[SSL] PQC docs cleanup: tighten Cloudflare One page, agentless terminology

[lukevalenta]

Summary

Tightens the PQC and Cloudflare One page: removes redundant content, fixes imprecise phrasing, and aligns terminology with PR #30537.

pqc-and-zero-trust.mdx

• Intro: link to the canonical hybrid key agreement section instead of restating the construction inline; drop the duplicated harvest-now-decrypt-later explanation (keep the term as a Wikipedia link). Clarify the lead-in for the worked examples ("sample configurations").
• Terminology: switch from clientless to agentless to match current docs convention. Update the page description and image alt text.
• Browsers: replace inline lists (Chrome, Edge, Firefox) with a link to Browsers, which also lists Safari.
• Imprecise phrasing: replace quantum-encrypted, quantum threats, quantum safety, and quantum-safe SWG with protected with post-quantum encryption, harvest-now decrypt-later attacks, post-quantum protection, and supports post-quantum cryptography.
• Section rename: rename Agentless Cloudflare Access to Browser to self-hosted application since the cryptographic flow shown (browser TLS, Cloudflare Tunnel) does not depend on Cloudflare Access; Access is now described as an optional identity-policy layer on top. Pin the existing slug (#agentless-cloudflare-access) so links from other pages continue to resolve.
• Split overloaded bullet: split the Agentless (browser-only) on-ramp bullet into two distinct bullets covering agentless browser access to Cloudflare-proxied applications (Visitor-to-Cloudflare flow) and the agentless browser on-ramp to Cloudflare Gateway via proxy endpoints (separate Gateway-stack flow).
• Step heading style: drop the PQ prefix from numbered step headings (the entire page is about PQ).
• Deduplication: simplify repeated Within Cloudflare's global network paragraphs to a one-liner in the Cloudflare One Client and Cloudflare IPsec sections (the full Frankfurt-to-San-Francisco illustration remains in the first walkthrough). Drop the duplicated Connection via Cloudflare One Client step and the redundant intro sentence in the Cloudflare One Client section.
• SWG step 1: trim to match the diagram, which only illustrates the browser on-ramp. Cloudflare One Client and Cloudflare IPsec are mentioned briefly as alternative post-quantum on-ramps via pointers to their walkthroughs above. Replace Cloudflare One Appliance with Cloudflare IPsec as the on-ramp name (the actual on-ramp is the IPsec tunnel; the Appliance is one way to establish it).
• Other: remove spurious harvest-now-decrypt-later mentions in the narrative steps and the "Putting it together" sentence in the browser-to-self-hosted-application section.

pqc-support.mdx

• Replace traditional X.509 post-quantum certificates with standard X.509 post-quantum certificates in the Chrome MTC discussion, since traditional is ambiguous in this context. Addresses #30142 (comment).

Documentation checklist

• The change adheres to the documentation style guide.

[github-actions]

This pull request requires reviews from CODEOWNERS as it changes files that match the following patterns:

Pattern	Owners
/src/content/docs/ssl/	@RebeccaTamachiro, @cloudflare/pcx-technical-writing, @cloudflare/product-owners

[github-actions]

Preview URL: https://a6ad3a30.preview.developers.cloudflare.com
Preview Branch URL: https://lvalenta-pqc-zero-trust-tighten.preview.developers.cloudflare.com

Files with changes (up to 15)

Original Link	Updated Link
https://developers.cloudflare.com/ssl/post-quantum-cryptography/pqc-and-zero-trust/	https://lvalenta-pqc-zero-trust-tighten.preview.developers.cloudflare.com/ssl/post-quantum-cryptography/pqc-and-zero-trust/
https://developers.cloudflare.com/ssl/post-quantum-cryptography/pqc-support/	https://lvalenta-pqc-zero-trust-tighten.preview.developers.cloudflare.com/ssl/post-quantum-cryptography/pqc-support/