Write protect repository only when primary is not on the latest version

Relates to #2717 (comment 356256531)

Our current approach is to put a virtual storage (shard) into read-only mode when a node failure is detected. This is a conservative strategy since some repos may be unaffected by a node failure.

A more focused and optimal approach:

  • Only repositories should be designated read-only (not entire storages or shards)
  • A repo is considered to be read-only iff the repo's primary replica is stale
    • Clarification: the repo is not considered to be in read-only mode if any of the secondary replicas is stale. Stale secondary replicas are expected in an eventually consistent system.
Edited by Sami Hiltunen
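
The per-repository rule proposed above, as an added Go example (not code from the issue or from the project). The `Replica` and `Repo` types, the integer version per replica, the storage names and the treatment of a primary with no copy as stale are all assumptions made for illustration.

```go
package main

import "fmt"

// Replica and Repo are hypothetical records, not the project's own types.
type Replica struct {
	Storage string
	Version int // assumed monotonically increasing per repository
}

type Repo struct {
	Path     string
	Primary  string // storage currently acting as primary
	Replicas []Replica
}

// ReadOnly is true iff the primary's copy is behind the latest version held
// by any replica. Stale secondaries never make a repository read-only.
// Assumption: a primary that holds no copy at all counts as stale.
func ReadOnly(r Repo) bool {
	latest, primary := -1, -1
	for _, rep := range r.Replicas {
		if rep.Version > latest {
			latest = rep.Version
		}
		if rep.Storage == r.Primary {
			primary = rep.Version
		}
	}
	return primary < latest
}

// WriteProtected lists the repositories that must reject writes, instead of
// marking the whole virtual storage read-only.
func WriteProtected(repos []Repo) []string {
	var out []string
	for _, r := range repos {
		if ReadOnly(r) {
			out = append(out, r.Path)
		}
	}
	return out
}

// SampleRepos is constructed data: gitaly-1 failed, gitaly-2 is now primary.
func SampleRepos() []Repo {
	return []Repo{
		{"group/a.git", "gitaly-2", []Replica{{"gitaly-1", 3}, {"gitaly-2", 3}, {"gitaly-3", 2}}},
		{"group/b.git", "gitaly-2", []Replica{{"gitaly-1", 5}, {"gitaly-2", 4}, {"gitaly-3", 5}}},
		{"group/c.git", "gitaly-2", []Replica{{"gitaly-1", 1}, {"gitaly-3", 1}}},
	}
}

func main() { fmt.Println(WriteProtected(SampleRepos())) }
```

In the constructed data, `group/a.git` stays writable even though a secondary is behind, while the storage-wide approach would have blocked writes to all three repositories.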