fix(query): respect wildcard ExcludedSubjects in LookupSubjects intersection

[matte1782]

Fixes #3135.

Problem

In the experimental query-plan engine, intersectSubjectSets (pkg/query/intersection.go) admits a concrete subject matched by the other operand's wildcard without consulting that wildcard's ExcludedSubjects. So a subject explicitly excluded from a wildcard (viewer:* - banned) is re-admitted when the exclusion feeds an intersection ((viewer:* - banned) & reader), and LookupSubjects enumerates a banned subject as authorized. Check is unaffected (it resolves the wildcard ban at the leaf), so this is a Check vs LookupSubjects consistency violation under --experimental-query-plan ls (default off).

This is reachable through the real schema compiler, not just hand-built iterators. For the schema in #3135 the plan compiles to:

Intersection
  Alias(limited) -> Exclusion[ Alias(viewer)->Union(*, ...), Alias(banned)->bob ]
  Alias(reader)  -> {alice, bob, charlie}

Before: IterSubjects(viewable) = [alice, bob, charlie]. After: [alice, charlie].

Fix

intersectSubjectSets now:

• builds an index of the matching wildcard's ExcludedSubjects and, when admitting a concrete subject matched by that wildcard, applies the exclusion via combineExclusionCaveats — dropping the subject for an absolute exclusion, or conditioning it on the negated exclusion caveat. Reusing combineExclusionCaveats keeps caveated exclusions consistent with how ExclusionIterator already treats them.
• unions both sides' ExcludedSubjects in the wildcard ∩ wildcard case, since (* - E1) ∩ (* - E2) = * - (E1 ∪ E2) (OR-combining caveats when the same subject is excluded on both sides; an unconditional exclusion dominates).

When neither wildcard carries exclusions the behavior is byte-for-byte unchanged.

Tests

• pkg/query/wildcard_intersection_test.go: unit subtests in TestIntersectSubjectSets for excluded-concrete dropping (both wildcard sides), caveated exclusion conditioning, and exclusion union in wildcard ∩ wildcard; plus an end-to-end (viewer:* - banned) & reader subtest in TestIntersectionIterator_WildcardBehavior. Each new test fails on main and passes with this change.
• internal/services/integrationtesting/testconfigs/wildcardmainexclusionintersect.yaml: companion consistency config. The existing wildcardintersectionexclusion.yaml only covers an exclusion whose main set is concrete ((viewer & reader) - banned); this one exercises a wildcard main set ((viewer:* - banned) & reader). It passes the default TestConsistency (stable engine) suite.

go test ./pkg/query/... and go vet ./pkg/query/ pass.

[github-actions]

CLA Assistant Lite bot All contributors have signed the CLA ✍️ ✅

[matte1782]

I have read the CLA Document and I hereby sign the CLA

[codecov]

Codecov Report

❌ Patch coverage is 86.27451% with 7 lines in your changes missing coverage. Please review.
✅ Project coverage is 74.50%. Comparing base (9a71382) to head (2214eb7).

Files with missing lines	Patch %	Lines
pkg/query/intersection.go	86.28%	6 Missing and 1 partial ⚠️

❌ Your project check has failed because the head coverage (74.50%) is below the target coverage (75.00%). You can increase the head coverage or adjust the target coverage.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3136      +/-   ##
==========================================
- Coverage   75.97%   74.50%   -1.46%     
==========================================
  Files         566      566              
  Lines       64236    64287      +51     
==========================================
- Hits        48797    47891     -906     
- Misses      11770    12782    +1012     
+ Partials     3669     3614      -55     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.