
#16990: fix(media): strip auth headers on cross-origin redirect in downloadToFile

by AI-Reviewer-QS, open, 2026-02-15 09:16
channel: telegram stale size: S
## Summary

- **Security fix**: `downloadToFile` in `src/media/store.ts` forwarded all headers (including `Authorization`, `Cookie`) unchanged when following HTTP redirects to a different origin. An attacker controlling a media URL could redirect to their server and capture leaked credentials.
- Strip `Authorization`, `Cookie`, and `Set-Cookie` headers when the redirect target has a different origin than the original request. Same-origin redirects preserve all headers.
- Follows the same pattern already used by the Slack media handler (`src/slack/monitor/media.ts`), which drops auth on redirect.

## Test plan

- Added test: cross-origin redirect strips `Authorization` but keeps `User-Agent`
- Added test: same-origin redirect preserves `Authorization`
- All existing redirect tests continue to pass (`npx vitest run src/media/store.redirect.test.ts` — 4/4 passing)

### Greptile Summary

Security fix that strips sensitive headers (`Authorization`, `Cookie`, `Set-Cookie`) from HTTP requests when `downloadToFile` follows a redirect to a different origin, preventing credential leakage to attacker-controlled servers.

- Adds origin comparison logic in `src/media/store.ts` to detect cross-origin redirects and filter sensitive headers before the recursive `downloadToFile` call
- Same-origin redirects continue to preserve all headers
- Follows the same defensive pattern already used by the Slack media handler (`src/slack/monitor/media.ts`), which drops auth on redirect
- SSRF protection via `resolvePinnedHostname` is correctly applied to redirect targets since the recursive call goes through the full `downloadToFile` flow
- Two new tests cover the cross-origin stripping and same-origin preservation cases

### Confidence Score: 5/5

- This PR is safe to merge — it's a well-scoped security hardening with correct logic and good test coverage.
- The change is minimal and surgical: 13 lines of production code that add a header-stripping guard on cross-origin redirects. The origin comparison uses the standard URL.origin API correctly. The case-insensitive header matching covers the relevant sensitive headers. The recursive nature of downloadToFile ensures multi-hop redirects remain protected. Two targeted tests verify both the cross-origin and same-origin paths. Existing tests continue to pass. No regressions are possible for the no-headers case since the guard short-circuits when headers is undefined.
- No files require special attention.

<sub>Last reviewed commit: bb4a0b6</sub>
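The redirect behaviour described above, as an added example that is not the project's code: a small recursive redirect follower with the same header-stripping guard, run over a constructed three-hop chain (trusted origin, attacker-controlled origin, back to the trusted origin) so the headers reaching each hop can be inspected. `headersForRedirect`, `followRedirects`, `fakeServer` and the `.example` hosts are assumptions; the real `downloadToFile` and its `resolvePinnedHostname` SSRF check are not reproduced here.

```typescript
type HeaderMap = Record<string, string>;
type Hop = { status: number; location?: string };
// Constructed stand-in for an HTTP client: returns status and Location for a URL.
type Client = (url: string, headers?: HeaderMap) => Hop;
type TraceEntry = { url: string; headers?: HeaderMap };

// Request headers that must not cross an origin boundary (matched case-insensitively).
const SENSITIVE = new Set(["authorization", "cookie", "set-cookie"]);

// Headers to send to the redirect target: unchanged on same-origin, filtered otherwise.
function headersForRedirect(from: string, to: string, headers?: HeaderMap): HeaderMap | undefined {
  if (!headers) return undefined; // no headers, nothing to strip
  if (new URL(from).origin === new URL(to).origin) return headers;
  const kept: HeaderMap = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!SENSITIVE.has(name.toLowerCase())) kept[name] = value;
  }
  return kept;
}

// Follows redirects recursively, like the downloader in the PR, and records the
// headers handed to each hop so a leak (or its absence) is visible.
function followRedirects(url: string, headers: HeaderMap | undefined, client: Client,
                         trace: TraceEntry[] = [], maxHops = 5): TraceEntry[] {
  trace.push({ url, headers });
  const res = client(url, headers);
  if (res.status >= 300 && res.status < 400 && res.location) {
    if (trace.length > maxHops) throw new Error("too many redirects");
    const next = new URL(res.location, url).toString(); // resolve a relative Location
    return followRedirects(next, headersForRedirect(url, next, headers), client, trace, maxHops);
  }
  return trace;
}

// Constructed chain: trusted origin -> attacker-controlled origin -> back to trusted origin.
const fakeServer: Record<string, Hop> = {
  "https://media.example/file": { status: 302, location: "https://evil.example/grab" },
  "https://evil.example/grab": { status: 302, location: "https://media.example/file2" },
  "https://media.example/file2": { status: 200 },
};
const fakeClient: Client = (url) => fakeServer[url] ?? { status: 404 };

function demo(): TraceEntry[] {
  return followRedirects("https://media.example/file",
    { Authorization: "Bearer secret", "User-Agent": "bot/1.0" }, fakeClient);
}
```

Note that once the credential has been dropped at the cross-origin hop it is not reinstated when the chain returns to the original origin, which is the conservative outcome of passing the filtered headers into the recursive call.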
