Crate qnsp


qnsp — Rust SDK for the Quantum-Native Security Platform

Typed Rust client for QNSP — post-quantum cryptography (ML-KEM, ML-DSA, SLH-DSA, Falcon via liboqs), PQC-encrypted vault, server-side KMS, and immutable audit trails. Same wire contracts as the official @qnsp/* TypeScript family, the qnsp Python SDK, and the github.com/cuilabs/qnsp-public/sdks/go/qnsp Go SDK — pick whichever language fits your stack and the byte-for-byte outputs round-trip.

Quick start

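use qnsp::{Client, ClientOptions};
use qnsp::vault::CreateSecretRequest;
use base64::{engine::general_purpose::STANDARD, Engine};

// The calls below use `?` and `.await`, so they must run inside an async fn
// that returns a Result. The wrapper name and the boxed error type are
// illustrative assumptions, not part of the SDK.
async fn store_secret() -> Result<(), Box<dyn std::error::Error>> {
    // Read the API key from the environment rather than hard-coding it.
    let c = Client::new(ClientOptions::with_api_key(std::env::var("QNSP_API_KEY").unwrap()))?;
    // The payload is sent base64-encoded; "sk-..." is a placeholder value.
    let secret = c.vault().create_secret(CreateSecretRequest {
        name: "openai-api-key".into(),
        payload_b64: STANDARD.encode(b"sk-..."),
        algorithm: Some("ml-kem-768".into()),
        metadata: None,
    }, None).await?;
    Ok(())
}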

Sign up for a free QNSP account at https://cloud.qnsp.cuilabs.io/auth.

Local PQC primitives

The optional crypto feature unlocks the crypto module, which wraps the oqs crate (0.11) so the algorithm-name surface matches the rest of the QNSP ecosystem. Add the dependency with cargo add qnsp --features crypto. Building requires liboqs source available at link time (the oqs-sys crate can build it from source given a C toolchain + cmake).

Modules

access
QNSP Access-Control — RBAC: roles, permissions, role assignments.
ai
QNSP AI Orchestrator — model registry, AI workload submission with enclave attestation, inference, and bias / prompt-injection monitoring.
audit
QNSP Audit — immutable, hash-chained event log.
auth
QNSP Auth — JWT issuance, refresh, revocation, WebAuthn passkeys, MFA, federated identity (SAML / OIDC), risk-based authentication.
billing
QNSP Billing — entitlement queries, usage meters, invoice listing, credit balance.
crypto_inventory
QNSP Crypto-Inventory (CBOM) — asset catalogue, discovery runs, deprecation policies, and PQC migration readiness.
kms
QNSP KMS — server-side PQC keys with sign, verify, wrap, and unwrap.
search
QNSP Search — encrypted vector search with SSE-X.
storage
QNSP Storage — PQC-encrypted object storage with SSE-X.
tenant
QNSP Tenant — tenant CRUD, crypto-policy management, sub-tenant onboarding, and quota / health introspection.
vault
QNSP Vault — PQC-encrypted secret storage with versioning, rotation, and deletion.

Structs

Activation
Performs the SDK activation handshake and caches the result until ~1 minute before expiry.
ActivationResult
Decoded response from the activation handshake.
ApiError
AuthError
Client
Top-level QNSP SDK entry point.
ClientOptions
Configuration for Client::new.
NetworkError
WebhookError
WebhookEvent
The typed envelope every QNSP webhook follows.

Enums

Error
Root error type for the SDK.

Constants

MAX_WEBHOOK_SKEW
Default replay-protection window for parse_webhook.

Functions

parse_webhook
Verify the HMAC, enforce replay protection, parse the JSON body, and return a typed WebhookEvent.
verify_webhook_signature
Constant-time HMAC-SHA-256 verification. The header must be of the form sha256=<hex>.