Codex flagged: the --paginate loop rebuilt the next request from the raw
`Link: rel="next"` URL and reattached the bearer token without checking
that the next URL was on the same host. Forgejo emits same-origin next-
links in practice, but a buggy or malicious upstream could redirect us
to a foreign host, at which point the token would leak.
Now the loop:
- url.Parse the Link target.
- Resolve relative URLs against the original base (https://<host>/api/v1).
- Refuse to proceed if the resolved URL's scheme isn't https or its host
doesn't match `host.Hostname`. The error names both the foreign URL
and the expected origin so the user can tell why pagination stopped.
Verified: same-origin pagination still works (`--paginate` against
forgejo.zerova.net commits returns 44 across 22 pages).
155ddb97ba