qu3-app
qu3-app is a Python CLI/client that establishes quantum-safe secure sessions with an MCP server using post-quantum cryptography (Kyber KEM for key establishment and SPHINCS+ for request authentication), then sends encrypted/signed inference and policy-update requests and verifies encrypted/signed responses with server attestations. It also includes a FastAPI mock MCP server for local development/testing.
Score Breakdown
⚙ Agent Friendliness
🔒 Security
The client implements its own PQC-based session establishment (Kyber KEM) and message protection (AES-256-GCM), plus SPHINCS+ signatures on requests and server attestations, which is a strong cryptographic design direction. However, the README does not document TLS requirements, certificate validation behavior (if any), key storage protections (encryption at rest, file permissions, rotation), nonce management guarantees, or authorization/scoping controls beyond signing and verification. Dependency hygiene is uncertain: it relies on the cryptography package and on a liboqs-python dependency that tracks a GitHub branch rather than a pinned release, so upstream changes can land without review.
⚡ Reliability
Best When
You control both client and server (or can verify server behavior), and you need a working PQC-based encrypted/signed transport for MCP-like interactions.
Avoid When
You need TLS-based transport security guarantees only (this relies on its own PQC + AES-GCM session scheme), or you cannot ensure secure filesystem key handling.
Use Cases
- Local or development testing of quantum-safe MCP-style secure request/response flows
- Prototyping post-quantum secure client-server communication (KEM + signature + AEAD)
- Building CLI-driven workflows that call secured MCP endpoints for inference and policy updates
Not For
- Production deployments without a formally reviewed server implementation and threat model
- Environments where strong cryptographic key storage/rotation practices cannot be implemented
- Use cases requiring standardized auth (OAuth/API keys) rather than cryptographic identity and signatures
Interface
Authentication
Authentication is performed at the message level (sign/verify) rather than via OAuth scopes or API keys. The README does not describe any additional authorization model beyond what is implemented in the server logic.
Pricing
No pricing information provided (the open-source repository context is not sufficient to infer a paid service).
Agent Metadata
Known Gotchas
- ⚠ Protocol correctness depends on synchronized implementation details between client and MCP server (endpoint paths, message formats, nonces, attestation fields).
- ⚠ Server/public key fetching is automatic if missing, but there is no description of cache invalidation, key rotation, or failure recovery beyond "cannot proceed."
- ⚠ No explicit rate limit behavior is documented.
- ⚠ Key material is stored on the filesystem; agents should avoid logging or mishandling key files when running CLI commands.
Alternatives
Scores are editorial opinions as of 2026-03-30.