client: allow injecting a custom *http.Client (SSRF-guardable)

NewClient hardcoded its *http.Client, so a server-side caller making
requests to an attacker-influenced baseURL (a tenant's prime_endpoint)
had no way to attach an SSRF policy — the transport followed redirects
and dialed any resolved IP, reachable being the cloud metadata service.

Add NewClientWithHTTPClient + NewDragonchainSDKWithHTTPClient so callers
can supply a client whose transport enforces a dial-time resolved-IP guard
and redirect policy. Existing constructors delegate with the prior default
(30s timeout), so this is backward compatible — the guard itself lives in
the consuming server (e.g. brill-api/pkg/prime), not in this client lib.

dragonchain.go

@@ -50,6 +50,8 @@
 package sdk
 
 import (
+	"net/http"
+
 	"git.dragonchain.com/dragonchain/prime-sdk-go/block"
 	"git.dragonchain.com/dragonchain/prime-sdk-go/client"
 	"git.dragonchain.com/dragonchain/prime-sdk-go/contract"
@@ -80,7 +82,15 @@ type DragonchainSDK struct {
 // Returns a configured SDK client ready to make API calls.
 // All API methods on the returned client require a context.Context parameter.
 func NewDragonchainSDK(publicID, authKeyID, authKey, baseURL string) *DragonchainSDK {
-	c := client.NewClient(publicID, authKeyID, authKey, baseURL)
+	return NewDragonchainSDKWithHTTPClient(publicID, authKeyID, authKey, baseURL, nil)
+}
+
+// NewDragonchainSDKWithHTTPClient is like NewDragonchainSDK but routes every
+// request through the caller-supplied *http.Client. Pass a client whose
+// transport enforces an SSRF policy (guarded dialer + redirect checks) when
+// the baseURL is attacker-influenced. A nil hc falls back to the SDK default.
+func NewDragonchainSDKWithHTTPClient(publicID, authKeyID, authKey, baseURL string, hc *http.Client) *DragonchainSDK {
+	c := client.NewClientWithHTTPClient(publicID, authKeyID, authKey, baseURL, hc)
 	return &DragonchainSDK{
 		client:          c,
 		Transaction:     transaction.NewTransactionClient(c),