feat(snapshot-skip B3): cold-start restoreSnapshotState skip gate + CRC verifier + metrics (#934)

## Summary

Implements **Branch 3** of the cold-start snapshot-restore skip
optimisation designed in PR #910, building on PR #915 (B2 —
`metaAppliedIndex` plumbing). This is the **user-visible perf win** of
the series: after this lands, the engine restores the FSM only when the
on-disk state is actually behind the snapshot pointer; the common case
(local restart with a fresh fsm.db) collapses to a header read + CRC
verification, skipping the multi-GiB body restore that PR #909's
`HEALTH_TIMEOUT_SECONDS=300` band-aid was sized to absorb.

## Reading order (6 commits, designed for one-at-a-time review)

| # | commit | scope |
|---|---|---|
| 1 | `8312f4ba` | `raftengine.SnapshotHeaderApplier` two-phase
interface (`ParseSnapshotHeader` + `ApplySnapshotHeader`) |
| 2 | `024eb43c` | `kvFSM` implements both phases + compile-time guard |
| 3 | `933dab86` | `applyHeaderStateOnSkip` (3-step CRC, mirrors
`openAndRestoreFSMSnapshot`) + `restoreSnapshotState` skip gate |
| 4 | (folded into #3) | `fsmAlreadyAtIndex` + skip-gate wiring |
| 5 | (next) | metrics + INFO log: `raftengine.ColdStartObserver` +
`monitoring.ColdStartMetrics` + `Registry.ColdStartObserver()` |
| 6 | `ce277e66` | 9 new tests (skip-gate behaviour ×5 + CRC failure
modes ×3 + kvFSM contract ×1) |

(Commit 5 was merged into the metrics commit; the actual git log is 5
commits.)

## What this does

`restoreSnapshotState` branches on `decideSkipOutcome`:

```go
decision, have := decideSkipOutcome(fsm, tok.Index)
reportColdStart(obs, logger, decision, tok.Index, have)
if decision == coldStartSkip {
    return applyHeaderStateOnSkip(fsm, fsmSnapPath(fsmSnapDir, tok.Index), tok.CRC32C)
}
return openAndRestoreFSMSnapshot(...) // unchanged
```

`decideSkipOutcome` returns one of 5 outcomes:

| outcome | trigger | action |
|---|---|---|
| `skip` | `LastAppliedIndex >= snap.Index` | header-only path |
| `execute` | `LastAppliedIndex < snap.Index` | full restore |
| `fallback_not_reader` | FSM doesn't implement `AppliedIndexReader` |
full restore |
| `fallback_missing_meta` | meta key absent (pre-upgrade fsm.db) | full
restore |
| `fallback_read_err` | `LastAppliedIndex` returned an error | full
restore |

The three fallback paths preserve the strictly-additive guarantee from
the design doc §4: over-restoring is always strictly safer than skipping
incorrectly. Errors from `LastAppliedIndex` **do not abort cold start**
— they collapse to fallback.

## CRC verification (mirrors `openAndRestoreFSMSnapshot`)

`applyHeaderStateOnSkip` runs the same three-step safety contract as the
full restore path. Failure of any step propagates a typed error WITHOUT
mutating FSM state:

| Step | Check | Error |
|---|---|---|
| 1 | `info.Size() < fsmMinFileSize` | `ErrFSMSnapshotTooSmall` |
| 2 | `readFSMFooter` vs `tokenCRC` | `ErrFSMSnapshotTokenCRC` |
| 3 | full-body `crc32.TeeReader` vs footer | `ErrFSMSnapshotFileCRC` |

The FSM's `ApplySnapshotHeader` (HLC ceiling + Stage 8a cutover) only
fires after all three pass.

## Metrics + INFO log

`raftengine.ColdStartObserver` interface lives in the parent
`raftengine` package so monitoring can implement it without circular
import. `monitoring.Registry` gains `ColdStartObserver()`. The engine
receives it through `OpenConfig.ColdStartObserver` — nil disables
metrics, the skip itself still runs.

Two Prometheus series:

```
elastickv_fsm_cold_start_restore_total{outcome,fallback_reason}
elastickv_fsm_cold_start_applied_index_gap{outcome}
```

Plus a structured zap.Info log on every cold-start with fsm_applied /
snapshot_index / gap and (for fallback) the reason enum.

