#354 CRITICAL: http_request.py - Add SSRF Protection
Description
## Issue
The http_request.py tool has no URL validation, allowing Server-Side Request Forgery (SSRF) attacks.
## Current Behavior
- Workflows can make HTTP requests to ANY URL, including:
  - localhost (http://localhost:7822/admin/reset)
  - Internal IPs (192.168.x, 10.x)
  - Cloud metadata (169.254.169.254)
## Risk
- Attack internal services
- Access cloud metadata (AWS credentials)
- Scan internal network
## Required Fix
1. Add URL validation in http_request()
2. Block: localhost, 127.0.0.1, private IPs, cloud metadata
3. Add optional allow_internal param for trusted workflows
4. Log blocked attempts
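The four steps above, worked as an added example that is not the project's own code: a `validate_url()` helper (hypothetical name) that rejects non-HTTP schemes and local hostnames, treats loopback, private, link-local (which covers 169.254.169.254) and IPv4-mapped addresses as internal, resolves hostnames so a public-looking name that points at an internal IP is also caught, honours an `allow_internal` opt-in, and logs every block. The injectable `resolve` parameter is an assumption added so the check can be exercised without DNS.

```python
import ipaddress
import logging
import socket
from urllib.parse import urlparse

log = logging.getLogger("http_request")
# Names that always mean "this machine", whatever DNS says.
_LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def is_internal_address(ip_text: str) -> bool:
    """True for loopback, private, link-local, multicast or otherwise non-global IPs."""
    ip = ipaddress.ip_address(ip_text)
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so it is judged as 127.0.0.1.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or not ip.is_global)


def _resolve(host: str) -> list:
    """Default resolver: every address the OS returns for `host`."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def validate_url(url: str, allow_internal: bool = False, resolve=_resolve) -> bool:
    """Return True if a workflow may fetch `url`; log and return False otherwise.
    `resolve` is a hypothetical hook so the check can be tested offline."""
    parsed = urlparse(url)
    host = parsed.hostname
    if parsed.scheme not in ("http", "https") or not host:
        log.warning("blocked http_request: unsupported URL %r", url)
        return False
    if allow_internal:  # trusted workflows must opt in explicitly
        return True
    if host.lower().rstrip(".") in _LOCAL_NAMES:
        log.warning("blocked http_request to local hostname: %r", url)
        return False
    try:
        ipaddress.ip_address(host)
        addrs = [host]  # IP literal: nothing to resolve
    except ValueError:
        try:
            addrs = resolve(host)  # check every address the name maps to
        except socket.gaierror:
            log.warning("blocked http_request: cannot resolve %r", url)
            return False
    blocked = [a for a in addrs if is_internal_address(a)]
    if blocked:
        log.warning("blocked http_request to internal address %s: %r", blocked[0], url)
        return False
    return True
```

Resolving before the request still leaves a window for DNS rebinding and for redirects to internal hosts, so the same check should also run on each redirect target and the HTTP client should connect to the validated address rather than re-resolving.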
## Location
engine/tools/http_request.py:103-271