fix(frontend): harden SHOW object visibility #25587

Closed

tabVersion wants to merge 1 commit into risingwavelabs:main from tabVersion:show-vis-hardening-ci-ref-reset-fork

Conversation

@tabVersion (Contributor)

I hereby agree to the terms of the RisingWave Labs, Inc. Contributor License Agreement.

Replacement PR for #25571 / #25584 / #25585 / #25586. The same-repository replacement branches did not get a usable GitHub synthetic refs/pull/<PR>/head ref, so Buildkite failed during checkout before tests ran. This PR uses the same intended SHOW visibility fix from a fork branch to force GitHub to generate a fresh PR head ref for Buildkite.

What's changed and what's your intention?

This PR hardens user-visible SHOW metadata surfaces so a user with schema visibility alone cannot enumerate object names or secret references that they do not have object-level privilege for.

Changes:

  • Switch clear SHOW object-list handlers to ACL-aware schema iterators:
    • SHOW TABLES
    • SHOW INTERNAL TABLES
    • SHOW VIEWS
    • SHOW MATERIALIZED VIEWS
    • SHOW SOURCES
    • SHOW SINKS
    • SHOW SUBSCRIPTIONS
    • SHOW SECRETS
    • SHOW CONNECTIONS
    • SHOW FUNCTIONS
  • Make SHOW COLUMNS FROM <table/source> and SHOW INDEXES FROM <table> use the normal batch binder path instead of the system binder path, avoiding known-name metadata probing for hidden relations.
  • Add explicit object-visibility checks for SHOW COLUMNS FROM <sink/view> while preserving system-view column introspection.
  • Redact referenced secret names from visible connection output when the current user can see the connection but cannot see the referenced secret. In that case the output renders SECRET <redacted> instead of SECRET schema.secret_name.
  • Apply the same connection secret-ref redaction to rw_catalog.rw_connections.
  • Add targeted SQLLogicTest coverage for hidden object-list results, known-name probing, connection secret-ref redaction, and source/sink/connection SHOW visibility in their corresponding docker-backed e2e suites.

Current limitation / follow-up:

  • During audit, rw_catalog.rw_sources was identified as a separate system-catalog surface that can still need visibility/secret-reference hardening. Iceberg-related catalog views should also be triaged in a follow-up pass.

Checklist

  • I have written necessary rustdoc comments.
  • I have added necessary unit tests and integration tests.
  • I have added test labels as necessary.
  • I have added fuzzing tests or opened an issue to track them.
  • My PR contains breaking changes.
  • My PR changes performance-critical code, so I will run (micro) benchmarks and present the results.
  • I have checked the Release Timeline and Currently Supported Versions to determine which release branches I need to cherry-pick this PR into.

Documentation

  • My PR needs documentation updates.

Release note

RisingWave now avoids exposing unauthorized object names through SHOW object-list commands and known-name SHOW COLUMNS / SHOW INDEXES probes. Visible connection metadata also redacts referenced secret names when the user cannot independently see the secret.

Local verification

Passed:

  • git diff --check -- e2e_test/ddl/show_object_privilege.slt e2e_test/source_inline/connection/schema_registry.slt e2e_test/source_inline/kafka/secret_dep.slt e2e_test/sink/blackhole_sink.slt
  • cargo fmt --all -- --check
  • cargo check -p risingwave_frontend

Attempted but blocked locally:

  • ./risedev psql -c "select 1" failed because no RisingWave server was running on 127.0.0.1:4566, so local SLT was not run.

Make SHOW object lists and known-name metadata probes honor object visibility, and redact hidden secret refs in connection output.

Move connector-backed SHOW visibility coverage into source/sink/connection e2e suites so the DDL metadata-only test does not depend on external schema registry validation or madsim secret materialization.

Constraint: User requested the approved SHOW object visibility hardening plan.

Confidence: high

Scope-risk: narrow

Directive: Avoid leaking unauthorized object and secret names through SHOW commands.

Tested: git diff --check -- e2e_test/ddl/show_object_privilege.slt e2e_test/source_inline/connection/schema_registry.slt e2e_test/source_inline/kafka/secret_dep.slt e2e_test/sink/blackhole_sink.slt

Tested: cargo fmt --all -- --check

Tested: cargo check -p risingwave_frontend

Not-tested: local SLT because no RisingWave server is running on 127.0.0.1:4566.

Co-authored-by: OmX <omx@oh-my-codex.dev>
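A small Rust model of the hardening this PR describes, added here as an illustration and not taken from RisingWave's frontend: the `Object`, `Acl`, `show`, `describe` and `render_secret_ref` names, and the sample users and objects, are assumptions. It shows the three behaviours the description lists: an ACL-aware iterator that omits hidden objects, a known-name probe that answers the same way for hidden and missing relations, and `SECRET <redacted>` in place of a secret the user cannot see.

```rust
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum Kind { Table, Source, Secret, Connection }
/// Minimal catalog entry (hypothetical shape): kind, schema, name, owner.
pub struct Object { pub kind: Kind, pub schema: &'static str, pub name: &'static str, pub owner: &'static str }

/// Grants as (grantee, schema, object name); an owner always sees their own objects.
pub struct Acl(pub Vec<(&'static str, &'static str, &'static str)>);

impl Acl {
    pub fn can_see(&self, user: &str, obj: &Object) -> bool {
        obj.owner == user
            || self.0.iter().any(|(u, s, n)| *u == user && *s == obj.schema && *n == obj.name)
    }
}

/// Stand-in for an ACL-aware schema iterator behind SHOW <kind>: objects the user
/// cannot see are simply absent, so schema visibility alone enumerates nothing extra.
pub fn show(user: &str, kind: Kind, schema: &str, catalog: &[Object], acl: &Acl) -> Vec<String> {
    catalog.iter()
        .filter(|o| o.kind == kind && o.schema == schema && acl.can_see(user, o))
        .map(|o| o.name.to_string())
        .collect()
}

/// Known-name probe such as SHOW COLUMNS FROM <name>: a hidden relation must yield the
/// same error as a missing one, so the probe cannot confirm that the name exists.
pub fn describe(user: &str, schema: &str, name: &str, catalog: &[Object], acl: &Acl) -> Result<&'static str, String> {
    catalog.iter()
        .find(|o| o.schema == schema && o.name == name && acl.can_see(user, o))
        .map(|o| o.name)
        .ok_or_else(|| format!("relation \"{schema}.{name}\" does not exist"))
}

/// Secret reference in connection output: `SECRET schema.name` when the user can see
/// the secret, `SECRET <redacted>` otherwise (the rendering the PR describes).
pub fn render_secret_ref(user: &str, secret: &Object, acl: &Acl) -> String {
    if acl.can_see(user, secret) { format!("SECRET {}.{}", secret.schema, secret.name) }
    else { "SECRET <redacted>".to_string() }
}

/// Constructed sample: alice owns everything; bob is granted the table and connection only.
pub fn sample_catalog() -> (Vec<Object>, Acl) {
    let cat = vec![
        Object { kind: Kind::Table, schema: "public", name: "orders", owner: "alice" },
        Object { kind: Kind::Table, schema: "public", name: "payroll", owner: "alice" },
        Object { kind: Kind::Secret, schema: "public", name: "kafka_pw", owner: "alice" },
        Object { kind: Kind::Connection, schema: "public", name: "kafka_conn", owner: "alice" },
    ];
    (cat, Acl(vec![("bob", "public", "orders"), ("bob", "public", "kafka_conn")]))
}
```

With this model, bob's SHOW TABLES lists only `orders`, his SHOW SECRETS is empty, a probe for `payroll` returns the same "does not exist" error a nonexistent name would, and the connection he can see renders its secret as `SECRET <redacted>`.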
@tabVersion (Contributor, Author)

Closing this fork-based probe PR in favor of #25585. Even from the tabVersion/risingwave fork branch, GitHub generated refs/pull/25587/merge but not refs/pull/25587/head, so Buildkite failed before tests at checkout. Keeping #25585 as the active tracking PR for the SHOW visibility fix and ref-generation issue.
