Security handler #140

Open

surendra84 wants to merge 3 commits into SAP:main from surendra84:security-handler

Conversation


@surendra84 surendra84 commented May 27, 2026

Disclaimer: Do not include SAP-internal or customer-specific information in this PR (e.g. internal system URLs, customer names, tenant IDs, or confidential configurations). This is a public repository.

Description

Added a new security_handler module to the SAP Cloud SDK for Python. This module provides input validation and sanitization
utilities to help developers protect their applications from injection attacks and malicious input when building AI-powered
applications on SAP BTP.

The module includes:

  • SecurityHandler — orchestrator that runs guardrails and injection detection, returning a ScanResult
  • InjectionDetector — detects prompt injection, SQL injection, XSS, and path traversal patterns
  • ForbiddenPatternGuardrail — configurable regex-based content guardrail
  • sanitize() — strips dangerous characters and enforces input length limits
  • escape_xml_tags() — escapes XML/HTML tags in user input
  • ScanResult, Violation, Severity — result models for structured security scan output

Related Issue

Closes #<issue_number>

(Link to the GitHub issue this PR addresses)

Type of Change

Please check the relevant option:

  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update
  • Code refactoring
  • Dependency update

How to Test

Describe how reviewers can test your changes:

  1. Install the SDK locally: uv sync
  2. Run the unit tests for the new module:
    uv run pytest tests/security_handler/
  3. All 52 tests should pass with no failures.

Checklist

Before submitting your PR, please review and check the following:

  • I have read the [Contributing Guidelines]
  • I have verified that my changes solve the issue
  • I have added/updated automated tests to cover my changes
  • All tests pass locally
  • I have verified that my code follows the [Code Guidelines]
  • I have updated documentation (src/sap_cloud_sdk/security_handler/user-guide.md and README.md)
  • I have added type hints for all public APIs
  • My code does not contain sensitive information (credentials, tokens, etc.)
  • I have followed Conventional Commits for commit messages

Breaking Changes

None. This is a purely additive new module with no changes to existing APIs.

Additional Notes

  • The module follows the same structural patterns as other SDK modules (agent_memory, dms, etc.)
  • All public APIs are exported via __init__.py with __all__
  • A user guide is included at src/sap_cloud_sdk/security_handler/user-guide.md
  • Unit tests cover all public classes and edge cases

Add any additional context, screenshots, or information that would help reviewers.
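To make the component list above concrete for reviewers, here is an added, hypothetical sketch (not code from this PR or from the SAP Cloud SDK) of how a regex guardrail could produce ScanResult/Violation/Severity values together with a length limit and an XML-escaping helper. It goes one step beyond the description by NFKC-normalizing input before matching, a check a reviewer would want because full-width or compatibility code points otherwise slip past ASCII patterns; all names, rules and sample inputs are assumptions.

```python
import re
import unicodedata
from dataclasses import dataclass, field
from enum import Enum

class Severity(Enum):
    LOW = "low"
    MEDIUM = "medium"
    HIGH = "high"

@dataclass(frozen=True)
class Violation:
    rule: str          # name of the guardrail rule that fired
    severity: Severity
    matched: str       # the text fragment that triggered the rule

@dataclass
class ScanResult:
    violations: list = field(default_factory=list)
    @property
    def is_safe(self) -> bool:
        return not self.violations

# Constructed rule set for illustration only; any real list needs tuning and
# will still miss paraphrased or obfuscated variants, so treat hits as signals.
DEFAULT_RULES = {
    "prompt_injection": (re.compile(r"\bignore\s+(all\s+)?(previous|prior|above)\s+instructions\b", re.I), Severity.HIGH),
    "path_traversal": (re.compile(r"\.\.[/\\]"), Severity.MEDIUM),
    "xss_script_tag": (re.compile(r"<\s*script\b", re.I), Severity.HIGH),
}

def scan(text: str, rules=DEFAULT_RULES, max_len: int = 4096) -> ScanResult:
    """Apply the length limit and every regex rule, collecting structured violations."""
    result = ScanResult()
    if len(text) > max_len:
        result.violations.append(Violation("max_length", Severity.LOW, f"{len(text)} chars"))
    # NFKC folds full-width and other compatibility code points to their ASCII
    # forms, so a rule written for "ignore" also sees the full-width spelling.
    normalized = unicodedata.normalize("NFKC", text)
    for name, (pattern, severity) in rules.items():
        match = pattern.search(normalized)
        if match:
            result.violations.append(Violation(name, severity, match.group(0)))
    return result

def escape_xml_tags(text: str) -> str:
    """Neutralise markup so user input cannot open tags when embedded in XML/HTML."""
    return text.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
```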

@surendra84 surendra84 requested a review from a team as a code owner May 27, 2026 22:05

cla-assistant Bot commented May 28, 2026

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

@@ -0,0 +1,174 @@
"""security_handler — Generic LLM security utilities for agent pipelines.
Contributor commented:

if it's AI specific, security handler is too generic.
