Shared Kafka-ACL authorization evaluator (broker + gateway).
Holds the [Authorizer] trait + ACL evaluator ([SimpleAclAuthorizer] /
[AllowAllAuthorizer]) plus an [AclSource] abstraction so one evaluator
serves both the broker (a MetadataImage snapshot) and the gateway (an
[AclCache] over a Vec<AclEntry> fetched via DescribeAcls). The decision
logic (super-user bypass, deny-wins, operation implication) lives here once
so the two callers can never drift.