debug(auth): expose session.debug={hasRefreshToken, expiresIn}

Temporary — verify whether Marius's JWT has a refresh_token. Will
revert once cause is identified.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/core/auth/auth-options.ts

@@ -161,6 +161,16 @@ export const authOptions: NextAuthOptions = {
       (session as any).accessToken = token.accessToken;
       // Surface refresh failure so the client can force a re-login UX.
       if (token.error) (session as any).error = token.error;
+      // Temporary diagnostic — confirms whether jwt callback captured a
+      // refresh_token + expiry on sign-in. Reveal counts/booleans only,
+      // never the actual tokens.
+      (session as any).debug = {
+        hasRefreshToken: !!token.refreshToken,
+        accessTokenExpiresIn:
+          typeof token.accessTokenExpires === "number"
+            ? Math.round((token.accessTokenExpires - Date.now()) / 1000)
+            : null,
+      };
       // Faza C cutover flag — exposed on session so client components can
       // branch the same way server routes do (env-driven, evaluated per
       // request so flag flip + container restart picks up without rebuild).