Implements the server-side pieces of Bitwarden's SSO cookie vending flow
(upstream PRs bitwarden/server#6880, #6892, #6903) so the native Bitwarden
mobile and desktop apps work when Vaultwarden sits behind an authenticating
reverse proxy such as Cloudflare Access, Authentik, Authelia, or
oauth2-proxy.

Without this, users behind such a proxy can authenticate the web vault in
a browser but the native apps 404 on /api/sso-cookie-vendor after the
browser-assisted IdP step, leaving the app unable to acquire the proxy's
auth cookie.

What's added:

* New config section `sso_cookie_vendor` (4 fields, default-off) driving
  both env-var and admin-UI configuration via the existing make_config!
  macro, with startup validation.
* GET /api/sso-cookie-vendor — reads the proxy auth cookie from the
  request (including sharded variants CF_Authorization-0..19) and
  302-redirects to bitwarden://sso-cookie-vendor?<cookie>=<value>&d=1
  so the native app can capture and reuse the cookie. Upstream-compatible
  404/400/500 HTML error pages; 8192-byte URI cap.
* communication.bootstrap block in /api/config matching the shape from
  bitwarden/server#6892 so clients discover the flow without modification.
* Unit tests covering single/sharded cookies, precedence, missing-cookie
  404, URL-encoding, oversize URI, and error HTML format.

See docs/sso-cookie-vendor.md for the full writeup (background, security
considerations, end-to-end flow, and per-proxy configuration notes).
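
A sketch of the cookie-to-redirect step described in the commit message above, as an added example that is not the commit's own code. `vend_uri`, `pct_encode` and the constants are hypothetical names; single-over-sharded precedence, contiguous shards starting at `-0`, one query parameter per shard, and a 400 status for an oversize URI are assumptions.

```rust
use std::collections::HashMap;

const MAX_URI_LEN: usize = 8192; // URI cap from the commit message
const MAX_SHARDS: usize = 20; // shard suffixes -0..19 from the commit message

// Percent-encode every byte outside the RFC 3986 unreserved set.
fn pct_encode(s: &str) -> String {
    let mut out = String::with_capacity(s.len());
    for b in s.bytes() {
        match b {
            b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'.' | b'_' | b'~' => out.push(b as char),
            _ => out.push_str(&format!("%{:02X}", b)),
        }
    }
    out
}

// Hypothetical helper: Ok(redirect URI) or Err(HTTP status for the error page).
fn vend_uri(cookie_name: &str, cookies: &HashMap<String, String>) -> Result<String, u16> {
    let mut pairs: Vec<(String, &str)> = Vec::new();
    if let Some(v) = cookies.get(cookie_name) {
        // Assumption: an unsharded cookie takes precedence over shards.
        pairs.push((cookie_name.to_string(), v.as_str()));
    } else {
        for i in 0..MAX_SHARDS {
            let name = format!("{}-{}", cookie_name, i);
            // Assumption: shards are contiguous from -0; stop at the first gap.
            let v = match cookies.get(&name) { Some(v) => v, None => break };
            pairs.push((name, v.as_str()));
        }
    }
    if pairs.is_empty() {
        return Err(404); // missing cookie -> 404, as the commit message states
    }
    let query: Vec<String> =
        pairs.iter().map(|(k, v)| format!("{}={}", pct_encode(k), pct_encode(v))).collect();
    let uri = format!("bitwarden://sso-cookie-vendor?{}&d=1", query.join("&"));
    if uri.len() > MAX_URI_LEN {
        return Err(400); // assumption: an oversize URI maps to 400
    }
    Ok(uri)
}

fn main() {
    // Constructed sample cookie jar, not captured traffic.
    let jar = HashMap::from([("CF_Authorization-0".to_string(), "aaa".to_string())]);
    println!("{:?}", vend_uri("CF_Authorization", &jar));
}
```

Encoding both names and values keeps a cookie value containing `&` or `=` from splitting into extra query parameters in the `bitwarden://` URI.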