feat: Implement file transfer filtering infrastructure

Add a complete filtering infrastructure for SFTP and SCP file transfer operations:

- TransferFilter trait with check() and check_with_dest() methods
- Operation enum: Upload, Download, Delete, Rename, CreateDir, ListDir, Stat, SetStat, Symlink, ReadLink
- FilterResult: Allow, Deny, Log actions
- FilterPolicy engine with first-match-wins rule evaluation
- Matcher trait for extensible path matching

Built-in matchers:
- GlobMatcher: wildcard patterns (*.key, *.pem)
- RegexMatcher: full regex support
- PrefixMatcher: directory tree matching (/etc/*)
- ExactMatcher: specific file matching
- ComponentMatcher: match path components (.git, .ssh)
- ExtensionMatcher: file extension matching
- CombinedMatcher: OR-combine multiple matchers
- NotMatcher: invert matcher results

Configuration:
- Extended FilterConfig with default_action, rule names, operations, and users
- FilterRule supports per-user and per-operation restrictions
- YAML configuration via existing config loader

Closes #138

Author: inureyes

src/server/config/types.rs

@@ -275,6 +275,12 @@ pub struct FilterConfig {
     #[serde(default)]
     pub enabled: bool,
 
+    /// Default action when no rules match.
+    ///
+    /// Default: allow
+    #[serde(default)]
+    pub default_action: Option<FilterAction>,
+
     /// Filter rules to apply.
     ///
     /// Rules are evaluated in order. First matching rule determines action.
@@ -285,25 +291,47 @@ pub struct FilterConfig {
 /// A single file transfer filter rule.
 #[derive(Debug, Clone, Deserialize, Serialize)]
 pub struct FilterRule {
+    /// Rule name (for logging and debugging).
+    ///
+    /// Example: "block-keys"
+    #[serde(default)]
+    pub name: Option<String>,
+
     /// Glob pattern to match against file paths.
     ///
     /// Example: "*.exe" matches all executable files
+    #[serde(default)]
     pub pattern: Option<String>,
 
     /// Path prefix to match.
     ///
     /// Example: "/tmp/" matches all files in /tmp
+    #[serde(default)]
     pub path_prefix: Option<String>,
 
     /// Action to take when rule matches.
     pub action: FilterAction,
+
+    /// Operations this rule applies to.
+    ///
+    /// If not specified, the rule applies to all operations.
+    /// Valid values: upload, download, delete, rename, createdir, listdir
+    #[serde(default)]
+    pub operations: Option<Vec<String>>,
+
+    /// Users this rule applies to.
+    ///
+    /// If not specified, the rule applies to all users.
+    #[serde(default)]
+    pub users: Option<Vec<String>>,
 }
 
 /// Action to take when a filter rule matches.
-#[derive(Debug, Clone, Deserialize, Serialize)]
+#[derive(Debug, Clone, Deserialize, Serialize, Default)]
 #[serde(rename_all = "lowercase")]
 pub enum FilterAction {
     /// Allow the file transfer.
+    #[default]
     Allow,
 
     /// Deny the file transfer.