Add service admin groups, combined settings pages, single Settings button

- Auto-create {service-id}-admin groups at startup (group_bootstrap.py)
- get_service_admin() dep: grants access to superusers OR service group members
- /api/settings/ai and /api/settings/documents/limits now allow service admins
- AI service exposes /plugin/manifest (ai-service-admin access group)
- DocServiceSettingsPage: combined upload limits + watch directory on one page
- ServiceAdminRoute in frontend guards new /apps/documents/settings and /apps/ai/settings
- Single Settings button per app card (visible to admins and service group members)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

features/ai-service/app/routers/plugin.py

@@ -0,0 +1,31 @@
+"""
+Plugin manifest endpoint for the AI service.
+
+Exposes GET /plugin/manifest so the backend health-poller can discover the
+service's access rules and register it in the plugin system.
+
+No settings schema is exposed here — the AI service settings are complex
+(provider selection, conditional fields) and are rendered by a bespoke page
+rather than the generic PluginSchemaForm.
+"""
+from fastapi import APIRouter
+
+router = APIRouter()
+
+_MANIFEST = {
+    "id": "ai-service",
+    "name": "AI Service",
+    "icon": "cpu",
+    "version": "1.0",
+    "access": {
+        "allow_superuser": True,
+        "required_groups": ["ai-service-admin"],
+    },
+    # No settings_schema — the frontend uses a custom settings page
+    "settings_schema": None,
+}
+
+
+@router.get("/plugin/manifest")
+async def get_manifest() -> dict:
+    return _MANIFEST