
fix(metadata-validation): block private fetch targets#4177

Open
tianpeng-dev wants to merge 1 commit into IntersectMBO:develop from tianpeng-dev:fix/metadata-validation-ssrf-targets

Conversation

@tianpeng-dev


Summary

This patch adds outbound URL validation before metadata-validation fetches a submitted metadata URL.

It blocks:

  • unsupported protocols
  • localhost / .localhost
  • loopback, private, link-local, carrier-grade NAT, benchmark, multicast, and reserved IPv4 ranges
  • IPv6 loopback, unspecified, unique-local, link-local, and IPv4-mapped private addresses
  • hostnames that resolve to blocked addresses
  • private addresses that appear during the actual HTTP/HTTPS agent lookup

The goal is to prevent the metadata validator from being used as an SSRF proxy for internal or local network targets.

Related issue

Fixes #4142

Verification

  • npm test -- --runInBand (7/7 tests)
  • npm run build
  • git diff --check

I also tried a no-fix ESLint command, but the current project dependency is ESLint 10 while the project still uses .eslintrc.js; ESLint exits before checking files because it expects eslint.config.*.

Notes

No production probing was performed. The new regression tests mock DNS resolution and verify that blocked targets are rejected before HttpService.get is called and again inside the actual request agent lookup.


Development

Successfully merging this pull request may close these issues.

🐛 [Bounty] - SSRF in Metadata-Validation Service via Loopback Escalation to Localhost
