Infra: Keycloak custom login theme

[FadyGergesRezk]

Style the Keycloak hosted auth pages (login, register, reset-password, OTP) to match the app's design system so users never land on the default Keycloak UI.

Context

Currently, main.tsx initialises Keycloak with login-required, which redirects unauthenticated users to Keycloak's built-in hosted pages. These pages are completely unstyled relative to the app and break the visual experience. Keycloak supports custom themes via Freemarker templates + CSS deployed into the Keycloak container.

Tasks

• Scaffold a custom Keycloak theme directory under infra/keycloak/themes/<theme-name>/login/ following the Keycloak theme structure (Freemarker templates + theme.properties + resources/css/)
• Style login.ftl to match the app's typography, color palette, and card-based layout
• Style register.ftl, login-reset-password.ftl, and login-otp.ftl consistently with the login page
• Mount the theme directory into the Keycloak Docker container via a volume in docker-compose.yml
• Set the custom theme as the default login theme for the realm in Keycloak config (via realm import JSON or env var)
• Verify the theme is applied automatically on docker compose up with no manual Keycloak admin steps

Acceptance criteria

• All Keycloak-hosted auth pages (login, register, reset-password, OTP) render with the app's fonts, colors, and layout — not the default Keycloak theme
• Theme is active after a clean docker compose up with no manual steps in the Keycloak admin console
• Existing auth flow wired in main.tsx is unaffected — login, token refresh, and logout all work correctly
• No Keycloak admin credentials or secrets are hardcoded in theme files