fix(security): enhance SSRF defense-in-depth with monitoring (CWE-918)

- Add CodeQL custom model recognizing ValidateExternalURL as sanitizer
- Enhance validation: hostname length (RFC 1035), IPv6-mapped IPv4 blocking
- Integrate Prometheus metrics (charon_ssrf_blocks_total, charon_url_validation_total)
- Add security audit logging with sanitized error messages
- Fix test race conditions with atomic types
- Update SECURITY.md with 5-layer defense documentation

Related to: #450
Coverage: Backend 86.3%, Frontend 87.27%
Security scans: CodeQL, Trivy, govulncheck all clean
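The two validation checks named in the commit message (hostname length per RFC 1035 and blocking of IPv4-mapped IPv6 literals such as ::ffff:127.0.0.1) as an added Go example, not code from this commit or the project. The function name ValidateExternalURL is taken from the commit message, but its signature is an assumption: the resolver is passed in as a parameter so the example runs offline, and fakeLookup plus its address table are constructed for this illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// RFC 1035 limits: a name is at most 255 octets on the wire, which is
// 253 characters in text form, and each label is at most 63 octets.
const (
	maxHostnameLen = 253
	maxLabelLen    = 63
)

var (
	ErrScheme   = errors.New("scheme must be http or https")
	ErrNoHost   = errors.New("url has no host")
	ErrHostLen  = errors.New("hostname exceeds RFC 1035 length limits")
	ErrInternal = errors.New("host resolves to a non-public address")
)

// isPublicIP reports whether ip is a globally routable unicast address.
// IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) are unwrapped first, so
// "::ffff:127.0.0.1" is judged by its IPv4 payload, not by its IPv6 wrapper.
func isPublicIP(ip net.IP) bool {
	if v4 := ip.To4(); v4 != nil {
		ip = v4
	}
	if ip.IsLoopback() || ip.IsPrivate() || ip.IsUnspecified() ||
		ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() || ip.IsMulticast() {
		return false
	}
	return true
}

// checkHostname enforces the total-length and per-label limits.
func checkHostname(host string) error {
	host = strings.TrimSuffix(host, ".")
	if host == "" || len(host) > maxHostnameLen {
		return ErrHostLen
	}
	for _, label := range strings.Split(host, ".") {
		if label == "" || len(label) > maxLabelLen {
			return ErrHostLen
		}
	}
	return nil
}

// ValidateExternalURL (hypothetical signature) accepts only http/https URLs
// whose host is a public address. Literal IPs, including bracketed IPv6 and
// IPv4-mapped forms, are checked directly; names are length-checked and
// then resolved through the injected lookup, failing closed on any error.
func ValidateExternalURL(raw string, lookup func(string) ([]net.IP, error)) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return ErrScheme
	}
	host := u.Hostname()
	if host == "" {
		return ErrNoHost
	}
	if ip := net.ParseIP(host); ip != nil {
		if !isPublicIP(ip) {
			return ErrInternal
		}
		return nil
	}
	if err := checkHostname(host); err != nil {
		return err
	}
	ips, err := lookup(host)
	if err != nil {
		return fmt.Errorf("resolve %q: %w", host, err)
	}
	if len(ips) == 0 {
		return fmt.Errorf("resolve %q: no addresses", host)
	}
	for _, ip := range ips {
		if !isPublicIP(ip) {
			return ErrInternal
		}
	}
	return nil
}

// fakeLookup is a constructed, offline stand-in for DNS resolution.
func fakeLookup(host string) ([]net.IP, error) {
	table := map[string][]net.IP{
		"localhost":   {net.ParseIP("127.0.0.1")},
		"example.com": {net.ParseIP("203.0.113.10")}, // TEST-NET-3, constructed
	}
	if ips, ok := table[host]; ok {
		return ips, nil
	}
	return nil, errors.New("no such host")
}

func main() {
	for _, raw := range []string{
		"https://example.com/api",
		"http://[::ffff:127.0.0.1]/admin",
		"http://localhost/",
		"http://" + strings.Repeat("a", 64) + ".example.com/",
	} {
		fmt.Printf("%-50s -> %v\n", raw, ValidateExternalURL(raw, fakeLookup))
	}
}
```

The IPv4-mapped case matters because a filter that only pattern-matches dotted IPv4 strings never sees "::ffff:7f00:1" or "::ffff:127.0.0.1" as loopback; normalising with To4() before the range checks closes that gap, and failing closed on resolver errors keeps unresolvable or oddly encoded hosts from slipping through.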
This commit is contained in:
GitHub Actions
2025-12-31 21:17:02 +00:00
parent d4e1eda99e
commit f46d19b3c0
17 changed files with 2318 additions and 492 deletions

@@ -44,6 +44,9 @@ jobs:
uses: github/codeql-action/init@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4
with:
languages: ${{ matrix.language }}
# Use custom model for Go to recognize SSRF sanitizers
# See: .github/codeql-custom-model.yml
config-file: ${{ matrix.language == 'go' && '.github/codeql-custom-model.yml' || '' }}
- name: Setup Go
if: matrix.language == 'go'
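Review bot: the `config-file` expression on the new `config-file:` line evaluates to an empty string for every non-Go matrix entry; confirm that `github/codeql-action/init` treats an empty `config-file` as "no config file" rather than as a path to open, or move the input to a Go-only step guarded by the same `if: matrix.language == 'go'` used for the Setup Go step just below. Since the referenced model in `.github/codeql-custom-model.yml` declares `ValidateExternalURL` a sanitizer and thereby suppresses SSRF findings on every path through it, the comment should also say that any change to that function's checks must be reviewed against the model, otherwise the scan stays quiet while the validation weakens.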