fix(vidmoly): strip vidmoly.me cookies on cross-origin transit POST + add XFS fields

Upload stalled at 99% because we were sending vidmoly.me cookies to
*.vmwesa.online (transit server rejects them silently). Browsers never
send those cross-origin. Now we omit the Cookie header and match the
Origin/Referer the browser uses. Also added the full classic XFS field
set (upload_type, sess_id, srv_tmp_url, utype) in the order the
server's handler expects.
Administrator 2026-04-19 22:37:11 +02:00
parent c8aeaf1de0
commit 0405c28245


@ -141,7 +141,8 @@ class VidmolyUploader {
}
return {
uploadUrl: payload.upload_url,
params: { sess_id: payload.sess_id, utype: 'reg' },
// Classic XFS upload fields in the order the server expects.
params: { upload_type: 'file', sess_id: payload.sess_id, srv_tmp_url: '', utype: 'reg' },
fileFieldName: 'file_0'
};
}
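Review bot: The new `params` literal makes field order part of the upload protocol, but the comment does not say what keeps that order intact. Insertion order only survives if the multipart builder iterates `params` exactly as written, and that code is outside this hunk. I would widen the comment to `// Order is significant: the multipart body must emit these fields in insertion order; do not sort, merge or reorder.` Because `sess_id` is a session token that now travels in the form body, a short remark that `params` should stay out of debug logs would also help.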
@ -200,17 +201,20 @@ class VidmolyUploader {
yield epilogueBuf;
}
// Use undici.request for the upload (streaming body for progress)
// Transit server lives on a different domain (*.vmwesa.online). Browsers
// don't send vidmoly.me cookies across origins, so we don't either.
// Origin + Referer match the browser's actual upload headers.
const { body, statusCode, headers } = await request(uploadUrl, {
method: 'POST',
body: generate(),
signal,
headers: {
'User-Agent': USER_AGENT,
'Cookie': this._cookieHeader(),
'Accept': '*/*',
'Origin': BASE_URL,
'Referer': `${BASE_URL}/`,
'Content-Type': `multipart/form-data; boundary=${boundary}`,
'Content-Length': String(totalSize),
'Referer': `${BASE_URL}/upload.html`
'Content-Length': String(totalSize)
},
headersTimeout: UPLOAD_TIMEOUT,
bodyTimeout: UPLOAD_TIMEOUT
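Review bot: Dropping the `Cookie` header keeps site cookies off the transit host, but `sess_id` is still sent in the form body to `uploadUrl`, and nothing in this hunk checks where that URL points. The value comes straight from the server payload (`uploadUrl: payload.upload_url` in the first hunk), so a tampered or unexpected response would send the session token to an arbitrary host or over plain HTTP. Before the `request(...)` call I would add `const target = new URL(uploadUrl);` and `if (target.protocol !== 'https:') throw new Error('upload URL must be https');`. A hostname check against the expected transit domain would go alongside it if that set is stable. The enclosing method starts and ends outside the hunk, so an equivalent check may already exist there.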