fix: correct README inconsistencies and add TORRENTCLAW_ALLOW_PRIVATE

- Rename get_torrent_download_url → get_torrent_url in README tools table
- Add TORRENTCLAW_ALLOW_PRIVATE env var to bypass SSRF checks for
  self-hosted setups (localhost, private IPs)
- Update self-hosted config example with TORRENTCLAW_ALLOW_PRIVATE=true
- Add Prompts section to README
- Add 3 tests for ALLOW_PRIVATE behavior (88 tests total)

tests/config.test.ts

@@ -1,7 +1,20 @@
-import { describe, it, expect } from "vitest";
+import { describe, it, expect, beforeEach, afterEach } from "vitest";
 import { validateApiUrl } from "../src/config.js";
 
 describe("validateApiUrl", () => {
+  const originalEnv = process.env.TORRENTCLAW_ALLOW_PRIVATE;
+
+  beforeEach(() => {
+    delete process.env.TORRENTCLAW_ALLOW_PRIVATE;
+  });
+
+  afterEach(() => {
+    if (originalEnv !== undefined) {
+      process.env.TORRENTCLAW_ALLOW_PRIVATE = originalEnv;
+    } else {
+      delete process.env.TORRENTCLAW_ALLOW_PRIVATE;
+    }
+  });
   it("accepts valid https URL", () => {
     expect(validateApiUrl("https://torrentclaw.com")).toBe(
       "https://torrentclaw.com",
@@ -82,4 +95,21 @@ describe("validateApiUrl", () => {
   it("rejects IPv6 loopback ::1", () => {
     expect(() => validateApiUrl("http://[::1]")).toThrow("private/reserved");
   });
+
+  it("allows localhost when TORRENTCLAW_ALLOW_PRIVATE=true", () => {
+    process.env.TORRENTCLAW_ALLOW_PRIVATE = "true";
+    expect(validateApiUrl("http://localhost:3030")).toBe(
+      "http://localhost:3030",
+    );
+  });
+
+  it("allows 192.168.x.x when TORRENTCLAW_ALLOW_PRIVATE=true", () => {
+    process.env.TORRENTCLAW_ALLOW_PRIVATE = "true";
+    expect(validateApiUrl("http://192.168.1.1")).toBe("http://192.168.1.1");
+  });
+
+  it("still rejects ftp even when TORRENTCLAW_ALLOW_PRIVATE=true", () => {
+    process.env.TORRENTCLAW_ALLOW_PRIVATE = "true";
+    expect(() => validateApiUrl("ftp://localhost")).toThrow("only http/https");
+  });
 });