Skip to main content

PQC readiness scanner: TLS endpoints, source code, and certificate files

Project description

pqready

PyPI version Python versions License CI

Post-quantum cryptography readiness scanner. Audits TLS endpoints, source code, and certificate files for quantum-vulnerable crypto and surfaces a prioritised migration plan.


Install

pip install pqready

Requires Python 3.11+.

Quickstart

# Scan a TLS endpoint
pqready tls api.example.com

# Scan a source tree
pqready source ./my-service

# Inspect a certificate file
pqready cert /etc/ssl/certs/api.example.com.pem

# Auto-detect target type
pqready scan ./my-service
pqready scan api.example.com

# Generate an HTML report
pqready tls api.example.com --output report.html

Exit codes: 0 clean · 1 CRITICAL/HIGH findings · 2 scan error.

What it detects

Surface Detects
TLS Legacy TLS versions, RSA KEX, weak ciphers, RSA/ECC certs, hybrid PQC group
Source code PyCrypto imports, RSA/EC primitive usage, MD5/SHA-1, weak config
Certificates Key algorithm, key size, expiry, signature algorithm

Findings are tagged with a finding ID (TLS-002, SRC-001, …), a severity, remediation guidance, and the relevant NIST reference (FIPS 203 ML-KEM, FIPS 204 ML-DSA, SP 800-52, etc.).

MCP server

pqready ships an MCP server (pqready-mcp) that exposes four tools:

  • scan_tls_endpoint(hostname, port)
  • scan_source_code(path)
  • scan_cert_file(path)
  • generate_html_report(results_json, output_path)

Run it locally over stdio:

pqready-mcp

Wire it into Claude Code / Cursor / Cline as an MCP server. See skill/SKILL.md for full tool schemas, return shapes, and a decision tree for which tool to call.

Cloudflare Worker (remote MCP)

A thin proxy Worker lives in cf_worker/ for hosting the MCP endpoint on Cloudflare with bearer-token auth, forwarding to a backend that runs pqready-mcp (e.g. Cloud Run, Fly, VPS).

cd cf_worker
npm install
wrangler secret put PQREADY_API_TOKEN
npm run deploy

See cf_worker/README.md for details.

Library usage

from pqready.core.tls import scan_tls
from pqready.core.source import scan_source
from pqready.reporters.html import render_html

tls_result = scan_tls("api.example.com")
src_results = scan_source("./services")
render_html([tls_result, *src_results], "report.html")

Development

git clone https://github.com/shanglai/pqready.git
cd pqready
pip install -e ".[dev]"
ruff check .
pytest tests/

Contributing

Bug reports and PRs welcome. Please open an issue first for non-trivial changes so we can align on scope.

License

Apache-2.0. See LICENSE.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

pqready-0.2.0.tar.gz (31.8 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

pqready-0.2.0-py3-none-any.whl (26.2 kB view details)

Uploaded Python 3

File details

Details for the file pqready-0.2.0.tar.gz.

File metadata

  • Download URL: pqready-0.2.0.tar.gz
  • Upload date:
  • Size: 31.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for pqready-0.2.0.tar.gz
Algorithm Hash digest
SHA256 e23d32ac8867d613ac7f40dd7b19cc5fbf23d0e6eed94906b7c213ffc7b751dd
MD5 4b77d9b0a91d0960a55251f9c69d0b18
BLAKE2b-256 a0f468dcf4604cd8418ae31c63f23cc799d52b3c27c1e5f0d3a6b97c9cbff353

See more details on using hashes here.

Provenance

The following attestation bundles were made for pqready-0.2.0.tar.gz:

Publisher: publish.yml on shanglai/pqready

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file pqready-0.2.0-py3-none-any.whl.

File metadata

  • Download URL: pqready-0.2.0-py3-none-any.whl
  • Upload date:
  • Size: 26.2 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for pqready-0.2.0-py3-none-any.whl
Algorithm Hash digest
SHA256 0b1dd3801f0ca8f94d3263295d5373d79513abe7fc2b61aad5dcee86d42717c1
MD5 fdf3785bd04d988b933a201203a8c68a
BLAKE2b-256 0ac665dcedf658ff3af7a9cba2a97151c4b3d0a7b300d97c25d817433aa5e73a

See more details on using hashes here.

Provenance

The following attestation bundles were made for pqready-0.2.0-py3-none-any.whl:

Publisher: publish.yml on shanglai/pqready

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page