## Design constraints honoured

- **§4 strictly-additive fallback**: `decideSkipOutcome` collapses every
uncertainty to a fallback variant; `LastAppliedIndex` errors do NOT
abort cold start.
- **§5 two-phase seam (round-7)**: `ParseSnapshotHeader` reads the v1/v2
header from a caller-supplied reader and drains the rest;
`ApplySnapshotHeader` is pure assignment. Splits the parse from the
side-effect so the engine can verify the CRC between them.
- **§5 CRC mirroring (round-6)**: 3-step verification (size +
footer-vs-tokenCRC + full-body-CRC) exactly matches
`openAndRestoreFSMSnapshot`. The full-body CRC pass IS the slow part of
this PR (~6s for a 6 GiB FSM at 1 GiB/s SSD read) — but still strictly
cheaper than the restore it replaces, which also reads the file once AND
writes a temp Pebble database via `restoreBatchLoopInto`.
- **§9 observability**: three outcomes + gap label; the design's
`not_reporter` label is named `not_reader` in the actual impl (matching
the round-5 PR #915 rename).
- **Non-Goals respected**: `Engine.applySnapshot` (engine.go:1641
InstallSnapshot hot path) is untouched. The TODO sentinel added in PR
#915 round-6 still names B3 as the follow-up site for the
peer-after-InstallSnapshot bump — that's not in scope here either.

## Test results

```text
go vet ./internal/raftengine/etcd/ ./internal/raftengine/ ./kv/ ./store/ ./monitoring/   → exit 0
golangci-lint run ... (same packages)                                                     → 0 issues
go test ./internal/raftengine/etcd/ ./kv/ ./store/ ./monitoring/ -short                   → ok ~57s total
go test ./internal/raftengine/etcd/ -run 'TestSkipGate|TestApplyHeaderStateOnSkip'        → ok 0.028s
```

## What this does NOT do

- **Does NOT change** `HEALTH_TIMEOUT_SECONDS=300`. That's Branch 4,
gated on production data showing steady-state skip rate ≥ 90%.
- **Does NOT** wire `Engine.applySnapshot` to populate
`metaAppliedIndex` for peers receiving InstallSnapshot. The TODO
sentinel from PR #915 round-6 still flags this; addressing it requires a
separate design pass.
- **Does NOT** add an idle-cluster integration test
(`ELASTICKV_RAFT_SNAPSHOT_COUNT=10` end-to-end). The unit tests cover
the gate decision matrix; an integration test would prove the codex
round-3 P2 scenario is closed end-to-end in production-like setup, which
is most valuable as a follow-up after B3 has soaked.

## Soak plan

Same as B2: deploy and observe
`elastickv_fsm_cold_start_restore_total{outcome="skipped"}` ramp up
across cold starts. The design target is steady-state skip rate ≥ 90%;
the per-outcome label distribution and gap distribution are the primary
signals.

After one release of soak, Branch 4 can lower `HEALTH_TIMEOUT_SECONDS`.

## Refs

- PR #910 — design doc (rounds 1-7)
- PR #915 — Branch 2 plumbing (merged); this PR depends on
`metaAppliedIndex` being populated
- PR #909 — `HEALTH_TIMEOUT_SECONDS` band-aid this series eventually
obviates


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Cold-start lifecycle callbacks added and wired through the raft engine
to report skip/execute/fallback outcomes and applied-index gaps.
  * Prometheus metrics for cold-start outcomes and applied-index gap.
* Snapshot-header read/apply contract introduced; KV FSM implements
header apply and volatile-entry classification to support header-only
skips and volatile-only replay on duplicates.

