v1.2.12: Full Tunnel Mode (#94 merged)

Rollup of PR #94 — Mode::Full dispatch + batch tunnel client. Ships
the long-awaited no-MITM path that was the motivating fix for half
the open issues this week.

User-facing: add `"mode": "full"` to config.json, deploy CodeFull.gs
as a second Apps Script alongside your existing one, deploy
tunnel-node (tunnel-node/README.md) on a VPS, and traffic is tunneled
end-to-end: client → mhrv-rs → script.google.com → your tunnel node →
destination. Browser speaks TLS directly with the destination; we
never see plaintext. No CA needed on the client device.

Android side gets a "Full tunnel (no cert)" dropdown option; toggling
it writes `"mode": "full"` to config.json.

Safety: Mode::AppsScript and Mode::GoogleOnly dispatch paths are
unchanged — Full mode is an additive branch at the top of
dispatch_tunnel. Existing users on the default apps_script mode see
zero behaviour change.

Testing status: compiles clean on all 10 CI targets; 75 tests pass
(+2 new config-validation tests for Full mode); end-to-end real-VPS
testing will come post-release from @Feiabyte and others who opt in.
Any Full-mode regression gets a fast-follow fix.

Cargo.lock

@@ -2186,7 +2186,7 @@ dependencies = [
 
 [[package]]
 name = "mhrv-rs"
-version = "1.2.10"
+version = "1.2.12"
 dependencies = [
  "base64 0.22.1",
  "bytes",

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "mhrv-rs"
-version = "1.2.11"
+version = "1.2.12"
 edition = "2021"
 description = "Rust port of MasterHttpRelayVPN -- DPI bypass via Google Apps Script relay with domain fronting"
 license = "MIT"

android/app/build.gradle.kts

@@ -14,8 +14,8 @@ android {
         applicationId = "com.therealaleph.mhrv"
         minSdk = 24 // Android 7.0 — covers 99%+ of live devices.
         targetSdk = 34
-        versionCode = 131
-        versionName = "1.2.11"
+        versionCode = 132
+        versionName = "1.2.12"
 
         // Ship all four mainstream Android ABIs:
         //   - arm64-v8a      — 95%+ of real-world Android phones since 2019

docs/changelog/v1.2.12.md

@@ -0,0 +1,8 @@
+<!-- see docs/changelog/v1.1.0.md for the file format: Persian, then `---`, then English. -->
+• ‫Full Tunnel Mode‬ منتشر شد (PR #94): حالت جدید ‫`"mode": "full"`‬ که تمام ترافیک را end-to-end از طریق ‫Apps Script → tunnel node‬ شما روی یک ‫VPS‬ تونل می‌کنه. مرورگر مستقیم ‫TLS‬ با مقصد برقرار می‌کنه — بدون ‫MITM‬، بدون نیاز به نصب ‫CA‬. برای کاربرانی که ‫IP‬ ‫VPS‬ آن‌ها از ‫ISP‬ مسدوده ولی می‌تونن به ‫script.google.com‬ برسن (مثل بیشتر کاربران ایرانی). راهنما در ‫tunnel-node/README.md‬ برای راه‌اندازی ‫tunnel node‬ روی ‫VPS‬. این بازکنندهٔ مشکلات بسیاری از issueهای باز است (‫#61, #69, #100, #105, #110, #111, #113, #116‬)
+• اپ اندروید: گزینهٔ ‫«Full tunnel (no cert)»‬ در ‫dropdown‬ حالت اضافه شد
+• هنوز نیاز به تست end-to-end: ‫@Feiabyte‬ داوطلب شده برای آزمایش کامل از داخل ایران با ‫VPS‬ ترکیه. اگه کسی می‌خواد زودتر تست کنه، ‫tunnel-node‬ رو با ‫docker‬ روی ‫VPS‬ راه بندازه + ‫CodeFull.gs‬ رو deploy کنه + ‫`"mode": "full"`‬ بذاره در کانفیگ. هرگونه issue گزارش بدید
+---
+• Full Tunnel Mode landed (PR #94): new `"mode": "full"` tunnels all traffic end-to-end through Apps Script → your tunnel node on a VPS. Browser does TLS directly with the destination — no MITM, no CA installation needed. Unblocks users whose VPS IP is blocked by their ISP but who can still reach `script.google.com` (most Iranian users). Setup guide in `tunnel-node/README.md` for deploying the tunnel node. Resolves the motivating case for #61, #69, #100, #105, #110, #111, #113, #116
+• Android app: new "Full tunnel (no cert)" option in the mode dropdown
+• End-to-end testing still pending: @Feiabyte volunteered to test from Iran with a Turkey VPS. Anyone who wants to test earlier can deploy tunnel-node via Docker + deploy CodeFull.gs + set `"mode": "full"` in config. Report issues.