js · @papra/webhooks
Heads-up
@papra/webhooks SSRF Protection Bypass via Redirect Following
What changed
The webhook delivery HTTP client follows redirects without validating the redirect target against the blocklist, enabling authenticated org members to reach internal addresses.
Who it affects
All Papra instances with authenticated organization members (no admin role required).
What to do today
Apply the fix by adding `redirect: 'manual'` to the `ofetch.raw()` call in `packages/webhooks/src/webhooks.services.ts` and treating 3xx responses as delivery failures.
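As an added illustration, not Papra's code and not the `ofetch.raw()` call in `webhooks.services.ts`, the stand-alone JavaScript below shows the pattern the fix describes: check the webhook target against a blocklist, send the request with the standard Fetch option `redirect: 'manual'` so that a 3xx response is returned to the caller instead of being followed, and treat any 3xx as a failed delivery. The blocklist, the sample URLs and the fake `fetch` are constructed for this example; `ofetch` accepts Fetch `RequestInit` options, which is why the same option name appears in the advisory.

```javascript
// Added example (not Papra's code): webhook delivery that refuses to follow redirects.
// The blocklist below is deliberately small; it exists to show where the target
// check sits relative to the request, not to be a complete SSRF filter.

// Hostnames that are always refused as webhook targets (constructed for the example).
const BLOCKED_HOSTNAMES = new Set(['localhost', '0.0.0.0', '[::1]', '[::]']);

// True for loopback, link-local and RFC 1918 IPv4 literals.
function isPrivateIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return (
    a === 0 ||                           // 0.0.0.0/8
    a === 10 ||                          // 10.0.0.0/8
    a === 127 ||                         // 127.0.0.0/8 loopback
    (a === 169 && b === 254) ||          // 169.254.0.0/16 link-local
    (a === 172 && b >= 16 && b <= 31) || // 172.16.0.0/12
    (a === 192 && b === 168)             // 192.168.0.0/16
  );
}

// The pre-request check: reject unparsable URLs, non-HTTP schemes and blocklisted hosts.
function isBlockedTarget(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return true;
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return true;
  const host = url.hostname.toLowerCase();
  return BLOCKED_HOSTNAMES.has(host) || isPrivateIPv4(host);
}

// Delivery outcome for a status code when redirects are NOT followed.
// Every 3xx is a failure: following it would contact a Location that never
// went through isBlockedTarget, which is exactly the bypass in the advisory.
function classifyDelivery(status) {
  if (status >= 200 && status < 300) return 'delivered';
  if (status >= 300 && status < 400) return 'failed:redirect-refused';
  return 'failed:http-' + status;
}

// fetchImpl is injected so the function can run without network access.
// In Node, fetch with redirect: 'manual' resolves to the 3xx response itself.
async function deliverWebhook(urlString, payload, fetchImpl = globalThis.fetch) {
  if (isBlockedTarget(urlString)) {
    return { ok: false, reason: 'blocked-target', location: null };
  }
  const res = await fetchImpl(urlString, {
    method: 'POST',
    redirect: 'manual', // return the 3xx to us; never fetch its Location
    headers: { 'content-type': 'application/json' },
    body: JSON.stringify(payload),
  });
  const outcome = classifyDelivery(res.status);
  return {
    ok: outcome === 'delivered',
    reason: outcome,
    // Recorded for the audit log only; it is never requested.
    location: res.headers.get('location'),
  };
}

// Constructed fake: an allowed-looking endpoint that answers with a redirect
// to an internal address. A redirect-following client would fetch it.
function fakeRedirectingFetch(_url, _init) {
  return Promise.resolve({
    status: 302,
    headers: new Headers({ location: 'http://127.0.0.1/internal' }),
  });
}

// Stand-alone demo.
deliverWebhook('https://hooks.example.com/endpoint', { event: 'document.created' }, fakeRedirectingFetch)
  .then((result) => console.log(result));
```

The target check runs on the hostname the organization member supplied and does not resolve DNS, so a public name that resolves to an internal address is outside what this example catches; the part that closes the gap described in the advisory is that the redirect's `Location` is logged but never requested.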