Post-quantum TLS policy


Projects can set a post-quantum TLS policy for traffic terminated at the edge.

This gives a project one cryptographic baseline even when tunnels are created by different CLIs, SDKs, or backend services. Instead of expecting every caller to request the same groups, the edge applies the policy centrally.

Two modes are available: preferred and required. preferred prioritizes hybrid post-quantum groups while keeping classical fallback groups available. required accepts only hybrid groups and enforces TLS 1.3 at runtime. An additional option limits selection to the NIST and FIPS-oriented P-256 and P-384 hybrid families.

The setting applies to terminated TLS surfaces for the project, including HTTPS, TLS, and QUIC endpoints. TLS passthrough remains excluded because the edge does not terminate the handshake. Community Edition deployments do not enforce this policy.
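As an added illustration, not code from the product, the following Python models the selection rule the two modes describe: which named group the edge would negotiate for a given mode, TLS version and client group list, and when it refuses the handshake. The group names, the edge's preference order, and the assumption that the NIST-only option under preferred still leaves the classical fallback available are constructed for this example, not taken from the page.

```python
"""Model of the post-quantum TLS policy decision described above.

Constructed example: group names and ordering are assumptions, not the
edge's published configuration.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Hybrid (classical ECDH + ML-KEM) named groups, in assumed edge preference order.
HYBRID_GROUPS: Tuple[str, ...] = ("X25519MLKEM768", "SecP256r1MLKEM768", "SecP384r1MLKEM1024")
# Subset built on the NIST P-256 / P-384 curves, used when the NIST-only option is set.
NIST_HYBRID_GROUPS: Tuple[str, ...] = ("SecP256r1MLKEM768", "SecP384r1MLKEM1024")
# Classical fallback groups (assumed), only reachable in preferred mode.
CLASSICAL_GROUPS: Tuple[str, ...] = ("x25519", "secp256r1", "secp384r1")


@dataclass(frozen=True)
class PqPolicy:
    mode: str               # "preferred" or "required"
    nist_only: bool = False  # limit hybrids to the P-256 / P-384 families


def allowed_groups(policy: PqPolicy, tls_version: str) -> Tuple[str, ...]:
    """Ordered groups the edge is willing to negotiate under this policy."""
    if policy.mode not in ("preferred", "required"):
        raise ValueError(f"unknown mode: {policy.mode}")
    hybrids = NIST_HYBRID_GROUPS if policy.nist_only else HYBRID_GROUPS
    if tls_version != "1.3":
        # Hybrid key shares exist only in TLS 1.3: required mode refuses the
        # handshake outright, preferred mode can still fall back to classical.
        return () if policy.mode == "required" else CLASSICAL_GROUPS
    if policy.mode == "required":
        return hybrids
    return hybrids + CLASSICAL_GROUPS


def select_group(policy: PqPolicy, tls_version: str, client_groups) -> Optional[str]:
    """Return the negotiated group, or None when the edge rejects the handshake.

    The edge's preference order wins over the client's order (assumption).
    """
    offered = set(client_groups)
    for group in allowed_groups(policy, tls_version):
        if group in offered:
            return group
    return None
```

A None result in required mode is the runtime enforcement the page refers to: a client that offers no acceptable hybrid group, or negotiates below TLS 1.3, is not served.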

For the runtime policy model, refer to Access Policies.