Honor NODE_EXTRA_CA_CERTS in the default fetch path

[raashish1601]

Summary

• merge NODE_EXTRA_CA_CERTS into Node''s default TLS CA store before the SDK adopts the default global fetch
• cover the new default-fetch behavior in tests/index.test.ts
• document the Node custom-CA behavior in the fetch-options section of the README

Fixes #1758.

Testing

• node node_modules/jest/bin/jest.js tests/index.test.ts --runInBand
• node node_modules/prettier/bin/prettier.cjs --check README.md src/internal/shims.ts tests/index.test.ts
• node node_modules/eslint/bin/eslint.js src/internal/shims.ts tests/index.test.ts

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: dcf34cdb73

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Drop env-var gate before applying extra CA certificates

This early return makes the fix dependent on process.env.NODE_EXTRA_CA_CERTS still being present at client construction time, but Node loads extra certs at process start and tls.getCACertificates('extra') can remain populated even after that env var is removed/scrubbed. In that common hardening pattern, the SDK will skip setDefaultCACertificates, so the default-fetch path still won’t trust those extra roots and requests to private/corporate CAs can fail. The merge should be driven by getCACertificates('extra') availability, not a fresh env read.

Useful? React with 👍 / 👎.