Hello Ben,
both options look reasonable from my point of view.

There is also another approach that I plan to pursue in the upcoming
months: Allowing init to dynamically respond to configuration updates.

Right now, init actually responds to configuration changes (e.g., you
can edit the decorator_init.config in the turmvilla scenario). But the
response is quite archaic as it kills all children and starts the entire
scenario from scratch. My idea is to let init apply only the differences
of the change, for example, by starting a new component when a new
<start> node appears, or killing a component when a <start> node disappears.

With this version of init in place, programs for managing children such
as the panel (aka launcher) or CLI monitor would no longer host the
started subsystems as their children but would merely apply
configuration changes to a dynamic init instance. This would also allow
us to dynamically shape a Genode system by live editing an init
configuration via vim (as we currently do with the driver configurations).

I am quite excited about these possibilities. On the other hand,
implementing this idea is not easy, especially because of the
inter-dependencies of clients and servers hosted by the init instance.
So it will take a while (approx. until the second half of the year) to
put the plan into practice.

It probably makes sense for you to follow one of your two ideas in order
to address your current problems in the meanwhile. The first approach is
probably the most flexible as it gives you maximum control over the policy.

Cheers
Norman