feat(sdk): route all DDP method traffic (login resume, logout, setUserStatus) through DDPSDK

Trim the remaining ddpOverSDK bypass list to only the structural cases:
- msg !== 'method' (subs etc. still native)
- method starts with 'stream-' (stream-prefixed RPCs — sdk.publish already
  handles these directly when DDPSDK is ready)

Everything else now flows through our SDK's WebSocket:
- setUserStatus: plain mutation, no per-connection state
- logout: the result still propagates back to Meteor's invoker machinery
  via our processResult(), so Accounts.onLogout / userId cleanup run as
  before. No more bypass needed.
- login with {resume}: the Meteor.loginWithToken dance that re-queues a
  resume login after non-resume logins is guarded with wasResumeLogin so
  it doesn't recurse when the response we're processing *is* a resume.

Net effect: the only DDP messages that still ride Meteor's WS are
non-method frames (subscribes, heartbeats) and the rare stream-* RPC.

Author: ggazzo

apps/meteor/client/meteor/overrides/ddpOverREST.ts

@@ -5,22 +5,15 @@ import { sdk } from '../../../app/utils/client/lib/SDKClient';
 import { getDdpSdk } from '../../lib/sdk/ddpSdk';
 import { getUserId } from '../../lib/user';
 
-const bypassMethods: string[] = ['setUserStatus', 'logout'];
+const bypassMethods: string[] = [];
 
-const shouldBypass = ({ msg, method, params }: Meteor.IDDPMessage): boolean => {
-	if (msg !== 'method') {
-		return true;
-	}
+const isResumeLogin = ({ method, params }: Meteor.IDDPMessage): boolean => method === 'login' && Boolean(params?.[0]?.resume);
 
-	if (method === 'login' && params[0]?.resume) {
+const shouldBypass = ({ msg, method }: Meteor.IDDPMessage): boolean => {
+	if (msg !== 'method') {
 		return true;
 	}
 
-	// `logout` mutates per-connection auth state on Meteor's side; keeping it on
-	// Meteor.connection ensures the subsequent Accounts.onLogout chain (userId
-	// cleanup, ServerContext status flip, etc.) fires as before.
-	// `setUserStatus` toggles `_updatedAt` and presence fields that the Meteor
-	// user stream is still expected to drive while it remains the auth anchor.
 	if (bypassMethods.includes(method)) {
 		return true;
 	}
@@ -60,14 +53,16 @@ const withDDPOverSDK = (_send: (this: Meteor.IMeteorConnection, message: Meteor.
 		// Meteor's own WS.
 		if (isDdpSdkReady()) {
 			const params = Array.isArray(message.params) ? message.params : [];
+			const wasResumeLogin = isResumeLogin(message);
 			getDdpSdk()
 				.client.callAsync(message.method, ...params)
 				.then((result: unknown) => {
 					// Keep the Meteor.loginWithToken dance the REST version did so the
 					// Accounts state (userId, token, onLogin callbacks) updates the same
-					// way post-login. See the previous ddp-over-REST implementation for
-					// the detailed ordering of onLogin / loginWithToken interplay.
+					// way post-login. Skip it on resume-login responses — the dance
+					// itself calls Meteor.loginWithToken again and would recurse.
 					if (
+						!wasResumeLogin &&
 						message.method === 'login' &&
 						typeof result === 'object' &&
 						result !== null &&