2843790cef
Some checks failed
The Applications index used to render "All users" whenever an app had no allowed_groups; under default-deny that's the opposite of the truth. Replaced with a "No one" badge and, when groups are present, a "N users · M groups" cell so the access reality is visible at a glance. Added a small stats strip above the apps table: applications, users with access, and groups granting access. Backed by preloaded counts in the controller to avoid N+1. Added /admin/access — a small "Access check" tool that takes a user and an application and reports whether the user can reach it, with the granting group(s) when allowed, and the specific reason when not (inactive app/user, no allowed groups, or no shared group). Wired into the admin sidebar. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>