Auto-enable TLS for access nodes on port 443

[peterargue]

Summary

• When an access node host uses port 443, automatically configure TLS with system CA certificate verification instead of insecure credentials
• Adds TransportCredentialForHost and GRPCDialOptionForHost helpers in internal/util/ for consistent behavior across all gRPC connection points
• Updates all NewGrpcGateway, NewBaseClient, and grpc.NewClient call sites to use the new helpers

this can be used when connecting to QuickNode, or other ANs with a standard CA signed certificate

Context

Access nodes behind TLS-terminating proxies (e.g. on port 443) require proper CA-based certificate verification. Previously, all non-key-authenticated connections used insecure credentials regardless of port. This change makes the CLI automatically do the right thing when connecting to port 443 endpoints.

Non-443 ports (emulator on 3569, mainnet/testnet on 9000, etc.) retain existing insecure transport behavior.

Test plan

• Verify CLI commands work against access nodes on port 443 with valid TLS certs
• Verify existing behavior unchanged for default networks (emulator:3569, testnet:9000, mainnet:9000)
• Verify --host flag with :443 suffix enables TLS automatically

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 3e7d8b1.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

Scanned Files

None

[codecov-commenter]

Codecov Report

❌ Patch coverage is 25.00000% with 12 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
internal/util/util.go	0.00%	9 Missing ⚠️
internal/accounts/create-interactive.go	0.00%	1 Missing ⚠️
internal/accounts/list.go	0.00%	1 Missing ⚠️
internal/command/command.go	0.00%	1 Missing ⚠️

📢 Thoughts on this report? Let us know!