Commit d620473

RBAC: rework Roles page as a permission × role comparison Table (TRI-8904)
Replaces the per-role tables with a single comparison grid: rows are catalogue permissions grouped by category (Runs, Tasks, Environment, …), columns are Owner, Admin, Developer, Member, then any custom roles, then Description. Each cell shows whether that role grants the permission.

Cell rendering driven by `effectivePermissions(role.rules)` (TRI-8893):

- No matching rules → ✗ in muted colour
- Allow rule(s), no inverted → ✓ in success green
- Allow rule(s) plus a conditional `cannot` → ✓ green + a tier badge rendered beneath ("non-prod only" for envType=PRODUCTION etc.)
- Only inverted unconditional rule → ✗ in error colour

Plan tier hint in column headers — Developer / Member columns get a small "Pro" Badge on Free/Hobby; custom roles get "Enterprise". Cells still render the comparison data so users see what they'd unlock.

Loader extended to call `rbac.allPermissions(orgId)` so the catalogue drives the row enumeration. Owner column ends up with ✓ on every row (one rendered Permission per catalogue entry, expanded from the `manage:all` packed rule via CASL's rulesFor walk).

Also: `SYSTEM_ROLE_IDS` updated from `{owner, admin, member, viewer}` to `{owner, admin, developer, member}` — Viewer was dropped in TRI-8893 when the role ladder finalised; this catches up the OSS-side helper. account.tokens uses `SYSTEM_ROLE_IDS.member` as the PAT default; the new (more restricted) Member is the right default for that flow.

1 parent b93f247 commit d620473

2 files changed

Lines changed: 251 additions & 190 deletions

0 commit comments