feat(projects): support contributor registry for default project role rules

[EronWright]

Summary

• Adds GetAll() to the PredicateBasedRegistry interface (and listBasedRegistry implementation) in pkg/component, enabling "apply all matching" semantics in addition to the existing "find first" semantics.
• Introduces a RoleRulesContributorRegistration registry in pkg/controller/management/projects that allows callers to inject additional PolicyRules into the default project roles (kargo-admin, kargo-viewer, kargo-promoter) at startup time.
• The ensureDefaultUserRoles function applies all registered contributors when creating default roles for a new project.

Companion EE PR: akuityio/kargo-enterprise#460

Test plan

• Unit tests for GetAll() in pkg/component/list_based_registry_test.go
• Unit tests for contributor mechanism in pkg/controller/management/projects/projects_test.go

[netlify]

✅ Deploy Preview for docs-kargo-io ready!

Name	Link
🔨 Latest commit	fe40d89
🔍 Latest deploy log	https://app.netlify.com/projects/docs-kargo-io/deploys/69ceb7f18b89ec000839a8af
😎 Deploy Preview	https://deploy-preview-6034.docs.kargo.io
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[codecov]

Codecov Report

❌ Patch coverage is 91.30435% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 57.07%. Comparing base (8fdd7f4) to head (fe40d89).
⚠️ Report is 55 commits behind head on main.

Files with missing lines	Patch %	Lines
...ller/management/projects/role_rules_contributor.go	0.00%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #6034      +/-   ##
==========================================
+ Coverage   57.03%   57.07%   +0.03%     
==========================================
  Files         463      464       +1     
  Lines       39112    39135      +23     
==========================================
+ Hits        22309    22335      +26     
+ Misses      15474    15472       -2     
+ Partials     1329     1328       -1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[fuskovic]

I think GetMatches is a more suitable name than GetAll but not a hill I wanna die on.

[krancour]

@EronWright can this replace ensureExtendedPermissions()?

[EronWright]

Yes — confirmed effective, and I'd like to handle it in a follow-up PR to keep the blast radius small here.

The follow-up would introduce two additional registries modeled on the same PredicateBasedRegistry + GetAll() pattern, with *kargoapi.Project as the predicate arg (so a contributor can opt out for certain projects if needed):

ProjectSetupContributorRegistration  // called during reconciliation
ProjectCleanupContributorRegistration // called on deletion

ensureExtendedPermissions moves to the EE as a ProjectSetupContributorRegistration, and the Argo CD CRB deletion becomes a ProjectCleanupContributorRegistration. All the EE-specific fields currently in ReconcilerConfig go away from OSS.

One ordering note worth capturing: setup contributors run after the OSS base resources are created (OSS → EE), while cleanup contributors run before the OSS base resources are deleted (EE → OSS), so that EE resources referencing OSS ClusterRoles are removed first. That symmetry wasn't present in the original cleanupProject (which used a map, giving non-deterministic order).

[hairyhum]

If that's a new registry, why use list with predicates and function with lookup by name instead of map registry?
Am I missing something?

[EronWright]

The main thing is that there's numerous registered contributors for a given key, and you want all of the contributors.