feat: add SSO (OIDC) support for enterprise edition#104

Merged. softberries merged 7 commits into main from feat/sso-oidc on Apr 10, 2026

@softberries
Member

Summary

  • Add generic OIDC-based SSO to the enterprise edition with per-org configuration
  • Each org can connect its own identity provider (Google, Azure AD, Okta, Keycloak, etc.)
  • JIT user provisioning with configurable email domain allowlist
  • SSO enforcement disables password login for non-admin members (break-glass for owners/admins)
  • CLI authentication unchanged — existing device auth flow works through SSO in the browser

Changes

Backend:

  • SsoProvider trait in core extension system with community stub and enterprise openidconnect implementation
  • 6 new API endpoints: SSO status check, config CRUD (get/upsert/delete), OIDC initiate, OIDC callback
  • Password login enforcement with break-glass audit logging
  • Database migration: org_sso_configs, user_sso_links, sso_auth_requests tables
  • Background cleanup of expired SSO auth requests

Frontend:

  • Login page detects SSO per org slug, shows "Sign in with SSO" button, hides password form when enforced
  • SSO completion page reads token from URL fragment
  • SSO settings page under org settings (enterprise-gated)
  • Sidebar navigation conditionally shows SSO link

Test plan

  • Configure OIDC with a test IdP (e.g. Google Workspace or Keycloak)
  • Verify SSO login flow: initiate → IdP redirect → callback → session created
  • Verify JIT provisioning creates user + membership + SSO link
  • Verify SSO enforcement blocks password login for non-admin members
  • Verify break-glass: owner/admin can still use password when SSO enforced
  • Verify domain validation rejects emails outside allowed domains
  • Verify CLI device auth flow works unchanged through SSO
  • Verify SSO settings page CRUD operations
  • Verify community edition returns "enterprise feature" for SSO endpoints

@softberries softberries merged commit 6313055 into main Apr 10, 2026
7 checks passed
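
The password-login enforcement and email domain allowlist rules from the Summary, as an added Rust example; this is not code from this PR. All type and function names are hypothetical, and exact-match domains, a required verified email, and an empty allowlist rejecting everyone are assumptions of the example.

```rust
// Added example with hypothetical names; not the project's implementation.
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Role { Owner, Admin, Member }

#[derive(Debug, PartialEq)]
pub enum PasswordLogin { Allowed, AllowedBreakGlass, DeniedUseSso }

/// Password-login decision for one org member.
/// Break-glass results are meant to be audit-logged by the caller.
pub fn password_login_decision(sso_enforced: bool, role: Role) -> PasswordLogin {
    match (sso_enforced, role) {
        (false, _) => PasswordLogin::Allowed,
        (true, Role::Owner | Role::Admin) => PasswordLogin::AllowedBreakGlass,
        (true, Role::Member) => PasswordLogin::DeniedUseSso,
    }
}

/// Exact, case-insensitive match of the email's domain against the allowlist.
/// Assumption: subdomains are not implied and an empty allowlist rejects everyone.
pub fn email_domain_allowed(email: &str, allowed: &[&str]) -> bool {
    let mut parts = email.trim().split('@');
    // Exactly one '@': rejects "a@example.com@evil.test" style inputs.
    let (Some(local), Some(domain), None) = (parts.next(), parts.next(), parts.next()) else {
        return false;
    };
    if local.is_empty() || domain.is_empty() {
        return false;
    }
    // Whole-string comparison, so "evil-example.com" never matches "example.com".
    allowed.iter().any(|a| a.trim().eq_ignore_ascii_case(domain))
}

/// JIT provisioning gate. Assumption: the IdP's email must be marked verified.
pub fn jit_allowed(email: &str, email_verified: bool, allowed: &[&str]) -> bool {
    email_verified && email_domain_allowed(email, allowed)
}

fn main() {
    let allow = ["example.com"]; // constructed sample allowlist
    for email in ["alice@Example.COM", "bob@evil-example.com", "eve@example.com@evil.test"] {
        println!("{email}: jit_allowed = {}", jit_allowed(email, true, &allow));
    }
    println!("{:?}", password_login_decision(true, Role::Member));
    println!("{:?}", password_login_decision(true, Role::Admin));
}
```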