fix: tighten tls fingerprints and approval events

src/infra/tls/fingerprint.test.ts

@@ -0,0 +1,11 @@
+import { describe, expect, it } from "vitest";
+
+import { normalizeFingerprint } from "./fingerprint.js";
+
+describe("normalizeFingerprint", () => {
+  it("strips sha256 prefixes and separators", () => {
+    expect(normalizeFingerprint("sha256:AA:BB:cc")).toBe("aabbcc");
+    expect(normalizeFingerprint("SHA-256 11-22-33")).toBe("112233");
+    expect(normalizeFingerprint("aa:bb:cc")).toBe("aabbcc");
+  });
+});

src/infra/tls/fingerprint.ts

@@ -0,0 +1,5 @@
+export function normalizeFingerprint(input: string): string {
+  const trimmed = input.trim();
+  const withoutPrefix = trimmed.replace(/^sha-?256\s*:?\s*/i, "");
+  return withoutPrefix.replace(/[^a-fA-F0-9]/g, "").toLowerCase();
+}

src/infra/tls/gateway.ts

@@ -7,6 +7,7 @@ import { promisify } from "node:util";
 
 import type { GatewayTlsConfig } from "../../config/types.gateway.js";
 import { CONFIG_DIR, ensureDir, resolveUserPath, shortenHomeInString } from "../../utils.js";
+import { normalizeFingerprint } from "./fingerprint.js";
 
 const execFileAsync = promisify(execFile);
 
@@ -21,10 +22,6 @@ export type GatewayTlsRuntime = {
   error?: string;
 };
 
-function normalizeFingerprint(input: string): string {
-  return input.replace(/[^a-fA-F0-9]/g, "").toLowerCase();
-}
-
 async function fileExists(filePath: string): Promise<boolean> {
   try {
     await fs.access(filePath);