feat(settings): restrict AI readiness checks to admins

docs/route-access-matrix.md

@@ -79,6 +79,15 @@ Reasoning:
 
 - system role defaults define the effective permission model and therefore belong to the smallest operational audience
 
+### `packages/api/src/router/settings.ts`
+
+- `getSystemSettings`, `updateSystemSettings`, connection tests, `getAiConfigured`: `admin-only`
+
+Reasoning:
+
+- even the boolean AI readiness check leaks whether admin-managed infrastructure is wired and available
+- the route has no current web consumer outside admin operations, so narrowing it does not block normal user workflows
+
 ### `packages/api/src/router/country.ts`
 
 - `list`, `resolveByIdentifier`, `getCityById`: `authenticated-safe-lookup`