docs: document all toolset config options for api, fetch, openapi

[dgageot]

These docs fill gaps in the coverage of fetch, api, and openapi toolset configuration. The updates close missing documentation for recently added config fields and correct a couple of outdated claims.

For fetch, we document the headers option, add a "Custom headers" section with an example, and correct an old callout claiming that fetch has no custom header support. The api toolset docs now clearly structure Properties into toolset-level fields (api_config, timeout, allow_private_ips) and the api_config block itself, document the ${env.VAR} and ${headers.NAME} placeholder support on headers, clarify that output_schema is consumed by MCP/Code Mode while runtime returns raw strings, and fix a claim that ${param} automatically URL-encodes values (it does not). We add an example for reaching internal services with an SSRF callout, and update the Limitations section. The openapi docs get timeout and allow_private_ips in the Properties table, clarified placeholder support with a note that headers are also sent on the spec fetch, and new "Custom timeout" and "Reaching internal services" sections.

These changes were verified against the source of truth in pkg/config/latest/types.go, the tool implementations, pkg/upstream/headers.go, and agent-schema.json.

[docker-agent]

Assessment: 🟢 APPROVE

Reviewed docs/tools/api/index.md, docs/tools/fetch/index.md, and docs/tools/openapi/index.md.

Verified against source of truth:

• pkg/tools/builtin/api/api.go — confirms timeout/allow_private_ips fields, JS expander for ${param} (Goja, full ECMAScript), and upstream.ResolveHeaders for ${headers.NAME} support
• pkg/tools/builtin/fetch/fetch.go — confirms custom headers applied last (override Accept/User-Agent), env-only expansion at startup, and per-redirect header stripping
• pkg/tools/builtin/openapi/openapi.go — confirms timeout applies to both spec fetch and generated tool calls, and ${headers.NAME} is resolved at request time
• pkg/upstream/headers.go — confirms ${headers.NAME} placeholder semantics
• agent-schema.json — confirms api_config required for type: api, timeout/allow_private_ips as toolset-level fields
• Go 1.26.3 stdlib — confirms Www-Authenticate is treated as a sensitive header stripped on cross-domain redirects (consistent with the fetch callout's claim)
• Goja runtime — encodeURIComponent is a standard ECMAScript built-in and works correctly in Goja (confirmed by running the function)

All documented behavior matches the implementation. No issues found in the changed code.