feat(release): FTPS robustness — passive mode, TLS min, cert pinning, CA override, and optional insecure

.env.example

@@ -20,6 +20,19 @@ FTP_REMOTE_DIR=/path/on/server
 # If unset, the script auto-detects explicit when FTP_PROTOCOL=ftps and FTP_PORT=21.
 # FTPS_MODE=explicit
 
+# Optional connection flags
+# Use passive mode (some providers require this)
+# FTP_PASSIVE=true
+# Enforce TLS minimum (1.2 or 1.3)
+# TLS_MIN=1.2
+# Pin server certificate public key (recommended if provider's cert CN/SAN mismatch)
+# Accepts a base64 sha256 hash (sha256//...) or a PEM/DER file path
+# TLS_PINNED_PUBKEY=sha256//BASE64HASH
+# Provide a custom CA bundle file (PEM) if needed
+# TLS_CACERT=/path/to/ca-bundle.pem
+# As a last resort only, disable certificate verification (not recommended)
+# TLS_INSECURE=false
+
 # SFTP host verification (SFTP only; choose one)
 # SFTP_KNOWN_HOSTS=/home/you/.ssh/known_hosts
 # SFTP_HOST_PUBKEY_SHA256=base64sha256fingerprint