fix: Sanitize middleware logging and add tracing headers

[thostetler]

Tracing headers (X-Original-Uri, X-Forwarded-For, X-Amzn-Trace-Id) were not being forwarded from middleware to the bootstrap API, breaking distributed tracing. Additionally, middleware logs were exposing raw usernames and were vulnerable to log injection.

• Forward TRACING_HEADERS to bootstrap API calls in initSession
• Add src/utils/logging.ts with getUserLogId() for privacy-safe user correlation (hashed)
• Add sanitizeHeaderValue() to prevent log injection attacks
• Enhanced structured logging throughout middleware with timing info
• Added tests for tracing header forwarding

[codecov]

Codecov Report

❌ Patch coverage is 87.55556% with 28 lines in your changes missing coverage. Please review.
✅ Project coverage is 61.0%. Comparing base (1467923) to head (39498ef).

Files with missing lines	Patch %	Lines
src/utils/logging.ts	63.3%	18 Missing ⚠️
src/middleware.ts	93.4%	10 Missing ⚠️

Additional details and impacted files

@@           Coverage Diff            @@
##           master    #754     +/-   ##
========================================
+ Coverage    60.8%   61.0%   +0.2%     
========================================
  Files         300     300             
  Lines       34871   34965     +94     
  Branches     1486    1506     +20     
========================================
+ Hits        21193   21317    +124     
+ Misses      13644   13614     -30     
  Partials       34      34             

Files with missing lines	Coverage Δ
src/middlewares/initSession.ts	91.4% <100.0%> (+0.8%)	⬆️
src/middleware.ts	93.9% <93.4%> (-0.7%)	⬇️
src/utils/logging.ts	63.3% <63.3%> (ø)

... and 3 files with indirect coverage changes

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.