docs: document redact_secrets agent flag #2581

Merged: dgageot merged 1 commit into docker:main from dgageot:board/document-docker-agent-pr-2577-changes-8b547e34 on Apr 28, 2026

@dgageot dgageot commented Apr 28, 2026

Documents the redact_secrets agent flag introduced in #2577.

That PR added a single agent-level switch that wires up two complementary defenses:

  1. A pre_tool_use builtin hook that scrubs detected secrets from every tool call's arguments before the tool runs.
  2. A before_llm_call message transform that scrubs the same patterns from outgoing chat messages (content, multi-part text, prior reasoning content, and JSON-encoded tool-call arguments) before they reach the model provider.

Detection uses the docker-agent secretsscan ruleset (GitHub PATs, AWS keys, Stripe / Slack / GitLab / Hugging Face tokens, JWTs, PEM private keys, Docker Hub PATs, …); each detected span is replaced with the literal [REDACTED].

Changes

  • docs/configuration/agents/index.md — added redact_secrets to the YAML schema example and the properties reference table, plus a new Redacting Secrets section with example YAML, ruleset coverage, and callouts about false negatives and the equivalent manual hook entry.
  • docs/configuration/hooks/index.md — added the redact_secrets (pre_tool_use) row to the Available built-ins table, and updated the Auto-injected built-ins callout to mention redact_secrets: true and that the agent flag also wires up the chat-side message transform.
  • docs/guides/secrets/index.md — added a Preventing Secret Leaks section pointing readers to redact_secrets for defense-in-depth against secrets leaking through the conversation itself, with a cross-link to the agent configuration page.

@dgageot dgageot requested a review from a team as a code owner April 28, 2026 16:23
@dgageot dgageot merged commit c3f7fd1 into docker:main Apr 28, 2026
9 checks passed
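
Added example (not code from docker-agent or from this PR): a Go sketch of the scrubbing step the description outlines, applied to plain text and to JSON-encoded tool-call arguments. The regexes, the function names and the decode-then-scrub approach are assumptions made for illustration; the project's detection is its secretsscan ruleset.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Simplified stand-in shapes (assumption), not the docker-agent secretsscan ruleset:
// GitHub classic PAT, AWS access key ID, PEM private key block.
var secretRE = regexp.MustCompile(`ghp_[A-Za-z0-9]{36}|AKIA[0-9A-Z]{16}|` +
	`(?s:-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----)`)

// redactText replaces every detected span with the literal placeholder.
func redactText(s string) string {
	return secretRE.ReplaceAllString(s, "[REDACTED]")
}

// redactValue walks decoded JSON and scrubs string leaves (object keys are left as-is).
func redactValue(v any) any {
	switch t := v.(type) {
	case string:
		return redactText(t)
	case []any:
		for i := range t {
			t[i] = redactValue(t[i])
		}
	case map[string]any:
		for k := range t {
			t[k] = redactValue(t[k])
		}
	}
	return v
}

// redactToolArgs scrubs decoded JSON tool-call arguments; non-JSON input is scrubbed as text.
func redactToolArgs(raw string) string {
	var v any
	if json.Unmarshal([]byte(raw), &v) != nil {
		return redactText(raw)
	}
	out, _ := json.Marshal(redactValue(v)) // values decoded from JSON always re-encode
	return string(out)
}

func main() {
	// Constructed sample using AWS's documentation example access key ID.
	fmt.Println(redactToolArgs(`{"cmd":"aws s3 ls","env":["AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE"]}`))
	fmt.Println(redactText("password=hunter2")) // false negative: no pattern matches
}
```

Scrubbing the decoded values lets a multi-line pattern such as the PEM block match real newlines instead of `\n` escapes, and the output stays valid JSON. Decoding through `any` turns numbers into `float64`, so a production transform would use `json.Decoder.UseNumber` to keep large integers exact.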

3 participants