Or a node which transfers its lease away might restart rapidly and use a tail end of its lease while its lease was really shortened.
The naive fix (which might well be the right one) is to persist the expiration date of the transferred lease to disk (keyed by RangeID) and, when starting the process, to wait until the local HLC clock - max_offset reports a higher timestamp.
There is also the somewhat related issue that the HLC clock itself may jump backwards. For that reason alone, we should already sleep max_offset when starting the process.
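A sketch of the startup wait described above, as an added example rather than code from the project. The `RangeID` type, the in-memory map standing in for the on-disk record, and both function names are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"time"
)

// RangeID keys the persisted records (hypothetical type for this example).
type RangeID int64

// startupWait returns how long a restarting node should block before it acts
// on any lease. transferred stands in for the persisted expirations of leases
// this node transferred away, loaded from disk at process start.
func startupWait(now time.Time, maxOffset time.Duration, transferred map[RangeID]time.Time) time.Duration {
	// Always sleep max_offset: the clock may have jumped backwards across the restart.
	wait := maxOffset
	for _, exp := range transferred {
		// Need (clock - max_offset) strictly above exp, i.e. clock > exp + max_offset.
		if d := exp.Add(maxOffset).Sub(now) + time.Nanosecond; d > wait {
			wait = d
		}
	}
	return wait
}

// safeToServe reports whether clock - max_offset has passed every persisted
// expiration, so no tail end of a transferred lease can still be used.
func safeToServe(now time.Time, maxOffset time.Duration, transferred map[RangeID]time.Time) bool {
	for _, exp := range transferred {
		if !now.Add(-maxOffset).After(exp) {
			return false
		}
	}
	return true
}

func main() {
	// Constructed sample: one lease transferred away with 2s left, one long expired.
	t0 := time.Unix(1000, 0)
	recs := map[RangeID]time.Time{1: t0.Add(2 * time.Second), 2: t0.Add(-10 * time.Second)}
	w := startupWait(t0, 500*time.Millisecond, recs)
	fmt.Println("wait:", w, "safe afterwards:", safeToServe(t0.Add(w), 500*time.Millisecond, recs))
}
```

The record has to be durably written before the transfer takes effect, otherwise a crash between the two leaves nothing to wait on after restart.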