feat(tool/bigquery-execute-sql)!: add allowed datasets support (googleapis#1443)

## Description
This introduces a breaking change. The bigquery-execute-sql tool will
now enforce the allowed datasets setting from its BigQuery source
configuration. Previously, this setting had no effect on the tool.

---
> Should include a concise description of the changes (bug or feature),
it's
> impact, along with a summary of the solution

## PR Checklist

---
> Thank you for opening a Pull Request! Before submitting your PR, there
are a
> few things you can do to make sure it goes smoothly:

- [ ] Make sure you reviewed

[CONTRIBUTING.md](https://github.com/googleapis/genai-toolbox/blob/main/CONTRIBUTING.md)
- [ ] Make sure to open an issue as a

[bug/issue](https://github.com/googleapis/genai-toolbox/issues/new/choose)
before writing your code! That way we can discuss the change, evaluate
  designs, and agree on the general idea
- [ ] Ensure the tests and linter pass
- [ ] Code coverage does not decrease (if any source code was changed)
- [ ] Appropriate docs were updated (if necessary)
- [ ] Make sure to add `!` if this involve a breaking change

🛠️ Fixes googleapis#873

---------

Co-authored-by: Yuan Teoh <45984206+Yuan325@users.noreply.github.com>

Author: Genesis929

docs/en/resources/tools/bigquery/bigquery-execute-sql.md

@@ -15,9 +15,23 @@ It's compatible with the following sources:
 
 - [bigquery](../../sources/bigquery.md)
 
-`bigquery-execute-sql` takes a required `sql` input parameter and runs the SQL
-statement against the configured `source`. It also supports an optional `dry_run`
-parameter to validate a query without executing it.
+`bigquery-execute-sql` accepts the following parameters:
+- **`sql`** (required): The GoogleSQL statement to execute.
+- **`dry_run`** (optional): If set to `true`, the query is validated but not run,
+  returning information about the execution instead. Defaults to `false`.
+
+The tool's behavior is influenced by the `allowedDatasets` restriction on the
+`bigquery` source:
+- **Without `allowedDatasets` restriction:** The tool can execute any valid GoogleSQL
+  query.
+- **With `allowedDatasets` restriction:** Before execution, the tool performs a dry run
+  to analyze the query.
+  It will reject the query if it attempts to access any table outside the
+  allowed `datasets` list. To enforce this restriction, the following operations
+  are also disallowed:
+  - **Dataset-level operations** (e.g., `CREATE SCHEMA`, `ALTER SCHEMA`).
+  - **Unanalyzable operations** where the accessed tables cannot be determined
+    statically (e.g., `EXECUTE IMMEDIATE`, `CREATE PROCEDURE`, `CALL`).
 
 ## Example