feat: match Go TLS fingerprint for MITM upstream (#11)

* feat: match Go TLS fingerprint for MITM upstream connections

Replace rustls with boring2 (BoringSSL) for all MITM→Google upstream
connections, configured to match the exact defaults of Go's crypto/tls:

- Cipher suites: TLS_AES_128_GCM_SHA256 + 14 others in Go order
- Curves: X25519, P-256, P-384
- Signature algorithms: ECDSA+SHA256, RSA-PSS+SHA256, etc.
- HTTP/2 SETTINGS: 4MB stream window, 1GB connection window, 10MB
  header list, no adaptive windowing

Local TLS (LS→MITM) still uses rustls for CA cert presentation.
boring2/tokio-boring2 were already compiled as transitive deps from
wreq — no new build time added.

* chore: fmt + update README TLS description
Louie
2026-02-18 16:15:08 -06:00
committed by GitHub
parent e1ea22c7f0
commit 7455f76351
8 changed files with 141 additions and 55 deletions


@@ -325,9 +325,7 @@ fn svc_stop() -> bool {
}
#[cfg(not(windows))]
{
let _ = Command::new("pkill")
.args(["-f", "zerogravity"])
.status();
let _ = Command::new("pkill").args(["-f", "zerogravity"]).status();
}
true
}
@@ -517,9 +515,8 @@ fn do_test(msg: &str) {
.replace('\n', "\\n")
.replace('\r', "\\r")
.replace('\t', "\\t");
let body = format!(
r#"{{"model":"gemini-3-flash","input":"{escaped}","stream":false,"timeout":30}}"#
);
let body =
format!(r#"{{"model":"gemini-3-flash","input":"{escaped}","stream":false,"timeout":30}}"#);
match curl_post("/v1/responses", &body) {
Some(json) => jq_print(&json),
None => {