feat(permissions): project member permission filter (#9757)

# Which Problems Are Solved

Add the possibility to filter project resources based on project member
roles.

# How the Problems Are Solved

Extend and refactor existing Pl/PgSQL functions to implement the
following:

- Solve O(n) complexity in returned resources IDs by returning a boolean
filter for instance level permissions.
- Individually permitted orgs are returned only if there was no instance
permission
- Individually permitted projects are returned only if there was no
instance permission
- Because of the multiple filter terms, use `INNER JOIN`s instead of
`WHERE` clauses.

# Additional Changes

- system permission function no longer query the organization view and
therefore can be `immutable`, giving big performance benefits for
frequently reused system users. (like our hosted login in Zitadel cloud)
- The permitted org and project functions are now defined as `stable`
because the don't modify on-disk data. This might give a small
performance gain
- The Pl/PgSQL functions are now tested using Go unit tests.

# Additional Context

- Depends on https://github.com/zitadel/zitadel/pull/9677
- Part of https://github.com/zitadel/zitadel/issues/9188
- Closes https://github.com/zitadel/zitadel/issues/9190

internal/query/query.go

@@ -149,15 +149,15 @@ func triggerBatch(ctx context.Context, handlers ...*handler.Handler) {
 	wg.Wait()
 }
 
-func findTextEqualsQuery(column Column, queries []SearchQuery) string {
+func findTextEqualsQuery(column Column, queries []SearchQuery) (text string, ok bool) {
 	for _, query := range queries {
 		if query.Col() != column {
 			continue
 		}
 		tq, ok := query.(*textQuery)
 		if ok && tq.Compare == TextEquals {
-			return tq.Text
+			return tq.Text, true
 		}
 	}
-	return ""
+	return "", false
 }