Commit 84a68d0
feat(authorization): rewrite query_registrations with legacy filtering
Replace the ~1900-line RBAC role-aware queryset registry with a compact
membership-driven set. The Django ORM lookup helper register_auth_filter()
keeps every entry-point name (e.g. "product.get_authorized_products",
"engagement.get_authorized_engagements", "finding.get_authorized_findings")
so per-app queries.py files and the API filter classes that resolve them
via get_auth_filter() keep working unchanged.
Filtering semantics under legacy:
* Superuser sees every row.
* Staff sees every row for non-View actions; for View, staff filters
same as a regular user.
* Regular users see only rows whose underlying Product / Product_Type
they are members of (via authorized_users), with the standard
Product_Type → Product → Engagement → Test → Finding hierarchy
inheriting authorization from the parent Product.
* RBAC carrier rows (Product_Member, Product_Type_Group, Global_Role,
Dojo_Group, Dojo_Group_Member) are visible only to staff/superuser
under legacy; the underlying tables are dormant data tables.
The dojo-pro plugin re-registers richer Pro implementations of these
filters at startup (via apps.ready()) that consult the RBAC tables and
honor role granularity.
File shrank from 1878 lines to ~620 — the legacy logic is much shorter
because there is no role hierarchy to traverse.
Verified: admin sees all products via the rewritten filter against
bare_bones fixtures.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
1 parent: b8bcc6f
1 file changed
Lines changed: 401 additions & 1615 deletions
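The legacy filtering semantics described in the commit message, as an added runnable model (not DefectDojo's own code): the entry-point names come from the message, while the dict-backed registry, the dataclass models and the user-name sets standing in for the `authorized_users` relation are assumptions.

```python
"""Legacy authorization filter registry modelled on the commit message above.
Added illustration, not DefectDojo's code: the entry-point names are the
message's; the models, in-memory rows and user-name sets in authorized_users
are assumptions standing in for the Django ORM."""
from dataclasses import dataclass, make_dataclass
from typing import Callable

_FILTERS: dict[str, Callable] = {}

def register_auth_filter(name: str):
    """Decorator keyed by entry-point name; re-registering overrides (plugin)."""
    def wrap(func):
        _FILTERS[name] = func
        return func
    return wrap

def get_auth_filter(name: str) -> Callable:
    return _FILTERS[name]

@dataclass(frozen=True)
class User:
    name: str
    is_superuser: bool = False
    is_staff: bool = False

# Hierarchy: Product_Type -> Product -> Engagement -> Test -> Finding
Product_Type = make_dataclass("Product_Type", [("authorized_users", set)])
Product = make_dataclass("Product", [("product_type", Product_Type), ("authorized_users", set)])
Engagement = make_dataclass("Engagement", [("product", Product)])
Test = make_dataclass("Test", [("engagement", Engagement)])
Finding = make_dataclass("Finding", [("test", Test)])

def _owning_product(row):
    """Walk Finding -> Test -> Engagement -> Product; a Product owns itself."""
    for link in ("test", "engagement", "product"):
        if hasattr(row, link):
            row = getattr(row, link)
    return row

def _legacy_allows(user, action, row):
    """Superuser: all rows. Staff: all rows except for View. Others: membership."""
    if user.is_superuser or (user.is_staff and action != "View"):
        return True
    product = _owning_product(row)
    return (user.name in product.authorized_users
            or user.name in product.product_type.authorized_users)

@register_auth_filter("finding.get_authorized_findings")
def get_authorized_findings(user, action, rows):
    return [r for r in rows if _legacy_allows(user, action, r)]
```

Because `_legacy_allows` resolves any row to its owning Product, the same helper serves the product, engagement and test entry points; a plugin overriding an entry re-registers the same name at startup.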