Add ecosplay_code OIDC client for Gitea SSO

New confidential client 'ecosplay_code' with PKCE S256, declared
in the realm import JSON for fresh installs and reconciled via
sync.sh (ensure_client + set_client_uris) for existing installs.

Redirect URIs match the Gitea OAuth2 callback format for the
esy_lock provider:
  https://code.e-cosplay.fr/user/oauth2/esy_lock/callback
  https://cos.local/user/oauth2/esy_lock/callback

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

init/sync.sh

@@ -333,6 +333,18 @@ if realm_exists ecosplay; then
         '["https://ticket.e-cosplay.fr/api/auth/login/sso/validate","https://cos.local/api/auth/login/sso/validate","https://ticket.e-cosplay.fr/connection/sso/check","https://cos.local/connection/sso/check"]' \
         '["https://ticket.e-cosplay.fr","https://cos.local"]' \
         'https://ticket.e-cosplay.fr/*##https://cos.local/*'
+
+    log "Reconciling ecosplay_code client"
+    ensure_client ecosplay ecosplay_code "E-Cosplay Code" \
+        "Forge de code (Gitea) - login SSO via esy_lock provider" \
+        "change-me-in-admin-console" \
+        '["https://code.e-cosplay.fr/user/oauth2/esy_lock/callback","https://cos.local/user/oauth2/esy_lock/callback"]' \
+        '["https://code.e-cosplay.fr","https://cos.local"]' \
+        'https://code.e-cosplay.fr/*##https://cos.local/*'
+    set_client_uris ecosplay ecosplay_code \
+        '["https://code.e-cosplay.fr/user/oauth2/esy_lock/callback","https://cos.local/user/oauth2/esy_lock/callback"]' \
+        '["https://code.e-cosplay.fr","https://cos.local"]' \
+        'https://code.e-cosplay.fr/*##https://cos.local/*'
 else
     warn "ecosplay realm not found — will be imported on next boot"
 fi

realms/ecosplay-realm.json

@@ -117,6 +117,32 @@
         "pkce.code.challenge.method": "S256"
       }
     },
+    {
+      "clientId": "ecosplay_code",
+      "name": "E-Cosplay Code",
+      "description": "Forge de code (Gitea) - login SSO via esy_lock provider",
+      "enabled": true,
+      "publicClient": false,
+      "secret": "change-me-in-admin-console",
+      "redirectUris": [
+        "https://code.e-cosplay.fr/user/oauth2/esy_lock/callback",
+        "https://cos.local/user/oauth2/esy_lock/callback"
+      ],
+      "webOrigins": [
+        "https://code.e-cosplay.fr",
+        "https://cos.local"
+      ],
+      "protocol": "openid-connect",
+      "standardFlowEnabled": true,
+      "implicitFlowEnabled": false,
+      "directAccessGrantsEnabled": false,
+      "serviceAccountsEnabled": false,
+      "frontchannelLogout": true,
+      "attributes": {
+        "post.logout.redirect.uris": "https://code.e-cosplay.fr/*##https://cos.local/*",
+        "pkce.code.challenge.method": "S256"
+      }
+    },
     {
       "clientId": "eticket",
       "name": "E-Ticket",