
fix: suppress URL launch on drag-select and add scheme confirmation#814

Open
marshallhumble wants to merge 1 commit into
pop-os:masterfrom
marshallhumble:fix/url-scheme-confirmation
Open

fix: suppress URL launch on drag-select and add scheme confirmation#814
marshallhumble wants to merge 1 commit into
pop-os:masterfrom
marshallhumble:fix/url-scheme-confirmation

Conversation

@marshallhumble
Contributor

Store press_point in Dragging::Buffer; suppress on_open_hyperlink if cursor moved more than 4px between press and release. Fixes #516.

Add launch_url_scheme_is_safe() with RFC 3986 scheme validation and an allowlist. Unusual schemes (ssh://, git://, file:, etc.) show a confirmation dialog with the full URI.

  • I have disclosed use of any AI generated code in my commit messages.
    • If you are using an LLM, and do not fully understand the changes it is making to the code base, do not create a PR.
    • In our experience, AI generated code often results in overly complex code that lacks enough context for a proper fix or feature inclusion. This results in considerably longer code reviews. Due to this, AI authored or partially authored PRs may be closed without comment.
  • I understand these changes in full and will be able to respond to review comments.
  • My change is accurately described in the commit message.
  • My contribution is tested and working as described.
  • I have read the Developer Certificate of Origin and certify my contribution under its conditions.

Since I am an Application Security Engineer, I wanted to do a security review of the terminal. I noticed that there was the possibility for untrusted input to be executed from a URI in the term. I looked at the issues to see if someone had already noticed it and saw #516. This fixes that and adds the security fix.

Summary of changes:

  1. URLs no longer open when the user ctrl+drags to select text over a link
  2. Safe schemes (http, https, mailto, ftp, gemini, etc.) open as before. Unusual schemes (ssh://, git://, file:, etc.) show a confirmation dialog with the full URI before anything is launched

Detail of Changes:

  1. Drag-select suppression (resolves #516: Using mouse to highlight URL results in clicking the link when mouse is released.)

ButtonReleased consumed state.dragging with .take() before checking whether to fire on_open_hyperlink, discarding the information that a drag was in progress. So a ctrl+drag+release over a URL was indistinguishable from a ctrl+click.

The fix stores the raw pixel press position in Dragging::Buffer as press_point: Point and compares it against the release position. If the cursor moved more than LINK_CLICK_DRAG_THRESHOLD (4px) on either axis, the release is treated as a drag and the hyperlink handler is suppressed.

  2. Scheme confirmation dialog

Message::LaunchUrl passed URIs directly to open::that_detached with no scheme validation. The URL regex matches ssh://, git://, and file: in addition to http(s). Any process writing to the PTY can paint one of these into the buffer. ssh:// URIs can trigger ProxyCommand or LocalCommand from ~/.ssh/config; file: can target a .desktop file. Combined with the drag-select bug above, this could fire without deliberate user intent.

The new launch_url_scheme_is_safe helper validates scheme syntax per RFC 3986 and checks against an allowlist. Safe schemes open immediately. Anything else stores the URL in pending_launch_url and the dialog() method renders a COSMIC confirmation dialog showing the full URI, with Open and Cancel actions. Escape also clears a pending URL, consistent with other dialogs in the app.

Store press_point in Dragging::Buffer; suppress on_open_hyperlink if
cursor moved more than 4px between press and release. Fixes pop-os#516.

Add launch_url_scheme_is_safe() with RFC 3986 scheme validation and
an allowlist. Unusual schemes (ssh://, git://, file:, etc.) show a
confirmation dialog with the full URI. Refs pop-os#463.


Development

Successfully merging this pull request may close these issues.

Using mouse to highlight URL results in clicking the link when mouse is released.

1 participant