
Fix/security and concurrency bugs #50

Merged
NEFORCEO merged 8 commits into master from fix/security-and-concurrency-bugs
Apr 17, 2026

@NEFORCEO
Member

🚀 Description

fix: security and concurrency bugs

  • Fix inverted XSS detection — validate_response now correctly returns
    (False, msg) when XSS is found; previously XSS never blocked anything
  • Fix shared request_configs mutation causing header leakage between
    requests — _prepare_config now works on a copy of the config dict
  • Fix blocking DNS lookup in async context — socket.gethostbyname is
    now called via asyncio.to_thread in SSRFProtection.check_url
  • Fix race condition in Limits semaphore — semaphore is now created
    eagerly in __init__ instead of lazily without a lock
  • Fix CacheMiddleware._cached_response race condition — cache hit is
    now stored per-request in the config dict instead of a shared instance
    attribute
  • Implement startup_uuid_version="v7" — was documented but never handled
  • Fix _log_result crash on non-JSON responses when response_model is set
  • Fix _find_route ambiguous substring URL matching — now uses exact match only
  • Replace print() debug output with logger.debug in _handle_proxy
  • Fix Response.json() return type annotation from dict[str, Any] to Any

🧩 Type of Change

Please select one:

  • feat: New feature
  • fix: Bug fix
  • docs: Documentation update
  • refactor: Code refactoring
  • ci: CI/CD changes
  • chore: Maintenance

✅ Checklist

  • Tests added or updated
  • Documentation updated
  • No breaking changes
  • Code follows project style

🔗 Related Issues

Fixes #


📸 Additional Context

Screenshots, logs or additional notes.
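
The header leakage through a shared config dict named in the description, as an added sketch that is not the project's code. The `prepare_config_*` functions, `leaked_headers`, and the config layout are assumptions made for illustration; the example also goes one step beyond the description by showing that a top-level-only copy still shares a nested `headers` dict.

```python
import copy

# Constructed shared defaults, standing in for a client's request_configs entry.
SHARED_CONFIG = {"timeout": 10, "headers": {"Accept": "application/json"}}

def prepare_config_mutating(config, extra_headers):
    """Before: per-request headers are written straight into the shared dict."""
    config["headers"].update(extra_headers)
    return config

def prepare_config_shallow(config, extra_headers):
    """Incomplete fix: dict(config) copies the top level only, so the nested
    'headers' dict is still the shared object."""
    cfg = dict(config)
    cfg["headers"].update(extra_headers)
    return cfg

def prepare_config_copy(config, extra_headers):
    """Fix: deep-copy so nested dicts are per-request as well."""
    cfg = copy.deepcopy(config)
    cfg["headers"].update(extra_headers)
    return cfg

def leaked_headers(prepare):
    """Send request A with a credential, then request B without one, and
    return the header names request B carries that it never asked for."""
    shared = copy.deepcopy(SHARED_CONFIG)
    baseline = set(shared["headers"])
    prepare(shared, {"Authorization": "Bearer token-for-user-A"})  # constructed value
    cfg_b = prepare(shared, {"X-Request-Id": "b-1"})
    return sorted(set(cfg_b["headers"]) - baseline - {"X-Request-Id"})

if __name__ == "__main__":
    for fn in (prepare_config_mutating, prepare_config_shallow, prepare_config_copy):
        print(fn.__name__, leaked_headers(fn))
```

A regression test for this class of bug can assert that the shared config compares equal to a snapshot taken before any request was prepared.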


@codspeed-hq
Contributor

codspeed-hq Bot commented Apr 17, 2026

Merging this PR will not alter performance

✅ 12 untouched benchmarks


Comparing fix/security-and-concurrency-bugs (24b8fac) with master (631c8fa)


@NEFORCEO NEFORCEO merged commit aba3f03 into master Apr 17, 2026
16 checks passed
@NEFORCEO NEFORCEO deleted the fix/security-and-concurrency-bugs branch April 17, 2026 07:13