feat #127: acid test security settings — apiConfig wiring, improved errors, expanded tests

[sigvardt]

Summary

Apply the acid test pattern to the Security Settings module, matching conventions established by 20+ prior acid tests (most recently campaign settings #125).

Changes

Core (bloomreachSecuritySettings.ts)

• Import BloomreachApiConfig type and add requireApiConfig helper for future API support
• Update all 6 action executors with apiConfig constructor parameter and descriptive UI-only error messages
• Update createSecuritySettingsActionExecutors() factory to accept and propagate apiConfig
• Update BloomreachSecuritySettingsService constructor to accept optional apiConfig
• Update 3 read methods (listSshTunnels, viewSshTunnel, viewTwoStepVerification) with input validation guards and descriptive error messages explaining Bloomreach API limitations

Tests (bloomreachSecuritySettings.test.ts) — 46 new tests (61 → 107)

• Validation edge cases: tabs, newlines, unicode, single-char, NaN port for all 5 validators
• URL encoding: unicode and hash characters in project names
• Constructor encoding: spaces, unicode, hash
• Executor UI-only availability messages (bulk + individual for all 6 executors)
• apiConfig acceptance tests for factory and service
• Read method descriptive UI-only error assertions
• Read method input validation (empty project rejection)
• Token expiry consistency across all 5 prepare* methods

CLI

No changes — apiConfig is an optional second parameter, all existing call sites continue to work.

Quality Gates

• ✅ Typecheck: Only pre-existing vitest module resolution errors (same as all other test files)
• ✅ Lint: Clean
• ✅ Tests: 8730/8730 passing (72 test files)
• ✅ Build: Success

Closes #127

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None