fix(mattermost): add SSRF policy for media downloads

Allow fetching attachments from the Mattermost server host, which may
be localhost or a private IP. Without this, SSRF guards block inbound
media downloads silently.

Credit: @webclerk (#22594) for identifying this gap.

extensions/mattermost/src/mattermost/monitor.ts

@@ -674,6 +674,10 @@ export async function monitorMattermostProvider(opts: MonitorMattermostOpts = {}
           },
           filePathHint: fileId,
           maxBytes: mediaMaxBytes,
+          // Allow fetching from the Mattermost server host (may be localhost or
+          // a private IP). Without this, SSRF guards block media downloads.
+          // Credit: #22594 (@webclerk)
+          ssrfPolicy: { allowedHostnames: [new URL(client.baseUrl).hostname] },
         });
         const saved = await core.channel.media.saveMediaBuffer(
           fetched.buffer,