Readonly Rootcap

[crwood]

This PR offers a few changes to Gridsync's "Recovery Key" subsystem in order to reduce the likelihood of multiple devices writing to the same Tahoe-LAFS directories at the same time (thereby, hopefully helping to avoid data-loss situations stemming from uncoordinated writers). This is achieved by a rather rudimentary "capability rotation" scheme:

• When exporting/creating a Recovery Key, include only the "diminished" (i.e., read-only) form of the root capability (rather than the fully "augmented" read-write capability) -- in other words, ensure that the possessor of a given Recovery Key can read -- and copy from -- but not write to or modify the contents of the associated root directory.
• When importing/restoring from a Recovery Key, first create a new (read-write) root capability and then reconstruct/copy the directory contents from the imported (read-only) rootcap into the new (read-write) one -- in other words, ensure that each device has its own read-write root capability (i.e., that only that device is configured to write to) while still making it possible, e.g., to re-join previously-joined magic-folders.
• In the case of a ZKAPAuthorizer-enabled grids, restore the state of the ZKAPAuthorizer database before creating a new rootcap (since the act of creating a new rootcap requires ZKAPs) and configure ZKAPAuthorizer replication immediately after the import/restore process completes -- in other words, rotate the ZKAPAuthorizer "recovery-capability" too, and ensure that ZKAPAuthorizer backups/snapshots continue to be created by the new device.

In addition to the above changes, this PR increments the the "base directory" inside the rootcap from "v0" to "v1", signalling both a period of stability and a(n unfortunate) break from past compatibility guarantees. Attempting to import/restore from an old Recovery Key will display an error message to users, informing them that their old Recovery Key is no longer compatible with the current version of the software.