feat: improve oidc only mode

lib/accounts/user/validations/oidc_only_blocks_password_registration.ex

@@ -0,0 +1,27 @@
+defmodule Mv.Accounts.User.Validations.OidcOnlyBlocksPasswordRegistration do
+  @moduledoc """
+  Validation that blocks direct registration (register_with_password) when
+  OIDC-only mode is active. In OIDC-only mode, sign-in and registration are
+  only allowed via OIDC (SSO).
+  """
+  use Ash.Resource.Validation
+
+  @impl true
+  def init(opts), do: {:ok, opts}
+
+  @impl true
+  def validate(_changeset, _opts, _context) do
+    if Mv.Config.oidc_only?() do
+      {:error,
+       field: :base,
+       message:
+         Gettext.dgettext(
+           MvWeb.Gettext,
+           "default",
+           "Registration with password is disabled when only OIDC sign-in is active."
+         )}
+    else
+      :ok
+    end
+  end
+end