feat: replace reqwest+rustls with rquest (Chrome TLS impersonation via BoringSSL)

crates/bex-core/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "bex-core"
-version = "2.0.0"
+version = "2.1.0"
 edition = "2021"
 
 [dependencies]
@@ -14,19 +14,18 @@ serde = { workspace = true }
 serde_json = { workspace = true }
 serde_yaml = { workspace = true }
 tracing = { workspace = true }
-# CRITICAL: reqwest with full browser-like features
-# - rustls-tls: TLS support
-# - gzip/brotli/deflate: Accept-Encoding decompression (browsers always send these)
-# - cookies: Cookie jar for session persistence (needed for CF challenges)
-# - http2: HTTP/2 support (Chrome always negotiates H2)
-reqwest = { version = "0.12", default-features = false, features = [
-    "rustls-tls",
-    "json",
-    "gzip",
-    "brotli",
-    "deflate",
-    "cookies",
-    "http2",
+# CRITICAL: rquest — Chrome TLS/HTTP2 impersonation via BoringSSL
+# This is the key to bypassing Cloudflare without a WebView.
+# rquest uses a patched BoringSSL that emits a byte-for-byte identical
+# TLS ClientHello to Chrome (JA3, JA4, H2 SETTINGS, GREASE, ALPS, etc.)
+# 
+# Why not reqwest+rustls? rustls has a completely different JA3 fingerprint
+# than Chrome. Cloudflare detects this instantly and blocks the connection.
+#
+# rquest is the successor to reqwest-impersonate, maintained by 0x676e67.
+# API is 99% compatible with reqwest — mostly a find-and-replace migration.
+rquest = { version = "1.0", features = [
+    "full",
 ] }
 wasmtime = { version = "30", features = ["component-model", "cranelift", "parallel-compilation"] }
 wasmtime-wasi = "30"