feat(encryption): Stage 6D-6c-1 - Applier in-memory accessors for storage envelope state (#821)

## Summary
- Add `Applier.ActiveStorageKeyID() (uint32, bool)` and
`Applier.StorageEnvelopeActive() bool` backed by `atomic.Uint32` /
`atomic.Bool`. These are the per-Put closures main.go will thread into
`store.WithEncryption` and `store.WithStorageEnvelopeGate` in 6D-6c-2; a
`ReadSidecar`-on-every-Put would serialise the hot path through a JSON
parse + fsync barrier.
- Coherence kept by **durable write-then-cache** ordering: `NewApplier`
primes from `ReadSidecar` on construction, and `writeBootstrapSidecar` /
`writeRotationSidecar` / the fresh-success branch of
`applyEnableStorageEnvelope` call `refreshActiveStateCache(sc)` AFTER
`WriteSidecar` succeeds. The §2.1 #3 stale-DEKID and §2.1 #4
already-active no-op branches intentionally skip the refresh — they
don't change the mirrored fields.
- Operator-inert until 6D-6c-2 wires the method values into the storage
layer; 6D-6c-3 then wires the capability fan-out closure and the e2e
integration test.

Design doc updated:
[`docs/design/2026_05_18_partial_6d_enable_storage_envelope.md`](docs/design/2026_05_18_partial_6d_enable_storage_envelope.md)
tracks 6D-6c-1 as shipped and 6D-6c-2 / 6D-6c-3 as open.

## Why an in-memory mirror
The §6.2 storage gate and the §4.1 active storage DEK are read on the
storage hot path. The sidecar JSON is the durable source of truth, but
reading it per Put would dominate latency. `atomic.Uint32` +
`atomic.Bool` give a wait-free single-load read with no allocations and
no syscalls.

The two atomics are deliberately independent (not snapshot-atomic
together): the storage layer consults them independently —
`ActiveStorageKeyID` gates "do we encrypt at all" and
`StorageEnvelopeActive` gates "do we wrap in the §4.1 envelope". The
cross-invariant "envelope-active ⇒ DEK exists" is enforced by apply
ordering (cutover requires a bootstrapped sidecar), not by the cache.

## Crash recovery
Refresh runs AFTER the durable WriteSidecar. A crash between fsync and
atomic store is benign — disk-truth wins and the next startup's
`NewApplier` prime re-syncs the cache. A corrupt sidecar at construction
time surfaces back to the caller so a misconfigured node fails to start
instead of silently serving stale-zero state.

## Self-review (5 lenses)
1. **Data loss** — refresh is purely additive after the existing fsync;
no write path shortened, no error suppressed. Corrupt-sidecar reads at
construction fail the start instead of silently zeroing the cache.
2. **Concurrency / distributed failures** — atomic primitives + a
`-race`-clean concurrent-reads stress test (8 readers × 2000 reads
against a single applier goroutine). Two independent atomics is fine
because the storage layer consults them independently and the
cross-invariant is enforced by apply ordering.
3. **Performance** — hot Put path drops from JSON parse + potential
fsync to a single atomic load (~ns vs ~10–100µs).
4. **Data consistency** — durable write-then-cache ordering everywhere;
no-op apply branches skip the redundant refresh, keeping the invariant
"cache changes only when the mirrored sidecar field changes" explicit.
§2.1 / §6.4 semantics unchanged.
5. **Test coverage** — 5 functional tests (pre-bootstrap,
post-bootstrap, post-rotate-dek, post-cutover,
primed-from-existing-sidecar) + 1 race-stress test, all via the public
API.

## Test plan
- [x] `go test -race ./internal/encryption/...`
- [x] `go test -race ./internal/... ./store/...`
- [x] `golangci-lint --config=.golangci.yaml run
./internal/encryption/... ./store/...`
- [ ] CI green


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Tests**
* Added comprehensive test coverage for storage encryption state
tracking across initialization, operational phases, startup recovery,
and concurrent access scenarios.

* **Chores**
* Updated design documentation to reflect current development milestone
progress.

