change: move actual permissions to .status + apply IRAs to consumed permissions

[iwilltry42]

This PR introduces quite a few changes around permissions:

• Some comments and renaming to make permissions stuff clearer
• The actually granted and authorized permissions for every app will now go to AppInstances' .status.permissions field and contain only those permissions required for this specific AppInstance, not for nested Acorns
• Permissions are promoted from .spec to .status along with the staged AppImage when all checks (including ImageRoleAuthorizations) pass
• Permissions consumed from nested Services are added after all that and thus we have a new handler for them that only allows the consuming App to run if it's authorized to hold the permissions consumed from the producing service
  • Those will be merged into the .status.permissions field such that this field reflects truly all permissions given to that AppInstance

Checklist

• The title of this PR would make a good line in Acorn's Release Note's Changelog
• The title of this PR ends with a link to the main issue being address in parentheses, like: This is a title (#1216). Here's an example
• All relevant issues are referenced in the PR description. NOTE: don't use GitHub keywords that auto-close issues
• Commits follow contributing guidance
• Automated tests added to cover the changes. If tests couldn't be added, an explanation is provided in the Verification and Testing section
• Changes to user-facing functionality, API, CLI, and upgrade impacts are clearly called out in PR description
• PR has at least two approvals before merging (or a reasonable exception, like it's just a docs change)

[g-linville]

This is my first pass. Gonna have to wrap my head around this some more, but these are my initial thoughts.