fix(ssrf): allow IPv6 fake-ip SSRF opt-in

Allow trusted fake-IP proxy stacks to opt into IPv6 unique-local SSRF resolution without opening broader private-network access.

docs/.generated/config-baseline.sha256

@@ -1,4 +1,4 @@
-7436d39dbbe5fb2642f9036198572d021e5a56daaecb207e5a1a21838730bd02  config-baseline.json
-c481235c42b8845c36eb92923bbd4d00ce9e417955f0a4b40a02f5ba0842a432  config-baseline.core.json
+b6640810820e0f54631e8006fa35798f84139b162ee472d150994571b730226a  config-baseline.json
+d63d3aa51c0c38a315cadbff01715844b73ecc35909b6bbb6cd318af59f3d2cc  config-baseline.core.json
 9f5fad66a49fa618d64a963470aa69fed9fe4b4639cc4321f9ec04bfb2f8aa50  config-baseline.channel.json
-0dd6583fafae6c9134e46c4cf9bddee9822d6436436dcb1a6dcba6d012962e51  config-baseline.plugin.json
+c4231c2194206547af8ad94342dc00aadb734f43cb49cc79d4c46bdbb80c3f95  config-baseline.plugin.json

docs/tools/web-fetch.md

@@ -74,6 +74,10 @@ Truncate output to this many characters.
         maxRedirects: 3,
         readability: true, // use Readability extraction
         userAgent: "Mozilla/5.0 ...", // override User-Agent
+        ssrfPolicy: {
+          allowRfc2544BenchmarkRange: true, // opt-in for trusted fake-IP proxies using 198.18.0.0/15
+          allowIpv6UniqueLocalRange: true, // opt-in for trusted fake-IP proxies using fc00::/7
+        },
       },
     },
   },
@@ -140,6 +144,10 @@ Current runtime behavior:
 - Response body is capped at `maxResponseBytes` before parsing; oversized
   responses are truncated with a warning
 - Private/internal hostnames are blocked
+- `tools.web.fetch.ssrfPolicy.allowRfc2544BenchmarkRange` and
+  `tools.web.fetch.ssrfPolicy.allowIpv6UniqueLocalRange` are narrow opt-ins
+  for trusted fake-IP proxy stacks; leave them unset unless your proxy owns
+  those synthetic ranges and enforces its own destination policy
 - Redirects are checked and limited by `maxRedirects`
 - `web_fetch` is best-effort -- some sites need the [Web Browser](/tools/browser)