<!-- review_stack_entry_start -->

[![Review Change
Stack](https://storage.googleapis.com/coderabbit_public_assets/review-stack-in-coderabbit-ui.svg)](https://app.coderabbit.ai/change-stack/bootjp/elastickv/pull/821?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack)

<!-- review_stack_entry_end -->

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Author: bootjp

docs/design/2026_05_18_partial_6d_enable_storage_envelope.md

@@ -2,7 +2,7 @@
 
 | Field | Value |
 |---|---|
-| Status | partial — 6D-1 (doc), 6D-2 (startup guards), 6D-3 (capability fan-out helper), 6D-4 (cutover wire + apply dispatch), 6D-5 (storage-layer toggle), 6D-6a (EnableStorageEnvelope server method), 6D-6b (CLI subcommand) shipped; 6D-6c (main.go wiring + integration test) remain |
+| Status | partial — 6D-1 (doc), 6D-2 (startup guards), 6D-3 (capability fan-out helper), 6D-4 (cutover wire + apply dispatch), 6D-5 (storage-layer toggle), 6D-6a (EnableStorageEnvelope server method), 6D-6b (CLI subcommand), 6D-6c-1 (Applier in-memory accessors) shipped; 6D-6c-2 (main.go cipher + gate wiring) and 6D-6c-3 (capability fan-out closure + e2e integration test) remain |
 | Date | 2026-05-18 |
 | Parent design | [`2026_04_29_partial_data_at_rest_encryption.md`](2026_04_29_partial_data_at_rest_encryption.md) |
 | Blockers (now satisfied) | 6B (KEK plumbing), 6C-1 / 6C-2 (startup guards), 6C-2d (`ErrSidecarBehindRaftLog` wiring) |
@@ -71,14 +71,51 @@
   misconfigured shell variable fails fast before the round-trip;
   the server re-validates as the source of truth.
 
+- **6D-6c-1** (Applier in-memory accessors + shared StateCache)
+  — new exported `encryption.StateCache` type backed by
+  `atomic.Uint32` / `atomic.Bool` mirrors of `sidecar.Active.Storage`
+  and `sidecar.StorageEnvelopeActive`. The cache is a **process-
+  wide singleton** (parallel to the shared `*Keystore`) threaded
+  into every per-shard `Applier` via the new `WithStateCache`
+  option. Multi-group encryption FSM entries apply on exactly
+  one shard's leader, so per-Applier-private atomics would leave
+  the remaining shards stuck with pre-apply values; the shared
+  StateCache makes every shard's storage layer observe the update
+  regardless of which shard ran the apply. Coherence with disk
+  is maintained by durable write-then-cache ordering inside
+  `writeBootstrapSidecar`, `writeRotationSidecar`, and the
+  cutover fresh-success branch of `applyEnableStorageEnvelope`.
+  `NewApplier` primes the cache from the sidecar on construction
+  so the storage-layer per-Put closures (wired in 6D-6c-2)
+  observe correct values before the FSM has replayed a single
+  entry after restart. `Applier.ActiveStorageKeyID` /
+  `Applier.StorageEnvelopeActive` remain as delegate methods for
+  tests and single-applier callers; multi-shard wiring in
+  6D-6c-2 must read via `cache.ActiveStorageKeyID` /
+  `cache.StorageEnvelopeActive` directly. Operator-inert by
+  itself — only consumed once main.go threads the cache methods
+  into `store.WithEncryption` and `WithStorageEnvelopeGate` in
+  6D-6c-2.
+
 ## Open milestones
 
-- **6D-6c** — main.go production wiring: cipher + WithEncryption
-  + WithStorageEnvelopeGate threaded from the sidecar, plus the
-  CapabilityFanout closure bound to the live Raft membership
-  view. End-to-end integration test exercises a single-node
-  cluster Bootstrap → EnableStorageEnvelope → Put → read-back-
-  via-envelope.
+- **6D-6c-2** — main.go production wiring: build
+  `encryption.NewCipher(keystore)` and construct a single
+  `encryption.StateCache` at startup (parallel to the shared
+  `*Keystore`). Thread the cache via `WithStateCache` into every
+  per-shard `Applier` inside `buildShardGroups`, and pass
+  `cache.ActiveStorageKeyID` / `cache.StorageEnvelopeActive`
+  (NOT the per-shard `Applier` delegates) into
+  `store.WithEncryption` + `store.WithStorageEnvelopeGate` for
+  each shard's PebbleStore. Reading via the StateCache directly
+  ensures every shard's storage layer sees the post-apply state
+  regardless of which shard's leader accepted the encryption
+  proposal.
+- **6D-6c-3** — main.go CapabilityFanout closure bound to the
+  live Raft membership view (etcd engine route snapshot + admin
+  client DialFunc), and end-to-end integration test exercising
+  a single-node cluster Bootstrap → EnableStorageEnvelope →
+  Put → read-back-via-envelope.
 
