Passes spent on failed operations could be saved and re-spent later
See #108 (closed) for the general context.
With #151 (closed) resolved, clients now know which passes, out of the complete list sent with a request, the server takes issue with. Once #108 (closed) is resolved, the client implementation will have a single choke-point (call_with_passes) which is in charge of getting passes from the database, supplying them to an operation, and handling errors from that operation.
That choke-point should now be augmented to "unspend" passes when the operation fails for a reason that can't be known for certain to have spent the tokens (this should pretty much be all failures, I think).
Thanks to the retry logic in #108 (closed), if passes really were spent before the operation failed, they won't cause problems for future operations if they are reused by the client. The server can report the attempted double-spend and the client can just pick out some new passes to try.
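As an added illustration of the flow described above (this is not code from the issue or from the project), here is a Python sketch of a choke-point that marks passes spent when it hands them to an operation, puts them back on any failure that does not prove they were consumed, and on a reported double-spend discards only the rejected passes and retries with replacements. The names PassStore, FakeServer, OperationFailed and PassesRejected, the in-memory store standing in for the database, and the shape of the server's rejection are all assumptions made here, not the real call_with_passes or its error types.

```python
"""Sketch of unspend-on-failure around a pass-spending choke-point.

Everything here is hypothetical: the store is an in-memory stand-in for the
client database and FakeServer simulates a server that remembers spent passes.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Set


class OperationFailed(Exception):
    """Hypothetical: the operation failed for a reason that does not prove the passes were spent."""


class PassesRejected(Exception):
    """Hypothetical: the server reported exactly which passes it refused as already spent."""

    def __init__(self, rejected):
        super().__init__(f"server rejected passes: {sorted(rejected)}")
        self.rejected = set(rejected)


@dataclass
class PassStore:
    """Hypothetical in-memory replacement for the client's pass database."""
    unspent: Set[str]
    spent: Set[str] = field(default_factory=set)
    invalid: Set[str] = field(default_factory=set)  # passes the server confirmed as double-spent

    def take(self, n: int) -> List[str]:
        """Move n passes from unspent to spent and return them (deterministic order for the demo)."""
        if len(self.unspent) < n:
            raise RuntimeError("not enough unspent passes")
        chosen = sorted(self.unspent)[:n]
        for p in chosen:
            self.unspent.discard(p)
            self.spent.add(p)
        return chosen

    def unspend(self, passes) -> None:
        """Return passes to the unspent pool; they may be re-tried by a later operation."""
        for p in passes:
            if p in self.spent:
                self.spent.discard(p)
                self.unspent.add(p)

    def discard(self, passes) -> None:
        """Drop passes the server has rejected; they must never be offered again."""
        for p in passes:
            self.spent.discard(p)
            self.invalid.add(p)


def call_with_passes(store: PassStore, num_passes: int,
                     operation: Callable[[List[str]], str], max_attempts: int = 3) -> str:
    """Hypothetical choke-point: fetch passes, run the operation, unspend on unproven failure."""
    passes = store.take(num_passes)
    for _ in range(max_attempts):
        try:
            return operation(passes)
        except PassesRejected as e:
            # The server says these were spent before; keep the rest and swap in replacements.
            store.discard(e.rejected)
            kept = [p for p in passes if p not in e.rejected]
            passes = kept + store.take(num_passes - len(kept))
        except OperationFailed:
            # We cannot tell whether the server consumed the passes, so make them reusable.
            store.unspend(passes)
            raise
    store.unspend(passes)
    raise RuntimeError("gave up after repeated rejections")


class FakeServer:
    """Constructed server: remembers every pass it accepted and crashes once after accepting."""

    def __init__(self):
        self.seen: Set[str] = set()
        self.crash_once = True

    def handle(self, passes: List[str]) -> str:
        dup = self.seen & set(passes)
        if dup:
            raise PassesRejected(dup)
        self.seen.update(passes)  # passes are consumed before the failure below
        if self.crash_once:
            self.crash_once = False
            raise OperationFailed("connection dropped after the server consumed the passes")
        return f"ok:{len(passes)}"


def demo() -> dict:
    """Run the spent-but-failed scenario and report what the store looks like along the way."""
    store = PassStore(unspent={f"p{i}" for i in range(6)})  # constructed sample passes
    server = FakeServer()
    outcomes = []
    try:
        call_with_passes(store, 3, server.handle)
    except OperationFailed:
        outcomes.append("failed")
    after_failure = set(store.unspent)  # all six are reusable again
    outcomes.append(call_with_passes(store, 3, server.handle))  # reuses p0-p2, gets them rejected, retries
    return {"outcomes": outcomes, "after_failure": after_failure,
            "invalid": set(store.invalid), "spent": set(store.spent), "unspent": set(store.unspent)}


if __name__ == "__main__":
    print(demo())
```

The second call deliberately re-offers the same three passes the first call lost track of; the server's double-spend report is what lets the client tell the difference between "never spent" and "spent, then the response was lost", without the choke-point having to decide that at failure time.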