feat(wfe-yaml): add HTTP ops, module loader, and npm support via esm.sh

Phase 4 — Permission-gated HTTP fetch op:
- op_fetch with net permission check on every request
- globalThis.fetch() wrapper with .json()/.text() methods
- Supports GET/POST/PUT/DELETE with headers and body

Phase 5 — Module loader:
- WfeModuleLoader resolving npm: → esm.sh, https://, file://, relative paths
- All resolution paths permission-checked
- Bare path resolution (/) for esm.sh sub-module redirects
- Dynamic import rejection unless permissions.dynamic_import: true
- esm.sh auto-added to net allowlist when modules declared

Mandatory npm integration test (is-number via esm.sh).
25 new tests. 133 total deno tests, 326 total workspace tests.

wfe-yaml/Cargo.toml

@@ -6,7 +6,7 @@ description = "YAML workflow definitions for WFE"
 
 [features]
 default = []
-deno = ["deno_core", "url"]
+deno = ["deno_core", "deno_error", "url", "reqwest"]
 
 [dependencies]
 wfe-core = { workspace = true }
@@ -19,7 +19,9 @@ thiserror = { workspace = true }
 tracing = { workspace = true }
 regex = { workspace = true }
 deno_core = { workspace = true, optional = true }
+deno_error = { workspace = true, optional = true }
 url = { workspace = true, optional = true }
+reqwest = { workspace = true, optional = true }
 
 [dev-dependencies]
 pretty_assertions = { workspace = true }
@@ -27,3 +29,5 @@ tokio = { workspace = true, features = ["test-util", "process"] }
 tokio-util = "0.7"
 wfe-core = { workspace = true, features = ["test-support"] }
 wfe = { path = "../wfe" }
+wiremock = { workspace = true }
+tempfile = { workspace = true }