[Ban AI] Backend: Add override capabilities for cascading settings to ban AI features
Context
The cascading settings framework allows admins to create secure defaults for AI settings and to enforce default values via the locking mechanism.
However, it does not support the following scenarios:
- An instance admin or root group owner wants to ensure that AI features are off for all projects/groups except for a specific list of projects/groups.
- An instance admin or root group owner wants to ensure that AI features are on for all projects/groups except for a specific list of projects/groups.
Large enterprises want more granular control over AI features, so cascading settings alone might not meet their needs.
To meet their needs, we will add an override layer to the duo_features_enabled cascading settings. The override layer will only be controlled by an instance admin or root group owner. Using this setting, the admin/owner can add a specific list of groups/projects to an AI “allow list” or an AI “block list”.
Definition of done
- Ultimate/Premium feature
- Only a root group owner or instance owner can set these lists. Lists can be set at the group level (namespace_settings) or application level (application_settings)
- If a group/project is in the allow list, that takes precedence over the duo_features_enabled setting that is set via cascading settings.
- If a group/project is in the block list, that takes precedence over the duo_features_enabled setting that is set via cascading settings.
- A group or project cannot be in both lists. Raise a validation error if this happens.
- An extremely naive implementation is available in this branch if you are wondering where to hook in for this override.
- This issue is for the backend logic only; the APIs and frontend to set these lists will happen via other issues.
Edited by Alejandro Rodríguez
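The precedence and validation rules from the definition of done, sketched as an added example (not code from the issue or the linked branch). The class and method names, the "group:ID"/"project:ID" keys, exact-match membership, and checking the instance layer before the root group layer are all assumptions of this sketch.

```ruby
require "set"

# Hypothetical model of one override layer (application_settings or a root
# group's namespace_settings). Keys like "group:42" are constructed.
class DuoOverrideLists
  class ValidationError < StandardError; end

  def initialize(allow: [], block: [])
    @allow = Set.new(allow)
    @block = Set.new(block)
    validate!
  end

  # A group or project cannot be in both lists.
  def validate!
    both = @allow & @block
    return if both.empty?

    raise ValidationError, "in both allow and block list: #{both.to_a.sort.join(', ')}"
  end

  # true = allow-listed, false = block-listed, nil = no override for this key.
  def decision_for(key)
    return true if @allow.include?(key)
    return false if @block.include?(key)

    nil
  end
end

# An override in any layer takes precedence over the cascaded
# duo_features_enabled value. Layers are consulted in the order given;
# instance before root group is an assumption, the issue does not define it.
def effective_duo_features_enabled(key, cascaded_value:, layers:)
  layers.each do |lists|
    decision = lists.decision_for(key)
    return decision unless decision.nil?
  end
  cascaded_value
end

# Constructed sample data: one instance-level layer, one root-group layer.
INSTANCE = DuoOverrideLists.new(block: ["group:9"])
ROOT_GROUP = DuoOverrideLists.new(allow: ["project:7", "group:9"], block: ["project:8"])
LAYERS = [INSTANCE, ROOT_GROUP].freeze
```

With the cascaded value locked to false, only allow-listed keys resolve to true, which is the "off everywhere except a specific list" scenario; the block list gives the inverse.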