feat(download): v2 file download via /files/{fileId}

[jhagberg]

Related issue(s) and PR(s)
Closes #677. Stacks on #685.

Description
Wires v2 file download through GET /files/{fileId} plus the server-provided downloadUrl plus the X-C4GH-Public-Key header, retires the legacy /s3-transfer helpers, and shrinks download/download.go to a downloadOne → writeBodyToDisk flow sitting on apiclient.Client.DownloadFile. Removes the "v2 download is not yet implemented" guard that #685 put in.

Key design points

• Client.DownloadFile(ctx, DownloadRequest) (DownloadResult, error) is the new abstraction. DownloadResult carries the canonical File (authoritative filename — UserArg can be a bare fileId), the response body, and the server's Content-Length.
• V2Client.DownloadFile resolves UserArg via ExactPath (paths) or ListFiles scan (bare ids), then hits the server-provided downloadUrl with X-C4GH-Public-Key. URLs go through url.Parse + ResolveReference so both relative and absolute forms work.
• Bearer-token leakage guard: when the resolved download host differs from BaseURL, the Authorization header is dropped. A pre-signed cross-origin URL is self-authenticating; leaking the bearer to a third-party host is the kind of thing you read about in CVE writeups.
• 403 from either resolve or GET flattens to dataset/file does not exist or access denied: <arg> — existence-leakage contract preserved from v1.
• downloadOne uses result.File.FilePath (anonymized) for the on-disk path. Downloading by fileId now produces a meaningfully-named file instead of outdir/<fileId>. A containment check rejects any outputPath escaping outDir, so a server-provided path with ../ can't write outside the configured output directory.
• Retires downloadFile, getFileIDURL, GetDatasets, GetFilesInfo, getBody, setupCookieJar, the download.File alias, and the cookieJar/cookiePath/appVersion package vars. The apiclient.WithV1CookieJar option also retires here in the same refactor.
• Carries the field rename (Version → ClientVersion) and int64 widening from feat(apiclient): Client interface + V1Client wrapper #679's review-amend into the new V1/V2 DownloadFile sites, and mirrors feat(download): v2 CI harness + minimal ListDatasets #681's SDA-Client-Version + User-Agent header pair on v2.

Out of scope (tracked separately)

• N+1 re-resolve on datasetCase / recursiveCase (separate follow-up).
• RFC 9457 Problem Details — feat(apiclient): RFC 9457 Problem Details on v2 error responses #687.

How to test

Local:

• go build ./..., go vet ./..., gofmt -l .: clean.
• go test ./...: 176 pass.
• golangci-lint run --timeout 5m: 0 issues.

Integration (build tag integration, against the live v2 dev stack):

• TestV2_ListDatasets_Smoke, TestV2_ListFiles_Smoke, TestV2_ListFiles_ExactPath_Smoke, TestV2_ListFiles_PathPrefix_NoMatch, TestV2_DatasetInfo_Smoke, TestV2_DownloadFile_EndToEnd: all pass.

Manual, rebuilt sda-cli against the live dev stack:

• download --api-version v2 --dataset-id EGAD00000000001 --pubkey <pem> test-file.c4gh writes the file (~1.2 kB c4gh bytes).
• download --api-version v2 ... EGAF00000000001 (by fileId) writes test-file.c4gh — the canonical name, not the bare fileId.
• download --api-version v2 without --pubkey errors with v2 downloads require --pubkey.
• download --api-version v2 --dataset-id DOES_NOT_EXIST ... errors with dataset/file does not exist or access denied: <arg> (403 flattened).

Test plan

• go test ./...: 176 pass
• go vet ./...: clean
• golangci-lint run: clean
• gofmt -l .: clean
• Integration: end-to-end v2 download passes
• Manual: by-path, by-fileId, missing pubkey, 403 flatten
• CI: golint, test (ubuntu + windows), integration-v2, integration (s3), codeql-analysis