Add SSO login support

- Add [sso] config section with redirect_uri
- Create mcdsl/sso client when SSO is configured
- Add /login (landing page), /sso/redirect, /sso/callback routes
- Add /logout route
- Update login template with SSO landing page variant
- Bump mcdsl to v1.6.0

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

internal/webserver/server.go

@@ -17,6 +17,7 @@ import (
 
 	mcdslauth "git.wntrmute.dev/mc/mcdsl/auth"
 	"git.wntrmute.dev/mc/mcdsl/csrf"
+	mcdsso "git.wntrmute.dev/mc/mcdsl/sso"
 	"git.wntrmute.dev/mc/mcdsl/web"
 	"git.wntrmute.dev/mc/metacrypt/internal/config"
 	webui "git.wntrmute.dev/mc/metacrypt/web"
@@ -115,10 +116,11 @@ type cachedUsername struct {
 type WebServer struct {
 	cfg       *config.Config
 	vault     vaultBackend
-	logger *slog.Logger
+	logger    *slog.Logger
 	httpSrv   *http.Server
 	staticFS  fs.FS
 	csrf      *csrf.Protect
+	ssoClient *mcdsso.Client
 	tgzCache  sync.Map // key: UUID string → *tgzEntry
 	userCache sync.Map // key: UUID string → *cachedUsername
 }
@@ -169,6 +171,21 @@ func New(cfg *config.Config, logger *slog.Logger) (*WebServer, error) {
 		csrf:     csrf.New(secret, "metacrypt_csrf", "csrf_token"),
 	}
 
+	// Create SSO client if the service has an SSO redirect_uri configured.
+	if cfg.SSO.RedirectURI != "" {
+		ssoClient, ssoErr := mcdsso.New(mcdsso.Config{
+			MciasURL:    cfg.MCIAS.ServerURL,
+			ClientID:    "metacrypt",
+			RedirectURI: cfg.SSO.RedirectURI,
+			CACert:      cfg.MCIAS.CACert,
+		})
+		if ssoErr != nil {
+			return nil, fmt.Errorf("webserver: create SSO client: %w", ssoErr)
+		}
+		ws.ssoClient = ssoClient
+		logger.Info("SSO enabled: redirecting to MCIAS for login", "mcias_url", cfg.MCIAS.ServerURL)
+	}
+
 	if tok := cfg.MCIAS.ServiceToken; tok != "" {
 		a, err := mcdslauth.New(mcdslauth.Config{
 			ServerURL: cfg.MCIAS.ServerURL,