Switch admin to jovann@e-cosplay.fr + disable default admin

- Rename the bootstrap human admin from jovann@siteconseil.fr to
  jovann@e-cosplay.fr in docker-compose env vars and in the realm
  import JSON. Keycloak identifies users by username so a new user
  is created on the next sync run; the old jovann@siteconseil.fr
  is left in place and can be deleted manually from the admin UI.
- Introduce a service account client `sync-bot` in the master
  realm (confidential, service accounts enabled, direct grants off)
  granted the `admin` realm role. sync.sh now authenticates via
  client_credentials, falling back to the bootstrap admin only on
  the very first run — so reconciliation keeps working after the
  default admin is disabled.
- Add disable_default_admin() at the end of the sync script. It
  first verifies that sync-bot can authenticate, then flips the
  `admin` user's `enabled` flag to false. Idempotent and safe:
  refuses to run if sync-bot auth is broken, and is a no-op if
  admin is already disabled.
- SYNC_BOT_CLIENT / SYNC_BOT_SECRET env vars added to the init
  container for both bootstrap authentication and service client
  secret reconciliation.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Serreau Jovann
2026-04-10 16:15:46 +02:00
parent 1ed5c020b1
commit 832be361c7
3 changed files with 117 additions and 8 deletions


@@ -69,8 +69,8 @@
"users": [
{
"username": "jovann@siteconseil.fr",
"email": "jovann@siteconseil.fr",
"username": "jovann@e-cosplay.fr",
"email": "jovann@e-cosplay.fr",
"firstName": "Jovann",
"lastName": "Serreau",
"enabled": true,
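Review bot: Swapping the `username` and `email` values in this `users` entry leaves the previous jovann@siteconseil.fr account in the realm with whatever roles it already holds, and the commit message defers its removal to a manual step in the admin UI. Since the rest of this commit is about reducing standing admin access, consider having the sync script disable the old user in the same pass that disables the default admin, or at least record the manual deletion as a required follow-up so a stale privileged account does not linger. It would also help to confirm that nothing else in the realm import still references the old username.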