Fix capacity calculation

This fixes a problem where we'd hit the panic capacity potential below zero (which is designed to panic because it should be an impossible situation).

However, it turns out there were 3 routes to get there:

• Acquisitions and removing of reservations were not atomic, occasionally leading to a miscalculation because they were not in sync
• Out-of-band/unexpected instances would push the instance capacity past max instances
• Reservations should chip away at both immediate availability first, and then the remainder chip away at potential capacity

In addition, we fix a case where unavailable capacity wasn't being reported correctly when an instance was being removed.

This situation is quite hard to write a test for, but was easy to detect in a real stress test. We can probably do the same with some mock designed for stress testing, but this can be done in a follow-up.