nginx auth_request and status-only consumers ignore the body, but the
@features/api monolith's ssoRequired parses it and 401s on an empty/non-JSON
body — the empty 200 was the other half of the my/admin SSO login loop. Return
{ sub, admin } instead.
Mirror the @features/api build stamp on the SSO service: inject __BUILD_INFO__
(version, BUILD_COUNT, short SHA, UTC time) via bun build --define in deploy.sh
and surface it plus service + startedAt from /health. Falls back to env then
'dev' for unbundled runs.
A browser can carry more than one quinn_sso_session (a stale host-only cookie
shadowing the good Domain-scoped one), and the shadow can sort first. Add
extractSessionCookies (all non-empty values) and make validateSession try each
until one verifies, instead of only the first. Root cause of the
my.transquinnftw.com login loop.