client: allow injecting a custom *http.Client (SSRF-guardable)

NewClient hardcoded its *http.Client, so a server-side caller making
requests to an attacker-influenced baseURL (a tenant's prime_endpoint)
had no way to attach an SSRF policy — the transport followed redirects
and dialed any resolved IP, reachable being the cloud metadata service.

Add NewClientWithHTTPClient + NewDragonchainSDKWithHTTPClient so callers
can supply a client whose transport enforces a dial-time resolved-IP guard
and redirect policy. Existing constructors delegate with the prior default
(30s timeout), so this is backward compatible — the guard itself lives in
the consuming server (e.g. brill-api/pkg/prime), not in this client lib.

client/client.go

@@ -23,14 +23,23 @@ type Client struct {
 }
 
 func NewClient(publicID, authKeyID, authKey, baseURL string) *Client {
+	return NewClientWithHTTPClient(publicID, authKeyID, authKey, baseURL, nil)
+}
+
+// NewClientWithHTTPClient is like NewClient but uses a caller-supplied
+// *http.Client — e.g. one whose transport is SSRF-guarded, or one with a
+// non-default timeout. A nil hc falls back to the package default (30s
+// timeout, default transport), so existing callers are unaffected.
+func NewClientWithHTTPClient(publicID, authKeyID, authKey, baseURL string, hc *http.Client) *Client {
+	if hc == nil {
+		hc = &http.Client{Timeout: 30 * time.Second}
+	}
 	return &Client{
-		publicID:  publicID,
-		authKeyID: authKeyID,
-		authKey:   authKey,
-		baseURL:   strings.TrimSuffix(baseURL, "/"),
-		httpClient: &http.Client{
-			Timeout: 30 * time.Second,
-		},
+		publicID:   publicID,
+		authKeyID:  authKeyID,
+		authKey:    authKey,
+		baseURL:    strings.TrimSuffix(baseURL, "/"),
+		httpClient: hc,
 	}
 }