Suspend operations when config is invalid
In #612 (closed) we discussed the possible situation of trying to reconfigure arti to use bridges while it doesn't have the state lock. We can't (currently) use bridges in that situation for Reasons, so we don't have great choices. But this is just one example of "tried to change the config and it didn't work". Another is trying to enable bridges, post-hoc, when they're not compiled in. There will be others.
Our current behaviour is to continue running with the old config. Options are:
1. Exit immediately (just as we reject invalid configs at startup); this is annoying because the first time you make a syntax error you have to restart
2. Continue with the last good config
3. Apply what changes we can, disregard some changes we can't cope with, and carry on (current behaviour)
4. Suspend operations, causing new requests (new streams? existing streams?) to fail.
IMO this behaviour should be configurable. I think that 4 is probably the best default. Our internal code structure doesn't readily admit 2 - we would need a two-phase commit (interacting with the operational state, since config can be incompatible with the operational situation as well as simply wrong) for that.
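The four options above as a toy Rust model, added here as an illustration and not taken from arti's code. Every name (`OnInvalid`, `Client`, `have_state_lock`, `open_stream`) is hypothetical, the config values are constructed, and "bridges requested without the state lock" stands in for any change that cannot be applied.

```rust
// Toy model of the four options; all names are hypothetical, not arti's API.
#[derive(Clone, Debug, PartialEq)]
struct Config { use_bridges: bool, socks_port: u16 }

#[derive(Clone, Copy, Debug)]
enum OnInvalid { Exit, KeepLastGood, ApplyPartial, Suspend }

#[derive(Debug, PartialEq)]
enum State { Running, Suspended, Exited }

struct Client { cfg: Config, state: State, have_state_lock: bool }

impl Client {
    // Assumed stand-in for "a change we can't apply": bridges without the state lock.
    fn unusable(&self, new: &Config) -> bool { new.use_bridges && !self.have_state_lock }

    fn reconfigure(&mut self, new: Config, policy: OnInvalid) {
        if self.state == State::Exited { return; }
        if !self.unusable(&new) {
            self.cfg = new;
            self.state = State::Running; // a config that applies lifts a suspension
            return;
        }
        match policy {
            OnInvalid::Exit => self.state = State::Exited,
            // All-or-nothing. Trivial here because the only check runs up front;
            // with checks spread across subsystems this needs the two-phase commit.
            OnInvalid::KeepLastGood => {}
            // Take the changes we can, drop the one we can't.
            OnInvalid::ApplyPartial => {
                self.cfg = Config { use_bridges: self.cfg.use_bridges, ..new };
            }
            OnInvalid::Suspend => self.state = State::Suspended,
        }
    }

    // New requests fail unless the client is running.
    fn open_stream(&self) -> Result<(), &'static str> {
        match self.state {
            State::Running => Ok(()),
            State::Suspended => Err("suspended: config could not be applied"),
            State::Exited => Err("client has exited"),
        }
    }
}

fn main() {
    let cfg = Config { use_bridges: false, socks_port: 9150 }; // constructed values
    let mut c = Client { cfg, state: State::Running, have_state_lock: false };
    c.reconfigure(Config { use_bridges: true, socks_port: 9050 }, OnInvalid::Suspend);
    println!("{:?} {:?} {:?}", c.state, c.cfg, c.open_stream());
}
```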