kanidm: don't log provisioned passwords via instrumentation

This also make sure to test this in the related nixos test.

Fixes: CVE-2025-30205
Reported-By: Katherina Walshe-Grey <qenya@qenya.tel>

nixos/tests/kanidm-provisioning.nix

@@ -306,6 +306,10 @@ import ./make-test-python.nix (
             provision.succeed('${specialisations}/credentialProvision/bin/switch-to-configuration test')
             provision_login("${provisionIdmAdminPassword}")
 
+            # Make sure neither password is logged
+            provision.fail("journalctl --since -10m --unit kanidm.service --grep '${provisionAdminPassword}'")
+            provision.fail("journalctl --since -10m --unit kanidm.service --grep '${provisionIdmAdminPassword}'")
+
             # Test provisioned admin pw
             out = provision.succeed("KANIDM_PASSWORD=${provisionAdminPassword} kanidm login -D admin")
             assert_contains(out, "Login Success for admin")

pkgs/by-name/ka/kanidm/patches/1_3/recover-account.patch

@@ -19,7 +19,8 @@ index 40c18777f..40d553b40 100644
  
      #[instrument(
          level = "info",
-         skip(self, eventid),
+-        skip(self, eventid),
++        skip(self, password, eventid),
          fields(uuid = ?eventid)
      )]
      pub(crate) async fn handle_admin_recover_account(

pkgs/by-name/ka/kanidm/patches/1_4/recover-account.patch

@@ -19,7 +19,8 @@ index 420e72c6c..5c4353116 100644
  
      #[instrument(
          level = "info",
-         skip(self, eventid),
+-        skip(self, eventid),
++        skip(self, password, eventid),
          fields(uuid = ?eventid)
      )]
      pub(crate) async fn handle_admin_recover_account(

pkgs/by-name/ka/kanidm/patches/1_5/recover-account.patch

@@ -19,7 +19,8 @@ index 420e72c6c..5c4353116 100644
  
      #[instrument(
          level = "info",
-         skip(self, eventid),
+-        skip(self, eventid),
++        skip(self, password, eventid),
          fields(uuid = ?eventid)
      )]
      pub(crate) async fn handle_admin_recover_account(