refactor(mesi): split fetchUrl.go into fetch.go + ssrf.go

[s2x]

Summary

• Split mesi/fetchUrl.go into mesi/ssrf.go (SSRF validation) and mesi/fetch.go (HTTP fetching)
• Split mesi/fetchUrl_test.go into mesi/ssrf_test.go and mesi/fetch_test.go
• No public API changes
• All 285 tests pass, go vet clean

Closes #120

[s2x]

Two minor findings:

1. Removed inline comments in singleFetchUrlWithContext

A few explanatory comments were stripped from the function body that documented non-obvious decisions:

• Line ~74: // Allowed host with private-IP bypass opt-in - use standard client without SSRF protection. — explains why AllowPrivateIPsForAllowedHosts skips dial-time IP blocking
• Line ~82: // Note: When HTTPClient is provided, callers are responsible for setting appropriate timeouts and SSRF protection on the client. Use NewSSRFSafeTransport(config) to create a transport with dial-time private IP blocking. — important gotcha for external users
• Line ~126: // Use LimitReader to cap response size — explains the +1 buffer on MaxResponseSize
• Line ~134: // No limit - backward compatibility — explains the zero-limit default behavior

Consider restoring these — they help future contributors understand the branching logic at a glance.

2. Redundant error wrapping at fetch.go:68

if err := isURLSafe(requestedURL, config); err != nil {
    return "", false, fmt.Errorf("%w: %s", ErrSSRFBlocked, err.Error())
}

isURLSafe already wraps its errors with ErrSSRFBlocked (see ssrf.go:49), so this creates ErrSSRFBlocked: ErrSSRFBlocked: ... chains. Harmless for errors.Is, but makes error messages unnecessarily verbose. Worth a follow-up cleanup — not blocking.

---

Otherwise the split looks clean, all tests pass, no API changes. LGTM.