Harden auth and outbound admin surfaces

backend/app/routers/feedback.py

@@ -3,6 +3,7 @@ import httpx
 from fastapi import APIRouter, Depends, HTTPException
 
 from ..auth import get_current_user
+from ..network_security import validate_notification_target_url
 from ..runtime import get_runtime_settings
 
 router = APIRouter(prefix="/feedback", tags=["feedback"], dependencies=[Depends(get_current_user)])
@@ -17,6 +18,10 @@ async def send_feedback(payload: Dict[str, Any], user: Dict[str, str] = Depends(
     )
     if not webhook_url:
         raise HTTPException(status_code=400, detail="Discord webhook not configured")
+    try:
+        webhook_url = validate_notification_target_url(webhook_url)
+    except ValueError as exc:
+        raise HTTPException(status_code=400, detail=str(exc)) from exc
 
     feedback_type = str(payload.get("type") or "").strip().lower()
     if feedback_type not in {"bug", "feature"}: