fix(worker): forward DATABASE_SSL and DATABASE_CA_CERT to worker containers #992

Merged
zbigniewsobiecki merged 1 commit into dev from fix/worker-database-ssl-forwarding
Mar 23, 2026

@zbigniewsobiecki
Member

Summary

  • Root cause: buildWorkerEnvWithProjectId() forwarded DATABASE_URL but not DATABASE_SSL / DATABASE_CA_CERT, so every worker container started with rejectUnauthorized: true regardless of the router's SSL config — causing `self-signed certificate in certificate chain` crashes during loadConfig() at worker startup.
  • Fix: conditionally forward both vars, following the same pattern used for SENTRY_DSN, CLAUDE_CODE_OAUTH_TOKEN, etc.
  • Refactor: extracted all conditional env-var forwarding into an appendOptionalEnvVars() helper to resolve a pre-existing noExcessiveCognitiveComplexity lint warning (score was 15, now 16 with our additions — extracting to a helper drops the main function to ~9).

Call chain fixed

Router (DATABASE_SSL=false) ──spawns──► Worker
                                         getDb() → getSslConfig()
                                                   DATABASE_SSL → undefined  ← was the bug
                                                   rejectUnauthorized: true → SSL error

Test plan

  • 3 new unit tests: forwards DATABASE_SSL when set, omits DATABASE_SSL when not set, forwards DATABASE_CA_CERT when set
  • All 6295 unit tests pass (npm test)
  • npm run lint — no warnings
  • npm run typecheck — clean
  • After deploy: trigger a manual worker job and confirm no `self-signed certificate` Sentry event fires
  • Check worker logs: `[Worker] Loaded projects config` should appear (indicating loadConfig() succeeded)

🤖 Generated with Claude Code

…ainers

Worker containers were missing DATABASE_SSL and DATABASE_CA_CERT env vars,
causing `self-signed certificate in certificate chain` SSL errors during
loadConfig() at worker startup. The router had DATABASE_SSL=false set but
buildWorkerEnvWithProjectId() only forwarded DATABASE_URL, so workers always
defaulted to rejectUnauthorized: true.

Also extracts all optional env-var forwarding into appendOptionalEnvVars()
to fix a pre-existing noExcessiveCognitiveComplexity lint warning that our
new if-branches pushed over the threshold.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@zbigniewsobiecki zbigniewsobiecki merged commit c1c8b01 into dev Mar 23, 2026
8 checks passed
@zbigniewsobiecki zbigniewsobiecki deleted the fix/worker-database-ssl-forwarding branch March 23, 2026 13:56
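
The conditional forwarding described in the summary and commit message above, as an added TypeScript example that is not the code from src/router/worker-env.ts. Only the variable names and the helper name appendOptionalEnvVars() come from the PR; the function bodies, the KEY=value array format, PROJECT_ID, DATABASE_POOL_SIZE and the unforwardedVars() guard are assumptions made for illustration.

```typescript
// Added example, not the project's worker-env.ts. Assumed: the KEY=value array
// format, PROJECT_ID, DATABASE_POOL_SIZE, unforwardedVars() and all function bodies.
type Env = Record<string, string | undefined>;

// Variables forwarded only when the router has a non-empty value for them.
const OPTIONAL_WORKER_VARS: string[] = [
  "DATABASE_SSL", "DATABASE_CA_CERT", "SENTRY_DSN", "CLAUDE_CODE_OAUTH_TOKEN",
];

const isSet = (v: string | undefined): v is string => v !== undefined && v !== "";

// Appends NAME=value for each optional variable that is set. Values are copied
// verbatim as strings; empty values count as unset (a choice made for this example).
function appendOptionalEnvVars(target: string[], source: Env, names = OPTIONAL_WORKER_VARS): void {
  for (const name of names) {
    const value = source[name];
    if (isSet(value)) target.push(`${name}=${value}`);
  }
}

function buildWorkerEnv(source: Env, projectId: string): string[] {
  const url = source["DATABASE_URL"];
  if (!isSet(url)) throw new Error("DATABASE_URL is required");
  const env = [`DATABASE_URL=${url}`, `PROJECT_ID=${projectId}`];
  appendOptionalEnvVars(env, source);
  return env;
}

// Regression guard for this class of bug: names the router has set under a
// prefix that never reach the worker, so a TLS setting cannot silently diverge.
function unforwardedVars(source: Env, workerEnv: string[], prefix = "DATABASE_"): string[] {
  const forwarded = workerEnv.map((entry) => entry.slice(0, entry.indexOf("=")));
  return Object.keys(source)
    .filter((k) => k.indexOf(prefix) === 0 && isSet(source[k]) && forwarded.indexOf(k) === -1)
    .sort();
}

// Constructed router environment (sample values only).
const sampleRouterEnv: Env = {
  DATABASE_URL: "postgres://app@db.example.internal:5432/app?sslmode=require",
  DATABASE_SSL: "false",
  DATABASE_CA_CERT: "-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----",
  DATABASE_POOL_SIZE: "10",
  SENTRY_DSN: "",
};
```

With the sample input the guard still reports the made-up DATABASE_POOL_SIZE, which is the cue to either forward that variable or record it as router-only.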
@codecov

codecov bot commented Mar 23, 2026

Codecov Report

❌ Patch coverage is 76.92308% with 3 lines in your changes missing coverage. Please review.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| src/router/worker-env.ts | 76.92% | 3 Missing ⚠️ |
