Add service admin groups, combined settings pages, single Settings button

- Auto-create {service-id}-admin groups at startup (group_bootstrap.py)
- get_service_admin() dep: grants access to superusers OR service group members
- /api/settings/ai and /api/settings/documents/limits now allow service admins
- AI service exposes /plugin/manifest (ai-service-admin access group)
- DocServiceSettingsPage: combined upload limits + watch directory on one page
- ServiceAdminRoute in frontend guards new /apps/documents/settings and /apps/ai/settings
- Single Settings button per app card (visible to admins and service group members)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

frontend/STATUS.md

@@ -16,8 +16,8 @@ All API calls go through `src/api/client.ts` (single Axios instance, JWT injecte
 | `/` | `DashboardPage` | Required |
 | `/apps` | `AppsPage` | Required |
 | `/apps/documents` | `DocumentsPage` | Required |
-| `/apps/documents/settings/admin` | `DocumentAdminSettingsPage` | Admin only |
-| `/apps/ai/settings/admin` | `AIAdminSettingsPage` | Admin only |
+| `/apps/documents/settings` | `DocServiceSettingsPage` | ServiceAdminRoute (is_admin OR doc-service-admin) |
+| `/apps/ai/settings` | `AIAdminSettingsPage` | ServiceAdminRoute (is_admin OR ai-service-admin) |
 | `/admin` | `AdminPage` (redirects to `/admin/users`) | Admin only |
 | `/admin/users` | `AdminUsersPage` | Admin only |
 | `/admin/groups` | `AdminGroupsPage` | Admin only |
@@ -51,7 +51,7 @@ Cards are rendered dynamically from `GET /api/services` (polled every 30 s via T
 - **healthy=true + app_path set** — clickable card with "Available" badge
 - **healthy=true + no app_path** — non-clickable card (e.g. AI Service — no user UI)
 - **healthy=false** — non-clickable, dimmed card with "Unavailable" badge and explanation text
-- Admin settings link shown for admins regardless of health status
+- Single **Settings** button per card — visible to global admins OR members of the service's admin group (checked via `GET /api/plugins` which backend filters by access). Links to `svc.settings_path`.
 
 ### Sidebar navigation
 
@@ -61,12 +61,6 @@ Cards are rendered dynamically from `GET /api/services` (polled every 30 s via T
 - Sections auto-open when navigating to their route
 - In collapsed (icons-only) mode, clicking the Apps icon navigates to `/apps`
 
-**App cards — Extension button:**
-- `GET /api/plugins` is queried on the Apps page (already user-filtered by backend)
-- If an app's `id` matches a plugin `id`, an "Extension" button is shown on that card
-- Button links to `/settings/plugins/:id` alongside the existing admin "Settings" button
-- Only users with plugin access see the button (backend filters `GET /api/plugins`)
-
 ### Documents page (`/apps/documents`)
 
 **Upload:** PDF file input, 202 response, error display.
@@ -96,17 +90,20 @@ Cards are rendered dynamically from `GET /api/services` (polled every 30 s via T
 - **Categories** — assigned chips with remove; dropdown to assign existing; AI-suggested chips with Accept / Create & Assign / Dismiss
 - **Status polling** — auto-refetches every 3s while status is pending/processing; invalidates document list on done/failed
 
-### AI Admin Settings (`/apps/ai/settings/admin`)
+### AI Service Settings (`/apps/ai/settings`)
 
+Accessible to global admins and `ai-service-admin` group members (`ServiceAdminRoute`).
 - Provider selector (lmstudio / ollama / anthropic)
 - Per-provider fields (base URL, model, API key)
 - Test Connection button (`POST /api/settings/ai/test`)
 - Save button
 
-### Document Admin Settings (`/apps/documents/settings/admin`)
+### Document Service Settings (`/apps/documents/settings`)
 
-- Upload Limits section only (max PDF size in MB)
-- Save button
+Accessible to global admins and `doc-service-admin` group members (`ServiceAdminRoute`).
+Combined settings on one page, accessed via the single "Settings" button on the app card:
+- **Upload Limits** — max PDF size in MB (`GET/PATCH /api/settings/documents/limits`)
+- **Watch Directory** — file watcher config rendered via `PluginSchemaForm` from manifest (`GET/PATCH /api/plugins/doc-service/settings`)
 
 ### Admin — Users page (`/admin/users`)