
fix(vminitd): redact environment variable values from debug logs#575

Open
cluster2600 wants to merge 1 commit into apple:main from cluster2600:fix/518-scrub-env-from-debug-logs

Conversation

@cluster2600
Contributor

Summary

  • Redact environment variable values from vminitd debug log output to prevent secrets from leaking into container boot logs
  • Environment variable keys are still logged for debuggability, but values are replaced with <redacted>
  • Adds RedactedSpec and RedactedProcess wrapper types with CustomStringConvertible conformance for clean log output

Fixes #518

Context

This is a follow-up to #521, which was closed. The approach is the same: introduce redaction wrappers that replace env var values with <redacted> before logging. This keeps boot logs useful for diagnostics (keys are still visible) while preventing secret values from leaking.

Example output after this change:

env: ["PATH=<redacted>", "MY_SECRET=<redacted>", "HOME=<redacted>"]

Test plan

  • Run container run -d --name web --rm --env MY_SECRET=password python:slim python3 -m http.server --bind 0.0.0.0 8000
  • Check container logs --boot web | grep SECRET
  • Verify that MY_SECRET key appears but password value does not
  • Run container exec --env MY_OTHER_SECRET=abc123 web echo hello
  • Verify exec process log also redacts env values

Scrub environment variable values when logging OCI process specs
to prevent secrets passed via --env from appearing in boot logs.

Fixes apple#518

Signed-off-by: Maxime Grenu <maxime.grenu@gmail.com>
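Added illustration of the wrapper approach the summary describes (example code written for this page, not the PR's own RedactedProcess/RedactedSpec or any apple/container type): a hypothetical Process with an OCI-style env list of "KEY=VALUE" strings is wrapped so that its description keeps each key and replaces each value with <redacted>. The split is on the first "=" only, so values that themselves contain "=" (base64 padding, connection strings) are still fully hidden, and an entry with no "=" at all is redacted whole rather than echoed.

```swift
// Hypothetical stand-in for the OCI process spec; field names are assumptions.
struct Process {
    var args: [String]
    var env: [String]   // entries in the OCI "KEY=VALUE" form
}

/// Log-safe view of a Process: same keys, every value replaced.
struct RedactedProcess: CustomStringConvertible {
    let process: Process

    /// "KEY=VALUE" -> "KEY=<redacted>". Only the first "=" delimits the key,
    /// so a value containing "=" never leaks its tail. A malformed entry with
    /// no "=" has no key to keep, so the whole entry is replaced.
    static func redact(_ entry: String) -> String {
        guard let eq = entry.firstIndex(of: "=") else { return "<redacted>" }
        return String(entry[..<eq]) + "=<redacted>"
    }

    var description: String {
        let env = process.env.map(Self.redact)
        return "Process(args: \(process.args), env: \(env))"
    }
}

// Constructed sample input; the "secret" values are placeholders.
let proc = Process(
    args: ["python3", "-m", "http.server"],
    env: ["PATH=/usr/local/bin:/usr/bin", "MY_SECRET=password", "TOKEN=YWJj==", "BROKEN_ENTRY"]
)

// Logging the wrapper rather than the Process keeps values out of the log line.
print("starting process: \(RedactedProcess(process: proc))")
```

The point for reviewers of such a change is that every log call site must go through the wrapper; a single remaining interpolation of the raw spec at debug or trace level reintroduces the leak.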
@dcantah
Member

dcantah commented Mar 9, 2026

It was closed as I don't think we came to a consensus on how to handle it. The default logging level is no longer debug, so the envvars won't show up by default anyways anymore. Seemed like we were leaning towards only printing the oci spec at trace level, but we don't have anything exposed in container today to set the guests log level.


Development

Successfully merging this pull request may close these issues.

[Bug]: vminitd logs can expose environment variable secrets
