fix: restore production-safe cross-platform reqwest backend after impersonation API audit

crates/bex-core/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "bex-core"
-version = "2.1.0"
+version = "2.1.1"
 edition = "2021"
 
 [dependencies]
@@ -14,19 +14,27 @@ serde = { workspace = true }
 serde_json = { workspace = true }
 serde_yaml = { workspace = true }
 tracing = { workspace = true }
-# CRITICAL: rquest — Chrome TLS/HTTP2 impersonation via BoringSSL
-# This is the key to bypassing Cloudflare without a WebView.
-# rquest uses a patched BoringSSL that emits a byte-for-byte identical
-# TLS ClientHello to Chrome (JA3, JA4, H2 SETTINGS, GREASE, ALPS, etc.)
-# 
-# Why not reqwest+rustls? rustls has a completely different JA3 fingerprint
-# than Chrome. Cloudflare detects this instantly and blocks the connection.
+
+# Production-safe default HTTP backend.
+#
+# IMPORTANT:
+# - This is the portable/cross-platform default for Linux/macOS/Windows and most app embedding.
+# - It does browser-like HTTP headers, cookies, HTTP/2, compression, and session persistence.
+# - It does NOT provide byte-identical Chrome TLS JA3/JA4. For advanced CF/DataDome-level
+#   bypass you need a BoringSSL/curl-impersonate backend, which must be validated per target.
 #
-# rquest is the successor to reqwest-impersonate, maintained by 0x676e67.
-# API is 99% compatible with reqwest — mostly a find-and-replace migration.
-rquest = { version = "1.0", features = [
-    "full",
+# The previous experimental rquest dependency was intentionally removed because the exact
+# crate version/API was not verified in this environment and could make the repo fail to build.
+reqwest = { version = "0.12", default-features = false, features = [
+    "rustls-tls",
+    "json",
+    "gzip",
+    "brotli",
+    "deflate",
+    "cookies",
+    "http2",
 ] }
+
 wasmtime = { version = "30", features = ["component-model", "cranelift", "parallel-compilation"] }
 wasmtime-wasi = "30"
 wasmtime-wasi-io = "30"