721194dfb5
Previously only a handshake failure closed the underlying conn; configuration errors (malformed caCerts PEM, bad cert/key pair) returned with the conn still open, while the JS wrapper treats every upgradeTLS rejection as fatal and marks the conn closed — leaking a live Go conn that could no longer be closed from JS. Close on every error path so the JS contract (any rejection after validation is fatal) holds. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01XfRgMke8p7QDxD5QM5thxH