[P0] Remove token, secret, and raw request-body logging #274

Description

@jjoonleo

Problem

The backend logs bearer tokens, Apple client secrets, and raw request bodies. Several DTOs also implement toString, so sensitive request payloads can be emitted through the request logging aspect.

Why this is not production ready

Logs are often copied into third-party systems and retained longer than application data. Logging access tokens, refresh tokens, OAuth secrets, Firebase tokens, passwords, notes, or personal profile data creates account takeover and privacy risk.

Evidence

  • JwtTokenProvider.sendAccessToken logs the issued access token.
  • JwtTokenProvider.sendAccessAndRefreshToken logs access and refresh tokens.
  • AppleLoginService.getAppleAccessTokenAndRefreshToken logs client_secret.
  • LoggingAspect.logRequest calls args[i].toString() for every @RequestBody and logs it.
  • DTOs such as FirebaseTokenAddDto, FeedbackAddDto, FinishPreparationDto, ScheduleAddDto, and alarm DTOs use Lombok @ToString.

Required work

  • Remove all token and secret log statements.
  • Add a centralized redaction strategy for request logging.
  • Never log raw @RequestBody; log route, actor, status, timing, and a request ID instead.
  • If field-level logging is needed, allowlist safe fields only.
  • Add tests or static checks that prevent logging sensitive key names such as password, token, secret, authorization, and firebaseToken.

Acceptance criteria

  • Login, refresh, Apple OAuth, Firebase registration, password change, and alarm status requests produce no secrets or sensitive payload fields in logs.
  • A documented redaction policy exists for future request logging.
  • Existing tests or a lightweight scanner fail if sensitive log patterns are reintroduced.
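
A lightweight scanner of the kind the acceptance criteria call for, as an added example that is not part of the issue or the project's code. It assumes SLF4J-style calls on a field named `log` or `logger`; the function name `scan_source` and the Java sample are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Key names from the issue, matched case-insensitively inside identifiers.
SENSITIVE = ("password", "token", "secret", "authorization", "firebasetoken")
# Assumption: logging goes through an SLF4J-style field named log or logger.
LOG_CALL = re.compile(r"\b(?:log|logger)\.(?:trace|debug|info|warn|error)\s*\(", re.I)
STRING_LITERAL = re.compile(r'"(?:\\.|[^"\\\n])*"')
IDENT = re.compile(r"[A-Za-z_]\w*")

def scan_source(source, name="<memory>"):
    """Return (file, line, identifiers) for log calls whose arguments name secrets."""
    # Blank out message literals: "token refreshed" is harmless text, while an
    # argument such as accessToken is a value that would reach the log.
    code = STRING_LITERAL.sub('""', source)
    findings = []
    for m in LOG_CALL.finditer(code):
        depth, i = 1, m.end()
        while i < len(code) and depth:          # walk to the matching ")"
            depth += (code[i] == "(") - (code[i] == ")")
            i += 1
        hits = sorted({w for w in IDENT.findall(code[m.end():i])
                       if any(k in w.lower() for k in SENSITIVE)})
        if hits:
            findings.append((name, code.count("\n", 0, m.start()) + 1, hits))
    return findings

# Constructed sample, not code from the project.
SAMPLE = '''\
class Sample {
    void issue(String accessToken, String clientSecret, String userId) {
        log.info("issued access token: {}", accessToken);
        log.info("token refreshed for user {}", userId);
        log.debug("apple request: {}",
                  buildBody(clientSecret));
    }
}
'''

if __name__ == "__main__":
    if len(sys.argv) > 1:   # CI usage: pass the source root as the argument
        results = [f for p in Path(sys.argv[1]).rglob("*.java")
                   for f in scan_source(p.read_text(encoding="utf-8", errors="replace"), str(p))]
    else:
        results = scan_source(SAMPLE, "Sample.java")
    for name, line, hits in results:
        print(f"{name}:{line}: log call references {', '.join(hits)}")
    sys.exit(1 if results else 0)
```

The script exits non-zero when any finding is reported, so it can run as a build step. It does not catch `args[i].toString()` on a request body, which still needs the allowlist approach described under "Required work".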

Labels

  • area:security (Security, privacy, auth, or secrets)
  • priority:P0 (Critical: blocks safe production launch)
  • production-readiness (Production readiness audit item)
  • type:hardening (Security/stability hardening task)
