
security(infra): redact sensitive data from log output (#2348)#2531

Merged: mrveiss merged 2 commits into Dev_new_gui from fix/issue-2348 on Mar 27, 2026

Conversation

@mrveiss (Owner) commented Mar 27, 2026

Summary

Addresses 43 CodeQL py/clear-text-logging-sensitive-data alerts across infrastructure scripts and backend modules.

Fixes applied (12 files):

  • Secret IDs truncated to first 8 chars in log output (migrate_secrets_ownership.py, validate_migration.py, secrets_manager.py)
  • Hardcoded password removed from setup_seq_analytics.py — now reads SEQ_PASSWORD env var
  • Secret content redacted in validate-security-fixes.py findings output
  • CodeQL false-positive comments added for: secret_masking.py (masking operations), metrics.py (Redis key), security_policy_manager.py (policy check), entities.py/relations.py (entity IDs), redis_client.py (config params), seq_auth_setup.py (login API)
  • f-string logging converted to %s format in migration scripts

Closes #2348

Test plan

  • Verify migration scripts still log truncated IDs correctly
  • Verify setup_seq_analytics.py reads password from SEQ_PASSWORD env var
  • Verify false-positive suppressions don't mask real issues
  • Run CodeQL scan to confirm alert reduction
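The three log-hygiene patterns the summary above lists (truncating secret IDs to a short prefix, redacting secret content in findings output, reading a password from SEQ_PASSWORD instead of a literal, and moving from f-strings to deferred %s formatting) as an added Python example. This is not code from the PR or the project; the names truncate_id, redact_findings, read_seq_password, SecretArgFilter, the sensitive-key markers and the sample secret ID are assumptions made for the example.

```python
"""Added example (not code from the PR or the project): log-safe handling of
secret identifiers and values.  Function/class names, the key markers and the
sample secret ID are assumptions made for the example."""
import logging
import os
import re
from typing import Any, Dict, Optional

ID_PREFIX_LEN = 8  # the PR logs only the first 8 characters of a secret ID


def truncate_id(secret_id: str, keep: int = ID_PREFIX_LEN) -> str:
    """Return a log-safe prefix of an identifier.

    A short prefix is enough to correlate a log line with an entry in the
    secret store without writing the full identifier to disk.
    """
    if len(secret_id) <= keep:
        return secret_id
    return secret_id[:keep] + "..."


# Assumed key markers; a real scanner would use the field names its findings use.
SENSITIVE_KEY_MARKERS = ("secret", "password", "token", "api_key", "private_key")


def redact_findings(findings: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of a findings record with secret-bearing fields masked.

    The finding still says where the problem is (file, line, rule); only the
    matched secret content is replaced, so the report stays actionable.
    """
    return {
        key: "[REDACTED]" if any(m in key.lower() for m in SENSITIVE_KEY_MARKERS) else value
        for key, value in findings.items()
    }


def read_seq_password(env: Optional[Dict[str, str]] = None) -> str:
    """Read the Seq password from SEQ_PASSWORD; never fall back to a literal."""
    source = os.environ if env is None else env
    password = source.get("SEQ_PASSWORD")
    if not password:
        raise RuntimeError("SEQ_PASSWORD is not set; refusing to use a hardcoded default")
    return password


class SecretArgFilter(logging.Filter):
    """Truncate secret-looking deferred log arguments before they are formatted.

    Only works for logger.info("... %s", value): with an f-string the value is
    already baked into record.msg and record.args is empty, which is why
    converting f-strings to %s format makes redaction at the logger possible.
    """

    # Heuristic for opaque identifiers/tokens: 32+ chars of a base64url-like alphabet.
    OPAQUE_TOKEN = re.compile(r"^[A-Za-z0-9_\-]{32,}$")

    def filter(self, record: logging.LogRecord) -> bool:
        if isinstance(record.args, tuple):
            record.args = tuple(self._scrub(a) for a in record.args)
        elif isinstance(record.args, dict):  # single mapping argument form
            record.args = {k: self._scrub(v) for k, v in record.args.items()}
        return True

    def _scrub(self, value: Any) -> Any:
        if isinstance(value, str) and self.OPAQUE_TOKEN.match(value):
            return truncate_id(value)
        return value


class _ListHandler(logging.Handler):
    """Collect formatted lines in memory so the result can be inspected."""

    def __init__(self) -> None:
        super().__init__()
        self.lines: list = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def demo_log_lines(secret_id: str) -> tuple:
    """Log one event with an f-string and with deferred %s formatting.

    Returns (fstring_line, deferred_line) as they would reach the log sink.
    """
    handler = _ListHandler()
    logger = logging.getLogger("redaction-demo")
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.addFilter(SecretArgFilter())
    logger.addHandler(handler)
    logger.info(f"migrated secret {secret_id}")   # full ID already inside the message
    logger.info("migrated secret %s", secret_id)  # filter sees the arg and truncates it
    return handler.lines[0], handler.lines[1]


if __name__ == "__main__":
    # Constructed sample ID (not a real secret): 40 hex chars, SHA-1-sized handle.
    sample = "a3f9c2e8b17d4f60e9a1c5d2b8f7e6a4c3d2b1a0"
    for line in demo_log_lines(sample):
        print(line)
    print(redact_findings({"file": "setup.py", "line": 12, "secret_value": "hunter2"}))
```

The filter is a safety net, not the fix: its regex is a heuristic and it cannot recover a value that was formatted into the message string before logging. The durable fix is the one the PR makes at the call sites (log a prefix, never the full ID or value), with the deferred %s form keeping arguments visible to filters for the cases that slip through.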

github-actions bot commented Mar 27, 2026

✅ SSOT Configuration Compliance: Passing

🎉 No hardcoded values detected that have SSOT config equivalents!

@mrveiss mrveiss merged commit 6f334db into Dev_new_gui Mar 27, 2026
3 of 4 checks passed
@mrveiss mrveiss deleted the fix/issue-2348 branch March 27, 2026 10:10