Implement `fetch` subcommand and `internal/fetch` package

[mikkeldamsgaard]

Summary

Implement the fetch subcommand and internal/fetch package for fetching secrets/config from HTTP(S) endpoints and writing them to files.

Requirements

• internal/fetch package:
  • HTTP GET with configurable timeout
  • Optional Authorization header sourced from an environment variable (not a flag, to avoid leaking in process lists)
  • Response body written to file within workdir
  • Integration with internal/retry for retries
  • Integration with internal/safety for path validation
• fetch subcommand:
  • --url flag: target URL (required)
  • --output flag: relative output path within workdir (required)
  • --workdir flag: output directory (default /work)
  • --auth-env flag: name of env var containing the Authorization header value (e.g., VAULT_TOKEN)
  • --insecure-tls flag: skip TLS verification
  • --follow-redirects flag: follow redirects, but dont allow cross site redirect
  • --allow-cross-site-redirects flag: allow cross site redirect, only usable with --follow-redirects
  • Retry support with same flags as wait-for

Acceptance Criteria

• internal/fetch/fetch.go with HTTP client, auth header, file writing
• internal/fetch/fetch_test.go with tests for: success, auth header, missing URL, path traversal, TLS
• internal/cmd/fetch.go with full subcommand implementation
• internal/cmd/fetch_test.go with command-level tests
• Registered in cmd/initium/main.go
• docs/usage.md updated
• CHANGELOG.md updated
• All tests pass

[mikkeldamsgaard]

Implemented in commit d858aeb. All acceptance criteria met:

• ✅ internal/fetch/fetch.go with HTTP client, auth header via env var, path traversal prevention, redirect control (same-site by default), insecure TLS opt-in
• ✅ internal/fetch/fetch_test.go with 12 tests (success, auth header, empty auth env, missing URL, missing output, path traversal, HTTP error, insecure TLS, no-follow redirects, same-site redirects, nested output dir, context cancellation)
• ✅ internal/cmd/fetch.go with full subcommand implementation including retry integration
• ✅ internal/cmd/fetch_test.go with 9 command-level tests (no URL, no output, success, auth, path traversal, HTTP error, JSON output, invalid retry config, cross-site without follow-redirects)
• ✅ Registered in cmd/initium/main.go
• ✅ docs/usage.md updated with full fetch section
• ✅ CHANGELOG.md updated
• ✅ All tests pass (go test ./... -> all ok)