feat(retry): honour Retry-After header

Retry loop now waits max(retryWait, Retry-After) on retryable
statuses. Both delay-seconds and HTTP-date are parsed by a new
internal/retryafter package.

Before this the header was ignored, so servers asking for a longer
backoff (429/503 from Cloudflare, GitHub, AWS) got the configured
retryWait instead. Responses without Retry-After behave exactly as
before.

retryWait stays the floor between retries; the ceiling for the whole
cycle is the request context deadline (WithContext). Builder.Timeout
bounds a single cli.Do, not the sleep.

feat: add SecureTLS() and WebSocketGuard() builder methods

SecureTLS() enables TLS certificate verification (InsecureSkipVerify=false).
Default remains insecure for backward compatibility — call SecureTLS() for production.

WebSocketGuard() enables middleware that blocks HTTP 101 Switching Protocols.
Previously enabled by default — now opt-in. This allows surf.Std() to work
as HTTPClient for websocket.Dial without interfering with the upgrade handshake.

Also: ja_roundtripper now reads InsecureSkipVerify from client config instead
of hardcoded true, so SecureTLS() applies to JA3/utls connections too.

fix race

Firefox/148

refactor: rename HTTP3() to ForceHTTP3() and consolidate implementation

- Remove the separate `HTTP3()` method and `http3` field from Builder
  `ForceHTTP3()` is now the single entry point for enabling HTTP/3

Chrome/145

fix(ja): gate http2 transport on negotiated alpn

fix: multiple improvements and bug fixes across the library

Stream support:
- buildBody: early intercept any io.Reader type before type switch
- Body: default ContentLength to -1 (chunked) for streams with unknown size
- Body: use io.ReadCloser directly when available, avoiding double NopCloser wrap

Bug fixes:
- tlsGrabber: guard against empty PeerCertificates to prevent panic
- gzipReadCloser: don't return corrupted reader to sync.Pool on Close error
- dnsovertls: use comma-ok type assert for *net.TCPConn to prevent panic
- basicAuthMW: split on first colon only, preserving colons in passwords
- buildStringBody: stricter isFormEncoded check to avoid false positives
- decodeBodyMW: support stacked Content-Encoding (e.g. gzip, deflate)
- SSE parser: concatenate multi-line data fields per spec instead of overwriting
- SSE parser: skip dispatching events with no accumulated data
- TransportAdapter: set Body on Response so decodeBodyMW applies via Std()
- tlsConfigMW: propagate custom TLS config to existing transport

Improvements:
- Add Options, Connect, Trace HTTP method helpers on Client
- Remove middleware mutex (client is not modified concurrently after Build)