fix(media): gate the media API on CDN activation (cdn_enabled) #72

Merged
ABB65 merged 1 commit into main from fix/media-api-cdn-enabled-gate
Jun 19, 2026

@ABB65 ABB65 commented Jun 19, 2026

Gate the media API on CDN activation

The miss you caught: the media API (/api/media/v1/...) didn't check whether CDN/media is activated for the project. So an upload to an un-activated project (cdn_enabled = false) skipped straight to R2 and leaked a raw NotEntitled error as a 500, instead of a clean, actionable 403.

The CDN delivery route already gates on cdn_enabled (cdn.not_enabled); the media surface should too. Added the same gate to resolveMediaApiContext so it covers all 6 media routes:

const project = await db.getProjectById(keyData.projectId, 'id, workspace_id, cdn_enabled')
if (!project.cdn_enabled)
  throw createError({ statusCode: 403, message: errorMessage('cdn.not_enabled') })

Evidence

  • astro-blog.cdn_enabled = false → media not activated.
  • Staging upload 500 root cause (from logs): NotEntitled: Please enable R2 through the Cloudflare Dashboard.
  • Now an un-activated project returns 403 cdn.not_enabled (activate CDN in project settings) instead of a 500.

Two layers to a working upload (after this)

  1. Per-project activation: cdn_enabled = true (the CDN toggle). ← this PR gates on it.
  2. Deployment R2 entitlement — the Cloudflare account behind the deployment must have R2 enabled. The NotEntitled is account-level, so staging's R2 isn't enabled yet.

typecheck + lint clean; media-api gate test added (6 pass). Companion to #67/#69/#70/#71.

@ABB65 ABB65 merged commit 8859a99 into main Jun 19, 2026
1 check passed
@ABB65 ABB65 deleted the fix/media-api-cdn-enabled-gate branch June 19, 2026 13:33
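
Added example, not code from this PR or the project: a synchronous sketch of the two layers the description lists, with the activation gate in a shared resolver that runs before storage is touched and the account-level storage error kept out of the response body. HttpError, PROJECTS, makeStorage, handleUpload and the project.not_found and storage.unavailable codes are assumptions made for illustration; only cdn_enabled, cdn.not_enabled and the NotEntitled message come from the page.

```javascript
// Local stand-in for the framework's HTTP error helper (assumption).
class HttpError extends Error {
  constructor(statusCode, code) {
    super(code)
    this.statusCode = statusCode
    this.code = code
  }
}

// Constructed rows; only astro-blog having cdn_enabled = false is from the PR.
const PROJECTS = new Map([
  ['astro-blog', { id: 'astro-blog', workspace_id: 'ws-1', cdn_enabled: false }],
  ['docs-site', { id: 'docs-site', workspace_id: 'ws-1', cdn_enabled: true }],
])

// Shared resolver: every media route goes through it, so no route can skip the gate.
function resolveMediaContext(projectId) {
  const project = PROJECTS.get(projectId)
  if (!project) throw new HttpError(404, 'project.not_found') // hypothetical code
  if (!project.cdn_enabled) throw new HttpError(403, 'cdn.not_enabled')
  return { projectId: project.id, workspaceId: project.workspace_id }
}

// Constructed storage stub; `fail` simulates the account-level entitlement error.
function makeStorage(fail) {
  const storage = { calls: 0 }
  storage.put = () => {
    storage.calls += 1
    if (fail) throw new Error('NotEntitled: Please enable R2 through the Cloudflare Dashboard.')
  }
  return storage
}

// Hypothetical upload route: gate first, then storage; raw storage errors stay server-side.
function handleUpload(projectId, storage) {
  let ctx
  try {
    ctx = resolveMediaContext(projectId)
  } catch (err) {
    if (!(err instanceof HttpError)) throw err
    return { status: err.statusCode, body: { error: err.code } }
  }
  try {
    storage.put(`${ctx.projectId}/upload.bin`)
    return { status: 201, body: { ok: true } }
  } catch (err) {
    console.error('storage failure:', err.message) // detail goes to logs only
    return { status: 503, body: { error: 'storage.unavailable' } } // hypothetical code
  }
}
```
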