From c7302d5a3c3a349515f5218fd7e3705fa7c9440a Mon Sep 17 00:00:00 2001
From: Adriano Sela Aviles
Date: Fri, 1 May 2026 15:03:09 -0700
Subject: [PATCH] tailcfg: add node attribute to trigger PQC (ML-KEM-768 wg handshake)

Signed-off-by: Adriano Sela Aviles
---
 tailcfg/tailcfg.go | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/tailcfg/tailcfg.go b/tailcfg/tailcfg.go
index 0cb7597c3..898b8bc9b 100644
--- a/tailcfg/tailcfg.go
+++ b/tailcfg/tailcfg.go
@@ -2788,6 +2788,13 @@ const (
 // that does not originate from the Tailscale network interface.
 // This enables access to off-tailnet endpoints within that IP range.
 NodeAttrDisableLinuxCGNATDropRule NodeCapability = "disable-linux-cgnat-drop-rule"
+
+ // NodeAttrPostQuantumCrypto enables the hybrid ML-KEM-768 + Noise_IKpsk2
+ // WireGuard handshake (FIPS 203) on this node. When set, the node uses
+ // message types 5 and 6 instead of the standard types 1 and 2. All
+ // nodes in the tailnet must have this attribute set identically; no
+ // mixed-mode operation is supported.
+ NodeAttrPostQuantumCrypto NodeCapability = "post-quantum-crypto"
 )
 
 const (
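Review bot: The doc comment on NodeAttrPostQuantumCrypto says mixed-mode operation is unsupported but does not say what a node does when a peer's attribute disagrees, and that is the security-relevant case: if a node quietly falls back to message types 1 and 2, a missing or stale attribute on one peer downgrades the link to the classical handshake without anyone noticing. I would state the failure mode in the comment, for example `// A node with this attribute never falls back to message types 1 and 2; handshakes with peers that lack it fail.` if fail-closed is the intent. The parenthetical `(FIPS 203)` also reads as if it qualified the whole handshake, while it names ML-KEM only, so `hybrid ML-KEM-768 (FIPS 203) + Noise_IKpsk2` would be clearer. The patch touches only tailcfg.go, so the behaviour the comment describes lives elsewhere and could not be checked here; the const block itself starts outside the hunk.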