perf(query): org permission function for resources (#9677)

# Which Problems Are Solved

Classic permission checks execute for every returned row on resource
based search APIs. Complete background and problem definition can be
found here: https://github.com/zitadel/zitadel/issues/9188

# How the Problems Are Solved

- PermissionClause function now support dynamic query building, so it
supports multiple cases.
- PermissionClause is applied to all list resources which support org
level permissions.
- Wrap permission logic into wrapper functions so we keep the business
logic clean.

# Additional Changes

- Handle org ID optimization in the query package, so it is reusable for
all resources, instead of extracting the filter in the API.
- Cleanup and test system user conversion in the authz package. (context
middleware)
- Fix: `core_integration_db_up` make recipe was missing the postgres
service.

# Additional Context

- Related to https://github.com/zitadel/zitadel/issues/9190

internal/database/type.go

@@ -225,3 +225,37 @@ func (d *NullDuration) Scan(src any) error {
 	d.Duration, d.Valid = time.Duration(*duration), true
 	return nil
 }
+
+// JSONArray allows sending and receiving JSON arrays to and from the database.
+// It implements the [database/sql.Scanner] and [database/sql/driver.Valuer] interfaces.
+// Values are marshaled and unmarshaled using the [encoding/json] package.
+type JSONArray[T any] []T
+
+// NewJSONArray wraps an existing slice into a JSONArray.
+func NewJSONArray[T any](a []T) JSONArray[T] {
+	return JSONArray[T](a)
+}
+
+// Scan implements the [database/sql.Scanner] interface.
+func (a *JSONArray[T]) Scan(src any) error {
+	if src == nil {
+		*a = nil
+		return nil
+	}
+
+	bytes := src.([]byte)
+	if len(bytes) == 0 {
+		*a = nil
+		return nil
+	}
+
+	return json.Unmarshal(bytes, a)
+}
+
+// Value implements the [database/sql/driver.Valuer] interface.
+func (a JSONArray[T]) Value() (driver.Value, error) {
+	if a == nil {
+		return nil, nil
+	}
+	return json.Marshal(a)
+}