fix(security): CORS allowlist, URL scheme guard, state perms, ZIP slip, mirror docs

Phase 3 security audit follow-up. Medium and low-severity hardenings
plus a deferred-work plan for the cross-repo stream-token rollout.

Stream server CORS: replace the wildcard Access-Control-Allow-Origin
with an allowlist that echoes back only torrentclaw.com,
app.torrentclaw.com, the local Next dev port (3030 — matches the web
repo package.json) and any extras the operator adds via the new
downloads.cors_extra_origins TOML key. A Vary: Origin header is now
emitted whenever the request carries an Origin header so an
intermediate cache cannot serve a stale ACAO to a different origin.

URL scheme guard: openBrowser and OpenPlayer refuse any URL that is
not http(s). Combined with passing the URL after "--" wherever the
launched helper supports it (open, mpv, vlc, cvlc), this stops a
leading "-" from being parsed as a switch by the spawned process.

State file permissions: WriteState now writes 0o600 so the agent ID,
PID and counters cannot be enumerated by another local user on a
shared host. Matches the existing config file mode.

ZIP slip defense-in-depth: extractZip extracts the safety check into
safeZipPath, which canonicalises the entry name (normalising
backslashes to "/"), rejects "..", "../" prefix and "/../" interior
components, and verifies the final destination stays inside destDir
before opening any file.

Mirror fallback: documented the design for multi-provider
mirrors.json hosting in the comment block on DefaultStaticFallbackURLs
and added a follow-up note about signing it with the same ed25519
release key. The list is kept at one provider until the second host
is provisioned and added to torrentclaw-web's STATIC_FALLBACKS.

Deferred work: a new plan document Docs/plans/security-stream-token.md
covers the per-task stream token (Phase 2.2 of the original audit)
which requires coordinated web + CLI work and ships separately.

internal/engine/stream_server.go

@@ -56,6 +56,12 @@ type StreamServer struct {
 	// would let any scanner enumerate active downloads. LAN and Tailscale
 	// access keep working without UPnP.
 	enableUPnP bool
+	// corsExtraOrigins are operator-configured origins added to the default
+	// allowlist defined in validate.go. Set before Listen().
+	corsExtraOrigins []string
+	// corsAllowlist is computed at Listen() time and treated as read-only
+	// thereafter so per-request reads need no locking.
+	corsAllowlist map[string]struct{}
 
 	hls *HLSSessionRegistry // HLS sessions served on /hls/<id>/...
 
@@ -86,12 +92,57 @@ func (ss *StreamServer) SetUPnPEnabled(enabled bool) {
 	ss.enableUPnP = enabled
 }
 
+// SetCORSAllowedOrigins replaces the operator-supplied extra origins. The
+// default allowlist (torrentclaw.com / app.torrentclaw.com / localhost dev
+// ports) is always merged in. Call before Listen().
+func (ss *StreamServer) SetCORSAllowedOrigins(origins []string) {
+	ss.corsExtraOrigins = origins
+}
+
+// writeCORSHeaders writes the per-origin CORS response headers when the
+// request carries an Origin header that matches the allowlist. Returns true
+// if the handler must short-circuit (preflight OPTIONS). Media-tag requests
+// (no Origin header) bypass this entirely.
+//
+// `Vary: Origin` is emitted whenever an Origin header is present (matched
+// or not) so any intermediate cache keys the response per-origin and a
+// later request with a different origin cannot be served a stale ACAO.
+func (ss *StreamServer) writeCORSHeaders(w http.ResponseWriter, r *http.Request, expose string) (preflight bool) {
+	origin := r.Header.Get("Origin")
+	if origin == "" {
+		return false
+	}
+	w.Header().Add("Vary", "Origin")
+	if _, ok := ss.corsAllowlist[origin]; !ok {
+		// Unknown origin — do not emit CORS headers so the browser blocks
+		// the response. Still return without short-circuiting so a non-CORS
+		// caller (e.g. curl) keeps working.
+		return false
+	}
+	w.Header().Set("Access-Control-Allow-Origin", origin)
+	w.Header().Set("Access-Control-Allow-Methods", "GET, HEAD, OPTIONS")
+	w.Header().Set("Access-Control-Allow-Headers", "Range")
+	if expose != "" {
+		w.Header().Set("Access-Control-Expose-Headers", expose)
+	}
+	if r.Method == http.MethodOptions {
+		w.WriteHeader(http.StatusNoContent)
+		return true
+	}
+	return false
+}
+
 // HLS returns the HLS session registry for this server. Daemon code uses it
 // to register a session when the backend asks for HLS playback.
 func (ss *StreamServer) HLS() *HLSSessionRegistry { return ss.hls }
 
