http-quik 0.1.5

# Changelog

All notable changes to this project will be documented in this file.

The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [0.1.5] - 2026-05-15

### Added
- **Configurable TLS Verification**: Introduced `verify_peer` to `TlsProfile` and `.danger_accept_invalid_certs(bool)` to `ClientBuilder`. This enables developer-friendly bypasses for local debugging and proxying (mitmproxy) while maintaining secure-by-default behavior.
- **Strict Quality Gate**: Implemented a modular, multi-platform CI workflow (`test.yml`) that enforces strict quality checks across Ubuntu, Windows, and macOS.

### Fixed
- **Windows OS Stability**: Resolved persistent `CERTIFICATE_VERIFY_FAILED` errors on Windows environments by updating the integration and doc-test suites to utilize the new verification toggle where system CA stores are inaccessible.
- **Documentation Refinement**: Restored high-level `Client::new()` examples with hidden CI safety hacks and added developer notes for proxying.

## [0.1.4] - 2026-05-14

### Fixed
- **Hotfix:** Reverted the PQ curve string `X25519MLKEM768` back to `X25519Kyber768Draft00`. The v0.1.3 release introduced the new standardized string, but the `boring` crate v4 bindings in use do not yet parse the new string, causing a `TlsBuild` panic on initialization. The underlying network protocol identity (ID `4588`) remains identical to Chrome 134.

## [0.1.3] - 2026-05-14

### Fixed
- **Post-Quantum Group Identity:** Chrome 134 Stable relies on the finalized ML-KEM protocol for its post-quantum hybrid group (Group ID `0x11EC` / `4588`). Previously, this ID was mapped to an outdated draft name (`X25519Kyber768Draft00`). The mapping has been updated to the standardized BoringSSL name (`X25519MLKEM768`), ensuring the ClientHello advertises the exact PQ footprint expected by WAFs.
- **ALPS Injection Stability:** The raw BoringSSL FFI call used to inject Application-Layer Protocol Settings (ALPS) was previously ignoring its return value. `SSL_add_application_settings` is now explicitly checked. If ALPS injection fails (due to memory constraints or invalid state), the connection will safely abort with an `Error::Connect` rather than silently emitting a non-Chrome-compliant handshake.
- **HTTP Port Routing:** The automated redirect state machine and connection pooler previously defaulted to port `443` for all target authorities. The connection pool now inspects the URL scheme, correctly defaulting to port `80` for standard `http://` targets while maintaining `443` for `https://`.
- **User-Agent Patch Version Fidelity:** The OS-specific Chrome 134 profiles previously used a generic `.0.0.0` patch version in the `User-Agent` string. These have been updated to carry the exact Chrome 134 Stable patch version (`134.0.6998.35`), reducing detectability against heuristic analyzers that check for active release channel correlations.

## [0.1.2] - 2026-05-14

### Added
- **Cross-Platform Chrome 134 Profiles:** Added `chrome_134_windows_x64()` and `chrome_134_linux_x64()` profile constructors alongside the existing macOS profile. Each constructor emits the correct OS-specific User-Agent, `sec-ch-ua-platform`, `sec-ch-ua-platform-version`, and ALPS payload.
- **OS Auto-Detection (`profile_auto`):** New compile-time auto-detection via `cfg!(target_os)` selects the Chrome 134 profile matching the host kernel. `Client::new()` and `ClientBuilder::build()` now default to `profile_auto()` instead of hardcoding macOS.
- **`sec-ch-ua-platform-version` Header:** Added the `sec_ch_ua_platform_version` field to `HeaderProfile` and injected it into every outbound request. WAFs cross-check this value against the declared platform to detect spoofing (Windows 11 → `"13.0.0"`, macOS → `"15.0.0"`, Linux → `"0.0.0"`).
- **Platform-Specific ALPS Payload:** Added `alps_extra_settings` to `TlsProfile`. Windows and Linux Chrome append setting `0x7A9A` to the ALPS handshake data, producing a 30-byte payload versus macOS's 24 bytes. The ALPS builder in `connector.rs` now dynamically serializes these extra entries.

### Changed
- Refactored `chrome_134.rs` internals into shared `base_tls()` and `base_h2()` helpers to eliminate duplication across the three platform constructors.
- Updated crate-level and module-level documentation across `lib.rs`, `profile/mod.rs`, `profile/chrome_134.rs`, `client/connector.rs`, `client/request.rs`, and `client/pool.rs`.

## [0.1.1] - 2026-05-14

### Added
- **Dynamic ALPS Generation:** Replaced hardcoded ALPS extension bytes with a dynamic `build_alps_payload()` function that correctly packs HTTP/2 settings from `profile.h2.settings`. This prevents advanced WAFs from correlating stale TLS ALPS data with active HTTP/2 frames.
- **HPACK Validation Test:** Added `tests/hpack_never_indexed.rs` integration test verifying that `cookie` and `authorization` headers can be safely marked as sensitive (`never-indexed`) without panicking the underlying H2 encoder.

### Fixed
- **Missing Origin Header:** Chrome always sends the `Origin` header for state-mutating requests (`POST`, `PUT`, `PATCH`), even when the request is same-origin (to prevent CSRF). The `QuikSession` redirect engine now perfectly mirrors this behavior by automatically injecting the origin string derived from the target URI on mutation methods.

### Changed
- Documented future requirements for intelligent `:path` indexing. Chrome selectively skips indexing the `:path` pseudo-header for high-entropy REST API paths to avoid HPACK dynamic table bloat. A placeholder `TODO` was added to `request.rs` pending an upstream patch to the `http2` fork to support `no_index` on pseudo-headers.

## [0.1.0] - 2026-05-07

### Added
- Initial stable release.
- **Chrome 134 macOS ARM Identity:** Bit-perfect replication of TLS JA3/JA4 fingerprints and HTTP/2 Akamai fingerprints.
- Stateful connection pooling (9-minute lifetime) and stealth redirect mutation machine (`sec-fetch-site` downgrade algorithm).