Feature Request: Smart Card/Hardware Token Support for Remote Workspaces #19278

@bjornrobertsson

Issue Description:

Summary

Add support for smart card/hardware token passthrough to remote workspaces, enabling cryptographic operations (like code signing) using physical smart cards from within Kubernetes-based development environments.

Problem Statement

There's no direct support for smart card passthrough to workspaces. Users with smart cards (CACs, PIV cards, etc.) cannot perform hardware-based cryptographic operations in their remote development environments.

Current Limitations

  • No built-in support for PKCS#11 interface forwarding
  • Smart cards require physical presence and cannot be accessed remotely

Proposed Solution

Implement smart card passthrough functionality using one of these approaches:

Option 1: PKCS#11 Forwarding

Option 2: Extend SSH Agent Forwarding

Build upon existing SSH forwarding capabilities to include PKCS#11 providers

Technical Considerations

  • Security: Ensure PIN prompts are handled locally while operations execute remotely
  • Kubernetes Integration: Consider how to securely mount device files/sockets into pods
  • Cross-platform Support: Support various PKCS#11 libraries (opensc, coolkey)
  • Multiple Token Support: Handle different smart card types

Option 3: USB Device Access

Forward the USB device containing the smart card to the Kubernetes pod:

  • Significantly more complex - would require USB-over-network protocols
  • May require privileged containers or specialized device plugins
  • Essentially requires VM-like hardware passthrough capabilities
  • Likely not feasible for typical SSH-based remote development workflows

Benefits/Requirements

  • Enable secure code signing workflows in remote environments
  • Maintain hardware-based private key security
  • Expand enterprise adoption potential
  • Complement existing GPG forwarding features

Related Work
