Evaluate RLS joins with the owner identity

[egormanga]

Description of Changes

Fix for a bigger issue brought up in https://github.com/clockworklabs/SpacetimeDB/issues/2830#issuecomment-2942621359.

Additionally, this seems to allow for some extra query optimizations (see tests).

API and ABI breaking changes

None.

Expected complexity level and risk

2:

While the fix seems pretty straightforward, it somehow affected query optimization logic so it might go a bit deeper than that.

Testing

• [x] A simple setup:

  #[table(name=test, public)]
  pub struct Test {
  	owner_id: Identity,
  }
  
  #[client_visibility_filter]
  const TEST_FILTER: Filter = Filter::Sql("SELECT test.* FROM test JOIN access WHERE access.owner_id == :sender AND access.allowed = true");
  
  #[table(name=access, public)]
  pub struct Access {
  	owner_id: Identity,
  	allowed: bool,
  }
  
  #[client_visibility_filter]
  const ACCESS_FILTER: Filter = Filter::Sql("SELECT * FROM access WHERE false");
  
  #[reducer]
  pub fn test_add(ctx: &ReducerContext) {
  	ctx.db.test().insert(Test {
  		owner_id: ctx.sender,
  	});
  }
  

  1. call test_add
  2. add an Access
  3. sql SELECT * FROM test; Result: [] → [0xIDENTITY]
• [x] A personal project where the issue arose
• [x] Added a test
• [ ] Understand why the existing test result changed

[CLAassistant]

All committers have signed the CLA.

[egormanga]

#3525 broke it by removing the .owner identity field from AuthCtx and I don't have an idea on how to reimplement this over it.

@kim I'd love to hear your opinion on this!