fix!(policy/checker): make List and-like (#1217)

* fix!(policy/checker): make List and-like

This has the potential to break user configs.

Anubis lets you stack multiple checks at once with blocks like this:

```yaml
name: allow-prometheus
action: ALLOW
user_agent_regex: ^prometheus-probe$
remote_addresses:
  - 192.168.2.0/24
```

Previously, this only returned ALLOW if _any one_ of the conditions
matched. This behaviour has changed to only return ALLOW if _all_ of the
conditions match.

I have marked this as a potentially breaking change because I'm
absolutely certain that someone is relying on this behaviour due to
spacebar heating. If this bites you, please let me know ASAP.

Signed-off-by: Xe Iaso <me@xeiaso.net>
Assisted-by: GPT-OSS 120b on local hardware

* fix(policy/checker): more explicit short-circuit

Signed-off-by: Xe Iaso <me@xeiaso.net>

---------

Signed-off-by: Xe Iaso <me@xeiaso.net>

lib/policy/checker/checker.go

@@ -16,18 +16,24 @@ type Impl interface {
 
 type List []Impl
 
+// Check runs each checker in the list against the request.
+// It returns true only if *all* checkers return true (AND semantics).
+// If any checker returns an error, the function returns false and the error.
 func (l List) Check(r *http.Request) (bool, error) {
 	for _, c := range l {
 		ok, err := c.Check(r)
 		if err != nil {
-			return ok, err
+			// Propagate the error; overall result is false.
+			return false, err
 		}
-		if ok {
-			return ok, nil
+		if !ok {
+			// One false means the combined result is false. Short-circuit
+			// so we don't waste time.
+			return false, err
 		}
 	}
-
-	return false, nil
+	// Assume success until a checker says otherwise.
+	return true, nil
 }
 
 func (l List) Hash() string {