Don't sample guards until we have a very good directory status
It's okay to build circuits when we have a high fraction of potential paths, but we shouldn't extend the guard sample till we have a very very high fraction of potential guards. Otherwise we risk our directory caches giving us a malicious subset of the possible guards.
Alternatively, we could sample guards based on their routerstatuses only; this would, however, require a change in how we represent guards.
This is a follow-up from #178 (closed).
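The check proposed in this ticket, as an added example that is not Tor's code and not part of the original report: it measures how much of the consensus guard weight is actually sampleable and refuses to extend the sample below a threshold. The struct, the function names, the 95% threshold and the `hostile` ground-truth flag are assumptions made for the illustration, and the consensus data is constructed.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for a consensus entry; not Tor's own struct. */
typedef struct {
  bool is_guard;   /* has the Guard flag in the consensus */
  bool have_desc;  /* a directory cache gave us its descriptor */
  bool hostile;    /* ground truth, visible only to this simulation */
  unsigned weight; /* consensus bandwidth weight */
} rs_entry_t;
#define GUARD_FRAC_MIN_PERMILLE 950 /* assumed; the ticket gives no number */

/* Weighted per-mille share of consensus guards we could sample right now. */
static unsigned guard_frac_permille(const rs_entry_t *rs, size_t n) {
  unsigned long total = 0, known = 0;
  for (size_t i = 0; i < n; i++) {
    if (!rs[i].is_guard) continue;
    total += rs[i].weight;
    known += rs[i].have_desc ? rs[i].weight : 0;
  }
  return total ? (unsigned)(known * 1000 / total) : 0;
}
/* Weighted per-mille share of hostile relays among the sampleable guards. */
static unsigned hostile_permille(const rs_entry_t *rs, size_t n) {
  unsigned long total = 0, bad = 0;
  for (size_t i = 0; i < n; i++) {
    if (!rs[i].is_guard || !rs[i].have_desc) continue;
    total += rs[i].weight;
    bad += rs[i].hostile ? rs[i].weight : 0;
  }
  return total ? (unsigned)(bad * 1000 / total) : 0;
}
/* Gate: extend the guard sample only when nearly all guard weight is known. */
static bool may_extend_guard_sample(const rs_entry_t *rs, size_t n) {
  return guard_frac_permille(rs, n) >= GUARD_FRAC_MIN_PERMILLE;
}
/* Constructed consensus: equal-weight guards, entry 0 hostile. When
 * `withheld` is set, the cache serves descriptors only for entries 0 and 1. */
static void fill(rs_entry_t *rs, size_t n, bool withheld) {
  for (size_t i = 0; i < n; i++)
    rs[i] = (rs_entry_t){ true, !(withheld && i >= 2), i == 0, 100 };
}
int main(void) {
  rs_entry_t rs[10];
  for (int w = 0; w <= 1; w++) {
    fill(rs, 10, w != 0);
    printf("withheld=%d known=%u hostile=%u extend=%d\n", w, guard_frac_permille(rs, 10),
           hostile_permille(rs, 10), may_extend_guard_sample(rs, 10));
  }
}
```

With descriptors withheld, the hostile share of the sampleable set rises from 10% to 50% while only 20% of guard weight is known, so the gate declines to extend the sample.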