fix(security): isolate proxy env in shared runtimes

[chaliy]

What

Harden FetchKit for multi-tenant and clustered deployments by isolating proxy environment inheritance by default and documenting the security posture.

Why

Shared runtimes can carry ambient HTTP_PROXY / HTTPS_PROXY configuration that silently reroutes fetch traffic through operator-provided or compromised proxies. That weakens deployment isolation and makes threat-model assumptions less reliable.

How

• add respect_proxy_env(false) as the default tool/fetch option
• call reqwest::ClientBuilder::no_proxy() in built-in fetchers unless the caller opts in
• extend Python bindings to expose the proxy-env control
• add regression coverage for proxy-env behavior and response truncation
• update the threat model, specs, README, and add public security notes

Risk

• Low
• Requests that previously relied on implicit proxy environment variables will now need explicit opt-in via respect_proxy_env(true).

Checklist

• Unit tests are passed
• Smoke tests are passed
• Documentation is updated
• Specs are up to date and not in conflict
• cargo fmt --all -- --check passed
• cargo clippy --workspace --all-targets -- -D warnings passed
• cargo test --workspace passed
• RUSTDOCFLAGS="-D warnings" cargo doc --workspace --no-deps passed