CLI Reference

Manage vault entries, encrypt data, generate compliance reports, and query audit logs - all from your terminal using the qs CLI.

Install & Configure#

Install the CLI globally via npm. The binary is available as both quantaseal and the shorter alias qs.

bash

# Install globally
npm install -g @quantaseal/cli

# Verify installation
qs --version

# Set your API key (stored in ~/.quantaseal/config.json)
qs config set api-key qs_live_...

# Verify connectivity and authentication
qs health

# View current configuration
qs config show

Encryption Commands#

Encrypt and decrypt data with ML-KEM-768 + AES-256-GCM (NIST FIPS 203). Sign and verify payloads with ML-DSA-65 + HMAC-SHA-512 (NIST FIPS 204). Both signatures must pass on verify - verified with bitwise &.

bash

# Encrypt a string (ML-KEM-768 + AES-256-GCM)
qs encrypt --text "my sensitive data"

# Encrypt from a file
qs encrypt --file secrets.txt --out encrypted.json

# Decrypt
qs decrypt --file encrypted.json

# Sign a payload (ML-DSA-65 + HMAC-SHA-512)
qs sign --text "payload to sign" --out sig.json

# Verify - both ML-DSA-65 and HMAC-SHA-512 must pass
qs verify --text "payload to sign" --sig-file sig.json

Vault Commands#

Manage credentials in QuantaVault - 3-layer PQC encryption with ML-KEM-768, AWS KMS-wrap, and AES-256-GCM. Supported credential types include api_key, oauth2_token, basic_auth, mtls_cert, bearer_token, database_dsn, and more.

bash

# List all vault entries (metadata only - no plaintext values)
qs vault list

# Seal (store) a new credential
qs vault seal --name "stripe-production-key" --type api_key

# Seal with TTL (auto-expire after 90 days)
qs vault seal --name "temp-token" --type bearer_token --ttl 90

# Unseal (retrieve) a credential by ID
qs vault unseal cred_abc123

# Rotate - re-encrypt with a new ML-KEM-768 key pair
qs vault rotate cred_abc123

# Delete permanently (logged to audit chain)
qs vault delete cred_abc123

Integrations Commands#

Manage the 40+ system integrations connected through the QuantaSeal proxy engine.

bash

# List all integrations for your tenant
qs integrations list

# Test connectivity for an integration
qs integrations test int_abc123

# Emergency revoke - disables integration immediately
qs integrations revoke int_abc123 --reason "Suspected credential compromise"

Compliance Commands#

Generate compliance reports from the immutable SHA3-256 audit hash chain. 9 frameworks, 56 controls.

bash

# Generate a SOC 2 Type II report (returns signed S3 PDF URL)
qs compliance report --framework soc2

# Run all 9 frameworks in one command
qs compliance all

# Get compliance score (0–100) without generating a PDF
qs compliance score --framework pci_dss

Supported frameworks: soc2, iso27001, pci_dss, hipaa, gdpr, nist_csf, fedramp, apra, nist_800_53

Audit Commands#

Query the immutable audit log. Every entry is ML-DSA-65 signed and chained with SHA3-256 hashes. The hash chain cannot be tampered with without detection.

bash

# Show recent audit events (last 24 hours)
qs audit logs --hours 24

# Filter by event type
qs audit logs --event-type CREDENTIAL_UNSEALED --hours 24

# Filter by user
qs audit logs --user-id usr_abc123

# Verify the entire audit hash chain integrity
qs audit verify-chain

# Export to JSON
qs audit logs --hours 72 --output audit_export.json

CI/CD Integration#

Use the CLI in CI/CD pipelines to automatically rotate credentials, verify compliance, and audit activity as part of your build process.

yaml

# GitHub Actions example
name: QuantaSeal CI

on: [push]

jobs:
  compliance-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install QuantaSeal CLI
        run: npm install -g @quantaseal/cli

      - name: Check compliance score
        env:
          QUANTASEAL_API_KEY: ${{ secrets.QUANTASEAL_API_KEY }}
        run: |
          qs compliance score --framework soc2
          qs audit verify-chain

bash

# In any CI environment - pass API key via environment variable
export QUANTASEAL_API_KEY="$QUANTASEAL_API_KEY"

# Rotate a vault credential as part of a deployment
qs vault rotate cred_abc123

# Verify hash chain integrity after deployment
qs audit verify-chain

Global Flags#

These flags can be appended to any qs command.

