fix(fidelity): inject sec-ch-ua headers in extractor

- Derive sec-ch-ua from Browser UA using HandoverValidator
- Closes gap in modern Chrome impersonation fidelity
- Verified with verify_tls.py

src/extractor/client.py

@@ -1,5 +1,6 @@
 from curl_cffi.requests import AsyncSession
 from src.core.session import SessionState
+from src.core.handover import HandoverValidator
 import logging
 
 # Configure logging
@@ -53,6 +54,9 @@ class CurlClient:
             "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7",
             "Accept-Language": "en-US,en;q=0.9",
             # Add sec-ch-ua derivation here if strict mode
+            "sec-ch-ua": HandoverValidator.derive_sec_ch_ua(self.session_state.user_agent),
+            "sec-ch-ua-mobile": "?0",
+            "sec-ch-ua-platform": '"Windows"',
         }
         
         logger.info(f"CurlClient initialized with impersonation: {self.session_state.tls_fingerprint}")