fix(security): resolve CWE-918 SSRF vulnerability in notification service

- Apply URL validation using security.ValidateWebhookURL() to all webhook
  HTTP request paths in notification_service.go
- Block private IPs (RFC 1918), cloud metadata endpoints, and loopback
- Add comprehensive SSRF test coverage
- Add CodeQL VS Code tasks for local security scanning
- Update Definition of Done to include CodeQL scans
- Clean up stale SARIF files from repo root

Resolves CI security gate failure for CWE-918.

.vscode/tasks.json

@@ -149,6 +149,20 @@
             "group": "test",
             "problemMatcher": []
         },
+        {
+            "label": "Security: CodeQL Go Scan",
+            "type": "shell",
+            "command": "codeql database create codeql-db-go --language=go --source-root=backend --overwrite && codeql database analyze codeql-db-go /projects/codeql/codeql/go/ql/src/codeql-suites/go-security-extended.qls --format=sarif-latest --output=codeql-results-go.sarif",
+            "group": "test",
+            "problemMatcher": []
+        },
+        {
+            "label": "Security: CodeQL JS Scan",
+            "type": "shell",
+            "command": "codeql database create codeql-db-js --language=javascript --source-root=frontend --overwrite && codeql database analyze codeql-db-js /projects/codeql/codeql/javascript/ql/src/codeql-suites/javascript-security-extended.qls --format=sarif-latest --output=codeql-results-js.sarif",
+            "group": "test",
+            "problemMatcher": []
+        },
         {
             "label": "Security: Go Vulnerability Check",
             "type": "shell",