feat(access): strict allowlist + add groups by search

* UnifiPageGrant::userCanAccess no longer falls back to "open" when a
  page has no grants saved. Pages now require an explicit grant for
  every non-super-admin user — either a direct user grant or via a
  group they belong to. Matches the new dashboard-wide access model.
* Route enforcement returns 404 (was 403) so ungranted users can't even
  confirm the page exists.
* New /settings/pages-access/groups/search endpoint mirrors the
  user typeahead. Groups are no longer all listed by default — only
  super-admin groups (locked-on) and groups with at least one existing
  grant show up in the matrix. Operators add more via search.

v1.7.1.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/Http/Controllers/UnifiPagesAccessController.php

@@ -40,6 +40,15 @@ class UnifiPagesAccessController extends Controller
         $grantedUserIds = $grants->flatten(1)->where('grantee_type', 'user')->pluck('grantee_id')->unique();
         $users = User::whereIn('id', $grantedUserIds)->orderBy('name')->get(['id', 'name', 'email']);
 
+        // Groups: always include super-admin groups (locked-on across all
+        // pages) plus any group with at least one grant. Other groups are
+        // added via searchGroups.
+        $grantedGroupIds = $grants->flatten(1)->where('grantee_type', 'group')->pluck('grantee_id')->unique();
+        $groups = Group::where(function ($q) use ($grantedGroupIds) {
+            $q->where('is_super', true)
+              ->orWhereIn('id', $grantedGroupIds);
+        })->orderBy('name')->get(['id', 'name', 'is_super']);
+
         return response()->json([
             'pages' => $pages->map(fn ($p) => [
                 'id'         => $p->id,
@@ -49,7 +58,7 @@ class UnifiPagesAccessController extends Controller
                 'group_ids'  => $grants->get($p->id, collect())->where('grantee_type', 'group')->pluck('grantee_id')->all(),
             ])->values(),
             'users'  => $users,
-            'groups' => Group::orderBy('name')->get(['id', 'name', 'is_super']),
+            'groups' => $groups,
         ]);
     }
 
@@ -76,6 +85,27 @@ class UnifiPagesAccessController extends Controller
         return response()->json(['users' => $users]);
     }
 
+    /**
+     * Typeahead-style search for groups to add to the access matrix.
+     * Excludes super-admin groups (they're already in the matrix and
+     * locked-on across every page).
+     */
+    public function searchGroups(Request $request)
+    {
+        $q = trim((string) $request->query('q', ''));
+        if (strlen($q) < 2) {
+            return response()->json(['groups' => []]);
+        }
+
+        $groups = Group::where('name', 'like', '%' . $q . '%')
+            ->where(function ($w) { $w->where('is_super', false)->orWhereNull('is_super'); })
+            ->orderBy('name')
+            ->limit(20)
+            ->get(['id', 'name', 'is_super']);
+
+        return response()->json(['groups' => $groups]);
+    }
+
     public function update(Request $request, NavItem $navItem)
     {
         $app = DashboardApp::where('slug', 'unifi')->first();