Context
WebScrapeExecutor validates initial URL but allows 3 redirects. Redirect targets bypass SSRF protection.
Solution
Custom redirect policy that calls validate_url and resolve_and_validate on each redirect Location header.
Epic: #857 | Effort: S | Crate: zeph-tools
