Mail: Remove temporary debug headers from authentication middleware (QA)

A diagnostic follow-up that removes the temporary X-Debug-* response headers from the Mail app's authentication middleware after they had served their purpose in diagnosing a QA login-redirect issue. A protective code comment was also added to prevent the underlying bug from recurring. This is a cleanup change with no user-facing behavior change.

During an earlier investigation (follow-up to PR #964), temporary debug headers were added to the Mail middleware to surface internal authentication state (session presence, public-path checks, cross-origin detection, resolved API/app hostnames) on every response. These headers confirmed the root cause and the real fix shipped. Leaving them in place would unnecessarily expose internal application state on HTTP responses, so they needed to be removed once diagnosis was complete.

No visible change for Mail users — authentication and page redirects behave exactly as before. The benefit is operational and security hygiene: internal state (auth flags, hostnames) is no longer leaked on responses, and a new in-code WARNING documents a subtle reverse-proxy pitfall so the auth middleware is less likely to be accidentally disabled by future edits.

• Single file changed: apps/mail/src/middleware.ts (+5 / -17).
• Removed six temporary debug response headers: X-Debug-Skip-Auth, X-Debug-Has-Session, X-Debug-Is-Public, X-Debug-Cross-Origin, X-Debug-Api-Host, and X-Debug-App-Host.
• The legitimate Cache-Control: no-store, no-cache, must-revalidate header on the response is retained.
• Added a WARNING comment on isCrossOrigin() noting that request.nextUrl.hostname returns "localhost" behind reverse proxies (Docker/nginx) and that hostname must be read from forwarded/host headers, since a wrong true result silently disables the entire auth middleware.
• Cleanup follow-up to PR #964; no logic or routing behavior changed.

Low risk. The change only deletes diagnostic headers and adds a comment; it does not alter authentication, routing, or caching logic. Theoretical risk is that an external tool or monitor had started keying off the X-Debug-* headers, but these were explicitly temporary and should not be relied upon. Mitigation: verify the redirect/auth flow still works after deploy (see QA focus).

• Confirm curl -sI https://cortex-mailqa.datagainservices.com/inbox still returns a 307 redirect to SSO and that no x-debug-* headers are present in the response.
• Verify the standard Mail login flow on QA: unauthenticated access to a protected path redirects to SSO, and an authenticated session loads the inbox normally.
• Confirm public paths remain reachable without auth and that the Cache-Control no-store header is still present on responses.