
Parent query filters not checked when resolving variant queries #2379

@syrull


Bug Description

When a parent query has both filters: and variants:, the parent's filters are not evaluated during variant resolution. Only the variant's own filters are checked, which means the parent's filter conditions are effectively ignored.

Root Cause

In policy/resolved_policy_builder.go, the addQuery function handles variant queries at line ~903. When len(query.Variants) != 0, it iterates through variants and recursively calls addQuery() on each. However, it never checks b.anyFilterMatches(query.Filters) for the parent query first.

Compare with the non-variant code path (line ~937) which correctly calls b.anyFilterMatches(query.Filters) before proceeding.

Impact

Any parent query with a filter + variants will have its filter ignored. The variant runs based solely on its own filter, potentially executing on assets where the parent filter would have excluded it.

Example

```yaml
# Parent query - filter should prevent execution when GDM not installed
- uid: parent-query
  filters: package("gdm").installed || package("gdm3").installed
  variants:
    - uid: variant-static
    - uid: variant-live

# Variant - only checks capability, not GDM installation
- uid: variant-live
  filters: mondoo.capabilities.contains("run-command") == true
  mql: |
    # This runs even when GDM is not installed
```

Suggested Fix

Add parent filter check before iterating variants:

```go
if len(query.Variants) != 0 {
    // Check parent filters first
    if !b.anyFilterMatches(query.Filters) {
        return "", false
    }
    // ... existing variant iteration
}
```

Workaround

Duplicate the parent's filter in each variant's filters: block.
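The resolution logic described in this issue, reduced to a runnable model (added here as an illustration; this is not cnspec's code, and `Query`, `resolve`, the fact names such as `gdm-installed` and the `local-fs` filter on `variant-static` are constructed stand-ins). `checkParent=false` reproduces the reported behaviour, `checkParent=true` the suggested fix:

```go
package main

import "fmt"

// Query is a minimal stand-in for a policy query (hypothetical type, not cnspec's).
type Query struct {
	UID      string
	Filters  []string // asset facts; at least one must hold for the query to apply
	Variants []string // UIDs of variant queries, resolved recursively
}

// anyFilterMatches mirrors the check named in the issue: a query with no filters
// always applies; otherwise at least one of its filters must hold on the asset.
func anyFilterMatches(asset map[string]bool, filters []string) bool {
	for _, f := range filters {
		if asset[f] {
			return true
		}
	}
	return len(filters) == 0
}

// resolve returns the UIDs of leaf queries that would run on the asset. checkParent=false
// reproduces the bug (a query with variants skips its own filters); true applies the fix.
func resolve(byUID map[string]Query, uid string, asset map[string]bool, checkParent bool) []string {
	q := byUID[uid]
	if (checkParent || len(q.Variants) == 0) && !anyFilterMatches(asset, q.Filters) {
		return nil // filter excludes this asset: neither the query nor its variants run
	}
	if len(q.Variants) == 0 {
		return []string{q.UID}
	}
	var out []string
	for _, v := range q.Variants {
		out = append(out, resolve(byUID, v, asset, checkParent)...)
	}
	return out
}
// Queries from the issue; variant-static's "local-fs" filter is a constructed placeholder.
var queries = map[string]Query{
	"parent-query":   {UID: "parent-query", Filters: []string{"gdm-installed"}, Variants: []string{"variant-static", "variant-live"}},
	"variant-static": {UID: "variant-static", Filters: []string{"local-fs"}},
	"variant-live":   {UID: "variant-live", Filters: []string{"run-command"}},
}

func main() {
	noGDM := map[string]bool{"run-command": true} // constructed: GDM absent, run-command present
	fmt.Println("buggy:", resolve(queries, "parent-query", noGDM, false)) // [variant-live]
	fmt.Println("fixed:", resolve(queries, "parent-query", noGDM, true))  // []
}
```

On an asset without GDM, the buggy path still selects `variant-live` because only the variant's own filter is consulted; with the parent filter checked first, nothing runs.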
