fix: rebuild MPD upstream request after provider pooling

[Bladestar2105]

Motivation

• The MPD proxy built upstreamUrl, backup URLs, and request headers from the original provider before provider-pooling could swap in a fallback account, allowing accounting to be charged to a different provider than the one actually contacted.
• The change ensures provider selection and connection-accounting are always aligned with the actual upstream request to prevent provider overuse or bans.

Description

• Moved MPD request construction (headers, upstreamUrl, and backupStreamUrls) in proxyMpd to run after findAvailableProvider and after the channel credentials are overridden, so the actual fetch uses the selected pooled provider account (src/controllers/streamController.js).
• Added a focused regression test should build MPD upstream URL using pooled provider credentials and extended mocks to simulate a saturated provider and an available pooled provider (tests/security/provider_limit.test.js).
• Minor test adjustments include importing fetch and adding a stream_id=202 channel fixture and pooled provider fixtures to the test DB mock.

Testing

• Ran the targeted test: npm exec vitest run tests/security/provider_limit.test.js, and the test file passed (all tests in the file succeeded).
• Ran linters with npm run lint; lint produced pre-existing warnings but no new errors were introduced.
• The targeted test verifies that streamManager.add records the pooled provider id and that the upstream fetch is invoked with the pooled provider credentials and User-Agent as expected.

---

Codex Task