
fix: enforce browser SSRF guard at webview boundary#152

Open
nullxnothing wants to merge 3 commits into main from fix/browser-ssrf-enforcement

Conversation

@nullxnothing
Owner

Reopened during repo cleanup pass. Branch was 4 weeks stale with no open PR but contains real unmerged work:

src/panels/BrowserMode/BrowserWebview.tsx | 20 ++++---
test/services/BrowserService.test.ts | 44 +++++++++++++++
14 files changed, 267 insertions(+), 55 deletions(-)

CI will indicate whether this still applies cleanly against current main (post v3.1 reworks).

@nullxnothing
Owner Author

Conflict scope: 7 files including BrowserService.ts, BrowserMode.tsx, BlockScanner.tsx. Security-critical (SSRF guard) — author should resolve.

@nullxnothing
Owner Author

Cleanup pass — needs author rebase:

7-file conflict, SSRF security primitive. Same pattern as #150 — main has divergent BrowserService + browser UI changes.

| File | Why conflict | Recommended owner |
| --- | --- | --- |
| electron/services/BrowserService.ts | This branch's CIDR/SSRF guards (isIpv4InCidr, network range checks) vs main's BrowserService | Author — keep CIDR additions |
| electron/main/index.ts | Branch adds protocol handlers, main has different changes | Author |
| src/panels/BrowserMode/BrowserMode.tsx | URL validation hooks vs main UI | Author |
| src/panels/BrowserMode/BrowserWebview.tsx | Webview boundary checks | Author |
| src/panels/BlockScanner/BlockScanner.tsx | URL guard updates | Author |
| test/services/BrowserService.test.ts | New tests vs main's tests | Merge both test sets |
| package.json | Version drift | Accept main |

Net-new value: the isIpv4InCidr helper and SSRF range guard logic. That code is a real security primitive worth shipping.

Recommend: cherry-pick the SSRF guard code into a fresh PR against current main.
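The CIDR helper and SSRF range guard discussed in the comments above, as an added TypeScript example that is not the PR's or the project's code: the name isIpv4InCidr comes from the discussion, while its signature, the BLOCKED_IPV4_RANGES list and the checkWebviewTarget boundary function are assumptions.

```typescript
// Added example, not the project's code; isIpv4InCidr's signature and the block list are assumed.
const IPV4_RE = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

// Dotted-quad IPv4 -> unsigned 32-bit number, or null when malformed (arithmetic, not signed shifts).
function ipv4ToInt(ip: string): number | null {
  const m = IPV4_RE.exec(ip);
  if (!m) return null;
  let n = 0;
  for (let i = 1; i <= 4; i++) {
    const octet = Number(m[i]);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True when ip lies inside cidr (e.g. "10.0.0.0/8"). Malformed input is never "inside".
export function isIpv4InCidr(ip: string, cidr: string): boolean {
  const [base, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  const ipN = ipv4ToInt(ip), baseN = ipv4ToInt(base);
  if (ipN === null || baseN === null || !Number.isInteger(bits) || bits < 0 || bits > 32) return false;
  const hostSpan = 2 ** (32 - bits); // addresses covered by the prefix
  return Math.floor(ipN / hostSpan) === Math.floor(baseN / hostSpan);
}

// Ranges a webview must not reach through page-controlled navigation (assumed list).
export const BLOCKED_IPV4_RANGES = [
  "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
  "169.254.0.0/16", // link-local, where cloud metadata services live
  "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
];

// True when navigation to this literal address should be refused; unparseable input fails closed.
export function isBlockedIpv4(ip: string): boolean {
  if (ipv4ToInt(ip) === null) return true;
  return BLOCKED_IPV4_RANGES.some((cidr) => isIpv4InCidr(ip, cidr));
}

// Boundary check for a navigation URL. Only literal IPv4 hosts are decided here; a named host must be
// resolved and every resulting address passed to isBlockedIpv4 before connecting, or the guard is moot.
export function checkWebviewTarget(rawUrl: string): "allow" | "block" | "resolve-then-check" {
  let url: URL;
  try { url = new URL(rawUrl); } catch { return "block"; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return "block";
  if (url.hostname.startsWith("[")) return "block"; // IPv6 literal: outside this IPv4 guard, fail closed
  if (IPV4_RE.test(url.hostname)) return isBlockedIpv4(url.hostname) ? "block" : "allow";
  return "resolve-then-check";
}
```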
