fix: classify /tools/invoke errors and sanitize 500s (#13185) (thanks @davidrudduck)

docs/gateway/tools-invoke-http-api.md

@@ -89,11 +89,12 @@ To help group policies resolve context, you can optionally set:
 ## Responses
 
 - `200` → `{ ok: true, result }`
-- `400` → `{ ok: false, error: { type, message } }` (invalid request or tool error)
+- `400` → `{ ok: false, error: { type, message } }` (invalid request or tool input error)
 - `401` → unauthorized
 - `429` → auth rate-limited (`Retry-After` set)
 - `404` → tool not available (not found or not allowlisted)
 - `405` → method not allowed
+- `500` → `{ ok: false, error: { type, message } }` (unexpected tool execution error; sanitized message)
 
 ## Example