 ## 0. Why this doc exists
 

internal/encryption/applier.go

@@ -3,6 +3,7 @@ package encryption
 import (
 	"bytes"
 	"strconv"
+	"sync/atomic"
 	"time"
 
 	"github.com/bootjp/elastickv/internal/encryption/fsmwire"
@@ -63,17 +64,127 @@ type WriterRegistryStore interface {
 //     ErrKEKNotConfigured marker. Stage 6B will swap these for the
 //     real KEK-unwrap + sidecar mutate + keystore install path.
 //
-// The Applier carries no in-memory state of its own; all state
-// lives in the supplied WriterRegistryStore. This keeps it safe
-// to construct once at FSM startup and share across the lifetime
-// of the process — no per-apply allocation, no locks, no leak
-// path for stale state across snapshot restore.
+// Apart from the shared StateCache pointer (see below), the
+// Applier carries no in-memory state of its own; durable state
+// lives in the supplied WriterRegistryStore and the on-disk
+// sidecar. The StateCache mirrors a small subset of sidecar
+// fields the storage hot path consults on every Put — kept
+// coherent by durable write-then-cache ordering inside each
+// apply path.
 type Applier struct {
 	registry    WriterRegistryStore
 	kek         KEKUnwrapper
 	keystore    *Keystore
 	sidecarPath string
 	now         func() time.Time
+	// stateCache is the process-shared mirror of the sidecar fields
+	// the storage hot path consults on every Put. See StateCache for
+	// the full contract; in short, a single instance is owned by
+	// main.go (parallel to the shared *Keystore) and threaded into
+	// every per-shard Applier via WithStateCache so that an apply
+	// landing on shard A's FSM is immediately visible to shard B's
+	// storage layer. Multi-group encryption applies always land on
+	// exactly one shard's FSM (the one whose engine accepted the
+	// proposal), so a per-Applier cache would leave the remaining
+	// shards stuck with pre-apply atomic values.
+	//
+	// Never nil after NewApplier: when WithStateCache is omitted the
+	// constructor installs a private instance so single-applier
+	// callers and tests keep working unchanged.
+	stateCache *StateCache
+}
+
+// StateCache mirrors the sidecar fields the storage hot path needs
+// to consult on every Put. Two requirements drive its existence:
+//
+//  1. ReadSidecar-on-every-Put would serialise the hot path through
+//     a JSON parse + fsync barrier. atomic.Uint32 / atomic.Bool give
+//     a wait-free single-load read instead.
+//
+//  2. In a multi-group deployment, encryption FSM entries apply on
+//     whichever shard's leader accepted the proposal — not on every
+//     shard. The per-shard storage layers must still observe the
+//     updated state, so the cache MUST be a process-shared singleton
+//     rather than a per-Applier field. main.go constructs one
+//     StateCache at startup (parallel to the shared *Keystore) and
+//     threads it into every per-shard Applier via WithStateCache.
+//
+// Coherence with disk is maintained by **durable write-then-cache**
+// ordering: NewApplier primes the cache from ReadSidecar, and every
+// apply path calls RefreshFromSidecar AFTER WriteSidecar succeeds.
+// A crash between fsync and atomic store is benign because the next
+// process start re-primes from disk.
+//
