[AAP-64061] Add nginx log markers for direct API access detection (#2100)

Add map directives for X-Trusted-Proxy and X-DAB-JW-TOKEN headers to
log the presence of these headers as trusted_proxy_present and
dab_jwt_present fields in the nginx access log.

These markers enable the detection tool (aap-detect-direct-component-access)
to identify direct API access that bypasses AAP Gateway.

Also add explicit error_log /dev/stderr warn; instead of relying on
container base image symlinks.

Part of ANSTRAT-1840: Remove direct API access to platform components.

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

roles/installer/templates/configmaps/config.yaml.j2

@@ -111,11 +111,23 @@ data:
         server_tokens off;
         client_max_body_size {{ nginx_client_max_body_size }}M;
 
+        map $http_x_trusted_proxy $trusted_proxy_present {
+            default "trusted-proxy";
+            ""      "-";
+        }
+
+        map $http_x_dab_jw_token $dab_jwt_present {
+            default "dab-jwt";
+            ""      "-";
+        }
+
         log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                           '$status $body_bytes_sent "$http_referer" '
-                          '"$http_user_agent" "$http_x_forwarded_for"';
+                          '"$http_user_agent" "$http_x_forwarded_for" '
+                          '$trusted_proxy_present $dab_jwt_present';
 
         access_log /dev/stdout main;
+        error_log /dev/stderr warn;
 
         map $http_upgrade $connection_upgrade {
             default upgrade;