{"id":"qu3ai-qu3-app","name":"qu3-app","homepage":null,"repo_url":"https://github.com/qu3ai/qu3-app","category":"security","subcategories":[],"tags":["ai-ml","devtools","security","cryptography","post-quantum","pqc","mcp","fastapi","python"],"what_it_does":"qu3-app is a Python CLI/client that establishes quantum-safe secure sessions with an MCP server using post-quantum cryptography (Kyber KEM for key establishment and SPHINCS+ for request authentication), then sends encrypted/signed inference and policy-update requests and verifies encrypted/signed responses with server attestations. It also includes a FastAPI mock MCP server for local development/testing.","use_cases":["Local or development testing of quantum-safe MCP-style secure request/response flows","Prototyping post-quantum secure client-server communication (KEM + signature + AEAD)","Building CLI-driven workflows that call secured MCP endpoints for inference and policy updates"],"not_for":["Production deployments without a formally reviewed server implementation and threat model","Environments where strong cryptographic key storage/rotation practices cannot be implemented","Use cases requiring standardized auth (OAuth/API keys) rather than cryptographic identity and signatures"],"best_when":"You control both client and server (or can verify server behavior), and you need a working PQC-based encrypted/signed transport for MCP-like interactions.","avoid_when":"You need TLS-based transport security guarantees only (this relies on its own PQC + AES-GCM session scheme), or you cannot ensure secure filesystem key handling.","alternatives":["MCP clients over standard HTTPS/TLS with conventional auth (OAuth2/mTLS)","Other post-quantum secure channel prototypes/libraries (e.g., PQC hybrid TLS stacks, where available)","Custom cryptographic client-server protocols using established frameworks rather than bespoke endpoint crypto"],"af_score":41.2,"security_score":48.5,"reliability_score":25.0,"package_type":"mcp_server","discovery_source":["github"],"priority":"high","status":"evaluated","version_evaluated":null,"last_evaluated":"2026-03-30T15:22:45.372069+00:00","interface":{"has_rest_api":true,"has_graphql":false,"has_grpc":false,"has_mcp_server":false,"mcp_server_url":null,"has_sdk":false,"sdk_languages":["Python"],"openapi_spec_url":null,"webhooks":false},"auth":{"methods":["Cryptographic client authentication via SPHINCS+ signatures on payloads","Server attestation via SPHINCS+ signatures on response/attestation data","No conventional API-key/OAuth described in README"],"oauth":false,"scopes":false,"notes":"Authentication is performed at the message level (sign/verify) rather than via OAuth scopes or API keys. The README does not describe any additional authorization model beyond what is implemented in the server logic."},"pricing":{"model":null,"free_tier_exists":false,"free_tier_limits":null,"paid_tiers":[],"requires_credit_card":false,"estimated_workload_costs":null,"notes":"No pricing information provided (open-source repository context not sufficient to infer a paid service)."},"requirements":{"requires_signup":false,"requires_credit_card":false,"domain_verification":false,"data_residency":[],"compliance":[],"min_contract":null},"agent_readiness":{"af_score":41.2,"security_score":48.5,"reliability_score":25.0,"mcp_server_quality":45.0,"documentation_accuracy":65.0,"error_message_quality":0.0,"error_message_notes":null,"auth_complexity":55.0,"rate_limit_clarity":10.0,"tls_enforcement":40.0,"auth_strength":85.0,"scope_granularity":20.0,"dependency_hygiene":55.0,"secret_handling":35.0,"security_notes":"The client implements its own PQC-based session establishment (Kyber KEM) and message protection (AES-256-GCM) plus SPHINCS+ request/attestation signatures, which is a strong cryptographic design direction. However, the README does not document TLS requirements, certificate validation behavior (if any), key storage protections (encryption at rest, permissions, rotation), nonce management guarantees, or authorization/scoping controls beyond signing/verification. Dependency hygiene is uncertain: it relies on cryptography and a GitHub-tracking liboqs-python branch (risk of unpinned changes).","uptime_documented":0.0,"version_stability":30.0,"breaking_changes_history":30.0,"error_recovery":40.0,"idempotency_support":"false","idempotency_notes":null,"pagination_style":"none","retry_guidance_documented":false,"known_agent_gotchas":["Protocol correctness depends on synchronized implementation details between client and MCP server (endpoint paths, message formats, nonces, attestation fields).","Server/public key fetching is automatic if missing, but there’s no description of cache invalidation, key rotation, or failure recovery beyond “cannot proceed.”","No explicit rate limit behavior is documented.","Key material is stored on the filesystem; agents should avoid logging or mishandling key files when running CLI commands."]}}