fix: resolve CSP violations and React hydration issues

- Fix Permissions-Policy header: change ambient-light-sensor to ambient-light
- Add Google Fonts domain to font-src CSP for Leaflet map tiles
- Allow unsafe-inline for style-src to support third-party libraries (Sonner, Leaflet)
- Fix React hydration mismatch by conditionally adding nonce attribute
- Add debug logging for nonce retrieval issues

These changes resolve all CSP violations while maintaining security best practices.

middleware.ts

@@ -78,7 +78,7 @@ export function middleware(request: NextRequest) {
       "accelerometer=()",
       "gyroscope=()",
       "magnetometer=()",
-      "ambient-light-sensor=()",
+      "ambient-light=()",
       "encrypted-media=()",
       "autoplay=(self)",
     ].join(", ")