
pre-compute password denylist Bloom filter to speed up server startup#48515

Open
kfaseela wants to merge 3 commits into keycloak:main from Nordix:feature/password-denylist-bloom-precompute

Conversation

@kfaseela
Contributor

Fixes #47356

Loading large password denylist files from plaintext on every server startup or reload rebuilds the Bloom filter from scratch, which can take several seconds for multi-million-line lists.

This PR introduces a pre-computed binary (.bloom) file that the server loads instead of rebuilding from plaintext, significantly reducing startup and reload time.

Performance (manually verified): loading a 14M-entry denylist (~133 MB plaintext) dropped from ~2-3 seconds to ~2 ms after pre-computing the .bloom file. Given this improvement, background/async loading does not appear necessary at this time.

Changes

  • New kc.sh tools build-password-denylist command generates a .bloom file alongside the plaintext denylist.
  • On startup and reload, the server automatically picks up the .bloom file when present, falling back to plaintext if the file is missing or corrupt.
  • Change detection watches the .bloom file when present, so the server reloads correctly when the denylist is updated and re-precomputed.

Usage

# Pre-compute the Bloom filter
kc.sh tools build-password-denylist /path/to/denylist.txt

This generates denylist.txt.bloom in the same directory. Place both files in the password-blacklists folder and start the server as usual:

kc.sh start --spi-password-policy-password-blacklist-blacklists-path=/path/to/password-blacklists

The server looks for .bloom alongside the configured plaintext file and loads it automatically if found. The plaintext file must remain present.

Naming note

New code intentionally uses denylist instead of blacklist. Existing identifiers (class names, SPI config keys, folder names) are left unchanged to avoid a breaking change - a separate issue can be raised to track that cleanup.
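The load path the PR describes (prefer the sibling .bloom file, rebuild from plaintext when it is missing or corrupt) as an added illustration in Python; this is not the PR's Java code, and the KCBLOOM1 header, CRC-32 integrity check, SHA-256 double hashing and fixed K are assumptions of this example, not Keycloak's actual .bloom layout.

```python
import hashlib, struct, tempfile, zlib
from pathlib import Path

MAGIC = b"KCBLOOM1"  # constructed header tag, not Keycloak's actual .bloom layout
K = 7                # hash functions; with ~10 bits per entry this gives ~1% false positives

def _positions(word, m):
    # double hashing: K bit indices derived from a single SHA-256 digest
    h1, h2 = struct.unpack_from("<QQ", hashlib.sha256(word.encode("utf-8")).digest())
    return [(h1 + i * h2) % m for i in range(K)]

def build_from_plaintext(txt):  # the slow path the PR skips on startup
    words = [ln for ln in txt.read_text(encoding="utf-8").splitlines() if ln.strip()]
    m = max(1024, 10 * len(words))
    bits = bytearray((m + 7) // 8)
    for p in (p for w in words for p in _positions(w, m)):
        bits[p >> 3] |= 1 << (p & 7)
    return m, bytes(bits)

def write_bloom(bloom_file, bloom):  # layout: MAGIC | crc32(body) | body
    body = struct.pack("<Q", bloom[0]) + bloom[1]
    bloom_file.write_bytes(MAGIC + struct.pack("<I", zlib.crc32(body)) + body)

def read_bloom(bloom_file):  # (m, bits) from a valid file, or None when missing or corrupt
    data = bloom_file.read_bytes() if bloom_file.exists() else b""
    if not data.startswith(MAGIC) or len(data) < len(MAGIC) + 12:
        return None
    body = data[len(MAGIC) + 4:]
    if struct.unpack_from("<I", data, len(MAGIC))[0] != zlib.crc32(body):
        return None
    m, bits = struct.unpack_from("<Q", body)[0], body[8:]
    return (m, bits) if m and len(bits) == (m + 7) // 8 else None

def load_denylist(txt):  # prefer the sibling .bloom; rebuild from plaintext when unusable
    cached = read_bloom(txt.with_name(txt.name + ".bloom"))
    return (cached, "bloom") if cached else (build_from_plaintext(txt), "plaintext")

def contains(bloom, word):
    return all(bloom[1][p >> 3] >> (p & 7) & 1 for p in _positions(word, bloom[0]))

def demo():  # constructed 3-entry list: precompute, load, corrupt the cache, reload
    txt = Path(tempfile.mkdtemp()) / "denylist.txt"
    txt.write_text("password\n123456\nqwerty\n", encoding="utf-8")
    bloom_file = txt.with_name(txt.name + ".bloom")
    write_bloom(bloom_file, build_from_plaintext(txt))
    bloom, src = load_denylist(txt)
    data = bloom_file.read_bytes()  # flip the last byte so the CRC no longer matches
    bloom_file.write_bytes(data[:-1] + bytes([data[-1] ^ 0xFF]))
    return src, load_denylist(txt)[1], contains(bloom, "qwerty"), contains(bloom, "correct horse")
```

The CRC only catches truncated or half-written files, not deliberate modification, so the .bloom file needs the same filesystem permissions as the plaintext list it stands in for.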

@kfaseela kfaseela force-pushed the feature/password-denylist-bloom-precompute branch from 04a5e1c to 057864a on April 28, 2026 10:42


Development

Successfully merging this pull request may close these issues.

Enhancement: Improve the performance of loading large password blacklists

1 participant