fix(agent-memory): use secret resolver public API for config loading

[santoshnallur-sap]

Description

The agent_memory module previously resolved its service binding credentials using a
private internal function (_load_from_mount) and reimplemented the environment variable
fallback manually. This PR aligns it with the pattern used by the auditlog module:
credentials are now loaded through the public read_from_mount_and_fallback_to_env_var
API from the secret_resolver module.

What changed:

• BindingData is simplified to two str fields — url and uaa — matching the
  mounted secret file names under /etc/secrets/appfnd/hana-agent-memory/default/.
• extract_config() now parses the uaa JSON blob to derive token_url, client_id,
  and client_secret, rather than reading four separate flat fields.
• AgentMemoryConfig.__post_init__ now validates all optional fields (token_url,
  client_id, client_secret) when provided, rejecting empty strings.
• The custom _ENV_PREFIX, _ENV_VARS, and _load_binding_from_env helpers are removed.
• Environment variable names changed to match the resolver convention:
  • CLOUD_SDK_CFG_HANA_AGENT_MEMORY_DEFAULT_URL
  • CLOUD_SDK_CFG_HANA_AGENT_MEMORY_DEFAULT_UAA (JSON string)

Why it matters: Users deploying on BTP with a hana-agent-memory service binding will
now have credentials resolved automatically and consistently with all other SDK modules,
without any changes to their application code.

Type of Change

• Bug fix (non-breaking change that fixes an issue)
• New feature (non-breaking change that adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)
• Documentation update

How to Test

Run the unit test suite for the agent memory module:

uv run pytest tests/agent_memory/unit/ -v

Key scenarios covered by the tests:

• BindingData.validate() raises AgentMemoryConfigError when url or uaa is empty
• extract_config() correctly parses the UAA JSON and maps base_url, token_url,
  client_id, and client_secret
• extract_config() strips trailing slashes from the UAA url before appending /oauth/token
• extract_config() ignores extra fields in the UAA JSON (e.g. apiurl, tenantid)
• extract_config() raises AgentMemoryConfigError on invalid JSON or missing required keys
• _load_config_from_env() succeeds when the resolver populates the binding
• _load_config_from_env() falls back to CLOUD_SDK_CFG_HANA_AGENT_MEMORY_DEFAULT_*
  environment variables when the mount path is unavailable
• _load_config_from_env() wraps unexpected resolver failures in AgentMemoryConfigError
• AgentMemoryConfig raises AgentMemoryConfigError for empty strings on any field

For integration tests, set the following in .env_integration_tests:

CLOUD_SDK_CFG_HANA_AGENT_MEMORY_DEFAULT_URL=https://your-agent-memory-api-url
CLOUD_SDK_CFG_HANA_AGENT_MEMORY_DEFAULT_UAA='{"url":"https://your-auth-url","clientid":"your-client-id","clientsecret":"your-client-secret"}'

Then run:

uv run pytest tests/agent_memory/integration/ -v

Checklist

• My code follows the project's Code Guidelines
• I have added type hints for all public APIs
• I have added unit tests covering the new functionality
• I have added or updated the user guide (user-guide.md) in the module directory
• All existing tests pass locally
• My commits follow Conventional Commits format
• No confidential or SAP-internal information is included

Additional Notes

The uaa JSON schema accepted by extract_config() only requires three fields —
url, clientid, clientsecret — and ignores all others. This matches the real BTP
service binding payload, which contains many additional fields (apiurl, tenantid,
zoneid, etc.) that the SDK does not need.

---

Disclaimer: Do not include SAP-internal or customer-specific information in this PR.
This is a public repository.