feat!: enforce headers parameter on setAll cookie method

[mandarini]

Summary

Adds a runtime check that throws at client creation time if the user-provided setAll callback declares fewer than two parameters. This enforces that users accept the headers second argument introduced in v0.10.0, which carries cache-control headers (Cache-Control, Expires, Pragma) that must be forwarded to the HTTP response after token refreshes.

Without this enforcement, TypeScript silently allows setAll(cookies) { ... } to satisfy the (cookies, headers) => void type, so users who copy an outdated snippet or skip the changelog never apply the cache headers. CDNs can then cache authenticated responses and serve one user's session token to another.

What changed

• src/cookies.ts -- Added Function.length arity check at the single point where user-provided setAll enters the system. If setAll.length < 2, an error with a clear message and docs link is thrown immediately. Library-controlled setAll implementations (deprecated get/set/remove wrapper, warning stubs, document.cookie adapter) are not checked.
• src/cookies.spec.ts -- Updated 14 test mocks to declare both parameters. Added 5 new tests covering: zero-param throws (server), one-param throws (server), zero-param throws (browser), two-param passes, deprecated get/set/remove path is unaffected.
• src/createServerClient.spec.ts -- Updated 10 test mocks to declare both parameters.

Breaking change

setAll must now declare two parameters (cookies, headers). Existing implementations that only declare one parameter will throw on upgrade. Since the package is on 0.x, this ships as a minor bump (0.11.0) per semver conventions.

Context

• Root cause: supabase/supabase-js#1682
• Feature PR that introduced the headers param: supabase/ssr#176
• Docs update: supabase/supabase#44240
• UI library update (open): supabase/supabase#44351