Add input references to runtime and run_process_as_root #279

Merged: mattdean-digicatapult merged 17 commits into main from feature/referenced-inputs on May 22, 2025

mattdean-digicatapult commented May 2, 2025

Pull Request

Checklist

  • Have you read Digital Catapult's Code of Conduct?
  • I have performed a self-review of my own code.
  • I have commented my code, particularly in hard-to-understand areas.
  • I have made corresponding changes to the documentation.
  • My changes generate no new warnings.
  • I have added tests that prove my fix is effective or that my feature works.
  • New and existing unit tests pass locally with my changes.

PR Type

Please delete options that are irrelevant.

  • Bug Fix
  • Chore
  • Feature
  • Documentation Update
  • Code style update (formatting, local variables)
  • Breaking Change (fix or feature that would cause existing functionality to change)

Linked tickets

https://digicatapult.atlassian.net/browse/SQNC-166

High level description

Adds the ability to pass referenced tokens that won't be burnt to run_process and the ability to run processes as root through a new run_process_as_root extrinsic. In addition, restriction types have been modified to allow us to restrict references and also to limit the sender to being root.

Detailed description

The change here contains several opinionated decisions that need to be considered:

  1. We now allow processes to be executed as root and can restrict their execution to root. This allows us to define operations that can only be executed by the system, such as creating privileged token types.
  2. I've completely refactored the restrictions to deduplicate between input/output restrictions. This was to avoid adding a whole copy of the set of restrictions for references.
  3. I've changed the way versioning is handled in both the language and in the pallet-process-validation.

Finally this PR will be followed up with:

  1. update for sqnc-node 13 in process management (Update for sqnc-node 13, sqnc-process-management#407)
  2. update matchmaker to match new extrinsic format (Feature/on chain permissions, sqnc-matchmaker-api#687)

Describe alternatives you've considered

The initial plan assumed some sort of permissions system built into the restrictions that could be role based. After discussions with @rmlearney-digicatapult and @Ellenn-A this felt too restrictive and the decision was made to encode these privileges into issuable tokens instead.

We should consider the security implications of this design change as anyone who can now create one of these tokens can change privileges in the system. That said if you can manipulate the process flows you could change anything anyway so this is probably fine.

Operational impact

This change implements two migrations in the runtime that affect the storage of pallet-utxo-nft and pallet-process-validation. These should be removed once this is released.

This change will break matchmaker and will require downtime. This change should not be merged until that change is ready.

Additional context

None

github-actions Bot commented May 2, 2025

This PR updates the following pallets - they may also require updates to their extrinsic weights:

  • organisation-data
  • process-validation

For the author and any reviewers:

  • consider whether the changes could significantly affect the weight of any extrinsics
  • consider whether benchmarks need updating to correctly cover weight variations over inputs

For a guide on running benchmarks to update weights see calculating weights

mattdean-digicatapult force-pushed the feature/referenced-inputs branch from cbc5c45 to 1f639c2 on May 2, 2025 16:21
mattdean-digicatapult marked this pull request as ready for review May 7, 2025 08:26
mattdean-digicatapult requested a review from a team as a code owner May 7, 2025 08:26
Comment thread README.md Outdated
Comment thread pallets/process-validation/src/migration.rs
Comment thread pallets/utxo-nft/src/benchmarking.rs
Comment thread tools/lang/src/compiler/mod.rs

Ellenn-A left a comment

read through, didn't notice anything obvious

mattdean-digicatapult merged commit 1aa77d4 into main on May 22, 2025 (8 checks passed)