
Security: clear-text-logging in infrastructure scripts (CodeQL follow-up) #2348

@mrveiss

Description


Problem

43 py/clear-text-logging-sensitive-data CodeQL alerts remain in infrastructure scripts that log passwords, secret IDs, and credentials in plain text:

Affected files (alert count)

  • autobot-infrastructure/autobot-backend/scripts/migrations/migrate_secrets_ownership.py — 12 alerts
  • autobot-infrastructure/shared/scripts/secrets_manager.py — 12 alerts
  • autobot-infrastructure/shared/scripts/security_scan.py — 4 alerts
  • autobot-infrastructure/autobot-backend/scripts/migrations/validate_migration.py — 3 alerts
  • autobot-infrastructure/shared/scripts/setup/analytics/setup_seq_analytics.py — 1 alert (password)
  • autobot-infrastructure/shared/scripts/setup/analytics/seq_auth_setup.py — 1 alert (password)
  • autobot-infrastructure/shared/scripts/utilities/validate-security-fixes.py — 2 alerts
  • autobot-npu-worker/resources/windows-npu-worker/app/utils/redis_client.py — 2 alerts
  • autobot-backend/extensions/builtin/secret_masking.py — 2 alerts
  • autobot-backend/project_state_tracking/metrics.py — 1 alert (false positive on Redis key)
  • autobot-backend/security/enterprise/security_policy_manager.py — 1 alert
  • autobot-backend/autobot_memory_graph/entities.py — 1 alert (false positive on entity ID)
  • autobot-backend/autobot_memory_graph/relations.py — 2 alerts (false positive on entity IDs)

Patterns to fix

  • logger.info(json.dumps({"secret_id": secret_id, ...})) — logs full secret IDs
  • logger.info("password: %s", password) — logs passwords in setup scripts
  • logger.info(json.dumps(result)) — dumps full secret/migration results

Fix approach

  • Add redact_sensitive() helper to mask passwords/tokens before logging
  • Truncate secret IDs to first 8 chars in JSON log output
  • Replace password logging with "***REDACTED***" in setup scripts
  • Triage false positives on entity IDs and Redis keys
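A sketch of the redact_sensitive() helper described above, as an added example rather than code from the repository: it masks credential-like keys, truncates secret IDs to their first 8 characters, and leaves Redis keys and entity IDs untouched. The key-name patterns, the `log_sanitized` wrapper and the `...` suffix on truncated IDs are assumptions, not part of the issue.

```python
import json
import logging
import re

REDACTED = "***REDACTED***"
ID_PREFIX_LEN = 8  # keep only the first 8 characters of a secret ID

# Keys whose values are credentials: fully masked. A bare "key" is deliberately not
# matched, so Redis keys and entity IDs (the triaged false positives) pass through.
SECRET_VALUE_KEYS = re.compile(r"password|passwd|secret|token|api_key|credential|private_key", re.I)
# Keys holding secret *identifiers* (secret_id, old_secret_id, secret_ids): truncated, not masked.
SECRET_ID_KEYS = re.compile(r"(^|_)secret_ids?$", re.I)


def _truncate_id(value):
    """Shorten a secret ID, or a list of them, to its first ID_PREFIX_LEN characters."""
    if isinstance(value, list):
        return [_truncate_id(v) for v in value]
    if isinstance(value, str) and len(value) > ID_PREFIX_LEN:
        return value[:ID_PREFIX_LEN] + "..."
    return value


def redact_sensitive(obj):
    """Return a copy of obj (nested dicts/lists) with credentials masked and secret IDs truncated."""
    if isinstance(obj, list):
        return [redact_sensitive(item) for item in obj]
    if not isinstance(obj, dict):
        return obj
    safe = {}
    for key, value in obj.items():
        name = key if isinstance(key, str) else ""
        if SECRET_ID_KEYS.search(name):  # checked first: "secret_id" also contains "secret"
            safe[key] = _truncate_id(value)
        elif SECRET_VALUE_KEYS.search(name):
            safe[key] = REDACTED
        else:
            safe[key] = redact_sensitive(value)
    return safe


def log_sanitized(message, payload, logger=None):
    """Drop-in for logger.info(json.dumps(result)): redacts before serialising."""
    logger = logger or logging.getLogger("redact")
    line = message + " " + json.dumps(redact_sensitive(payload), default=str)
    logger.info("%s", line)
    return line
```

Calling `log_sanitized("migration result:", result)` in place of `logger.info(json.dumps(result))` is the intended replacement for the third pattern; the original dict is copied, not modified.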

Discovered During

Working on #1733 (CodeQL fixes). PR #2335 addressed ~50 stack-trace-exposure + 4 clear-text-logging alerts in the backend runtime. These infra script alerts were deferred.

Impact

Medium — these scripts run during migrations and setup, not in the hot path. But log files could contain plaintext credentials.
