agent-permissions: various repo and service cleanups

[mschuwalow]

Flows I tried to go for:

get by id:

• read entity + all joined, non-deleted parent entities
• 404 on permission denied

get by name (e.g. /envs/:env_id/components/:component_name):

• read parent using get by id
• 404 on parent not found (which includes denied due to the rules in get by id)
• check permission to access child, 404 on denied
• fetch child without joining parent data
• project into domain model using parent data fetched in (1)

get fixed subresource (e.g. /accounts/:account_id/plan):

• read parent using get by id
• 404 on parent not found (which includes denied due to the rules in get by id)
• check permission to access child, 403 on not found
• fetch child without joining parent data
• project into domain model using parent data fetched in (1)

list subresources (e.g. /accounts/:account_id/applications):

• read parent using get by id
• 404 on parent not found (which includes denied due to the rules in get by id)
• fetch all children without joining parent data
• filter fetched children using auth, skip filtered children
• project into domain model using parent data fetched in (1)

There are few exceptions to this:

• list_visible_environments breaks the usual hierarchy and is implemented by compiling a filter down to sql. That is reasonably tested and works, though I might clean up the compilation / sql later
• the various get agent types. These pass all of our current tests, but I'm not yet 100% sure how I want to handle deleted parents / joining with parent data here. I'll do another pass on these separately and review what is should be done there