diag(cf-intern): instrument the proxy with session + upstream logging

Adds three log lines on the cf-intern route so we can pin down what
the live "Unauthorized" message means without grepping for it:
  - "[cf-intern] in session=true hasAccess=… userEmail=…" at entry
  - "[cf-intern] forwarding to gis-api: …" before the upstream call
  - "[cf-intern] gis-api error status=… code=… body=…" on GisApiError
  - "[cf-intern] internal error: …" on anything else

No behavioural change — purely diagnostic until we know whether the 401
originates in the architools session check, in the gis-api bearer
validation, or in gis-api's enrichment_scope gate.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/app/api/cf-intern/order/route.ts

@@ -17,10 +17,22 @@ type Body = { nrCadastral?: string; siruta?: string };
 
 export async function POST(request: Request) {
   const session = await getAuthSession();
-  if (!session) return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+  if (!session) {
+    console.warn("[cf-intern] no session → 401");
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+  }
+  const hasAccess = Boolean(
+    (session as { accessToken?: string } | null)?.accessToken,
+  );
+  console.log(
+    "[cf-intern] in session=true hasAccess=%s userEmail=%s",
+    hasAccess,
+    session.user?.email,
+  );
 
   const body = (await request.json()) as Body;
   if (!body.nrCadastral?.trim() || !body.siruta?.trim()) {
+    console.warn("[cf-intern] missing params:", body);
     return NextResponse.json(
       { error: "missing_params", message: "Necesare: nrCadastral, siruta." },
       { status: 400 },
@@ -28,10 +40,16 @@ export async function POST(request: Request) {
   }
 
   try {
+    console.log(
+      "[cf-intern] forwarding to gis-api: siruta=%s cad=%s",
+      body.siruta,
+      body.nrCadastral,
+    );
     const upstream = await gisApi.exports.cfIntern({
       nrCadastral: body.nrCadastral.trim(),
       siruta: body.siruta.trim(),
     });
+    console.log("[cf-intern] gis-api ok status=%d", upstream.status);
     const headers = new Headers();
     headers.set("Content-Type", upstream.headers.get("Content-Type") ?? "application/pdf");
     const cd = upstream.headers.get("Content-Disposition");
@@ -39,6 +57,12 @@ export async function POST(request: Request) {
     return new NextResponse(upstream.body, { status: 200, headers });
   } catch (err) {
     if (err instanceof GisApiError) {
+      console.warn(
+        "[cf-intern] gis-api error status=%d code=%s body=%j",
+        err.status,
+        err.code,
+        err.body,
+      );
       if (err.status === 404) {
         return NextResponse.json(
           {
@@ -55,6 +79,7 @@ export async function POST(request: Request) {
       );
     }
     const msg = err instanceof Error ? err.message : String(err);
+    console.error("[cf-intern] internal error:", msg);
     return NextResponse.json({ error: "internal_error", hint: msg.slice(0, 200) }, { status: 500 });
   }
 }