[New Permission 3/4] smartcontract: define topology/resource/index permission flags #3942

Open
juan-malbeclabs wants to merge 1 commit into jo/permission-enforcement from jo/permission-trindex-flags

@juan-malbeclabs juan-malbeclabs commented Jun 26, 2026

Permission rollout — stacked PR series. Review/merge order:

  1. #3206 — enforce Permission-based authorization in existing instructions
  2. #3942 — define topology/resource/index permission flags (3/4) — stacked on [New Permission 3/3] smartcontract: enforce Permission-based authorization in existing instructions #3206
  3. #3943 — enforce topology/resource/index permission flags (4/4) — stacked on [New Permission 3/4] smartcontract: define topology/resource/index permission flags #3942

Retarget each PR's base to main as its upstream merges.
👉 You are here: #3942 (PR 3/4).

Summary

  • Adds three permission flags — TOPOLOGY_ADMIN (1<<15), RESOURCE_ADMIN (1<<16), INDEX_ADMIN (1<<17) — so segment-routing topologies, ResourceExtension accounts, and internal Index accounts can be delegated without granting the broad FOUNDATION flag (today they are foundation-only).
  • Maps each flag to the foundation_allowlist in authorize()'s legacy path, so authorization behavior is unchanged until a Permission account is supplied.
  • Exposes the names (topology-admin / resource-admin / index-admin) in the serviceability CLI for permission set --add / --remove, and adds matching constants to the Go, TypeScript, and Python SDKs.
  • Documents the flags in PERMISSION.md and the serviceability README.md.

This PR is definition-only; processor enforcement lands in the follow-up 4/4. Stacked on #3206.

Testing Verification

  • authorize() legacy-mapping unit tests for each new flag (allowed via a foundation member, denied for others).
  • CLI permission name↔bitmask round-trip tests cover the three new names.

Reference: smartcontract/programs/doublezero-serviceability/PERMISSION.md

…rmission flags

Add TOPOLOGY_ADMIN (1<<15), RESOURCE_ADMIN (1<<16), and INDEX_ADMIN (1<<17)
to permission_flags, with legacy authorization mapping each to the foundation
allowlist in authorize() (plus unit tests). Expose the new names in the
serviceability CLI (topology-admin/resource-admin/index-admin) and add the
matching constants to the Go, TypeScript, and Python SDKs.

Documents the flags in PERMISSION.md and the serviceability README. This
defines the permissions; enforcement in the processors lands in 4/4.
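
The flag model described in this PR, as an added Rust sketch that is not code from the pull request or the doublezero-serviceability program. Only the three bit positions and the CLI names come from the PR text; the u128 width, the Permission struct, the helper names and the exact authorize() semantics (exact-bit check when a Permission account is supplied, foundation allowlist otherwise) are assumptions.

```rust
// Added illustration, not the doublezero-serviceability source. Bit positions and
// CLI names are from the PR text; the u128 width and all types below are assumed.
pub const TOPOLOGY_ADMIN: u128 = 1 << 15;
pub const RESOURCE_ADMIN: u128 = 1 << 16;
pub const INDEX_ADMIN: u128 = 1 << 17;

static NAMES: [(&str, u128); 3] = [
    ("topology-admin", TOPOLOGY_ADMIN),
    ("resource-admin", RESOURCE_ADMIN),
    ("index-admin", INDEX_ADMIN),
];

/// CLI names -> bitmask. An unknown name is an error, never silently dropped.
pub fn parse_flags(names: &[&str]) -> Result<u128, String> {
    names.iter().try_fold(0u128, |mask, n| {
        NAMES.iter().find(|(name, _)| name == n)
            .map(|(_, bit)| mask | bit)
            .ok_or_else(|| format!("unknown permission: {n}"))
    })
}

/// Bitmask -> CLI names, the other half of the round trip.
pub fn flag_names(mask: u128) -> Vec<&'static str> {
    NAMES.iter().filter(|(_, bit)| mask & bit != 0).map(|(n, _)| *n).collect()
}

/// Hypothetical stand-in for a Permission account: who it is for, what it grants.
pub struct Permission { pub user: [u8; 32], pub flags: u128 }

/// Assumed semantics: with a Permission account the signer must own it and hold
/// the required bit; without one, only foundation_allowlist members pass (legacy).
pub fn authorize(signer: &[u8; 32], required: u128, permission: Option<&Permission>,
                 foundation_allowlist: &[[u8; 32]]) -> bool {
    match permission {
        Some(p) => p.user == *signer && p.flags & required == required,
        None => foundation_allowlist.contains(signer),
    }
}

fn main() {
    let (foundation, delegate) = ([1u8; 32], [2u8; 32]); // constructed keys
    let grant = Permission { user: delegate, flags: parse_flags(&["topology-admin"]).unwrap() };
    println!("granted: {:?}", flag_names(grant.flags));
    println!("delegate/topology: {}", authorize(&delegate, TOPOLOGY_ADMIN, Some(&grant), &[foundation]));
    println!("delegate/resource: {}", authorize(&delegate, RESOURCE_ADMIN, Some(&grant), &[foundation]));
    println!("delegate/legacy:   {}", authorize(&delegate, TOPOLOGY_ADMIN, None, &[foundation]));
}
```

The delegate passes only the topology check: the grant carries a single narrow bit, and the legacy path still admits nobody outside the foundation allowlist.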