Allow Herald "diff" rules to reject content before it is written

Summary: Fixes T5915. Occasionally, users derp up and diff private key material. Adding a pre-write Herald phase enables configuration of a partial layer of protection that will reject these changes before they hit disk, provided they can be detected by, e.g., filename.

Test Plan:

• Added a rule with checks on every field, verified they looked fine in the transcript.
• Created some revisions to test those changes (I have a bunch of revision rules locally).
• Verified rejects don't write transcripts to the database.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T5915

Differential Revision: https://secure.phabricator.com/D10305