Pin QUIC fabric endpoint certificates

docs/architecture/DISTRIBUTED_FABRIC_NODE_PROTOCOL_PLAN.md

@@ -313,6 +313,9 @@ compatibility candidates for fabric sessions.
 VPN fabric-session gateway transport now consumes ranked endpoint candidates,
 so dataplane sessions can select QUIC fast-path candidates and fall back to
 legacy peer endpoints when the control plane has not published candidates yet.
+The temporary self-signed QUIC listener advertises its SHA-256 certificate
+fingerprint in endpoint metadata, and the QUIC client can pin that fingerprint
+instead of disabling verification while the cluster CA path is being finished.
 
 Deliverables: