mirror of
https://github.com/netbirdio/netbird.git
synced 2026-04-23 02:36:42 +00:00
[client] Add RDP token passthrough for passwordless Windows Remote Desktop
Implement sideband authorization and credential provider architecture for passwordless RDP access to Windows peers via NetBird.

Go components:
- Sideband RDP auth server (TCP on WG interface, port 3390/22023)
- Pending session store with TTL expiry and replay protection
- Named pipe IPC server (\\.\pipe\netbird-rdp-auth) for credential provider
- Sideband client for connecting peer to request authorization
- CLI command `netbird rdp [user@]host` with JWT auth flow
- Engine integration with DNAT port redirection

Rust credential provider DLL (client/rdp/credprov/):
- COM DLL implementing ICredentialProvider + ICredentialProviderCredential
- Loaded by Windows LogonUI.exe at the RDP login screen
- Queries NetBird agent via named pipe for pending sessions
- Performs S4U logon (LsaLogonUser) for passwordless Windows token creation
- Self-registration via regsvr32 (DllRegisterServer/DllUnregisterServer)

https://claude.ai/code/session_01C38bCDyYzLgxYLVwJkcUng
11
client/rdp/credprov/src/guid.rs
Normal file
@@ -0,0 +1,11 @@
|
||||
use windows::core::GUID;
|
||||
|
||||
/// CLSID for the NetBird RDP Credential Provider.
|
||||
/// Generated UUID: {7B3A8E5F-1C4D-4F8A-B2E6-9D0F3A7C5E1B}
|
||||
pub const CLSID_NETBIRD_CREDENTIAL_PROVIDER: GUID = GUID::from_u128(
|
||||
0x7B3A8E5F_1C4D_4F8A_B2E6_9D0F3A7C5E1B,
|
||||
);
|
||||
|
||||
/// Registry path for credential providers.
|
||||
pub const CREDENTIAL_PROVIDER_REGISTRY_PATH: &str =
|
||||
r"SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers";
|
||||
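Review bot: The doc comment on CREDENTIAL_PROVIDER_REGISTRY_PATH does not say which hive the path is relative to or what is written beneath it, and the bare `&str` gives a caller nothing to stop it from being opened under the wrong root. The Credential Providers key lives under HKEY_LOCAL_MACHINE and each provider is a subkey named by its CLSID in braces, so the comment should state both, for example "Subkey of HKEY_LOCAL_MACHINE; the provider is registered as a child key named {CLSID}". Because LogonUI.exe loads whatever is registered there, it is also worth noting in the comment that DllRegisterServer and DllUnregisterServer must both derive the subkey from CLSID_NETBIRD_CREDENTIAL_PROVIDER, so unregistration removes exactly the key that registration created. Separately, the CLSID appears twice, once as a string in the `/// Generated UUID:` comment and once as the `from_u128` literal; they match today, but a small unit test that formats the constant and compares it to the braced string would keep the two from drifting.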