fix(http): configure explicit timeouts and improve connection pooling #5737

Open
leseb wants to merge 2 commits into ogx-ai:main from leseb:fix-http-client-timeout-and-improve-connection-poo

Collaborator

leseb commented May 6, 2026

Summary

  • Configure explicit httpx.Timeout(total, connect=...) on every httpx.AsyncClient in the codebase, replacing bare defaults or per-request timeout= kwargs. Total timeout of 30s for tool runtimes / content fetch and 10s for auth endpoints; connect timeout set shorter (10s / 5s respectively) to fail fast on unreachable hosts.
  • Introduce BaseToolRuntimeConfig with user-tunable timeout and connect_timeout fields so operators can adjust HTTP timeouts per tool runtime provider (Bing Search, Brave Search, Tavily Search, Wolfram Alpha) via config YAML.
  • Reuse a persistent httpx.AsyncClient in CustomAuthProvider instead of creating a new client per validate_token call, reducing TCP/TLS setup overhead.
  • Add validate_url_not_private() SSRF guard to file_search and prompt_adapter image localization paths, blocking requests to loopback, link-local, and RFC 1918 addresses (including IPv4-mapped IPv6).

Test plan

  • tests/unit/core/test_client_timeout.py — verifies the API client factory no longer puts timeout inside per-request params (it is set on the AsyncClient constructor instead).
  • tests/unit/server/test_auth_http_client.py — verifies CustomAuthProvider creates its client eagerly with the correct connect/read/write/pool timeouts, reuses it, and closes it properly.
  • tests/unit/server/test_auth_oauth2_introspection.py — updated assertions to match the new httpx.Timeout object passed to AsyncClient and confirms timeout is no longer passed per-request.
  • tests/unit/providers/utils/test_url_validation.py — comprehensive coverage for validate_url_not_private: loopback, RFC 1918, link-local, IPv6 loopback/ULA/link-local, IPv4-mapped IPv6, unresolvable hostnames, mixed DNS results, and public IP allowlisting.
  • Run full unit test suite: uv run pytest tests/unit/ -x --tb=short
  • Run pre-commit checks: uv run pre-commit run --all-files

🤖 Generated with Claude Code
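
The kind of check the SSRF guard item in the summary describes, written here as an added example that is not code from this pull request or the project. `check_url_not_private`, `is_internal`, `BlockedURLError`, the injectable `resolver` parameter and the `SAMPLE_DNS` answers are assumptions made for illustration; the DNS answers are constructed so the block runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

class BlockedURLError(ValueError):
    """The URL must not be fetched from the server side."""

# Constructed DNS answers so the example runs offline (not real records).
SAMPLE_DNS = {
    "public.example": ["93.184.216.34"],
    "mixed.example": ["93.184.216.34", "10.0.0.5"],
    "mapped.example": ["::ffff:127.0.0.1"],
    "linklocal.example": ["169.254.10.20"],
}

def sample_resolver(host):
    if host not in SAMPLE_DNS:
        raise socket.gaierror("name or service not known")
    return SAMPLE_DNS[host]

def system_resolver(host):
    # All A/AAAA answers for the host; sockaddr[0] is the address string.
    return [ai[4][0] for ai in socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)]

def is_internal(addr):
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop an IPv6 zone id
    # Judge ::ffff:a.b.c.d by the IPv4 address embedded in it.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_private covers RFC 1918 and IPv6 unique-local (fc00::/7).
    return ip.is_loopback or ip.is_link_local or ip.is_private

def check_url_not_private(url, resolver=system_resolver):
    """Return the resolved addresses when all are public, else raise."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise BlockedURLError(f"unsupported URL: {url!r}")
    try:
        addrs = list(resolver(parts.hostname))
    except OSError as exc:  # socket.gaierror subclasses OSError
        raise BlockedURLError(f"cannot resolve {parts.hostname!r}") from exc
    if not addrs:
        raise BlockedURLError(f"no addresses for {parts.hostname!r}")
    # Mixed DNS results: one internal answer is enough to reject.
    bad = [a for a in addrs if is_internal(a)]
    if bad:
        raise BlockedURLError(f"{parts.hostname!r} resolves to internal {bad}")
    return addrs
```

Because the HTTP client resolves the name again when it connects, a caller that needs the check and the fetch to agree connects to one of the returned addresses, and applies the same check to each redirect target.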

… HTTP clients

Replace default httpx timeouts with explicit Timeout(total, connect=connect)
across the codebase to fail fast on unreachable hosts while still allowing
slow upstream responses. Introduce BaseToolRuntimeConfig with configurable
timeout/connect_timeout fields so tool runtime providers (Bing, Brave,
Tavily, Wolfram Alpha) expose these as user-tunable config. Reuse a
persistent httpx.AsyncClient in CustomAuthProvider instead of creating one
per request. Add SSRF protection via validate_url_not_private for URLs
fetched in file_search and prompt_adapter image localization.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Sébastien Han <seb@redhat.com>

pytest is configured with async-mode=auto, so the explicit decorator
is unnecessary and blocked by the pre-commit hook.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Sébastien Han <seb@redhat.com>