feat: fix escapeAssertion to preserve string literals

[Copilot]

escapeAssertion was blindly replacing r. and p. patterns everywhere, including inside string literals. This broke policy rules containing strings like "r.my_resource", which became "r_my_resource".

// Before: fails because "r.my_resource" → "r_my_resource"
enforcer.addPolicy("alice", "r.my_resource", `p.obj == "r.my_resource"`);
await enforcer.enforce("alice", "r.my_resource"); // false ❌

// After: works correctly
await enforcer.enforce("alice", "r.my_resource"); // true ✅

Changes

src/util/util.ts

• Replaced escapeAssertion implementation with Go Casbin's exact implementation
• Uses regex /([()\s|&,=!><+\-*/]|^)((r|p)[0-9]*)\./g which naturally avoids string literals
• Quotes (" and ') are not in the character class, so patterns inside strings are never matched
• Preserved existing behavior for nested properties: r.obj.owner.id → r_obj.owner.id

Tests

• Replaced test cases with Go Casbin's exact test suite from util_test.go
• Includes all 20 test cases covering string literals, various operators, and edge cases
• Added integration test reproducing the reported issue

Fixes #473

Original prompt

---

This section details on the original issue you should resolve

<issue_title>escapeAssertion does not respect string literals</issue_title>
<issue_description>Currently escapeAssertion does a rather brutal regex replace operation to convert r.*/p.* into r_*/p_* respectively. However it does not consider the case where the expression could contain a string literal. So if you have a rule that have some sort of string literal like p.obj == "r.something" it will fail in a very subtle manner.

const { newEnforcer, newModel } = require("casbin");

const MY_RESOURCE_NAME = "r.my_resource"; // change this to e.g. "a.my_resource" and it will work

(async function () {
  const model = newModel();
  model.addDef("r", "r", "act, obj");
  model.addDef("p", "p", "act, obj, rule");
  model.addDef("e", "e", "some(where (p.eft == allow))");
  model.addDef("m", "m", "r.act == p.act && r.obj == p.obj && eval(p.rule)");

  const enforcer = await newEnforcer(model);
  enforcer.addPolicy(
    "alice",
    MY_RESOURCE_NAME,
    `p.obj == "${MY_RESOURCE_NAME}"`
  );

  // does not work because internally it becomes `p_obj == "r_my_resource"`
  console.log(await enforcer.enforce("alice", MY_RESOURCE_NAME));
})();
```</issue_description>

## Comments on the Issue (you are @copilot in this section)

<comments>
<comment_new><author>@hsluoyz</author><body>
@kevinresol can you see that if Go Casbin has already fixed this?</body></comment_new>
</comments>

• Fixes escapeAssertion does not respect string literals #473

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[nomeguy]

@copilot

• for escapeAssertion function, refer to Go Casbin's implementation exactly
• for the new test cases, also use Go Casbin's implementation exactly
• don't modify yarn.lock

[Copilot]

@copilot

• for escapeAssertion function, refer to Go Casbin's implementation exactly
  ...

Done in commit c67e086:

• Replaced escapeAssertion with Go Casbin's exact implementation using regex /([()\s|&,=!><+\-*/]|^)((r|p)[0-9]*)\./g
• Replaced test cases with Go Casbin's exact test suite from util_test.go
• Reverted yarn.lock to original state

The Go implementation naturally handles string literals correctly because quotes are not in the regex character class, so patterns like "r. are never matched.