fix(web): harden observability env handling and Sentry log redaction

[gildesmarais]

Summary

• add runtime env parsing and validation for web boot
• initialize Sentry in web boot with explicit enablement controls
• redact sensitive log payloads before Sentry forwarding
• add focused specs for app logger and sentry log forwarding

Validation

• make ready
• attempted make dev smoke (blocked by existing port 4000 usage in local env)

[Copilot]

Pull request overview

This PR hardens html2rss-web boot-time environment handling by capturing required runtime configuration once, scrubbing sensitive env vars from the process environment, and integrating Sentry initialization plus a log-forwarding bridge with redaction.

Changes:

• Introduces RuntimeEnv capture + sensitive env scrubbing, and updates auth/health codepaths to read secrets from RuntimeEnv.
• Adds boot-time Sentry configuration (with explicit log enablement) and forwards structured logs into Sentry with PII filtering.
• Expands specs to cover env validation, boot setup behavior, Sentry log forwarding/redaction, and post-scrub request flows.

Reviewed changes

Copilot reviewed 22 out of 23 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
spec/support/runtime_env_helpers.rb	Test helper to capture/scrub runtime env for production-style scenarios.
spec/spec_helper.rb	Ensures runtime env + secret key are reset/stable between tests.
spec/html2rss/web/sentry_logs_spec.rb	Verifies Sentry log forwarding and redaction behavior.
spec/html2rss/web/environment_validator_spec.rb	Adds coverage for production build metadata validation.
spec/html2rss/web/boot/setup_spec.rb	Validates boot sequencing, env scrubbing, and Sentry configuration behaviors.
spec/html2rss/web/app_logger_spec.rb	Covers Sentry forwarding and resilience when Sentry forwarding fails.
spec/html2rss/web/app_integration_spec.rb	Ensures feed token auth still works after env scrubbing.
spec/html2rss/web/api/v1_spec.rb	Ensures health endpoint works after env scrubbing.
public/openapi.yaml	Updates /health response description.
frontend/src/api/generated/types.gen.ts	Regenerated API types/comments from OpenAPI changes.
docs/README.md	Documents new managed env keys including build metadata + Sentry log enablement.
docker-compose.yml	Requires BUILD_TAG/GIT_SHA; adds Sentry env wiring.
config.ru	Switches Sentry rack middleware enablement to boot setup flag.
app/web/telemetry/sentry_logs.rb	New Sentry log bridge with payload sanitization.
app/web/telemetry/app_logger.rb	Emits structured log payloads to Sentry bridge during formatting.
app/web/security/auth.rb	Uses RuntimeEnv.secret_key instead of ENV.
app/web/config/runtime_env.rb	New runtime env capture/scrub module + boolean parsing.
app/web/config/environment_validator.rb	Enforces production build metadata presence; rubocop length disables.
app/web/boot/setup.rb	Captures runtime env, configures Sentry, sets Rack::Timeout, logs startup metadata.
app/web/boot/sentry.rb	New boot-time Sentry initializer reading from RuntimeEnv.
app/web/api/v1/health.rb	Uses RuntimeEnv.health_check_token instead of ENV.
README.md	Mentions optional Sentry env vars in docker-compose quickstart.