fix: add setCertificateVerifyProc for net.fetch self-signed cert support

The certificate-error handler only applies to webContents (renderer)
requests. net.fetch in the main process needs
setCertificateVerifyProc on the default session to accept self-signed
certs from localhost. Registered via app.whenReady() before appMain()
to ensure it's active before any health check.

Author: aharvard

ui/desktop/src/main.ts

@@ -98,10 +98,11 @@ async function configureProxy() {
 
 if (started) app.quit();
 
-// Accept self-signed certificates from the local goosed server (127.0.0.1).
+// Accept self-signed certificates from the local goosed server.
 // goosed generates a fresh self-signed TLS cert on every launch so that
 // MCP app iframes are served over HTTPS and get a secure context.
-// Registered at the top level so it's active before any createChat() call.
+// certificate-error handles webContents requests (renderer).
+// setCertificateVerifyProc handles net.fetch requests (main process).
 app.on('certificate-error', (event, _webContents, url, _error, _certificate, callback) => {
   const parsed = new URL(url);
   if (parsed.hostname === '127.0.0.1' || parsed.hostname === 'localhost') {
@@ -112,6 +113,16 @@ app.on('certificate-error', (event, _webContents, url, _error, _certificate, cal
   }
 });
 
+app.whenReady().then(() => {
+  session.defaultSession.setCertificateVerifyProc((request, callback) => {
+    if (request.hostname === '127.0.0.1' || request.hostname === 'localhost') {
+      callback(0); // Accept
+    } else {
+      callback(-3); // Use default verification
+    }
+  });
+});
+
 if (process.env.ENABLE_PLAYWRIGHT) {
   const debugPort = process.env.PLAYWRIGHT_DEBUG_PORT || '9222';
   console.log(`[Main] Enabling Playwright remote debugging on port ${debugPort}`);