fix(Sora): 加固直连安全与下载限制

补充图片输入 SSRF 防护与重定向限制\n增加媒体下载超时/大小上限配置并更新示例\n完善 recent_tasks 轮询回退策略与相关测试\n\n测试: go test ./... -tags=unit

backend/internal/service/sora_client_test.go

@@ -52,3 +52,36 @@ func TestSoraDirectClient_BuildBaseHeaders(t *testing.T) {
 	require.Equal(t, "yes", headers.Get("X-Test"))
 	require.Empty(t, headers.Get("openai-sentinel-token"))
 }
+
+func TestSoraDirectClient_GetImageTaskFallbackLimit(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		limit := r.URL.Query().Get("limit")
+		w.Header().Set("Content-Type", "application/json")
+		switch limit {
+		case "1":
+			_, _ = w.Write([]byte(`{"task_responses":[]}`))
+		case "2":
+			_, _ = w.Write([]byte(`{"task_responses":[{"id":"task-1","status":"completed","progress_pct":1,"generations":[{"url":"https://example.com/a.png"}]}]}`))
+		default:
+			_, _ = w.Write([]byte(`{"task_responses":[]}`))
+		}
+	}))
+	defer server.Close()
+
+	cfg := &config.Config{
+		Sora: config.SoraConfig{
+			Client: config.SoraClientConfig{
+				BaseURL:            server.URL,
+				RecentTaskLimit:    1,
+				RecentTaskLimitMax: 2,
+			},
+		},
+	}
+	client := NewSoraDirectClient(cfg, nil, nil)
+	account := &Account{Credentials: map[string]any{"access_token": "token"}}
+
+	status, err := client.GetImageTask(context.Background(), account, "task-1")
+	require.NoError(t, err)
+	require.Equal(t, "completed", status.Status)
+	require.Equal(t, []string{"https://example.com/a.png"}, status.URLs)
+}