AGX1-356: Invalidate authz cache for changed principal

[deepthi-rao-scale]

Summary

• evict cached authorization checks only for the changed resource and effective principal after Agentex-mediated authz mutations: grant, revoke, register_resource, and deregister_resource
• keep cached authorization checks for other principals on the same resource intact
• bypass authorization-check cache lookups and writes for API-key auth contexts, where Spark AuthZ changes can happen outside Agentex
• avoid logging principal context or secret-bearing values from cache invalidation paths

Why

AGX1-323 deployment authz e2e found that actor permissions can be changed while Agentex still has a positive authorization decision cached. The authorization cache TTL is 300 seconds, so stale allows can persist until expiry.

For grant changes made through Agentex, this PR now evicts only the cache entries for the changed resource/effective-principal pair. For direct Spark AuthZ changes that bypass Agentex, there is no Agentex invalidation signal, so API-key auth contexts skip the local authz cache and re-check AuthZ on each request.

Linear: https://linear.app/scale-epd/issue/AGX1-356/invalidate-agentex-authz-cache-immediately-after-grant-changes

Test Plan

• uv run --group test pytest tests/unit/services/test_authorization_service_cache.py::test_authorization_mutations_only_clear_checks_for_mutated_principal -q
• uv run --group test pytest tests/unit/api/test_authentication_cache_metrics.py tests/unit/services/test_authorization_service_cache.py tests/unit/services/test_authorization_service_logging.py -q
• uv run --group test pytest tests/unit/api/test_agents_authz.py tests/unit/api/test_tasks_authz.py -q