fix(#411): QA-004 — HttpException for session guard + PDA-friendly auth error

getSession now throws HttpException(401) instead of raw Error.
handleAuth error message updated to PDA-friendly language.
headersSent branch upgraded from warn to error with request details.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

apps/api/src/auth/auth.config.ts

@@ -116,14 +116,28 @@ function getOidcPlugins(): ReturnType<typeof genericOAuth>[] {
     return [];
   }
 
+  const clientId = process.env.OIDC_CLIENT_ID;
+  const clientSecret = process.env.OIDC_CLIENT_SECRET;
+  const issuer = process.env.OIDC_ISSUER;
+
+  if (!clientId) {
+    throw new Error("OIDC_CLIENT_ID is required when OIDC is enabled but was not set.");
+  }
+  if (!clientSecret) {
+    throw new Error("OIDC_CLIENT_SECRET is required when OIDC is enabled but was not set.");
+  }
+  if (!issuer) {
+    throw new Error("OIDC_ISSUER is required when OIDC is enabled but was not set.");
+  }
+
   return [
     genericOAuth({
       config: [
         {
           providerId: "authentik",
-          clientId: process.env.OIDC_CLIENT_ID ?? "",
-          clientSecret: process.env.OIDC_CLIENT_SECRET ?? "",
-          discoveryUrl: `${process.env.OIDC_ISSUER ?? ""}.well-known/openid-configuration`,
+          clientId,
+          clientSecret,
+          discoveryUrl: `${issuer}.well-known/openid-configuration`,
           pkce: true,
           scopes: ["openid", "profile", "email"],
         },
@@ -168,8 +182,11 @@ export function getTrustedOrigins(): string[] {
           continue;
         }
         origins.push(origin);
-      } catch {
-        console.warn(`[AUTH] Ignoring invalid URL in TRUSTED_ORIGINS: "${origin}"`);
+      } catch (urlError: unknown) {
+        const detail = urlError instanceof Error ? urlError.message : String(urlError);
+        console.warn(
+          `[AUTH] Ignoring invalid URL in TRUSTED_ORIGINS: "${origin}" (${detail})`
+        );
       }
     }
   }