util.roles: Add a :policies() method to iterate through available policies
We don't expose the policies directly, to force people to go through :may().
However, there are times when we really just need to know what policies a
role has inside it (e.g. for reporting or debugging purposes).