docs(docs/ai-coder/agents/platform-controls/mcp-servers): document user-set custom_headers

Adds a "User-set custom headers" subsection under the
custom_headers auth mode covering the admin-side setup
(custom_headers_user_keys and custom_headers_user_key_descriptions),
the user-facing settings page, encryption at rest, and when this
mode is the right choice.

Stack: 6/6 (docs)

docs/ai-coder/agents/platform-controls/mcp-servers.md

@@ -106,6 +106,32 @@ A static key sent as a header on every request.
 Arbitrary key-value header pairs sent on every request. At least one header
 is required when this mode is selected.
 
+#### User-set custom headers
+
+Individual header keys can be marked as **user-set** in the admin form. Coder
+stops storing an admin value for those keys and lists them in
+`custom_headers_user_keys`. Each user then supplies their own value in
+`Agents` > `Settings` > `MCP Servers`. At request time Coder merges the
+user's stored value with the admin-set headers and sends the combined map
+to the MCP server.
+
+Admins can attach an optional **description** to each user-set key (for
+example "Personal access token from your Honcho profile"). Descriptions are
+stored alongside the keys in `custom_headers_user_key_descriptions` and
+rendered above the corresponding input on the user's settings page.
+Descriptions for keys that are not in `custom_headers_user_keys` are
+rejected, and orphaned descriptions are dropped automatically when the
+key list changes.
+
+The values are encrypted at rest with the same key set as the rest of the
+MCP server config. Admins cannot read or list per-user values; clearing a
+user's values is a per-user action from the same settings page or through
+`DELETE /api/experimental/mcp/servers/{id}/user-headers`.
+
+Use this mode when the MCP server identifies callers by a stable header
+name but expects each user to present their own credential (for example,
+a long-lived per-user JWT).
+
 ### User OIDC Identity
 
 Forwards the calling user's OIDC access token (stored in