test(services/keycloak): split into 5 per-family tests

  - keycloak (VM, with specialisation): core boot -> bootstrap ->
    reconcile chain + a config-change reroll. Minimal fixture: one
    realm. The only test that needs full QEMU (specialisation only
    works in nodes.<n>).
  - keycloak-rbac (container): roles, groups (with nesting), users,
    role + group bindings via managed-key list refs. ~25 lines of
    runtime config, ~30 lines of test script.
  - keycloak-clients (container): openid_client_scopes,
    openid_clients, default-scope binding, a protocol mapper.
  - keycloak-realm-extras (container): extended realm attrs,
    smtp_server with nested-secret indirection, security_defenses
    nested-in-nested wrap, otp_policy, realm_keystore_rsa_generated,
    required_action, realm_localization, realm_user_profile
    (nested-in-list-element block wrap).
  - keycloak-idp (container): google IdP + secret indirection,
    attribute_importer IdP mapper, authentication_flow.

Containers boot via systemd-nspawn rather than QEMU, so the 4
non-specialisation tests start faster and the test driver pushes them
in parallel (start_all). Each test is self-contained and uses the
shared mkHost helper for the common keycloak service config plus
pyHelpers (admin_token / admin_get / get_realm) so the assertions stay
focused on what's being tested.

Treefmt also reformatted the README's Resources table to even column
widths (no content change); folding it into this commit.

Author: kmein