Add service to resolve the service account for a Duo flow for a container

This MR was extracted from Use group-level service account to start founda... (!215813) to be reused by Add service account validation for Duo Code Rev... (!213555) and the code is not being used yet.

This change adds support for AI catalog items to work with groups (teams/organizations) in addition to projects.

The main updates include:

• Added a new database query method to find items associated with specific groups
• Created a new service that helps locate the correct service account (automated user) when someone tries to use an AI catalog item, whether they're working within a project or a group
• The service intelligently searches for permissions by first checking the specific container (project/group) and then falling back to parent groups if needed
• Added comprehensive tests to ensure the new functionality works correctly across different scenarios: top-level groups, subgroups, and projects within those groups

This enhancement allows AI catalog items to be shared and used more flexibly across different organizational structures, making it easier for teams to access AI tools regardless of whether they're organized by projects or groups.