Apps index access column + summary + admin access checker

The Applications index used to render "All users" whenever an app had
no allowed_groups; under default-deny that's the opposite of the truth.
Replaced with a "No one" badge and, when groups are present, a
"N users · M groups" cell so the access reality is visible at a glance.

Added a small stats strip above the apps table: applications, users
with access, and groups granting access. Backed by preloaded counts in
the controller to avoid N+1.

Added /admin/access — a small "Access check" tool that takes a user
and an application and reports whether the user can reach it, with the
granting group(s) when allowed, and the specific reason when not
(inactive app/user, no allowed groups, or no shared group). Wired into
the admin sidebar.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

app/controllers/admin/access_checks_controller.rb

@@ -0,0 +1,25 @@
+module Admin
+  class AccessChecksController < BaseController
+    def new
+      load_options
+    end
+
+    def create
+      load_options
+      @user = User.find_by(id: params[:user_id])
+      @application = Application.find_by(id: params[:application_id])
+      return render :new unless @user && @application
+
+      @allowed = @application.user_allowed?(@user)
+      @via = @user.groups & @application.allowed_groups
+      render :new
+    end
+
+    private
+
+    def load_options
+      @users = User.order(:email_address)
+      @applications = Application.order(:name)
+    end
+  end
+end