feat(cli): add --no-sync-policy-roles flag

[EdouardDem]

Summary

• Adds a new CLI flag --no-sync-policy-roles (and matching syncPolicyRoles config option) so role ↔ policy attachments (directus_access entries linking roles and policies) can be left untouched on the target during sync.
• When enabled:
  1. PoliciesDataClient.getQueryCommand omits the roles.* fields, so attachments are never dumped or fetched from the target.
  2. PoliciesDataClient.getUpdateCommand strips diffItem.roles before updating, so existing target attachments are preserved.
• Policy definitions, permissions and other tweaks still sync normally; only the role↔policy assignments become owned by the target environment.

Fixes #199 — addresses the case where end-users (clients) attach policies to roles in production and those assignments were being wiped on every push.

Note on user-policy attachments: directus_access entries that link policies to users (rather than roles) are already not dumped nor modified by the current sync logic, so they remain untouched without any additional flag.

Test plan

• tsc --noEmit clean for packages/cli and packages/e2e
• npm run build succeeds in packages/cli
• New e2e test pushWithNoSyncPolicyRoles covers:
  • target attachments added/removed by an admin are preserved across push when --no-sync-policy-roles is set
  • pull --no-sync-policy-roles does not include roles in the dumped policy file

🤖 Generated with Claude Code

[BorisKamp]

Nice @EdouardDem ! When do you plan to release a new version with this included?

[EdouardDem]

@BorisKamp I'll do it in the next hour, after merging #204