
fix: security vulnerability in attachment downloads#154

Open
hmnd wants to merge 2 commits intoschpet:mainfrom
hmnd:push-xlqttzxxyxlq

Conversation

hmnd commented Feb 27, 2026

Currently, the CLI attempts to download any url that merely contains uploads.linear.app, doing so with an authenticated fetch(). This means a threat actor can add a url like https://myevilurl.com/uploads.linear.app somewhere in the issue in order to steal a user's credentials.

This PR explicitly checks the hostname of the url, and only passes the api token when downloading from uploads.linear.app, rather than both uploads.linear.app and public.linear.app.

I've also taken the liberty of centralizing all Linear url usage in a const.ts, rather than having them scattered around.
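
The two checks the PR description contrasts, side by side, as an added example in TypeScript (this is not code from the PR or from the CLI project). The host names `uploads.linear.app` and `public.linear.app` come from the thread; the function names, the https-only rule, and the shape of the `Authorization` header are assumptions made for the example. The hardened version parses the URL and compares the hostname exactly, so a path, query string or subdomain that merely contains the string no longer qualifies for credentials; the token is attached only for `uploads.linear.app`, and `public.linear.app` is fetched without it, matching the PR's stated behaviour.

```typescript
// Added example, not the project's own code. Host names are taken from the PR
// thread; function names and the header format are assumptions.
const LINEAR_UPLOADS_HOST = "uploads.linear.app";
const LINEAR_PUBLIC_HOST = "public.linear.app";

// Pre-fix behaviour described in the PR: a plain substring test, so any URL whose
// text contains the host string is treated as a Linear upload.
function looksLikeLinearUploadVulnerable(url: string): boolean {
  return url.includes(LINEAR_UPLOADS_HOST);
}

// Hardened check: parse with the WHATWG URL parser (which lowercases and
// normalises the hostname) and compare the hostname exactly. Unparseable input
// and non-https schemes never qualify, so the token cannot be sent in the clear.
function isLinearUploadUrl(url: string): boolean {
  let parsed: URL;
  try {
    parsed = new URL(url);
  } catch {
    return false;
  }
  return parsed.protocol === "https:" && parsed.hostname === LINEAR_UPLOADS_HOST;
}

// Same exact-hostname rule for the public host, which needs no credentials.
function isLinearPublicUrl(url: string): boolean {
  try {
    const parsed = new URL(url);
    return parsed.protocol === "https:" && parsed.hostname === LINEAR_PUBLIC_HOST;
  } catch {
    return false;
  }
}

// Headers to pass to fetch(): the API token is attached only for the uploads
// host. Everything else (public.linear.app included) gets an empty header set.
// (Header name/format is an assumption for the example.)
function authHeadersFor(url: string, apiToken: string): Record<string, string> {
  return isLinearUploadUrl(url) ? { Authorization: apiToken } : {};
}

// Audit helper: shows, for each URL, whether the old substring test and the new
// hostname test agree. Rows where they differ are exactly the credential leaks
// the PR closes.
function compareChecks(urls: string[]) {
  return urls.map((url) => ({
    url,
    substringMatch: looksLikeLinearUploadVulnerable(url),
    hostnameMatch: isLinearUploadUrl(url),
  }));
}

// Constructed sample inputs (not real attachments): a genuine upload, the public
// host, and look-alikes that only contain the host string.
const SAMPLE_URLS = [
  "https://uploads.linear.app/abc123/file.png",
  "https://public.linear.app/abc123/file.png",
  "https://myevilurl.com/uploads.linear.app",
  "https://example.test/?next=uploads.linear.app",
  "https://uploads.linear.app.example.test/file.png",
  "not a url at all",
];

for (const row of compareChecks(SAMPLE_URLS)) {
  console.log(row);
}
```

Running the block prints one row per sample URL; only the first row has `hostnameMatch: true`, while three of the look-alikes pass the old substring test. Whether to fetch from non-Linear hosts at all, which the thread leaves for a later change, is a separate decision from whether to send the token; the example only gates the token.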

schpet (Owner) commented Feb 27, 2026

@hmnd thanks! Can you confirm this works with both images and attachments? Forget if they are on the same endpoint or not. I also sometimes upload stuff to my own domains, wonder if I should support that at all... via flag or config perhaps. Mostly thinking out loud here. I'll do a proper review at some point, likely next week.

hmnd (Author) commented Feb 27, 2026

@schpet yes, works for both! Your note on other domains brings up a gap though... In this change, I've only hardened against including credentials in non-Linear domain fetches, but it doesn't stop fetching image urls from non-Linear hosts. I figured that would likely be best for a separate PR once the UX is figured out.
