Improve: Make deny_filter robust and add regression test

- Change deny_filter from [id: {:in, []}] to expr(false)
- Add regression test to ensure deny-filter matches 0 records

lib/mv/authorization/checks/has_permission.ex

@@ -179,10 +179,11 @@ defmodule Mv.Authorization.Checks.HasPermission do
 
   # Helper function to return a filter that never matches (deny all records)
   # Used when authorization should be denied (fail-closed)
-  # Returns [id: {:in, []}] which means "id IN []" - never matches (correct deny-all)
-  # NOTE: [id: {:not, {:in, []}}] would be "NOT (id IN [])" = true for all IDs (allow-all) - WRONG!
+  #
+  # Using `expr(false)` avoids depending on the primary key being named `:id`.
+  # This is more robust than [id: {:in, []}] which assumes the primary key is `:id`.
   defp deny_filter do
-    [id: {:in, []}]
+    expr(false)
   end
 
   # Helper to extract action type from authorizer