feat: fix enforce_ex() API returning empty explanations for allow rules in deny models

[Copilot]

enforce_ex returns empty explanation arrays for allow decisions when using models with explicit deny rules (e.g., rbac_with_deny_model).

import casbin
e = casbin.Enforcer("examples/rbac_with_deny_model.conf", "examples/rbac_with_deny_policy.csv")
e.enforce_ex("alice", "data2", "read")
# Before: (True, [])
# After:  (True, ['data2_admin', 'data2', 'read', 'allow'])

Changes

• core_enforcer.py: Update explain_index for every matching policy, not just when intermediate effect triggers early break. AllowAndDenyEffector.intermediate_effect() returns INDETERMINATE for allow-only cases (must scan all policies for deny), preventing explain_index from being set.

• test_enforcer.py: Add test_enforce_ex_rbac_with_deny to verify explanations are returned for both allow and deny cases.

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Not explaining with deny</issue_title>
<issue_description>```python

import casbin
e = casbin.Enforcer("examples/rbac_with_deny_model.conf", "examples/rbac_with_deny_policy.csv")
e.enforce_ex("alice", "data2", "read")
(True, [])

It should not be `[]`, should have data.</issue_description>

## Comments on the Issue (you are @copilot in this section)

<comments>
</comments>

• Fixes Not explaining with deny #411

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}