- hook_qbwc_response is DEPRECATED.  Instead, your hook_qbwc_request should
  include a 'callback' array, which defines the function(s) you want to call
  with the result data.
- Results are passed to these callbacks as arrays, not as the XML response.
  This is more consistent with how you're passing data to the API.
- In keeping with how sarvab is using the API, you can also pass a 'data' element.  Thus, hook_qbwc_request looks like:
function hook_qbwc_request() {
  return array(array(
    'name' => 'CustomerQueryRq',
    'callback' => array('my_qbwc_response'),
    'data' => array('I LIKE BUNNIES' => TRUE),
  ));
}
And your callback looks like:
function my_qbwc_response($response=array(), $data=array(), $status, $message) {}

apparently I'm in the minority.

  - Move infrequently-used admin form and qwc file callbacks to qbwc.admin.inc.
  - Move the qbwc() callback to its class file.

It was a little silly, because your module has to do a bunch of work to decide
whether or not to return TRUE on this function (which indicates that you want
to make requests)  And then, your module is subsequently called upon to do
a similar amount of work to actually make these requests.

Instead, the presence of requests found in the hook_qbwc_request() invocation
is used to determine whether the session should continue. This probably won't
break anything, but any qbwc_authenticate code is unused and should be removed.

Other changes:

- Added qbwc_set() and qbwc_get() functions, which are wrappers for information
  that is stored in the session.  You should use these to stash your goods
  rather than interacting with $_SESSION directly.

- Added qbwc_request_queue() API function.  It is automatically populated with
  the values from the initial call to hook_request.  You can store subsequent
  requests by calling qbwc_request_queue($request), and it will get called
  on the next passthru.

- Things are most likely re-broken.  You can thank me later for that.