Fix SSO return-to redirect loop

SetReturnToCookie stored /sso/redirect as the return-to path,
causing a redirect loop after successful SSO login: the callback
would redirect back to /sso/redirect instead of /. Filter all
/sso/* paths, not just /sso/callback.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

sso/sso.go

@@ -229,7 +229,7 @@ func ValidateStateCookie(w http.ResponseWriter, r *http.Request, prefix, querySt
 // redirect back to it after SSO login completes.
 func SetReturnToCookie(w http.ResponseWriter, r *http.Request, prefix string) {
 	path := r.URL.Path
-	if path == "" || path == "/login" || path == "/sso/callback" {
+	if path == "" || path == "/login" || strings.HasPrefix(path, "/sso/") {
 		path = "/"
 	}
 	http.SetCookie(w, &http.Cookie{

sso/sso_test.go

@@ -193,7 +193,7 @@ func TestReturnToDefaultsToRoot(t *testing.T) {
 }
 
 func TestReturnToSkipsLoginPaths(t *testing.T) {
-	for _, p := range []string{"/login", "/sso/callback"} {
+	for _, p := range []string{"/login", "/sso/callback", "/sso/redirect"} {
 		rec := httptest.NewRecorder()
 		req := httptest.NewRequest(http.MethodGet, p, nil)
 		SetReturnToCookie(rec, req, "mcr")