Fix P1 security findings for FRE-4806

- Add DD_API_KEY and DD_SITE to Zod validation schema (config.ts)
- Truncate API key before storing in user.id to prevent Sentry leak (auth.middleware.ts)

packages/api/src/middleware/auth.middleware.ts

@@ -46,9 +46,10 @@ export async function authMiddleware(fastify: FastifyInstance) {
     if (apiKey) {
       // In production, validate API key against database
       authReq.apiKey = apiKey;
+      const apiKeyPrefix = apiKey.slice(0, 8);
       authReq.user = {
-        id: `api-${apiKey}`,
+        id: `api-${apiKeyPrefix}...`,
-        email: `api-${apiKey}@services.internal`,
+        email: `api-${apiKeyPrefix}@services.internal`,
         role: 'service',
       };
       authReq.authType = 'api-key';

packages/monitoring/src/config.ts

@@ -7,6 +7,8 @@ const monitoringEnvSchema = z.object({
   DD_TRACE_ENABLED: z.string().default('true'),
   DD_TRACE_SAMPLE_RATE: z.string().transform((v) => Number(v)).default('1.0'),
   DD_LOGS_INJECTION: z.string().default('true'),
+  DD_API_KEY: z.string().default(''),
+  DD_SITE: z.string().default('datadoghq.com'),
   DD_AGENT_HOST: z.string().default('localhost'),
   DD_AGENT_PORT: z.string().transform((v) => Number(v)).default('8126'),
   SENTRY_DSN: z.string().default(''),
@@ -25,6 +27,8 @@ export function getMonitoringConfig(): MonitoringConfig {
     DD_TRACE_ENABLED: process.env.DD_TRACE_ENABLED,
     DD_TRACE_SAMPLE_RATE: process.env.DD_TRACE_SAMPLE_RATE,
     DD_LOGS_INJECTION: process.env.DD_LOGS_INJECTION,
+    DD_API_KEY: process.env.DD_API_KEY,
+    DD_SITE: process.env.DD_SITE,
     DD_AGENT_HOST: process.env.DD_AGENT_HOST,
     DD_AGENT_PORT: process.env.DD_AGENT_PORT,
     SENTRY_DSN: process.env.SENTRY_DSN,