feat: centralize app base URL — no localhost fallback in production

Introduce getAppBaseUrl() in packages/api/src/lib/app-base-url.ts:
- Reads NEXTAUTH_URL (trimmed, trailing slash stripped)
- production: throws if NEXTAUTH_URL is missing/empty so broken
  localhost links in emails are caught at runtime, not silently sent
- development/test: falls back to http://localhost:3100 with a
  one-time console.warn

Replace the duplicated inline fallback in:
- packages/api/src/router/invite.ts (invite email link)
- packages/api/src/router/auth.ts (password reset email link)

Extend GET /api/health to report:
  "baseUrl": { "configured": bool, "isLocalhost": bool }
so deployment checks can detect a misconfigured NEXTAUTH_URL.

Co-Authored-By: claude-flow <ruv@ruv.net>

apps/web/src/app/api/health/route.ts

@@ -1,11 +1,55 @@
 import { NextResponse } from "next/server";
+import { prisma } from "@capakraken/db";
+import { createConnection } from "net";
 
 export const dynamic = "force-dynamic";
 export const runtime = "nodejs";
 
-export function GET() {
-  return NextResponse.json({
-    status: "ok",
-    timestamp: new Date().toISOString(),
+const REDIS_URL = process.env["REDIS_URL"] ?? "redis://localhost:6380";
+
+async function checkDb(): Promise<"ok" | "error"> {
+  try {
+    await prisma.$queryRaw`SELECT 1`;
+    return "ok";
+  } catch {
+    return "error";
+  }
+}
+
+async function checkRedis(): Promise<"ok" | "error"> {
+  return new Promise((resolve) => {
+    try {
+      const url = new URL(REDIS_URL);
+      const host = url.hostname || "localhost";
+      const port = parseInt(url.port || "6379", 10);
+      const socket = createConnection({ host, port }, () => {
+        socket.write("*1\r\n$4\r\nPING\r\n");
+      });
+      socket.setTimeout(2000);
+      socket.on("data", (data) => {
+        socket.destroy();
+        resolve(data.toString().includes("PONG") ? "ok" : "error");
+      });
+      socket.on("timeout", () => { socket.destroy(); resolve("error"); });
+      socket.on("error", () => { socket.destroy(); resolve("error"); });
+    } catch {
+      resolve("error");
+    }
   });
 }
+
+function checkBaseUrl(): { configured: boolean; isLocalhost: boolean } {
+  const raw = process.env["NEXTAUTH_URL"]?.trim();
+  if (!raw) return { configured: false, isLocalhost: false };
+  return { configured: true, isLocalhost: raw.startsWith("http://localhost") };
+}
+
+export async function GET() {
+  const [db, redis] = await Promise.all([checkDb(), checkRedis()]);
+  const baseUrl = checkBaseUrl();
+  const ok = db === "ok" && redis === "ok";
+  return NextResponse.json(
+    { status: ok ? "ok" : "degraded", db, redis, baseUrl, timestamp: new Date().toISOString() },
+    { status: ok ? 200 : 503 },
+  );
+}