Add service admin groups, combined settings pages, single Settings button

- Auto-create {service-id}-admin groups at startup (group_bootstrap.py)
- get_service_admin() dep: grants access to superusers OR service group members
- /api/settings/ai and /api/settings/documents/limits now allow service admins
- AI service exposes /plugin/manifest (ai-service-admin access group)
- DocServiceSettingsPage: combined upload limits + watch directory on one page
- ServiceAdminRoute in frontend guards new /apps/documents/settings and /apps/ai/settings
- Single Settings button per app card (visible to admins and service group members)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/app/deps.py

@@ -45,6 +45,31 @@ async def get_current_admin(
     return current_user
 
 
+def get_service_admin(service_id: str):
+    """
+    Dependency factory that grants access to service-specific admin endpoints.
+
+    Access is granted if the user is a global superuser OR a member of the
+    '{service_id}-admin' group.  Returns 404 (not 403) to hide both the
+    endpoint existence and the permission model.
+
+    Usage:
+        @router.get("/ai")
+        async def get_ai_settings(_: User = Depends(get_service_admin("ai-service"))):
+    """
+    async def _dep(
+        current_user: User = Depends(get_current_user),
+        db: AsyncSession = Depends(get_db),
+    ) -> User:
+        if current_user.is_superuser:
+            return current_user
+        if await check_plugin_access(service_id, current_user, db):
+            return current_user
+        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="Not found")
+
+    return _dep
+
+
 async def check_plugin_access(
     plugin_id: str,
     current_user: User,