## Why
The OpenAI-compatible API endpoints (`openai-http.ts`, `openresponses-http.ts`)
were returning raw `String(err)` in error responses. This can leak sensitive
internal information to HTTP clients:
- Stack traces revealing code structure
- File paths exposing server directory layout
- Internal error messages from dependencies
This is the same class of vulnerability that was fixed in #2387 for
`server-http.ts`, but these OpenAI-compatible endpoints were missed.
## What
Replace `String(err)` with safe error messages:
- **500 errors (api_error)**: Return generic "Internal server error"
- **400 errors (invalid_request_error)**: Return `err.message` only
(no stack trace), with fallback to "Invalid request"
## Changes
- `src/gateway/openai-http.ts`: 2 catch blocks sanitized
- `src/gateway/openresponses-http.ts`: 4 catch blocks sanitized
