/** * Fetches the controller's CA certificate(s) from the well-known EST endpoint. * * The initial request is made with `rejectUnauthorized: false` because we don't * yet trust the controller's certificate — this is the bootstrap step. The * returned CA PEM is then used for all subsequent TLS connections. * * @param host - The controller host (e.g. "ctrl.example.com:1280") * @returns The concatenated PEM string of all CA certificates, or null if unavailable */ export declare function fetchControllerCa(host: string): Promise;