XWiki: two-phase bootstrap + extension install before enabling auth; add XOR validation

- Add 02_validation.yml to prevent OIDC+LDAP enabled simultaneously
- Introduce _flush_config.yml with switches (OIDC/LDAP/superadmin)
- Bootstrap with native+superadmin → create admin → install extensions (superadmin) → enable final auth
- Refactor REST vars (XWIKI_REST_BASE, XWIKI_REST_XWIKI, XWIKI_REST_EXTENSION_INSTALL)
- Update templates to use switch vars; gate OIDC block in properties
- Idempotent REST readiness waits

Conversation: https://chatgpt.com/share/68c40c1e-2b3c-800f-b59f-8d37baa9ebb2

roles/web-app-xwiki/tasks/02_validation.yml

@@ -0,0 +1,9 @@
+- name: "ASSERT | Only one auth backend (OIDC or LDAP) may be enabled"
+  assert:
+    that:
+      - not ((XWIKI_OIDC_ENABLED | bool) and (XWIKI_LDAP_ENABLED | bool))
+    fail_msg: >-
+      Invalid auth configuration: both OIDC and LDAP are enabled
+      (features.oidc={{ XWIKI_OIDC_ENABLED }}, features.ldap={{ XWIKI_LDAP_ENABLED }}).
+      Enable only one, or disable both to use native/superadmin login.
+    success_msg: "Auth config OK: OIDC={{ XWIKI_OIDC_ENABLED }}, LDAP={{ XWIKI_LDAP_ENABLED }}."