
[New Permission 2a/5] smartcontract: implement authorize() mechanism#3208

Open
juan-malbeclabs wants to merge 1 commit into jo/permission-scaffolding from jo/permission-authorize

Conversation

@juan-malbeclabs
Contributor

PR 2 of 5. Review order: PR 1: scaffold → PR 2 (this) → PR 3 → PR 4 → PR 5.
This diff is against jo/permission-scaffolding.

Summary of Changes

  • Introduces authorize(), the central authorization function for all privileged instructions in the serviceability program
  • Accepts the caller's Permission PDA as an optional trailing account. If present, validates PDA derivation, program ownership, Activated status, and OR-matches the provided permission_flags bitmask
  • If no Permission account is provided, falls back to legacy GlobalState allowlists/authority keys — unless FeatureFlag::RequirePermissionAccounts is set, in which case the legacy path is disabled (with a carve-out: foundation members can always manage Permission accounts to prevent lockout)
  • Full legacy flag→allowlist mapping is documented in the function's doc comment

Diff Breakdown

Category     Files   Lines (+/-)    Net
Core logic   2       +1059 / -0     +1059

A single focused module with no scaffolding, tests, or other changes.

Key files (click to expand)
  • smartcontract/programs/doublezero-serviceability/src/authorize.rs — new authorize() function: Permission account path + legacy GlobalState fallback; 15-role flag→allowlist mapping table documented inline
  • smartcontract/programs/doublezero-serviceability/src/lib.rs — adds pub mod authorize;

Testing Verification

  • authorize() is covered by the Permission processor integration tests added in the next PR
  • make rust-build passes with the new module in place
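The description above lays out the decision flow of authorize(): an optional trailing Permission account that must pass PDA derivation, program ownership and Activated status before its flag bits are OR-matched, with a fallback to the legacy GlobalState allowlists that FeatureFlag::RequirePermissionAccounts turns off except for the foundation lockout carve-out. The block below is an added, stand-alone model of that flow written for this review; it is not the serviceability program's code. The types, the three flag constants, the allowlist names and expected_permission_key (a stand-in for the real PDA derivation) are all assumptions so the file builds with no Solana crates.

```rust
// Added example: a self-contained model of the authorize() decision flow
// described in the PR. Not the program's code; all names here are assumptions.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum AuthError {
    InvalidPda,         // account key is not the expected Permission PDA
    InvalidOwner,       // account is not owned by this program
    NotActivated,       // Permission exists but is not Activated
    MissingPermission,  // no overlap between held and required flag bits
    LegacyPathDisabled, // RequirePermissionAccounts set and no carve-out applies
}

// Hypothetical flag bits; the real 15-role mapping lives in authorize.rs.
pub const PERM_MANAGE_PERMISSIONS: u64 = 1 << 0;
pub const PERM_DEVICE: u64 = 1 << 1;
pub const PERM_USER: u64 = 1 << 2;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum PermissionStatus { Pending, Activated, Suspended }

// Stand-in for the Permission account as the instruction sees it.
#[derive(Debug, Clone, Copy)]
pub struct PermissionAccount {
    pub key: [u8; 32],
    pub owner: [u8; 32],
    pub status: PermissionStatus,
    pub flags: u64,
}

// Stand-in for GlobalState: the feature flag plus the legacy allowlists.
pub struct GlobalState {
    pub require_permission_accounts: bool,
    pub foundation_allowlist: Vec<[u8; 32]>,
    pub device_allowlist: Vec<[u8; 32]>,
    pub user_allowlist: Vec<[u8; 32]>,
}

// Hypothetical PDA stand-in. The real program derives the address with
// Pubkey::find_program_address from its own seeds and program_id.
pub fn expected_permission_key(program_id: &[u8; 32], payer: &[u8; 32]) -> [u8; 32] {
    let mut out = [0u8; 32];
    for i in 0..32 {
        out[i] = program_id[i] ^ payer[i].rotate_left(3);
    }
    out
}

pub fn authorize(
    program_id: &[u8; 32],
    payer: &[u8; 32],
    permission_account: Option<&PermissionAccount>,
    global_state: &GlobalState,
    required_flags: u64,
) -> Result<(), AuthError> {
    if let Some(acct) = permission_account {
        // New path. Each check fails closed: a caller-supplied account must pass
        // derivation, ownership and status before its flag bits are trusted.
        if acct.key != expected_permission_key(program_id, payer) {
            return Err(AuthError::InvalidPda);
        }
        if acct.owner != *program_id {
            return Err(AuthError::InvalidOwner);
        }
        if acct.status != PermissionStatus::Activated {
            return Err(AuthError::NotActivated);
        }
        // OR-match: holding any one of the requested bits is sufficient.
        if acct.flags & required_flags == 0 {
            return Err(AuthError::MissingPermission);
        }
        return Ok(());
    }

    // No Permission account supplied: legacy path.
    let is_foundation = global_state.foundation_allowlist.contains(payer);
    if global_state.require_permission_accounts {
        // Carve-out: foundation members may still manage Permission accounts,
        // otherwise setting the flag before any Permission exists locks everyone out.
        if is_foundation && required_flags & PERM_MANAGE_PERMISSIONS != 0 {
            return Ok(());
        }
        return Err(AuthError::LegacyPathDisabled);
    }
    // Legacy flag -> allowlist mapping (hypothetical three-entry subset).
    let allowed = (required_flags & PERM_MANAGE_PERMISSIONS != 0 && is_foundation)
        || (required_flags & PERM_DEVICE != 0 && global_state.device_allowlist.contains(payer))
        || (required_flags & PERM_USER != 0 && global_state.user_allowlist.contains(payer));
    if allowed { Ok(()) } else { Err(AuthError::MissingPermission) }
}

fn main() {
    let program_id = [7u8; 32];
    let payer = [1u8; 32];
    let gs = GlobalState {
        require_permission_accounts: true,
        foundation_allowlist: vec![],
        device_allowlist: vec![payer],
        user_allowlist: vec![],
    };
    // A legacy allowlist entry no longer authorizes once the feature flag is set.
    println!("{:?}", authorize(&program_id, &payer, None, &gs, PERM_DEVICE));
}
```

The ordering in the Permission path is deliberate: derivation and ownership are checked before any field of the account data is read, so an attacker who passes an arbitrary account they control never gets as far as the status or flag comparison.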

```rust
// New path: validate Permission PDA and bitmask.
let (expected_pda, _) = get_permission_pda(program_id, payer_key);
if permission_account.key != &expected_pda {
    return Err(ProgramError::InvalidArgument);
}
```
Contributor

Most of these errors we typically use assertions for. Why do things differently?
