fix(security): harden cron and API route authentication

- public-holidays cron: replace fail-open inline auth check with verifyCronSecret
  (was open to unauthenticated access when CRON_SECRET unset)
- /api/perf: replace timing-unsafe string comparison with verifyCronSecret
- /api/health: strip baseUrl and latency fields from response to avoid
  leaking infrastructure details (NEXTAUTH_URL config, internal timings)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

apps/web/src/app/api/cron/public-holidays/route.ts

@@ -2,6 +2,7 @@ import { NextResponse } from "next/server";
 import { prisma } from "@capakraken/db";
 import { autoImportPublicHolidays } from "@capakraken/api";
 import { logger } from "@capakraken/api/lib/logger";
+import { verifyCronSecret } from "~/lib/cron-auth.js";
 
 export const dynamic = "force-dynamic";
 export const runtime = "nodejs";
@@ -16,17 +17,11 @@ export const runtime = "nodejs";
  * Query params:
  *   - year (optional): defaults to next year
  *
- * Optionally protected with CRON_SECRET environment variable.
- * When set, requests must include `Authorization: Bearer <secret>`.
+ * Protected with CRON_SECRET via `Authorization: Bearer <secret>` header.
  */
 export async function GET(request: Request) {
-  const cronSecret = process.env["CRON_SECRET"];
-  if (cronSecret) {
-    const auth = request.headers.get("authorization");
-    if (auth !== `Bearer ${cronSecret}`) {
-      return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
-    }
-  }
+  const deny = verifyCronSecret(request);
+  if (deny) return deny;
 
   const { searchParams } = new URL(request.url);
   const yearParam = searchParams.get("year");