Releases: NC3-TestingPlatform/quantumvalidator

v0.6.2

24 Jun 09:59
v0.6.2
4fa0eba

What's changed

Removed

  • __init__.py: probe_raw removed from package re-exports — callers (e.g. vendored copy in mailvalidator) import directly from quantumvalidator.tls_utils.

Fixed

  • tls_utils.probe_raw: validate starttls against _VALID_STARTTLS frozenset; raises ValueError for unrecognised modes instead of forwarding arbitrary strings to the subprocess.
  • tls_utils.probe_raw / _build_cmd: if starttls: replaced with if starttls is not None: so a pre-validated mode is forwarded consistently.
  • tls_utils._run_openssl, _read_server_banner, _probe_ssh, _probe_ftp: timeout type annotation corrected from int to float.
  • cli.py: timeout=int(timeout) cast removed — fractional timeouts no longer silently truncated.
  • reporter.save_report(): fixed to write from the module-level _console (the recording instance), not the public alias — saved files now always capture the full rendered output.
  • constants.py: import logging as _log moved to module-level; was previously inside an except handler.
  • __init__.py: import logging as _logging moved before the try/except block (PEP 8).
  • Tests: test_exits_2_on_missing_target replaces the incorrect test_exits_2_on_invalid_protocol; test_exits_2_on_save_error simplified; _capture helper in test_reporter.py passes console= as keyword argument.

Added

  • tls_utils._VALID_STARTTLS frozenset — canonical set of modes accepted by openssl s_client -starttls.
  • pyproject.toml: --cov-fail-under=100 enforces 100% coverage in CI and local runs.
  • tests/test_cli.py: TestInfoGroups (5 tests) covers the info groups subcommand. 252 tests total.

Impact

Internal correctness and test-hygiene release. Fractional timeouts now reach the probe without truncation, save_report() reliably captures the full terminal output, and probe_raw is hardened against invalid STARTTLS mode injection. No public API changes for library users.
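The STARTTLS allowlist check and the `is not None` change from this release, as an added Python example that is not quantumvalidator's own code. `build_cmd`, `is_rejected` and `probe` are hypothetical names, and the contents of `VALID_STARTTLS` are an assumption taken from the modes documented for `openssl s_client -starttls`.

```python
from __future__ import annotations

import subprocess

# Assumption: modes documented for `openssl s_client -starttls`; the project's
# own _VALID_STARTTLS contents are not shown on this page.
VALID_STARTTLS = frozenset({
    "smtp", "pop3", "imap", "ftp", "xmpp", "xmpp-server", "irc",
    "postgres", "mysql", "lmtp", "nntp", "sieve", "ldap",
})


def build_cmd(host: str, port: int, *, starttls: str | None = None) -> list[str]:
    """Build an argv list for openssl s_client (hypothetical helper)."""
    # Exact, case-sensitive allowlist match before anything reaches the subprocess.
    if starttls is not None and starttls not in VALID_STARTTLS:
        raise ValueError(f"unsupported STARTTLS mode: {starttls!r}")
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-ign_eof"]
    # `is not None`, not truthiness: with `if starttls:` an empty string would
    # be dropped silently and the probe would run as direct TLS instead.
    if starttls is not None:
        cmd += ["-starttls", starttls]
    return cmd


def is_rejected(mode: str | None) -> bool:
    """True when build_cmd refuses the mode with ValueError."""
    try:
        build_cmd("mail.example.org", 25, starttls=mode)
    except ValueError:
        return True
    return False


def probe(host: str, port: int, *, starttls: str | None = None,
          timeout: float = 10.0) -> str | None:
    """Run the probe; a fractional timeout is passed through without an int cast."""
    try:
        done = subprocess.run(build_cmd(host, port, starttls=starttls),
                              input="QUIT\r\n", capture_output=True, text=True,
                              timeout=timeout + 2)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return done.stdout + done.stderr
```
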


Full changelog: https://github.com/NC3-TestingPlatform/quantumvalidator/blob/main/CHANGELOG.md

v0.6.0

19 Jun 14:07
v0.6.0
676fb40

What's changed

Added

  • tls_utils.probe_raw(host, port, *, starttls, sni_hostname, timeout) — public
    function that runs openssl s_client and returns the raw combined
    stdout+stderr as a string (or None on failure). Unlike probe_tls, it
    omits -brief, adds -ign_eof, and sends QUIT\r\n so callers can parse
    protocol-specific fields such as Max Early Data: (TLS 1.3 0-RTT) and
    Negotiated TLS1.3 group:. Exported from the package root as
    quantumvalidator.probe_raw.
  • 15 new unit tests for probe_raw in tests/test_tls_utils.py (245 total).

Fixed

  • tls_utils.probe_raw: docstring now explicitly documents the timeout + 2
    buffer passed to the subprocess, which gives the TLS handshake time to
    complete before Python terminates the process.
  • tests/test_tls_utils.py: TestProbeRaw.test_returns_none_for_invalid_port
    now monkeypatches check_openssl to return (True, ...) so the test
    exercises _validate_target deterministically regardless of whether
    openssl is installed on the test machine.
  • __init__.py: added # noqa: E402 to the probe_raw re-export to
    suppress the false-positive E402 lint warning (the import intentionally
    follows the logging teardown block).

Impact

Adds a new public function probe_raw() that mailvalidator (and any other consumer) can use to run a raw openssl s_client probe without the -brief flag — enabling parsing of fields like Max Early Data: and Negotiated TLS1.3 group: that -brief suppresses. This halves the number of openssl subprocesses per MX host in mailvalidator by combining the 0-RTT and PQC group probes into one call.

Migration

probe_raw is a new addition — no existing API is changed. Consumers using probe_tls or assess() are unaffected.


Full changelog: https://github.com/NC3-TestingPlatform/quantumvalidator/blob/master/CHANGELOG.md

v0.5.2

15 May 13:17
8244020

What's changed

Added

  • info groups sub-command — lists all quantum-safe TLS and SSH key exchange groups with their IANA codepoint and governing standard.
  • pytest-mock>=3.12 added to dev extras.

Changed

  • assessor.assess(): parameters after target are now keyword-only (enforced by *,); timeout type corrected from int to float (default 10.0).
  • All Optional[X] type hints replaced with X | None (PEP 604) throughout assessor.py, cli.py, models.py, and tls_utils.py.
  • cli: --version short flag changed from -v to -V (uppercase), consistent with all other platform modules.
  • reporter: save_report() raises ValueError for unsupported extensions instead of silently falling back to plain text.

Removed

  • reporter.print_report deprecated alias removed; use print_full_report directly.

Impact

Harmonization pass 2. Migration: replace print_report with print_full_report; update -v to -V in scripts; pass timeout as float if calling assess() directly.


Full changelog: https://github.com/NC3-TestingPlatform/quantumvalidator/blob/master/CHANGELOG.md

v0.5.1

15 May 10:42
v0.5.1
4e30f83

What's changed

Changed

  • pyproject.toml: corrected authors field to t0kubetsu, consistent
    with all other platform modules.
  • reporter: exposes a public console alias (Console(record=True)) and
    a save_report(path) function supporting .txt, .svg, and .html
    extensions (unknown extensions fall back to plain text).
  • CLI migrated to use reporter.console; print_report() now renders to
    the module-level console so save_report() captures the output correctly.
    The private _save_report() helper in cli.py has been removed.

Impact

Platform API alignment release. save_report() is now a first-class
public function consistent with all other NC3-TestingPlatform modules.
No changes to probe logic, verdict scoring, or PQC group detection.


Full changelog: https://github.com/NC3-TestingPlatform/quantumvalidator/blob/master/CHANGELOG.md

v0.5.0

15 May 10:42
v0.5.0
190f409

What's changed

Added

  • Extended STARTTLS protocol detection: _fingerprint_banner now
    auto-detects FTP (220 … FTP …), LMTP (220 … LMTP …), NNTP (200/201),
    and ManageSieve ("IMPLEMENTATION" / "SIEVE" / "STARTTLS" capability
    lines) from server banners, dispatching to the correct openssl -starttls
    mode automatically. Protocols that send no opening banner (XMPP, LDAP,
    MySQL, PostgreSQL) remain unsupported in auto-detect mode by design.

Changed

  • _probe_ftp greeting/response reads are now loop-safe — replaced single
    sock.recv(1024) calls with chunk-accumulation loops that read until \n or
    1024 bytes, guarding against TCP segmentation on slow links.
  • _probe_ftp uses dataclasses.replace() instead of post-construction
    field mutation when stamping detected_starttls="ftp" onto the openssl result.
  • Empty AUTH TLS response now reports "(no response)" in the error message
    instead of a trailing bare colon.

Fixed

  • FTP probe no longer hangs on servers that reject AUTH TLS: openssl s_client -starttls ftp does not exit cleanly when the server replies with
    e.g. 500 AUTH not understood; it hangs until the subprocess timeout fires.
    A new _probe_ftp function now sends AUTH TLS over a raw socket first;
    if the server responds with anything other than 234, the error is returned
    immediately without invoking openssl.

Impact

Critical fix for FTP server probing: servers that reject AUTH TLS no longer
cause the tool to hang until the subprocess timeout. Four additional STARTTLS
protocols (FTP, LMTP, NNTP, ManageSieve) are now auto-detected from server
banners, covering a broader range of internet-exposed services without
requiring manual protocol selection.
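The AUTH TLS pre-check and the chunk-accumulating read from this release, as an added Python example rather than the project's `_probe_ftp`. The function names, the single-line greeting and the constructed socketpair server that sends the reply one byte at a time are all assumptions.

```python
from __future__ import annotations

import socket
import threading

MAX_LINE = 1024  # read cap named in the release note


def read_line(sock: socket.socket, limit: int = MAX_LINE) -> bytes:
    """Accumulate recv() chunks until a newline, `limit` bytes, or EOF."""
    buf = b""
    while b"\n" not in buf and len(buf) < limit:
        chunk = sock.recv(limit - len(buf))
        if not chunk:  # peer closed the connection
            break
        buf += chunk
    return buf


def ftp_auth_tls_precheck(sock: socket.socket) -> str | None:
    """Return None if the server answers AUTH TLS with 234, else an error string."""
    read_line(sock)  # greeting, assumed to be a single "220 ..." line
    sock.sendall(b"AUTH TLS\r\n")
    reply = read_line(sock).decode("ascii", "replace").strip()
    if reply.startswith("234"):
        return None  # safe to hand over to openssl s_client -starttls ftp
    return f"AUTH TLS rejected: {reply or '(no response)'}"


def simulate(reply: bytes) -> str | None:
    """Run the pre-check against a constructed server that segments its output."""
    client, server = socket.socketpair()

    def serve() -> None:
        server.sendall(b"220 constr")
        server.sendall(b"ucted FTP ready\r\n")
        read_line(server)  # consume "AUTH TLS\r\n"
        for i in range(len(reply)):  # one byte per send: worst-case segmentation
            server.sendall(reply[i:i + 1])
        server.close()
    worker = threading.Thread(target=serve)
    worker.start()
    client.settimeout(5.0)
    try:
        return ftp_auth_tls_precheck(client)
    finally:
        client.close()
        worker.join()
```

A single `recv(1024)` against the same server could return only the first byte of the reply, so a `234` acceptance would be misread as a rejection.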


Full changelog: https://github.com/NC3-TestingPlatform/quantumvalidator/blob/master/CHANGELOG.md