
fix(fetchers): enforce SSRF safeguards in StackOverflow API fetcher#120

Merged: chaliy merged 2 commits into main from 2026-05-17-fix-stackoverflowfetcher-ssrf-policy-bypass on May 17, 2026
Conversation

@chaliy (Contributor) commented May 17, 2026

Motivation

  • A specialized StackOverflowFetcher created its own reqwest client and followed redirects without using the repository's DNS/redirect validation, weakening the default SSRF/egress protections for matching Stack Exchange URLs.
  • Restore the same resolve-then-validate and redirect constraints used by the DefaultFetcher while preserving the specialized fetcher's behavior.

Description

  • Disable automatic redirect following for Stack Exchange API requests by using redirect(reqwest::redirect::Policy::none()) for the API client.
  • Add constants for the API host/port (api.stackexchange.com:443) and use options.dns_policy.resolve_and_validate when dns_policy.block_private is enabled.
  • Pin the validated DNS result with ClientBuilder::resolve so the client connects only to the checked IP address.
  • Keep existing behaviors such as no_proxy() when respect_proxy_env is false and maintain API request/response handling and formatting logic.

Testing

  • Ran formatting with cargo fmt --all, which completed successfully.
  • Ran targeted tests with cargo test -p fetchkit stackoverflow, and the fetcher tests passed (9 passed; 0 failed).
  • Built and ran the test profile used by CI during the change, and the test run finished with no failing tests in the modified area.

Codex Task
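The resolve-then-validate and redirect-refusal logic the description above outlines, as an added example that is not part of this PR or of the fetchkit code base. It uses only the Rust standard library: the resolver is passed in as a closure backed by a constructed lookup table (TEST-NET addresses and example.com-style names) so it runs offline, and the API host/port constants, the SsrfError type and the helper names are assumptions. The reqwest wiring the PR refers to (ClientBuilder::resolve and redirect(Policy::none())) is noted in comments rather than compiled.

```rust
use std::collections::HashMap;
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr, SocketAddr};

// Assumed constants, mirroring the host/port pair the PR description mentions.
pub const API_HOST: &str = "api.stackexchange.com";
pub const API_PORT: u16 = 443;

#[derive(Debug, PartialEq)]
pub enum SsrfError {
    ResolveFailed(String),
    BlockedAddress(IpAddr),
    RedirectRefused(u16),
}

fn is_blocked_v4(v4: Ipv4Addr) -> bool {
    let o = v4.octets();
    v4.is_private()                              // 10/8, 172.16/12, 192.168/16
        || v4.is_loopback()                      // 127/8
        || v4.is_link_local()                    // 169.254/16 (cloud metadata lives here)
        || v4.is_unspecified()
        || v4.is_broadcast()
        || v4.is_multicast()
        || o[0] == 0                             // 0.0.0.0/8 ("this" network)
        || (o[0] == 100 && (o[1] & 0xc0) == 64)  // 100.64/10 carrier-grade NAT
}

/// True when an address must never be an egress target for an API client.
pub fn is_blocked(ip: IpAddr) -> bool {
    match ip {
        IpAddr::V4(v4) => is_blocked_v4(v4),
        IpAddr::V6(v6) => {
            // ::ffff:a.b.c.d must be judged as its IPv4 form, or 127.0.0.1 slips through.
            if let Some(v4) = v6.to_ipv4_mapped() {
                return is_blocked_v4(v4);
            }
            let seg = v6.segments();
            v6.is_loopback()
                || v6.is_unspecified()
                || v6.is_multicast()
                || (seg[0] & 0xfe00) == 0xfc00   // fc00::/7 unique local
                || (seg[0] & 0xffc0) == 0xfe80   // fe80::/10 link local
        }
    }
}

/// Resolve `host`, refuse the request if ANY returned address is blocked, and
/// hand back the single address the client is allowed to connect to. The caller
/// pins it (with reqwest: ClientBuilder::resolve(host, addr)) so the TLS handshake
/// still sees the hostname while the socket can only reach the checked IP; a
/// second, unchecked lookup at connect time is what a rebinding attack relies on.
pub fn resolve_and_validate<F>(host: &str, port: u16, resolve: F) -> Result<SocketAddr, SsrfError>
where
    F: Fn(&str) -> Option<Vec<IpAddr>>,
{
    let addrs = resolve(host)
        .filter(|v| !v.is_empty())
        .ok_or_else(|| SsrfError::ResolveFailed(host.to_string()))?;
    if let Some(bad) = addrs.iter().copied().find(|&ip| is_blocked(ip)) {
        return Err(SsrfError::BlockedAddress(bad));
    }
    Ok(SocketAddr::new(addrs[0], port))
}

/// With automatic redirects disabled (reqwest: redirect(Policy::none())), a 3xx is
/// returned to the caller instead of being followed; treat it as an error rather
/// than re-issuing the request to an unvalidated Location.
pub fn reject_redirect(status: u16) -> Result<(), SsrfError> {
    if (300..400).contains(&status) {
        Err(SsrfError::RedirectRefused(status))
    } else {
        Ok(())
    }
}

/// Constructed stand-in for DNS so the example runs offline (TEST-NET-3 addresses).
pub fn sample_resolver() -> HashMap<&'static str, Vec<IpAddr>> {
    HashMap::from([
        (API_HOST, vec![IpAddr::V4(Ipv4Addr::new(203, 0, 113, 10))]),
        // A name whose answer set mixes a public and an internal address.
        ("rebind.example", vec![
            IpAddr::V4(Ipv4Addr::new(203, 0, 113, 11)),
            IpAddr::V4(Ipv4Addr::new(10, 0, 0, 5)),
        ]),
        // ::ffff:127.0.0.1, loopback hidden behind an IPv6 answer.
        ("mapped.example", vec![IpAddr::V6(Ipv6Addr::new(0, 0, 0, 0, 0, 0xffff, 0x7f00, 1))]),
    ])
}

fn main() {
    let table = sample_resolver();
    let lookup = |h: &str| table.get(h).cloned();
    for host in [API_HOST, "rebind.example", "mapped.example", "nxdomain.example"] {
        println!("{host}: {:?}", resolve_and_validate(host, API_PORT, &lookup));
    }
    println!("302 after a pinned request: {:?}", reject_redirect(302));
}
```

The rule applied is "any blocked address in the answer set fails the whole request", not "pick the first public address"; a resolver that returns a mixed set is exactly the shape a rebinding or split-horizon trick produces, and pinning only a cherry-picked public IP would still leave the policy depending on which answer the resolver happened to list first.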

@chaliy chaliy merged commit 601e506 into main May 17, 2026
11 checks passed
@chaliy chaliy deleted the 2026-05-17-fix-stackoverflowfetcher-ssrf-policy-bypass branch May 17, 2026 18:30