feat(BA-2476): add RBAC validators to project action processors

Add RBAC validators to ScopeActionProcessor and SingleEntityActionProcessor
for project-related actions in the group service.

Changes:
- Pass validators.rbac.scope to ScopeActionProcessor for:
  - create_group, search_projects_by_domain, search_projects_by_user
- Pass validators.rbac.single_entity to SingleEntityActionProcessor for:
  - modify_group, delete_group, purge_group, get_project
- Internal/admin actions (usage_per_month, usage_per_period, search_projects)
  remain on plain ActionProcessor without RBAC validators

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Author: fregataa

src/ai/backend/manager/services/group/processors.py

@@ -64,20 +64,34 @@ def __init__(
         action_monitors: list[ActionMonitor],
         validators: ActionValidators,
     ) -> None:
-        self.create_group = ScopeActionProcessor(group_service.create_group, action_monitors)
-        self.modify_group = SingleEntityActionProcessor(group_service.modify_group, action_monitors)
-        self.delete_group = SingleEntityActionProcessor(group_service.delete_group, action_monitors)
-        self.purge_group = SingleEntityActionProcessor(group_service.purge_group, action_monitors)
+        self.create_group = ScopeActionProcessor(
+            group_service.create_group, action_monitors, validators=[validators.rbac.scope]
+        )
+        self.modify_group = SingleEntityActionProcessor(
+            group_service.modify_group, action_monitors, validators=[validators.rbac.single_entity]
+        )
+        self.delete_group = SingleEntityActionProcessor(
+            group_service.delete_group, action_monitors, validators=[validators.rbac.single_entity]
+        )
+        self.purge_group = SingleEntityActionProcessor(
+            group_service.purge_group, action_monitors, validators=[validators.rbac.single_entity]
+        )
         self.usage_per_month = ActionProcessor(group_service.usage_per_month, action_monitors)
         self.usage_per_period = ActionProcessor(group_service.usage_per_period, action_monitors)
         self.search_projects = ActionProcessor(group_service.search_projects, action_monitors)
         self.search_projects_by_domain = ScopeActionProcessor(
-            group_service.search_projects_by_domain, action_monitors
+            group_service.search_projects_by_domain,
+            action_monitors,
+            validators=[validators.rbac.scope],
         )
         self.search_projects_by_user = ScopeActionProcessor(
-            group_service.search_projects_by_user, action_monitors
+            group_service.search_projects_by_user,
+            action_monitors,
+            validators=[validators.rbac.scope],
+        )
+        self.get_project = SingleEntityActionProcessor(
+            group_service.get_project, action_monitors, validators=[validators.rbac.single_entity]
         )
-        self.get_project = SingleEntityActionProcessor(group_service.get_project, action_monitors)
 
     @override
     def supported_actions(self) -> list[ActionSpec]: