NewClient hardcoded its *http.Client, so a server-side caller making
requests to an attacker-influenced baseURL (a tenant's prime_endpoint)
had no way to attach an SSRF policy — the transport followed redirects
and dialed any resolved IP, reachable being the cloud metadata service.
Add NewClientWithHTTPClient + NewDragonchainSDKWithHTTPClient so callers
can supply a client whose transport enforces a dial-time resolved-IP guard
and redirect policy. Existing constructors delegate with the prior default
(30s timeout), so this is backward compatible — the guard itself lives in
the consuming server (e.g. brill-api/pkg/prime), not in this client lib.
Andrew Miller
bc2b622873