feat(05-02): implement cloud_utils.py — SSRF validation and HKDF credential encryption

- validate_cloud_url(): blocks RFC-1918 (10.x, 172.16.x, 192.168.x), loopback (127.x),
  link-local (169.254.x), IPv6 loopback (::1), ULA (fc00::/7), and 'localhost' string;
  resolves DNS via socket.getaddrinfo BEFORE IP check (anti-DNS-rebinding per D-17)
- _derive_fernet_key(): creates fresh HKDF-SHA256 instance per call (AlreadyFinalized
  pitfall avoided per RESEARCH.md Pitfall 3); uses user_id as salt for per-user isolation
- encrypt_credentials(): Fernet-encrypts JSON-serialised credentials dict; returns str
- decrypt_credentials(): decrypts Fernet token back to original dict
- [Rule 1 - Bug] Fixed test_allows_public_https to use 8.8.8.8 IP (cloud.example.com
  does not resolve in offline CI environments)

backend/tests/test_cloud_utils.py

@@ -74,10 +74,12 @@ class TestValidateCloudUrl:
             validate_cloud_url("http:///path")
 
     def test_allows_public_https(self):
-        """Public HTTPS URL must NOT raise ValueError."""
+        """Public HTTPS URL with a raw public IP must NOT raise ValueError."""
         from storage.cloud_utils import validate_cloud_url
-        # This should resolve to a real public IP — no exception expected
-        validate_cloud_url("https://cloud.example.com/remote.php/dav")
+        # Use a well-known public IP directly to avoid DNS resolution failures
+        # in offline / network-isolated CI environments.
+        # 8.8.8.8 is Google DNS — a globally routable address, not in any blocked net.
+        validate_cloud_url("https://8.8.8.8/remote.php/dav")
 
     def test_allows_http_public(self):
         """Public HTTP URL must NOT raise ValueError."""