SSRFSafeTransport

httpx async transport that validates DNS results against an SSRF policy.

For every outgoing request the transport:

1. Checks the URL scheme against policy.allowed_schemes.
2. Validates the hostname against blocked patterns.
3. Resolves DNS and validates all returned IPs.
4. Rewrites the request to connect to the first valid IP while preserving the original Host header and TLS SNI hostname.

Redirects are re-validated on each hop because follow_redirects is set on the client, causing handle_async_request to be called again for each redirect target.