fix(test): validate artifact run id default path

[Lexiie]

Summary

Fixes #45.

test artifact get <run-id> used the raw positional runId as the final segment of the default output directory:

./.testsprite/runs/<run-id>/

That made the implicit destination path interpret path-like run IDs as filesystem structure. For example, a value like ../../outside would normalize outside the documented .testsprite/runs/ artifact root when --out was omitted.

This PR treats runId as an opaque identifier for the implicit default path. If callers want a custom filesystem location, the existing explicit --out <dir> path remains the supported mechanism.

Changes

• Add resolveDefaultArtifactDir(runId, cwd) for the implicit artifact output directory.
• Reject path-like run IDs for the default path:
  • . / ..
  • /
  • \
  • NUL bytes
• Keep normal run IDs on the documented path: ./.testsprite/runs/<run-id>/.
• Move HTTP client construction until after local path validation and dry-run handling, so invalid local input fails before credentials, network, or disk work.
• Add regression coverage for unsafe path-like run IDs and the normal default path.

Why

test artifact get writes a multi-file failure bundle. The documented default path implies containment under .testsprite/runs/, while --out is already available for intentional custom paths. Failing closed on path-like positional IDs keeps the default artifact tree predictable and avoids surprising local writes.

Verification

• npx vitest run src/commands/test.artifact.spec.ts
• npm run typecheck