Sensitive data detection in tool inputs/outputs

## Phase 3 — Structured audit log

Flag tool inputs/outputs that contain patterns matching: API keys, tokens, passwords, PII patterns.

- Emit `sensitive_data_detected` event
- Do NOT log the sensitive content in the audit log — log the detection with redacted context
- Pattern-based detection (configurable regex set)