feat: match Go TLS fingerprint for MITM upstream (#11)

* feat: match Go TLS fingerprint for MITM upstream connections

Replace rustls with boring2 (BoringSSL) for all MITM→Google upstream
connections, configured with Go crypto/tls exact defaults:

- Cipher suites: TLS_AES_128_GCM_SHA256 + 14 others in Go order
- Curves: X25519, P-256, P-384
- Signature algorithms: ECDSA+SHA256, RSA-PSS+SHA256, etc.
- HTTP/2 SETTINGS: 4MB stream window, 1GB connection window, 10MB
  header list, no adaptive windowing

Local TLS (LS→MITM) still uses rustls for CA cert presentation.
boring2/tokio-boring2 were already compiled as transitive deps from
wreq — no new build time added.

* chore: fmt + update README TLS description

Cargo.lock

@@ -2366,6 +2366,7 @@ dependencies = [
  "async-stream",
  "axum",
  "base64",
+ "boring2",
  "brotli 7.0.0",
  "bytes",
  "chrono",
@@ -2386,6 +2387,7 @@ dependencies = [
  "serde_json",
  "time",
  "tokio",
+ "tokio-boring2",
  "tokio-rustls",
  "tokio-stream",
  "tower-http",