fix(robot): system robots with wildcard permissions can create project robots

[Quantum-Sicarius]

I'm submitting this fix for issue #21406 where system robots with wildcard project permissions (/project/*/robot) couldn't create project-level robots.

Being new to Harbor development, I want to be transparent about the scope of this change and request thorough review from experienced maintainers.

Main change in src/common/security/robot/context.go:117:

// Added missing filterRobotPolicies parameter for system robots
evaluators = evaluators.Add(rbac_project.NewEvaluator(s.ctl, rbac_project.NewBuilderForPolicies(s.GetUsername(), proPolicies, filterRobotPolicies)))

Root cause: System robots were missing consistent RBAC policy filtering - project-level robots had filterRobotPolicies but system robots didn't, creating permission inconsistencies.

Additional changes:

• Enhanced robot.go with hasWildcardRobotPermission() method for wildcard validation
• Updated requireAccess() to handle system robot wildcard permissions
• Improved CreateRobot() permission validation logic

Testing completed:

• All existing unit tests pass
• Integration tests with PostgreSQL/Redis connectivity pass
• No regressions in test suite
• Validated specific use case from issue Error when creating project Robot Accounts using System Robot Accounts #21406

Areas needing review:

• RBAC changes for unintended permission side effects
• Security implications of the filterRobotPolicies addition
• Validation that wildcard permission logic is sound
• Harbor-specific patterns I may have missed

This is a focused fix addressing the specific permission gap, but given the RBAC implications I'd appreciate careful review.

Fixes #21406

[codecov]

Codecov Report

❌ Patch coverage is 34.37500% with 21 lines in your changes missing coverage. Please review.
✅ Project coverage is 65.88%. Comparing base (c8c11b4) to head (f705aac).
⚠️ Report is 568 commits behind head on main.

Files with missing lines	Patch %	Lines
src/server/v2.0/handler/robot.go	27.58%	21 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff             @@
##             main   #22352       +/-   ##
===========================================
+ Coverage   45.36%   65.88%   +20.51%     
===========================================
  Files         244     1072      +828     
  Lines       13333   115962   +102629     
  Branches     2719     2927      +208     
===========================================
+ Hits         6049    76397    +70348     
- Misses       6983    35331    +28348     
- Partials      301     4234     +3933     

Flag	Coverage Δ
unittests	65.88% <34.37%> (+20.51%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
src/common/security/robot/context.go	93.15% <100.00%> (ø)
src/server/v2.0/handler/robot.go	14.17% <27.58%> (ø)

... and 984 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[Quantum-Sicarius]

I've pushed two additional commits:

Commit 952ea2a - Formatting

• Applied gofmt to Go files
• Applied black to Python files
• May have changed Python formatting from project standards - let me know if this should be reverted

Commit 671c112 - Tests

• Added TestHasWildcardRobotPermission unit test with 9 cases covering the new helper function
• Updated integration test test_03_SystemRobotCreatesProjectRobot to include required repository:pull permission

The 163 line increase is mostly test code (155 lines). The original implementation remains unchanged.

[bupd]

Overall LGTM,

Tested, it works I can now create Project Robot Accounts with system robot account

I would suggest to remove the additional formatting in test_robot_account.py