Commit 0982df8

feat(permission0): implement re-delegation for namespaces (#127)
This patch introduces the first version of namespace permission re-delegation. Closes CHAIN-107.

# Interface Changes: Permission Redelegation and Cascading Revocation

## Extrinsic Signature Changes

### `delegate_namespace_permission` - BREAKING CHANGE

```rust
// BEFORE
pub fn delegate_namespace_permission(
    origin: OriginFor<T>,
    recipient: T::AccountId,
    paths: BoundedBTreeSet<NamespacePathInner, T::MaxNamespacesPerPermission>,
    duration: PermissionDuration<T>,
    revocation: RevocationTerms<T>,
) -> DispatchResult

// AFTER
pub fn delegate_namespace_permission(
    origin: OriginFor<T>,
    recipient: T::AccountId,
    paths: BoundedBTreeMap<
        Option<PermissionId>, // Parent permission (None for root)
        BoundedBTreeSet<NamespacePathInner, T::MaxNamespacesPerPermission>,
        T::MaxNamespacesPerPermission,
    >, // Now supports inheritance from parent permissions
    duration: PermissionDuration<T>,
    revocation: RevocationTerms<T>,
    instances: u32, // ADDED: Max re-delegation capacity
) -> DispatchResult
```

## Structure Changes

### `PermissionContract<T>` - BREAKING CHANGES

```rust
// BEFORE
pub struct PermissionContract<T: Config> {
    ...
    pub parent: Option<PermissionId>, // REMOVED
}

// AFTER
pub struct PermissionContract<T: Config> {
    ...
    pub max_instances: u32, // ADDED: Controls re-delegation capacity
    pub children: BoundedBTreeSet<H256, T::MaxChildrenPerPermission>, // ADDED: Enables cascading revocation
}
```

### `NamespaceScope<T>` - BREAKING CHANGE

```rust
// BEFORE
pub struct NamespaceScope<T: Config> {
    pub paths: BoundedBTreeSet<NamespacePath, T::MaxNamespacesPerPermission>,
}

// AFTER
pub struct NamespaceScope<T: Config> {
    pub paths: BoundedBTreeMap<
        Option<PermissionId>, // Parent permission that granted these paths.
                              // None if path belongs to delegator itself
        BoundedBTreeSet<NamespacePath, T::MaxNamespacesPerPermission>,
        T::MaxNamespacesPerPermission,
    >,
}
```

## Behavioral Changes

### Instance Management

- `max_instances` controls how many child permissions can be created
- Each child consumes instances from parent, preventing unlimited delegation

### Inheritance Validation

- Child permissions must have weaker or equal revocation terms than parent
- Namespace paths must be accessible through parent permissions
- Supports granular delegation of more specific namespaces

### Cascading Revocation

- Revoking a permission automatically revokes ALL child permissions recursively
- Multiple `PermissionRevoked` events emitted for each revoked permission

## Migration Impact

- All existing permissions get `max_instances = 1` and empty `children` set

## Client SDK Requirements

1. Update `delegate_namespace_permission` call construction
2. Handle new error variants in error handling
3. Update struct parsing for `PermissionContract` and `NamespaceScope`
4. Change event listening from `Permissiondelegated` to `PermissionDelegated`
5. Use accessor methods instead of direct field access
6. Implement cascading revocation event handling
7. Add hierarchy validation using `RevocationTerms::is_weaker()`
1 parent ab724df commit 0982df8
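
A simplified model of the instance accounting and cascading revocation that the commit message describes, added here as an illustration and not taken from the `permission0` pallet. It assumes a child reserves its own `instances` count from its parent and that zero-instance children are rejected; `Registry`, `available`, `delegate` and `revoke` are hypothetical names, and plain `std` collections with a `u32` id stand in for the pallet's bounded types and `H256`.

```rust
use std::collections::{BTreeMap, BTreeSet};
type PermissionId = u32; // stand-in for the pallet's H256 id
struct Permission { max_instances: u32, children: BTreeSet<PermissionId> }
#[derive(Default)]
struct Registry { perms: BTreeMap<PermissionId, Permission>, next_id: PermissionId }

impl Registry {
    /// Instances of `id` not reserved by its live children (assumed accounting).
    fn available(&self, id: PermissionId) -> Option<u32> {
        let p = self.perms.get(&id)?;
        let used = p.children.iter().filter_map(|c| self.perms.get(c))
            .fold(0u32, |acc, c| acc.saturating_add(c.max_instances));
        Some(p.max_instances.saturating_sub(used))
    }
    /// Create a permission; a child must fit in its parent's remaining capacity.
    fn delegate(&mut self, parent: Option<PermissionId>, instances: u32) -> Result<PermissionId, &'static str> {
        if instances == 0 { return Err("zero instances"); } // assumption of this model
        if let Some(pid) = parent {
            let free = self.available(pid).ok_or("unknown parent")?;
            if instances > free { return Err("not enough instances"); }
        }
        let id = self.next_id;
        self.next_id = id.wrapping_add(1);
        self.perms.insert(id, Permission { max_instances: instances, children: BTreeSet::new() });
        if let Some(pid) = parent {
            if let Some(p) = self.perms.get_mut(&pid) { p.children.insert(id); }
        }
        Ok(id)
    }
    /// Revoke `id` and every descendant without recursion; one id per revocation event.
    fn revoke(&mut self, id: PermissionId) -> Vec<PermissionId> {
        let (mut revoked, mut stack) = (Vec::new(), vec![id]);
        while let Some(cur) = stack.pop() {
            if let Some(p) = self.perms.remove(&cur) {
                stack.extend(p.children);
                revoked.push(cur);
            }
        }
        // Unlink from the surviving parent so the reserved instances are released.
        for p in self.perms.values_mut() { p.children.remove(&id); }
        revoked
    }
}

fn main() {
    let mut r = Registry::default();
    let root = r.delegate(None, 3).expect("root permission");
    println!("revoked: {:?}", r.revoke(root));
}
```

The explicit stack in `revoke` keeps the traversal free of unbounded recursion, which matters for runtime code that must never panic.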

23 files changed

+2258
-701
lines changed

.zed/settings.json

Whitespace-only changes.

CLAUDE.md

Lines changed: 24 additions & 1 deletion
@@ -21,13 +21,36 @@ Torus is a stake-driven peer-to-peer network built on Substrate. The blockchain
2121
- **`governance`**: Proposals, voting, treasury, roles (allocators, curators)
2222
- **`permission0`**: Permission and access control
2323

24+
### Permission0 Pallet Structure
25+
26+
The `permission0` pallet manages delegated permissions and access control within the Torus network. Key components:
27+
28+
**Core Permission Types** (`pallets/permission0/src/permission.rs`):
29+
- `PermissionContract<T>` - Main permission structure with delegator, recipient, scope, duration, and enforcement
30+
- `PermissionId` - Unique permission identifier (H256 hash)
31+
- `PermissionScope<T>` - Defines what actions the permission covers
32+
- `NamespaceScope<T>` - Defines namespace path permissions for delegation
33+
34+
**Permission Scopes** (`pallets/permission0/src/permission/`):
35+
- `pallets/permission0/src/permission/curator.rs` - `CuratorPermissions` and `CuratorScope` types
36+
- `pallets/permission0/src/permission/emission.rs` - `EmissionAllocation`, `DistributionControl`, and `EmissionScope` types
37+
38+
**Implementation Handlers** (`pallets/permission0/src/ext/`):
39+
- `pallets/permission0/src/ext/curator_impl.rs` - Functions for curator permission enforcement
40+
- `pallets/permission0/src/ext/emission_impl.rs` - Functions for emission permission enforcement
41+
- `pallets/permission0/src/ext/namespace_impl.rs` - Functions for namespace permission enforcement
42+
2443
## Architecture Principles
2544

2645
- **API-first design**: Each pallet has separate `api` crate to prevent circular dependencies
2746
- **Domain separation**: Complex logic split into focused modules (agent.rs, stake.rs, etc.)
2847
- **Storage efficiency**: Use container types to minimize state size
2948
- **Zero-panic policy**: Runtime code must NEVER panic under any circumstances
3049

50+
## Project Structure
51+
52+
- All pallet tests are located within the /tests folder in each pallet's folder
53+
3154
## Essential Commands
3255

3356
```sh
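Review bot: The added `PermissionContract<T>` bullet under "Core Permission Types" lists only delegator, recipient, scope, duration, and enforcement, while this same commit adds `max_instances` and `children` to that struct and keys the `NamespaceScope<T>` paths by parent permission. Since this section is the orientation text for the pallet, consider naming the re-delegation fields and cascading revocation there, for example "... and enforcement, plus `max_instances` and `children` for re-delegation". As a style point, the bullets under "Permission Scopes" and "Implementation Handlers" repeat the directory already given in their headings, so bare file names would be enough.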
@@ -152,4 +175,4 @@ cargo build --release # Build the node
152175
2. **MUST** run `just check` and fix all warnings
153176
3. **MUST** run `just test` and ensure all pass
154177
4. **MUST** run `cargo xtask coverage` to verify coverage
155-
5. **MUST** test runtime upgrades if storage changed
178+
5. **MUST** test runtime upgrades if storage changed
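Review bot: The `-`/`+` pair on step 5 ("**MUST** test runtime upgrades if storage changed") has identical visible text, so the change is whitespace or an end-of-file newline only. If it is intentional, fine; otherwise drop it to keep the patch focused. Separately, the commit message lists breaking changes to `PermissionContract` and `NamespaceScope` together with a migration, so step 5 applies to this commit, and a line in the commit message saying the runtime upgrade was tested would help reviewers.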
