fix(security): require explicit trust for first-time TLS pins

apps/android/app/src/test/java/ai/openclaw/android/node/ConnectionManagerTest.kt

@@ -49,7 +49,7 @@ class ConnectionManagerTest {
       )
 
     assertNull(params?.expectedFingerprint)
-    assertEquals(true, params?.allowTOFU)
+    assertEquals(false, params?.allowTOFU)
   }
 
   @Test
@@ -71,7 +71,6 @@ class ConnectionManagerTest {
         manualTlsEnabled = true,
       )
     assertNull(on?.expectedFingerprint)
-    assertEquals(true, on?.allowTOFU)
+    assertEquals(false, on?.allowTOFU)
   }
 }
-