Skip context creation for bypassed IPs #623

Open
bitterpanda63 wants to merge 1 commit into main from add-bypassed-context-store
bitterpanda63 (Member) commented Apr 16, 2026

Summary

Mirrors the firewall-java approach in AikidoSec/firewall-java#284. For requests from a bypassed IP, the framework entry point now produces no request context and a thread-local BypassedContextStore flag instead. Every per-request blocking site already short-circuits on `if not context: return`, so:

  • Geo blocking, IP blocklists, and bot blocking
  • Route-level `allowedIPAddresses`
  • Blocked user IDs
  • Rate limiting
  • Attack detection (SQLi / NoSQLi / shell injection / path traversal / SSRF / wave attack)
  • Heartbeat stats (request hits, route info, API spec)

…all skip naturally — no need to scatter `is_bypassed_ip` checks across each call site.

Context-less checks consult the `BypassedContextStore` flag directly:

  • `should_block_outbound_domain` (no hostname pollution + no DNS block for bypassed traffic).
  • `run_vulnerability_scan` (covers stored-SSRF which runs without a context).
  • `inspect_getaddrinfo_result` (defensive; the bypass check inside this file moves up to short-circuit stored-SSRF too).

Implementation

  • New `aikido_zen/storage/bypassed_context_store.py` — `contextvars`-backed flag with `set_bypassed`, `is_bypassed`, `clear`.
  • New `aikido_zen/context/apply_or_bypass.py` — replaces `context.set_as_current_context()` at the top of each framework entry point.
  • Wiring in flask, quart, starlette, django (sync + async).
  • Outbound DNS sink and vulnerability dispatcher consult the flag.

Tests fixed in QA suite

  • `test_bypassed_ip`
  • `test_bypassed_ip_for_geo_blocking`
  • `test_block_traffic_by_countries`
  • `test_outbound_domain_blocking`

Test plan

  • New unit tests for `BypassedContextStore` (incl. thread isolation).
  • New unit tests for `apply_context_or_bypass` (bypass / non-bypass / no remote address / bypass-then-non-bypass reset).
  • New unit tests for `should_block_outbound_domain` (blocked / unknown / bypassed-no-record).
  • Existing `test_lifecycle_cache_bypassed_ip` and `test_ssrf_vulnerability_scan_bypassed_ip` updated to use the new flag.
  • Full unit suite passes locally.
  • QA suite: verify the four tests above pass once merged.

Merge notes

Conflicts with the `skip_tests:` line in `.github/workflows/qa-tests.yml` are expected — also touched by #622 (URL query string) and the wave-attack PR. Resolve by keeping the union of removals.

🤖 Generated with Claude Code

Summary by Aikido

Security Issues: 0 Quality Issues: 0 Resolved Issues: 0

🚀 New Features

  • Added contextvars-backed BypassedContextStore to record bypassed request flag
  • Added apply_context_or_bypass helper to set or bypass request context

⚡ Enhancements

  • Prevented vulnerability scans and outbound DNS reporting for bypassed IPs

🔧 Refactors

  • Replaced direct context setting with apply_or_bypass in framework entrypoints
  • Modified QA workflow to stop skipping several bypass-related tests

Bypassed IPs now produce no request context and a thread-local
BypassedContextStore flag instead. This mirrors the firewall-java approach
(PR #284): every per-request blocking site already short-circuits on
"if not context: return", so geo blocking, IP blocklists, bot blocking,
route allowlists, blocked user IDs, rate limiting, attack detection, and
heartbeat stats all skip naturally — without scattering bypass checks
across each call site.

Context-less checks (outbound DNS reporting, stored SSRF) consult the
BypassedContextStore flag directly so they too become no-ops for traffic
from a bypassed IP.

Re-enables in the QA suite:
- test_bypassed_ip
- test_bypassed_ip_for_geo_blocking
- test_block_traffic_by_countries
- test_outbound_domain_blocking
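
A minimal sketch of the pattern this PR describes, added here as an illustration and not taken from aikido_zen: a `contextvars` flag set at the entry point in place of a request context, and reset on every request so a reused worker never carries a stale bypass into the next request. The function names echo the PR description, but the bodies, `BYPASS_NETS`, `BLOCKED_DOMAINS`, `inspect_request` and `handle_in_thread` are assumptions.

```python
import contextvars
import ipaddress
import threading

# Constructed sample data; every name here is illustrative, not aikido_zen's code.
BYPASS_NETS = [ipaddress.ip_network("10.0.0.0/8")]
BLOCKED_DOMAINS = {"blocked.example"}

_bypassed = contextvars.ContextVar("bypassed", default=False)
_current_context = contextvars.ContextVar("request_context", default=None)


def is_bypassed_ip(remote_address):
    """True only for a parseable address inside a bypass network."""
    try:
        ip = ipaddress.ip_address(remote_address)
    except (ValueError, TypeError):
        return False  # missing or malformed address never earns a bypass
    return any(ip in net for net in BYPASS_NETS)


def apply_context_or_bypass(context):
    """Entry point: reset both slots first, then set exactly one of them."""
    _bypassed.set(False)
    _current_context.set(None)
    if is_bypassed_ip(context.get("remote_address")):
        _bypassed.set(True)
    else:
        _current_context.set(context)


def inspect_request():
    """Per-request site: the usual 'no context, nothing to do' guard."""
    if not _current_context.get():
        return False
    return True  # stand-in for blocklists, rate limiting, attack detection


def should_block_outbound_domain(hostname):
    """Context-less site: there is no context to test, so read the flag."""
    return not _bypassed.get() and hostname in BLOCKED_DOMAINS


def handle_in_thread(context):
    """Handle one request on its own thread, as a threaded server would."""
    worker = threading.Thread(target=apply_context_or_bypass, args=(context,))
    worker.start()
    worker.join()
```

The reset at the top of `apply_context_or_bypass` is the part worth testing hardest: without it, a bypassed request followed by a normal one on the same worker would leave outbound checks disabled.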