Default-deny access control with group flags and access enumeration

Replaces the implicit "empty allowed_groups means public" rule with
explicit default-deny across both OIDC and ForwardAuth. Adds two boolean
flags on Group — auto_assign (Keycloak-style auto-join on user create)
and admin (members can reach the admin panel) — and drops the
users.admin column entirely. Adds "Users with access" and "Accessible
applications" panels with via-group badges on the application/user show
pages.

BEHAVIOR CHANGE: a ForwardAuth app with no allowed_groups previously
bypassed authentication entirely; it now returns 403 like any other
unauthorized request. The data migration seeds an "everyone" group and
attaches it to all previously group-less apps to preserve behavior on
existing installs. An "admins" group is seeded and backfilled from any
user with the old admin column.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

test/controllers/admin/groups_controller_test.rb

@@ -48,5 +48,23 @@ module Admin
 
       assert_equal [app], Group.find_by(name: "new group").applications
     end
+
+    test "can mark a group as auto_assign and admin" do
+      patch admin_group_path(@group), params: {
+        group: {name: @group.name, auto_assign: "1", admin: "1"}
+      }
+
+      @group.reload
+      assert @group.auto_assign?
+      assert @group.admin?
+    end
+
+    test "cannot delete the last admin group" do
+      admins = groups(:admin_group)
+
+      delete admin_group_path(admins)
+      # Destroy was aborted by the before_destroy guard
+      assert Group.exists?(admins.id), "admin group should not have been deleted"
+    end
   end
 end