fix(tlon): guard memex upload target (#69794)

* fix(tlon): guard memex upload target

* fix(tlon): harden guarded memex upload

* fix(tlon): validate hosted memex upload targets

* fix(tlon): tighten hosted domain matching

* fix(tlon): reject non-standard memex upload ports

* fix(tlon): disable memex upload redirects

* test(tlon): drop redundant mock resets in memex upload test

* chore(lint): update tlon raw-fetch allowlist for guarded memex upload

* fix(tlon): reject unparseable ship URLs in hosted-ship classifier

* fix(lint): point tlon raw-fetch allowlist at fetch callee lines

* fix(tlon): guard custom-S3 upload through fetchWithSsrFGuard

* fix(tlon): preserve scheme-less hosted ship routing and allow explicit :443

* docs(changelog): note tlon upload guard

* fix(tlon): guard memex lookup and private s3 opt-in

* fix(tlon): validate upload result URLs
Devin Robison
2026-04-21 15:57:49 -06:00
committed by GitHub
parent 74668ea8a1
commit ee316dbc4b
4 changed files with 731 additions and 48 deletions


@@ -62,9 +62,6 @@ const allowedRawFetchCallsites = new Set([
bundledPluginCallsite("slack", "src/monitor/media.ts", 99),
bundledPluginCallsite("slack", "src/monitor/media.ts", 118),
bundledPluginCallsite("slack", "src/monitor/media.ts", 123),
bundledPluginCallsite("tlon", "src/tlon-api.ts", 185),
bundledPluginCallsite("tlon", "src/tlon-api.ts", 235),
bundledPluginCallsite("tlon", "src/tlon-api.ts", 289),
bundledPluginCallsite("venice", "models.ts", 552),
bundledPluginCallsite("vercel-ai-gateway", "models.ts", 181),
bundledPluginCallsite("voice-call", "src/providers/twilio/api.ts", 23),