* **Tests**
* Extensive unit/integration tests covering skip/execute/fallback
decisions, header verification, volatile duplicate replay, and updated
restore-call signatures.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Author: bootjp

internal/raftengine/cold_start.go

@@ -0,0 +1,40 @@
+package raftengine
+
+// ColdStartObserver receives cold-start snapshot-restore lifecycle
+// events from restoreSnapshotState. Implementations live in the
+// monitoring package and wire to Prometheus counters/gauges; the
+// engine receives a value through OpenConfig and treats nil as
+// "no metrics emitted" (preserves the byte-for-byte cold-start
+// behaviour for tests and callers that do not wire monitoring).
+//
+// Three outcomes match the design's strictly-additive policy
+// (docs/design/2026_06_02_idempotent_snapshot_restore.md §9):
+//
+//   - RestoreSkipped: the gate fired. `gap = haveAppliedIndex -
+//     snapshot.Metadata.Index` (how far ahead the live store was).
+//     This is the user-visible perf win.
+//
+//   - RestoreExecuted: the gate did NOT fire because the live store
+//     was genuinely stale (haveAppliedIndex < snapshot.Metadata.Index).
+//     `gap = snapshot.Metadata.Index - haveAppliedIndex` (the work
+//     the full restore re-did).
+//
+//   - RestoreFallback: the strictly-additive fallback path — the
+//     FSM did not expose AppliedIndexReader, LastAppliedIndex
+//     reported the meta key missing, or it returned an error. The
+//     full restore runs but the skip was never even attempted.
+//     `reason` carries a stable short label so Prometheus can
+//     surface why the optimisation could not engage:
+//
+//     not_reader   — FSM does not implement AppliedIndexReader
+//     missing_meta — meta key absent (pre-upgrade fsm.db)
+//     read_err     — LastAppliedIndex returned an error
+//
+// Implementations MUST NOT block; the engine calls these on the
+// cold-start critical path. Treat all label/string arguments as
+// untrusted enum values from the engine's enumeration above.
+type ColdStartObserver interface {
+	RestoreSkipped(snapIndex, haveAppliedIndex uint64)
+	RestoreExecuted(snapIndex, haveAppliedIndex uint64)
+	RestoreFallback(snapIndex uint64, reason string)
+}

