`DownloadManager.download_url` currently prints the full request URL three
times per download (start, finished, exception path), plus the entire
response headers dict. That's useful debug output for the typical callers
fetching public URLs (app icons, OS updates, weather data) — but it
silently leaks any auth secret embedded in a URL's path or query string.

Two real cases discovered in the wild:

  1. Lightning Piggy's on-chain wallet (LightningPiggyApp PR MicroPythonOS#25) queries
     `https://btc1.trezor.io/api/v2/xpub/zpub6q...?details=txs&tokens=derived`
     to fetch balance + transactions for a watch-only xpub. The xpub
     itself is in the path. A leaked xpub exposes the wallet's entire
     past + future address derivation tree to whoever reads the log —
     non-recoverable confidentiality damage even though funds custody
     is unaffected.

  2. Any future caller using API-key-in-URL or OAuth-token-in-URL
     authentication. Pattern is common enough (LNBits, BlueWallet's
     LNDHub, some HTTPS RPC endpoints) that the leak surface is wider
     than just Lightning Piggy.

The Lightning Piggy app already scrubs xpubs from its own print() calls,
but DownloadManager's prints sit below that and re-leak the URL on
every poll.

This PR adds a `redact_url=False` kwarg (default preserves current
behaviour). When set True:

- The URL is logged as `scheme://host[:port]/...REDACTED...` instead of
  full. The host is intentionally kept so failure triage (DNS,
  connectivity, wrong endpoint) is still possible.
- The response-headers dump is suppressed entirely (replaced with
  `<redacted>`). Response headers often contain `set-cookie`, `cf-ray`,
  and other correlatable session tokens.
- Exception messages have the URL substring scrubbed before printing
  (aiohttp's ClientConnectorError typically embeds the URL).

Default False is deliberate — most callers fetch public URLs and want
the full log line for diagnostics. Callers opt in:

    await DownloadManager.download_url(url, redact_url=True)

Tests (`tests/test_download_manager.py`):
- 6 unit tests for the new `_safe_url` helper (path-with-query strip,
  port handling, naked-host pass-through, malformed-URL placeholder,
  belt-and-braces "secret substrings never appear in output" guard).
- 2 mock-surface tests confirming the kwarg flows through correctly
  and defaults to False.
- All 22 existing tests continue to pass (default behaviour unchanged).

  $ bash tests/unittest.sh tests/test_download_manager.py
  Ran 30 tests
  OK

The Lightning Piggy on-chain wallet PR will follow up on its side to
pass `redact_url=True` once this lands; that's a one-line change in
`onchain_wallet.py:fetch_balance_and_payments()`.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>

PR MicroPythonOS#136 added URL scrubbing to the `except Exception as e:` handler in
`_download_url_async`, but the verification of that branch was deferred
to a hardware smoke-test. Move it under unit-test coverage:

- Install a fake `aiohttp` into `sys.modules` so the function-local
  `import aiohttp` resolves to a stub whose `ClientSession.get()`
  raises a `RuntimeError(message)` where `message` contains the full
  request URL (mimicking aiohttp's `ClientConnectorError` behaviour
  without needing the network).
- Capture `print(...)` via builtins monkey-patch, then assert:
  - `redact_url=True` strips the secret-bearing URL substring from
    the printed exception line and substitutes the
    `scheme://host/...REDACTED...` form
  - `redact_url=False` preserves the full URL in the printed line
    (regression guard for the default behaviour)
- Use a plain class instance for the fake module — MicroPython's
  unittest port doesn't support `type(sys)(...)` to mint a new
  module object, but `sys.modules[name]` accepts any object.

`bash tests/unittest.sh tests/test_download_manager.py` → 32 tests OK
(was 30).

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>