feat(access): strict allowlist + add groups by search

* UnifiPageGrant::userCanAccess no longer falls back to "open" when a
  page has no grants saved. Pages now require an explicit grant for
  every non-super-admin user — either a direct user grant or via a
  group they belong to. Matches the new dashboard-wide access model.
* Route enforcement returns 404 (was 403) so ungranted users can't even
  confirm the page exists.
* New /settings/pages-access/groups/search endpoint mirrors the
  user typeahead. Groups are no longer all listed by default — only
  super-admin groups (locked-on) and groups with at least one existing
  grant show up in the matrix. Operators add more via search.

v1.7.1.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/routes/unifi.php

@@ -78,6 +78,7 @@ Route::middleware(['web', 'auth', 'app.access:unifi'])
             Route::middleware('super.admin')->group(function () {
                 Route::get('/settings/pages-access',                [UnifiPagesAccessController::class, 'index'])      ->name('settings.pages-access.index');
                 Route::get('/settings/pages-access/users/search',   [UnifiPagesAccessController::class, 'searchUsers'])->name('settings.pages-access.users.search');
+                Route::get('/settings/pages-access/groups/search',  [UnifiPagesAccessController::class, 'searchGroups'])->name('settings.pages-access.groups.search');
                 Route::put('/settings/pages-access/{navItem}',      [UnifiPagesAccessController::class, 'update'])     ->name('settings.pages-access.update');
             });