fix(oidc/testfixtures): set Enabled=true on Keycloak integration-test provider

Phase-10 live-IdP smoke re-run (after the alg-downgrade relax landed in
92c50d9) surfaced the next layer: 5 of 6 testcontainers-Keycloak
integration tests failed with 'oidc: provider is disabled'.

Root cause: the OIDCProvider struct literal in
internal/auth/oidc/testfixtures/keycloak.go omits the Enabled field.
Enabled was added by Audit 2026-05-11 MED-9 (Bundle 2 Fix 13 Phase B);
pre-fix the field didn't exist and HandleAuthRequest always proceeded.
Post-fix the default zero-value false gates every integration test
behind ErrProviderDisabled at service.go L478.

Fix: add Enabled: true to the struct literal + inline comment explaining
why the field is required for integration tests. The check is the right
behavior for production (operator-driven disable kill-switch); just
needed to be reflected in the testfixture.

Verify (sandbox): go vet -tags=integration ./internal/auth/oidc/...
clean. Workstation re-runs 'make keycloak-integration-test' to confirm
the 5 affected tests now pass against a real Keycloak 26.x.

internal/auth/oidc/testfixtures/keycloak.go

@@ -216,6 +216,13 @@ func StartKeycloak(t *testing.T) *KeycloakFixture {
 		Name:      "Keycloak (integration test)",
 		IssuerURL: issuerURL,
 		ClientID:  ClientID,
+		// Enabled=true is required for HandleAuthRequest to reach the
+		// IdP discovery + redirect path. The field was added by Audit
+		// 2026-05-11 MED-9 (Bundle 2 Fix 13 Phase B); pre-fix providers
+		// had no enable-flag and HandleAuthRequest always proceeded.
+		// Default zero-value false would gate all integration tests
+		// behind ErrProviderDisabled.
+		Enabled: true,
 		// ClientSecretEncrypted intentionally left zero-length: the
 		// integration test invokes the service with encryptionKey="",
 		// which the Phase-3 service treats as plaintext-passthrough.