[Access] Document plaintext HTTP private app L7 auth flow

[kennyj42]

Summary

Documents the change in AUTH-8615: plaintext HTTP private apps now use the L7 (browser-redirect) auth flow instead of the L4 (Cloudflare One Client notification) flow.

Tracking MRs (already merged):

• access-edge-engine!360 — Support HTTP private apps in L7 auth flow
• oxy-teams!3639 — Route plaintext HTTP private apps through L7 auth flow (gate, in review)

Pending release in access-engine:2026.6.2.

Changes

• self-hosted-private-app.mdx — splits the existing "HTTPS" / "Non-HTTPS" authentication flow sections into three: HTTPS, plaintext HTTP (new behavior), and other non-HTTP (SSH/RDP/TCP — unchanged client-notification flow). Anchor #non-https-applications -> #other-non-http-applications (verified no inbound links).
• New changelog — 2026-06-09-http-private-apps-l7-auth.mdx.

Draft - review needed

Holding as a draft for product/eng review:

• @egomes — please confirm:
  • Is this gated by an account-level flag at release in access-engine:2026.6.2, or rolled out to all accounts at once? (Affects whether the changelog should mention a gradual rollout.)
  • Does the L7 flow match all plaintext HTTP ports or only port 80? Docs currently say port 80 only based on the MR description.
• @jroyal — sanity check on the framing.

Validation

• Internal links verified (all 4 link targets exist).
• LF line endings.
• No new components used; Render already imported.
• Anchor rename has no inbound references in repo.