fix(observability): redact sink-specific API key headers in debug logs (#25516)
* fix(observability): redact sink-specific API key headers in debug logs

Expand the sensitive header list in `remove_sensitive()` to cover `DD-API-KEY`, `X-Honeycomb-Team`, `x-api-key`, and `Api-Key`, which are injected by Vector's own sinks and were previously logged in plaintext when debug logging was enabled.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(observability): mark all duplicate sensitive header values in debug logs

`HeaderMap::get_mut` only returned the first value for a header name, leaving any duplicates (added via `append` or injected by a proxy) unredacted. Switch to `iter_mut` so every entry matching a sensitive name is marked.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* chore: apply rustfmt to http_client tests

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* test(observability): add case-insensitive header name test

HeaderName normalizes to lowercase, confirming that mixed-case variants like X-Api-Key are redacted by the same path as x-api-key.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(observability): add Proxy-Authenticate, WWW-Authenticate, and Cookie2 to sensitive headers

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* chore: update changelog to include newly redacted headers

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Pavlos Rontidis committed
b7aae737cef5dd37d1445915443a1eb97b584f85
Parent: ba27e2e
Committed by GitHub <noreply@github.com>
on 5/28/2026, 6:33:49 PM
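
The duplicate-value gap named in the second item of the commit message, modelled with the standard library only. This is an added example, not Vector's code and not part of this commit: the `Headers` list stands in for a multi-valued header map, and `redact_first_only`, `redact_all`, `leaked`, `sample` and the `<redacted>` placeholder are hypothetical names with constructed key values.

```rust
use std::collections::HashSet;

// Header names listed in the commit message, lowercased for comparison.
const SENSITIVE: [&str; 7] = [
    "dd-api-key", "x-honeycomb-team", "x-api-key", "api-key",
    "proxy-authenticate", "www-authenticate", "cookie2",
];
type Headers = Vec<(String, String)>; // wire order, duplicates allowed

fn is_sensitive(name: &str) -> bool {
    let lower = name.to_ascii_lowercase();
    SENSITIVE.contains(&lower.as_str())
}

/// Pre-fix model: one lookup per name masks only the first matching entry.
fn redact_first_only(headers: &Headers) -> Headers {
    let mut seen = HashSet::new();
    headers.iter().map(|(n, v)| {
        let first = is_sensitive(n) && seen.insert(n.to_ascii_lowercase());
        (n.clone(), if first { "<redacted>".to_string() } else { v.clone() })
    }).collect()
}

/// Post-fix model: every entry whose name is sensitive is masked.
fn redact_all(headers: &Headers) -> Headers {
    headers.iter().map(|(n, v)| {
        (n.clone(), if is_sensitive(n) { "<redacted>".to_string() } else { v.clone() })
    }).collect()
}

/// Counts logged values that still equal one of the known secrets.
fn leaked(logged: &Headers, secrets: &[&str]) -> usize {
    logged.iter().filter(|(_, v)| secrets.contains(&v.as_str())).count()
}

/// Constructed sample: a duplicated key in mixed case, as a proxy might append.
fn sample() -> Headers {
    [("Content-Type", "application/json"), ("x-api-key", "key-one-constructed"),
     ("X-Api-Key", "key-two-constructed"), ("DD-API-KEY", "key-three-constructed")]
        .iter().map(|(n, v)| (n.to_string(), v.to_string())).collect()
}

fn main() {
    let secrets = ["key-one-constructed", "key-two-constructed", "key-three-constructed"];
    println!("first-only leaks: {}", leaked(&redact_first_only(&sample()), &secrets));
    println!("all-entries leaks: {}", leaked(&redact_all(&sample()), &secrets));
}
```

A regression test for this class of bug should build its request with a repeated header, since a single-value fixture passes under both behaviours.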