fix(instance-ai): address security issues in tool inspector, SSE, and SSRF guard

- HTML-escape JSON values in ToolResultJson.vue before v-html rendering
- Re-validate thread ownership on first SSE event for pre-creation subscriptions
- Block IPv4-mapped IPv6 addresses (::ffff:x.x.x.x) in SSRF guard