feat(docs): document hybrid post-quantum key wrapping support

[marythought]

Summary

• Add hybrid PQC row to the SDK feature matrix (Go: Stable, Java: Unstable, JS: Planned)
• Document hybrid key types (hpqt:xwing, hpqt:secp256r1-mlkem768, hpqt:secp384r1-mlkem1024) in the Wrapping Key Algorithm encrypt option for Go and Java SDKs
• Update KASInfo Algorithm field docs to reference hybrid algorithms
• Update KeyAccess KeyType field to include "hybrid-wrapped" alongside "wrapped" and "ec-wrapped"
• List all supported algorithm families in the KAS PublicKey RPC description

Companion to opentdf/java-sdk#368 which adds the Java SDK implementation.

Test plan

• Surge preview builds and renders correctly
• Feature matrix table aligns properly
• Footnote [^160] renders

🤖 Generated with Claude Code

Summary by CodeRabbit

• Documentation
  • Updated wrapping key algorithm documentation to include hybrid post-quantum encryption support in Go and Java SDKs.
  • Added SDK feature matrix entry for hybrid PQC with lifecycle information.
  • Expanded Key Access Service documentation to detail supported algorithm families including hybrid post-quantum options.
  • Clarified that hybrid PQC algorithms are not supported in the JavaScript SDK.

[coderabbitai]

📝 Walkthrough

Walkthrough

Documentation-only update adding hybrid post-quantum cryptography (hybrid PQC) support details. Changes span four files: SDK TDF reference, encrypt options sample, KAS component docs, and the SDK feature matrix. New algorithm identifiers (hpqt:xwing, hpqt:secp256r1-mlkem768, hpqt:secp384r1-mlkem1024) and per-SDK support notes are added throughout.

Changes

Hybrid PQC Documentation

Layer / File(s)	Summary
SDK API field references and KAS PublicKey RPC docs docs/sdks/tdf.mdx, docs/components/key_access.md	KASInfo.Algorithm field docs now include example identifiers and the rsa:2048 default. Manifest.KeyAccess.KeyType now enumerates "wrapped", "ec-wrapped", "hybrid-wrapped", and "remote". PublicKey RPC description lists RSA, EC, and hybrid PQC algorithm families.
Encrypt options wrapping key section and feature matrix code_samples/tdf/encrypt_options.mdx, docs/appendix/matrix.mdx	Adds a hybrid PQC description paragraph and expands valid-values lists for Go and Java; notes the sdk-pqc-bc module requirement for Java and marks hybrid PQC unsupported in JavaScript. Adds a Hybrid PQC row (Go: Stable, Java: Unstable, JS: Planned) and a new footnote to the SDK feature matrix.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Poem

🐇 A quantum hop, a classical skip,
New algo names right off the tip—
hpqt:xwing takes flight,
Java needs a module just right,
And JavaScript waits, still hip! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly reflects the main objective of the PR: documenting hybrid post-quantum key wrapping support across OpenTDF SDKs, which is consistent with all four documentation files updated.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch mary/DSPX-3309-hybrid-pqc-docs

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request updates the documentation to introduce and detail support for hybrid post-quantum cryptography (PQC) algorithms across the Go, Java, and JavaScript SDKs, including Key Access Server (KAS) configurations and feature matrices. The review feedback suggests a minor formatting improvement to align the columns in the SDK feature matrix table.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

[gemini-code-assist]

The column separator | for the new Hybrid PQC row is misaligned by one character compared to the other rows in the table. Adding an extra space after [^160] will align the table columns perfectly for better readability in the raw markdown file.

| - Hybrid PQC[^160]         | Stable   | Unstable | Planned    |

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

code_samples/tdf/encrypt_options.mdx (1)

595-599: ⚠️ Potential issue | 🟠 Major

Incorrect Java API name in sample (WithWrappingKeyAlg).

The method uses wrong casing: should be Config.withWrappingKeyAlg(...) (lowercase w), not Config.WithWrappingKeyAlg(...) (capital W). This code would fail to compile. Additionally, recent SDK architectural changes (July 2025+) retrieve the wrapping algorithm from KASInfo rather than directly from Config, so this entire approach may need refactoring to follow current SDK patterns.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@code_samples/tdf/encrypt_options.mdx` around lines 595 - 599, The method call
`Config.WithWrappingKeyAlg(...)` has incorrect casing and should be changed to
`Config.withWrappingKeyAlg(...)` with a lowercase 'w' to match the correct Java
API convention. Additionally, verify whether the wrapping key algorithm
configuration approach is still current with the SDK, as recent architectural
changes may require retrieving this value from `KasInfo` instead of directly
configuring it through the `Config` object. Update the code to follow the
current SDK patterns if the wrapping algorithm should be sourced from the
`kasInfo` parameter rather than set separately.

🧹 Nitpick comments (1)

code_samples/tdf/encrypt_options.mdx (1)

570-571: ⚡ Quick win

Use SDK option name as the section header to avoid anchor collisions.

Please rename this option section header to the SDK option-style name (for example, ### WithWrappingKeyAlg) and update any local references accordingly. As per coding guidelines, “Use SDK option names for encrypt/decrypt option headers … to avoid anchor collisions with concept-level headers in parent docs.”

Also applies to: 587-620

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@code_samples/tdf/encrypt_options.mdx` around lines 570 - 571, The section
header describing hybrid post-quantum algorithms needs to be renamed from its
current descriptive format to an SDK option-style name format (for example,
using camelCase with a "With" prefix like WithWrappingKeyAlg). Rename the header
around line 570-571 to match the appropriate SDK option name format, and then
update all local references to this header throughout the document, including
the sections noted around lines 587-620, to ensure consistency and avoid anchor
collision conflicts with parent documentation headers.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@code_samples/tdf/encrypt_options.mdx`:
- Around line 595-599: The method call `Config.WithWrappingKeyAlg(...)` has
incorrect casing and should be changed to `Config.withWrappingKeyAlg(...)` with
a lowercase 'w' to match the correct Java API convention. Additionally, verify
whether the wrapping key algorithm configuration approach is still current with
the SDK, as recent architectural changes may require retrieving this value from
`KasInfo` instead of directly configuring it through the `Config` object. Update
the code to follow the current SDK patterns if the wrapping algorithm should be
sourced from the `kasInfo` parameter rather than set separately.

---

Nitpick comments:
In `@code_samples/tdf/encrypt_options.mdx`:
- Around line 570-571: The section header describing hybrid post-quantum
algorithms needs to be renamed from its current descriptive format to an SDK
option-style name format (for example, using camelCase with a "With" prefix like
WithWrappingKeyAlg). Rename the header around line 570-571 to match the
appropriate SDK option name format, and then update all local references to this
header throughout the document, including the sections noted around lines
587-620, to ensure consistency and avoid anchor collision conflicts with parent
documentation headers.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: bd1ec88e-22bd-49f0-9b80-abad52b2fb0f

📥 Commits

Reviewing files that changed from the base of the PR and between 12fcee6 and 366c2a1.

📒 Files selected for processing (4)

• code_samples/tdf/encrypt_options.mdx
• docs/appendix/matrix.mdx
• docs/components/key_access.md
• docs/sdks/tdf.mdx

[github-actions]

📄 Preview deployed to https://opentdf-docs-pr-343.surge.sh