
Low: attrd, controller: Ignore CIB diff if client is safe

Description

Low: attrd, controller: Ignore CIB diff if client is safe

Instead of if the operation replaced the CIB.

The question "Was the CIB replaced?" has always (9e9453f) been a proxy
for "Has there been an important change that we weren't in control of?"

Especially now that every CIB transaction includes a CIB replacement, we
need a new approach. There are two transactions in our code currently
and one more is concretely planned. There may be many more in the
future.

It seems more appropriate to ask, "Did this CIB update come from a
trusted source?" If so, then we can assume that the CIB is still
accurate. Otherwise, we must write out our relevant state to the CIB to
ensure that the CIB is accurate.

  • In the case of the controller, our relevant state is the node list and resource history.
  • In the case of the attribute manager, it's transient attributes.

It doesn't even matter whether the operation replaced the CIB. If an
outside client uses cib_api_operations_t:modify() to alter the status
section, we still need to make sure the status section is correct, and
we do that by rewriting it from relevant daemons.

Note that if a CIB client spoofs safety by signing on using a known
safe client name, we'll get a false positive and ignore the diff.
There's probably no straightforward way around that. We might eventually
hide the cib_api_operations_t API behind libpacemaker, which would solve
it.

Signed-off-by: Reid Wahl <nrwahl@protonmail.com>
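
The reasoning in the commit message, as an added example that is not Pacemaker code: a small model comparing the old proxy ("was the CIB replaced?") with the new check ("did the update come from a safe client?") over constructed notifications. The struct, the function names and the client names are hypothetical; the page does not list the real safe client names.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical safe-client names; the page does not list the real ones. */
static const char *const safe_clients[] = { "example-controller", "example-attrd", NULL };

/* Constructed model of what a daemon learns from one CIB diff notification. */
struct cib_diff {
    const char *client_name; /* name the originating client signed on with */
    bool replaced_cib;       /* whether the operation replaced the CIB */
};

/* Old proxy: rewrite our state only if the CIB was replaced. */
static bool old_needs_refresh(const struct cib_diff *d)
{
    return d->replaced_cib;
}

/* New check: ignore the diff only if the client name is a known safe one. */
static bool new_needs_refresh(const struct cib_diff *d)
{
    if (d->client_name == NULL) {
        return true; /* no origin recorded: treat as untrusted */
    }
    for (size_t i = 0; safe_clients[i] != NULL; i++) {
        if (strcmp(d->client_name, safe_clients[i]) == 0) {
            return false;
        }
    }
    return true;
}

int main(void)
{
    /* Constructed sample notifications. */
    const struct cib_diff samples[] = {
        { "example-attrd", true },  /* trusted daemon's transaction (includes a replace) */
        { "outside-tool", false },  /* outside client's modify() of the status section */
        { "outside-tool", true },   /* outside client's full replace */
        { NULL, false },            /* origin missing */
    };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        printf("%-14s replaced=%d old=%d new=%d\n",
               samples[i].client_name ? samples[i].client_name : "(none)",
               samples[i].replaced_cib, old_needs_refresh(&samples[i]),
               new_needs_refresh(&samples[i]));
    }
    return 0;
}
```

The first two rows are where the two checks disagree: the old proxy rewrites state after a trusted transaction and skips an outside `modify()`. Because the name is whatever the client signed on with, the first row is also what a client using a safe name would produce, which is the false positive the commit message notes.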

Details

Provenance
nrwahl2 authored on Aug 29 2023, 5:46 PM
Parents
rPa80e64e2b82f: Refactor: libcib: New cib__client_triggers_refresh()