Good news — hybrid PQC key exchange groups are supported in wolfSSL JNI/JSSE, it's just not surfaced the same way as the classical algorithms in the docs you may have been looking at.
The relevant mechanism is the wolfjsse.enabledSupportedCurves security property. This property lets you restrict/select the named groups used during the handshake, and it explicitly covers both ECC curves and PQC/hybrid groups. You set it in your java.security file (or wherever your JSSE provider config lives).
Both "compact" (e.g. MLKEM768, X25519MLKEM768) and "IETF" (e.g. ML-KEM-768, SecP256r1MLKEM768) name spellings are recognized for PQC and hybrid groups, but this only works if the native wolfSSL library was built with --enable-mlkem (in addition to --enable-jni).
Example usage would look like:
wolfjsse.enabledSupportedCurves=X25519MLKEM768, SecP256r1MLKEM768, ML-KEM-768
Keep in mind this property is the lowest-precedence source for named groups — it gets overridden by the jdk.tls.namedGroups System property, which in turn is overridden by SSLParameters.setNamedGroups() on JDK 20+, so only one of those three mechanisms will actually apply per session. If you're setting it and not seeing the hybrid group negotiated, check you don't have one of the higher-precedence sources overriding it elsewhere in your app.
So to directly answer your questions:
1. Is PQC_Hybrids supported through wolfssl-jni-jsse? Yes, as long as native wolfSSL is compiled with ML-KEM support and JNI enabled, and you configure the named groups as above.
2. Is QSH compatible with TLS 1.3 from Java? QSH is a separate, older/legacy extension and isn't the mechanism used for the modern hybrid ML-KEM key exchange in TLS 1.3 — you can disregard that for this use case.
3. Plans to expose hybrid groups? They're already exposed via the enabledSupportedCurves property described above, so no additional wrapper changes should be needed on your end.
If you're still not seeing the hybrid group show up in your ClientHello after setting this, it's worth double-checking your native wolfSSL build flags (--enable-mlkem) and posting your exact java.security config and wolfSSL JNI/JSSE version — that'll help narrow down whether it's a build-time or config-time issue.