fix(plg): allow subpath domains in ASO PLG onboarding validation #2363

Open
Kanishkavijay39 wants to merge 1 commit into main from LLMO-4187-plg-subpath-support

@Kanishkavijay39
Contributor

Summary

  • Replaces HOSTNAME_RE + isValidHostname with DOMAIN_RE + isValidDomain to accept
    hostname/path format (e.g. nba.com/kings, nba.com/us/kings) in addition to plain hostnames
  • Updates isSafeDomain to extract the hostname before SSRF pattern matching so a path suffix
    cannot bypass blocked-host checks (e.g. myhost.local/path still fails)
  • Schemes (https://), query strings (?), and fragments (#) are still rejected

Part of LLMO-4187 — also requires fixes in spacecat-shared (DOMAIN_PATTERN in
plg-onboarding.model.js) and the ESS UI (getDomainFromUrl.ts).

If the PR is changing the API specification:

  • make sure you add a "Not implemented yet" note to the endpoint description, if the implementation is not ready
    yet. Ideally, return a 501 status code with a message explaining the feature is not implemented yet.
  • make sure you add at least one example of the request and response.

If the PR is changing the API implementation or an entity exposed through the API:

  • make sure you update the API specification and the examples to reflect the changes.

If the PR is introducing a new audit type:

  • make sure you update the API specification with the type, schema of the audit result and an example

Related Issues

Thanks for contributing!

DOMAIN_RE and isSafeDomain now accept hostname/path format (e.g. nba.com/kings)
in addition to plain hostnames. Schemes, query strings, and fragments are still
rejected. isSafeDomain extracts the hostname before SSRF pattern matching so
paths don't bypass blocked-host checks (e.g. myhost.local/path still fails).

Fixes LLMO-4187
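
The check order described in the summary, as an added example that is not code from this PR or from the project: the names DOMAIN_RE, isValidDomain and isSafeDomain mirror the summary, while the regex, the blocked-host patterns, extractHostname and isSafeDomainWholeInput are assumptions made for illustration. It contrasts running blocked-host patterns over the whole input with running them over the extracted hostname.

```javascript
// Added example. Regex and blocklist are assumptions, not the project's code.

// DNS labels, an alphabetic final label, then optional path segments.
// Scheme (":"), query ("?") and fragment ("#") characters cannot match.
const LABEL = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
const DOMAIN_RE = new RegExp(
  `^(?:${LABEL}\\.)+[a-z]{2,63}(?:/[A-Za-z0-9._~%-]+)*/?$`, 'i');

// Hypothetical blocked-host patterns, anchored at the end of the hostname.
const BLOCKED_HOST_PATTERNS = [
  /^localhost$/i,
  /\.(?:local|localhost|internal)$/i,
];

function isValidDomain(input) {
  return typeof input === 'string' && input.length <= 2048 && DOMAIN_RE.test(input);
}

// The hostname is everything before the first "/".
function extractHostname(input) {
  const slash = input.indexOf('/');
  return (slash === -1 ? input : input.slice(0, slash)).toLowerCase();
}

// Flawed variant: "$" anchors to the end of the path, not of the hostname,
// so any path suffix hides a blocked host from the patterns.
function isSafeDomainWholeInput(input) {
  return isValidDomain(input) && !BLOCKED_HOST_PATTERNS.some((re) => re.test(input));
}

// Corrected variant: validate the shape, then match patterns on the hostname only.
function isSafeDomain(input) {
  if (!isValidDomain(input)) return false;
  const host = extractHostname(input);
  return !BLOCKED_HOST_PATTERNS.some((re) => re.test(host));
}

// Constructed sample inputs, based on the examples in the summary.
const SAMPLES = ['nba.com', 'nba.com/kings', 'nba.com/us/kings',
  'https://nba.com/kings', 'nba.com/kings?x=1', 'nba.com/kings#top',
  'myhost.local', 'myhost.local/path'];

function classify(inputs) {
  return inputs.map((input) => ({
    input, valid: isValidDomain(input), safe: isSafeDomain(input),
    wholeInputCheck: isSafeDomainWholeInput(input) }));
}

console.table(classify(SAMPLES));
```

A regression test for this kind of change should include at least one blocked host with a path suffix, since that is the row where the two variants disagree.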
@codecov

codecov Bot commented May 7, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!
