Restrict wildcard allowlist matching to anonymous callers

[winhowes]

Motivation

• The allowlist lookup previously applied the wildcard (*) entry as a global fallback after checking caller-specific rules, which allowed identified callers to match permissive wildcard rules and bypass per-caller restrictions.

Description

• Limit wildcard evaluation in findConstraint so wildcard rules are only considered when the request is anonymous (i.e., callerID == "*" or callerID == "").
• Preserve existing capability expansion behavior by still expanding capabilities for the wildcard when it is permitted to apply.
• Update existing tests in app/allowlist_test.go to reflect the intended semantics and add an assertion to prevent wildcard fallback for identified callers.
• The change is intentionally minimal and keeps the overall lookup logic and APIs unchanged except for the wildcard condition.

Testing

• Ran go test ./app -run 'TestFindConstraint(Wildcard|ExpandsCallerAndWildcardCapabilities|ExpandsCapabilitiesOnLookup)$' -count=1 and it passed.
• Ran go test ./app -run 'TestAllowlist|TestConstraintFailureReasonHeader' -count=1 and it passed.
• Ran the full suite go test ./app which still fails in this environment due to a pre-existing unrelated test failure TestIntegrationPluginTransport (base transport mutated), so the failure is not caused by these changes.

---

Codex Task

[winhowes]

@codex review

[chatgpt-codex-connector]

Codex Review: Didn't find any major issues. Bravo.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".