fix(config): improve auth config errors and print config warnings before failures

[michkot]

Summary

fixes #11298, this MR improves the config/auth failure path for unresolved credential placeholders and makes sure already-collected config warnings are still printed when config loading throws.

What changed

1. Auth config parsing now reports a more descriptive config/auth-specific error when invalid _auth / _password values reach credential parsing, instead of surfacing a low-level decode failure.
2. Config warnings are now printed from the pnpm wrapper in a finally path, so warnings are emitted both on successful config loading and on config-loading failure.

Why

#11298 is the motivation for this MR and contains the full problem statement and reproduction, so this description intentionally does not repeat that analysis here. The key point for this change is that the warning path and the fatal error path were previously disconnected: warnings could be collected during config loading, but they were only printed if getConfig() completed successfully.

The warning-handling change uses a caller-provided warnings array because @pnpm/config.reader.getConfig() already has multiple callers with different output behavior. The main pnpm CLI prints warnings, while another direct caller does not print them. Keeping warning collection in config.reader and warning presentation in the caller preserves that existing boundary, while still allowing the CLI to print collected warnings even when config loading throws.

Important note

If the long-term decision is that this kind of invalid config should not stop the CLI, the warning-printing part of this MR is still relevant.

In that case, the follow-up should not rely on throwing around the atob() path and recovering elsewhere. Instead, auth parsing would need a different policy that treats unresolved / invalid credential input as a warning-only condition and yields no credentials rather than throwing.

[zkochan]

I don't think this solution is correct. The issue is that the env variable is not being replaced in the value here: //registry.example.com/:_auth=${EXAMPLE_TOKEN}. If the env var does not exist, an error should be thrown.

[michkot]

// done with edits

I don't think this solution is correct. The issue is that the env variable is not being replaced in the value here: //registry.example.com/:_auth=${EXAMPLE_TOKEN}. If the env var does not exist, an error should be thrown.

The existing code already treats the situation, but it treats it as warning -- I am okey with changing that existing paradigm, my default was to retain it (once I found that this logic exists).

Pre-existing tests here:
https://github.com/michkot/pnpm/blame/f31e1d4a4cf66ad5469b43307dcdcfdf3267ad1a/pnpm/test/getConfig.test.ts#L18-L31

The logic for warning is
https://github.com/michkot/pnpm/blob/f31e1d4a4cf66ad5469b43307dcdcfdf3267ad1a/config/reader/src/loadNpmrcFiles.ts#L156-L163

https://github.com/pnpm/components/blob/a8ba7794d8e4aef9e2ebf6de77506cc449e064c1/config/env-replace/env-replace.ts#L7-L15

[michkot]

If the env var does not exist, an error should be thrown.

@zkochan I am happy to close this and make another PR where the existing warning semantics is changed to error if that's what you think should be done?