Implement fetch subcommand and internal/fetch package (closes #4)

- Add internal/fetch/fetch.go:
  - HTTP GET with configurable timeout
  - Auth header via env var (--auth-env, never on CLI)
  - Path traversal prevention via internal/safety
  - Redirect control: disabled by default, same-site only when enabled,
    cross-site opt-in via --allow-cross-site-redirects
  - Insecure TLS opt-in via --insecure-tls
- Add internal/fetch/fetch_test.go with 12 tests:
  - success, auth header, empty auth env, missing URL, missing output,
    path traversal, HTTP error, insecure TLS, no-follow redirects,
    same-site redirects, nested output dir, context cancellation
- Add internal/cmd/fetch.go: fetch subcommand with retry integration,
  --url, --output, --workdir, --auth-env, --insecure-tls,
  --follow-redirects, --allow-cross-site-redirects, retry flags
- Add internal/cmd/fetch_test.go with 9 command-level tests
- Register fetch command in cmd/initium/main.go
- Update docs/usage.md with full fetch section
- Update CHANGELOG.md

Author: mikkeldamsgaard

CHANGELOG.md

@@ -8,6 +8,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
 
 ### Added
+- `fetch` subcommand and `internal/fetch` package: fetch secrets/config from HTTP(S) endpoints with auth header via env var, retry with backoff, TLS options, redirect control (same-site by default), and path traversal prevention
 - `render` subcommand and `internal/render` package: render templates into config files with `envsubst` (default) and Go `text/template` modes, path traversal prevention, and automatic intermediate directory creation
 - `seed` subcommand: run database seed commands with structured logging and exit code forwarding (no idempotency — distinct from `migrate`)
 - `migrate` subcommand: run database migration commands with structured logging, exit code forwarding, and optional idempotency via `--lock-file`

cmd/initium/main.go

@@ -36,6 +36,7 @@ and security guardrails.`,
 	root.AddCommand(cmd.NewMigrateCmd(log))
 	root.AddCommand(cmd.NewSeedCmd(log))
 	root.AddCommand(cmd.NewRenderCmd(log))
+	root.AddCommand(cmd.NewFetchCmd(log))
 	if err := root.Execute(); err != nil {
 		log.Error(err.Error())
 		os.Exit(1)

docs/usage.md

@@ -196,14 +196,66 @@ initium render --template /tpl/db.conf.tmpl --output config/db.conf --workdir /w
 | `0` | Render succeeded |
 | `1` | Invalid arguments, missing template, template syntax error, or path traversal |
 
-### fetch _(coming soon)_
+### fetch
 
-Fetch secrets or config from HTTP endpoints.
+Fetch a resource from an HTTP(S) endpoint and write the response body to a file.
+
+Supports optional authentication via an environment variable (to avoid leaking
+credentials in process argument lists), TLS verification skipping, redirect
+control, and retries with exponential backoff.
 
 ```bash
-initium fetch --url https://vault:8200/v1/secret/data/app --output secrets.json --workdir /work
+# Fetch a config file
+initium fetch --url http://config-service:8080/app.json --output app.json
+
+# Fetch from Vault with auth token
+initium fetch --url https://vault:8200/v1/secret/data/app --output secrets.json \
+  --auth-env VAULT_TOKEN --insecure-tls
+
+# Fetch with retries
+initium fetch --url http://api:8080/config --output config.json \
+  --max-attempts 10 --initial-delay 2s
+
+# Follow redirects (same-site only by default)
+initium fetch --url http://cdn/config --output config.json --follow-redirects
+
+# Allow cross-site redirects
+initium fetch --url http://cdn/config --output config.json \
+  --follow-redirects --allow-cross-site-redirects
 ```
 
+**Flags:**
+
+| Flag | Default | Description |
+|------|---------|-------------|
+| `--url` | _(required)_ | Target URL to fetch |
+| `--output` | _(required)_ | Output file path relative to workdir |
+| `--workdir` | `/work` | Working directory for output files |
+| `--auth-env` | _(none)_ | Name of env var containing the Authorization header value |
+| `--insecure-tls` | `false` | Skip TLS certificate verification |
+| `--follow-redirects` | `false` | Follow HTTP redirects |
+| `--allow-cross-site-redirects` | `false` | Allow cross-site redirects (requires `--follow-redirects`) |
+| `--timeout` | `5m` | Overall timeout |
+| `--max-attempts` | `3` | Maximum retry attempts |
+| `--initial-delay` | `1s` | Initial delay between retries |
+| `--max-delay` | `30s` | Maximum delay between retries |
+| `--backoff-factor` | `2.0` | Backoff multiplier |
+| `--jitter` | `0.1` | Jitter fraction (0.0–1.0) |
+| `--json` | `false` | Enable JSON log output |
+
+**Security notes:**
+
+- The `--auth-env` flag takes the **name** of an environment variable, not the token itself, to avoid leaking credentials in process argument lists or shell history.
+- Redirects are disabled by default. When enabled with `--follow-redirects`, cross-site redirects are blocked unless `--allow-cross-site-redirects` is also set.
+- TLS verification is enabled by default; `--insecure-tls` must be explicitly set.
+
+**Exit codes:**
+
+| Code | Meaning |
+|------|---------|
+| `0` | Fetch succeeded |
+| `1` | Invalid arguments, HTTP error, timeout, or path traversal |
+
 ### exec _(coming soon)_
 
 Run arbitrary commands with structured logging.

