fix(ssrf): use async event-hook for AsyncClient SSRF redirect check

[hoootan]

Summary

_check_redirect is a plain def registered as a response event hook on both httpx.Client (sync) and httpx.AsyncClient (async). httpx awaits the return value of every async-client event hook on every response; a sync function returns None, and await None raises:

TypeError: object NoneType can't be used in 'await' expression

This fires on every webhook-tool invocation through the inline executor:

agent → InlineExecutor._execute_webhook_tool
     → AsyncClient.request(...)
     → _check_redirect(response) returns None
     → httpx awaits None → TypeError

The exception bubbles up as the LLM's tool-result string "Error executing tool: object NoneType can't be used in 'await' expression", so the agent never gets a real answer from any webhook tool and the inline pipeline stalls / fails.

This blocks any inline function whose tools are tool_type='webhook'.

Reproduce on main

# 1. Create a webhook tool pointing at any public URL that returns 200 JSON
curl -X POST http://localhost:8000/api/v1/tools \
  -H "X-FlowForge-API-Key: ff_..." -H "Content-Type: application/json" \
  -d '{"name":"echo","description":"echo","parameters":{"type":"object","properties":{"x":{"type":"string"}},"required":["x"]},
       "tool_type":"webhook","webhook_url":"https://httpbin.org/post","webhook_method":"POST"}'

# 2. Inline function that uses it
curl -X POST http://localhost:8000/api/v1/functions/inline \
  -H "X-FlowForge-API-Key: ff_..." -H "Content-Type: application/json" \
  -d '{"id":"smoke","name":"Smoke","trigger":{"type":"event","value":"smoke.start"},
       "system_prompt":"Call echo(x=hi) and stop.","tools":["echo"],
       "agent_config":{"model":"claude-haiku-4-5","max_iterations":3,"max_tool_calls":3}}'

# 3. Trigger
curl -X POST http://localhost:8000/api/v1/events \
  -H "X-FlowForge-API-Key: ff_..." -H "Content-Type: application/json" \
  -d '{"name":"smoke.start","data":{"prompt":"call echo with hi"}}'

# 4. The completed run's output.messages contains:
#    {"role":"tool","content":"Error executing tool: object NoneType can't be used in 'await' expression"}

Fix

Split _check_redirect into two wrappers — _async_check_redirect (async) and _sync_check_redirect (sync) — over a shared _check_redirect_impl. Register the async one on AsyncClient and the sync one on Client. The original _check_redirect name is kept as an alias to the sync version for backward compatibility with any external callers.

Test plan

• _check_redirect_impl unchanged behaviour for redirects (still raises ValueError when target resolves to a private IP)
• Webhook tool invoked from an inline function returns a real response body to the LLM (no more NoneType TypeError)
• Sync Client from create_ssrf_safe_sync_client still works
• Optional follow-up: regression test that constructs a real AsyncClient from create_ssrf_safe_client and calls httpbin.org to verify no event-hook error

[Copilot]

Pull request overview

Fixes SSRF-safe httpx client behavior by ensuring the redirect-check response event hook is compatible with httpx.AsyncClient (async hooks must be awaitable), preventing webhook tool invocations from failing with TypeError: object NoneType can't be used in 'await' expression.

Changes:

• Refactors redirect validation into _check_redirect_impl with dedicated async/sync wrappers.
• Registers _async_check_redirect for httpx.AsyncClient and _sync_check_redirect for httpx.Client.
• Keeps _check_redirect as an alias to the sync wrapper for backwards compatibility.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Add a regression test to cover the async event-hook path (the original bug was await None when a sync hook was registered on AsyncClient). You can unit-test this without real network by using httpx.MockTransport with an AsyncClient created via create_ssrf_safe_client() and asserting a request/redirect does not raise TypeError and still enforces the SSRF redirect validation.