docs: update Phase 10 defaults, add Phase 11 (Groups) design

Phase 10 changes:

- Default provider switched from SearXNG to Brave Search per
  decision. SearXNG remains as an alternative for operators who
  prefer self-hosted.
- Blocklist is now the primary filtering mechanism with a seeded
  starter list (paste sites, *.onion, unmoderated forums). Allowlist
  demoted to "advanced" use for tightly scoped configurations.
- Migration default for web_search_provider flipped to 'brave'.
- Compose changes are now SearXNG-only and opt-in via profile.
- Open question reframed to Brave plan choice (commercial use).

Phase 11 (Groups and granular permissions) added:

- Four new tables: groups, group_members, permissions (catalogue),
  group_permissions.
- project_members and review_members extended with nullable group_id
  alongside user_id, enforced by check constraint.
- Two auto-managed system groups per workspace (All members,
  Admins) maintained by triggers on workspace_members.
- Capability set seeded by migration with default_for_role mapping
  and admin_locked flags.
- Effective permissions resolved per request via lib/access.ts and
  exposed as req.can('capability.key').
- Sharing modal accepts users or groups via a unified principal
  search endpoint.
- Audit events for group lifecycle and share/unshare with principal
  kind metadata.
- Single migration 0024_groups.sql; columns added are nullable
  (metadata-only in PG16), indexes built concurrently.
- Rollout in four steps with feature-flag option for behavioural
  rollback.

Open questions parked for review: owner-locked capabilities, cross-
workspace group sharing, residual shared_with JSONB cleanup, perf
of req.can() in chat tool dispatch.