feat(pqc): add quantum-readiness audit plugin #1691

Open
Taas-ai wants to merge 2 commits into hiero-ledger:main from Taurus-Ai-Corp:feat/pqc-readiness-plugin

@Taas-ai Taas-ai commented Mar 25, 2026

Summary

Adds a pqc plugin that provides post-quantum cryptography readiness assessment for managed Hiero accounts.

Closes #1690

What This PR Does

Introduces three new commands:

Command                                      Description
hcli pqc audit [--account] [--network]       Scan managed accounts for quantum-vulnerable key types (ED25519, ECDSA)
hcli pqc score --account 0.0.123456          Calculate detailed Quantum Readiness Score with breakdown
hcli pqc report [--format json|csv|human]    Generate compliance reports in multiple formats

Key Features

  • 5-tier vulnerability classification based on NIST SP 800-131A Rev 3: PQC_READY (0) → CRITICAL (4)
  • Quantum Readiness Score (QRS): Composite 0-100 score factoring key vulnerability (40%), algorithm diversity (20%), rotation readiness (20%), and CNSA 2.0 compliance alignment (20%)
  • Compliance flags: CNSA 2.0 (2027 deadline), NIST FIPS 203 (ML-KEM), NIST FIPS 204 (ML-DSA)
  • Multiple output formats: JSON (machine-readable), CSV (CRM/spreadsheet import), human-readable with Handlebars templates

Why Now

  • NIST finalized PQC standards (FIPS 203/204/205) in August 2024
  • NSA CNSA 2.0 mandates PQC adoption by 2027
  • Every key in Hiero today (ED25519, ECDSA-secp256k1) is broken by Shor's algorithm
  • "Harvest now, decrypt later" attacks make assessment urgent even before PQC key support exists
  • No existing HIP or tooling addresses PQC readiness in the Hiero ecosystem

Plugin Architecture

Follows the standard hiero-cli plugin structure:

src/plugins/pqc/
├── manifest.ts              # 3 CommandSpec entries
├── index.ts                 # Barrel exports
├── types.ts                 # VulnerabilityTier enum, QRS weights, interfaces
├── utils.ts                 # Scoring engine, algorithm classification
├── commands/
│   ├── audit/               # handler.ts, input.ts, output.ts, index.ts
│   ├── score/               # handler.ts, input.ts, output.ts, index.ts
│   └── report/              # handler.ts, input.ts, output.ts, index.ts
└── __tests__/unit/
    └── audit.test.ts        # 14 unit tests for utils

Testing

14 unit tests covering:

  • Algorithm classification (ED25519, ECDSA, ML-DSA, ML-KEM, unknown algorithms)
  • Key detection by byte length (32, 33, 65 bytes)
  • QRS calculation (empty keys, all-critical, with/without admin, PQC-ready, bounds)
  • Recommendation generation (critical keys, missing admin, rotation possible)

Related Work

  • A companion HIP (Hiero Improvement Proposal) is being prepared to formalize the PQC readiness framework
  • Hiero TSC Issue #220 — Migrate Hedera-Cryptography Repo
  • hiero-sdk-js Issue #3054 — Noble Migration (precursor to PQC support)
  • Consensus Node Issue #17294 — Future cryptography key needs

Checklist

  • Follows plugin architecture from PLUGIN_ARCHITECTURE_GUIDE.md
  • Zod schemas for all inputs and outputs
  • Handlebars templates for human-readable output
  • Unit tests for core utilities
  • Conventional commit format
  • DCO sign-off
  • No breaking changes to existing functionality
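The byte-length detection and weighted score from the description above, as an added example that is not the plugin's code: it also checks the SEC1 prefix byte, since length alone cannot tell a compressed secp256k1 point from any other 33-byte value. The tier given to each algorithm, the SubScores inputs and the fail-closed handling of unknown or empty key sets are assumptions; only the weights, the tier endpoints and the key lengths come from the description.

```typescript
// Added example, not the plugin's code. Only the weights, the tier endpoints
// (PQC_READY = 0, CRITICAL = 4) and the key lengths come from the PR text.
type Algo = 'ED25519' | 'ECDSA_SECP256K1' | 'ML_DSA' | 'UNKNOWN';

const PQC_READY = 0;
const CRITICAL = 4;
const WEIGHTS = { keyVulnerability: 0.4, diversity: 0.2, rotation: 0.2, cnsa: 0.2 };

// Byte length is a heuristic, so ECDSA points are also checked for their SEC1
// prefix byte. A 32-byte value can equally be a private key, so callers must
// already know they hold a public key.
function classifyPublicKey(raw: Uint8Array): Algo {
  if (raw.length === 32) return 'ED25519';
  if (raw.length === 33 && (raw[0] === 0x02 || raw[0] === 0x03)) return 'ECDSA_SECP256K1';
  if (raw.length === 65 && raw[0] === 0x04) return 'ECDSA_SECP256K1';
  return 'UNKNOWN';
}

// Assumption: classical signature keys are CRITICAL, and unknown algorithms
// are scored as CRITICAL as well (fail closed) instead of being skipped.
function tierOf(algo: Algo): number {
  return algo === 'ML_DSA' ? PQC_READY : CRITICAL;
}

// Assumption: the three non-key components arrive as 0..100 sub-scores.
interface SubScores { diversity: number; rotation: number; cnsa: number }

function quantumReadinessScore(algos: Algo[], sub: SubScores): number {
  if (algos.length === 0) return 0; // nothing assessed, so claim no readiness
  const avgTier = algos.reduce((sum, a) => sum + tierOf(a), 0) / algos.length;
  const keyScore = 100 * (1 - avgTier / CRITICAL);
  const total =
    WEIGHTS.keyVulnerability * keyScore +
    WEIGHTS.diversity * sub.diversity +
    WEIGHTS.rotation * sub.rotation +
    WEIGHTS.cnsa * sub.cnsa;
  return Math.min(100, Math.max(0, Math.round(total)));
}

// Constructed sample keys: zero-filled buffers with only the prefix byte set.
const compressed = new Uint8Array(33); compressed[0] = 0x02;
const badPrefix = new Uint8Array(33); badPrefix[0] = 0x07;
const sampleAlgos = [new Uint8Array(32), compressed].map(classifyPublicKey);
// All other components at 100 cannot lift an all-classical account above 60.
const cappedScore = quantumReadinessScore(sampleAlgos, { diversity: 100, rotation: 100, cnsa: 100 });
```

Because key vulnerability carries 40% of the weight, an account holding only ED25519 or ECDSA keys can still reach 60 under these assumptions, so a report consumer should read the per-component breakdown and not the composite alone.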

@Taas-ai Taas-ai requested a review from a team as a code owner March 25, 2026 00:57

Taas-ai added a commit to Taurus-Ai-Corp/hiero-improvement-proposals that referenced this pull request Mar 25, 2026
Proposes a PQC readiness assessment framework for the Hiero
ecosystem, including vulnerability classification, Quantum
Readiness Scoring (QRS), and CLI tooling specification.

Reference implementation: hiero-ledger/hiero-cli#1691

Signed-off-by: Effin Fernandez <admin@taurusai.io>
Co-Authored-By: E.Fdz <taurus_ai@Effins-MacBook-Pro.local>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Taurus AI Corp <admin@taurusai.io>

Adds a PQC readiness assessment plugin with three commands:
- pqc audit: Scan managed accounts for quantum-vulnerable keys
- pqc score: Calculate Quantum Readiness Score with breakdown
- pqc report: Generate compliance reports (JSON, CSV, human)

Implements NIST FIPS 203/204 vulnerability classification,
Quantum Readiness Score (QRS) methodology, and CNSA 2.0
compliance alignment tracking.

Closes hiero-ledger#1690

Co-Authored-By: Effin Fernandez <admin@taurusai.io>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Effin Fernandez <admin@taurusai.io>

@Taas-ai Taas-ai force-pushed the feat/pqc-readiness-plugin branch from 2f2d697 to f37cb5e Compare March 25, 2026 01:19

Taas-ai added a commit to Taurus-Ai-Corp/hiero-improvement-proposals that referenced this pull request Mar 25, 2026
Proposes a PQC readiness assessment framework for the Hiero
ecosystem, including vulnerability classification, Quantum
Readiness Scoring (QRS), and CLI tooling specification.

Reference implementation: hiero-ledger/hiero-cli#1691

Co-Authored-By: Effin Fernandez <admin@taurusai.io>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Effin Fernandez <admin@taurusai.io>

- Fix Object.entries() on array return (audit + score handlers)
- Extract analyseKey() to shared utils (eliminates duplication)
- Add calculateQRSWithBreakdown() — single source of truth for scoring
- Score handler now inspects actual key data instead of hardcoding ED25519
- Use EntityReferenceSchema for account input validation
- Add CSV field escaping to prevent formula injection
- Document SDK version dependency for KeyList detection

Signed-off-by: Effin Fernandez <admin@taurusai.io>
Co-Authored-By: Effin Fernandez <admin@taurusai.io>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Taurus AI Corp <admin@taurusai.io>
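One way to implement the CSV field escaping named in the commit message above, as an added example that is not the PR's code: it neutralises leading formula characters before applying RFC 4180 quoting. The function names and sample rows are constructed, and passing numbers through unescaped is an assumption that the tool generates them itself.

```typescript
// Added example, not the PR's code. Function names and sample values are
// constructed for illustration.
const FORMULA_TRIGGERS = ['=', '+', '-', '@', '\t', '\r'];

function escapeCsvField(value: unknown): string {
  // Assumption: numbers are produced by the tool itself, so they pass through.
  if (typeof value === 'number') return String(value);
  let text = value === null || value === undefined ? '' : String(value);
  // Spreadsheets evaluate a cell whose first character is a trigger, so
  // prefix an apostrophe to force the cell to be read as text.
  if (text.length > 0 && FORMULA_TRIGGERS.indexOf(text.charAt(0)) !== -1) {
    text = "'" + text;
  }
  // RFC 4180 quoting: wrap fields that contain a delimiter, quote or line
  // break, doubling any embedded quotes.
  if (/[",\r\n]/.test(text)) {
    text = '"' + text.replace(/"/g, '""') + '"';
  }
  return text;
}

function toCsv(header: string[], rows: unknown[][]): string {
  const all: unknown[][] = [header, ...rows];
  return all.map((row) => row.map((f) => escapeCsvField(f)).join(',')).join('\r\n');
}

// Constructed report rows: the second account carries a hostile display name.
const sampleCsv = toCsv(
  ['account', 'name', 'qrs'],
  [
    ['0.0.123456', 'treasury', 40],
    ['0.0.123457', '=SUM(1,2)', 60],
  ],
);
```

The apostrophe prefix also applies to legitimate strings such as "-5", which is the usual trade-off for exports that are opened in a spreadsheet.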
Taas-ai added a commit to Taurus-Ai-Corp/hiero-improvement-proposals that referenced this pull request Mar 26, 2026
Proposes a PQC readiness assessment framework for the Hiero
ecosystem, including vulnerability classification, Quantum
Readiness Scoring (QRS), and CLI tooling specification.

Reference implementation: hiero-ledger/hiero-cli#1691

Co-Authored-By: Effin Fernandez <admin@taurusai.io>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Taurus AI Corp <admin@taurusai.io>

Development

Successfully merging this pull request may close these issues.

feat: Post-Quantum Cryptography readiness assessment plugin