feat(ai-lakera-guard): scan LLM responses (direction output/both, non-streaming + streaming)

[janiussyafiq]

Description

PR-2 of ai-lakera-guard, following the input-scanning MVP (#13570). Adds response (output) scanning for non-streaming and streaming (SSE) traffic. Back-compatible: direction still defaults to input.

• Schema: direction extended to input/output/both; adds response_failure_message.
• Response path (lua_body_filter, the same dispatch ai-aliyun-content-moderation uses):
  • Non-streaming: scans ctx.var.llm_response_text; a flagged response is replaced with a provider-compatible deny.
  • Streaming: buffers the SSE response, scans the assembled completion once, then releases it verbatim (clean) or replaces it with a deny SSE terminated by [DONE] (flagged). Because the stream's 200/text/event-stream headers are already committed when buffering begins, a streamed block is delivered as the deny body — deny_code does not apply to streams.
• Docs (en + zh) and tests added.

Which issue(s) this PR fixes:

Part of #13291.

Checklist

• I have explained the need for this PR and the problem it solves
• I have explained the changes or the new features added to this PR
• I have added tests corresponding to this change
• I have updated the documentation to reflect this change
• I have verified that this change is backward compatible