feat(astrolabe): add admin search settings and enhanced UI

Add comprehensive admin controls for the unified search provider and enhance the frontend UI with filtering and visualization improvements.

**Admin Settings:**
- Configure default search algorithm (hybrid, semantic, bm25)
- Set fusion method for hybrid search (rrf, dbsf)
- Adjust minimum score threshold (0-100%)
- Set result limit (1-100 results)

**Frontend Enhancements:**
- Add score-based result filtering with slider control
- Add expandable excerpts for search results
- Improve result visualization and formatting
- Add algorithm badge to show search method used

**API Changes:**
- Add `/api/admin/search-settings` POST endpoint
- Add `searchForUnifiedSearch()` method to McpServerClient
- Load and apply admin settings in SemanticSearchProvider

**Technical Details:**
- Settings stored in app config table
- Defaults: hybrid algorithm, rrf fusion, 0% threshold, 20 results
- SemanticSearchProvider respects admin-configured limits

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

third_party/astroglobe/lib/Controller/OAuthController.php

@@ -367,6 +367,10 @@ class OAuthController extends Controller {
 			'astroglobe.oauth.oauthCallback'
 		);
 
+		// Get public MCP server URL for token audience (RFC 8707 Resource Indicator)
+		// Use public URL that clients/browsers see, not internal Docker URL
+		$mcpServerPublicUrl = $this->config->getSystemValue('mcp_server_public_url', $mcpServerUrl);
+
 		// Build authorization URL with PKCE
 		$params = [
 			'client_id' => 'nextcloudMcpServerUIPublicClient',  // Public client ID (32+ chars required by NC OIDC)
@@ -376,6 +380,7 @@ class OAuthController extends Controller {
 			'state' => $state,
 			'code_challenge' => $codeChallenge,
 			'code_challenge_method' => 'S256',
+			'resource' => $mcpServerPublicUrl,  // RFC 8707 Resource Indicator - request token with MCP server audience
 		];
 
 		return $authEndpoint . '?' . http_build_query($params);