
refactor: extract _verify_peer_fingerprint to module level and add _c…#62

Merged
jdrean merged 2 commits into main from jules/async
Feb 23, 2026

@jdrean jdrean commented Feb 23, 2026

…reate_bio_wrapper


Summary by cubic

Extracted certificate public key fingerprint verification to a module-level helper and added a reusable BIO wrapper for async TLS pinning. This reduces duplication and keeps pinning consistent across sync and async clients.

  • Refactors
    • Moved _verify_peer_fingerprint to tinfoil.client; TLSBoundHTTPSHandler and SecureClient now use it.
    • Added SecureClient._create_bio_wrapper to verify after the TLS handshake; its API mirrors _create_socket_wrapper, and make_secure_async_http_client now injects this wrapper.
    • Updated tests to import/patch tinfoil.client._verify_peer_fingerprint and cover the new async wrapping behavior.

Written for commit a4c31c9. Summary will update on new commits.


@cubic-dev-ai cubic-dev-ai bot left a comment


1 issue found across 2 files

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="src/tinfoil/client.py">

<violation number="1" location="src/tinfoil/client.py:114">
P2: Custom agent: **Check System Design and Architectural Patterns**

`_create_bio_wrapper` has an inconsistent API compared to `_create_socket_wrapper`. It returns a function requiring `original_wrap_bio` as a parameter, forcing the caller to create a lambda adapter. Instead, accept `original_wrap_bio` as a parameter to `_create_bio_wrapper` itself and close over it, so the returned function can be directly assigned to `ctx.wrap_bio` — matching the pattern used by `_create_socket_wrapper`.

This simplifies the call site and makes both wrapper factories consistent, which is important for maintainability as the control plane grows.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
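
The closure-based factory that the review comment above asks for, as an added example (not the tinfoil code and not written by anyone in this thread). `create_bio_wrapper`, `pin_context`, `PinMismatch` and the whole-certificate SHA-256 check are assumptions for illustration; the PR's helper checks the certificate's public key fingerprint instead.

```python
import hashlib
import hmac
import ssl


class PinMismatch(ssl.SSLError):
    """Raised when the peer certificate does not match the pinned value."""


def verify_peer_fingerprint(cert_der, expected_fp):
    # Stand-in check (assumption): SHA-256 over the whole DER certificate.
    # The helper in the PR pins the certificate's public key instead.
    if not cert_der:
        raise PinMismatch("peer presented no certificate")
    actual = hashlib.sha256(cert_der).hexdigest()
    if not hmac.compare_digest(actual, expected_fp.lower()):
        raise PinMismatch("peer certificate fingerprint mismatch")


def create_bio_wrapper(original_wrap_bio, expected_fp):
    """Return a drop-in replacement for ctx.wrap_bio.

    The original wrap_bio is captured by the closure, so the caller needs
    no lambda adapter to pass it in on every call.
    """

    def wrap_bio(*args, **kwargs):
        sslobj = original_wrap_bio(*args, **kwargs)
        original_handshake = sslobj.do_handshake

        def do_handshake():
            # SSLWantReadError / SSLWantWriteError propagate unchanged while
            # the handshake is in progress; the pin is checked only once the
            # handshake has completed, before any application data flows.
            original_handshake()
            verify_peer_fingerprint(
                sslobj.getpeercert(binary_form=True), expected_fp
            )

        sslobj.do_handshake = do_handshake
        return sslobj

    return wrap_bio


def pin_context(ctx, expected_fp):
    # Direct assignment, the same shape as a socket-wrapper factory.
    ctx.wrap_bio = create_bio_wrapper(ctx.wrap_bio, expected_fp)
    return ctx
```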

@jdrean jdrean merged commit 6209c21 into main Feb 23, 2026
2 checks passed
@jdrean jdrean deleted the jules/async branch February 24, 2026 00:09