Bug 40876: Handle guard usage restrictions

The primary-guard-to-use list should not grow when we exclude a relay
temporarily for a specific circuit.

1 files changed, 14 insertions, 4 deletions

diff --git a/spec/guard-spec/algorithm.md b/spec/guard-spec/algorithm.md
index 832814a..e63031b 100644
--- a/spec/guard-spec/algorithm.md
+++ b/spec/guard-spec/algorithm.md
@@ -348,10 +348,20 @@ The per-circuit state machine is:
   When we want to build a circuit, and we need to pick a guard:
 
     * If any entry in PRIMARY_GUARDS has {is_reachable} status of
-      <maybe> or <yes>, return one of the first
-      {NUM_USABLE_PRIMARY_GUARDS} or
-      {NUM_USABLE_PRIMARY_DIRECTORY_GUARDS} such guards, chosen
-      uniformly at random. The circuit is <usable_on_completion>.
+      <maybe> or <yes>, check the first {NUM_USABLE_PRIMARY_GUARDS} or
+      {NUM_USABLE_PRIMARY_DIRECTORY_GUARDS} such guards against
+      any path selection restrictions, to build a temporary list of
+      usable guards. If the path restriction is circuit-specific and
+      excludes a primary guard, do not use that guard, but still
+      increment the number of usable guards that were considered.
+      If the restriction causes the number of guards considered to
+      exceed either usable limit count, then proceed to select another
+      primary guard.
+
+      This usable list is temporary, but because the primary guard ordering
+      is persistent, it will be a stable set. At the end of this selection
+      process, chose uniformly at random from this usable list. The
+      circuit is <usable_on_completion>.
 
       [Note: We do not use {is_pending} on primary guards, since we
       are willing to try to build multiple circuits through them