MCP Server
qtz-discovery-cli mcp serve starts a Model Context Protocol (MCP) server,
exposing all scan commands as tools that AI assistants (Claude Desktop, Cursor, Windsurf, etc.)
can call directly. Ask your AI to scan your codebase for quantum vulnerabilities without
leaving your editor.
Usage
qtz-discovery-cli mcp serve [--addr ADDRESS] [--transport TYPE]

# stdio transport — default, for Claude Desktop / Cursor
qtz-discovery-cli mcp serve
# SSE transport — listen on localhost (default when --addr is set)
qtz-discovery-cli mcp serve --addr 127.0.0.1:8080
# Streamable HTTP transport — MCP 2025-03-26 spec
qtz-discovery-cli mcp serve --addr 0.0.0.0:8080 --transport streamable-http
Flags
| Flag | Default | Description |
|---|---|---|
| --addr | — | Address to listen on for HTTP transport (e.g. 127.0.0.1:8080). When omitted, stdio is used. |
| --transport | sse | HTTP transport variant when --addr is set: sse or streamable-http. Ignored for stdio. |
Transport endpoints
| Transport | Endpoint | Notes |
|---|---|---|
| stdio | stdin / stdout | Default. Use for Claude Desktop, Cursor, Windsurf. |
| sse | GET /sse · POST /message | Legacy SSE transport. |
| streamable-http | /mcp | Modern transport (MCP spec 2025-03-26). |
Claude Desktop Configuration
Add the following to your Claude Desktop configuration file:
- macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
- Windows: %APPDATA%\Claude\claude_desktop_config.json
{
  "mcpServers": {
    "qtz": {
      "command": "/path/to/qtz-discovery-cli",
      "args": ["mcp", "serve"],
      "env": {
        "QTZ_SERVER_URL": "https://your-portal-url",
        "QTZ_SERVER_ORG_ID": "your-org-id",
        "QTZ_SERVER_API_KEY": "your-api-key"
      }
    }
  }
}
Restart Claude Desktop after saving. You will see a qtz tool group appear in the tool picker.
Cursor / Windsurf Configuration
Add to your project's .cursor/mcp.json or .windsurf/mcp.json:
{
  "servers": {
    "qtz": {
      "type": "stdio",
      "command": "/path/to/qtz-discovery-cli",
      "args": ["mcp", "serve"]
    }
  }
}
Available MCP Tools
| Tool | Description |
|---|---|
| scan_source | AI-driven SAST + SCA of a local directory or remote Git URL. Detects hardcoded keys, weak algorithms, and vulnerable library usage across all file types. |
| scan_iac | Scan Terraform, CloudFormation, and Pulumi configurations for cryptographic resource declarations. |
| scan_infra | Inventory cloud KMS/HSM keys — AWS KMS, GCP KMS, Azure Key Vault, HashiCorp Vault. |
| scan_network | Analyze TLS/SSH endpoints for cipher suite strength, certificate quality, and quantum-risk scoring. |
| upload_findings | Upload scan results (JSON) to the Quantizant portal for AI risk scoring and compliance reporting. |
| get_usage | Fetch LLM token usage summary from the connected Quantizant service. |
scan_source parameters
| Parameter | Type | Description |
|---|---|---|
| path | string (required) | Local path or remote Git URL to scan. |
| sast | boolean | Enable SAST regex-based scanning (default: true). |
| sca | boolean | Enable SCA dependency scanning (default: true). |
| llm | boolean | Enable AI-driven deep analysis (requires server connection). |
| llm_quality | string | Analysis depth: auto (default), fast, deep, or chain. |
| format | string | Output format: json (default), cbom, or sarif. |
| min_severity | string | Minimum severity to report: critical, high, medium, low, or info. |
| branch | string | Git branch to scan for remote URLs (default: main). |
Example AI Prompts
Once connected, you can use natural language to drive scans:
"Scan the current project directory for quantum-vulnerable cryptography and give me the top 5 critical findings."
"Check if api.example.com:443 is using any deprecated TLS ciphers or lacks a post-quantum key exchange."
"Scan the Terraform configs in ./infra for any cryptographic resources that use deprecated algorithms."
Portal Connection
Connect the MCP server to your Quantizant portal to enable AI risk scoring, the
upload_findings tool, and LLM-enhanced source analysis.
Set the following environment variables or add them to your config file:
# Environment variables
export QTZ_SERVER_URL=https://your-portal-url
export QTZ_SERVER_ORG_ID=your-org-id
export QTZ_SERVER_API_KEY=your-api-key

# Config file: ~/.qtz/config.yaml
server:
  url: https://your-portal-url
  org_id: your-org-id
  api_key: your-api-key
Config files are searched in order: .qtz-discovery.yaml (current directory),
config.yaml (current directory), then ~/.qtz/config.yaml.
Security Considerations
- The MCP server runs with the same filesystem permissions as the invoking user.
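- HTTP transport (sse and streamable-http) is not authenticated by default: only expose it on localhost (for example --addr 127.0.0.1:8080) or behind a reverse proxy that enforces authentication. An address such as 0.0.0.0:8080 listens on every network interface.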
- API keys are never logged or exposed in tool responses.
- For team environments, prefer stdio transport through a per-user install rather than a shared HTTP server.
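
The reverse-proxy option from the list above, as an added nginx example (not part of the Quantizant documentation). It assumes the server was started with `--addr 127.0.0.1:8080 --transport streamable-http`, that the MCP client can send an `Authorization` header, and that the hostname, certificate paths and htpasswd file are placeholders; the block belongs inside nginx's `http` context.

```nginx
# Added example: TLS + authentication in front of the unauthenticated
# streamable-http transport, which itself listens on loopback only.
server {
    listen 443 ssl;
    server_name mcp.internal.example;                 # placeholder hostname

    ssl_certificate     /etc/nginx/tls/mcp.crt;       # placeholder path
    ssl_certificate_key /etc/nginx/tls/mcp.key;       # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Every proxied request must carry valid credentials.
    # The user file is created with the `htpasswd` utility.
    auth_basic           "qtz MCP";
    auth_basic_user_file /etc/nginx/mcp.htpasswd;     # placeholder path

    # Only the streamable-http endpoint from the transport table is forwarded.
    location = /mcp {
        proxy_pass         http://127.0.0.1:8080;     # loopback upstream
        proxy_http_version 1.1;
        proxy_set_header   Connection "";
        proxy_set_header   Host $host;
        proxy_buffering    off;    # responses may be streamed; do not buffer
        proxy_read_timeout 1h;     # long-running scans; tune as needed
    }

    # Nothing else on the upstream is reachable through the proxy.
    location / {
        return 404;
    }
}
```

For the legacy sse transport, the same pattern applies with exact-match locations for `/sse` and `/message` in place of `/mcp`.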