From 2a8123db38c9b422c1d802ca5f7b692c0a1f68b3 Mon Sep 17 00:00:00 2001 From: Dave Mihalcik Date: Fri, 5 Jun 2026 13:26:11 -0400 Subject: [PATCH 1/4] spec: scaffold for DSPX-3499 pqcrun --- spec/DSPX-3499.md | 38 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 spec/DSPX-3499.md diff --git a/spec/DSPX-3499.md b/spec/DSPX-3499.md new file mode 100644 index 00000000..0291e2b7 --- /dev/null +++ b/spec/DSPX-3499.md @@ -0,0 +1,38 @@ +--- +ticket: DSPX-3499 +title: xtest pqc and hybrid pq/t tests skipped or not skipped correctly +status: draft +authors: + - dmihalcik@virtru.com +branches: + - opentdf/tests:DSPX-3499-pqcrun +prs: [] +created: 2026-06-05T00:00:00Z +updated: 2026-06-05T00:00:00Z +jira_priority: Medium +--- + + +# xtest pqc and hybrid pq/t tests skipped or not skipped correctly + +## Summary +Make sure the tests are run if all components could support them. + +## Problem / Motivation +_Why does this work need to happen? What is the user/business pain?_ + +## Proposed Solution +_What will you build, at a functional level? Sketch the approach._ + +## Inputs / Outputs / Contracts +_Function signatures, data shapes, API contracts, CLI flags._ + +## Edge Cases & Constraints +_Boundary conditions, error states, performance limits, security considerations._ + +## Out of Scope +_What this work item explicitly does not cover._ + +## Acceptance Criteria +- [ ] _Clear, testable condition_ +- [ ] _…_ From 67d3b3268a26b1813654205d7a6b5c160d0ad84c Mon Sep 17 00:00:00 2001 From: Dave Mihalcik Date: Fri, 5 Jun 2026 13:32:39 -0400 Subject: [PATCH 2/4] feat(xtest): Enables pqc on server in tests --- .github/workflows/vulnerability.yml | 2 +- .github/workflows/xtest.yml | 21 ++++++++++++++------- otdf-local/src/otdf_local/services/kas.py | 1 + 3 files changed, 16 insertions(+), 8 deletions(-) diff --git a/.github/workflows/vulnerability.yml b/.github/workflows/vulnerability.yml index 9eadc620..60a6ef3b 100644 
--- a/.github/workflows/vulnerability.yml +++ b/.github/workflows/vulnerability.yml @@ -36,7 +36,7 @@ jobs: npm ci - name: Check out and start up platform with deps/containers id: run-platform - uses: opentdf/platform/test/start-up-with-containers@main + uses: opentdf/platform/test/start-up-with-containers@626ce47dd662cb8ff16898e3b6727001a4753d92 # pqc-enabled with: platform-ref: ${{ inputs.platform-ref }} - name: Get grpcurl diff --git a/.github/workflows/xtest.yml b/.github/workflows/xtest.yml index 59484bdf..b5ac3f97 100644 --- a/.github/workflows/xtest.yml +++ b/.github/workflows/xtest.yml @@ -278,12 +278,13 @@ jobs: ######## SPIN UP PLATFORM BACKEND ############# - name: Check out and start up platform with deps/containers id: run-platform - uses: opentdf/platform/test/start-up-with-containers@998929e5c66d41f928b90e6af7dbaa0a14302ca6 # watch-sh-fix + uses: opentdf/platform/test/start-up-with-containers@626ce47dd662cb8ff16898e3b6727001a4753d92 # pqc-enabled with: platform-ref: ${{ fromJSON(needs.resolve-versions.outputs.platform-tag-to-sha)[matrix.platform-tag] }} ec-tdf-enabled: true extra-keys: ${{ steps.load-extra-keys.outputs.EXTRA_KEYS }} log-type: json + pqc-enabled: true - name: Install uv uses: astral-sh/setup-uv@61cb8a9741eeb8a550a1b8544337180c0fc8476b # v7.2.0 
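Review bot: The new pin on the `run-platform` step carries the trailing comment `# pqc-enabled`, which reads like a branch name rather than a release, so this line does not show whether the SHA is reachable from `main` of opentdf/platform. Before merging, confirm that the commit belongs to the upstream repository itself, since GitHub also resolves SHAs that exist only in a fork's network, and that a rebase or branch deletion will not orphan it. This workflow passes no `pqc-enabled` input, so it only needs the new revision for consistency; once the action change lands upstream, the pin could move to the merged commit with a comment such as `# main (<tag or date>)`.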
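Review bot: `pqc-enabled: true` is passed unconditionally to `start-up-with-containers` in this step, while `platform-ref` is resolved from `matrix.platform-tag`, so every platform version in the matrix gets the same flag. Whether the action ignores the flag for a platform build that predates PQC support is not visible in this diff; if it does not, older matrix entries may fail at start-up or advertise a capability they lack, which would defeat the ticket's goal of running the tests only when all components support them. Consider deriving the value from a capability check, as `key-management: ${{ steps.km-check.outputs.supported }}` does further down, and add a comment above the input such as `# preview: PQC/hybrid key support for the xtest pqc tests (DSPX-3499)`. The same applies to the six `start-additional-kas` steps in the next hunk (`kas-alpha` through `kas-km2`).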
@@ -567,69 +568,75 @@ jobs: - name: Start additional kas id: kas-alpha if: ${{ steps.multikas.outputs.supported == 'true' }} - uses: opentdf/platform/test/start-additional-kas@998929e5c66d41f928b90e6af7dbaa0a14302ca6 # watch-sh-fix + uses: opentdf/platform/test/start-additional-kas@626ce47dd662cb8ff16898e3b6727001a4753d92 # pqc-enabled with: ec-tdf-enabled: true kas-name: alpha kas-port: 8181 log-type: json + pqc-enabled: true root-key: ${{ steps.km-check.outputs.root_key }} - name: Start additional kas id: kas-beta if: ${{ steps.multikas.outputs.supported == 'true' }} - uses: opentdf/platform/test/start-additional-kas@998929e5c66d41f928b90e6af7dbaa0a14302ca6 # watch-sh-fix + uses: opentdf/platform/test/start-additional-kas@626ce47dd662cb8ff16898e3b6727001a4753d92 # pqc-enabled with: ec-tdf-enabled: true kas-name: beta kas-port: 8282 log-type: json + pqc-enabled: true root-key: ${{ steps.km-check.outputs.root_key }} - name: Start additional kas id: kas-gamma if: ${{ steps.multikas.outputs.supported == 'true' }} - uses: opentdf/platform/test/start-additional-kas@998929e5c66d41f928b90e6af7dbaa0a14302ca6 # watch-sh-fix + uses: opentdf/platform/test/start-additional-kas@626ce47dd662cb8ff16898e3b6727001a4753d92 # pqc-enabled with: ec-tdf-enabled: true kas-name: gamma kas-port: 8383 log-type: json + pqc-enabled: true root-key: ${{ steps.km-check.outputs.root_key }} - name: Start additional kas id: kas-delta if: ${{ steps.multikas.outputs.supported == 'true' }} - uses: opentdf/platform/test/start-additional-kas@998929e5c66d41f928b90e6af7dbaa0a14302ca6 # watch-sh-fix + uses: opentdf/platform/test/start-additional-kas@626ce47dd662cb8ff16898e3b6727001a4753d92 # pqc-enabled with: ec-tdf-enabled: true kas-port: 8484 kas-name: delta log-type: json + pqc-enabled: true root-key: ${{ steps.km-check.outputs.root_key }} - name: Start additional KM kas (km1) id: kas-km1 if: ${{ steps.multikas.outputs.supported == 'true' }} - uses: 
opentdf/platform/test/start-additional-kas@998929e5c66d41f928b90e6af7dbaa0a14302ca6 # watch-sh-fix + uses: opentdf/platform/test/start-additional-kas@626ce47dd662cb8ff16898e3b6727001a4753d92 # pqc-enabled with: ec-tdf-enabled: true key-management: ${{ steps.km-check.outputs.supported }} kas-name: km1 kas-port: 8585 log-type: json + pqc-enabled: true root-key: ${{ steps.km-check.outputs.root_key }} - name: Start additional KM kas (km2) id: kas-km2 if: ${{ steps.multikas.outputs.supported == 'true' }} - uses: opentdf/platform/test/start-additional-kas@998929e5c66d41f928b90e6af7dbaa0a14302ca6 # watch-sh-fix + uses: opentdf/platform/test/start-additional-kas@626ce47dd662cb8ff16898e3b6727001a4753d92 # pqc-enabled with: ec-tdf-enabled: true kas-name: km2 key-management: ${{ steps.km-check.outputs.supported }} kas-port: 8686 log-type: json + pqc-enabled: true root-key: ${{ steps.km-check.outputs.root_key }} - name: Run attribute based configuration tests diff --git a/otdf-local/src/otdf_local/services/kas.py b/otdf-local/src/otdf_local/services/kas.py index 0b7adfa6..00de6a2c 100644 --- a/otdf-local/src/otdf_local/services/kas.py +++ b/otdf-local/src/otdf_local/services/kas.py @@ -77,6 +77,7 @@ def _generate_config(self) -> Path: if self.is_key_management: updates["services.kas.preview.key_management"] = True updates["services.kas.preview.ec_tdf_enabled"] = True + updates["services.kas.preview.hybrid_tdf_enabled"] = True # registered_kas_uri should NOT have /kas suffix updates["services.kas.registered_kas_uri"] = f"http://localhost:{self.port}" From 0d20046e78532589bfa3fd973ad895a192ca3cef Mon Sep 17 00:00:00 2001 From: Dave Mihalcik Date: Fri, 5 Jun 2026 17:31:08 -0400 Subject: [PATCH 3/4] chore(ci): bump platform action pin to 045f6355 for pqc key support Co-Authored-By: Claude Sonnet 4.6 --- .github/workflows/vulnerability.yml | 2 +- .github/workflows/xtest.yml | 14 +++++++------- 2 files changed, 8 insertions(+), 8 deletions(-) 
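Review bot: The added `updates["services.kas.preview.hybrid_tdf_enabled"] = True` in `_generate_config` has no comment, and its key name differs from the `pqc-enabled` input used in the workflows, so the link between the two settings is not obvious to a reader. Indentation is lost in this view, so it is unclear whether the line sits inside the `if self.is_key_management:` branch or applies to every KAS instance; if it is unconditional, a locally built platform that predates the preview key would get a setting it may not recognise. A one-line comment would help, for example `# preview: hybrid PQ/T TDF support, matches pqc-enabled in xtest.yml (DSPX-3499)`. The function body starts and ends outside this hunk, so how `updates` is consumed cannot be checked here.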
diff --git a/.github/workflows/vulnerability.yml b/.github/workflows/vulnerability.yml index 60a6ef3b..e15e8cd3 100644 --- a/.github/workflows/vulnerability.yml +++ b/.github/workflows/vulnerability.yml @@ -36,7 +36,7 @@ jobs: npm ci - name: Check out and start up platform with deps/containers id: run-platform - uses: opentdf/platform/test/start-up-with-containers@626ce47dd662cb8ff16898e3b6727001a4753d92 # pqc-enabled + uses: opentdf/platform/test/start-up-with-containers@045f6355d0b066163f21c4e402976793ca347de4 # pqc-enabled with: platform-ref: ${{ inputs.platform-ref }} - name: Get grpcurl diff --git a/.github/workflows/xtest.yml b/.github/workflows/xtest.yml index b5ac3f97..5ab25742 100644 --- a/.github/workflows/xtest.yml +++ b/.github/workflows/xtest.yml @@ -278,7 +278,7 @@ jobs: ######## SPIN UP PLATFORM BACKEND ############# - name: Check out and start up platform with deps/containers id: run-platform - uses: opentdf/platform/test/start-up-with-containers@626ce47dd662cb8ff16898e3b6727001a4753d92 # pqc-enabled + uses: opentdf/platform/test/start-up-with-containers@045f6355d0b066163f21c4e402976793ca347de4 # pqc-enabled with: platform-ref: ${{ fromJSON(needs.resolve-versions.outputs.platform-tag-to-sha)[matrix.platform-tag] }} ec-tdf-enabled: true @@ -568,7 +568,7 @@ jobs: - name: Start additional kas id: kas-alpha if: ${{ steps.multikas.outputs.supported == 'true' }} - uses: opentdf/platform/test/start-additional-kas@626ce47dd662cb8ff16898e3b6727001a4753d92 # pqc-enabled + uses: opentdf/platform/test/start-additional-kas@045f6355d0b066163f21c4e402976793ca347de4 # pqc-enabled with: ec-tdf-enabled: true kas-name: alpha 
@@ -580,7 +580,7 @@ jobs: - name: Start additional kas id: kas-beta if: ${{ steps.multikas.outputs.supported == 'true' }} - uses: opentdf/platform/test/start-additional-kas@626ce47dd662cb8ff16898e3b6727001a4753d92 # pqc-enabled + uses: opentdf/platform/test/start-additional-kas@045f6355d0b066163f21c4e402976793ca347de4 # pqc-enabled with: ec-tdf-enabled: true kas-name: beta @@ -592,7 +592,7 @@ jobs: - name: Start additional kas id: kas-gamma if: ${{ steps.multikas.outputs.supported == 'true' }} - uses: opentdf/platform/test/start-additional-kas@626ce47dd662cb8ff16898e3b6727001a4753d92 # pqc-enabled + uses: opentdf/platform/test/start-additional-kas@045f6355d0b066163f21c4e402976793ca347de4 # pqc-enabled with: ec-tdf-enabled: true kas-name: gamma @@ -604,7 +604,7 @@ jobs: - name: Start additional kas id: kas-delta if: ${{ steps.multikas.outputs.supported == 'true' }} - uses: opentdf/platform/test/start-additional-kas@626ce47dd662cb8ff16898e3b6727001a4753d92 # pqc-enabled + uses: opentdf/platform/test/start-additional-kas@045f6355d0b066163f21c4e402976793ca347de4 # pqc-enabled with: ec-tdf-enabled: true kas-port: 8484 @@ -616,7 +616,7 @@ jobs: - name: Start additional KM kas (km1) id: kas-km1 if: ${{ steps.multikas.outputs.supported == 'true' }} - uses: opentdf/platform/test/start-additional-kas@626ce47dd662cb8ff16898e3b6727001a4753d92 # pqc-enabled + uses: opentdf/platform/test/start-additional-kas@045f6355d0b066163f21c4e402976793ca347de4 # pqc-enabled with: ec-tdf-enabled: true key-management: ${{ steps.km-check.outputs.supported }} @@ -629,7 +629,7 @@ jobs: - name: Start additional KM kas (km2) id: kas-km2 if: ${{ steps.multikas.outputs.supported == 'true' }} - uses: opentdf/platform/test/start-additional-kas@626ce47dd662cb8ff16898e3b6727001a4753d92 # pqc-enabled + uses: opentdf/platform/test/start-additional-kas@045f6355d0b066163f21c4e402976793ca347de4 # pqc-enabled with: ec-tdf-enabled: true kas-name: km2 
From 50198857f02918bce4514bc1967a1516469b88a7 Mon Sep 17 00:00:00 2001 From: Dave Mihalcik Date: Fri, 5 Jun 2026 17:53:44 -0400 Subject: [PATCH 4/4] chore(ci): bump platform action pin to 29f065e3 to fix start-additional-kas Co-Authored-By: Claude Sonnet 4.6 --- .github/workflows/vulnerability.yml | 2 +- .github/workflows/xtest.yml | 14 +++++++------- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/vulnerability.yml b/.github/workflows/vulnerability.yml index e15e8cd3..d46ef40b 100644 --- a/.github/workflows/vulnerability.yml +++ b/.github/workflows/vulnerability.yml @@ -36,7 +36,7 @@ jobs: npm ci - name: Check out and start up platform with deps/containers id: run-platform - uses: opentdf/platform/test/start-up-with-containers@045f6355d0b066163f21c4e402976793ca347de4 # pqc-enabled + uses: opentdf/platform/test/start-up-with-containers@29f065e3c406bb5eb4a0926890f2a7b75e76aa2c # pqc-enabled with: platform-ref: ${{ inputs.platform-ref }} - name: Get grpcurl diff --git a/.github/workflows/xtest.yml b/.github/workflows/xtest.yml index 5ab25742..6e2088a4 100644 --- a/.github/workflows/xtest.yml +++ b/.github/workflows/xtest.yml @@ -278,7 +278,7 @@ jobs: ######## SPIN UP PLATFORM BACKEND ############# - name: Check out and start up platform with deps/containers id: run-platform - uses: opentdf/platform/test/start-up-with-containers@045f6355d0b066163f21c4e402976793ca347de4 # pqc-enabled + uses: opentdf/platform/test/start-up-with-containers@29f065e3c406bb5eb4a0926890f2a7b75e76aa2c # pqc-enabled with: platform-ref: ${{ fromJSON(needs.resolve-versions.outputs.platform-tag-to-sha)[matrix.platform-tag] }} ec-tdf-enabled: true 
@@ -568,7 +568,7 @@ jobs: - name: Start additional kas id: kas-alpha if: ${{ steps.multikas.outputs.supported == 'true' }} - uses: opentdf/platform/test/start-additional-kas@045f6355d0b066163f21c4e402976793ca347de4 # pqc-enabled + uses: opentdf/platform/test/start-additional-kas@29f065e3c406bb5eb4a0926890f2a7b75e76aa2c # pqc-enabled with: ec-tdf-enabled: true kas-name: alpha @@ -580,7 +580,7 @@ jobs: - name: Start additional kas id: kas-beta if: ${{ steps.multikas.outputs.supported == 'true' }} - uses: opentdf/platform/test/start-additional-kas@045f6355d0b066163f21c4e402976793ca347de4 # pqc-enabled + uses: opentdf/platform/test/start-additional-kas@29f065e3c406bb5eb4a0926890f2a7b75e76aa2c # pqc-enabled with: ec-tdf-enabled: true kas-name: beta @@ -592,7 +592,7 @@ jobs: - name: Start additional kas id: kas-gamma if: ${{ steps.multikas.outputs.supported == 'true' }} - uses: opentdf/platform/test/start-additional-kas@045f6355d0b066163f21c4e402976793ca347de4 # pqc-enabled + uses: opentdf/platform/test/start-additional-kas@29f065e3c406bb5eb4a0926890f2a7b75e76aa2c # pqc-enabled with: ec-tdf-enabled: true kas-name: gamma @@ -604,7 +604,7 @@ jobs: - name: Start additional kas id: kas-delta if: ${{ steps.multikas.outputs.supported == 'true' }} - uses: opentdf/platform/test/start-additional-kas@045f6355d0b066163f21c4e402976793ca347de4 # pqc-enabled + uses: opentdf/platform/test/start-additional-kas@29f065e3c406bb5eb4a0926890f2a7b75e76aa2c # pqc-enabled with: ec-tdf-enabled: true kas-port: 8484 @@ -616,7 +616,7 @@ jobs: - name: Start additional KM kas (km1) id: kas-km1 if: ${{ steps.multikas.outputs.supported == 'true' }} - uses: opentdf/platform/test/start-additional-kas@045f6355d0b066163f21c4e402976793ca347de4 # pqc-enabled + uses: opentdf/platform/test/start-additional-kas@29f065e3c406bb5eb4a0926890f2a7b75e76aa2c # pqc-enabled with: ec-tdf-enabled: true key-management: ${{ steps.km-check.outputs.supported }} 
@@ -629,7 +629,7 @@ jobs: - name: Start additional KM kas (km2) id: kas-km2 if: ${{ steps.multikas.outputs.supported == 'true' }} - uses: opentdf/platform/test/start-additional-kas@045f6355d0b066163f21c4e402976793ca347de4 # pqc-enabled + uses: opentdf/platform/test/start-additional-kas@29f065e3c406bb5eb4a0926890f2a7b75e76aa2c # pqc-enabled with: ec-tdf-enabled: true kas-name: km2