add RBAC integration tests for authorizer

11 new test scenarios validating role-based access control patterns
against a real Keto instance using subject sets:

- Direct role assignment and permission check
- Multiple roles with different permissions
- Role revocation removes access
- Organization-scoped roles (partition namespace)
- Bulk role members verification
- Resource isolation (role grants limited to specific resources)
- Multi-tenant isolation using partition namespace
- Role enumeration via ListRelations/ListSubjectRelations
- Capabilities discovery via BatchCheck
- Role membership transfer (remove + add)
- Cross-namespace role access (default role → partition resource)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: pitabwire