+// Zero values match the pre-bootstrap posture (no active storage
+// DEK, envelope gate off) so a freshly-constructed StateCache is
+// safe to use before any apply or prime has run.
+type StateCache struct {
+	// activeStorageDEKID mirrors sidecar.Active.Storage. Zero means
+	// "not bootstrapped"; readers surface (0, false) and the storage
+	// layer writes cleartext.
+	activeStorageDEKID atomic.Uint32
+	// storageEnvelopeActive mirrors sidecar.StorageEnvelopeActive
+	// for the §6.2 cutover gate. Lifecycle:
+	//   - false at construction (or primed from disk if a previous
+	//     cutover already fired).
+	//   - flipped to true exactly once by applyEnableStorageEnvelope
+	//     on a fresh-success apply, AFTER WriteSidecar succeeds.
+	//   - never flipped back to false (the cutover is one-way per
+	//     §7.1 Phase 1; rotate-dek under the active envelope keeps
+	//     it true).
+	storageEnvelopeActive atomic.Bool
+}
+
+// NewStateCache returns a zero-initialised StateCache. The
+// pre-bootstrap posture (Active.Storage=0, StorageEnvelopeActive=false)
+// is the correct initial state; RefreshFromSidecar advances it to the
+// current sidecar values when one is supplied.
+func NewStateCache() *StateCache { return &StateCache{} }
+
+// RefreshFromSidecar copies the relevant fields out of sc into the
+// atomic mirrors. Safe to call concurrently with reads; safe to
+// call from multiple goroutines (writers race to the same atomic
+// CAS path, but the only writer in production is the FSM apply
+// goroutine of the shard that accepted the encryption proposal).
+//
+// nil sc is a no-op: matches the pre-bootstrap posture where
+// ReadSidecar returns IsNotExist.
+func (c *StateCache) RefreshFromSidecar(sc *Sidecar) {
+	if c == nil || sc == nil {
+		return
+	}
+	c.activeStorageDEKID.Store(sc.Active.Storage)
+	c.storageEnvelopeActive.Store(sc.StorageEnvelopeActive)
+}
+
+// ActiveStorageKeyID returns the current sidecar.Active.Storage DEK
+// id. Signature matches store.ActiveStorageKeyID so main.go can pass
+// `cache.ActiveStorageKeyID` directly into `store.WithEncryption(...)`
+// as the per-Put activeKeyID closure. A non-zero id with ok=true
+// means the cluster has run BootstrapEncryption; zero with ok=false
+// means the cluster is still pre-bootstrap and the storage layer
+// should write cleartext.
+func (c *StateCache) ActiveStorageKeyID() (uint32, bool) {
+	if c == nil {
+		return 0, false
+	}
+	id := c.activeStorageDEKID.Load()
+	return id, id != 0
+}
+
+// StorageEnvelopeActive returns the in-memory mirror of
+// sidecar.StorageEnvelopeActive. Signature matches
+// store.StorageEnvelopeActive so main.go can pass
+// `cache.StorageEnvelopeActive` directly into
+// `store.WithStorageEnvelopeGate(...)` as the per-Put cutover gate.
+// Once true, the storage layer wraps every new version in the §4.1
+// envelope; flips exactly once per cluster lifetime when the §7.1
+// Phase 1 cutover entry applies.
+func (c *StateCache) StorageEnvelopeActive() bool {
+	if c == nil {
+		return false
+	}
+	return c.storageEnvelopeActive.Load()
 }
 
 // KEKUnwrapper is the abstraction the Applier uses to recover
@@ -132,6 +243,21 @@ func WithNowFunc(now func() time.Time) ApplierOption {
 	return func(a *Applier) { a.now = now }
 }
 
