Previously, the cn_node_new would put the rp0 in the node's
actual c-space, and the reset operation would put it in the node's
secret c-space. Which meant that if the rp0 was fetched *after* the node
was reset, it wouldn't function properly (since the capability would not
be valid in the node's real principal).

This commit fixes the implementation of rp0 to always put the rp0 in
the secret c-space. This is probably a good idea to ensure that CapNet
can always safely revoke the rp0 when the node is reset, but I believe
the previous implementation was still safe. So now, when the node calls
the `rp0` rpc, the node is explicitly granted its own rp0 from its secret
principal.

This commit also fixes an improper-free bug after a principal is
cleared. When the principal is cleared its refcount would be set to zero
(due to a cal to _obj_init) instead of keeping the same refcount it had
before the clear operation.