Documentation
Architecture, security model, and reference tables.
Architecture
quantashield/
├── apps/
│ ├── web/ ← Main site (Next.js 14) — localhost:3000
│ ├── qknight/ ← PQC encryption (React + Vite) — localhost:5173
│ └── reposhield/ ← GitHub scanner (React + Vite) — localhost:5174
└── packages/
├── types/ ← Shared TypeScript types
├── ui/ ← Quantashield Noir design system
└── pqc-core/ ← Crypto engine (Kyber + Dilithium + AES)QuantaShield Protocols
QS2
Hybrid envelope
X25519 + ML-KEM-768 dual KEM → HKDF → AES-256-GCM, ML-DSA-65 signed. At-rest encryption for QVault and device-to-device file sharing.
QS3Protocol guide →
Forward-secret ratchet
KEM double ratchet on top of QS2 keys — one key per message, forward secrecy, and self-healing after a device compromise.
NIST Algorithm Reference
| Algorithm | FIPS | Security Level | Public Key | Private Key | Ciphertext/Sig |
|---|---|---|---|---|---|
| ML-KEM-512 | FIPS 203 | 1 | 800B | 1,632B | 768B |
| ML-KEM-768 | FIPS 203 | 3 | 1,184B | 2,400B | 1,088B |
| ML-KEM-1024 | FIPS 203 | 5 | 1,568B | 3,168B | 1,568B |
| ML-DSA-65 | FIPS 204 | 3 | 1,952B | 4,032B | 3,309B sig |
Supported Package Ecosystems
| Ecosystem | Manifest Files |
|---|---|
| npm / Node.js | package.json, package-lock.json, yarn.lock |
| Python | requirements.txt, Pipfile, pyproject.toml, poetry.lock |
| Maven / Java | pom.xml |
| Gradle / Java | build.gradle, build.gradle.kts |
| NuGet / .NET | *.csproj, packages.config, *.nuspec |
| Rust / Cargo | Cargo.toml, Cargo.lock |
| Go | go.mod, go.sum |
| PHP / Composer | composer.json, composer.lock |
Security Model
Key Storage
Private keys are stored in IndexedDB encrypted with AES-256-GCM. The encryption key is derived from your password using PBKDF2 (100,000 iterations, SHA-256). Keys never leave the browser.
Encryption Pipeline
ML-KEM-768 encapsulates a 256-bit shared secret. HKDF-SHA-256 derives an AES-256-GCM session key. The file is bulk-encrypted. ML-DSA-65 optionally signs the bundle.
GitHub Tokens
PATs are encrypted with AES-256-GCM in IndexedDB using a vault password. The token value is never displayed in plaintext after saving.
Vulnerability Data
Package names and versions are sent to the public OSV.dev API. No authentication required. Data travels directly from your browser to OSV — no proxy.
CSP
Content Security Policy prevents XSS and restricts network access to only the required APIs (github.com, api.osv.dev, services.nvd.nist.gov).