": sev,
+                "path": "Hygiene",
+                "recommendation": "Migrate HTTP→HTTPS. If legacy, front with TLS-terminating reverse proxy and enforce redirects + HSTS where applicable.",
+            })
+            continue
+
+        # Quantum transition — Phase 74 D-08: word-boundary
+        if re.search(r"\bquantum\b", title):
+            recs.append({
+                "host": host,
+                "port": port,
+                "severity": sev,
+                "path": "Modernization → PQC Preparation",
+                "recommendation": "Stabilize on modern classical crypto baselines (TLS 1.3, standardized configs) and prepare for hybrid/PQC vendor upgrades. Prioritize long-lived sensitive data flows and trust anchors.",
+            })
+            continue
+
+        # SSH planning — Phase 74 D-08: word-boundary closes `sshfp` false positive
+        if re.search(r"\bssh\b", title):
+            recs.append({
+                "host": host,
+                "port": port,
+                "severity": sev,
+                "path": "Modernization → PQC Preparation",
+                "recommendation": "Inventory SSH host keys/KEX algorithms, rotate off legacy RSA where feasible, and plan for vendor support of hybrid/PQC approaches as they mature.",
+            })
+            continue
+
+        # Default
+        recs.append({
+            "host": host,
+            "port": port,
+            "severity": sev,
+            "path": "Modernization",
+            "recommendation": f.get("recommendation") or "Standardize crypto baselines and plan phased upgrades.",
+        })
+
+    return recs

quirk_scanner-4.10.0/quirk/assessment/operator_context.py

@@ -0,0 +1,137 @@
+from __future__ import annotations
+
+import logging
+from dataclasses import dataclass, asdict
+from typing import Any, Dict, List, Optional
+
+logger = logging.getLogger(__name__)
+
+
+@dataclass
+class OperatorContext:
+    data_types: List[str]              # e.g., ["PCI","PHI"]
+    data_longevity_years: int          # e.g., 7
+    exposure: str                      # "internal" | "mixed" | "internet"
+    crown_jewels: List[str]            # list of hosts / fqdn / ip strings
+
+    def to_dict(self) -> Dict[str, Any]:
+        return asdict(self)
+
+
+def _normalize_choice(s: str) -> str:
+    return (s or "").strip().upper()
+
+
+def _prompt_list(prompt: str) -> List[str]:
+    raw = input(prompt).strip()
+    if not raw:
+        return []
+    return [x.strip() for x in raw.split(",") if x.strip()]
+
+
+def prompt_for_context() -> OperatorContext:
+    print("\n🧠 Assessment Context (v3.5.1)")
+    print("This helps generate a better Quantum Readiness Score + Transition Roadmap.\n")
+
+    print("Select data types present (comma-separated). Examples: PCI, PHI, FINANCIAL, TRADE, PUBLIC")
+    dt = _prompt_list("Data types: ")
+    dt = [_normalize_choice(x) for x in dt]
+
+    # Longevity
+    try:
+        years_raw = input("How many years must this data remain confidential? (default 7): ").strip()
+        years = int(years_raw) if years_raw else 7
+    except Exception:
+        years = 7
+    if years < 1:
+        raise ValueError(
+            f"Data longevity years must be at least 1 (got: {years_raw!r})"
+        )
+
+    # Exposure
+    print("\nExposure context:")
+    print("  1) internal  (internal-only / segmented)")
+    print("  2) mixed     (internal + some internet-facing)")
+    print("  3) internet  (many internet-facing services)")
+    exp_raw = input("Choose 1/2/3 (default 2): ").strip()
+    exposure = "mixed"
+    if exp_raw == "1":
+        exposure = "internal"
+    elif exp_raw == "3":
+        exposure = "internet"
+
+    # Crown jewels
+    cj = _prompt_list("\nOptional: crown jewels hosts/IPs/FQDNs (comma-separated, blank to skip): ")
+    cj = [x.strip() for x in cj if x.strip()]
+
+    ctx = OperatorContext(
+        data_types=dt or ["PUBLIC"],
+        data_longevity_years=years,
+        exposure=exposure,
+        crown_jewels=cj,
+    )
+    print("\n✅ Context captured.\n")
+    return ctx
+
+
+def attach_context(cfg, ctx: OperatorContext) -> None:
+    """
+    Attach context to cfg in a way that is safe across dataclass/pydantic configs.
+    Prefer cfg.assessment_context if possible; otherwise attach to cfg.assessment if it exists.
+    """
+    ctx_dict = ctx.to_dict()
+
+    # Try top-level storage
+    # D-07 (WR-08): narrow AttributeError so missing-attribute paths are visible
+    # in logs (not silently swallowed). Trailing `except Exception` is a user-
+    # override safety net — log AND re-raise so unexpected failures remain
+    # observable (e.g. dataclass FrozenInstanceError, custom __setattr__ raising
+    # ValueError, etc.).
+    try:
+        setattr(cfg, "assessment_context", ctx_dict)
+        return
+    except AttributeError as e:
+        logger.warning("attach_context skipped — source object missing attribute: %s", e)
+    except Exception as e:
+        logger.warning("attach_context unexpected: %s", e)
+        raise
+
+    # Try nested (cfg.assessment.*)
+    try:
+        assessment = getattr(cfg, "assessment", None)
+        if assessment is not None:
+            setattr(assessment, "context", ctx_dict)
+            return
+    except AttributeError as e:
+        logger.warning("attach_context skipped — source object missing attribute: %s", e)
+    except Exception as e:
+        logger.warning("attach_context unexpected: %s", e)
+        raise
+
+    # Last resort: no-op (still safe; score engine will default)
+    return
+
+
+def get_context(cfg) -> Dict[str, Any]:
+    """
+    Retrieve context dict if available; otherwise return defaults.
+    """
+    # 1) top-level
+    ctx = getattr(cfg, "assessment_context", None)
+    if isinstance(ctx, dict):
+        return ctx
+
+    # 2) nested
+    assessment = getattr(cfg, "assessment", None)
+    if assessment is not None:
+        ctx2 = getattr(assessment, "context", None)
+        if isinstance(ctx2, dict):
+            return ctx2
+
+    # defaults
+    return {
+        "data_types": ["PUBLIC"],
+        "data_longevity_years": 7,
+        "exposure": "mixed",
+        "crown_jewels": [],
+    }

quirk_scanner-4.10.0/quirk/cbom/__init__.py

@@ -0,0 +1,12 @@
+"""CBOM generation pipeline."""
+from quirk.cbom.builder import build_cbom
+from quirk.cbom.classifier import classify_algorithm, quantum_safety_label, QuantumSafety
+from quirk.cbom.writer import write_cbom_files
+
+__all__ = [
+    "build_cbom",
+    "classify_algorithm",
+    "quantum_safety_label",
+    "QuantumSafety",
+    "write_cbom_files",
+]