 // Listen starts the HTTP server on the configured port. Call once at daemon startup.
 func (ss *StreamServer) Listen(ctx context.Context) error {
+	// Freeze the CORS allowlist before the first request can land. After
+	// this point the map is treated as read-only so handlers can probe it
+	// without locking.
+	ss.corsAllowlist = buildCORSAllowlist(ss.corsExtraOrigins)
+
 	mux := http.NewServeMux()
 	mux.HandleFunc("/stream", ss.handler)
 	mux.HandleFunc("/health", ss.healthHandler)
@@ -306,16 +357,8 @@ func (ss *StreamServer) HLSURLsJSON(sessionID string) string {
 func (ss *StreamServer) hlsHandler(w http.ResponseWriter, r *http.Request) {
 	ss.lastActivity.Store(time.Now().UnixNano())
 
-	// CORS for app.torrentclaw.com → 127.0.0.1/Tailscale daemon.
-	if origin := r.Header.Get("Origin"); origin != "" {
-		w.Header().Set("Access-Control-Allow-Origin", "*")
-		w.Header().Set("Access-Control-Allow-Methods", "GET, HEAD, OPTIONS")
-		w.Header().Set("Access-Control-Allow-Headers", "Range")
-		w.Header().Set("Access-Control-Expose-Headers", "Content-Length, Content-Range, Accept-Ranges")
-		if r.Method == http.MethodOptions {
-			w.WriteHeader(http.StatusNoContent)
-			return
-		}
+	if ss.writeCORSHeaders(w, r, "Content-Length, Content-Range, Accept-Ranges") {
+		return
 	}
 
 	rest := strings.TrimPrefix(r.URL.Path, "/hls/")
@@ -414,6 +457,9 @@ func (ss *StreamServer) serveSubtitlePlaylist(w http.ResponseWriter, r *http.Req
 //
 //	curl http://<tailscale-ip>:<port>/health
 func (ss *StreamServer) healthHandler(w http.ResponseWriter, r *http.Request) {
+	if ss.writeCORSHeaders(w, r, "") {
+		return
+	}
 	ss.mu.RLock()
 	provider := ss.provider
 	taskID := ss.taskID
@@ -470,15 +516,8 @@ func (ss *StreamServer) healthHandler(w http.ResponseWriter, r *http.Request) {
 // VLC fetches this playlist and applies the EXTVLCOPT directives automatically,
 // enabling automatic audio/subtitle track selection on all VLC platforms (desktop + mobile).
 func (ss *StreamServer) playlistHandler(w http.ResponseWriter, r *http.Request) {
-	// CORS — handle preflight before doing any work (consistent with handler)
-	if origin := r.Header.Get("Origin"); origin != "" {
-		w.Header().Set("Access-Control-Allow-Origin", "*")
-		w.Header().Set("Access-Control-Allow-Methods", "GET, HEAD, OPTIONS")
-		w.Header().Set("Access-Control-Allow-Headers", "Range")
-		if r.Method == http.MethodOptions {
-			w.WriteHeader(http.StatusNoContent)
-			return
-		}
+	if ss.writeCORSHeaders(w, r, "") {
+		return
 	}
 
 	q := r.URL.Query()
@@ -548,17 +587,8 @@ func (ss *StreamServer) handler(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	// CORS headers — only when browser sends Origin (HTTPS site → localhost)
-	if origin := r.Header.Get("Origin"); origin != "" {
-		w.Header().Set("Access-Control-Allow-Origin", "*")
-		w.Header().Set("Access-Control-Allow-Methods", "GET, HEAD, OPTIONS")
-		w.Header().Set("Access-Control-Allow-Headers", "Range")
-		w.Header().Set("Access-Control-Expose-Headers", "Content-Length, Content-Range, Accept-Ranges")
-
-		if r.Method == http.MethodOptions {
-			w.WriteHeader(http.StatusNoContent)
-			return
-		}
+	if ss.writeCORSHeaders(w, r, "Content-Length, Content-Range, Accept-Ranges") {
+		return
 	}
 
 	rawReader := provider.NewFileReader(r.Context())