Add service admin groups, combined settings pages, single Settings button

- Auto-create {service-id}-admin groups at startup (group_bootstrap.py)
- get_service_admin() dep: grants access to superusers OR service group members
- /api/settings/ai and /api/settings/documents/limits now allow service admins
- AI service exposes /plugin/manifest (ai-service-admin access group)
- DocServiceSettingsPage: combined upload limits + watch directory on one page
- ServiceAdminRoute in frontend guards new /apps/documents/settings and /apps/ai/settings
- Single Settings button per app card (visible to admins and service group members)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/STATUS.md

@@ -66,14 +66,18 @@ A background task (`service_health.py`) polls each service's `/health` endpoint
 
 | Method | Path | Description |
 |--------|------|-------------|
-| `GET` | `/api/settings/ai` | AI service config (masked — API keys redacted) |
-| `PATCH` | `/api/settings/ai` | Update AI provider / credentials |
-| `POST` | `/api/settings/ai/test` | Test AI connection (proxies a minimal /chat call) |
-| `GET` | `/api/settings/documents/limits` | Doc service upload limits |
-| `PATCH` | `/api/settings/documents/limits` | Update max PDF size |
+| `GET` | `/api/settings/ai` | AI service config (masked) — superuser OR `ai-service-admin` member |
+| `PATCH` | `/api/settings/ai` | Update AI provider / credentials — same access |
+| `POST` | `/api/settings/ai/test` | Test AI connection — same access |
+| `GET` | `/api/settings/documents/limits` | Doc service upload limits — superuser OR `doc-service-admin` member |
+| `PATCH` | `/api/settings/documents/limits` | Update max PDF size — same access |
+| `GET` | `/api/settings/system-prompts` | All editable system prompts — superuser OR `ai-service-admin` member |
+| `PATCH` | `/api/settings/system-prompts/{id}` | Update system prompt — same access |
 
 Settings are persisted to JSON files on the `app_config` Docker named volume and read by the respective feature services.
 
+Access to service-specific settings endpoints is enforced by `get_service_admin(service_id)` in `deps.py` — grants access to superusers OR members of the `{service_id}-admin` group.
+
 ### Feature proxies
 
 All `/api/documents/*` and `/api/documents/categories/*` requests are transparently proxied to `doc-service:8001` via `httpx.AsyncClient`. The proxy:
@@ -95,7 +99,9 @@ Generic extension/plugin infrastructure — **zero feature-specific code in back
 
 Access is controlled by the manifest: `allow_superuser` for admins; `required_groups` for group members. `check_plugin_access(plugin_id, user, db)` in `deps.py` enforces this.
 
-During each health poll, `service_health.py` also fetches `GET /plugin/manifest` from healthy services and caches it. New feature containers that expose `/plugin/manifest` automatically appear in the Extensions sidebar — no backend code changes required.
+During each health poll, `service_health.py` also fetches `GET /plugin/manifest` from healthy services and caches it. New feature containers that expose `/plugin/manifest` automatically appear in the plugin list — no backend code changes required.
+
+**Service admin group bootstrap:** On every startup, `group_bootstrap.py` creates a `{service-id}-admin` group for every registered service (idempotent). Admins add users to these groups via the Admin → Groups UI to delegate service-level administration.
 
 ### Database models