fix(weread): use same-origin web API instead of i.weread.qq.com private API

[lw-yang]

Summary

• Add fetchWebApiWithCookies() to utils.js — same-origin GET with cookies to weread.qq.com/web/*
• Migrate book, highlights, notes, shelf from fetchPrivateApi (hits i.weread.qq.com) to fetchWebApiWithCookies
• Root cause: wr_skey is a host-only cookie on weread.qq.com, never sent to subdomain i.weread.qq.com

Problem

All commands using fetchPrivateApi fail with AUTH_REQUIRED even when the user is logged in:

$ opencli weread book 855812
error: AUTH_REQUIRED — Not logged in to WeRead

Verified the browser itself cannot authenticate to i.weread.qq.com:

// Same-origin — works
fetch('https://weread.qq.com/web/book/info?bookId=855812', {credentials:'include'})
// → {title: "人类简史", ...}

// Cross-subdomain — fails
fetch('https://i.weread.qq.com/book/info?bookId=855812', {credentials:'include'})
// → {errcode: -2012}

Why ai-outline was unaffected

ai-outline.js already uses its own postWebApiWithCookies() hitting weread.qq.com/web/book/chapterInfos (same-origin), which correctly receives cookies.

Not fixed: notebooks

/user/notebooks only exists on i.weread.qq.com — there is no /web/user/notebooks equivalent (returns 404). This command cannot be fixed with the same-origin approach and remains affected.

Local verification

All migrated commands tested successfully after patching:

• ✅ opencli weread book 855812 — returns full metadata
• ✅ opencli weread shelf — returns shelf without fallback warning
• ✅ opencli weread highlights 855812 — returns highlights
• ✅ opencli weread notes 855812 — returns notes

Fixes #1709