
#6916: fix(slack): add timeout to file download to prevent DoS (CWE-400)

by hclsys, open, 2026-02-02 06:02
channel: slack
## Summary

Add `AbortSignal.timeout()` to both fetch calls in `fetchWithSlackAuth()` to prevent indefinite hangs when Slack CDN is slow or unresponsive.

- **Initial auth request**: 30s timeout
- **Redirect follow**: 30s timeout
- Optional `timeoutMs` parameter for configurability while maintaining backward compatibility

## Security

- **CWE**: [CWE-400](https://cwe.mitre.org/data/definitions/400.html) - Uncontrolled Resource Consumption
- **CVSS**: 7.5 (High) - Network-based DoS vector
- **Impact**: Without timeouts, a slow/malicious Slack CDN can hang the gateway indefinitely, exhausting connections and blocking threads

## Changes

| File | Change |
|------|--------|
| `src/slack/monitor/media.ts` | Add optional `timeoutMs` parameter with `AbortSignal.timeout()` to both fetch calls |
| `src/slack/monitor/media.test.ts` | Update assertions to use `expect.objectContaining()` for new signal property |

## Test Plan

- [x] `pnpm vitest run src/slack/monitor/media.test.ts` - 11 tests pass
- [x] `pnpm lint src/slack/monitor/media.ts` - No warnings/errors
- [ ] Manual: Verify timeout behavior with slow/hanging server (simulated)

## Related

Fixes #6851

---

🤖 Generated with [Claude Code](https://claude.ai/claude-code)

<h2>Greptile Overview</h2>

<h3>Greptile Summary</h3>

Adds explicit request timeouts to Slack media download flow by attaching `AbortSignal.timeout()` to both the initial authenticated request (manual redirect handling) and the follow-up CDN fetch. Tests were updated to assert fetch options via `expect.objectContaining()` to accommodate the new `signal` field. This change fits into the existing Slack media ingestion pipeline (`resolveSlackMedia` -> `fetchRemoteMedia` -> custom `fetchImpl` -> `fetchWithSlackAuth`) by ensuring outbound Slack CDN fetches don't hang indefinitely under slow/unresponsive conditions.

<h3>Confidence Score: 3/5</h3>

- This PR is likely safe to merge, but runtime compatibility depends on the minimum supported Node version for AbortSignal.timeout().
- The change is small and well-tested at the unit level, but it introduces a dependency on `AbortSignal.timeout()` existing at runtime; if the project supports older Node runtimes, this can cause a hard runtime failure.
- src/slack/monitor/media.ts (runtime compatibility / Node version support)
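The pattern the PR describes, as an added example that is not the project's code: a two-hop download (authenticated request with manual redirect handling, then an unauthenticated follow to the CDN URL) where each hop gets its own abort signal, so a slow or unresponsive remote fails after the configured budget instead of holding a connection open. The helper `fetchWithAuthAndTimeout` is a hypothetical stand-in for `fetchWithSlackAuth()`, not a copy of it; the URLs, token and canned responses are constructed, and `fetchImpl` is injected so the wrapper runs offline against a fake that honours abort signals the way undici does. The `timeoutSignal` helper also addresses the compatibility concern raised above: it uses `AbortSignal.timeout()` where the runtime has it and falls back to `AbortController` plus `setTimeout` otherwise.

```javascript
// Added example (not the PR's code): a fetch wrapper in the shape the PR
// describes, with every network round-trip bounded by an abort signal and
// a fallback for runtimes that lack AbortSignal.timeout(). Runs offline.

const DEFAULT_TIMEOUT_MS = 30_000;

// Returns a signal that aborts after `ms`. Uses AbortSignal.timeout() when the
// runtime provides it (Node >= 17.3) and AbortController + setTimeout otherwise,
// so the wrapper degrades gracefully instead of throwing "is not a function".
function timeoutSignal(ms) {
  if (typeof AbortSignal.timeout === 'function') return AbortSignal.timeout(ms);
  const controller = new AbortController();
  const reason = new Error(`request exceeded ${ms} ms`);
  reason.name = 'TimeoutError'; // same name AbortSignal.timeout() reports
  const timer = setTimeout(() => controller.abort(reason), ms);
  if (typeof timer.unref === 'function') timer.unref(); // never keep the process alive
  return controller.signal;
}

// Hypothetical stand-in for fetchWithSlackAuth(): authenticated request with
// manual redirect handling, then one unauthenticated follow to the CDN URL.
// fetchImpl is injected so the wrapper can be exercised offline with a fake.
async function fetchWithAuthAndTimeout(url, token, fetchImpl, timeoutMs = DEFAULT_TIMEOUT_MS) {
  const first = await fetchImpl(url, {
    headers: { Authorization: `Bearer ${token}` },
    redirect: 'manual',
    signal: timeoutSignal(timeoutMs), // budget for the auth round-trip
  });
  const location = first.headers.get('location');
  if (first.status >= 300 && first.status < 400 && location) {
    // The redirect target is fetched without the Authorization header and with
    // its own budget: a slow CDN cannot inherit time left over from the first hop.
    return fetchImpl(new URL(location, url).toString(), {
      redirect: 'follow',
      signal: timeoutSignal(timeoutMs),
    });
  }
  return first;
}

// Constructed fake fetch: each URL maps to a canned response that arrives after
// delayMs, unless the caller's signal aborts first (then it rejects with the
// signal's reason, mirroring undici's behaviour).
function makeFakeFetch(responsesByUrl) {
  return (url, init = {}) => new Promise((resolve, reject) => {
    const spec = responsesByUrl[url];
    if (!spec) { reject(new Error(`no fake response for ${url}`)); return; }
    const signal = init.signal;
    const fail = () => reject(signal.reason ?? Object.assign(new Error('aborted'), { name: 'AbortError' }));
    if (signal?.aborted) { fail(); return; }
    const timer = setTimeout(() => resolve({
      status: spec.status,
      headers: { get: (name) => spec.headers?.[name.toLowerCase()] ?? null },
      text: async () => spec.body ?? '',
    }), spec.delayMs ?? 0);
    signal?.addEventListener('abort', () => { clearTimeout(timer); fail(); }, { once: true });
  });
}

// Constructed URLs and token; the .invalid TLD guarantees nothing is ever contacted.
const AUTH_URL = 'https://files.example.invalid/private/file';
const CDN_URL = 'https://cdn.example.invalid/private/file?sig=constructed';
const FAKE_TOKEN = 'xoxb-constructed-token';
const redirectToCdn = { status: 302, headers: { location: CDN_URL }, delayMs: 5 };

// Runs one download and reduces the result to a short outcome string.
async function downloadOutcome(fetchImpl, timeoutMs) {
  try {
    const res = await fetchWithAuthAndTimeout(AUTH_URL, FAKE_TOKEN, fetchImpl, timeoutMs);
    return `ok:${res.status}:${await res.text()}`;
  } catch (err) {
    return err.name === 'TimeoutError' || err.name === 'AbortError' ? 'timeout' : `error:${err.message}`;
  }
}

// Three scenarios: healthy CDN, CDN that never answers, auth endpoint that never answers.
function scenarios() {
  const healthy = makeFakeFetch({ [AUTH_URL]: redirectToCdn, [CDN_URL]: { status: 200, body: 'file-bytes', delayMs: 5 } });
  const hungCdn = makeFakeFetch({ [AUTH_URL]: redirectToCdn, [CDN_URL]: { status: 200, body: 'file-bytes', delayMs: 60_000 } });
  const hungAuth = makeFakeFetch({ [AUTH_URL]: { ...redirectToCdn, delayMs: 60_000 } });
  return Promise.all([
    downloadOutcome(healthy, 200),  // 'ok:200:file-bytes'
    downloadOutcome(hungCdn, 100),  // 'timeout' after ~100 ms, not 60 s
    downloadOutcome(hungAuth, 100), // 'timeout'
  ]);
}

scenarios().then((outcomes) => console.log(outcomes));
```

Two details matter for the DoS angle. Each hop gets a fresh signal rather than sharing one, so the budget is per request and a fast auth response never extends the CDN's allowance; and the fallback timer is `unref`'d so an abandoned signal cannot itself keep the process or an event loop alive.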
