OF-3037: Expose failed outbound S2S sessions in admin console with diagnostics
This change extends server session administration to include failed outbound S2S connection attempts alongside active sessions.
Failed domains are now shown in the server session overview with clear visual indication, and selecting one opens a dedicated diagnostics page (instead of normal session details) that supports quick retry and block workflows by redirecting to existing admin pages with the failed domain pre-populated.
Under the hood, `OutgoingSessionPromise` now records the latest failed attempt per remote domain in a new clustered cache using a serializable diagnostics payload, and clears that failure state after a successful reconnect. The diagnostics page also includes roster-domain usage search for impacted local users, backed by a new domain-targeted roster lookup API with an optimized implementation in `DefaultRosterItemProvider` (plus compatible fallback behavior for custom providers).
OF-3268: Refactor SASL EXTERNAL S2S success path to remove duplicate checks
Remove redundant inbound S2S post-auth verification from `SASLAuthentication.handle(...)` after `saslServer.isComplete()`.
For SASL EXTERNAL, certificate/domain verification is already performed by `ExternalServerSaslServer.evaluateResponse(...)`, while authentication method assignment is already handled in `authenticationSuccessful(...)`.
This change simplifies control flow and clarifies responsibility without intended behavior change.
Set incoming server auth method from negotiated SASL mechanism
Stop assuming inbound s2s SASL authentication always uses EXTERNAL. When SASL succeeds, derive `ServerSession.AuthenticationMethod` from the actual negotiated mechanism name instead:
- EXTERNAL -> SASL_EXTERNAL
- any other mechanism -> OTHER
This makes session state reflect the real authentication method used and removes brittle coupling to current mechanism availability.
Optimize SASL mechanism validation by avoiding unnecessary XML conversions
Replace Element-based mechanism lookups with direct set operations. Eliminates redundant dom4j manipulation.
Adds unit test coverage
None of this is expected to introduce functional changes. Pre-existing public method signatures are left intact for backwards compatibility.
