Allow package_manager to work with non-web-writable directory permissions

Created on 2 June 2025

Problem/Motivation

Package manager currently requires code directories to be writable by the webserver. This creates a larger attack surface than we would otherwise like - e.g. if someone is able to upload a .php file to a web-accessible directory, or even worse, overwrite an existing file, it could result in RCE.

There are currently two main ways that package_manager gets invoked:

1. Something in the web interface (project browser or automatic updates) triggers a composer command directly.
2. Something on cron triggers a composer command, usually automatic updates. Issues related to this are 📌 Create documentation for using the auto-update terminal command and 📌 Create documentation for using the auto-update terminal command.

I'm wondering if package_manager could provide a mode where it doesn't require web-writable directories, instead, only the cli would need write access.

With this mode, sites could set up cron-based unattended updates (e.g. for updating to security releases quickly) without allowing any other package_manager operations on a site.

We could potentially allow attended updates and project browser operations to run via cron too - e.g. add the commands to a queue from the UI, have a fairly frequent queue runner set to run on cron, set something in state when the items are completed, and notify the admin on the front end when it's done.

Steps to reproduce

Proposed resolution

Remaining tasks

User interface changes

Introduced terminology

API changes

Data model changes

Release notes snippet

✨ Feature request
Status

Active

Version

11.0 🔥

Component

package_manager.module

Created by

🇬🇧 United Kingdom catch
