Defer media body downloads during refresh

[tripledoublev]

Summary

• make group refresh metadata-only after the remote collection is available, so one slow media body no longer blocks file-list discovery
• keep refreshed_files for API compatibility while deferring body refreshes to explicit media endpoints
• add a bounded media download helper for /media endpoints with per-peer and overall request budgets
• report is_downloaded from the local group blob store instead of asking a remote peer

Verification

• cargo check
• cargo test test_refresh_group_with_file -- --nocapture
• cargo test test_refresh_member_joined_before_owner_uploads -- --nocapture
• git diff --check

Review notes

• Spawned review agents before opening the PR.
• First review found is_downloaded was still using the remote-repo hash check and route lookup was outside the timeout; both were fixed.
• Second review found writable repos with missing local blobs would skip explicit body recovery; fixed by removing the !repo.can_write() gate for file-body downloads.
• Added regression coverage asserting first and repeated refreshes expose all_files without media bodies, keep refreshed_files empty, keep is_downloaded false until explicit media GET, then flip it true after download.

[tripledoublev]

Follow-up on the download_file can_write review note: the dropped guard is intentional. In the backend, Group::has_hash checks the local blob store directly, so writable repos that still have the local body skip peer download. If the body is genuinely missing, the endpoint now attempts bounded peer recovery before falling through to Repo::get_file_stream, which only reads local blobs and does not perform a hidden unbounded download. The collection-hash guard remains read-only-only because writable repos own their collection metadata locally.