OpenChainGraph Suite · OCG v0.8.7 · Post-Quantum Cryptography

PQC Migration Evidence Workflow

Two-node evidence workflow for a declared cryptography inventory. Stage 1 structurally lints a pasted CycloneDX 1.6 CBOM and classifies each declared algorithm asset as quantum-vulnerable or CNSA-2.0 target-aligned. Stage 2 takes a declared inventory of systems — informed by Stage 1's classified components — and computes the applicable CNSA-2.0 migration deadline, days remaining, and FIPS 140-2 Historical-list exposure for each row.

OpenChainGraph · 2 Nodes compliance mandate · Linear Hash-Anchored §4 Client-Side · Zero PII
Not a security scanner, not a cryptographic audit. Every finding and every deadline below is computed from what you declare — the CBOM you paste and the inventory rows you supply — and every classification is asserted. Nothing is discovered, nothing is fetched, zero-egress by contract. This workflow attests the structural checks and the date arithmetic over your declared inputs. It does not scan your systems, does not audit your cryptography, and is not legal or regulatory advice. If the declared inputs are wrong, the receipt faithfully proves the wrong conclusion. Read the PQC Migration Evidence Guide before handing a receipt to a counterparty or regulator.
Workflow Topology (linear) — CBOM Structural Lint & Classification → CNSA-2.0 Deadline Ladder Calculator
§4 Execution Hash · Workflow Definition Anchor
execution_hash:computing…
Workflow Stages · 2 Nodes · Linear
1 ROOT node
CBOM Structural Lint & CNSA-2.0 Classifier art-386-lint-cbom-structure
Validates a pasted CycloneDX 1.6 CBOM against a hand-derived field subset and classifies each declared algorithm asset as quantum-vulnerable (RSA, ECDSA/ECDH, DH, SHA-1) or CNSA-2.0 target-aligned (ML-KEM-1024, ML-DSA-87, AES-256, SHA-384/512). Components classified quantum_vulnerable or cnsa2_ready feed Stage 2 as declared inventory rows.
MCP Call · lint_cbom_structure
{
  "jsonrpc": "2.0",
  "method": "tools/call",
  "params": {
    "name": "lint_cbom_structure",
    "arguments": {
      "cbom": {
        "bomFormat": "CycloneDX",
        "specVersion": "1.6",
        "components": [
          {
            "type": "cryptographic-asset",
            "name": "RSA-2048",
            "cryptoProperties": {
              "assetType": "algorithm",
              "algorithmProperties": {
                "primitive": "signature",
                "parameterSetIdentifier": "2048",
                "certificationLevel": ["none"],
                "cryptoFunctions": ["sign", "verify"]
              }
            }
          }
        ]
      }
    }
  },
  "id": 1
}
2 TERMINAL node
CNSA 2.0 Deadline Ladder Calculator art-387-pqc-deadline-ladder-calculator
Computes the applicable CNSA-2.0 deadline, days remaining, earliest binding constraint, and FIPS 140-2 Historical-list exposure flag per declared inventory row -- rows populated from Stage 1's quantum-vulnerable findings plus each system's declared class and deployment date. This is the terminal migration-evidence receipt.
MCP Call · compute_pqc_deadline_ladder
{
  "jsonrpc": "2.0",
  "method": "tools/call",
  "params": {
    "name": "compute_pqc_deadline_ladder",
    "arguments": {
      "reference_date": "2026-07-19",
      "inventory": [
        {
          "row_id": "RSA-2048 (Stage 1 finding)",
          "system_class": "nss",
          "asset_type": "signature",
          "deployment_date": "2024-01-01",
          "fips_140_2_certified": false
        }
      ]
    }
  },
  "id": 2
}
Export Workflow Artifact
Download a §4-compliant workflow artifact with execution hash and step definitions. Hash is deterministic over canonical {policy_parameters, output_payload} per RFC 8785/JCS.