feat: enhance AccessDeniedError with detailed context and improve exception handling

• Enhanced AccessDeniedError class to include user, action, and resource context
  - Added constructor parameters for action, resource, and user
  - Generate detailed error messages showing user principal, attributes, and attempted resource
  - Backward compatible with existing usage (falls back to generic message)

• Updated exception handling in server.py
  - Import AccessDeniedError from access_control module
  - Return proper 403 status codes with detailed error messages
  - Separate handling for PermissionError (generic) vs AccessDeniedError (detailed)

• Enhanced error context at raise sites
  - Updated routing_tables/common.py to pass action, resource, and user context
  - Updated agents persistence to include context in access denied errors
  - Provides better debugging information for access control issues

• Added comprehensive unit tests
  - Created tests/unit/server/test_server.py with 13 test cases
  - Covers AccessDeniedError with and without context
  - Tests all exception types (ValidationError, BadRequestError, AuthenticationRequiredError, etc.)
  - Validates proper HTTP status codes and error message formats

Resolves access control error visibility issues where 500 errors were returned
instead of proper 403 responses with actionable error messages.

Signed-off-by: Akram Ben Aissi <<akram.benaissi@gmail.com>>

llama_stack/providers/inline/agents/meta_reference/persistence.py

@@ -53,7 +53,7 @@ class AgentPersistence:
             identifier=name,  # should this be qualified in any way?
         )
         if not is_action_allowed(self.policy, "create", session_info, user):
-            raise AccessDeniedError()
+            raise AccessDeniedError("create", session_info, user)
 
         await self.kvstore.set(
             key=f"session:{self.agent_id}:{session_id}",