v1.2.7: SNI cert fix mirrored to Android + tunnel-node scaffold (via #92 + #93)

- Android DEFAULT_SNI_POOL: mirror the Rust-side fix from #92 —
  accounts.googl.com replaced by accounts.google.com. Same cert-SAN
  mismatch that was failing every Nth rotation in the Rust client
  affected the Android user's sniHosts population; both pools need
  to stay in sync by design.

- Release rolls up PR #92 (cert fix) and PR #93 (tunnel-node +
  CodeFull.gs scaffolding). PR #93 adds a standalone binary under
  tunnel-node/ plus an Apps Script companion; no main-crate changes,
  so this is a zero-risk merge. Users who want to deploy a tunnel
  node can start today. The dispatch that activates `mode: full` is
  still in review in PR #94.

Cargo.lock

@@ -2186,7 +2186,7 @@ dependencies = [
 
 [[package]]
 name = "mhrv-rs"
-version = "1.2.6"
+version = "1.2.7"
 dependencies = [
  "base64 0.22.1",
  "bytes",

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "mhrv-rs"
-version = "1.2.6"
+version = "1.2.7"
 edition = "2021"
 description = "Rust port of MasterHttpRelayVPN -- DPI bypass via Google Apps Script relay with domain fronting"
 license = "MIT"

android/app/build.gradle.kts

@@ -14,8 +14,8 @@ android {
         applicationId = "com.therealaleph.mhrv"
         minSdk = 24 // Android 7.0 — covers 99%+ of live devices.
         targetSdk = 34
-        versionCode = 126
+        versionCode = 127
-        versionName = "1.2.6"
+        versionName = "1.2.7"
 
         // Ship all four mainstream Android ABIs:
         //   - arm64-v8a      — 95%+ of real-world Android phones since 2019

android/app/src/main/java/com/therealaleph/mhrv/ConfigStore.kt

@@ -285,10 +285,11 @@ val DEFAULT_SNI_POOL: List<String> = listOf(
     "drive.google.com",
     "docs.google.com",
     "calendar.google.com",
-    // Issue #42: passes DPI on Samantel / MCI where the longer google.com
+    // accounts.google.com — originally listed as accounts.googl.com per
-    // subdomains are selectively SNI-blocked. Must mirror the Rust list
+    // issue #42, but googl.com is NOT in Google's GFE cert SAN so TLS
-    // in src/domain_fronter.rs exactly.
+    // validation fails with verify_ssl=true (PR #92). Replaced with
-    "accounts.googl.com",
+    // accounts.google.com which is covered by the *.google.com wildcard.
+    "accounts.google.com",
     // Issue #47: same DPI-passing behaviour on MCI / Samantel.
     "scholar.google.com",
     // Ported from upstream Python FRONT_SNI_POOL_GOOGLE (commit 57738ec);

docs/changelog/v1.2.7.md

@@ -0,0 +1,6 @@
+<!-- see docs/changelog/v1.1.0.md for the file format: Persian, then `---`, then English. -->
+• رفع اعتبارسنجی گواهی ‫SNI rotation‬: ‫`accounts.googl.com`‬ در لیست گواهی ‫GFE‬ گوگل نبود و هر اتصال N-ام که rotation روش میفتاد با ‫verify_ssl=true‬ fail می‌شد. جایگزین شد با ‫`accounts.google.com`‬ که توسط ‫*.google.com‬ wildcard پوشش داده می‌شه (PR #92)
+• زیرساخت ‫tunnel-node‬: سرور مستقل ‫Rust/axum‬ + ‫CodeFull.gs‬ برای کاربرانی که می‌خوان یه ‫tunnel node‬ راه‌اندازی کنن. این قسمت ۱ از ۳ ویژگی ‫Full Tunnel Mode‬ است — فایل‌های جدید، بدون تغییر در کد موجود. استفاده از حالت ‫full‬ در ‫PR #94‬ فعال می‌شه (PR #93)
+---
+• SNI rotation cert fix: `accounts.googl.com` was not in Google's GFE certificate SAN list, causing every Nth connection where rotation landed on it to fail validation with `verify_ssl=true`. Replaced with `accounts.google.com` which is covered by the `*.google.com` wildcard (PR #92)
+• tunnel-node scaffolding: standalone Rust/axum server + CodeFull.gs for users who want to deploy a remote tunnel node. This is part 1 of 3 of the Full Tunnel Mode feature — all new files, no changes to existing code. The `mode: full` dispatch that activates it will land via PR #94 (PR #93)