mirror of
https://github.com/mauriceboe/TREK.git
synced 2026-06-19 21:31:46 +00:00
feat(auth): split OIDC_ONLY into granular auth toggles
Replaces the coarse oidc_only + allow_registration settings with four independent toggles: password_login, password_registration, oidc_login, oidc_registration. Each can be enabled/disabled individually in Admin > Settings without affecting the others.

- Add resolveAuthToggles() in authService.ts as the central resolver; falls back to legacy oidc_only/allow_registration keys when new keys are absent (backward compat)
- OIDC_ONLY env var still works and overrides DB toggles for password_*, with a visual lock in the admin UI when active
- Server enforces lockout prevention: cannot disable all login methods
- oidc_login gate added to OIDC /login and /callback routes
- Remove oidc_only toggle from OIDC settings panel; replaced by the granular toggles in the Settings tab
- Add 6 new resolveAuthToggles() unit tests; fix AUTH-DB-033 error message assertion
- Update OIDC_ONLY descriptions in README, docker-compose, Helm values, Unraid template, and .env.example to clarify override semantics

Closes #492
+1
-1
@@ -20,7 +20,7 @@ OIDC_ISSUER=https://auth.example.com # OpenID Connect provider URL
|
||||
OIDC_CLIENT_ID=trek # OpenID Connect client ID
|
||||
OIDC_CLIENT_SECRET=supersecret # OpenID Connect client secret
|
||||
OIDC_DISPLAY_NAME=SSO # Label shown on the SSO login button
|
||||
OIDC_ONLY=true # Disable local password auth entirely (SSO only)
|
||||
OIDC_ONLY=true # Disable local password auth entirely (SSO only). Equivalent to setting password_login=false and password_registration=false in Admin > Settings.
|
||||
OIDC_ADMIN_CLAIM=groups # OIDC claim used to identify admin users
|
||||
OIDC_ADMIN_VALUE=app-trek-admins # Value of the OIDC claim that grants admin role
|
||||
OIDC_DISCOVERY_URL= # Override the auto-constructed OIDC discovery endpoint. Useful for providers (e.g. Authentik) that expose it at a non-standard path. Example: https://auth.example.com/application/o/trek/.well-known/openid-configuration
|
||||
|
||||
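Review bot: the new OIDC_ONLY comment says "Equivalent to setting password_login=false and password_registration=false in Admin > Settings", which reads as if the two were interchangeable, while the commit message describes an override: the env var wins over the stored password_* toggles and the admin UI shows them locked. An operator reading only this line could expect to re-enable password login from the Settings tab and find it has no effect. Suggest wording along the lines of "Overrides password_login and password_registration in Admin > Settings (both are forced off and locked while this is set)". It would also help to say here that oidc_login is a separate toggle this variable does not control, since the hunk does not show how the lockout-prevention check treats OIDC_ONLY=true combined with oidc_login disabled.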