
#22453: fix(tui): resolve and pass tlsFingerprint for secure connections [AI-assisted]

by captmoss open 2026-02-21 05:55
size: M
### Description

This PR fixes a bug where the OpenClaw TUI was not passing the TLS fingerprint to the gateway, causing connection failures when using secure (SSL/WSS) LAN connections (e.g., through Nginx Proxy Manager). The fix splits the connection resolution into a synchronous part (to provide the URL to the UI immediately) and an asynchronous part (to resolve the TLS fingerprint before starting the GatewayClient).

### Changes

- Modified `src/tui/gateway-chat.ts` to split connection resolution and pass `tlsFingerprint` to `GatewayClient`.
- Added new tests in `src/tui/gateway-chat.test.ts` to verify the TLS fingerprint resolution in both local and remote modes.

### AI Assistance

- [x] Mark as AI-assisted in the PR title or description
- [x] Note the degree of testing: **Fully tested** with new vitest unit tests (13/13 passed).
- [x] Include prompts or session logs if possible: Reviewed and staged by Claude Code, then verified by another agent (Pixel Optimus Lobster) in this session.
- [x] Confirm you understand what the code does: Verified the split-resolution logic ensures secure handshakes without breaking UI responsiveness.

Fixes an issue found during local setup with SSL reverse proxies.

### Greptile Summary

This PR fixes TLS fingerprint handling in the TUI gateway client by splitting connection resolution into synchronous (URL) and asynchronous (TLS fingerprint) parts. The synchronous portion ensures `connection.url` is immediately available for TUI header rendering, while the async portion resolves the TLS fingerprint before initializing the WebSocket client.

Key changes:

- Split `resolveGatewayConnection` into `resolveGatewayConnectionSync` (returns URL immediately) and `resolveGatewayTlsOnly` (async fingerprint resolution)
- Modified `GatewayChatClient` to defer `GatewayClient` initialization until TLS fingerprint is resolved
- Added comprehensive test coverage for TLS fingerprint handling in local and remote modes

### Confidence Score: 4/5

- This PR is safe to merge with minor considerations around edge cases
- The implementation correctly splits connection resolution to handle async TLS fingerprint lookup while maintaining UI responsiveness. The code mirrors the logic from `src/gateway/call.ts` appropriately. Comprehensive test coverage validates all major code paths including local TLS, remote mode, and URL overrides. One minor gap: `GatewayConnectionOptions` doesn't support an explicit `tlsFingerprint` override parameter (unlike `CallGatewayBaseOptions`), though this may not be needed for the TUI use case.
- No files require special attention

Last reviewed commit: fde5cbc
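
The split described above, sketched in plain JavaScript as an added example; it is not code from this PR or from OpenClaw. Every function, class and config field name is hypothetical, the certificate bytes are constructed, and it assumes the pin is a hex SHA-256 digest of the peer certificate, which the page does not state.

```javascript
// Added example. Every name here is hypothetical; none is OpenClaw's API.
const crypto = require("node:crypto");

// Constructed sample standing in for a certificate's DER bytes.
const SAMPLE_CERT_DER = Buffer.from("constructed-sample-certificate-bytes");

// Accept "AB:CD:..." or bare hex; reject anything that is not 32 bytes of hex.
function normalizeFingerprint(fp) {
  const hex = String(fp).replace(/[:\s]/g, "").toLowerCase();
  if (!/^[0-9a-f]{64}$/.test(hex)) throw new Error("not a SHA-256 fingerprint");
  return hex;
}

// Assumption: the pin is SHA-256 over the certificate the peer presented.
function fingerprintOf(certDer) {
  return crypto.createHash("sha256").update(certDer).digest("hex");
}

// Constant-time comparison of the pinned value against the presented cert.
function fingerprintMatches(pinned, certDer) {
  const a = Buffer.from(normalizeFingerprint(pinned), "hex");
  const b = Buffer.from(fingerprintOf(certDer), "hex");
  return crypto.timingSafeEqual(a, b);
}

// Synchronous part: the URL is known at once, so a UI header can render it.
function resolveUrlSync(cfg) {
  return cfg.urlOverride ?? `${cfg.tls ? "wss" : "ws"}://${cfg.host}:${cfg.port}`;
}

// Asynchronous part: load the pin, but only for secure (wss) targets.
async function resolveTlsFingerprint(cfg, loadPin) {
  if (!resolveUrlSync(cfg).startsWith("wss://")) return undefined;
  return normalizeFingerprint(await loadPin(cfg));
}

class ChatClient {
  constructor(cfg, loadPin) {
    this.url = resolveUrlSync(cfg); // readable before any await
    // Client options exist only once the pin is resolved, so a wss
    // connection can never be opened with the pin silently missing.
    this.options = resolveTlsFingerprint(cfg, loadPin).then(
      (tlsFingerprint) => ({ url: this.url, tlsFingerprint }),
    );
  }
}
```

Normalizing the pin before comparison matters because a pin stored as colon-separated upper-case hex would otherwise never equal a lower-case digest, which shows up as the same kind of connection failure as a missing fingerprint.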
