add SSRF protection and security documentation for MCP client

[bug-ops]

Summary

• Add SSRF validation in McpClient::connect_url blocking private/reserved IP ranges (loopback, RFC 1918, link-local) with DNS resolution check
• Add SsrfBlocked and InvalidUrl error variants to McpError
• Add docs/src/security/mcp.md covering safe MCP server configuration, SSRF risks, command allowlists, and secrets management
• Add 9 unit tests for SSRF IP blocking

Closes #309

Test plan

• All 60 zeph-mcp tests pass including 9 new SSRF tests
• Clippy clean with -D warnings
• CI gate passes

[codecov-commenter]

Codecov Report

❌ Patch coverage is 88.75000% with 9 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
crates/zeph-mcp/src/client.rs	88.15%	9 Missing ⚠️

@@            Coverage Diff             @@
##             main     #323      +/-   ##
==========================================
+ Coverage   79.96%   80.01%   +0.05%     
==========================================
  Files          98       98              
  Lines       23964    24005      +41     
==========================================
+ Hits        19163    19208      +45     
+ Misses       4801     4797       -4     

Files with missing lines	Coverage Δ
crates/zeph-mcp/src/error.rs	100.00% <ø> (ø)
crates/zeph-mcp/src/manager.rs	84.47% <100.00%> (+0.16%)	⬆️
crates/zeph-mcp/src/client.rs	47.56% <88.15%> (+21.87%)	⬆️

... and 3 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.