fix(python): preserve hardened redirect policy #102

Merged: chaliy merged 1 commit into main from fix/issue-96-python-hardened-redirects on Apr 15, 2026
@chaliy chaliy commented Apr 15, 2026

What

Preserve the hardened same-host redirect policy in the Python binding unless the caller explicitly overrides it.

Closes #96.

Why

FetchKitTool(hardened=True) in Python immediately overwrote the hardened redirect setting with the constructor's default same_host_redirects_only=False, which made the Python hardened profile weaker than the Rust and CLI profiles.

How

  • make the Python constructor treat same_host_redirects_only as optional instead of defaulting it to False
  • add a shared ToolBuilder::same_host_redirects_only_if_set helper so omission preserves hardened defaults while explicit False still overrides them
  • cover the preserve-vs-override semantics with Rust ToolBuilder tests and validate the binding compiles with cargo check -p fetchkit-python

Risk

  • Low
  • Python callers who relied on the old implicit weakening now get the documented hardened behavior unless they pass same_host_redirects_only=False explicitly

Checklist

  • Unit tests are passed
  • Smoke tests are passed
  • Documentation is updated
  • Specs are up to date and not in conflict
  • Python binding compiles locally (cargo check -p fetchkit-python)
  • Python binding runtime test executed locally (blocked by local Python test binary link environment)

@chaliy chaliy merged commit 987504d into main Apr 15, 2026
11 checks passed
@chaliy chaliy deleted the fix/issue-96-python-hardened-redirects branch April 15, 2026 13:44
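
A minimal Rust model of the preserve-vs-override semantics described in the PR above, added here as an illustration and not taken from the fetchkit code base. The `Policy` and `Builder` types, both `construct_*` functions and all signatures are assumptions; only the names `same_host_redirects_only` and `same_host_redirects_only_if_set` come from the PR text.

```rust
// Hypothetical model of the bug and the fix; not fetchkit's real API.
#[derive(Debug, Clone, Copy, PartialEq)]
pub struct Policy {
    pub same_host_redirects_only: bool,
}

pub struct Builder {
    policy: Policy,
}

impl Builder {
    pub fn new(hardened: bool) -> Self {
        // Assumption: the hardened profile enables same-host enforcement.
        Builder { policy: Policy { same_host_redirects_only: hardened } }
    }
    /// Unconditional setter: always overwrites the profile's value.
    pub fn same_host_redirects_only(mut self, v: bool) -> Self {
        self.policy.same_host_redirects_only = v;
        self
    }
    /// Tri-state setter: None keeps the profile's value, Some(v) overrides it.
    pub fn same_host_redirects_only_if_set(self, v: Option<bool>) -> Self {
        match v {
            Some(v) => self.same_host_redirects_only(v),
            None => self,
        }
    }
    pub fn build(self) -> Policy {
        self.policy
    }
}

/// "Before": the binding argument is a bool defaulting to false, so an
/// omitted argument cannot be told apart from an explicit false.
pub fn construct_before(hardened: bool, same_host: bool) -> Policy {
    Builder::new(hardened).same_host_redirects_only(same_host).build()
}

/// "After": the binding argument is optional; omission arrives as None.
pub fn construct_after(hardened: bool, same_host: Option<bool>) -> Policy {
    Builder::new(hardened).same_host_redirects_only_if_set(same_host).build()
}

fn main() {
    // The caller asked for the hardened profile and passed nothing else.
    println!("before: {:?}", construct_before(true, false));
    println!("after:  {:?}", construct_after(true, None));
}
```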
Development

Successfully merging this pull request may close these issues.

Python hardened profile clears same-host redirect enforcement