Flag	Description
`--api-key <key>`	Override the API key for this command
`--output json`	Output response as raw JSON
`--output table`	Output as formatted table (default)
`--quiet`	Suppress non-essential output
`--verbose`	Show full HTTP request/response details
`--version`	Print CLI version and exit
`--help`	Show help for any command

Getting Started MCP Server

CLI Reference

Manage vault entries, encrypt data, generate compliance reports, and query audit logs - all from your terminal using the qs CLI.

Install & Configure#

Install the CLI globally via npm. The binary is available as both quantaseal and the shorter alias qs.

bash

# Install globally
npm install -g @quantaseal/cli

# Verify installation
qs --version

# Set your API key (stored in ~/.quantaseal/config.json)
qs config set api-key qs_live_...

# Verify connectivity and authentication
qs health

# View current configuration
qs config show

Encryption Commands#

bash

# Encrypt a string (ML-KEM-768 + AES-256-GCM)
qs encrypt --text "my sensitive data"

# Encrypt from a file
qs encrypt --file secrets.txt --out encrypted.json

# Decrypt
qs decrypt --file encrypted.json

# Sign a payload (ML-DSA-65 + HMAC-SHA-512)
qs sign --text "payload to sign" --out sig.json

# Verify - both ML-DSA-65 and HMAC-SHA-512 must pass
qs verify --text "payload to sign" --sig-file sig.json

Vault Commands#

bash

# List all vault entries (metadata only - no plaintext values)
qs vault list

# Seal (store) a new credential
qs vault seal --name "stripe-production-key" --type api_key

# Seal with TTL (auto-expire after 90 days)
qs vault seal --name "temp-token" --type bearer_token --ttl 90

# Unseal (retrieve) a credential by ID
qs vault unseal cred_abc123

# Rotate - re-encrypt with a new ML-KEM-768 key pair
qs vault rotate cred_abc123

# Delete permanently (logged to audit chain)
qs vault delete cred_abc123

Integrations Commands#

Manage the 40+ system integrations connected through the QuantaSeal proxy engine.

bash

# List all integrations for your tenant
qs integrations list

# Test connectivity for an integration
qs integrations test int_abc123

# Emergency revoke - disables integration immediately
qs integrations revoke int_abc123 --reason "Suspected credential compromise"

Compliance Commands#

Generate compliance reports from the immutable SHA3-256 audit hash chain. 9 frameworks, 56 controls.

bash

# Generate a SOC 2 Type II report (returns signed S3 PDF URL)
qs compliance report --framework soc2

# Run all 9 frameworks in one command
qs compliance all

# Get compliance score (0–100) without generating a PDF
qs compliance score --framework pci_dss

Supported frameworks: soc2, iso27001, pci_dss, hipaa, gdpr, nist_csf, fedramp, apra, nist_800_53

Audit Commands#

Query the immutable audit log. Every entry is ML-DSA-65 signed and chained with SHA3-256 hashes. The hash chain cannot be tampered with without detection.

bash

# Show recent audit events (last 24 hours)
qs audit logs --hours 24

# Filter by event type
qs audit logs --event-type CREDENTIAL_UNSEALED --hours 24

# Filter by user
qs audit logs --user-id usr_abc123

# Verify the entire audit hash chain integrity
qs audit verify-chain

# Export to JSON
qs audit logs --hours 72 --output audit_export.json

CI/CD Integration#

Use the CLI in CI/CD pipelines to automatically rotate credentials, verify compliance, and audit activity as part of your build process.

yaml

# GitHub Actions example
name: QuantaSeal CI

on: [push]

jobs:
  compliance-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install QuantaSeal CLI
        run: npm install -g @quantaseal/cli

      - name: Check compliance score
        env:
          QUANTASEAL_API_KEY: ${{ secrets.QUANTASEAL_API_KEY }}
        run: |
          qs compliance score --framework soc2
          qs audit verify-chain

bash

# In any CI environment - pass API key via environment variable
export QUANTASEAL_API_KEY="$QUANTASEAL_API_KEY"

# Rotate a vault credential as part of a deployment
qs vault rotate cred_abc123

# Verify hash chain integrity after deployment
qs audit verify-chain

Global Flags#

These flags can be appended to any qs command.

Flag	Description
`--api-key <key>`	Override the API key for this command
`--output json`	Output response as raw JSON
`--output table`	Output as formatted table (default)
`--quiet`	Suppress non-essential output
`--verbose`	Show full HTTP request/response details
`--version`	Print CLI version and exit
`--help`	Show help for any command

Getting Started MCP Server