
The platform
Six modules. One audit trail. Zero shortcuts.
QUANTRA is not a scanner and not a wiki. It's the operating system for a regulated post-quantum migration — every action versioned, every finding attributable, every report reproducible.

1 · Inventory intake
System, asset and endpoint discovery. Bulk CSV with RFC-4180-ish parsing, manual entry, and Certificate Transparency log lookups via crt.sh. Two-step validation before commit. Confidence tagging: findings from CT-logs or missing metadata land as low_confidence until a human confirms.
- Bulk upload with pre-commit validation report
- CT-log lookup by domain
- App-layer de-duplication
- External-ref tracking
2 · Deterministic risk scoring
A pure TypeScript engine applies weighted sub-scores (0.40 exposure, 0.25 sensitivity, 0.20 criticality, 0.15 lifetime). Scoring tables are stored in the database and versioned; bwe_admin users can activate new versions without code deployments. Reproducible for every audit.
- Version-locked tables per engagement
- Confidence-gated headline score
- RSA key-size aware
- 10 unit tests covering edge cases
3 · AI-assisted findings
One-click drafting via Lovable AI Gateway (Gemini 2.5 Flash). Every draft records model, prompt version and input hash. A Postgres CHECK constraint refuses to store a finding in a report unless a named human approver signed it off.
- Auditable prompt versioning
- Input-hash traceability
- DB-enforced approval gate
- Human-in-the-loop by design
4 · Report generation
Versioned, deterministic JSON snapshots of findings, assets and risk tiers. Print-to-PDF built in. Delivery transitions the engagement to saas_active and freezes the snapshot with an immutable input hash.
- Snapshot-based versioning
- Immutable input_hash per version
- Private engagement-scoped storage bucket
- PDF-ready output
5 · Continuous SaaS monitoring
A deterministic scanner runs against delivered engagements, surfacing expired or expiring certificates, deprecated algorithms (SHA-1, DES, 3DES) and undersized RSA (< 3072 bits). Alerts include acknowledgment workflow and are RLS-scoped.
- Cron endpoint secured via CRON_SECRET
- Per-engagement scan history
- Acknowledgeable alerts
- Fires on drift, expiry and new deprecations
6 · RLS multi-tenancy
Every table in the public schema enforces row-level security via can_access_engagement and is_bwe_staff helpers. No app-layer filters — cross-tenant queries return zero rows even for staff without the correct role. Verified by an automated cross-org test.
- Postgres RLS on every table
- Security-definer helper functions
- Automated cross-org test suite
- Role: bwe_admin / bwe_analyst / client_owner / client_read
