
security: add security configuration schema#813

Open
notsointresting wants to merge 1 commit into sipeed:main from notsointresting:security-config

Conversation

@notsointresting

📝 Description

This PR adds the security configuration schema as the foundation for a comprehensive security framework. It introduces a centralized SecurityConfig struct that will be used by all security features.

Changes:

  • Add SecurityConfig struct with SSRF, Audit Logging, Rate Limiting, Credential Encryption, and Prompt Injection configs
  • Add environment variable support for all security settings
  • Add default security settings in defaults.go
  • Foundation for comprehensive security framework

🗣️ Type of Change

  • 🐞 Bug fix (non-breaking change which fixes an issue)
  • ✨ New feature (non-breaking change which adds functionality)
  • 📖 Documentation update
  • ⚡ Code refactoring (no functional changes, no api changes)

🤖 AI Code Generation

  • 🤖 Fully AI-generated (100% AI, 0% Human)
  • 🛠️ Mostly AI-generated (AI draft, Human verified/modified)
  • 👨💻 Mostly Human-written (Human lead, AI assisted or none)

🔗 Related Issue

Part of #782

📚 Technical Context (Skip for Docs)

  • Reference URL: OWASP Top 10, CWE-918 (SSRF)
  • Reasoning: Security configuration needs to be centralized and configurable via both JSON config and environment variables for flexible deployment.

🧪 Test Environment

  • Hardware: PC
  • OS: Windows 11
  • Model/Provider: N/A (configuration only)
  • Channels: N/A

📸 Evidence (Optional)

Configuration Example:
{
  "security": {
    "ssrf": {
      "enabled": true,
      "block_private_ips": true,
      "block_metadata_endpoints": true,
      "block_localhost": true,
      "allowed_hosts": [],
      "dns_rebinding_protection": true
    },
    "audit_logging": {
      "enabled": true,
      "log_tool_executions": true,
      "log_auth_events": true,
      "log_config_changes": true,
      "retention_days": 30
    },
    "rate_limiting": {
      "enabled": false,
      "requests_per_minute": 60,
      "tool_executions_per_minute": 30,
      "per_user_limit": true
    },
    "credential_encryption": {
      "enabled": true,
      "use_keychain": true,
      "algorithm": "chacha20-poly1305"
    },
    "prompt_injection": {
      "enabled": true,
      "sanitize_user_input": true,
      "detect_injection_patterns": true,
      "custom_block_patterns": []
    }
  }
}

☑️ Checklist

  • My code/docs follow the style of this project.
  • I have performed a self-review of my own changes.
  • I have updated the documentation accordingly.

- Add SecurityConfig struct with SSRF, Audit Logging, Rate Limiting, Credential Encryption, and Prompt Injection configs
- Add environment variable support for all security settings
- Add default security settings in defaults.go
- Foundation for comprehensive security framework
@CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.
