fix: preserve externally-provided TLS certificates #232

Merged: chadbyte merged 1 commit into chadbyte:main from egns-ai:fix/preserve-external-certs on Mar 20, 2026

@egns-ai (Contributor) commented Mar 19, 2026

Summary

  • Fixes #230 (fix: ensureCerts overwrites externally-provided TLS certificates on startup): ensureCerts overwrites external certificates (e.g. from tailscale cert) with self-signed mkcert certs on every daemon startup
  • Adds a check to skip IP-completeness validation and mkcert regeneration when the existing cert was not issued by mkcert
  • External certs (Tailscale, Let's Encrypt, etc.) are now left untouched

Change

Single line addition in ensureCerts():

if (certText.indexOf("mkcert") === -1) return { key: keyPath, cert: certPath, caRoot: caRoot };

This early-returns before the IP SAN check when the cert issuer is not mkcert, preventing regeneration of externally-provided certificates.

Test plan

  • Provide an external cert (e.g. via tailscale cert) and verify it is preserved across daemon restarts
  • Verify mkcert-generated certs still regenerate when IPs change
  • Verify fresh installs with no existing cert still generate via mkcert

🤖 Generated with Claude Code
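
The whole-text match in the one-liner above also fires when "mkcert" appears in the subject or a SAN of an external certificate. As an added example (not code from this PR or the project), the sketch below scopes the check to the Issuer line, assuming certText is an `openssl x509 -noout -text` style dump; the function names and the sample dumps are constructed for illustration.

```javascript
// Added example: issuer-scoped mkcert detection (not the project's code).
// Assumption: certText is an `openssl x509 -noout -text` style dump.

// Return the value of the first "Issuer:" line, or null if there is none.
function issuerLine(certText) {
  const m = /^\s*Issuer:\s*(.+)$/m.exec(certText);
  return m ? m[1].trim() : null;
}

// Whole-text check, equivalent to the test in the PR's one-liner.
function mentionsMkcert(certText) {
  return certText.indexOf("mkcert") !== -1;
}

// Issuer-only check: true only when the Issuer DN names mkcert.
// A dump with no Issuer line counts as external, so it is never regenerated.
function issuedByMkcert(certText) {
  const issuer = issuerLine(certText);
  return issuer !== null && issuer.indexOf("mkcert") !== -1;
}

// Decision the daemon would take: leave non-mkcert certs untouched.
function shouldPreserve(certText) {
  return !issuedByMkcert(certText);
}

// Constructed samples (abridged text dumps, not real certificates).
const MKCERT_CERT = [
  "Certificate:",
  "    Data:",
  "        Issuer: O = mkcert development CA, OU = dev@laptop, CN = mkcert dev@laptop",
  "        Subject: O = mkcert development certificate, OU = dev@laptop",
  "            X509v3 Subject Alternative Name:",
  "                DNS:localhost, IP Address:127.0.0.1, IP Address:192.168.1.20",
].join("\n");

// External cert whose hostname happens to contain "mkcert".
const EXTERNAL_CERT = [
  "Certificate:",
  "    Data:",
  "        Issuer: C = US, O = Example Public CA, CN = Example Issuing CA",
  "        Subject: CN = mkcert-lab.example.ts.net",
  "            X509v3 Subject Alternative Name:",
  "                DNS:mkcert-lab.example.ts.net",
].join("\n");
```

With these samples the whole-text check classifies the external certificate as mkcert-issued, while the issuer-scoped check preserves it.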

ensureCerts overwrites external certificates (e.g. from tailscale cert)
with self-signed mkcert certs on every startup because external certs
don't contain all local IPs in their SANs. Skip IP-completeness checks
when the cert was not issued by mkcert.

Fixes chadbyte#230

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

@chadbyte (Owner)

@egns-ai LGTM! Clean fix, thanks. The external cert detection is clear and doesn't affect the existing mkcert flow. 👍

@chadbyte chadbyte merged commit c7d9e09 into chadbyte:main Mar 20, 2026

@github-actions (Contributor)

This issue has been resolved in version 2.13.0-beta.3 (main).

To update, run:

npx clay-server@2.13.0-beta.3

-- Clay Deploy Bot

Build anything, with anyone, in one place.

@github-actions (Contributor)

This issue has been resolved in version 2.13.0 (stable).

To update, run:

npx clay-server@2.13.0

-- Clay Deploy Bot

Build anything, with anyone, in one place.
