P1 security: extravars JSONB column stores and returns secrets in plaintext via API #451

@hellodk

Summary

PlaybookRunRequest.extravars is stored verbatim in ansible_jobs.extravars (JSONB) and returned in AnsibleJobResponse to any authenticated viewer. A caller can pass ansible_ssh_pass as an extravar and have it persisted and leaked through the jobs list/detail API.

Root cause

fleet_platform/models/ansible_job.py:20 extravars = mapped_column(JSONB)
fleet_platform/api/routes/ansible.py:1268-1280 — returned verbatim in response

Definition of Ready (DoR)

  • Branch: fix/security-extravars-scrub
  • Agree on sensitive key list: ansible_ssh_pass, ansible_become_password, password, secret, token

Acceptance criteria

  • Extravars are scrubbed of sensitive keys before write using the existing _scrub() pattern from audit.py
  • OR: sensitive extravar keys rejected at API layer with 422
  • AnsibleJobResponse.extravars never contains a sensitive key value
  • Existing rows in DB not retroactively scrubbed (out of scope; document in PR)

Tests required

  • Unit: test_extravars_sensitive_keys_scrubbed_before_storage
  • Integration: POST run with ansible_ssh_pass extravar; GET job response does not contain it

Definition of Done (DoD)

  • Scrubbing applied before write
  • Tests pass
  • Closes #N
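
An added sketch covering both acceptance-criteria options above (scrub before write, or detect sensitive keys so the API can reject with 422). This is not the project's code and not the `_scrub()` helper from audit.py; `scrub_extravars`, `find_sensitive_keys`, `REDACTED` and the sample payload are hypothetical names and values constructed for this example, and only the key list comes from the issue.

```python
from __future__ import annotations

from typing import Any

# Key list proposed in the issue's Definition of Ready.
SENSITIVE_KEYS = frozenset({
    "ansible_ssh_pass", "ansible_become_password", "password", "secret", "token",
})
REDACTED = "***REDACTED***"  # placeholder value chosen for this example


def _is_sensitive(key: Any) -> bool:
    # Exact, case-insensitive match: "Password" is caught, "token_ttl" is not.
    return isinstance(key, str) and key.lower() in SENSITIVE_KEYS


def find_sensitive_keys(value: Any, path: str = "") -> list[str]:
    """Return paths of sensitive keys; a non-empty result supports the 422 option."""
    hits: list[str] = []
    if isinstance(value, dict):
        for k, v in value.items():
            here = f"{path}.{k}" if path else str(k)
            if _is_sensitive(k):
                hits.append(here)
            else:
                hits.extend(find_sensitive_keys(v, here))
    elif isinstance(value, list):
        for i, item in enumerate(value):
            hits.extend(find_sensitive_keys(item, f"{path}[{i}]"))
    return hits


def scrub_extravars(value: Any) -> Any:
    """Return a scrubbed copy for storage; the caller's dict is not mutated."""
    if isinstance(value, dict):
        return {k: REDACTED if _is_sensitive(k) else scrub_extravars(v)
                for k, v in value.items()}
    if isinstance(value, list):
        return [scrub_extravars(item) for item in value]
    return value


# Constructed sample request body, not taken from the project.
SAMPLE = {
    "target_env": "staging",
    "ansible_ssh_pass": "hunter2",
    "db": {"Password": "s3cr3t", "port": 5432},
    "hosts": [{"name": "web1", "token": "abc"}],
}
```

Exact key matching leaves variants such as `db_password` untouched, so the agreed key list determines what is actually covered.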

Labels: bug, p1-high, security