refactor(web-app-mediawiki): unify debug & oidc handling via _ensure_require, introduce host-side prep, switch to bind mounts

- Removed obsolete Installation.md, TODO.md, 02_debug.yml, 05_oidc.yml and legacy debug enable/disable tasks
- Added 01_prep.yml to render debug.php/oidc.php on host side before container start
- Introduced _ensure_require.yml for generic require_once management in LocalSettings.php
- Renamed 01_install.yml -> 02_install.yml to align with new numbering
- Updated docker-compose.yml.j2 to bind-mount mw-local into /opt/mw-local
- Adjusted vars/main.yml to define MEDIAWIKI_LOCAL_MOUNT_DIR and MEDIAWIKI_LOCAL_PATH
- Templates debug.php.j2 and oidc.php.j2 now gated by MODE_DEBUG and MEDIAWIKI_OIDC_ENABLED
- main.yml now orchestrates prep, install, debug, extensions, oidc require, admin consistently

Ref: https://chatgpt.com/share/68b57db2-efcc-800f-a733-aca952298437

roles/web-app-mediawiki/templates/debug.php.j2

@@ -1,9 +1,22 @@
 <?php
+/**
+ * File: debug.php
+ * Note: This file is always present via bind mount.
+ *       Its effect is controlled by MODE_DEBUG at template-render time.
+ */
+if ( !defined( 'MEDIAWIKI' ) ) {
+    exit;
+}
 
-$wgShowExceptionDetails   = true;
-$wgShowDBErrorBacktrace   = true;
-$wgShowSQLErrors          = true;
-$wgDevelopmentWarnings    = true;
+{% if MODE_DEBUG | bool %}
+/**
+ * DEBUG ENABLED (MODE_DEBUG=true)
+ * Verbose error display & debug logs for MediaWiki and OIDC/PluggableAuth.
+ */
+$wgShowExceptionDetails = true;
+$wgShowDBErrorBacktrace = true;
+$wgShowSQLErrors        = true;
+$wgDevelopmentWarnings  = true;
 
 @ini_set('display_errors', '1');
 @ini_set('display_startup_errors', '1');
@@ -19,3 +32,9 @@ $wgDebugLogGroups = array_merge($wgDebugLogGroups ?? [], [
     'PluggableAuth'   => 'php://stderr',
     'OpenIDConnect'   => 'php://stderr',
 ]);
+{% else %}
+/**
+ * DEBUG DISABLED (MODE_DEBUG=false)
+ * Intentionally a no-op. File stays present to keep require_once stable.
+ */
+{% endif %}

roles/web-app-mediawiki/templates/docker-compose.yml.j2

@@ -5,6 +5,7 @@
     image: "{{ MEDIAWIKI_IMAGE }}:{{ MEDIAWIKI_VERSION }}"
     volumes:
       - "data:/var/www/html/"
+      - "{{ MEDIAWIKI_LOCAL_MOUNT_DIR }}:{{ MEDIAWIKI_LOCAL_PATH }}:ro"
     ports:
       - "127.0.0.1:{{ ports.localhost.http[application_id] }}:{{ container_port }}"
 {% include 'roles/docker-container/templates/healthcheck/curl.yml.j2' %}

roles/web-app-mediawiki/templates/oidc.php.j2

@@ -1,18 +1,19 @@
 <?php
 // ### OIDC (PluggableAuth) – BEGIN (managed by Ansible)
+
+{% if MEDIAWIKI_OIDC_ENABLED | bool %}
+
 wfLoadExtension( 'PluggableAuth' );
 wfLoadExtension( 'OpenIDConnect' );
 
-$wgPluggableAuth_EnableAutoLogin = true;   // don’t auto-redirect to IdP
-$wgPluggableAuth_EnableLocalLogin = false;   // keep local user/pass login
+$wgPluggableAuth_EnableAutoLogin = true;
+$wgPluggableAuth_EnableLocalLogin = false;
 $wgPluggableAuth_ButtonLabel = '{{ MEDIAWIKI_OIDC_BUTTON_TEXT }}';
 
-// PluggableAuth expects a list of providers (numeric array) on REL1_44
 $wgPluggableAuth_Config = [
     [
         'plugin' => 'OpenIDConnect',
         'data' => [
-            // For Keycloak, use the REALM URL, e.g. https://auth.example/realms/<realm>
             'providerURL'  => '{{ MEDIAWIKI_OIDC_ISSUER }}',
             'clientID'     => '{{ MEDIAWIKI_OIDC_CLIENT_ID }}',
             'clientsecret' => '{{ MEDIAWIKI_OIDC_CLIENT_SECRET }}',
@@ -21,7 +22,8 @@ $wgPluggableAuth_Config = [
     ],
 ];
 
-// Helpful defaults
 $wgOpenIDConnect_UseEmailNameAsUserName = true;
 $wgOpenIDConnect_MigrateUsers = true;
 // ### OIDC (PluggableAuth) – END
+
+{% endif %}