[persist] Compatibility versioning

[bkirwi]

This PR:

• changes the semantics of the Persist shard's version field... instead of indicating the highest version that has ever touched a bit of state, it indicates the lowest version which is guaranteed to be compatible with the existing state.
• changes the version checks: we now disallow versions from the future, and cap the number of versions from the past we will maintain write compatibility with.
• moves the version field into StateCollections, to make it available to individual Persist commands. This will allow future Persist changes to check the version before making changes, which is essential for flexible backwards compatibility.
• adds a new command to upgrade the compatibility version of the shard. This is not yet invoked everywhere it should be; I intend to add the full set of usages in a followup PR.
• adds metrics that report whether we're interacting with an older version of state or not, which (among other things) will help me track whether we're reliably upgrading shards or not.

Motivation

https://github.com/MaterializeInc/database-issues/issues/9870

[teskje]

This looks good to me, at least as far as I'm grokking the persist details. There is still the piece missing where we call upgrade_version on all existing shards in the environment during leader startup, right?

[teskje]

Should we instead use a soft assert here? Debug asserts are less useful because they don't run in CI.

[bkirwi]

This adds a whole other set of network roundtrips, which seems too expensive even for a soft assert - it can add brand new failure modes to the code even when the check succeeds. I found this helpful when developing the unit tests, but we can delete it entirely now if it feels awkward...

[teskje]

For checks we don't want to run in production, the _no_log soft assert variants are appropriate. But deleting is also fine with me!

[bkirwi]

Totally... I just eg. don't want to have to debug a benchmark regression if this code happens to be invoked somewhere where an extra roundtrip matters, for example, or generate extra load on CRDB in Staging. Sounds like it's best to delete then!

[teskje]

Ooc, what's the reason for doing a halt! here instead of a panic!? Are there cases in normal operation where we'd expect to see incompatible readers/writers?

[bkirwi]

It looks like this was introduced in the original halt! PR. I don't see explicit discussion, but it's true that it's possible for this to happen without a bug... for example, a zombie process after an upgrade.

[def-]

I think this Cargo test failure might be caused by this PR? At least I haven't seen it before: https://buildkite.com/materialize/test/builds/111438:

        FAIL [   4.451s] mz-catalog::open test_persist_open
thread 'test_persist_open' panicked at src/catalog/tests/open.rs:549:9:
assertion `left == right` failed

[bkirwi]

I think this Cargo test failure might be caused by this PR?

Probably related and probably not concerning - looks like a snapshot test that doesn't fully reflect the state of the merged branch - but thanks for linking; will keep an eye on it!

[bkirwi]

This doesn't yet include all the necessary upgrade_version calls, but it seems to contain enough to make CI happy. Hunting down everywhere that we open a shard may take a while, though, so I'd love to get the first batch merged and unblock some other folks.