Expands Query ACL implementation to add support for specifying userEmail and groupId. Also adds some decorations to the query objects returned from REST API to indicate the permissions the user has that is calling GET on /queries.

userEmail is being added as it is more config-friendly for seed data than userId, which isn't really exposed to end users. userEmail is also used as the "foreign key" on queries, as well as the primary lookup for users, so this is somewhat consistent with the rest of SQLPad.

groupId is added to store the special __EVERYONE__ value, as it isn't a userId. This is primarily to help bring clarity to database, and potentially get to a place for userId can be a FK to users at some point in the future.

This PR adds a lot of migrations to make this happen, all broken up into atomic operations. Sequelize's QueryInterface does not support running operations within a transaction, so a failure could leave a migration half implemented if these operations are not broken up.

This is kind of a pain, so we may want to start using hand-written SQL for migrations and run that within a transaction if SQLite supports it. The downside here is we lose on cross-db support if SQLPad eventually is to support other databases like postgres for a backend, but I don't know how realistic that is at this point. (Maybe just focus on SQLite for now?)