internal/cmd/fetch.go

@@ -0,0 +1,130 @@
+package cmd
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	"github.com/kitstream/initium/internal/fetch"
+	"github.com/kitstream/initium/internal/logging"
+	"github.com/kitstream/initium/internal/retry"
+	"github.com/spf13/cobra"
+)
+
+func NewFetchCmd(log *logging.Logger) *cobra.Command {
+	var (
+		urlFlag                string
+		output                 string
+		workdir                string
+		authEnv                string
+		insecureTLS            bool
+		followRedirects        bool
+		allowCrossSiteRedirect bool
+		timeout                time.Duration
+		maxAttempts            int
+		initialDelay           time.Duration
+		maxDelay               time.Duration
+		backoffFactor          float64
+		jitterFraction         float64
+		jsonLogs               bool
+	)
+
+	cmd := &cobra.Command{
+		Use:   "fetch",
+		Short: "Fetch secrets or config from HTTP(S) endpoints",
+		Long: `Fetch a resource from an HTTP(S) endpoint and write the response body to a
+file within the working directory.
+
+Supports optional authentication via an environment variable (to avoid leaking
+credentials in process argument lists), TLS verification skipping, redirect
+control, and retries with exponential backoff.`,
+		Example: `  # Fetch a config file
+  initium fetch --url http://config-service:8080/app.json --output app.json
+
+  # Fetch from Vault with auth token
+  initium fetch --url https://vault:8200/v1/secret/data/app --output secrets.json \
+    --auth-env VAULT_TOKEN --insecure-tls
+
+  # Fetch with retries
+  initium fetch --url http://api:8080/config --output config.json \
+    --max-attempts 10 --initial-delay 2s
+
+  # Follow redirects (same-site only by default)
+  initium fetch --url http://cdn/config --output config.json --follow-redirects`,
+		SilenceUsage:  true,
+		SilenceErrors: true,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if jsonLogs {
+				log.SetJSON(true)
+			}
+
+			if urlFlag == "" {
+				return fmt.Errorf("--url is required")
+			}
+			if output == "" {
+				return fmt.Errorf("--output is required")
+			}
+
+			retryCfg := retry.Config{
+				MaxAttempts:    maxAttempts,
+				InitialDelay:   initialDelay,
+				MaxDelay:       maxDelay,
+				BackoffFactor:  backoffFactor,
+				JitterFraction: jitterFraction,
+			}
+			if err := retryCfg.Validate(); err != nil {
+				return fmt.Errorf("invalid retry config: %w", err)
+			}
+
+			fetchCfg := fetch.Config{
+				URL:                    urlFlag,
+				OutputPath:             output,
+				Workdir:                workdir,
+				AuthEnv:                authEnv,
+				InsecureTLS:            insecureTLS,
+				FollowRedirects:        followRedirects,
+				AllowCrossSiteRedirect: allowCrossSiteRedirect,
+				Timeout:                timeout,
+			}
+
+			if err := fetchCfg.Validate(); err != nil {
+				return err
+			}
+
+			ctx, cancel := context.WithTimeout(cmd.Context(), timeout)
+			defer cancel()
+
+			log.Info("fetching", "url", urlFlag, "output", output)
+
+			result := retry.Do(ctx, retryCfg, func(ctx context.Context, attempt int) error {
+				log.Debug("fetch attempt", "attempt", fmt.Sprintf("%d", attempt+1))
+				return fetch.Do(ctx, fetchCfg)
+			})
+
+			if result.Err != nil {
+				log.Error("fetch failed", "url", urlFlag, "error", result.Err.Error())
+				return fmt.Errorf("fetch %s failed: %w", urlFlag, result.Err)
+			}
+
+			log.Info("fetch completed", "url", urlFlag, "output", output, "attempts", fmt.Sprintf("%d", result.Attempt+1))
+			return nil
+		},
+	}
+
+	cmd.Flags().StringVar(&urlFlag, "url", "", "Target URL to fetch (required)")
+	cmd.Flags().StringVar(&output, "output", "", "Output file path relative to workdir (required)")
+	cmd.Flags().StringVar(&workdir, "workdir", "/work", "Working directory for output files")
+	cmd.Flags().StringVar(&authEnv, "auth-env", "", "Name of env var containing the Authorization header value")
+	cmd.Flags().BoolVar(&insecureTLS, "insecure-tls", false, "Skip TLS certificate verification")
+	cmd.Flags().BoolVar(&followRedirects, "follow-redirects", false, "Follow HTTP redirects")
+	cmd.Flags().BoolVar(&allowCrossSiteRedirect, "allow-cross-site-redirects", false, "Allow cross-site redirects (requires --follow-redirects)")
+	cmd.Flags().DurationVar(&timeout, "timeout", 5*time.Minute, "Overall timeout")
+	cmd.Flags().IntVar(&maxAttempts, "max-attempts", 3, "Maximum retry attempts")
+	cmd.Flags().DurationVar(&initialDelay, "initial-delay", time.Second, "Initial delay between retries")
+	cmd.Flags().DurationVar(&maxDelay, "max-delay", 30*time.Second, "Maximum delay between retries")
+	cmd.Flags().Float64Var(&backoffFactor, "backoff-factor", 2.0, "Backoff multiplier")
+	cmd.Flags().Float64Var(&jitterFraction, "jitter", 0.1, "Jitter fraction (0.0-1.0)")
+	cmd.Flags().BoolVar(&jsonLogs, "json", false, "Enable JSON log output")
+
+	return cmd
+}