- May 11, 2022
-
-
Nick Mathewson authored
This will help implement #466.
-
Nick Mathewson authored
I need this so that I can expose the skew time for the directory that a circuit will use, when I only have the circuit.
-
Nick Mathewson authored
-
Nick Mathewson authored
If we're happy with a directory from 3 days ago, we should say "if-modified-since 3 days ago". This patch is larger than I'd like, since I had to add &DirMgrConfig as an argument to the functions that make a consensus request. Closes #467.
-
Nick Mathewson authored
In our status reporting code, we consider an expired-but-still-usable directory still bootstrapped, but not 100% bootstrapped.
-
Nick Mathewson authored
Since we want to be willing to use older consensuses, we don't necessarily want to reset a download just because the consensus is expired. This new behavior isn't ideal either; I've added a TODO that relates to #433. Related to #412.
-
Nick Mathewson authored
This new section describes how much variance we accept when it comes to expired and not-yet-valid directory documents. (Currently, the only ones for which this matters are consensus documents and authority certificates.) A document that is invalid by no more than these tolerances is not _live_, but it can still be used. These tolerances serve two purposes:
* First, they allow clients to run with a little more clock skew than they would tolerate otherwise.
* Second, they allow clients to survive the situation where the authorities are unable to reach a consensus for a day or two.
Compare with Tor's REASONABLY_LIVE_TIME and NETWORKSTATUS_ALLOW_SKEW constants; also compare with proposal 212. Closes #412.
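The tolerance logic that the commits above describe (a document outside its nominal lifetime is not live but may still be usable; a usable-but-expired directory should not report 100% bootstrapped; and the If-Modified-Since date sent with a consensus request should be derived from the same tolerance) can be sketched in a few dozen lines. The following is an added example written for this page, not arti's own code: the `Lifetime`, `DirTolerance` and `Liveness` types, their field names, and the tolerance values used in the test are all assumptions chosen for illustration, and arti's real configuration and defaults may differ.

```rust
use std::time::{Duration, SystemTime};

/// Validity interval of a directory document; a hypothetical stand-in for
/// the valid-after / valid-until fields of a consensus or authority cert.
#[derive(Clone, Copy, Debug)]
pub struct Lifetime {
    pub valid_after: SystemTime,
    pub valid_until: SystemTime,
}

/// How far outside its nominal lifetime a document may be and still be used.
/// Field names and the values used in the test are assumptions for this
/// example, not arti's actual configuration.
#[derive(Clone, Copy, Debug)]
pub struct DirTolerance {
    /// Accept a document whose valid_after is at most this far in the future
    /// (covers a client clock that runs behind).
    pub pre_valid_tolerance: Duration,
    /// Accept a document whose valid_until is at most this far in the past
    /// (covers a clock that runs ahead, or authorities failing to produce a
    /// new consensus for a day or two).
    pub post_valid_tolerance: Duration,
}

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Liveness {
    /// Inside [valid_after, valid_until]: the document is live.
    Live,
    /// Outside the interval but within tolerance: usable, but the client
    /// should not report itself as 100% bootstrapped on it.
    UsableWithinTolerance,
    /// Too old or too far in the future to use at all.
    Unusable,
}

impl Lifetime {
    /// Classify this document at time `now` under tolerance `tol`.
    pub fn judge(&self, now: SystemTime, tol: &DirTolerance) -> Liveness {
        if now >= self.valid_after && now <= self.valid_until {
            return Liveness::Live;
        }
        if now < self.valid_after {
            // Not yet valid: how far ahead of us is valid_after?
            return match self.valid_after.duration_since(now) {
                Ok(ahead) if ahead <= tol.pre_valid_tolerance => Liveness::UsableWithinTolerance,
                _ => Liveness::Unusable,
            };
        }
        // Expired: how long ago did valid_until pass?
        match now.duration_since(self.valid_until) {
            Ok(behind) if behind <= tol.post_valid_tolerance => Liveness::UsableWithinTolerance,
            _ => Liveness::Unusable,
        }
    }
}

/// The If-Modified-Since value to send with a consensus request: if we would
/// still use a document that expired post_valid_tolerance ago, there is no
/// point asking the cache for anything older than that.
pub fn if_modified_since(now: SystemTime, tol: &DirTolerance) -> SystemTime {
    now - tol.post_valid_tolerance
}
```

The asymmetry between the two tolerances is deliberate: a not-yet-valid document is almost always a sign of client clock skew and deserves a short window, whereas an expired one may simply mean the authorities have not voted, so the post-validity window is the one that needs to span a day or two.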
-
Nick Mathewson authored
-
- May 10, 2022
-
-
eta authored
Refactor the tor-dirmgr bootstrapping code more gracefully See merge request tpo/core/arti!488
-
eta authored
Disable fs-mistrust in coverage CI. See merge request tpo/core/arti!493
-
Nick Mathewson authored
Remove cargo-husky, and replace with manual instructions See merge request tpo/core/arti!494
-
eta authored
A build script reaching into your .git/hooks/ and modifying them nonconsensually was a bit of a horrifying concept, and also made it hard to build arti with the feature disabled. Remove this crate, and replace it with manual instructions on how to install the hooks in CONTRIBUTING.md.
-
eta authored
-
eta authored
- Some FIXMEs got removed or amended.
- AddMicrodescs now yields a mutable reference, so we can use .drain() and reuse the allocation.
- Some panics were downgraded to debug_asserts.
-
eta authored
- We don't want to inadvertently replace our netdir with one that's actually older, so detect and error on this condition.
- Also, print a debug line when we get a new netdir without enough guards.
- (An unrelated TODO was also added.)
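The rollback check in the commit above is the kind of guard that is easy to state and easy to get subtly wrong (strictly older must be rejected; the same consensus refreshed with more microdescs must not be). The following added example, written for this page and not taken from arti, shows one way to encode it: `NetDir`, `NetDirSlot`, `Installed` and the `min_guards` threshold are hypothetical simplifications, since arti's real sufficiency check goes through the circuit manager rather than a bare count.

```rust
use std::time::SystemTime;

/// Minimal stand-in for a network directory; the only fields this example
/// needs are the consensus valid_after time (which orders directories) and
/// the number of usable guards (for the debug line).
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct NetDir {
    pub valid_after: SystemTime,
    pub n_guards: usize,
}

#[derive(Debug, PartialEq, Eq)]
pub enum ReplaceError {
    /// The candidate predates the directory we already hold; installing it
    /// would roll the client back to an older view of the network.
    OlderThanCurrent { current: SystemTime, candidate: SystemTime },
}

#[derive(Debug, PartialEq, Eq)]
pub enum Installed {
    EnoughGuards,
    /// Installed, but with fewer guards than we would like.
    TooFewGuards,
}

/// Hypothetical holder for the current netdir (arti's own holder is a
/// SharedMutArc<NetDir>; this one just wraps an Option).
pub struct NetDirSlot {
    current: Option<NetDir>,
    min_guards: usize,
}

impl NetDirSlot {
    pub fn new(min_guards: usize) -> Self {
        NetDirSlot { current: None, min_guards }
    }

    /// Install `candidate` unless it is strictly older than what we hold.
    /// A candidate with the same valid_after (e.g. the same consensus with
    /// more microdescs attached) is not a rollback and is accepted.
    pub fn replace(&mut self, candidate: NetDir) -> Result<Installed, ReplaceError> {
        if let Some(cur) = &self.current {
            if candidate.valid_after < cur.valid_after {
                return Err(ReplaceError::OlderThanCurrent {
                    current: cur.valid_after,
                    candidate: candidate.valid_after,
                });
            }
        }
        let status = if candidate.n_guards < self.min_guards {
            eprintln!(
                "debug: new netdir has {} guards, fewer than the {} wanted",
                candidate.n_guards, self.min_guards
            );
            Installed::TooFewGuards
        } else {
            Installed::EnoughGuards
        };
        self.current = Some(candidate);
        Ok(status)
    }

    pub fn current(&self) -> Option<&NetDir> {
        self.current.as_ref()
    }
}
```

Rejecting rather than silently ignoring an older candidate matters because the caller can then distinguish "a cache fed us a stale consensus" from "nothing changed", and log or reset accordingly.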
-
eta authored
- Taking a previous netdir directly and keeping it around before we need it is a bit of a waste of memory, and also doesn't mesh well with how SharedMutArc works.
- To remedy this, introduce a new trait `PreviousNetDir` and have the state machines take that instead. (I was a bit tempted to just pass in the SharedMutArc directly. Maybe I should've done that.)
-
Nick Mathewson authored
The CI runners like to run as root with umask 000, which our code rightly freaks out about.
-
eta authored
- (Also fixes up some dirfilter stuff, whoops.)
-
eta authored
- The only purpose of WriteNetDir was to provide a filter, which isn't necessary any more. Refactor to provide the filter directly.
-
eta authored
- GetMicrodescsState now uses the NetDirChange API to propagate netdir changes, instead of modifying the netdir directly.
- PendingNetDir was refactored in order to support this use case.
- As a result, the netdir-related methods in WriteNetDir can be removed, leaving only the DirFilter for now.
- add_from_cache() no longer takes a store, because nothing uses it.
- (bodge: apply_netdir_changes() was put in a few places missed previously)
-
eta authored
- The new DirState::get_netdir_change() API lets the state machine export a NetDirChange: a request to either replace the current netdir, or add microdescs to it.
- bootstrap.rs now consumes this new API, even though nothing implements it yet.
- This will let us implement GetMicrodescsState without having to directly mutate the netdir. The calling code also handles checking the netdir against the circmgr for sufficiency, and updating the consensus metadata in the store, meaning the revised GetMicrodescsState will not have to perform these tasks.
-
eta authored
- The additional parameters passed to GetConsensusState are now passed through all the states, and used as well.
- WriteNetDir doesn't have a now() or config() method any more, since the states now get this from the runtime or the config parameters.
- This required modifying the tests to make a mocked runtime and custom config directly, instead of using DirRcv for this purpose.
- Additionally, because we don't have to upgrade a weak reference for DirState::dl_config(), that function no longer wraps its return value in Result.
- (A bunch of the FIXMEs from the previous commit that introduced the additional parameters have now been rectified as a result.)
-
eta authored
Previously, CompoundRuntime would use the default implementations of SleepProvider::now() and ::wallclock(), instead of using its wrapped SleepProvider. This mildly embarrassing omission has been rectified.
-
eta authored
- GetConsensusState::new now takes a set of parameters matching what it actually needs, instead of just taking a writedir. (It still *does* take a writedir, and indeed still uses it for basically everything, but that will eventually go away.)
- Its call sites were updated.
- Some tests now need to take a runtime, and got indented a lot as a result.
- Resetting was made non-functional, because we need to thread through the parameters passed to GetConsensusState to all of the other states, too. This will happen in a later commit.
-
eta authored
- Given that this is effectively an implementation detail, it doesn't really make sense to have it be in the crate root...
- (also, we're going to change it a bunch now)
-
eta authored
- fetch_single now takes what it needs, instead of an Arc<DirMgr<R>>.
- This required refactoring the CANNED_RESPONSE mechanism, given the test would otherwise fail due to not having a CircMgr to pass to fetch_single.
-
eta authored
- DirMgr::note_request_outcome and friends are now just standalone functions, taking a CircMgr.
-
eta authored
- query_into_requests is now called make_requests_for_documents, and does the &[DocId] -> DocQuery conversion internally instead.
- DirMgr::make_consensus_request and DirMgr::query_into_requests are now gone. The tests use the new functions, as does fetch_multiple.
-
eta authored
- There's no good reason these functions needed to be part of the dirmgr, apart from needing a runtime and a store.
- However, we can just add those as arguments and copy them over. This commit does that.
-
eta authored
- Function renamed & docs tidied up a bit
- Function signature now takes what it needs (immutable &dyn Store instead of mutex, slice instead of Vec) and nothing more
- DocQuery::load_documents_into was also renamed DocQuery::load_from_store_into and given similar treatment
-
eta authored
Annoyingly, Rust doesn't automatically generate this sort of `impl` for you, and I'd like to reduce the usage of Mutex<DynStore> everywhere else in favour of either &dyn Store or &mut dyn Store. (This is for two reasons: firstly, we might have a Store implementation that doesn't use a mutex as above, or similar refactors; secondly, passing the raw trait object reference lets us encode mutability into the function signature, which I believe is quite valuable.)
-
eta authored
Move the function out of DirMgr, giving it a new &Mutex<DynStore> argument instead.
-
eta authored
netdoc: add a new type for Nicknames See merge request tpo/core/arti!405
-
- May 09, 2022
-
-
Nick Mathewson authored
Relay nicknames are always between 1 and 19 characters long, and they're always ASCII: That means that storing them in a [u8;19] will always be possible, and always use less resources than storing them in a String. Fortunately, the tinystr crate already helps us with this kind of thing.
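To make the space argument above concrete, here is an added, hand-rolled version of such a type, written for this page and not arti's own code (arti, as the message says, uses the tinystr crate). It stores the nickname inline in a `[u8; 19]` plus a one-byte length, so `size_of::<Nickname>()` is 20 with no heap allocation; the type and error names are invented for the example. It also enforces the ASCII-alphanumeric restriction from Tor's dir-spec, which the commit message does not mention but which the parsing code below relies on to equate byte length with character count.

```rust
use std::fmt;
use std::str::FromStr;

pub const MAX_NICKNAME_LEN: usize = 19;

/// A relay nickname stored inline in 20 bytes, with no heap allocation.
/// Illustrative only; arti's real type is built on the tinystr crate.
#[derive(Clone, Copy, PartialEq, Eq, Hash)]
pub struct Nickname {
    bytes: [u8; MAX_NICKNAME_LEN],
    len: u8,
}

#[derive(Debug, PartialEq, Eq)]
pub enum NicknameError {
    Empty,
    TooLong(usize),
    /// Not an ASCII letter or digit (the restriction from Tor's dir-spec).
    BadChar(char),
}

impl FromStr for Nickname {
    type Err = NicknameError;

    fn from_str(s: &str) -> Result<Self, NicknameError> {
        if s.is_empty() {
            return Err(NicknameError::Empty);
        }
        // Check characters before length, so a non-ASCII string is reported
        // as BadChar rather than as TooLong because of multi-byte UTF-8.
        if let Some(c) = s.chars().find(|c| !c.is_ascii_alphanumeric()) {
            return Err(NicknameError::BadChar(c));
        }
        if s.len() > MAX_NICKNAME_LEN {
            return Err(NicknameError::TooLong(s.len()));
        }
        // Every byte is ASCII here, so byte length == character count and
        // the copy below cannot split a character.
        let mut bytes = [0u8; MAX_NICKNAME_LEN];
        bytes[..s.len()].copy_from_slice(s.as_bytes());
        Ok(Nickname { bytes, len: s.len() as u8 })
    }
}

impl Nickname {
    pub fn as_str(&self) -> &str {
        // The constructor only ever stores ASCII, which is valid UTF-8.
        std::str::from_utf8(&self.bytes[..self.len as usize]).expect("ASCII is valid UTF-8")
    }

    pub fn len(&self) -> usize {
        self.len as usize
    }
}

impl fmt::Display for Nickname {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str(self.as_str())
    }
}

impl fmt::Debug for Nickname {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "Nickname({:?})", self.as_str())
    }
}
```

Because unused trailing bytes are always zero, the derived `PartialEq` and `Hash` behave as byte-for-byte equality on the nickname text, which is what a map keyed by nickname needs.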
-
Nick Mathewson authored
-
Nick Mathewson authored
If the target directory itself is unreadable by untrusted users, then its contents can't be read[*] by them regardless of their permissions. If the target directory _is_ readable, then _it_ will be rejected if we are forbidding readable objects. (And if we aren't, we don't care if the contents are readable.) A similar argument would apply to writable objects within an unreadable target directory. We're not making that argument, since such contents are likelier to be a mistake. [*] Unless they're hard-linked; see comments in "Limitations" section.
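The argument in the message above (never inspect the read bits of a directory's contents, but always reject writable contents) reduces to a small decision procedure over mode bits. The following is an added example for this page, not fs-mistrust's code: `ObjectView`, `Finding` and `Problem` are invented names, and the permission constants are the standard POSIX values that `std::os::unix::fs::PermissionsExt::mode()` returns on Unix, spelled out so the example compiles on any platform. Like the commit message it reasons only about the r and w bits of group and other; the directory's search (x) bit and the hard-link caveat the message itself flags are outside what it models. It also covers the CI case from the commit just above: a file created as root under umask 000 comes out as 0666 and is rejected as writable.

```rust
/// POSIX permission bits granting access to users other than the owner.
pub const GROUP_READ: u32 = 0o040;
pub const GROUP_WRITE: u32 = 0o020;
pub const OTHER_READ: u32 = 0o004;
pub const OTHER_WRITE: u32 = 0o002;

/// What this check needs to know about one filesystem object: its mode.
/// A hypothetical simplification of what fs-mistrust gathers via metadata.
#[derive(Clone, Copy, Debug)]
pub struct ObjectView {
    pub mode: u32,
}

#[derive(Debug, PartialEq, Eq)]
pub enum Problem {
    ReadableByUntrusted,
    WritableByUntrusted,
}

/// `index` is None for the directory itself, Some(i) for contents[i].
#[derive(Debug, PartialEq, Eq)]
pub struct Finding {
    pub index: Option<usize>,
    pub problem: Problem,
}

pub fn untrusted_can_read(mode: u32) -> bool {
    mode & (GROUP_READ | OTHER_READ) != 0
}

pub fn untrusted_can_write(mode: u32) -> bool {
    mode & (GROUP_WRITE | OTHER_WRITE) != 0
}

/// Check a directory and its direct contents.
///
/// Writability by untrusted users is always rejected, for the directory and
/// for everything inside it. Readability is rejected only when
/// `forbid_readable` is set, and only on the directory itself: if the
/// directory is unreadable its contents cannot be read (hard links aside);
/// if it is readable the directory is rejected anyway. Either way the
/// contents' read bits never need to be inspected.
pub fn check_dir_and_contents(
    dir: ObjectView,
    contents: &[ObjectView],
    forbid_readable: bool,
) -> Vec<Finding> {
    let mut findings = Vec::new();
    if untrusted_can_write(dir.mode) {
        findings.push(Finding { index: None, problem: Problem::WritableByUntrusted });
    }
    if forbid_readable && untrusted_can_read(dir.mode) {
        findings.push(Finding { index: None, problem: Problem::ReadableByUntrusted });
    }
    for (i, obj) in contents.iter().enumerate() {
        // Group- or world-writable contents are likelier to be a mistake
        // than a deliberate choice, so they are rejected regardless of the
        // directory's own permissions.
        if untrusted_can_write(obj.mode) {
            findings.push(Finding { index: Some(i), problem: Problem::WritableByUntrusted });
        }
    }
    findings
}
```

Feeding the check synthetic mode values, as the tests do, is also a convenient way to exercise the policy without creating files as root or fiddling with umask.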
-
Nick Mathewson authored
-
Nick Mathewson authored
I'm doing this per discussion, so that we can have it be part of the TorConfig later on, and not break stuff as we change the Mistrust API to have a builder. This change, unfortunately, results in a little more internal complexity and duplicated code in arti and arti-client. I've marked those points with TODOs.
-
Nick Mathewson authored
-
Nick Mathewson authored
This is derived from the environment, not the configuration file: We might not want to trust the configuration file until we've decided whether we like its permissions.
-