feat(mediawiki): Refactor OIDC + debug; install Composer deps in-container; modularize role

Discussion: https://chatgpt.com/share/68b10c0a-c308-800f-93ac-2ffb386cf58b

- Split tasks into 01_install, 02_debug, 03_admin, 04_extensions, 05_oidc.
- Ensure unzip+git+composer on demand in the container; run Composer as www-data with COMPOSER_HOME=/tmp/composer.
- Idempotently unpack/install PluggableAuth & OpenIDConnect; run composer install only if vendor/ is missing.
- Add sanity check for Jumbojett\OpenIDConnectClient.
- Copy oidc.php only when changed and append a single require_once to LocalSettings.php.
- Use REL1_44-compatible numeric array for $wgPluggableAuth_Config; set $wgPluggableAuth_ButtonLabelMessage.
- Debug: add debug.php that logs to STDERR (visible via docker logs); toggle cleanly with MODE_DEBUG.
- Enable OIDC feature in config; add paths/OIDC/extension vars in vars/main.yml.

fix(services): include SYS_SERVICE_GROUP_CLEANUP in StartPre lock (ssd-hdd, docker-hard).

fix(desktop/joomla): simplify MODE_DEBUG templating.

chore: minor cleanups and renames.

roles/web-app-mediawiki/tasks/_enable_debug.yml

@@ -0,0 +1,45 @@
+- name: "Render debug.php locally"
+  template:
+    src: "debug.php.j2"
+    dest: "{{ MEDIAWIKI_CONFIG_DIR }}/debug.php"
+    mode: "0644"
+
+- name: "Compute local checksum"
+  stat:
+    path: "{{ MEDIAWIKI_CONFIG_DIR }}/debug.php"
+    checksum_algorithm: sha256
+  register: _dbg_local
+
+- name: "Compute container checksum (if exists)"
+  shell: >
+    docker exec {{ MEDIAWIKI_CONTAINER }} bash -lc
+    "test -f {{ MEDIAWIKI_HTML_DIR }}/debug.php &&
+      sha256sum {{ MEDIAWIKI_HTML_DIR }}/debug.php | awk '{print $1}' || echo MISSING"
+  args: { executable: /bin/bash }
+  register: _dbg_remote
+  changed_when: false
+
+- name: "Copy debug.php into container only if different"
+  shell: >
+    if [ "{{ (_dbg_remote.stdout | default('') | trim) }}" != "{{ _dbg_local.stat.checksum }}" ]; then
+      docker cp "{{ MEDIAWIKI_CONFIG_DIR }}/debug.php" "{{ MEDIAWIKI_CONTAINER }}:{{ MEDIAWIKI_HTML_DIR }}/debug.php" &&
+      docker exec {{ MEDIAWIKI_CONTAINER }} bash -lc "chown {{ MEDIAWIKI_USER }}:{{ MEDIAWIKI_USER }} {{ MEDIAWIKI_HTML_DIR }}/debug.php && chmod 0644 {{ MEDIAWIKI_HTML_DIR }}/debug.php" &&
+      echo COPIED;
+    fi
+  args: { executable: /bin/bash }
+  register: _dbg_cp
+  changed_when: "'COPIED' in (_dbg_cp.stdout | default(''))"
+
+- name: "require_once debug.php in LocalSettings.php"
+  shell: |
+    docker exec -u {{ MEDIAWIKI_USER }} {{ MEDIAWIKI_CONTAINER }} bash -lc '
+      LSP={{ MEDIAWIKI_HTML_DIR }}/LocalSettings.php
+      LINE="require_once __DIR__ . '\''/debug.php'\'';"
+      if ! grep -Fqx -- "$LINE" "$LSP"; then
+        printf "%s\n" "$LINE" >> "$LSP"
+        echo ADDED_DEBUG_REQUIRE
+      fi
+    '
+  args: { executable: /bin/bash }
+  register: _dbg_req
+  changed_when: "'ADDED_DEBUG_REQUIRE' in (_dbg_req.stdout | default(''))"