v1.2.8: real-IP-leak fix + youtube_via_relay + scan_sni hardening

Rollup of four merged fixes since v1.2.7:

- security: strip identity-revealing forwarding headers in the Apps
  Script relay path. Closes the XFF leak vector from issue #104 —
  users chained behind xray/v2rayNG or running browser extensions
  that inject X-Forwarded-For / Forwarded / Via / CF-Connecting-IP
  etc. would previously have those forwarded to the origin via the
  relay. Now stripped to 16 header variants with a regression test.

- proxy: new `youtube_via_relay` config toggle (#102). Routes
  YouTube family suffixes through Apps Script instead of the
  SNI-rewrite tunnel. Trades SafeSearch-on-SNI for Apps Script's
  fixed User-Agent + quota cost. Off by default.

- scan_sni: decode chunked dns.google DoH responses (#97, from
  @freeinternet865). Without this, PTR lookups always failed and
  scan-sni discovered zero domains.

- scan_sni: verify dns.google TLS with webpki roots (#98, from
  @freeinternet865). The DoH request is a normal public HTTPS call
  — an on-path MITM should not be able to forge PTR answers and
  poison the suggested SNI pool.

73 tests pass (up from 67 — three new chunked-decode tests + one
XFF-filter + two youtube_via_relay branches).
therealaleph
2026-04-24 01:58:25 +03:00
parent 09f1f5fecd
commit 6fdbfe3966
4 changed files with 14 additions and 4 deletions
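The scan_sni chunked-DoH item in the commit message (#97) is about framing being left in the body before JSON decoding. As an added example, not code from this commit or from mhrv-rs, here is one way to extract an HTTP/1.1 body with both chunked and Content-Length framing; the function names `find`, `dechunk` and `http_body` and the sample response are assumptions made for illustration.

```rust
// Added example (not mhrv-rs code); names and sample data are hypothetical.
fn find(hay: &[u8], needle: &[u8]) -> Option<usize> {
    hay.windows(needle.len()).position(|w| w == needle)
}

// Undo chunked framing; malformed or truncated input is an error, never a guess.
fn dechunk(mut rest: &[u8]) -> Result<Vec<u8>, String> {
    let mut out = Vec::new();
    loop {
        let eol = find(rest, b"\r\n").ok_or("truncated chunk-size line")?;
        let line = std::str::from_utf8(&rest[..eol]).map_err(|_| "non-UTF-8 chunk size")?;
        let hex = line.split(';').next().unwrap_or("").trim(); // drop chunk extensions
        let size = usize::from_str_radix(hex, 16).map_err(|_| format!("bad chunk size {hex:?}"))?;
        rest = &rest[eol + 2..];
        if size == 0 {
            return Ok(out); // last chunk; trailers are ignored
        }
        // Ordered so a huge declared size cannot overflow or index out of bounds.
        if rest.len() < 2 || size > rest.len() - 2 || &rest[size..size + 2] != b"\r\n" {
            return Err("truncated or unterminated chunk".into());
        }
        out.extend_from_slice(&rest[..size]);
        rest = &rest[size + 2..];
    }
}

pub fn http_body(raw: &[u8]) -> Result<Vec<u8>, String> {
    let split = find(raw, b"\r\n\r\n").ok_or("no header/body separator")?;
    let head = String::from_utf8_lossy(&raw[..split]).to_ascii_lowercase();
    let body = &raw[split + 4..];
    let header = |name: &str| {
        head.lines().skip(1).find_map(|l| {
            let (k, v) = l.split_once(':')?;
            (k.trim() == name).then(|| v.trim().to_string())
        })
    };
    if header("transfer-encoding").map_or(false, |v| v.contains("chunked")) {
        return dechunk(body);
    }
    // No Content-Length either: the body runs to connection close.
    let Some(v) = header("content-length") else { return Ok(body.to_vec()) };
    let n: usize = v.parse().map_err(|_| "bad Content-Length")?;
    body.get(..n).map(<[u8]>::to_vec).ok_or_else(|| "short body".to_string())
}

fn main() {
    // Constructed sample shaped like a chunked JSON reply.
    let raw = b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\nb\r\n{\"Status\":0\r\n1\r\n}\r\n0\r\n\r\n";
    println!("{:?}", http_body(raw).map(String::from_utf8));
}
```

Passing the raw response bytes straight to a JSON parser would see `b\r\n{"Status":0\r\n1\r\n}` and fail, which matches the symptom the commit message describes.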
Generated
+1 -1
@@ -2186,7 +2186,7 @@ dependencies = [
[[package]]
name = "mhrv-rs"
version = "1.2.7"
version = "1.2.8"
dependencies = [
"base64 0.22.1",
"bytes",
+1 -1
@@ -1,6 +1,6 @@
[package]
name = "mhrv-rs"
version = "1.2.7"
version = "1.2.8"
edition = "2021"
description = "Rust port of MasterHttpRelayVPN -- DPI bypass via Google Apps Script relay with domain fronting"
license = "MIT"
+2 -2
@@ -14,8 +14,8 @@ android {
applicationId = "com.therealaleph.mhrv"
minSdk = 24 // Android 7.0 — covers 99%+ of live devices.
targetSdk = 34
versionCode = 127
versionName = "1.2.7"
versionCode = 128
versionName = "1.2.8"
// Ship all four mainstream Android ABIs:
// - arm64-v8a — 95%+ of real-world Android phones since 2019
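Review bot: The `versionCode` line is bumped by hand to mirror the digits of `versionName` (127 for "1.2.7", 128 for "1.2.8"), and that scheme has no documented successor once a component reaches two digits, since a later "1.2.10" cannot be written this way without overlapping what "1.3.0" would get. A short comment beside `versionCode` stating the mapping rule would make the next bump unambiguous, and since the same version string is also edited by hand in two other files in this commit, deriving the Android values from one source would remove a place for them to drift.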
+10
@@ -0,0 +1,10 @@
<!-- see docs/changelog/v1.1.0.md for the file format: Persian, then `---`, then English. -->
• رفع نشت ‫IP‬ واقعی (issue #104): فیلتر هدرهای ‫forwarded در مسیر Apps Script‬ گسترش یافت تا همهٔ هدرهای هویت‌افشاگر (`X-Forwarded-For`, `X-Real-IP`, `Forwarded`, `Via`, `CF-Connecting-IP`, `True-Client-IP`, `Fastly-Client-IP`، و ۱۰ مورد دیگر) را قبل از ارسال به ‫Apps Script‬ حذف کند. اگر کاربر پشت یک پروکسی محلی (xray/v2rayNG) یا extension‬ مرورگر باشد که این هدرها را اضافه می‌کند، ‫IP‬ واقعی از طریق مسیر ‫relay‬ به سرور مقصد نشت نمی‌کند
• گزینهٔ `youtube_via_relay` (issue #102): پورت شده از ‫Python‬ بالادست. وقتی فعال شود، ترافیک یوتیوب از مسیر ‫SNI-rewrite‬ خارج می‌شود و از طریق ‫Apps Script‬ می‌رود تا فیلتر SafeSearch-on-SNI گوگل دور زده شود. ترید-آف: ‫User-Agent‬ ثابت می‌شود روی Google-Apps-Script و سهمیهٔ روزانهٔ شما مصرف می‌شود. پیش‌فرض خاموش
• رفع دستور scan-sni (PR #97): پاسخ‌های dns.google با Transfer-Encoding: chunked برمی‌گردند و قبل از JSON decode باید unchunk‬ شوند. بدون این پچ هیچ دامنه‌ای کشف نمی‌شد
• اعتبارسنجی ‫TLS در scan-sni (PR #98): درخواست DoH به dns.google از NoVerify به webpki roots سوئیچ شد تا یک ‫on-path MITM‬ نتواند ‫PTR‬های جعلی برگرداند و pool ‫SNI‬ را مسموم کند
---
• Real-IP leak fix (issue #104): extended the forwarded-headers filter in the Apps Script relay path to strip every identity-revealing header (`X-Forwarded-For`, `X-Real-IP`, `Forwarded`, `Via`, `CF-Connecting-IP`, `True-Client-IP`, `Fastly-Client-IP` and 10 more) before we ship the request to Apps Script. If a user sits behind a local proxy (xray/v2rayNG) or a browser extension that inserts any of these, the real IP no longer leaks through the relay path to the origin
`youtube_via_relay` config toggle (issue #102): ported from upstream Python. When enabled, YouTube traffic opts out of the SNI-rewrite tunnel and goes through Apps Script instead, bypassing Google's SafeSearch-on-SNI filter that sometimes marks normal videos as "restricted." Trade-off: adds the fixed `Google-Apps-Script` User-Agent and counts YouTube against your daily quota. Off by default
• scan-sni chunked-DoH fix (PR #97): `dns.google` replies with `Transfer-Encoding: chunked`; the raw payload was going to serde_json with chunk framing still embedded, so every PTR parse failed and scan-sni discovered nothing. Proper HTTP-body parsing now (chunked + Content-Length), plus unit tests
• scan-sni TLS verification (PR #98): the DoH client to `dns.google` was using `NoVerify` — an on-path MITM could forge PTR answers and poison the discovered SNI pool. Switched to the normal webpki root store; the rest of the scan flow is unchanged
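Review bot: The header count in the real-IP entry does not match the commit message: both the Persian and the English line name seven headers "and 10 more", which is 17, while the commit message says the filter strips 16 header variants. Please make the changelog number agree with the filter's actual list. Separately, the English `youtube_via_relay` entry starts without the leading `•` that every other entry in the file carries, so it will render differently from its neighbours.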