- Remove JWT-extracted username from ValueError message in auth.py to
avoid CodeQL py/clear-text-logging-sensitive-data; log at DEBUG instead
- Log count of invalid FAB_API_KEY_PREFIXES entries rather than values to
avoid the same CodeQL rule in composite_token_verifier.py
- Add regression test asserting "ApiKey" in ADMIN_ONLY_VIEW_MENUS so a
future rename cannot silently re-open the FAB ApiKeyApi to non-Admin roles