fix: make safe_url_for_log public, add SSRF redirect guards to base.py cache helpers

Follow-up to Dusk1e's PR #7120 (Slack send_image redirect guard):
- Rename _safe_url_for_log -> safe_url_for_log (drop underscore) since
  it is now imported cross-module by the Slack adapter
- Add _ssrf_redirect_guard httpx event hook to cache_image_from_url()
  and cache_audio_from_url() in base.py — same pattern as vision_tools
  and the Slack adapter fix
- Update url_safety.py docstring to reflect broader coverage
- Add regression tests for image/audio redirect blocking + safe passthrough
Teknium 2026-04-10 05:02:17 -07:00 committed by Teknium
parent 714809634f
commit 7663c98c1e
5 changed files with 173 additions and 19 deletions


@ -10,9 +10,10 @@ Limitations (documented, not fixable at pre-flight level):
can return a public IP for the check, then a private IP for the actual
connection. Fixing this requires connection-level validation (e.g.
Python's Champion library or an egress proxy like Stripe's Smokescreen).
- Redirect-based bypass in vision_tools is mitigated by an httpx event
hook that re-validates each redirect target. Web tools use third-party
SDKs (Firecrawl/Tavily) where redirect handling is on their servers.
- Redirect-based bypass is mitigated by httpx event hooks that re-validate
each redirect target in vision_tools, gateway platform adapters, and
media cache helpers. Web tools use third-party SDKs (Firecrawl/Tavily)
where redirect handling is on their servers.
"""
import ipaddress
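Review bot: the replacement lines at the end of this hunk widen the coverage statement to "gateway platform adapters" (plural) and "media cache helpers", while the commit message only describes the hook in the Slack adapter (PR #7120) and in cache_image_from_url()/cache_audio_from_url() in base.py; either name Slack explicitly or confirm that every platform adapter installs the hook before the docstring claims it, since this paragraph is what readers will take as the authoritative coverage list. It would also help to name the hook (`_ssrf_redirect_guard`) in the docstring so the text points at the code it describes. Finally, the DNS-rebinding limitation in the preceding context lines still applies to redirect targets: the event hook re-validates each redirect URL at pre-flight level, not the address the connection actually uses, so the "not fixable at pre-flight level" caveat should be read as covering redirects too.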