fix(roles): support system permissions in roles permissions add/list and add remove #20

Open
chrisaddams wants to merge 1 commit into main from fix/system-permissions-add-remove

@chrisaddams

Contributor

Summary

System permissions (e.g. `anythink_subscription_plans:*`) are defined globally without a corresponding entity row — their `entity_id` is `null`. Three gaps surfaced when trying to manage them via the CLI:

  • `roles permissions add` hard-failed because the entity lookup returned 404, so granting `anythink_subscription_plans:read` was impossible from the CLI.
  • `roles permissions list` filtered out any permission whose `entity_id` was `null`, so even when a system permission was assigned through the admin UI it was invisible.
  • There was no `roles permissions remove` at all.

Changes

  • `add`: catches the 404 from `GetEntityAsync`, then matches by exact name + `entity_id == null` so we only grant true system permissions and not anything that happens to share a name.
  • `list`: drops the `entity_id.HasValue` filter — system permissions now appear in the same table as entity-scoped ones.
  • `remove`: new command, mirrors `add`'s signature (`<role_id> --actions read,...`) and uses the same shared resolution helpers.

Verified locally

  • `anythink roles permissions add 7 anythink_subscription_plans --actions read` → "Added read"
  • `anythink roles permissions list 7` → shows `anythink_subscription_plans read`
  • `anythink roles permissions remove 7 anythink_subscription_plans --actions read` → "Removed read"
  • Round-trip add → list → remove → list all behave correctly against a tenant with no `anythink_subscription_plans` entity row.

…and add a remove command

System permissions (such as anythink_subscription_plans:*) are defined
globally without a corresponding entity row — their entity_id is null.
Three related gaps showed up when trying to manage them via the CLI:

- roles permissions add hard-failed when the named entity didn't exist,
  so granting anythink_subscription_plans:read was impossible.
- roles permissions list filtered out any permission whose entity_id was
  null, so even when a system permission was assigned through the admin
  UI it was invisible to the CLI.
- There was no roles permissions remove, so toggling off was impossible
  without dropping into the API directly.

This change makes the entity lookup tolerant of a 404, falls back to
matching permissions by exact name + entity_id == null when the entity
isn't found (so we only grant true system permissions, not anything
that happens to share a name), drops the entity_id filter from list,
and adds a parallel remove command.
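
The fallback described above, as an added C# sketch (not the project's code): when the entity lookup returns 404, only permissions with the exact name and a null `entity_id` are selected. The `Permission` record, the `PermissionResolver` class and the `<entity>:<action>` name format are assumptions made for illustration, and the rows are constructed sample data.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical row shape; the CLI's real DTOs are not shown on this page.
public record Permission(int Id, string Name, int? EntityId);

public static class PermissionResolver
{
    // entityId is null when the entity lookup returned 404 (no entity row).
    // Assumes permission names have the form "<entity>:<action>".
    public static List<Permission> Resolve(IEnumerable<Permission> all,
        string entityName, int? entityId, IEnumerable<string> actions)
    {
        var wanted = actions.Select(a => $"{entityName}:{a.Trim()}")
                            .ToHashSet(StringComparer.Ordinal);
        return all
            .Where(p => wanted.Contains(p.Name))      // exact, case-sensitive name
            .Where(p => entityId.HasValue
                ? p.EntityId == entityId              // entity exists: stay scoped to it
                : p.EntityId is null)                 // 404: system permissions only
            .ToList();
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample data: row 2 shares a name with the system permission
        // but belongs to an entity, so the 404 fallback must not select it.
        var all = new List<Permission>
        {
            new(1, "anythink_subscription_plans:read", null),
            new(2, "anythink_subscription_plans:read", 42),
            new(3, "orders:read", 7),
        };

        var granted = PermissionResolver.Resolve(
            all, "anythink_subscription_plans", null, new[] { "read" });
        Console.WriteLine(string.Join(", ", granted.Select(p => p.Id)));

        // An action with no matching system permission resolves to nothing;
        // the caller should report that instead of treating it as success.
        var none = PermissionResolver.Resolve(
            all, "anythink_subscription_plans", null, new[] { "delete" });
        Console.WriteLine(none.Count);
    }
}
```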