In order to support non-public projects on the same instance of Tricium, we need to always check ACLs before fetching any potentially non-public data. In most handlers, immediately after the project config is fetched, the user can be checked, and the request must be aborted if the user doesn't have access.

A good source to look at as an example is the way that Milo handles this:
https://chromium.googlesource.com/infra/luci/luci-go/+/master/milo/common/acl.go

For this change, first of all, the project config should include a field specifying access group(s).

All public handlers that could potentially read project-specific data must check ACLs
before fetching anything. It turns out that for Tricium this just includes the RPCs at
https://cs.chromium.org/chromium/infra/go/src/infra/tricium/api/v1/tricium.proto

 - Analyze (request a run to start, given a project and CL/patch details)
 - Progress (read only, takes run ID. Could be changed to require project as well as run ID.)
 - ProjectProgress (read only)
 - Results (read only, takes run ID. Could be changed to require project too.)
 - Feedback (read only, provides only on an aggregate number across projects --
             could be changed to take a project and return results for a project.
             A DB schema change might be required.)
 - ReportNotUseful (read/write; takes a comment ID; could be changed to require project as well as comment ID)

All other handlers are internal routes used for task queues and cron tasks, so there's no external user access for those routes; that should be enforced by requiring "admin" login in app.yaml.