SDK-166 Modular access control (confine all checks to ServerActor module)

[matthewhammer]

This PR reorganizes the API of the service, and the internal API of the Model class, with respect to the placement and checking of PublicKey parameters and fields:

• The external API uses role-based IDs, not UserIds, for any role-based function
• Each role has an assigned public key when the role is created, either inherited from the associated user, or if created without an associated user, this key is given explicitly as a parameter (see the updated registrarAddProducercall, etc.)
• For the purposes of access control, we associate this public key with each role (e.g., each retailer, producer, transporter); the PX access control logic checks each call's public key against the public key for this role
• Internally, access control happens entirely in the ServerActor module; no checks happen in ServerModel any longer; the bulk of module's API need not use PublicKeys at all now, so they are gone now.
• Internally, access control happens before any CRUD operations happen, i.e., before the ServerActor module performs operations using the ServerModel API

Some future access control could be added (e.g., for retailer reservations) when those features are finished. Based on the existing access control checks in this PR, it should be clear how to continue the idiom for these future checks.