
fix(security): restrict MEDIA file paths to cache dirs #10026

Closed. AntAISecurityLab wants to merge 1 commit into NousResearch:main from AntAISecurityLab:fix/media-path-traversal

Conversation

@AntAISecurityLab (Contributor)

What does this PR do?

Fix path traversal vulnerability (CWE-22, HIGH) in MEDIA tag file handling.

extract_media() in BasePlatformAdapter accepted any absolute path from LLM output
without validation. An attacker who can influence LLM output (e.g. via prompt injection)
could craft MEDIA: tags pointing to arbitrary files (e.g. /etc/passwd, ~/.hermes/.env),
causing the gateway to read and send those files through the messaging platform.

This PR adds path validation at the media dispatch points, restricting file access
to known cache directories only.

Related Issue

N/A

Type of Change

  • 🔒 Security fix

Changes Made

  • Added _is_allowed_media_path() in gateway/platforms/base.py — resolves symlinks
    via os.path.realpath() and checks the resolved path is under a known cache root
    (IMAGE_CACHE_DIR, AUDIO_CACHE_DIR, DOCUMENT_CACHE_DIR, browser screenshots dir)
  • Added path validation at the two media dispatch points in BasePlatformAdapter
    before files are sent. Blocked paths are logged and skipped.

How to Test

  1. pytest tests/ -q — all existing tests pass
  2. Verify media sending still works for files in cache directories
  3. Verify paths outside cache dirs are blocked (logged as warning, not sent)
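
The containment check described under Changes Made, as an added illustration that is not the PR's code: the names `is_allowed_media_path`, `naive_prefix_check` and `run_scenarios` and the temporary directory layout are constructed for this example. It resolves symlinks with `os.path.realpath()` and compares whole path components, and contrasts that with a raw string-prefix check that passes the traversal and symlink cases the PR blocks.

```python
import os
import tempfile


def is_allowed_media_path(path: str, allowed_roots) -> bool:
    """True only if `path` resolves (symlinks included) to a location inside
    one of `allowed_roots`. Hypothetical stand-in for the PR's
    _is_allowed_media_path(); not the project's code."""
    real = os.path.realpath(os.path.expanduser(path))
    for root in allowed_roots:
        real_root = os.path.realpath(root)
        try:
            # commonpath compares whole components, so /cache_other is not
            # mistaken for a child of /cache the way str.startswith would.
            if os.path.commonpath([real_root, real]) == real_root:
                return True
        except ValueError:  # e.g. different drives on Windows
            continue
    return False


def naive_prefix_check(path: str, allowed_roots) -> bool:
    """The weak form for contrast: string prefix on the unresolved path."""
    return any(path.startswith(root) for root in allowed_roots)


def run_scenarios() -> dict:
    """Constructed temp layout probing the cases the PR describes: traversal,
    a symlink inside the cache pointing outside it, and a sibling directory
    whose name merely shares the cache dir's prefix."""
    base = tempfile.mkdtemp()
    cache = os.path.join(base, "image_cache")
    sibling = os.path.join(base, "image_cache_other")
    outside = os.path.join(base, "secrets.env")  # constructed "sensitive" file
    os.makedirs(cache)
    os.makedirs(sibling)
    for f in (os.path.join(cache, "ok.png"), os.path.join(sibling, "x.png"), outside):
        open(f, "w").close()
    link = os.path.join(cache, "link.png")
    os.symlink(outside, link)  # lives under the cache, resolves outside it
    traversal = os.path.join(cache, "..", "secrets.env")
    roots = [cache]
    return {
        "legit": is_allowed_media_path(os.path.join(cache, "ok.png"), roots),
        "traversal": is_allowed_media_path(traversal, roots),
        "symlink": is_allowed_media_path(link, roots),
        "prefix_collision": is_allowed_media_path(os.path.join(sibling, "x.png"), roots),
        "naive_traversal": naive_prefix_check(traversal, roots),
        "naive_symlink": naive_prefix_check(link, roots),
    }
```

Only `legit` is accepted by the resolved check, while the naive prefix check accepts both the `..` traversal and the symlink because their unresolved strings start with the cache directory.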

…ories

Restrict media file sending to paths that resolve (after symlink
resolution) to a known cache directory, preventing arbitrary file
read via crafted MEDIA: tags in LLM output.
@alt-glitch added the labels type/security (Security vulnerability or hardening), P1 (High — major feature broken, no workaround), comp/gateway (Gateway runner, session dispatch, delivery) and duplicate (This issue or pull request already exists) on Apr 26, 2026
@alt-glitch (Collaborator)

Likely duplicate of #12850 — same root cause: extract_local_files()/extract_media() allows arbitrary host file read via prompt injection with no path boundary check.

@teknium1 (Contributor)

Superseded by PR #30432 (merged 41d2c75, credit @egilewski). The merged fix covers all MEDIA delivery sites (not just extract_media in one adapter), resolves symlinks before containment checks, and ships with regression coverage across cron, gateway, weixin, send_message, and yuanbao. Thanks for catching this class early — the four parallel PRs on this issue were what told us this was a real defense gap worth landing.

@teknium1 teknium1 closed this May 23, 2026