Module tls


TLS server config builder; mTLS layered via WebPkiClientVerifier when client_ca_path is set.

Functions

build_server_config
LOADBEARING: allow_unauthenticated() is required because /v1/enroll cannot present a client cert (it bootstraps the agent's identity). Per-route middleware enforces auth; don't tighten the TLS layer to require client certs without first carving out enroll.
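A sketch of the per-route check this note relies on, as an added example that is not this crate's code: the TLS layer accepts handshakes with or without a client certificate, and the middleware then rejects every route except /v1/enroll when no certificate was presented. `authorize`, `Decision`, `PeerIdentity`, the /v1/agents route and the sample subject are hypothetical names and constructed values.

```rust
/// Result of the check that runs after the TLS handshake has completed.
#[derive(Debug, PartialEq)]
pub enum Decision {
    Allow,
    Reject(u16), // HTTP status the middleware would return
}

/// Hypothetical view of the verified client certificate. `None` at the call
/// site means the handshake finished without one, which
/// allow_unauthenticated() permits.
pub struct PeerIdentity {
    pub subject: String,
}

/// The only route reachable without a client certificate (from the page).
const UNAUTHENTICATED_ROUTES: &[&str] = &["/v1/enroll"];

pub fn authorize(target: &str, peer: Option<&PeerIdentity>) -> Decision {
    // Drop the query string, then compare the path exactly. No prefix match
    // and no normalisation, so "/v1/enroll/../agents" or "/v1/enrollx" do
    // not inherit the exemption.
    let path = target.split('?').next().unwrap_or("");
    if UNAUTHENTICATED_ROUTES.contains(&path) {
        return Decision::Allow;
    }
    // Default deny: any route not listed above needs a verified identity.
    match peer {
        Some(id) if !id.subject.is_empty() => Decision::Allow,
        _ => Decision::Reject(401),
    }
}

fn main() {
    // Constructed sample requests: (request target, peer identity if any).
    let agent = PeerIdentity { subject: "CN=agent-01".to_string() };
    let cases = [
        ("/v1/enroll", None),
        ("/v1/enroll?retry=1", None),
        ("/v1/enroll/../agents", None),
        ("/v1/agents", None),
        ("/v1/agents", Some(&agent)),
    ];
    for (target, peer) in cases {
        let who = peer.map(|p| p.subject.as_str()).unwrap_or("<no client cert>");
        println!("{target:24} {who:18} -> {:?}", authorize(target, peer));
    }
}
```

The exemption list is the only place unauthenticated access is granted, so a new route added without touching it fails closed.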