feat(client-rust): accept gateway cert by default over TLS (or documented pin-only fallback)

clients/rust/src/client.rs

@@ -89,6 +89,26 @@ impl GatewayClient {
                     detail: format!("failed to read CA file {}: {source}", ca_file.display()),
                 })?;
                 tls = tls.ca_certificate(Certificate::from_pem(certificate));
+            } else if !options.require_certificate_validation() {
+                // Lenient-default fallback (Rust pin-only exception): tonic
+                // 0.13's `ClientTlsConfig` builds its rustls verifier inside a
+                // crate-private connector and exposes no hook for a custom
+                // `ServerCertVerifier`, so — unlike the other clients — the
+                // Rust client cannot accept an arbitrary self-signed cert. Pin
+                // the gateway's CA instead, or opt into strict verification
+                // against the system trust roots. We reject here rather than
+                // silently verifying against system roots (which would fail a
+                // self-signed gateway with a confusing handshake error).
+                return Err(Error::InvalidEndpoint {
+                    endpoint: options.endpoint().to_owned(),
+                    detail: "TLS requested without a pinned CA. The Rust client cannot accept an \
+                             arbitrary self-signed certificate (tonic 0.13 exposes no custom \
+                             rustls verifier). Pin the gateway certificate with \
+                             ClientOptions::with_ca_file, or call \
+                             ClientOptions::with_require_certificate_validation(true) to verify \
+                             against the system trust roots."
+                        .to_owned(),
+                });
             }
             endpoint = endpoint.tls_config(tls)?;
         }