internal/raftengine/etcd/cold_start_volatile_replay_test.go

@@ -0,0 +1,199 @@
+package etcd
+
+import (
+	"bytes"
+	"io"
+	"sync/atomic"
+	"testing"
+
+	"github.com/bootjp/elastickv/internal/raftengine"
+	raftpb "go.etcd.io/raft/v3/raftpb"
+)
+
+// volatileTagFakeFSM is a StateMachine that classifies payloads by
+// their leading byte: 0x02 (kv.raftEncodeHLCLease) is volatile, every
+// other tag is data-mutating. Mirrors the kvFSM contract closely
+// enough that the engine's cold-start duplicate guard can be tested
+// without pulling in the full kv package.
+type volatileTagFakeFSM struct {
+	calls       atomic.Int32
+	lastPayload []byte
+}
+
+func (f *volatileTagFakeFSM) Apply(data []byte) any {
+	f.calls.Add(1)
+	cp := make([]byte, len(data))
+	copy(cp, data)
+	f.lastPayload = cp
+	return nil
+}
+
+func (f *volatileTagFakeFSM) Snapshot() (Snapshot, error) { return nil, nil }
+func (f *volatileTagFakeFSM) Restore(_ io.Reader) error   { return nil }
+
+func (f *volatileTagFakeFSM) IsVolatileOnlyPayload(payload []byte) bool {
+	return len(payload) > 0 && payload[0] == 0x02
+}
+
+var _ raftengine.VolatileEntryClassifier = (*volatileTagFakeFSM)(nil)
+
+// TestApplyNormalCommitted_VolatileEntryReplayedOnDuplicate pins the
+// codex P1 #934 round 7 fix: after the cold-start skip gate seeds
+// e.applied at the WAL committed tail, entries delivered by Raft at
+// indices <= e.applied that are volatile-only (HLC lease, tag 0x02)
+// MUST still reach fsm.Apply so the post-snapshot ceiling raise is
+// reconstructed. Data-mutating duplicates (any other tag) MUST NOT
+// reach fsm.Apply (OCC re-validation; ceiling regression). A
+// regression would either silently drop the lease (the bug) or
+// silently re-execute KV writes (idempotency violation).
+func TestApplyNormalCommitted_VolatileEntryReplayedOnDuplicate(t *testing.T) {
+	t.Parallel()
+	cases := []struct {
+		name      string
+		tag       byte
+		wantApply bool
+	}{
+		{"volatile HLC lease (tag 0x02) replays past e.applied", 0x02, true},
+		{"data-mutating single KV (tag 0x00) is dropped", 0x00, false},
+		{"data-mutating batch KV (tag 0x01) is dropped", 0x01, false},
+	}
+	for _, c := range cases {
+		t.Run(c.name, func(t *testing.T) {
+			t.Parallel()
+			fsm := &volatileTagFakeFSM{}
+			e := newTestEngine(fsm, nil, nil)
+			e.applied = 200
+
+			payload := []byte{c.tag, 0xde, 0xad, 0xbe, 0xef, 0x00, 0x00, 0x00, 0x00}
+			entry := raftpb.Entry{
+				Type:  raftpb.EntryNormal,
+				Index: 150, // <= e.applied → duplicate path
+				Data:  encodeProposalEnvelope(42, payload),
+			}
+
+			if err := e.applyNormalCommitted(entry); err != nil {
+				t.Fatalf("applyNormalCommitted: %v", err)
+			}
+
+			got := fsm.calls.Load()
+			switch {
+			case c.wantApply && got != 1:
+				t.Fatalf("volatile duplicate: fsm.Apply call count = %d, want 1 (lost in-memory effect)", got)
+			case !c.wantApply && got != 0:
+				t.Fatalf("data-mutating duplicate: fsm.Apply call count = %d, want 0 (re-applied; OCC will re-validate against post-tail state)", got)
+			}
+
+			// In every case e.applied must NOT advance — the entry's
+			// index is below the gate-seeded value and resolveProposal
+			// is intentionally not called either.
+			if e.applied != 200 {
+				t.Fatalf("e.applied advanced to %d, want it pinned at 200 for duplicate-path entries", e.applied)
+			}
+		})
+	}
+}
+
+// TestApplyNormalCommitted_FreshEntryAlwaysAppliesAndAdvances pins the
+// non-duplicate path: entries past e.applied always reach fsm.Apply
+// regardless of the volatile/data classification, and e.applied
+// advances. Locks in the asymmetry — the classifier ONLY gates the
+// duplicate arm.
+func TestApplyNormalCommitted_FreshEntryAlwaysAppliesAndAdvances(t *testing.T) {
+	t.Parallel()
+	for _, tag := range []byte{0x00, 0x01, 0x02} {
