
v1.108.73 - Harden: HTTP ingest fails closed without a token + redaction currency

@jgravelle jgravelle released this 22 Jun 16:42
· 27 commits to main since this release

Phase 2 (Harden) of the maintenance PRD.

WI-2.1 (F-S01): the HTTP ingest write endpoints (POST /runtime/{otel,sql,stack} and /org/report) now fail closed when enabled without JCODEMUNCH_HTTP_TOKEN. The bearer middleware only enforces the token when it is set, so an enabled endpoint with no token was an unauthenticated write surface guarded only by a startup warning; it now returns 503 and refuses the write, making the documented two-key turn real. The disabled path is unchanged. The other two F-S01 guards were re-verified intact (gzip-bomb decompressed-size check, per-repo write lock).

WI-2.3 (F-S03): redaction now covers current token formats the structural patterns missed: GitHub fine-grained PATs (github_pat_), OpenAI project/legacy keys (sk-proj-/sk-), and Anthropic keys (sk-ant-).

New tests/test_v1_108_73.py (10). Full suite 4710 passed / 10 skipped.
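The two behaviours above, the fail-closed two-key turn on the ingest write path and the prefix-based redaction of the listed token formats, as a self-contained Python model. This is an added example, not jcodemunch's own middleware or redaction code. The 503 on "enabled without token" and the four token prefixes come from the release note; everything else is an assumption: the names `IngestConfig`, `handle_ingest` and `redact_secrets`, the 404/401/202 codes for the other paths, the regex character classes and minimum lengths, and the constructed sample payload. The `fail_closed=False` switch reproduces the pre-fix gap the note describes (token enforced only when set) so the two behaviours can be compared side by side.

```python
import hmac
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example, not jcodemunch's code. Models the ingest write path:
# the endpoint must be enabled AND JCODEMUNCH_HTTP_TOKEN must be set,
# then the payload is redacted before it is stored.


@dataclass
class IngestConfig:
    enabled: bool            # the endpoint's enable switch (assumed name)
    token: Optional[str]     # value of JCODEMUNCH_HTTP_TOKEN, None if unset


# Most-specific prefix first, so "sk-ant-" and "sk-proj-" are labelled
# before the generic "sk-" rule runs. The prefixes are from the release
# note; character classes and minimum lengths are assumptions.
SECRET_PATTERNS = [
    ("github_pat", re.compile(r"github_pat_[A-Za-z0-9_]{20,}")),
    ("anthropic", re.compile(r"sk-ant-[A-Za-z0-9_-]{20,}")),
    ("openai_project", re.compile(r"sk-proj-[A-Za-z0-9_-]{20,}")),
    ("openai_legacy", re.compile(r"sk-[A-Za-z0-9]{20,}")),
]


def redact_secrets(text: str) -> str:
    """Replace each recognised token with a labelled placeholder."""
    for label, pattern in SECRET_PATTERNS:
        text = pattern.sub(f"<redacted:{label}>", text)
    return text


def _bearer_matches(auth_header: Optional[str], token: str) -> bool:
    """Constant-time comparison of the presented bearer token."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return False
    presented = auth_header[len("Bearer "):]
    return hmac.compare_digest(presented.encode(), token.encode())


def handle_ingest(config: IngestConfig, auth_header: Optional[str],
                  body: str, store: List[str],
                  fail_closed: bool = True) -> Tuple[int, Optional[str]]:
    """Return (status, stored payload or None).

    fail_closed=False reproduces the pre-fix behaviour: the token is only
    enforced when one is set, so enabled + no token is an open write.
    """
    if not config.enabled:
        return 404, None          # disabled path is unchanged (404 assumed)
    if not config.token:
        if fail_closed:
            return 503, None      # enabled without a token: refuse the write
        # legacy path: nothing to enforce, fall through to the write
    elif not _bearer_matches(auth_header, config.token):
        return 401, None          # wrong or missing bearer (401 assumed)
    cleaned = redact_secrets(body)
    store.append(cleaned)
    return 202, cleaned           # accepted (202 assumed)


# Constructed sample payload carrying one token of each listed format.
SAMPLE_BODY = (
    "gh=github_pat_11ABCDEFG0123456789abcdefghij "
    "oa=sk-proj-abcdefghijklmnopqrstuvwxyz0123 "
    "legacy=sk-abcdefghijklmnopqrstuvwxyz012345 "
    "claude=sk-ant-api03-abcdefghijklmnopqrstuvwxyz"
)


if __name__ == "__main__":
    store: List[str] = []
    print(handle_ingest(IngestConfig(True, None), None, SAMPLE_BODY, store))
    print(handle_ingest(IngestConfig(True, None), None, SAMPLE_BODY, store,
                        fail_closed=False)[0])
    print(handle_ingest(IngestConfig(True, "s3cret"), "Bearer s3cret",
                        SAMPLE_BODY, store))
```

The order of checks matters: the missing-token test runs before any bearer comparison, so a misconfigured deployment cannot be "unlocked" by a client guessing that no token is required. Redaction is applied to the payload before it reaches the store, which is where a leaked PAT or API key would otherwise persist.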