storcon: safer manual migration API

[jcsp]

It's too easy to make mistakes like:

• Migrating tenant somewhere the optimiser will immediately move it away from (e.g. wrong AZ, same pageserver as too many other shards in the same tenant
• Cutting over to a secondary that isn't warm enough, so that there are lots of on-demand downloads after cutting over.
• Cutting over to somewhere you don't have a secondary at all

Storage controller already knows how to do pretty safe migrations when the scheduling optimiser drives it, we should enable humans to access the same routine.

We could have a migration API that:

• By default, refuses to migrate somewhere that the optimiser would disagree with, and requires a --force to override that.
• Orchestrates migration by setting a "preferred" pageserver on a shard, and then letting optimize_attachment do its thing (i.e. creating a secondary, waiting for it to warm up, cutting over, removing old secondary).
• Provides some handy way to monitor progress for a human, e.g. call into a per-shard API that tells you how warm each secondary is. (via storcon_cli

[jcsp]

(in case of drains during deploy, we already do not live migrate something if its secondary isn't suitably warm)

[jcsp]

could add preconditions to the API like "I think it's attached at X and Y, please migrate...", so that automation can have greater faith that they're doing what they think they're doing.

• for current migration API refuse request if the source isn't what the request specifies as the source.