v1.2.8: real-IP-leak fix + youtube_via_relay + scan_sni hardening

Rollup of four merged fixes since v1.2.7:

- security: strip identity-revealing forwarding headers in the Apps
  Script relay path. Closes the XFF leak vector from issue #104 —
  users chained behind xray/v2rayNG or running browser extensions
  that inject X-Forwarded-For / Forwarded / Via / CF-Connecting-IP
  etc. would previously have those forwarded to the origin via the
  relay. Now stripped to 16 header variants with a regression test.

- proxy: new `youtube_via_relay` config toggle (#102). Routes
  YouTube family suffixes through Apps Script instead of the
  SNI-rewrite tunnel. Trades SafeSearch-on-SNI for Apps Script's
  fixed User-Agent + quota cost. Off by default.

- scan_sni: decode chunked dns.google DoH responses (#97, from
  @freeinternet865). Without this, PTR lookups always failed and
  scan-sni discovered zero domains.

- scan_sni: verify dns.google TLS with webpki roots (#98, from
  @freeinternet865). The DoH request is a normal public HTTPS call
  — an on-path MITM should not be able to forge PTR answers and
  poison the suggested SNI pool.

73 tests pass (up from 67 — three new chunked-decode tests + one
XFF-filter + two youtube_via_relay branches).

android/app/build.gradle.kts

@@ -14,8 +14,8 @@ android {
         applicationId = "com.therealaleph.mhrv"
         minSdk = 24 // Android 7.0 — covers 99%+ of live devices.
         targetSdk = 34
-        versionCode = 127
-        versionName = "1.2.7"
+        versionCode = 128
+        versionName = "1.2.8"
 
         // Ship all four mainstream Android ABIs:
         //   - arm64-v8a      — 95%+ of real-world Android phones since 2019