+// WithStateCache installs a shared StateCache so that an apply
+// landing on this Applier (typically the per-shard Applier whose
+// FSM accepted the encryption proposal) updates atomics that every
+// other Applier in the process reads. main.go owns one StateCache
+// for the lifetime of the binary and threads the same pointer into
+// every per-shard Applier and into the storage-layer per-Put
+// closures.
+//
+// If WithStateCache is omitted, NewApplier installs a private
+// instance — preserves the single-applier ergonomics that tests
+// and pre-multi-shard callers rely on.
+func WithStateCache(c *StateCache) ApplierOption {
+	return func(a *Applier) { a.stateCache = c }
+}
+
 // NewApplier wires an Applier against the supplied registry store
 // plus optional KEK / Keystore / sidecar / clock dependencies.
 // Returns an error if registry is nil so misconfiguration is caught
@@ -162,9 +288,59 @@ func NewApplier(registry WriterRegistryStore, opts ...ApplierOption) (*Applier,
 	if a.now == nil {
 		return nil, errors.New("encryption: NewApplier: WithNowFunc(nil) overwrote default time.Now")
 	}
+	// Install a private StateCache when WithStateCache was not
+	// supplied so the apply paths and accessors always have a
+	// non-nil target. Tests rely on this; production main.go is
+	// expected to thread a shared instance in.
+	if a.stateCache == nil {
+		a.stateCache = NewStateCache()
+	}
+	// Prime the in-memory accessors from the on-disk sidecar
+	// (best-effort: a missing sidecar is the pre-bootstrap
+	// posture and leaves both atomics at their zero values,
+	// which is correct). The storage-layer closures may query
+	// these atomics before the FSM has replayed a single entry
+	// after restart, so the priming must happen at construction
+	// rather than lazily on first apply. A read error (corrupt
+	// JSON, bad version) surfaces back to the caller so a
+	// misconfigured node fails to start instead of silently
+	// running with stale-zero state.
+	if a.sidecarPath != "" {
+		switch sc, err := ReadSidecar(a.sidecarPath); {
+		case err == nil:
+			a.stateCache.RefreshFromSidecar(sc)
+		case IsNotExist(err):
+			// Pre-bootstrap; leave atomics at zero.
+		default:
+			return nil, errors.Wrap(err, "encryption: NewApplier: prime in-memory state from sidecar")
+		}
+	}
 	return a, nil
 }
 
+// StateCache returns the shared cache this Applier writes to on
+// every apply path. main.go wires one StateCache across all
+// per-shard Appliers via WithStateCache, but for callers that
+// constructed an Applier without supplying one this accessor
+// returns the privately-installed instance so tests can still
+// reach the atomics directly.
+func (a *Applier) StateCache() *StateCache { return a.stateCache }
+
+// ActiveStorageKeyID delegates to the shared StateCache. Convenience
+// for tests and single-applier callers; multi-shard wiring should
+// prefer reading StateCache().ActiveStorageKeyID directly so the
+// closure target is independent of which shard's Applier received
+// the encryption apply.
+func (a *Applier) ActiveStorageKeyID() (uint32, bool) {
+	return a.stateCache.ActiveStorageKeyID()
+}
+
+// StorageEnvelopeActive delegates to the shared StateCache. Same
+// rationale as ActiveStorageKeyID above.
+func (a *Applier) StorageEnvelopeActive() bool {
+	return a.stateCache.StorageEnvelopeActive()
+}
+
 // bootstrapAndRotationConfigured reports whether WithKEK,
 // WithKeystore, and WithSidecarPath have all been supplied. The
 // three are an indivisible quorum for ApplyBootstrap /
@@ -513,6 +689,7 @@ func (a *Applier) writeBootstrapSidecar(raftIdx uint64, p fsmwire.BootstrapPaylo
 	if err := WriteSidecar(a.sidecarPath, sc); err != nil {
 		return errors.Wrap(err, "applier: write sidecar for bootstrap")
 	}
+	a.stateCache.RefreshFromSidecar(sc)
 	return nil
 }
 
@@ -773,6 +950,7 @@ func (a *Applier) applyEnableStorageEnvelope(raftIdx uint64, p fsmwire.RotationP
 	if err := WriteSidecar(a.sidecarPath, sc); err != nil {
 		return errors.Wrap(err, "applier: write sidecar for cutover")
 	}
+	a.stateCache.RefreshFromSidecar(sc)
 	return nil
 }
 
@@ -809,6 +987,7 @@ func (a *Applier) writeRotationSidecar(raftIdx uint64, p fsmwire.RotationPayload
 	if err := WriteSidecar(a.sidecarPath, sc); err != nil {
 		return errors.Wrap(err, "applier: write sidecar for rotation")
 	}
+	a.stateCache.RefreshFromSidecar(sc)
 	return nil
 }