Registry SSRF defense and snapshot validation

Hardened the registry HTTP surface against SSRF across the IDP-config, webhook, and snapshot endpoints. `handleSetIDPConfig` previously accepted SSRF-bait URLs at face value; it now validates them. Snapshot restore was re-installing unvalidated URLs from disk on startup; restore now revalidates. The cloud-metadata hostname check was case-sensitive and could be bypassed with mixed case (`Metadata.google.internal`); now case-insensitive.

Resource caps added on `lastRekeyReq`, `relayPeers`, and the unauth crypto-map so flood traffic can't grow them unbounded. Stale tunnel packets are now classified separately from nonce replay (previously conflated in metrics).