Fix CSP for OAuth + surface env var names in /api/health

Two bugs surfaced in production deploy:

1. Google/GitHub/LinkedIn OAuth blocked by CSP form-action 'self'
   - The authorization redirect is done via form submission to
     accounts.google.com / github.com / www.linkedin.com. Our CSP
     only allowed 'self', so the browser refused to load the OAuth
     URL.
   - Added the three provider origins plus https://*.our.one to the
     form-action directive (same fix in both Hall and marketing's
     proxy.ts; the cross-subdomain allowance is also needed for the
     SSO proxy flow).

2. /api/health returned {"status":"degraded"} with no detail in
   production, leaving operators to guess which env var was missing
   - Env var NAMES are now exposed always. Names are not secrets —
     they're what an operator needs to fix the config. The actual
     values stay secret.
   - DB error message stays redacted in production because connection
     strings can leak through error text; unredacted on preview and dev.

Next diagnostic step for the Hall deploy: hit /api/health again and
the response will list the specific missing env vars.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: radosukala

src/proxy.ts

@@ -17,7 +17,10 @@ export async function proxy(_request: NextRequest) {
     "object-src 'none'",
     "frame-ancestors 'none'",
     "base-uri 'self'",
-    "form-action 'self'",
+    // form-action allows cross-subdomain form submissions for the SSO
+    // proxy flow (Hall posts OAuth initiations to our.one, etc.) plus
+    // direct OAuth endpoints in case any app ever authenticates locally.
+    "form-action 'self' https://*.our.one https://accounts.google.com https://github.com https://www.linkedin.com",
     ...(isDev ? [] : ["upgrade-insecure-requests"]),
   ].join("; ");