+		t.Run("tag=0x0"+string("0123"[tag])+"_fresh", func(t *testing.T) {
+			t.Parallel()
+			fsm := &volatileTagFakeFSM{}
+			e := newTestEngine(fsm, nil, nil)
+			e.applied = 100
+
+			entry := raftpb.Entry{
+				Type:  raftpb.EntryNormal,
+				Index: 150,
+				Data:  encodeProposalEnvelope(7, []byte{tag, 0x99}),
+			}
+
+			if err := e.applyNormalCommitted(entry); err != nil {
+				t.Fatalf("applyNormalCommitted: %v", err)
+			}
+			if got := fsm.calls.Load(); got != 1 {
+				t.Fatalf("fsm.Apply call count = %d, want 1 (fresh entry, all tags)", got)
+			}
+			if e.applied != 150 {
+				t.Fatalf("e.applied = %d, want 150 (fresh entry must advance)", e.applied)
+			}
+		})
+	}
+}
+
+// TestApplyNormalCommitted_VolatileDuplicate_PostCutoverEncrypted pins
+// the post-Stage-8a cutover path: encrypted HLC lease entries past
+// e.applied MUST be decrypted FIRST, then classified as volatile, then
+// replayed for their in-memory effect. The wire-format reality is
+// that a post-cutover HLC lease's `payload[0]` is encrypted bytes;
+// only the cleartext (after WrapRaftPayload unwrap) carries the 0x02
+// tag, so the classifier must see the cleartext or the lease drops.
+// Claude #934 round 7 finding R7-F2 — pre-cutover-only coverage was
+// insufficient.
+func TestApplyNormalCommitted_VolatileDuplicate_PostCutoverEncrypted(t *testing.T) {
+	t.Parallel()
+	c, kid := raftCipherFixture(t)
+	const cutover uint64 = 100
+	fsm := &volatileTagFakeFSM{}
+	e := newTestEngine(fsm, c, func() uint64 { return cutover })
+	e.applied = 200
+
+	// HLC lease cleartext: tag 0x02 + 8-byte big-endian ceiling.
+	plain := []byte{0x02, 0, 0, 0, 0, 0, 0, 0, 0x01}
+	// Index above cutover → triggers WrapRaftPayload path inside
+	// applyNormalEntry; index below e.applied → duplicate arm.
+	entry := envelopeEntry(t, c, kid, 150, plain)
+
+	if err := e.applyNormalCommitted(entry); err != nil {
+		t.Fatalf("applyNormalCommitted: %v", err)
+	}
+	if got := fsm.calls.Load(); got != 1 {
+		t.Fatalf("encrypted volatile duplicate: fsm.Apply call count = %d, want 1 — decryption must run before classification or the lease drops", got)
+	}
+	if !bytes.Equal(fsm.lastPayload, plain) {
+		t.Fatalf("FSM received %x, want cleartext %x — classifier must see post-decrypt bytes", fsm.lastPayload, plain)
+	}
+	if e.applied != 200 {
+		t.Fatalf("e.applied advanced to %d, want pinned at 200 for duplicate-arm replay", e.applied)
+	}
+}
+
+// TestApplyNormalCommitted_DuplicateWithoutClassifier_DropsAll guards
+// the FSM-doesn't-opt-in path: a StateMachine that does NOT implement
+// VolatileEntryClassifier (existing FSMs, third-party engines) must
+// keep the pre-PR behavior — every duplicate is dropped, including
+// any that happen to be volatile. The strictly-additive opt-in keeps
+// the engine compatible with FSMs that have not been updated.
+func TestApplyNormalCommitted_DuplicateWithoutClassifier_DropsAll(t *testing.T) {
+	t.Parallel()
+	// fakeStateMachine (from encryption_test.go) does NOT implement
+	// VolatileEntryClassifier — that absence is the contract under
+	// test.
+	fsm := &fakeStateMachine{}
+	if _, ok := any(fsm).(raftengine.VolatileEntryClassifier); ok {
+		t.Fatal("fakeStateMachine unexpectedly implements VolatileEntryClassifier; test contract broken")
+	}
+	e := newTestEngine(fsm, nil, nil)
+	e.applied = 200
+
+	entry := raftpb.Entry{
+		Type:  raftpb.EntryNormal,
+		Index: 150,
+		Data:  encodeProposalEnvelope(13, []byte{0x02, 0xff}), // would-be volatile
+	}
+
+	if err := e.applyNormalCommitted(entry); err != nil {
+		t.Fatalf("applyNormalCommitted: %v", err)
+	}
+	if got := fsm.calls.Load(); got != 0 {
+		t.Fatalf("FSM without classifier: fsm.Apply call count = %d, want 0 (drop-all on duplicate, no opt-in)", got)
+	}
+	if e.applied != 200 {
+		t.Fatalf("e.applied advanced unexpectedly: %d, want 200", e.applied)
+	}
+}

