- May 09, 2022
- Nick Mathewson authored
  Relay nicknames are always between 1 and 19 characters long, and they're always ASCII: That means that storing them in a [u8;19] will always be possible, and always use less resources than storing them in a String. Fortunately, the tinystr crate already helps us with this kind of thing.
- Nick Mathewson authored
- Nick Mathewson authored
  If the target directory itself is unreadable by untrusted users, then its contents can't be read[*] by them regardless of their permissions. If the target directory _is_ readable, then _it_ will be rejected if we are forbidding readable objects. (And if we aren't, we don't care if the contents are readable.) A similar argument would apply to writable objects within an unreadable target directory. We're not making that argument, since such contents are likelier to be a mistake.
  [*] Unless they're hard-linked; see comments in "Limitations" section.
- Nick Mathewson authored
- Nick Mathewson authored
  I'm doing this per discussion, so that we can have it be part of the TorConfig later on, and not break stuff as we change the Mistrust API to have a builder. This change, unfortunately, results in a little more internal complexity and duplicated code in arti and arti-client. I've marked those points with TODOs.
- Nick Mathewson authored
- Nick Mathewson authored
  This is derived from the environment, not the configuration file: We might not want to trust the configuration file until we've decided whether we like its permissions.
- Nick Mathewson authored
- Nick Mathewson authored
- Nick Mathewson authored
- Nick Mathewson authored
  This includes:
  * a CachedDir::join method.
  * functions to read and write from provided filenames in a CachedDir.
  * a method to tell whether a fs-mistrust error is about bad file permissions, or failure to inspect file permissions or some other kind of IO problem.
- Nick Mathewson authored
  NetParams: Document its role as a validated config parameter
  See merge request tpo/core/arti!492
- Ian Jackson authored
- May 06, 2022
- Ian Jackson authored
  export coverage to pages
  See merge request tpo/core/arti!489
- Nick Mathewson authored
- Nick Mathewson authored
- Nick Mathewson authored
  * Except for safelog and fs-mistrust, which are new.
- Nick Mathewson authored
  (This is okay because we haven't published it yet, or any crate that uses it.)
- eta authored
- Nick Mathewson authored
- Nick Mathewson authored
- Nick Mathewson authored
- Nick Mathewson authored
  Switch to derive_builder_arti_fork
  Closes #446
  See merge request tpo/core/arti!490
- Ian Jackson authored
  For reference, the git source for this crate (and the others in its workspace) currently lives in my personal github account (ijackson). If this fork turns out to be long-lived and gains features and/or users, it would be good to move it to a gitlab somewhere. I have granted Nick crate ownership on the crates.io system.
- Nick Mathewson authored
  Implement a safe-logging facility.
  Closes #189
  See merge request tpo/core/arti!485
- Nick Mathewson authored
- Nick Mathewson authored
  Here we add a config option to disable safe logging, and ensure that safe logging is disabled when we are formatting an error message on exit (since we assume it's safe to write sensitive info to stderr).
- Nick Mathewson authored
  This specifically applies the `sensitive` wrapper in the places where we're logging target addresses at level "info" or higher.
- Nick Mathewson authored
  This is a rough first-cut of an API that I think might help us with keeping limited categories of sensitive information out of our logs. I'll refine it based on experiences with using it.
- May 05, 2022
- trinity-1686a authored
- trinity-1686a authored
  see #400 (comment 2800763)
- trinity-1686a authored
- trinity-1686a authored
- eta authored
  Fix typos (using the typos-cli tool).
  See merge request tpo/core/arti!486
- Nick Mathewson authored
- Nick Mathewson authored
  The environment where the test runner does its thing seems to want to run as root with umask 000, which naturally makes the fs permissions checks freak out.
- Nick Mathewson authored
  Make config builders, not validated structs, [de]serialize
  See merge request tpo/core/arti!487
- trinity-1686a authored