
#15209: feat(irc): support self-signed TLS certificates via fingerprint pinning and insecure mode

by ryands (open) 2026-02-13 05:14
Labels: docs, channel: irc, size: S
## Summary

- Add `tlsInsecure` option to skip all TLS certificate verification for IRC connections (encrypted but no cert validation)
- Add `tlsFingerprints` option to pin connections to specific SHA-256 certificate fingerprints, allowing self-signed certs while still validating identity
- Add connection-level logging throughout the IRC client for easier debugging of TLS and connection issues
- Fix missing TLS options (`tlsInsecure`, `tlsFingerprints`) not being forwarded on transient send and probe connections

## Motivation

Users connecting to IRC servers (or bouncers) with self-signed or private CA certificates had no way to establish TLS connections — Node.js rejects untrusted certificates by default. Fingerprint pinning provides a secure alternative to fully disabling verification.

## Changes

- **`extensions/irc/src/client.ts`** — Accept `tlsInsecure` and `tlsFingerprints` options; set `rejectUnauthorized: false` when either is present; validate peer fingerprint on `secureConnect` when pinning; add `log` callback for connection lifecycle events
- **`extensions/irc/src/accounts.ts`** — Resolve `tlsInsecure` (with `IRC_TLS_INSECURE` env var fallback) and `tlsFingerprints` from config
- **`extensions/irc/src/monitor.ts`**, **`send.ts`**, **`probe.ts`** — Forward the new TLS options to `connectIrcClient`
- **`extensions/irc/src/channel.ts`** — Emit security warning when `tlsInsecure` is enabled
- **`extensions/irc/src/config-schema.ts`**, **`types.ts`** — Add schema and type definitions
- **`src/config/types.irc.ts`**, **`src/config/zod-schema.providers-core.ts`** — Add core config types and validation
- **`docs/channels/irc.md`** — Document both options with examples and fingerprint retrieval instructions

## Greptile Overview

### Greptile Summary

This PR adds IRC TLS options to support self-signed certs: `tlsInsecure` (disable verification) and `tlsFingerprints` (SHA-256 fingerprint pinning). It wires these options through account resolution, config schemas/types (extension + core), and forwards them into monitor/probe/transient send connections. It also adds connection lifecycle logging to the IRC client and monitor.

One issue to address before merge: the fingerprint validation currently happens on `secureConnect`, but the client sends IRC authentication commands in the socket `connect` handler. For TLS pinning, this can send credentials before the fingerprint check runs, which undermines the security goal of pinning.

### Confidence Score: 2/5

- This PR should not merge until the TLS fingerprint pinning handshake ordering is fixed.
- Fingerprint pinning is meant to prevent MITM, but the current implementation validates the fingerprint on `secureConnect` while sending PASS/NICK/USER on `connect`, which can run before validation and leak credentials. Once that ordering is corrected, the rest of the changes are straightforward schema/type plumbing and logging.
- extensions/irc/src/client.ts

Last reviewed commit: 4584cb1
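The ordering problem the review raises (pin checked on `secureConnect`, PASS/NICK/USER written on `connect`) and the fix it asks for, as an added example that is not the PR's code or the project's `client.ts`. The option names `tlsFingerprints` and `tlsInsecure` follow the PR description; `connectPinned`, `registerIrc`, `normalizeFingerprint` and `sha256Fingerprint` are illustrative helpers, not project APIs. Two Node details drive the shape: with `rejectUnauthorized: false`, `tls.connect` still emits `secureConnect` for a chain that failed verification (with `socket.authorized === false`) and does not call `checkServerIdentity` for such a chain, so the pin comparison has to run inside the `secureConnect` handler; and `cert.fingerprint256` is the SHA-256 of the DER certificate in the same colon-separated form `openssl x509 -noout -fingerprint -sha256` prints, which is what users will paste into config. Nothing is written to the socket until the promise settles, so credentials cannot reach an unverified peer:

```typescript
import * as tls from "node:tls";
import * as crypto from "node:crypto";

// Added example, not the project's client.ts. tlsFingerprints/tlsInsecure follow the
// PR description; connectPinned, registerIrc and the fingerprint helpers are illustrative.

/** Reduce any common fingerprint spelling to 64 lowercase hex chars.
 *  Accepts "SHA256:AB:CD:...", openssl's "sha256 Fingerprint=AB:CD:...", and bare hex.
 *  The prefix is stripped before the hex filter because "SHA256" itself contains hex digits. */
export function normalizeFingerprint(fp: string): string {
  const hex = fp
    .replace(/^\s*sha-?256\s*(fingerprint)?\s*[:=]\s*/i, "")
    .replace(/[^0-9a-fA-F]/g, "")
    .toLowerCase();
  if (hex.length !== 64) {
    throw new Error(`not a SHA-256 fingerprint: ${fp}`);
  }
  return hex;
}

/** SHA-256 over the DER certificate, in the colon-separated uppercase form Node
 *  exposes as cert.fingerprint256 (and openssl x509 -fingerprint -sha256 prints). */
export function sha256Fingerprint(der: Buffer): string {
  const hex = crypto.createHash("sha256").update(der).digest("hex").toUpperCase();
  return hex.match(/.{2}/g)!.join(":");
}

/** True when the presented fingerprint equals one of the configured pins. */
export function fingerprintMatches(presented: string, pins: readonly string[]): boolean {
  const got = normalizeFingerprint(presented);
  return pins.some((pin) => {
    try {
      return normalizeFingerprint(pin) === got;
    } catch {
      return false; // a malformed pin can never match
    }
  });
}

export interface PinnedConnectOptions {
  host: string;
  port: number;
  tlsFingerprints?: string[]; // when set, identity comes from the pin list, not the CA store
  tlsInsecure?: boolean; // encrypted but unauthenticated; only for explicitly opted-in setups
}

/** Open a TLS socket and resolve only once the peer is acceptable: CA-verified,
 *  matching a pin, or tlsInsecure. With rejectUnauthorized: false Node still emits
 *  'secureConnect' for an unverified chain (authorized === false) and skips
 *  checkServerIdentity, so the pin comparison has to live in this handler. */
export function connectPinned(opts: PinnedConnectOptions): Promise<tls.TLSSocket> {
  const pins = opts.tlsFingerprints ?? [];
  const pinning = pins.length > 0;
  return new Promise((resolve, reject) => {
    const socket = tls.connect({
      host: opts.host,
      port: opts.port,
      servername: opts.host,
      // Only relax chain validation when a pin list or insecure mode is configured
      rejectUnauthorized: !(pinning || opts.tlsInsecure),
    });
    const onError = (err: Error) => reject(err);
    socket.once("error", onError);
    socket.once("secureConnect", () => {
      if (pinning) {
        const cert = socket.getPeerCertificate();
        const presented = cert?.fingerprint256;
        if (!presented || !fingerprintMatches(presented, pins)) {
          const err = new Error(
            `TLS fingerprint mismatch for ${opts.host}:${opts.port} (got ${presented ?? "no certificate"})`,
          );
          socket.destroy(err); // tear down before any IRC bytes are sent
          reject(err);
          return;
        }
      }
      socket.off("error", onError); // caller owns error handling from here on
      resolve(socket);
    });
  });
}

/** IRC registration runs only after connectPinned has accepted the peer,
 *  never in a plain 'connect' handler, which fires before the handshake completes. */
export async function registerIrc(
  opts: PinnedConnectOptions,
  nick: string,
  pass?: string,
): Promise<tls.TLSSocket> {
  const socket = await connectPinned(opts);
  if (pass) socket.write(`PASS ${pass}\r\n`);
  socket.write(`NICK ${nick}\r\n`);
  socket.write(`USER ${nick} 0 * :${nick}\r\n`);
  return socket;
}
```

Usage: `await registerIrc({ host: "irc.example.test", port: 6697, tlsFingerprints: ["SHA256:AB:CD:..."] }, "mynick", process.env.IRC_PASS)`. On a mismatch the promise rejects and the socket is already destroyed, so a transient send or probe path that reuses `connectPinned` inherits the same guarantee instead of needing its own check.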
