Default-deny access control with group flags and access enumeration

Replaces the implicit "empty allowed_groups means public" rule with
explicit default-deny across both OIDC and ForwardAuth. Adds two boolean
flags on Group — auto_assign (Keycloak-style auto-join on user create)
and admin (members can reach the admin panel) — and drops the
users.admin column entirely. Adds "Users with access" and "Accessible
applications" panels with via-group badges on the application/user show
pages.

BEHAVIOR CHANGE: a ForwardAuth app with no allowed_groups previously
bypassed authentication entirely; it now returns 403 like any other
unauthorized request. The data migration seeds an "everyone" group and
attaches it to all previously group-less apps to preserve behavior on
existing installs. An "admins" group is seeded and backfilled from any
user with the old admin column.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

test/models/api_key_test.rb

@@ -10,6 +10,7 @@ class ApiKeyTest < ActiveSupport::TestCase
       domain_pattern: "webdav.example.com",
       active: true
     )
+    @app.allowed_groups << groups(:everyone)
   end
 
   test "generates clk_ prefixed token on create" do
@@ -78,9 +79,8 @@ class ApiKeyTest < ActiveSupport::TestCase
   end
 
   test "validates user must have access to application" do
-    group = groups(:admin_group)
-    @app.allowed_groups << group
-    # @user (bob) is not in admin_group
+    # Restrict the app to admin_group only — bob is not in admin_group.
+    @app.allowed_groups = [groups(:admin_group)]
     key = @user.api_keys.build(name: "No Access", application: @app)
     assert_not key.valid?
     assert_includes key.errors[:user], "does not have access to this application"