Add ecosplay_code OIDC client for Gitea SSO

New confidential client 'ecosplay_code' with PKCE S256, declared
in the realm import JSON for fresh installs and reconciled via
sync.sh (ensure_client + set_client_uris) for existing installs.

Redirect URIs match the Gitea OAuth2 callback format for the
esy_lock provider:
  https://code.e-cosplay.fr/user/oauth2/esy_lock/callback
  https://cos.local/user/oauth2/esy_lock/callback

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

init/sync.sh

@@ -333,6 +333,18 @@ if realm_exists ecosplay; then
         '["https://ticket.e-cosplay.fr/api/auth/login/sso/validate","https://cos.local/api/auth/login/sso/validate","https://ticket.e-cosplay.fr/connection/sso/check","https://cos.local/connection/sso/check"]' \
         '["https://ticket.e-cosplay.fr","https://cos.local"]' \
         'https://ticket.e-cosplay.fr/*##https://cos.local/*'
+
+    log "Reconciling ecosplay_code client"
+    ensure_client ecosplay ecosplay_code "E-Cosplay Code" \
+        "Forge de code (Gitea) - login SSO via esy_lock provider" \
+        "change-me-in-admin-console" \
+        '["https://code.e-cosplay.fr/user/oauth2/esy_lock/callback","https://cos.local/user/oauth2/esy_lock/callback"]' \
+        '["https://code.e-cosplay.fr","https://cos.local"]' \
+        'https://code.e-cosplay.fr/*##https://cos.local/*'
+    set_client_uris ecosplay ecosplay_code \
+        '["https://code.e-cosplay.fr/user/oauth2/esy_lock/callback","https://cos.local/user/oauth2/esy_lock/callback"]' \
+        '["https://code.e-cosplay.fr","https://cos.local"]' \
+        'https://code.e-cosplay.fr/*##https://cos.local/*'
 else
     warn "ecosplay realm not found — will be imported on next boot"
 fi