Route API discovery through tool ACL (prevent direct network probes in find_api) #500

Closed
cdayAI wants to merge 1 commit into main from codex/propose-fix-for-api-discovery-bypass

cdayAI (Owner) commented May 31, 2026

Motivation

  • Prevent the learn_capability op=find_api path from performing direct network fetches inside self-learning, which bypassed the tool ACL, rate limits, and hooks.
  • Preserve the documented security boundary that allow/deny/max-risk controls apply to registered network/API tools rather than internal helper fetches.

Description

  • Changed learn_capability (packages/maverick-core/maverick/tools/learn.py) to generate OpenAPI candidate URLs but validate them by calling the registered openapi_runner tool (via normal agent.tools.run) instead of direct fetches.
  • Added openapi_spec_candidates() to packages/maverick-core/maverick/self_learning.py to produce candidate spec URLs from a base_url or search text without performing network I/O.
  • Updated docs/self-learning.md to state that find_api generates candidates and uses the registered openapi_runner for validation so ACLs/hooks/rate limits remain in effect.
  • Updated tests in packages/maverick-core/tests/test_self_learning.py to assert candidate generation and that find_api does not probe when openapi_runner is unavailable.

Testing

  • Ran unit tests for self-learning with PYTHONPATH=packages/maverick-core pytest packages/maverick-core/tests/test_self_learning.py -q, which passed (41 passed).
  • Ran integration tests covering OpenAPI and related tools with PYTHONPATH=packages/maverick-core pytest packages/maverick-core/tests/test_q3_2026_batch9.py -q, which passed (31 passed).
  • Ran static checks with python -m ruff check packages/maverick-core/maverick/tools/learn.py packages/maverick-core/maverick/self_learning.py packages/maverick-core/tests/test_self_learning.py, which succeeded with no issues.
  • Note: initial test runs surfaced missing dev/runtime deps (pytest-asyncio, httpx) in the execution environment; those were installed and the full test suite was re-run successfully.

Codex Task
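
The pattern this description outlines (generate candidates without I/O, validate only through the registered tool), as an added sketch that is not code from this pull request or the project. `ToolRegistry`, `ToolDenied`, `spec_candidates`, `SPEC_PATHS` and the offline `fake_openapi_runner` are hypothetical names and constructed data; only the tool name `openapi_runner` comes from the description.

```python
from urllib.parse import urlsplit

SPEC_PATHS = ("/openapi.json", "/swagger.json", "/v3/api-docs")  # constructed list

def spec_candidates(base_url):
    """Build candidate spec URLs by string manipulation only: no network I/O."""
    parts = urlsplit(base_url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return []
    return [f"{parts.scheme}://{parts.netloc}{p}" for p in SPEC_PATHS]

class ToolDenied(Exception):
    """Raised when the registry refuses a call."""

class ToolRegistry:
    """Hypothetical registry: the single choke point for ACL, budget and audit hook."""
    def __init__(self, tools, allow, max_calls=10):
        self.tools, self.allow, self.max_calls = tools, set(allow), max_calls
        self.audit = []  # hook: every attempted call is recorded, allowed or not

    def run(self, name, **kwargs):
        self.audit.append((name, kwargs))
        if name not in self.tools or name not in self.allow:
            raise ToolDenied(f"{name}: not registered or not allowed")
        if len(self.audit) > self.max_calls:
            raise ToolDenied(f"{name}: call budget exhausted")
        return self.tools[name](**kwargs)

def find_api(registry, base_url):
    """Validate candidates only via registry.run; never fetch directly."""
    for url in spec_candidates(base_url):
        try:
            spec = registry.run("openapi_runner", spec_url=url)
        except ToolDenied:
            return None  # denied or unavailable: stop, do not fall back to a probe
        if spec is not None:
            return url
    return None

RUNNER_CALLS = []  # lets the caller see whether the network tool was ever reached

def fake_openapi_runner(spec_url):
    """Constructed offline stand-in for the network tool; 'serves' one spec."""
    RUNNER_CALLS.append(spec_url)
    return {"openapi": "3.0.0"} if spec_url.endswith("/swagger.json") else None
```

With the tool denied or unregistered, `find_api` returns `None` and `RUNNER_CALLS` stays empty, while the attempt still lands in `audit`.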
