Summary

Allow coderd to start with an empty base DERP map when built-in DERP is disabled
and no static DERP map is configured, so DERP can come from workspace proxies
after startup.

Also add a DERP healthcheck warning when no DERP servers are currently available
at runtime.

Why

The current startup path rejects an empty DERP map. That blocks the enterprise
case where:

• built-in DERP is disabled
• no external DERP map is configured
• DERP is expected to be provided by workspace proxies once they register

Relaxing startup fixes that bootstrap path, but it also means a deployment can
start successfully while still having no usable DERP available. The healthcheck
warning closes that visibility gap.

What changed

• Allow an empty base DERP map only when:
  • built-in DERP is disabled
  • --derp-config-url is unset
  • --derp-config-path is unset
• Keep tailnet.NewDERPMap() strict; the exception is only in startup and the
  matching test harness
• Update enterprise bootstrap/test code that assumed BaseDERPMap.RegionIDs()[0]
  always existed
• Update workspace proxy tests to cover registration from a truly empty startup
  DERP map
• Add a startup warning and a transient DERP healthcheck warning when no DERP
  servers are available

Testing

• startup succeeds with built-in DERP disabled and no external DERP map configured
• startup still succeeds with built-in DERP disabled when an external DERP map is
  configured
• workspace proxy registration works from an empty startup DERP map
• DERP healthcheck warns for empty and STUN-only DERP maps
• DERP healthcheck does not warn when a real DERP node is present

Notes

The new healthcheck signal is a warning, not an error, because an empty DERP map
can be a temporary state while a DERP-enabled workspace proxy is coming online.

Related to: https://linear.app/codercom/issue/PLAT-43/bug-coderd-unable-to-be-started-if-built-in-derp-server-disabled-and
Related to: #22324