HLS proxy: empty BRIDGE_TUNNEL_SECRET is sent as a literal empty bearer #19

@NewCoder3294

Where

`apps/web/app/api/hls/route.ts` around line 235

Problem

The HLS proxy attaches `x-bridge-auth: ${env.BRIDGE_TUNNEL_SECRET ?? ""}` to the upstream request. If the env var is unset (local dev, broken deploy config, contributor's first `pnpm dev`), the request still goes out — just with an empty auth header. The bridge tunnel decides whether to accept that or not; from the web app's side, "secret is missing" is silently indistinguishable from "secret was sent".

Why it matters

  • A misconfigured deploy could be silently proxying without auth and nobody would notice in logs.
  • A contributor running locally has no signal that they're missing config until something downstream fails opaquely.

Suggested fix

Fail fast and visibly when the secret is missing in production:

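```ts
// Treats an unset or empty secret as missing (unlike `?? ""`, which lets "" through).
if (!env.BRIDGE_TUNNEL_SECRET) {
  if (process.env.NODE_ENV === "production") {
    // Fail closed in production instead of proxying with an empty auth header.
    return NextResponse.json({ error: "tunnel_secret_missing" }, { status: 503 });
  }
  console.warn("[hls] BRIDGE_TUNNEL_SECRET not set — upstream will reject");
}
```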

Better yet, add it to the Zod schema in `lib/env.ts` so the process refuses to boot without it in production.

Severity

Med — not exploitable on its own, but it hides a misconfiguration that could become exploitable.
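
An added example, not part of the original issue or the project's code: a dependency-free TypeScript sketch of the fail-fast rule suggested above, usable both in the route handler and as a boot-time check. `resolveBridgeAuth`, `assertBootEnv`, `readSecret` and the `Env`/`BridgeAuth` types are hypothetical names; trimming the secret and omitting the header outside production are assumptions of this sketch.

```typescript
// Hypothetical helper types; env is passed in so the logic is testable offline.
type Env = Record<string, string | undefined>;

type BridgeAuth =
  | { ok: true; headers: Record<string, string>; warning?: string }
  | { ok: false; status: 503; error: "tunnel_secret_missing" };

// Unset, empty and whitespace-only values all count as "missing".
// `value ?? ""` only catches undefined/null, so BRIDGE_TUNNEL_SECRET="" slips past it.
function readSecret(env: Env): string | undefined {
  const raw = env.BRIDGE_TUNNEL_SECRET;
  if (raw === undefined) return undefined;
  const trimmed = raw.trim(); // assumption: surrounding whitespace is never part of the secret
  return trimmed.length > 0 ? trimmed : undefined;
}

// Decide what the HLS proxy may send upstream.
function resolveBridgeAuth(env: Env): BridgeAuth {
  const secret = readSecret(env);
  if (secret !== undefined) {
    return { ok: true, headers: { "x-bridge-auth": secret } };
  }
  if (env.NODE_ENV === "production") {
    // Fail closed: the caller returns 503 and never contacts the bridge tunnel.
    return { ok: false, status: 503, error: "tunnel_secret_missing" };
  }
  // Outside production: omit the header rather than sending an empty one,
  // and hand the caller a warning to log so the missing config is visible.
  return {
    ok: true,
    headers: {},
    warning: "[hls] BRIDGE_TUNNEL_SECRET not set; upstream will reject",
  };
}

// Boot-time variant of the same rule: refuse to start in production without the secret.
function assertBootEnv(env: Env): void {
  const auth = resolveBridgeAuth(env);
  if (!auth.ok) {
    throw new Error(`refusing to start: ${auth.error}`);
  }
}
```
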

Labels: bug
