PQC readiness scanner: TLS endpoints, source code, and certificate files
Project description
pqready
Post-quantum cryptography readiness scanner. Audits TLS endpoints, source code, and certificate files for quantum-vulnerable crypto and surfaces a prioritised migration plan.
Install
pip install pqready
Requires Python 3.11+.
Quickstart
# Scan a TLS endpoint
pqready tls api.example.com
# Scan a source tree
pqready source ./my-service
# Inspect a certificate file
pqready cert /etc/ssl/certs/api.example.com.pem
# Auto-detect target type
pqready scan ./my-service
pqready scan api.example.com
# Generate an HTML report
pqready tls api.example.com --output report.html
Exit codes: 0 clean · 1 CRITICAL/HIGH findings · 2 scan error.
What it detects
| Surface | Detects |
|---|---|
| TLS | Legacy TLS versions, RSA KEX, weak ciphers, RSA/ECC certs, hybrid PQC group |
| Source code | PyCrypto imports, RSA/EC primitive usage, MD5/SHA-1, weak config |
| Certificates | Key algorithm, key size, expiry, signature algorithm |
Findings are tagged with a finding ID (TLS-002, SRC-001, …), a severity,
remediation guidance, and the relevant NIST reference (FIPS 203 ML-KEM,
FIPS 204 ML-DSA, SP 800-52, etc.).
MCP server
pqready ships an MCP server (pqready-mcp) that exposes four tools:
scan_tls_endpoint(hostname, port)scan_source_code(path)scan_cert_file(path)generate_html_report(results_json, output_path)
Run it locally over stdio:
pqready-mcp
Wire it into Claude Code / Cursor / Cline as an MCP server. See
skill/SKILL.md for full tool schemas, return shapes, and a
decision tree for which tool to call.
Cloudflare Worker (remote MCP)
A thin proxy Worker lives in cf_worker/ for hosting the MCP
endpoint on Cloudflare with bearer-token auth, forwarding to a backend that
runs pqready-mcp (e.g. Cloud Run, Fly, VPS).
cd cf_worker
npm install
wrangler secret put PQREADY_API_TOKEN
npm run deploy
See cf_worker/README.md for details.
Library usage
from pqready.core.tls import scan_tls
from pqready.core.source import scan_source
from pqready.reporters.html import render_html
tls_result = scan_tls("api.example.com")
src_results = scan_source("./services")
render_html([tls_result, *src_results], "report.html")
Development
git clone https://github.com/shanglai/pqready.git
cd pqready
pip install -e ".[dev]"
ruff check .
pytest tests/
Contributing
Bug reports and PRs welcome. Please open an issue first for non-trivial changes so we can align on scope.
License
Apache-2.0. See LICENSE.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file pqready-0.2.0.tar.gz.
File metadata
- Download URL: pqready-0.2.0.tar.gz
- Upload date:
- Size: 31.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
e23d32ac8867d613ac7f40dd7b19cc5fbf23d0e6eed94906b7c213ffc7b751dd
|
|
| MD5 |
4b77d9b0a91d0960a55251f9c69d0b18
|
|
| BLAKE2b-256 |
a0f468dcf4604cd8418ae31c63f23cc799d52b3c27c1e5f0d3a6b97c9cbff353
|
Provenance
The following attestation bundles were made for pqready-0.2.0.tar.gz:
Publisher:
publish.yml on shanglai/pqready
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
pqready-0.2.0.tar.gz -
Subject digest:
e23d32ac8867d613ac7f40dd7b19cc5fbf23d0e6eed94906b7c213ffc7b751dd - Sigstore transparency entry: 1572141224
- Sigstore integration time:
-
Permalink:
shanglai/pqready@a948cd09d324e684965f7dc0da798c0fc54d114f -
Branch / Tag:
refs/tags/v0.2.0 - Owner: https://github.com/shanglai
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@a948cd09d324e684965f7dc0da798c0fc54d114f -
Trigger Event:
push
-
Statement type:
File details
Details for the file pqready-0.2.0-py3-none-any.whl.
File metadata
- Download URL: pqready-0.2.0-py3-none-any.whl
- Upload date:
- Size: 26.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
0b1dd3801f0ca8f94d3263295d5373d79513abe7fc2b61aad5dcee86d42717c1
|
|
| MD5 |
fdf3785bd04d988b933a201203a8c68a
|
|
| BLAKE2b-256 |
0ac665dcedf658ff3af7a9cba2a97151c4b3d0a7b300d97c25d817433aa5e73a
|
Provenance
The following attestation bundles were made for pqready-0.2.0-py3-none-any.whl:
Publisher:
publish.yml on shanglai/pqready
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
pqready-0.2.0-py3-none-any.whl -
Subject digest:
0b1dd3801f0ca8f94d3263295d5373d79513abe7fc2b61aad5dcee86d42717c1 - Sigstore transparency entry: 1572141265
- Sigstore integration time:
-
Permalink:
shanglai/pqready@a948cd09d324e684965f7dc0da798c0fc54d114f -
Branch / Tag:
refs/tags/v0.2.0 - Owner: https://github.com/shanglai
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@a948cd09d324e684965f7dc0da798c0fc54d114f -
Trigger Event:
push
-
Statement type: