Documentation

Architecture, security model, and reference tables.

Architecture

quantashield/
├── apps/
│   ├── web/          ← Main site (Next.js 14) — localhost:3000
│   ├── qknight/      ← PQC encryption (React + Vite) — localhost:5173
│   └── reposhield/   ← GitHub scanner (React + Vite) — localhost:5174
└── packages/
    ├── types/        ← Shared TypeScript types
    ├── ui/           ← Quantashield Noir design system
    └── pqc-core/     ← Crypto engine (Kyber + Dilithium + AES)

QuantaShield Protocols

QS2
Hybrid envelope
X25519 + ML-KEM-768 dual KEM → HKDF → AES-256-GCM, ML-DSA-65 signed. At-rest encryption for QVault and device-to-device file sharing.
QS3
Forward-secret ratchet
KEM double ratchet on top of QS2 keys — one key per message, forward secrecy, and self-healing after a device compromise.
Protocol guide →

NIST Algorithm Reference

AlgorithmFIPSSecurity LevelPublic KeyPrivate KeyCiphertext/Sig
ML-KEM-512FIPS 2031800B1,632B768B
ML-KEM-768FIPS 20331,184B2,400B1,088B
ML-KEM-1024FIPS 20351,568B3,168B1,568B
ML-DSA-65FIPS 20431,952B4,032B3,309B sig

Supported Package Ecosystems

EcosystemManifest Files
npm / Node.jspackage.json, package-lock.json, yarn.lock
Pythonrequirements.txt, Pipfile, pyproject.toml, poetry.lock
Maven / Javapom.xml
Gradle / Javabuild.gradle, build.gradle.kts
NuGet / .NET*.csproj, packages.config, *.nuspec
Rust / CargoCargo.toml, Cargo.lock
Gogo.mod, go.sum
PHP / Composercomposer.json, composer.lock

Security Model

Key Storage
Private keys are stored in IndexedDB encrypted with AES-256-GCM. The encryption key is derived from your password using PBKDF2 (100,000 iterations, SHA-256). Keys never leave the browser.
Encryption Pipeline
ML-KEM-768 encapsulates a 256-bit shared secret. HKDF-SHA-256 derives an AES-256-GCM session key. The file is bulk-encrypted. ML-DSA-65 optionally signs the bundle.
GitHub Tokens
PATs are encrypted with AES-256-GCM in IndexedDB using a vault password. The token value is never displayed in plaintext after saving.
Vulnerability Data
Package names and versions are sent to the public OSV.dev API. No authentication required. Data travels directly from your browser to OSV — no proxy.
CSP
Content Security Policy prevents XSS and restricts network access to only the required APIs (github.com, api.osv.dev, services.nvd.nist.gov).