Make csprintf() return an object, not a string

Summary:
See discussion in D6364. This didn't turn out to be as bad as I thought.

Make csprintf() return an object which implements __toString(), but renders in either masked or unmasked modes.

The only downside to this approach is that you must use "%P". It is otherwise completey effective in masking sensitive information, even from logs and traces:

>>> [25] <exec> $ echo 'xxxxx'
<<< [25] <exec> 3,246 us
>>> [26] <exec> $ sh -c 'sh -c '\''sh -c '\''\'\'''\''echo '\''\'\'''\''\'\''\'\'''\'''\''\'\'''\''xxxxx'\''\'\'''\''\'\''\'\'''\'''\''\'\'''\'''\''\'\'''\'''\'''
<<< [26] <exec> 6,922 us
   PASS   13ms★  testPasswords

This also works in the command-which-runs-a-command case, as above.

Test Plan:

• Added unit tests.
• Ran arc unit --everything in libphutil, arcanist and phabricator.
• Browsed around Diffusion.

Reviewers: btrahan, mbishopim3

Reviewed By: btrahan

CC: aran

Differential Revision: https://secure.phabricator.com/D6366