fix: mitigate TOCTOU DNS rebinding gap in git clone SSRF prevention

[Aureliolo]

Summary

The SSRF prevention in git_url_validator.py resolves DNS and validates all IPs are public, but there is an inherent TOCTOU gap: git clone resolves the hostname again independently. A DNS rebinding attack could serve a public IP to the validator, then a private IP when git resolves.

Context

Documented in #505 (module docstring + call-site comment). The current implementation is significantly better than nothing but does not fully close the rebinding vector for hostname-based URLs (literal IP URLs are immune).

Mitigation options (priority order)

1. git -c http.curloptResolve=host:port:ip — pin git to the validated IP. Requires git >= 2.34 and only works for HTTPS (not SSH/SCP)
2. Short TTL + double-resolve — re-resolve immediately before execution and compare. Narrows the window but doesn't eliminate it
3. Network-level egress controls — Docker network: none + allowlisted egress proxy (already planned in sandbox design)

Design Spec Reference

• §11.1.1 Built-in git tools — SSRF prevention
• Sandbox design page — network isolation

Notes

Option 3 (network-level controls) is the most robust defense-in-depth and is already planned. Option 1 is the most complete application-layer fix for HTTPS URLs.