Fix P1 security findings for FRE-4806

- Add DD_API_KEY and DD_SITE to Zod validation schema (config.ts)
- Truncate API key before storing in user.id to prevent Sentry leak (auth.middleware.ts)

packages/api/src/middleware/auth.middleware.ts

@@ -46,9 +46,10 @@ export async function authMiddleware(fastify: FastifyInstance) {
     if (apiKey) {
       // In production, validate API key against database
       authReq.apiKey = apiKey;
+      const apiKeyPrefix = apiKey.slice(0, 8);
       authReq.user = {
-        id: `api-${apiKey}`,
-        email: `api-${apiKey}@services.internal`,
+        id: `api-${apiKeyPrefix}...`,
+        email: `api-${apiKeyPrefix}@services.internal`,
         role: 'service',
       };
       authReq.authType = 'api-key';