Runner Controller scoping - Internal API for Job Router admission control

Overview

Update the internal Job Router API to consider Runner Controller scopings when determining which admission controllers apply to a job.

Context

The Job Router internal API at ee/lib/ee/api/internal/ci/job_router.rb#L70 needs to be updated to:

1. Query applicable Runner Controllers based on scopings
2. Return the list of controllers that must pass for job admission

Runner Controller Behavior

Runner Controllers function like a "service":

• Can have any and multiple types of scope (cell, group, project, runner)
• Created without scope has no effect
• Has an enabled state
• Scopes always apply "downward"
• "Cell" scope should be explicit
• Scopes on a "disabled" controller do not have effect

Behavior Model

When a job is dequeued for execution on a runner:

1. Query all applicable admission controllers from scoping tables:
   • Instance-level controllers (always included)
   • Runner-specific controllers (if runner has scoped controllers)
2. Return controller list to the Job Router with the job response
3. All returned controllers MUST pass before job execution

Acceptance Criteria

• Internal API queries instance scopings
• Internal API queries runner scopings
• Only enabled controllers are returned
• Performance-optimized queries with proper indexes
• Integration tests with Job Router