v1.1.5: merge upstream safety fixes + Telegram default = file + link only (#60)

Contains the three safety fixes from PRs #48/#49/#50 and the Persian
README RTL polishing from #58, all squashed into main. Merge details
already in their individual PR comments; summary:

  #48: reject truncated Content-Length relay responses (previously
       silently accepted whatever bytes arrived before EOF)
  #49: reject truncated or malformed (missing CRLF) chunked-encoding
       relay responses (same class of silent-acceptance bug)
  #50: restrict the SNI-rewrite tunnel dispatch to port 443. Plain
       HTTP (:80) targets that happened to match google.com / hosts
       override were being steered into the TLS tunnel and blocking
       waiting for a ClientHello that would never arrive.
  #58: trailing-whitespace line-breaks on Persian bullet lists in
       README so the RTL rendering doesn't collapse consecutive
       items into a single paragraph.

Test suite grew from 54 to 58 passing (three new negative tests for
the relay-reader correctness fixes + one SNI-rewrite port filter).

Telegram CI notify default switched to file-plus-link:
  - script gains a `--with-changelog` flag; default OFF
  - workflow only passes it when `vars.TELEGRAM_INCLUDE_CHANGELOG=true`
  - every routine release now posts just the APK + short caption
    (title + SHA-256 + repo URL + release URL) with no long body

To include bullets for a given release again:
  gh variable set TELEGRAM_INCLUDE_CHANGELOG --body true
The existing `vars.TELEGRAM_NOTIFY_ENABLED` job-level gate remains —
changelog toggle is orthogonal to enable/disable.

Also closes PR #55 without merging; ads/analytics domains were being
lumped under a YouTube-specific toggle, and the PR committed
per-machine `.cargo/config.toml` + zig-cc cross-compile helpers that
would have broken CI on actual Windows / macOS runners.
Shin (Former Aleph)
2026-04-23 14:40:15 +03:00
committed by GitHub
parent f45bc2f420
commit 5a108f73cb
5 changed files with 30 additions and 6 deletions
+14 -1
@@ -159,7 +159,16 @@ def main() -> int:
ap.add_argument("--apk", required=True)
ap.add_argument("--version", required=True)
ap.add_argument("--repo", required=True)
ap.add_argument("--changelog", required=True)
ap.add_argument("--changelog", required=True,
help="Path to docs/changelog/vX.Y.Z.md; only read when --with-changelog is passed.")
# Default: just the APK + short caption (title + SHA-256 + repo URL +
# release URL). The per-release Persian/English blockquote reply is
# opt-in via `--with-changelog` so routine releases don't flood the
# channel with bullet-point bodies. To re-enable for a specific tag:
# set the repo variable TELEGRAM_INCLUDE_CHANGELOG=true before pushing
# the tag (the workflow converts that into --with-changelog).
ap.add_argument("--with-changelog", action="store_true",
help="Include the Persian+English changelog as a reply-threaded message.")
args = ap.parse_args()
token = os.environ.get("BOT_TOKEN", "")
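Review bot: `--changelog` is still declared with `required=True` even though its new help text says the path is only read when `--with-changelog` is passed, so every default run has to supply an argument that is never used. Consider dropping `required=True` and calling `ap.error(...)` after `parse_args()` when `--with-changelog` is set without `--changelog`; that keeps the default invocation minimal and makes the dependency between the two flags explicit. The multi-line comment above `--with-changelog` also repeats the one added to the workflow, so one of the two could simply point at the other.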
@@ -180,6 +189,10 @@ def main() -> int:
doc_mid = send_document(token, chat_id, args.apk, caption)
print(f"sendDocument OK, message_id={doc_mid}")
if not args.with_changelog:
print("Changelog reply disabled (default). Pass --with-changelog to include.")
return 0
fa, en = parse_changelog(args.changelog)
if not fa and not en:
print(f"No changelog at {args.changelog}, skipping reply.")
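Review bot: now that the changelog reply is an explicit opt-in, the `if not fa and not en:` branch after the new early return only prints "No changelog at ..., skipping reply." when `parse_changelog` comes back empty. The lines after that print are not shown here; if that path still exits 0, a release pushed with TELEGRAM_INCLUDE_CHANGELOG=true and a misnamed changelog file will look successful in CI. Consider a non-zero exit, or at least a GitHub Actions `::warning::` line, when `--with-changelog` was requested and nothing was parsed.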
+12 -1
@@ -402,6 +402,7 @@ jobs:
env:
BOT_TOKEN: ${{ secrets.TELEGRAM_BOT_TOKEN }}
CHAT_ID: ${{ secrets.TELEGRAM_CHAT_ID }}
INCLUDE_CHANGELOG: ${{ vars.TELEGRAM_INCLUDE_CHANGELOG }}
# Python over curl/bash so we don't have to fight curl's -F
# value-interpretation rules. curl treats `-F "caption=<..."`
# as "read the caption from file named ..." when the value
@@ -424,8 +425,18 @@ jobs:
exit 1
fi
# --with-changelog is opt-in. Default post is just the APK
# plus a short caption with the SHA-256, repo URL, and release
# URL — no long body. To include the Persian/English bullets
# for a specific tag, set the repo variable
# TELEGRAM_INCLUDE_CHANGELOG=true before pushing that tag.
INCLUDE_CHANGELOG_FLAG=""
if [ "${INCLUDE_CHANGELOG:-}" = "true" ]; then
INCLUDE_CHANGELOG_FLAG="--with-changelog"
fi
python3 .github/scripts/telegram_release_notify.py \
--apk "$APK" \
--version "$VER" \
--repo "$GITHUB_REPOSITORY" \
--changelog "docs/changelog/v${VER}.md"
--changelog "docs/changelog/v${VER}.md" \
$INCLUDE_CHANGELOG_FLAG
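Review bot: the trailing `$INCLUDE_CHANGELOG_FLAG` is expanded unquoted so that an empty value disappears from the argument list, which works but relies on word splitting and will be flagged by ShellCheck (SC2086). `${INCLUDE_CHANGELOG_FLAG:+"$INCLUDE_CHANGELOG_FLAG"}` gives the same result without the unquoted expansion. The `= "true"` comparison is also exact and case-sensitive, so a repo variable set to `True` or `1` silently leaves the changelog off; the comment above the `if` could state that only the literal `true` enables it.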