Implementation of a two-step role transfer at cw_controllers::Admin

[Silverse]

Is there a reason for not implementing a two-step admin transfer at cw_controllers::Admin?

It seems to be a common recommendation among security firms to limit the chances of updating the owner/admin to an incorrect/typo address.

1. Propose new admin, old admin retains privileges.
2. Proposed admin accepts the role, role is actually transferred.

[ueco-jb]

I think this is just an extra step on top of "simply" carefully checking address which you input.
It would have to come with mechanism to revert decision in case of a mistake.

[Silverse]

Yes, being able to drop an existing proposal should be part of the flow too

[ethanfrey]

I agree with this idea, but it is a different API.

Happy to include an "SafeAdmin" controller, that is like Admin, but has the two-step pattern. We need to document it and contracts can choose which one to use.