fix: mask api_password and access_token in settings page; add List to threshold imports

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

hbd/server/settings.py

@@ -24,7 +24,7 @@ sensitive   bool  True when the raw value must never be shown
 # Credential field names that should always be masked.
 _SECRET_KEYS = frozenset({
     "password", "token", "user_key", "api_key", "secret",
-    "smtp_password", "smtp_user",
+    "smtp_password", "smtp_user", "api_password", "access_token",
 })
 
 _CHANNEL_TYPE_LABELS = {