Harden outbound URL handling

[us]

Summary

• add DNS-resolved URL safety checks for REST/MCP scrape, crawl, map, search enrichment, and crawl discovery paths
• keep a session-lifetime CDP Fetch guard in crw-browse so browser navigations, redirects, clicks, and script-triggered requests are revalidated before continuing
• restrict screenshot file writes to an explicit screenshot directory with single-file relative paths and create-new semantics

Validation

• pre-commit hook: cargo fmt, clippy, and workspace tests
• cargo test -p crw-browse --lib
• cargo test -p crw-core url_safety --lib
• cargo check -p crw-server
• cargo check -p crw-cli

Notes

• DNS preflight cannot prove the browser/socket connect IP against DNS rebinding by itself; managed deployments should still enforce network-layer private/link-local egress denial.

closes #61

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.