feat: add security features#30

Merged: babeuloula merged 1 commit into main from feat/security-checks on Apr 8, 2026
Conversation

@babeuloula (Owner) commented Apr 8, 2026

Breaking Changes

PHP API changes

Storage::setDecoder() removed

The setDecoder(UriDecoder $decoder): self method has been removed.
The domain was previously injected via this mutable setter; it is now passed explicitly as a parameter to fetchImage().

Before:

$storage->setDecoder($decoder);
$storage->fetchImage($decoder->getImageUrl());

After:

$storage->fetchImage($decoder->getImageUrl(), $decoder->getDomain());

Storage::fetchImage() signature changed

The $domain parameter has been added as the second positional argument.
The $force parameter is now third (was second).

Before:

public function fetchImage(string $imageUrl, bool $force = false): string

After:

public function fetchImage(string $imageUrl, string $domain, bool $force = false): string

UrlFilesystemAdapter constructor changed

The constructor no longer accepts Symfony\Component\Filesystem\Filesystem.
It now requires BaBeuloula\CdnPhp\Http\HttpFetcher.

Before:

new UrlFilesystemAdapter(new SymfonyFilesystem());

After:

new UrlFilesystemAdapter(new HttpFetcher(timeout: 10, maxBytes: 52428800));

Behavioral changes

HTTP redirects disabled by default

file_get_contents previously followed HTTP redirects unconditionally, which was an SSRF
vector (a redirect from an allowed domain could reach internal services).
Redirects are now disabled by default.

Migration: if your image origins serve content via HTTP redirects, set:

FETCH_ALLOW_REDIRECTS=1

Security note: enabling redirects means the destination URL is not re-validated
against ALLOWED_DOMAINS. Only enable this if you fully trust all origins.


Watermark URLs validated against ALLOWED_DOMAINS

A request with wu=https://external-domain.com/wm.jpg where external-domain.com is not
in ALLOWED_DOMAINS now returns HTTP 403 instead of processing the watermark.

Migration: add any watermark domain you intend to use to ALLOWED_DOMAINS.


Image dimensions clamped at 5 000 px

w and h values above 5000 are silently clamped to 5000.
Previously, arbitrarily large dimensions were honored, which could cause excessive
memory and CPU usage.

Migration: no action required unless your clients intentionally request dimensions
above 5 000 px.


Malformed DOMAINS_ALIASES entries now throw at boot

An entry that does not follow the alias=domain format (missing =) previously caused
silent undefined behavior. It now throws \InvalidArgumentException at container boot,
preventing the application from starting with a misconfigured alias list.

Migration: review your DOMAINS_ALIASES value and ensure every entry uses the
alias=domain format.


New environment variables

The following variables are new. They all have safe defaults and will not cause a hard
failure if absent, but they change runtime behavior:

| Variable | Default | Description |
|---|---|---|
| FETCH_TIMEOUT | 10 | HTTP request timeout in seconds |
| FETCH_MAX_SIZE | 52428800 | Maximum response size in bytes (50 MB) |
| FETCH_ALLOW_REDIRECTS | 0 | Set to 1 to follow HTTP redirects |
| FORCE_TOKEN | (empty) | Secret token required for ?force=true; empty = no protection |

Add them to your .env or SSM Parameter Store as needed.
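The behavioral changes above describe three fetch-side limits: a request timeout, a response size cap, and redirects disabled unless FETCH_ALLOW_REDIRECTS=1. The following is an added example of a curl-based fetcher that applies all three; it is not the project's BaBeuloula\CdnPhp\Http\HttpFetcher. Only the constructor parameters (timeout, maxBytes) and the environment variable names and defaults come from the PR; the class name SafeHttpFetcher, the curl implementation, the 3-hop cap when redirects are enabled, and treating a 3xx answer as a hard failure are assumptions of this example.

```php
<?php
declare(strict_types=1);

// Added example, not the project's HttpFetcher: a curl-based fetcher that applies
// the three limits described in this PR (FETCH_TIMEOUT, FETCH_MAX_SIZE,
// FETCH_ALLOW_REDIRECTS). Class name and internals are assumptions.
final class SafeHttpFetcher
{
    public function __construct(
        private int $timeout = 10,
        private int $maxBytes = 52428800,
        private bool $allowRedirects = false,
    ) {
    }

    // Build from the environment variables listed in the PR, using its defaults.
    public static function fromEnv(): self
    {
        return new self(
            timeout: (int) (getenv('FETCH_TIMEOUT') ?: 10),
            maxBytes: (int) (getenv('FETCH_MAX_SIZE') ?: 52428800),
            allowRedirects: getenv('FETCH_ALLOW_REDIRECTS') === '1',
        );
    }

    /** @throws RuntimeException on timeout, oversize body, refused redirect or non-200 */
    public function fetch(string $url): string
    {
        $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
        if (!in_array($scheme, ['http', 'https'], true)) {
            throw new RuntimeException("Unsupported URL scheme: '{$scheme}'");
        }

        $body = '';
        $received = 0;
        $limit = $this->maxBytes;

        $ch = curl_init($url);
        curl_setopt_array($ch, [
            // Redirects are off unless explicitly enabled, so an allowed origin cannot
            // bounce the fetch to a destination that was never checked.
            CURLOPT_FOLLOWLOCATION  => $this->allowRedirects,
            CURLOPT_MAXREDIRS       => $this->allowRedirects ? 3 : 0,
            CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
            CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
            CURLOPT_CONNECTTIMEOUT  => $this->timeout,
            CURLOPT_TIMEOUT         => $this->timeout,
            // Stream the body through a callback so the size cap is enforced while
            // downloading; returning fewer bytes than offered makes curl abort.
            CURLOPT_WRITEFUNCTION   => function ($handle, string $chunk) use (&$body, &$received, $limit): int {
                $received += strlen($chunk);
                if ($received > $limit) {
                    return 0;
                }
                $body .= $chunk;
                return strlen($chunk);
            },
        ]);

        $ok = curl_exec($ch);
        $error = curl_error($ch);
        $status = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
        curl_close($ch);

        if ($received > $limit) {
            throw new RuntimeException("Response from {$url} exceeds {$limit} bytes");
        }
        if ($ok === false) {
            throw new RuntimeException("Fetch of {$url} failed: {$error}");
        }
        // With redirects disabled, a 3xx answer is a hard failure rather than a silent hop.
        if ($status >= 300 && $status < 400) {
            throw new RuntimeException("Origin answered HTTP {$status}; FETCH_ALLOW_REDIRECTS=1 is only appropriate for fully trusted origins");
        }
        if ($status !== 200) {
            throw new RuntimeException("Origin answered HTTP {$status} for {$url}");
        }
        return $body;
    }
}

// Usage, mirroring the constructor call shown in this PR (URL is constructed):
$fetcher = new SafeHttpFetcher(timeout: 10, maxBytes: 52428800);
// $bytes = $fetcher->fetch('https://cdn.example.org/image.jpg');
```

The size cap is enforced in the write callback rather than by checking Content-Length, because an origin can omit or understate that header; aborting mid-transfer is the only limit that holds regardless of what the origin claims.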

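The request-side changes in this PR (watermark hosts checked against ALLOWED_DOMAINS, malformed DOMAINS_ALIASES entries rejected at boot, dimensions clamped at 5000 px, and FORCE_TOKEN gating ?force=true) fit naturally in one policy object. The following is an added example, not the project's own code: the class name RequestPolicy, the comma separator assumed for ALLOWED_DOMAINS and DOMAINS_ALIASES, and the method names are assumptions; the alias=domain format, the 5000 px clamp, the 403 outcome for an off-list watermark host, and the "empty token = no protection" rule come from the PR.

```php
<?php
declare(strict_types=1);

// Added example, not the project's own classes. Separator for ALLOWED_DOMAINS and
// DOMAINS_ALIASES (comma) is an assumption of this example.
final class RequestPolicy
{
    public const MAX_DIMENSION = 5000; // w/h above this are clamped, as in the PR

    /** @var list<string> */
    private array $allowedDomains;
    /** @var array<string,string> alias => canonical domain */
    private array $aliases;

    public function __construct(string $allowedDomains, string $domainAliases, private string $forceToken = '')
    {
        $this->allowedDomains = array_values(array_filter(array_map(
            fn (string $d): string => strtolower(trim($d)),
            explode(',', $allowedDomains)
        )));
        // Parsing happens here so a bad alias list fails at container boot.
        $this->aliases = self::parseAliases($domainAliases);
    }

    /**
     * Every entry must be alias=domain; anything else throws instead of being
     * silently mis-parsed at request time.
     * @return array<string,string>
     */
    public static function parseAliases(string $raw): array
    {
        $map = [];
        foreach (explode(',', $raw) as $entry) {
            $entry = trim($entry);
            if ($entry === '') {
                continue;
            }
            $parts = array_map('trim', explode('=', $entry, 2));
            if (count($parts) !== 2 || $parts[0] === '' || $parts[1] === '') {
                throw new \InvalidArgumentException(
                    sprintf('Malformed DOMAINS_ALIASES entry "%s": expected alias=domain', $entry)
                );
            }
            $map[strtolower($parts[0])] = strtolower($parts[1]);
        }
        return $map;
    }

    /** Resolve an alias (if any) and check the result against ALLOWED_DOMAINS; null = not allowed. */
    public function resolveDomain(string $domainOrAlias): ?string
    {
        $domain = strtolower($domainOrAlias);
        $domain = $this->aliases[$domain] ?? $domain;
        return in_array($domain, $this->allowedDomains, true) ? $domain : null;
    }

    /**
     * The watermark URL (wu=) must point at an allowed host. Returns null when the
     * request should be answered with HTTP 403.
     */
    public function validateWatermarkUrl(string $wu): ?string
    {
        $parts = parse_url($wu);
        if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
            return null;
        }
        if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
            return null;
        }
        // Compare the parsed host exactly rather than matching a prefix of the raw
        // string, so only the authority that will actually be contacted is checked.
        return $this->resolveDomain($parts['host']) === null ? null : $wu;
    }

    public static function clampDimension(int $value): int
    {
        return min($value, self::MAX_DIMENSION);
    }

    /** FORCE_TOKEN: empty means no protection; otherwise a constant-time comparison. */
    public function isForceAllowed(?string $presented): bool
    {
        if ($this->forceToken === '') {
            return true;
        }
        return $presented !== null && hash_equals($this->forceToken, $presented);
    }
}

// Usage with constructed configuration values:
$policy = new RequestPolicy(
    allowedDomains: 'cdn.example.org,images.example.org',
    domainAliases: 'img=images.example.org',
    forceToken: 'replace-with-a-real-secret',
);
$policy->resolveDomain('img');
$policy->validateWatermarkUrl('https://external-domain.com/wm.jpg');
RequestPolicy::clampDimension(12000);
$policy->isForceAllowed('wrong-token');
// new RequestPolicy('cdn.example.org', 'entry-without-equals') throws InvalidArgumentException.
```

hash_equals is used for the force token so that comparison time does not depend on how many leading characters match; a plain === comparison would leak that.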
@babeuloula babeuloula self-assigned this Apr 8, 2026
@babeuloula babeuloula added the enhancement New feature or request label Apr 8, 2026
@babeuloula babeuloula force-pushed the feat/security-checks branch from bcc091f to 8d65861 on April 8, 2026 21:36
@babeuloula babeuloula merged commit 2172b34 into main Apr 8, 2026
7 checks passed
@babeuloula babeuloula deleted the feat/security-checks branch April 8, 2026 21:42