Raise a setup warning when locked configuration has a configuration value stored in the database

Summary:
Ref T13249. See https://discourse.phabricator-community.org/t/configuring-the-number-of-taskmaster-daemons/2394/.

Today, when a configuration value is "locked", we prevent writes to the database. However, we still perform reads. When you upgrade, we generally don't want a bunch of your configuration to change by surprise.

Some day, I'd like to stop reading locked configuration from the database. This would defuse an escalation where an attacker finds a way to write to locked configuration despite safeguards, e.g. through SQL injection or policy bypass. Today, they could write to cluster.mailers or similar and substantially escalate access. A better behavior would be to ignore database values for cluster.mailers and other locked config, so that these impermissible writes have no effect.

Doing this today would break a lot of installs, but we can warn them about it now and then make the change at a later date.

Test Plan:

• Forced a phd.taskmasters config value into the database.
• Saw setup warning.
• Used bin/config delete --database phd.taskmasters to clear the warning.
• Reviewed documentation changes.
• Reviewed phd.taskmasters documentation adjustment.

Reviewers: amckinley

Reviewed By: amckinley

Maniphest Tasks: T13249

Differential Revision: https://secure.phabricator.com/D20159