chore(xtest): Enables pqc on platform checkouts

.github/workflows/vulnerability.yml

@@ -36,7 +36,7 @@ jobs:
           npm ci
       - name: Check out and start up platform with deps/containers
         id: run-platform
-        uses: opentdf/platform/test/start-up-with-containers@main
+        uses: opentdf/platform/test/start-up-with-containers@11af44a5d4826ed281bf2e0e4e31d6ff6154b393  # pqc-enabled
         with:
           platform-ref: ${{ inputs.platform-ref }}
       - name: Get grpcurl

.github/workflows/xtest.yml

@@ -278,12 +278,13 @@ jobs:
       ######## SPIN UP PLATFORM BACKEND #############
       - name: Check out and start up platform with deps/containers
         id: run-platform
-        uses: opentdf/platform/test/start-up-with-containers@998929e5c66d41f928b90e6af7dbaa0a14302ca6  # watch-sh-fix
+        uses: opentdf/platform/test/start-up-with-containers@11af44a5d4826ed281bf2e0e4e31d6ff6154b393  # pqc-enabled
         with:
           platform-ref: ${{ fromJSON(needs.resolve-versions.outputs.platform-tag-to-sha)[matrix.platform-tag] }}
           ec-tdf-enabled: true
           extra-keys: ${{ steps.load-extra-keys.outputs.EXTRA_KEYS }}
           log-type: json
+          pqc-enabled: true
 
       - name: Install uv
         uses: astral-sh/setup-uv@61cb8a9741eeb8a550a1b8544337180c0fc8476b # v7.2.0
@@ -567,69 +568,75 @@ jobs:
       - name: Start additional kas
         id: kas-alpha
         if: ${{ steps.multikas.outputs.supported == 'true' }}
-        uses: opentdf/platform/test/start-additional-kas@998929e5c66d41f928b90e6af7dbaa0a14302ca6  # watch-sh-fix
+        uses: opentdf/platform/test/start-additional-kas@11af44a5d4826ed281bf2e0e4e31d6ff6154b393  # pqc-enabled
         with:
           ec-tdf-enabled: true
           kas-name: alpha
           kas-port: 8181
           log-type: json
+          pqc-enabled: true
           root-key: ${{ steps.km-check.outputs.root_key }}
 
       - name: Start additional kas
         id: kas-beta
         if: ${{ steps.multikas.outputs.supported == 'true' }}
-        uses: opentdf/platform/test/start-additional-kas@998929e5c66d41f928b90e6af7dbaa0a14302ca6  # watch-sh-fix
+        uses: opentdf/platform/test/start-additional-kas@11af44a5d4826ed281bf2e0e4e31d6ff6154b393  # pqc-enabled
         with:
           ec-tdf-enabled: true
           kas-name: beta
           kas-port: 8282
           log-type: json
+          pqc-enabled: true
           root-key: ${{ steps.km-check.outputs.root_key }}
 
       - name: Start additional kas
         id: kas-gamma
         if: ${{ steps.multikas.outputs.supported == 'true' }}
-        uses: opentdf/platform/test/start-additional-kas@998929e5c66d41f928b90e6af7dbaa0a14302ca6  # watch-sh-fix
+        uses: opentdf/platform/test/start-additional-kas@11af44a5d4826ed281bf2e0e4e31d6ff6154b393  # pqc-enabled
         with:
           ec-tdf-enabled: true
           kas-name: gamma
           kas-port: 8383
           log-type: json
+          pqc-enabled: true
           root-key: ${{ steps.km-check.outputs.root_key }}
 
       - name: Start additional kas
         id: kas-delta
         if: ${{ steps.multikas.outputs.supported == 'true' }}
-        uses: opentdf/platform/test/start-additional-kas@998929e5c66d41f928b90e6af7dbaa0a14302ca6  # watch-sh-fix
+        uses: opentdf/platform/test/start-additional-kas@11af44a5d4826ed281bf2e0e4e31d6ff6154b393  # pqc-enabled
         with:
           ec-tdf-enabled: true
           kas-port: 8484
           kas-name: delta
           log-type: json
+          pqc-enabled: true
           root-key: ${{ steps.km-check.outputs.root_key }}
 
