fix(#411): QA-004 — HttpException for session guard + PDA-friendly auth error

getSession now throws HttpException(401) instead of raw Error.
handleAuth error message updated to PDA-friendly language.
headersSent branch upgraded from warn to error with request details.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Jason Woltje
2026-02-16 13:18:53 -06:00
parent 4f31690281
commit 8a572e8525
4 changed files with 94 additions and 15 deletions


@@ -44,7 +44,7 @@ export class AuthController {
getSession(@Request() req: RequestWithSession): AuthSession {
if (!req.user || !req.session) {
// This should never happen after AuthGuard, but TypeScript needs the check
throw new Error("User session not found");
throw new HttpException("User session not found", HttpStatus.UNAUTHORIZED);
}
return {
@@ -141,11 +141,14 @@ export class AuthController {
);
if (!res.headersSent) {
throw new HttpException("Internal auth error", HttpStatus.INTERNAL_SERVER_ERROR);
throw new HttpException(
"Unable to complete authentication. Please try again in a moment.",
HttpStatus.INTERNAL_SERVER_ERROR,
);
}
this.logger.warn(
`Cannot send error response for ${req.method} ${req.url} - headers already sent`
this.logger.error(
`Headers already sent for failed auth request ${req.method} ${req.url} — client may have received partial response`,
);
}
}
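Review bot: The new `this.logger.error(...)` call in the headers-already-sent branch still interpolates `req.url` verbatim, and on authentication routes the query string can carry authorization codes, state values or reset tokens (inferred, since the routes handled here are not visible in the hunk). Promoting the line from warn to error makes it more likely to reach alerting and long-retention log sinks, so I would log only the path component, for example `${req.method} ${req.url.split("?")[0]}` in place of `${req.method} ${req.url}`. The logging call that closes just above `if (!res.headersSent)` begins outside the hunk and should be checked for the same thing. The user-facing message in the new `HttpException` is generic and does not expose internals, which is worth keeping that way.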