feat(client-go): accept gateway cert by default over TLS

clients/go/mxgateway/client.go

@@ -222,10 +222,24 @@ func resolveTransportCredentials(opts Options) (credentials.TransportCredentials
 		return credentials.NewTLS(cfg), nil
 	}
 
-	return credentials.NewTLS(&tls.Config{
+	return credentials.NewTLS(tlsConfigForOptions(opts)), nil
+}
+
+// tlsConfigForOptions returns the *tls.Config for the no-CA, no-custom-config TLS path.
+// It returns nil when the caller should use a different credentials path (CA file or custom TLSConfig).
+// Exposed as an internal helper so unit tests can assert the InsecureSkipVerify posture.
+func tlsConfigForOptions(opts Options) *tls.Config {
+	// CA file and custom TLSConfig take their own paths in resolveTransportCredentials.
+	if opts.CACertFile != "" || opts.TLSConfig != nil {
+		return nil
+	}
+	return &tls.Config{
 		MinVersion: tls.VersionTLS12,
 		ServerName: opts.ServerNameOverride,
-	}), nil
+		//nolint:gosec // internal tool; self-signed cert is the expected gateway default;
+		// opt-in to strict verification via RequireCertificateValidation.
+		InsecureSkipVerify: !opts.RequireCertificateValidation,
+	}
 }
 
 // OpenSessionOptions describes fields used to create an OpenSessionRequest.