Require SSO validation at merge step in addition to approval step
Proposal
Currently, the "Require Password to Approve" setting validates SSO/password authentication only at the approval step of a merge request. However, it does not enforce re-authentication before the merge is actually executed.
For stricter security and compliance requirements, we should require SSO validation at the merge step as well to ensure the person merging the MR is the same authenticated user who approved it.
This would provide a complete audit trail and ensure that both approval and merge actions are performed by authenticated users within a valid SSO session.