chore: protect internal role grants

[tgmendes]

Why

risk_policy:evaluate grants live in principal_grants, but they are internal relation rows, not grants that should be managed by the Roles & Permissions editor.

Without this protection, saving a role through the existing RBAC editor would replace all grants for that role principal and accidentally delete policy audience membership rows. That would make unrelated role edits silently change which risk policies apply.

What changed

• Role grant replacement now deletes only the replaceable scope set.
• Role deletion still deletes all grants for the role principal, including internal relation grants.
• Access-facing grant views filter internal scopes out before returning role/user grant payloads.
• Added DeletePrincipalGrantsByScope as the generic SQLC primitive for deleting a principal's grants by explicit scope list.
• Added coverage for preserving internal grants on role edits, removing them on role deletion, and keeping them hidden from access API views.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 91f9859

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
gram-docs-redirect	Ready	Preview, Comment	Jun 1, 2026 9:17am

[cubic-dev-ai]

No issues found across 12 files

_{Re-trigger cubic}