Add eticket OIDC client for ticket.e-cosplay.fr

- Declare a new confidential client 'eticket' (PKCE S256, standard
  flow only) in the realm import JSON for fresh installs.
- Add a generic ensure_client helper to sync.sh that creates a
  client with sane defaults if missing, then applies the URIs via
  set_client_uris on every run for idempotent reconciliation.
- Wire the new client up with its four redirect URIs:
    https://ticket.e-cosplay.fr/api/auth/login/sso/validate
    https://cos.local/api/auth/login/sso/validate
    https://ticket.e-cosplay.fr/connection/sso/check
    https://cos.local/connection/sso/check
  and matching webOrigins / post-logout URIs.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

realms/ecosplay-realm.json

@@ -116,6 +116,34 @@
         "post.logout.redirect.uris": "https://www.e-cosplay.fr/*##https://cos.local/*",
         "pkce.code.challenge.method": "S256"
       }
+    },
+    {
+      "clientId": "eticket",
+      "name": "E-Ticket",
+      "description": "Application billetterie ticket.e-cosplay.fr",
+      "enabled": true,
+      "publicClient": false,
+      "secret": "change-me-in-admin-console",
+      "redirectUris": [
+        "https://ticket.e-cosplay.fr/api/auth/login/sso/validate",
+        "https://cos.local/api/auth/login/sso/validate",
+        "https://ticket.e-cosplay.fr/connection/sso/check",
+        "https://cos.local/connection/sso/check"
+      ],
+      "webOrigins": [
+        "https://ticket.e-cosplay.fr",
+        "https://cos.local"
+      ],
+      "protocol": "openid-connect",
+      "standardFlowEnabled": true,
+      "implicitFlowEnabled": false,
+      "directAccessGrantsEnabled": false,
+      "serviceAccountsEnabled": false,
+      "frontchannelLogout": true,
+      "attributes": {
+        "post.logout.redirect.uris": "https://ticket.e-cosplay.fr/*##https://cos.local/*",
+        "pkce.code.challenge.method": "S256"
+      }
     }
   ]
 }