fix: tighten CSP, fix API key exposure, improve error handling

- Remove 'unsafe-inline' from script-src CSP directive
- Restrict connectSrc and imgSrc to known external domains
- Move Google API key from URL query parameter to X-Goog-Api-Key header
- Sanitize error logging in production (no stack traces)
- Log file link errors instead of silently swallowing them

https://claude.ai/code/session_01SoQKcF5Rz9Y8Nzo4PzkxY8

server/src/routes/files.ts

@@ -275,7 +275,9 @@ router.post('/:id/link', authenticate, (req: Request, res: Response) => {
     db.prepare('INSERT OR IGNORE INTO file_links (file_id, reservation_id, assignment_id, place_id) VALUES (?, ?, ?, ?)').run(
       id, reservation_id || null, assignment_id || null, place_id || null
     );
-  } catch {}
+  } catch (err) {
+    console.error('[Files] Error creating file link:', err instanceof Error ? err.message : err);
+  }
 
   const links = db.prepare('SELECT * FROM file_links WHERE file_id = ?').all(id);
   res.json({ success: true, links });