Default-deny access control with group flags and access enumeration

Replaces the implicit "empty allowed_groups means public" rule with
explicit default-deny across both OIDC and ForwardAuth. Adds two boolean
flags on Group — auto_assign (Keycloak-style auto-join on user create)
and admin (members can reach the admin panel) — and drops the
users.admin column entirely. Adds "Users with access" and "Accessible
applications" panels with via-group badges on the application/user show
pages.

BEHAVIOR CHANGE: a ForwardAuth app with no allowed_groups previously
bypassed authentication entirely; it now returns 403 like any other
unauthorized request. The data migration seeds an "everyone" group and
attaches it to all previously group-less apps to preserve behavior on
existing installs. An "admins" group is seeded and backfilled from any
user with the old admin column.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

app/controllers/users_controller.rb

@@ -8,12 +8,16 @@ class UsersController < ApplicationController
 
   def create
     @user = User.new(user_params)
-
-    # First user becomes admin automatically
-    @user.admin = true if User.count.zero?
     @user.status = "active"
+    first_user = User.count.zero?
 
     if @user.save
+      # First user automatically becomes a member of every admin group, so they
+      # can reach the admin panel without an existing admin to grant access.
+      if first_user
+        Group.where(admin: true).each { |g| @user.groups << g }
+      end
+
       start_new_session_for @user
       redirect_to root_path, notice: "Welcome to Clinch! Your account has been created."
     else