feat(ops): Sentry error-monitoring (v1-readiness item 2)

Vier config-files volgens Next.js 15+ conventie:
- instrumentation.ts (root) → koppelt server/edge config aan runtime-hook
- instrumentation-client.ts → client-init + onRouterTransitionStart
- sentry.server.config.ts → node-runtime
- sentry.edge.config.ts → edge-runtime (proxy.ts)

next.config.ts gewrapped met withSentryConfig:
- Source-map-upload ALLEEN als SENTRY_AUTH_TOKEN gezet is
- Tunnel /monitoring omzeilt ad-blockers (*.sentry.io)
- Silent buiten CI

SDK is no-op zonder NEXT_PUBLIC_SENTRY_DSN — geen network/overhead in
dev of bij ontbrekende creds. Sample-rates conservatief: errors 100%,
performance 10% in productie / 100% in dev. Geen Replay (privacy-review
nodig + overkill voor MVP). sendDefaultPii uit.

.env.example gedocumenteerd; architectuur-doc bijgewerkt met nieuwe
sleutelbeslissing en file-tree-aanvulling. v1-readiness #1 verschoven
naar 'done', #2 hiermee in flight.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

.env.example

@@ -14,3 +14,14 @@ NODE_ENV="development"
 # local dev (the route returns 401 if the Authorization header doesn't match).
 # Generate with: openssl rand -base64 32
 CRON_SECRET=""
+
+# v1-readiness item 2 — Sentry error monitoring.
+# Optional. Without DSN, the SDK is a no-op (no network, no overhead).
+# Get a DSN at https://sentry.io → Project → Settings → Client Keys (DSN).
+NEXT_PUBLIC_SENTRY_DSN=""
+
+# Required ONLY if you want source-map upload during build (production deploy).
+# In Vercel: project settings → Environment Variables → add as encrypted.
+SENTRY_ORG=""
+SENTRY_PROJECT=""
+SENTRY_AUTH_TOKEN=""