fix(workers): yt-dlp argv injection — scheme check + -- separator

The url passed to yt-dlp is user-controllable (via /api/capture). Any
string starting with '-' would be parsed as a flag (e.g.
--config-location=/etc/passwd). Mitigations:
1. Validate scheme is http(s) and hostname is present before subprocess.
2. Pass `--` to yt-dlp so it stops flag parsing before the positional
   URL.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

workers/tests/test_video.py

@@ -1,6 +1,7 @@
+import pytest
 import subprocess
 from unittest.mock import patch
-from void_workers.handlers.video import handle as handle_video
+from void_workers.handlers.video import handle as handle_video, _validate_url
 
 
 def _reset_void_schema(conn):
@@ -48,6 +49,17 @@ def test_video_creates_ref_with_transcript_and_metadata(conn):
     assert row[2] == "youtube"
 
 
+def test_validate_url_rejects_non_http():
+    with pytest.raises(ValueError):
+        _validate_url("file:///etc/passwd")
+    with pytest.raises(ValueError):
+        _validate_url("javascript:alert(1)")
+
+
+def test_validate_url_accepts_https():
+    assert _validate_url("https://youtu.be/abc") == "https://youtu.be/abc"
+
+
 def test_video_skipped_when_yt_dlp_fails(conn):
     _reset_void_schema(conn)
     _run_node_migrations()