feat(auth): split OIDC_ONLY into granular auth toggles

Replaces the coarse oidc_only + allow_registration settings with four
independent toggles: password_login, password_registration, oidc_login,
oidc_registration. Each can be enabled/disabled individually in
Admin > Settings without affecting the others.

- Add resolveAuthToggles() in authService.ts as the central resolver;
  falls back to legacy oidc_only/allow_registration keys when new keys
  are absent (backward compat)
- OIDC_ONLY env var still works and overrides DB toggles for password_*,
  with a visual lock in the admin UI when active
- Server enforces lockout prevention: cannot disable all login methods
- oidc_login gate added to OIDC /login and /callback routes
- Remove oidc_only toggle from OIDC settings panel; replaced by the
  granular toggles in the Settings tab
- Add 6 new resolveAuthToggles() unit tests; fix AUTH-DB-033 error
  message assertion
- Update OIDC_ONLY descriptions in README, docker-compose, Helm values,
  Unraid template, and .env.example to clarify override semantics

Closes #492

server/src/services/oidcService.ts

@@ -4,6 +4,7 @@ import { db } from '../db/database';
 import { JWT_SECRET } from '../config';
 import { User } from '../types';
 import { decrypt_api_key } from './apiKeyCrypto';
+import { resolveAuthToggles } from './authService';
 
 // ---------------------------------------------------------------------------
 // Types
@@ -269,10 +270,8 @@ export function findOrCreateUser(
   }
 
   if (!isFirstUser && !validInvite) {
-    const setting = db.prepare("SELECT value FROM app_settings WHERE key = 'allow_registration'").get() as
-      | { value: string }
-      | undefined;
-    if (setting?.value === 'false') {
+    const { oidc_registration } = resolveAuthToggles();
+    if (!oidc_registration) {
       return { error: 'registration_disabled' };
     }
   }