fix(webapp): preserve preexisting 400 status in two catches, just hide leak

The previous sweep collapsed two existing 400 branches to 500 along with
the leak-sanitization. Keep the 400 status — the inner branches were
catching errors that callers had been informed of via 400, and clients
may depend on that. Just replace the leaky `error.message` body with a
generic per-route message.

- api.v1.orgs.$orgParam.projects.ts (createProject failure): 500 → 400
  with `"Failed to create project"`.
- api.v1.authorization-code.ts (instanceof Error branch): 500 → 400 with
  `"Failed to create authorization code"`.

Both branches probed locally: synthetic failure forces the path and the
response is the documented 400 + generic body.

Author: d-cs

apps/webapp/app/routes/api.v1.authorization-code.ts

@@ -32,7 +32,7 @@ export async function action({ request }: ActionFunctionArgs) {
         error: error.message,
       });
 
-      return json({ error: "Internal Server Error" }, { status: 500 });
+      return json({ error: "Failed to create authorization code" }, { status: 400 });
     }
 
     return json({ error: "Something went wrong" }, { status: 500 });

apps/webapp/app/routes/api.v1.orgs.$orgParam.projects.ts

@@ -118,7 +118,7 @@ export async function action({ request, params }: ActionFunctionArgs) {
 
   if (error) {
     logger.error("Failed to create project", { error });
-    return json({ error: "Internal Server Error" }, { status: 500 });
+    return json({ error: "Failed to create project" }, { status: 400 });
   }
 
   const result: GetProjectResponseBody = {