Add ToolGuard security middleware for safe agent tool execution

[karthikeyavelivela]

This PR introduces ToolGuard, a lightweight security middleware
for validating tool calls before execution.

Motivation
AI agents interacting with external tools are vulnerable to
prompt injection and unintended destructive actions.

Key Features

• optional allowlist for permitted tools
• keyword filtering in tool arguments
• destructive tool protection
• centralized enforcement via ToolRegistry.get_executor()

Design
ToolGuard intercepts tool calls inside ToolRegistry.get_executor(),
ensuring every tool invocation passes through a single validation layer.

Security violations return a structured ToolResult with is_error=True,
allowing agents to handle blocked actions gracefully.

The implementation is configurable through SecurityPolicy and
remains backward-compatible with existing workflows.
micro-fix
Fixes #6066

[github-actions]

PR Requirements Warning

This PR does not meet the contribution requirements.
If the issue is not fixed within ~24 hours, it may be automatically closed.

Missing: No linked issue found.

To fix:

1. Create or find an existing issue for this work
2. Assign yourself to the issue
3. Re-open this PR and add Fixes #123 in the description

Exception: To bypass this requirement, you can:

• Add the micro-fix label or include micro-fix in your PR title for trivial fixes
• Add the documentation label or include doc/docs in your PR title for documentation changes

Micro-fix requirements (must meet ALL):

Qualifies	Disqualifies
< 20 lines changed	Any functional bug fix
Typos & Documentation & Linting	Refactoring for "clean code"
No logic/API/DB changes	New features (even tiny ones)

Why is this required? See #472 for details.