internal/raftengine/etcd/encryption_test.go

@@ -133,7 +133,7 @@ func TestApplyNormalEntry_CutoverActive_NoCipher_FailsClosed(t *testing.T) {
 		Index: cutover + 1,
 		Data:  encodeProposalEnvelope(99, []byte("would-be wrapped payload")),
 	}
-	_, err := e.applyNormalEntry(entry)
+	_, err := e.applyNormalEntry(entry, false)
 	if !errors.Is(err, ErrRaftUnwrapFailed) {
 		t.Fatalf("expected ErrRaftUnwrapFailed for cutover-active+no-cipher misconfig, got %v", err)
 	}
@@ -151,7 +151,7 @@ func TestApplyNormalEntry_CutoverActive_NoCipher_FailsClosed(t *testing.T) {
 		Index: cutover,
 		Data:  encodeProposalEnvelope(11, []byte("legacy cleartext")),
 	}
-	if _, err := e.applyNormalEntry(belowCutoverEntry); err != nil {
+	if _, err := e.applyNormalEntry(belowCutoverEntry, false); err != nil {
 		t.Fatalf("below-cutover should pass through, got %v", err)
 	}
 	if got := fsm.calls.Load(); got != 1 {
@@ -169,7 +169,7 @@ func TestApplyNormalEntry_NoCipher_PassThrough(t *testing.T) {
 	e := newTestEngine(fsm, nil, nil)
 	plain := []byte("op=put key=k1 v=hello")
 	entry := raftpb.Entry{Type: raftpb.EntryNormal, Data: encodeProposalEnvelope(42, plain)}
-	if _, err := e.applyNormalEntry(entry); err != nil {
+	if _, err := e.applyNormalEntry(entry, false); err != nil {
 		t.Fatalf("applyNormalEntry: %v", err)
 	}
 	if got := fsm.calls.Load(); got != 1 {
@@ -200,7 +200,7 @@ func TestApplyNormalEntry_BelowCutover_PassThrough(t *testing.T) {
 			Index: idx,
 			Data:  encodeProposalEnvelope(11, cleartextPayload),
 		}
-		if _, err := e.applyNormalEntry(entry); err != nil {
+		if _, err := e.applyNormalEntry(entry, false); err != nil {
 			t.Fatalf("idx=%d: applyNormalEntry: %v", idx, err)
 		}
 		if got := fsm.calls.Load(); got != 1 {
@@ -226,7 +226,7 @@ func TestApplyNormalEntry_AboveCutover_Unwraps(t *testing.T) {
 		fsm.calls.Store(0)
 		plaintext := []byte("op=put key=k1 v=secret")
 		entry := envelopeEntry(t, c, kid, idx, plaintext)
-		if _, err := e.applyNormalEntry(entry); err != nil {
+		if _, err := e.applyNormalEntry(entry, false); err != nil {
 			t.Fatalf("idx=%d: applyNormalEntry: %v", idx, err)
 		}
 		if got := fsm.calls.Load(); got != 1 {
@@ -258,7 +258,7 @@ func TestApplyNormalEntry_UnwrapFailure_Halts(t *testing.T) {
 	// last byte.
 	entry.Data[len(entry.Data)-1] ^= 0xff
 
-	_, err := e.applyNormalEntry(entry)
+	_, err := e.applyNormalEntry(entry, false)
 	if !errors.Is(err, ErrRaftUnwrapFailed) {
 		t.Fatalf("expected ErrRaftUnwrapFailed, got %v", err)
 	}
@@ -326,7 +326,7 @@ func TestApplyNormalEntry_BoundaryCutover(t *testing.T) {
 		Index: cutover,
 		Data:  encodeProposalEnvelope(13, cleartext),
 	}
-	if _, err := e.applyNormalEntry(atCutover); err != nil {
+	if _, err := e.applyNormalEntry(atCutover, false); err != nil {
 		t.Fatalf("at-cutover: %v", err)
 	}
 	if string(fsm.last) != string(cleartext) {
@@ -335,7 +335,7 @@ func TestApplyNormalEntry_BoundaryCutover(t *testing.T) {
 
 	// cutover+1: wrapped payload — MUST be unwrapped.
 	above := envelopeEntry(t, c, kid, cutover+1, []byte("first encrypted"))
-	if _, err := e.applyNormalEntry(above); err != nil {
+	if _, err := e.applyNormalEntry(above, false); err != nil {
 		t.Fatalf("above-cutover: %v", err)
 	}
 	if string(fsm.last) != "first encrypted" {
@@ -365,7 +365,7 @@ func TestApplyNormalEntry_ProposalIDStillResolvable(t *testing.T) {
 	}
 	data := encodeProposalEnvelope(wantID, wrapped)
 	entry := raftpb.Entry{Type: raftpb.EntryNormal, Index: cutover + 1, Data: data}
-	if _, err := e.applyNormalEntry(entry); err != nil {
+	if _, err := e.applyNormalEntry(entry, false); err != nil {
 		t.Fatalf("applyNormalEntry: %v", err)
 	}
 	gotID, _, ok := decodeProposalEnvelope(entry.Data)
@@ -396,7 +396,7 @@ func TestApplyNormalEntry_NoCutoverDefault(t *testing.T) {
 			Index: idx,
 			Data:  encodeProposalEnvelope(7, cleartext),
 		}
-		if _, err := e.applyNormalEntry(entry); err != nil {
+		if _, err := e.applyNormalEntry(entry, false); err != nil {
 			t.Fatalf("idx=%d: %v", idx, err)
 		}
 		if string(fsm.last) != string(cleartext) {