…_update_sync

In test_resource_update_sync, the --filter argument was appended to
diff_cmd instead of sync_cmd due to a copy-paste error. This caused
the sync step to run unfiltered in live integration tests (RECORD=none),
potentially syncing resources outside the test scope. Cassette-based
tests masked the issue since VCR replays fixed responses regardless.

Adds regression tests validating that command-building logic places
filter arguments in the correct command lists.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

When syncing roles cross-DC, permissions gated behind feature flags
(e.g. bits_dev_write) may exist in the source org but not the
destination. Previously, remap_permissions left the unresolved
permission name as a raw string in the payload, causing the Roles API
to reject it with "invalid UUID [permission_name]".

Now, permissions that exist in the source but have no match in the
destination are dropped from the role payload with a warning log.
This prevents a single missing permission from breaking the entire
role sync — and by extension every integration test teardown.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

The Notebooks API now injects ai_generated, ai_edited, and human_edited
tags on every write based on request characteristics. Since the sync CLI
uses API key auth (not MCP), every PUT is classified as a human edit,
causing human_edited:true to be added server-side. This creates a
non-converging diff because the source notebook lacks the tag while the
destination always gets it re-injected.

Strip these server-managed tags in handle_special_case_attr so they are
ignored on both sides during import, sync, and diff. Legitimate user
tags (team:*, llm-observability:*) are unaffected.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>