userspace permissions #6493

Open: wants to merge 137 commits into base: develop
Conversation

@tinnus-napbus (Contributor) commented Apr 19, 2023

Long-awaited userspace permission PR.

This is one of three fully separate prongs that aim to provide better privacy & security within userspace. This prong aims to restrict the effects Gall agents may emit based on permissions they have requested either statically as prerequisites (in a /desk.seal file), or dynamically as opt-in during runtime.

The other prongs are: 2) some form of userspace provenance (of which #6499 is a proposal), and 3) a permissioning scheme for Eyre/frontends. We intentionally exclude those two prongs here, because they can and should be implemented fully independently.

For the initial release, userspace permissions will only be warned about, but they will not block agent installation.

The latest announcement for this work was made here, but some changes have been made since then. A brief summary of the current form of this work follows:

  • All %pass cards emitted by agents, and all .^ scries made by agents are now subject to permission control. Only agents running on the %base desk are fully exempt from this.
  • Permissions are granted to desks. All agents running from that desk have the same permissions.
  • There are no implicit permissions. Every %pass and .^ requires a corresponding permission. Even when %passing to an agent that runs off the same desk.
  • An app may require that it be granted certain permissions in order to be installed or run. These are defined in the /desk.seal file on an app's desk. When agents run off that desk, they are guaranteed to have these permissions.
  • An app may request optional permissions at runtime by %passing a %pine to Clay. Users may grant or revoke optional permissions at any time.
  • The bowl given to Gall agents when they run now contains the set of permissions they have been granted. +cred:gall and +rite:gall may be used by agents to check for permission on a card or scry, respectively.
  • For the initial release, failure of an agent to comply with its un/granted permissions will simply cause a printf, but let the %pass or scry through as normal. In the future, this will become a crash. Developers are encouraged to adopt permissions for their apps as soon as possible. The urbit-dev announcement contains instructions on how to find the permissions your app needs; those remain accurate.

The %treaty agent has already been updated to propagate the required permissions as part of apps' metadata, see tloncorp/landscape#164.

Differences from the now-defunct #6560: resolve merge conflicts with develop (mostly gall/clay state migration functions), fix tests and add missing arvo tasks to perms:

  • ames %snub: create new [%ames %block ~] perm to allow blocking/unblocking ships
  • clay %crew and %crow: add to [%clay %creds ~] perm
  • clay %park: add to [%clay %write `desk ~] - can't rive this into paths unfortunately because of complexity with the unified rang. Can only set by desk.
  • clay %rein: add to [%clay %liven `desk]
  • clay %tomb: create new [%clay %grave ship=(unit ship) desk=(unit desk)]. For the clue: %lobe, %all, %seek, %pick and %seek require [%clay %grave ~ ~] global tombstoning perms, while %norm and %worn can take a specific ship and desk if desired.
  • clay %wick: add to [%clay %liven ~]. Can't bump only a particular desk, so require a null desk.
  • ames %keen: create new [%ames %order ship=(unit ship) =path]. Can remote-scry any ship if ship is null, otherwise the specified ship. Simple all-subpaths-of-given-path logic is applied to the path.
  • ames %yawn: always allowed, as you can only cancel on the original duct, so you always requested it in the first place.
  • ames %wham: add [%ames %whack ship=(unit ship) =path], same behaviour as %keen.
  • %grow/%tomb/%cull note:agent: add [%press =spur] to $perm-gall with all-subpaths-of-given-path logic applied to spur.

TODOs before merge:

  • Check to make sure this PR is compatible with the next/kelvin/412 branch.
  • add optional arg to |free generator to grant all requested perms
  • make perm printing in vats just a number and add a separate generator to prettily list perms for a desk.
  • pre-release testing checklist, i.e. what features need to be exercised before we can determine that this is safe to release?
    • test default desks with appropriate desk.seals. This fork/branch of %garden has one and should work. Will upload for other default desks shortly.
    • test |free and |lock generators
    • test migration from non-perms to perms
    • test remote app install
    • test %pine (set app-desired permissions) and %curb (set user-approved permissions) clay tasks
    • test %ward (subscribe to receive permission diffs) and %wink (unsubscribe from receiving permission diffs) gall tasks.
    • actual enforcement of perms is currently disabled, gall only warns. Edit gall in the two places it says ::TODO PERM to enable enforcement and test it correctly crashes on unapproved scries & tasks.
    • also test with enforcement disabled, make sure it warns but allows
    • run normal kernel /tests suite, make sure all pass.
    • enable enforcement as described above then edit the tests/sys/vane/gall test where it says ::TODO PERM so it'll test enforcement correctly.
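
The matching rules the PR description lays out (a null ship or desk in a perm means "any", the all-subpaths rule on a path prefix, no implicit permissions, %base exempt, and warn-only versus enforced checking) can be modelled outside the kernel. The following is an added illustration in Python, not the project's Hoon and not code from the PR; the type shapes, the function names, and the rule that an optional perm counts only when it is both app-desired (%pine) and user-approved (%curb) are assumptions made here for the example.

```python
# Added illustration (Python), not the project's Hoon: a model of the
# permission-matching rules described in the PR summary. Data shapes, names
# and the required | (desired & approved) composition are assumptions;
# the matching semantics (null ship/desk = any, all-subpaths prefix rule,
# %base exempt, warn-only vs enforced) follow the PR text.
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

Path = Tuple[str, ...]


@dataclass(frozen=True)
class Perm:
    """One permission entry, e.g. [%ames %order ship=(unit ship) =path]."""
    vane: str                    # "ames", "clay", "gall", ...
    kind: str                    # "order", "whack", "grave", "press", ...
    ship: Optional[str] = None   # None models a null (unit ship): any ship
    desk: Optional[str] = None   # None models a null (unit desk): any desk
    path: Path = ()              # empty prefix covers every path


@dataclass(frozen=True)
class Effect:
    """A %pass or scry an agent wants to emit, reduced to the keyed fields."""
    vane: str
    kind: str
    ship: Optional[str] = None   # None models a global request (e.g. %lobe)
    desk: Optional[str] = None
    path: Path = ()


class PermissionDenied(Exception):
    pass


def covers(perm: Perm, effect: Effect) -> bool:
    """True if `perm` authorises `effect`.

    A null ship/desk in the perm matches anything, but a concrete ship/desk
    never matches a global effect, so global tombstoning needs
    [%clay %grave ~ ~] and nothing narrower. Path rule is all-subpaths:
    the perm path must be a prefix of the effect path.
    """
    if (perm.vane, perm.kind) != (effect.vane, effect.kind):
        return False
    if perm.ship is not None and perm.ship != effect.ship:
        return False
    if perm.desk is not None and perm.desk != effect.desk:
        return False
    return effect.path[: len(perm.path)] == perm.path


def effective_perms(required: FrozenSet[Perm], desired: FrozenSet[Perm],
                    approved: FrozenSet[Perm]) -> FrozenSet[Perm]:
    """Assumed composition: /desk.seal requirements are always granted; an
    optional perm counts only if the app asked for it and the user approved."""
    return required | (desired & approved)


def check(desk: str, granted: FrozenSet[Perm], effect: Effect,
          enforce: bool = False) -> Tuple[bool, Optional[str]]:
    """Decide whether an agent running on `desk` may emit `effect`.

    Returns (allowed, warning). Agents on %base are exempt. There are no
    implicit permissions: an uncovered effect is a violation even when the
    target lives on the same desk. In warn-only mode the effect is let
    through with a warning; with enforce=True it raises (the planned crash).
    """
    if desk == "base":
        return True, None
    if any(covers(p, effect) for p in granted):
        return True, None
    warning = f"agent on %{desk} lacks permission for {effect.vane}/{effect.kind}"
    if enforce:
        raise PermissionDenied(warning)
    return True, warning


def crashes(desk: str, granted: FrozenSet[Perm], effect: Effect) -> bool:
    """True if the effect would crash the agent once enforcement is on."""
    try:
        check(desk, granted, effect, enforce=True)
    except PermissionDenied:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: a desk whose seal requires remote scry under /chat
    granted = effective_perms(
        frozenset({Perm("ames", "order", path=("chat",))}),
        frozenset({Perm("ames", "block")}),
        frozenset({Perm("ames", "block")}),
    )
    print(check("garden", granted, Effect("ames", "order", "~zod", None, ("chat", "msgs"))))
    print(check("garden", granted, Effect("ames", "order", "~zod", None, ("groups",))))
```

The useful property to keep in mind from the model: a perm carrying a concrete ship or desk never satisfies a global request, so the narrow grant is never silently promoted to the wide one, while the warn-only path returns the same "allowed" result as a real grant and differs only in the attached warning, which is exactly why the TODO above insists on testing both modes.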

Fang- and others added 30 commits July 12, 2022 19:16
Adds a permission configuration to each running gall agent, based on the
recent additions to lull. Whenever a gall agent emits effects, they are
checked against its current permission set, and... allow through
regardless. An agent may inspect its current permission set from the
bowl.

A couple obvious challenges immediately arise, mostly surrounding what
agents should do when they are not allowed to emit effects they want to
emit. This gets especially nasty in +on-init, ie the install-new-app
case.

To prevent major breakage while we work on solving these issues, we
simply printf when we would drop cards, instead of actually dropping
them.

Includes simple |free and |lock generators for manually tweaking
permissions on an agent.

More work to follow.

Co-authored-by: drbeefsupreme <drbeefsupreme@users.noreply.github.com>
Clay and gall perms can now be limited to individual desks and agents
respectively.
We punt on the question of agent->desk resolution during +cred calls.
Affected agents always get them. Agents may subscribe to all permission
notifications using %ward, with %wink to unsubscribe.
In a similar vein to /desk/bill, contains the required and optional
permissions for agents on a desk. These will eventually be used during
installation, upgrade, and for managing permissions on demand.

Includes minimal logic for reading out these files from specific desks.
this adds some prepared gall cores and utilities, mostly intended for
testing userspace permissions, but will also be useful more broadly.

interfaces for +call, +take, and +scry to gall cores are added

several arms for creating a dummy agent named %bunt in the %test desk,
as well as poking it, and scrying its bowl, are added

also adds a scry endpoint to the dbug agent wrapper for the bowl.
previously, you could only poke the agent to request its bowl, which
just printed it to the terminal and didn't return it. the scry endpoint
actually returns the bowl
adds gall unit test that performs a %free task on a dummy agent and
checks to see that the dummy agent's bowl has the correct permissions
Separate pokes, subscriptions, and scrying.
should probably be squashed with other commits adding tests
Adds a permission updating task to clay (%visa) and makes sure
permissions get included in gall's %load task.

Squashed commit of the following:

commit 7713932
Author: fang <git@fang.io>
Date:   Thu Aug 4 15:56:08 2022 +0200

    clay, gall: include permissions on loadout comms

commit afdd03b
Author: drbeefsupreme <jon@tlon.io>
Date:   Wed Aug 3 18:46:35 2022 -0400

    wip: fill in clay userspace permissions todos

commit eebf84d
Author: fang <git@fang.io>
Date:   Wed Aug 3 23:47:22 2022 +0200

    wip: permissions-via-clay todos

Co-authored-by: drbeefsupreme <drbeefsupreme@users.noreply.github.com>
@tinnus-napbus tinnus-napbus changed the title add missing arvo tasks to userspace perms userspace perms: resolve merge conflicts with develop, add missing perms May 11, 2023
@belisarius222 belisarius222 changed the base branch from m/userspace-permissions to develop May 16, 2023 19:48
@belisarius222 belisarius222 mentioned this pull request May 16, 2023
3 tasks
@belisarius222 belisarius222 changed the title userspace perms: resolve merge conflicts with develop, add missing perms userspace permissions May 16, 2023
@belisarius222 belisarius222 changed the base branch from develop to next/kelvin/412 May 16, 2023 20:00
tomholford added a commit to tloncorp/landscape that referenced this pull request Jun 9, 2023
This implements the first draft of types as specified by the backend implementations:
- urbit/urbit#6493
- master...tinnus-napbus:landscape:tinnus/userspace-permissions

Based on out-of-band conversation with @tinnus-napbus, there is possibly some changes coming to this interface. (to be addressed in a follow up commit).
Base automatically changed from next/kelvin/412 to develop August 29, 2023 10:11