KafkaEx.Auth.SASL (kafka_ex v0.15.0)

SASL authentication orchestrator for KafkaEx.

Coordinates the SASL authentication flow:

  1. Fetches API versions (if supported by Kafka version)
  2. Performs SASL handshake to negotiate mechanism
  3. Executes mechanism-specific authentication
  4. Manages packet mode switching between raw and length-prefixed

Entry Point

The authenticate/2 function is called by NetworkClient immediately after socket creation when auth configuration is present.

Version Compatibility

  • Kafka 0.9.x - Skips API versions call (not supported)
  • Kafka 0.10.0+ - Queries API versions for optimal protocol selection
  • Kafka 0.10.2+ - Full SCRAM support available

Internal Flow

  1. Check if API versions should be fetched (based on Kafka version)
  2. Send handshake request with desired mechanism
  3. Delegate to mechanism module for authentication exchange
  4. Return :ok or {:error, reason} to NetworkClient

Compatibility

Brokers do not tell you the header mode (legacy vs flexible). Some stacks (older IBP, ZK builds, or auth/proxy layers) still map (apiKey=36, ver=2) to header v1 internally, so we cap the authentication request at v1.

Another option would be to try v2 and fall back to v1 if we meet such a broker.
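
The framing that the v1 cap implies, as an added example (not KafkaEx's own code; the module name, function names, handshake version argument and sample values are assumptions): the SaslAuthenticate request (apiKey=36) is built with the legacy request header, and its version is held at 1 even when the broker advertises 2.

```elixir
defmodule SaslFramingExample do
  @moduledoc "Added illustration, not part of KafkaEx. All names here are hypothetical."

  @sasl_handshake 17     # Kafka API key for SaslHandshake
  @sasl_authenticate 36  # Kafka API key for SaslAuthenticate
  @max_auth_version 1    # v2 is the first flexible version and needs the flexible header

  # Never exceed v1, whatever maximum the broker advertises for apiKey=36.
  def authenticate_version(broker_max), do: min(broker_max, @max_auth_version)

  # SaslHandshake body: mechanism as STRING (int16 length + bytes).
  # The handshake version is passed in; this example does not assume which one KafkaEx sends.
  def handshake_request(mechanism, version, correlation_id, client_id) do
    body = <<byte_size(mechanism)::16, mechanism::binary>>
    frame(@sasl_handshake, version, correlation_id, client_id, body)
  end

  # SaslAuthenticate v0/v1 body: auth_bytes as BYTES (int32 length + bytes).
  def authenticate_request(auth_bytes, broker_max, correlation_id, client_id) do
    body = <<byte_size(auth_bytes)::32, auth_bytes::binary>>
    version = authenticate_version(broker_max)
    frame(@sasl_authenticate, version, correlation_id, client_id, body)
  end

  # Legacy request header (api_key, api_version, correlation_id, client_id),
  # followed by the body, all behind a 4-byte big-endian size prefix.
  defp frame(api_key, version, correlation_id, client_id, body) do
    header =
      <<api_key::16, version::16, correlation_id::32,
        byte_size(client_id)::16, client_id::binary>>

    payload = header <> body
    <<byte_size(payload)::32, payload::binary>>
  end
end

# Constructed sample input: the broker advertises SaslAuthenticate up to v2,
# yet the request on the wire carries api_version 1. A mismatch raises MatchError.
<<_size::32, 36::16, 1::16, 7::32, _rest::binary>> =
  SaslFramingExample.authenticate_request("constructed-token", 2, 7, "demo-client")
```

Saved as an `.exs` file, this runs with `elixir` and needs no dependencies.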

Summary

Functions

authenticate(socket, creds)

@spec authenticate(KafkaEx.Socket.t(), KafkaEx.Auth.Config.t()) ::
  :ok | {:error, term()}