Hybrid PQ-TLS termination
ML-KEM-768 + X25519 hybrid key exchange terminated in a hermetic Rust gateway. TLS 1.3 only, no classical-only fallback. AEAD selection limited to AES-256-GCM and ChaCha20-Poly1305. The PQ handshake terminates at our edge; the upstream hop to your origin is re-encrypted over classical TLS 1.3. Plaintext upstream forwarding is strictly reserved for Enterprise Azure Private Link deployments, where the gateway and your origin share a private VNet.