       - name: Start additional KM kas (km1)
         id: kas-km1
         if: ${{ steps.multikas.outputs.supported == 'true' }}
-        uses: opentdf/platform/test/start-additional-kas@998929e5c66d41f928b90e6af7dbaa0a14302ca6  # watch-sh-fix
+        uses: opentdf/platform/test/start-additional-kas@11af44a5d4826ed281bf2e0e4e31d6ff6154b393  # pqc-enabled
         with:
           ec-tdf-enabled: true
           key-management: ${{ steps.km-check.outputs.supported }}
           kas-name: km1
           kas-port: 8585
           log-type: json
+          pqc-enabled: true
           root-key: ${{ steps.km-check.outputs.root_key }}
 
       - name: Start additional KM kas (km2)
         id: kas-km2
         if: ${{ steps.multikas.outputs.supported == 'true' }}
-        uses: opentdf/platform/test/start-additional-kas@998929e5c66d41f928b90e6af7dbaa0a14302ca6  # watch-sh-fix
+        uses: opentdf/platform/test/start-additional-kas@11af44a5d4826ed281bf2e0e4e31d6ff6154b393  # pqc-enabled
         with:
           ec-tdf-enabled: true
           kas-name: km2
           key-management: ${{ steps.km-check.outputs.supported }}
           kas-port: 8686
           log-type: json
+          pqc-enabled: true
           root-key: ${{ steps.km-check.outputs.root_key }}
 
       - name: Run attribute based configuration tests

otdf-local/src/otdf_local/services/kas.py

@@ -77,6 +77,7 @@ def _generate_config(self) -> Path:
         if self.is_key_management:
             updates["services.kas.preview.key_management"] = True
             updates["services.kas.preview.ec_tdf_enabled"] = True
+            updates["services.kas.preview.hybrid_tdf_enabled"] = True
             # registered_kas_uri should NOT have /kas suffix
             updates["services.kas.registered_kas_uri"] = f"http://localhost:{self.port}"
 

spec/DSPX-3499.md

@@ -0,0 +1,38 @@
+---
+ticket: DSPX-3499
+title: xtest pqc and hybrid pq/t tests skipped or not skipped correctly
+status: draft
+authors:
+    - dmihalcik@virtru.com
+branches:
+    - opentdf/tests:DSPX-3499-pqcrun
+prs: []
+created: 2026-06-05T00:00:00Z
+updated: 2026-06-05T00:00:00Z
+jira_priority: Medium
+---
+
+
+# xtest pqc and hybrid pq/t tests skipped or not skipped correctly
+
+## Summary
+Make sure the tests are run if all components could support them.
+
+## Problem / Motivation
+_Why does this work need to happen? What is the user/business pain?_
+
+## Proposed Solution
+_What will you build, at a functional level? Sketch the approach._
+
+## Inputs / Outputs / Contracts
+_Function signatures, data shapes, API contracts, CLI flags._
+
+## Edge Cases & Constraints
+_Boundary conditions, error states, performance limits, security considerations._
+
+## Out of Scope
+_What this work item explicitly does not cover._
+
+## Acceptance Criteria
+- [ ] _Clear, testable condition_
+- [ ] _…_

xtest/tdfs.py

@@ -35,8 +35,8 @@ def _km1_log_path() -> Path | None:
 def _algs_from_km1_log() -> set[str]:
     """Scan km1's startup log to extract the set of configured key algorithms.
 
-    Prefers the INFO 'kas initialized' entry added by DSPX-3456; falls back to
-    the DEBUG 'kas config' entry available on current platform versions.
+    Prefers the INFO 'kas trust mechanisms initialized' summary; falls back to
+    the DEBUG 'kas config loaded' keyring dump.
     """
     log = _km1_log_path()
     if not log or not log.exists():
@@ -49,11 +49,12 @@ def _algs_from_km1_log() -> set[str]:
                     entry = json.loads(line)
                 except json.JSONDecodeError:
                     continue
-                # Preferred: explicit INFO summary (DSPX-3456, not yet landed)
-                if entry.get("msg") == "kas initialized" and "mechanisms" in entry:
+                if (
+                    entry.get("msg") == "kas trust mechanisms initialized"
+                    and "mechanisms" in entry
+                ):
                     return set(entry["mechanisms"])
-                # Fallback: DEBUG keyring dump present in current platform
-                if entry.get("msg") == "kas config" and "config" in entry:
+                if entry.get("msg") == "kas config loaded" and "config" in entry:
                     for k in entry["config"].get("keyring", []):
                         if alg := k.get("alg"):
                             algs.add(alg)