refactor(deps): replace url-parse with native URL API

[Kyzgor]

• What kind of change does this PR introduce?

  Refactor (removes a runtime dependency) + test coverage.

• What is the current behavior? (link: url-parser is an unnecessary dependency #106)

  The SDK depends on url-parse (^1.5.10) and @types/url-parse (^1.4.11) solely to build the
  OPA client base URL in src/enforcement/enforcer.ts. Node's built-in WHATWG URL has been
  available since Node 10, and package.json already declares engines.node: ">=10", so the
  dependency is redundant. There is also no test guarding the OPA URL construction, so a regression
  in that logic would go undetected.

• What is the new behavior (if this is a feature change)?

  • The OPA base URL is built with the native URL API; url-parse and @types/url-parse are removed.
  • The construction logic is extracted into a small pure helper buildOpaBaseUrl(pdp: string): string
    so it is unit-testable without instantiating axios or a live PDP.
  • A hermetic ava unit test (yarn test:unit → src/tests/enforcer.spec.ts) asserts the produced
    URL for the default PDP and edge cases (trailing slash, https-without-port, explicit-port
    override, path-prefixed PDP). The test would FAIL if the construction logic regressed (verified by
    mutation: changing the appended path makes all 5 assertions fail).

  Behaviour is proven equivalent to the old url-parse path:

  PDP	old url-parse →	new native URL →
  http://localhost:7766	http://localhost:8181/v1/data/permit/	(identical)
  http://localhost:7766/	http://localhost:8181/v1/data/permit/	(identical)
  https://pdp.example.com	https://pdp.example.com:8181/v1/data/permit/	(identical)
  https://pdp.example.com:1234	https://pdp.example.com:8181/v1/data/permit/	(identical)
  http://localhost:7766/prefix	http://localhost:8181/prefixv1/data/permit/	(identical)

• Other information:

  Validated with yarn lint, yarn build, yarn test:unit (5 tests) and yarn test:module-imports
  (9 tests) on Node 18 and 20.

  What's NOT in this PR: the main REST client baseURL (a plain string concat, never used
  url-parse) is untouched; no engines.node bump; no src/openapi/ changes. The large yarn.lock
  diff is expected lockfile regeneration for the dependency removal. A pre-existing quirk is
  intentionally preserved (and now documented in the test): a path-prefixed PDP without a trailing
  slash yields .../prefixv1/data/permit/ — identical under both implementations; worth a separate
  follow-up if it's a real concern.

  Equivalence holds for every PDP value with a scheme (the default http://localhost:7766 and all
  realistic configs). A scheme-less PDP (e.g. localhost:7766) is not a supported input and produces
  an invalid OPA URL under both the old url-parse and the new URL implementations — neither
  regresses the other.

  The security/snyk (permit) check is in an ERROR state due to an org quota condition on fork
  PRs ("You have used your limit of private tests"), not a vulnerability — this PR removes a
  dependency and adds none. A maintainer re-run/waiver would clear it.

  Fixes url-parser is an unnecessary dependency #106

[Kyzgor]

Heads-up on CI: the security/snyk (permit) check is in an ERROR state with the message "You have used your limit of private tests" — i.e. an org Snyk quota/billing condition on fork PRs, not a vulnerability finding. This PR actually removes a runtime dependency (url-parse) and its types, adding none. Could a maintainer re-run Snyk from a trusted context (or reset the quota)? Happy to help if anything is needed.