Browsers can't speak Zeq-SSL natively — symmetric handshakes need a pre-shared credential, and browsers don't carry one. The bridge terminates ordinary HTTPS on :3010 (TLS 1.3, mkcert dev cert) and speaks Zeq-SSL inward to your fleet. Native peers connect directly to :3009; only browser-originated traffic touches the bridge.
The bridge receives HTTPS from a browser. It holds its own zsm_key, performs the Zeq-SSL handshake against the destination machine, and relays the request and response in cleartext between the two sockets. The browser sees an ordinary HTTPS response; the destination sees a Zeq-SSL frame stream.
The bridge does NOT manufacture identity. It signs handshakes with its own credential — anything it sends inward is attested as "the bridge" — and writes SSL-HANDSHAKE audit rows on behalf of the requesting principal. If you need end-to-end auth, run the SDK directly or use Mode B.
Mode 1 (native, :3009) is PQ-safe end-to-end — AES-256-GCM + HMAC-SHA256, Grover-resistant. Mode 2 through the bridge inherits the OUTER TLS's PQ posture. The inner Zeq-SSL leg remains PQ-safe; the outer TLS uses whatever your HTTPS_CERT_FILE resolves to.
             ┌────────────────────────┐
browser ───▶ │ bridge :3010 (HTTPS)   │ ───▶ destination machine
   TLS 1.3   │ ─────────────────────  │      (Zeq-SSL :3009)
             │ handshake.ts + relay   │      no cert needed
             │ own zsm_key in ZSC     │      symmetric only
             └────────────────────────┘
Headers added inward:
X-Zeq-SSL-Session: <session_id>
X-Zeq-SSL-Bridge: <bridge_machine_slug>
X-Zeq-SSL-Auth: bridge-handshake-confirmed
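
Because the bridge only attests itself, the three inward headers are meaningful only when the handshake peer really is a bridge. The sketch below is an added example, not code from the Zeq-SSL project: it shows the bridge discarding browser-supplied X-Zeq-SSL-* headers before setting its own, and a destination that honours them only from a configured bridge. The function names, the `knownBridges` set and the assumption that the destination handler can see the slug authenticated by the handshake (`handshakePeer`) are all hypothetical.

```typescript
// Added example. Only the three X-Zeq-SSL-* header names come from the page;
// every function, type and parameter name here is hypothetical.
type HeaderMap = Record<string, string>;
const BRIDGE_PREFIX = "x-zeq-ssl-";

// Bridge side: drop any X-Zeq-SSL-* header the browser sent, then set our own.
function buildInwardHeaders(fromBrowser: HeaderMap, sessionId: string, bridgeSlug: string): HeaderMap {
  const out: HeaderMap = {};
  for (const [name, value] of Object.entries(fromBrowser)) {
    const key = name.toLowerCase();
    if (!key.startsWith(BRIDGE_PREFIX)) out[key] = value;
  }
  out["x-zeq-ssl-session"] = sessionId;
  out["x-zeq-ssl-bridge"] = bridgeSlug;
  out["x-zeq-ssl-auth"] = "bridge-handshake-confirmed";
  return out;
}

type Verdict =
  | { kind: "native"; principal: string }
  | { kind: "bridged"; principal: string; session: string }
  | { kind: "reject"; reason: string };

// Destination side. handshakePeer is assumed to be the machine slug that the
// Zeq-SSL handshake authenticated; knownBridges is local configuration.
function classifyInbound(headers: HeaderMap, handshakePeer: string, knownBridges: Set<string>): Verdict {
  const h: HeaderMap = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const claimsBridge = Object.keys(h).some((k) => k.startsWith(BRIDGE_PREFIX));

  if (!knownBridges.has(handshakePeer)) {
    // A native peer has no reason to send bridge headers; treat them as spoofed.
    return claimsBridge
      ? { kind: "reject", reason: "bridge headers from non-bridge peer" }
      : { kind: "native", principal: handshakePeer };
  }
  if (h["x-zeq-ssl-bridge"] !== handshakePeer) return { kind: "reject", reason: "bridge slug mismatch" };
  if (h["x-zeq-ssl-auth"] !== "bridge-handshake-confirmed") return { kind: "reject", reason: "missing auth marker" };
  const session = h["x-zeq-ssl-session"];
  if (!session) return { kind: "reject", reason: "missing session id" };
  // The authenticated identity is the bridge, not whoever is behind the browser.
  return { kind: "bridged", principal: `bridge:${handshakePeer}`, session };
}
```

A "bridged" verdict carries the bridge's identity only; any per-user authorization still has to come from the application layer or from a direct SDK connection.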