
security: implement prompt injection defense and credential encryption#816

Open
notsointresting wants to merge 2 commits into sipeed:main from notsointresting:security-injection-credentials

Conversation

@notsointresting

📝 Description

This PR implements prompt injection defense and credential encryption with OS keychain integration.

Prompt Injection Defense (pkg/injection/defender.go):

  • Detection of 40+ injection patterns
  • Role manipulation detection
  • Delimiter injection detection
  • Special token detection
  • Input sanitization with XML escaping
  • Structured boundary wrapping for user content

Credential Encryption (pkg/auth/encryption.go, keychain.go, secure_store.go):

  • ChaCha20-Poly1305 (default) and AES-256-GCM encryption algorithms
  • OS keychain integration:
    • Windows Credential Manager
    • macOS Keychain
    • Linux Secret Service
  • Automatic fallback to encrypted file storage
  • Backward compatible with existing plain-text credentials
  • Migration support from plain-text to secure storage
  • Added zalando/go-keyring dependency

🗣️ Type of Change

  • 🐞 Bug fix (non-breaking change which fixes an issue)
  • ✨ New feature (non-breaking change which adds functionality)
  • 📖 Documentation update
  • ⚡ Code refactoring (no functional changes, no api changes)

🤖 AI Code Generation

  • 🤖 Fully AI-generated (100% AI, 0% Human)
  • 🛠️ Mostly AI-generated (AI draft, Human verified/modified)
  • 👨‍💻 Mostly Human-written (Human lead, AI assisted or none)

🔗 Related Issue

Part of #782

📚 Technical Context (Skip for Docs)

  • Reference URL: OWASP Prompt Injection Guidelines, NIST Cryptographic Standards
  • Reasoning: Prompt injection can manipulate AI behavior. Credential encryption protects sensitive tokens/keys at rest using OS-native secure storage.

🧪 Test Environment

  • Hardware: PC
  • OS: Windows 11
  • Model/Provider: Multiple providers supported
  • Channels: All channels

📸 Evidence (Optional)

Test Results:
$ go test ./pkg/auth/... ./pkg/injection/...
ok      github.com/sipeed/picoclaw/pkg/auth
ok      github.com/sipeed/picoclaw/pkg/injection

☑️ Checklist

  • My code/docs follow the style of this project.
  • I have performed a self-review of my own changes.
  • I have updated the documentation accordingly.

Summary Table

| PR | Branch | Title | Depends On |
|----|--------|-------|------------|
| 1 | security-config | Security Configuration Schema | None |
| 2 | security-ssrf-redaction | SSRF Protection + Privacy Redaction | PR 1 |
| 3 | security-audit-ratelimit | Audit Logging + Rate Limiting | PR 1 |
| 4 | security-injection-credentials | Prompt Injection + Credential Encryption | PR 1 |

- Add SecurityConfig struct with SSRF, Audit Logging, Rate Limiting, Credential Encryption, and Prompt Injection configs
- Add environment variable support for all security settings
- Add default security settings in defaults.go
- Foundation for comprehensive security framework

Prompt Injection Defense (pkg/injection/defender.go):
- Detection of 40+ injection patterns
- Role manipulation detection
- Delimiter injection detection
- Special token detection
- Input sanitization with XML escaping
- Structured boundary wrapping for user content

Credential Encryption (pkg/auth/encryption.go, keychain.go, secure_store.go):
- ChaCha20-Poly1305 (default) and AES-256-GCM encryption algorithms
- OS keychain integration (Windows Credential Manager, macOS Keychain, Linux Secret Service)
- Automatic fallback to encrypted file storage
- Backward compatible with existing plain-text credentials
- Migration support from plain-text to secure storage
- Added zalando/go-keyring dependency
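The encrypted-file fallback with plain-text backward compatibility described above, as an added illustration rather than code from this PR or the picoclaw project. It uses AES-256-GCM (the stdlib option the PR lists; the ChaCha20-Poly1305 default is a drop-in AEAD replacement), assumes the caller supplies the 32-byte key (in the PR's design that key would live in the OS keychain), and the `Store` type and `enc:aes256gcm:` record prefix are this example's own choices.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"strings"
)

// Prefix marking an encrypted record; legacy plain-text credentials lack it.
const encPrefix = "enc:aes256gcm:"
// Store wraps one AEAD instance; a 32-byte key selects AES-256-GCM.
type Store struct{ aead cipher.AEAD }

func NewStore(key []byte) (*Store, error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16/24/32 bytes
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Store{aead: aead}, err
}

// Seal encrypts a credential: a fresh random nonce is prepended to the
// ciphertext and the prefix is bound as associated data so it cannot be swapped.
func (s *Store) Seal(plaintext string) (string, error) {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := s.aead.Seal(nonce, nonce, []byte(plaintext), []byte(encPrefix))
	return encPrefix + base64.StdEncoding.EncodeToString(ct), nil
}

// Load returns a stored credential. A legacy plain-text record comes back
// unchanged with migrate=true so the caller re-saves it through Seal; an
// encrypted record is authenticated, so truncation or tampering is an error.
func (s *Store) Load(record string) (value string, migrate bool, err error) {
	if !strings.HasPrefix(record, encPrefix) {
		return record, true, nil
	}
	ns := s.aead.NonceSize()
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(record, encPrefix))
	if err != nil || len(raw) < ns {
		return "", false, errors.New("malformed encrypted record")
	}
	pt, err := s.aead.Open(nil, raw[:ns], raw[ns:], []byte(encPrefix)) // nil pt on failure
	return string(pt), false, err
}
```

A migration pass is then just: call Load on every existing record and, where migrate is true, write back Seal(value).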
@CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.
