Reference distributed [DirectiveStore] backed by etcd v3.
A fleet of proxy instances must all see the same diagnostics directives, and
a control-plane flip must reach every instance with no restart (docs/05
§3, NFR-T3, ADR-013). This adapter realizes that over etcd's watch API using
the watch-and-cache model: a background task subscribes to one etcd key and
keeps a locally-cached [DirectiveSet] snapshot fresh, so [DirectiveStore::load]
on the request hot path is a cheap Arc clone, never per-request network I/O.
It deliberately backs only the directive (observability) control plane.
The migration/placement store (osproxy-control::MigrationStore) needs a
linearizable compare-and-swap and a fallible, async seam; wiring it over etcd
is a separate step gated on that seam refactor.
Posture:
- Fail-fast at startup: [EtcdDirectiveStore::connect] does an initial read, so
  an unreachable/misconfigured etcd is a loud construction error, not a silent
  empty directive set.
- Fail-safe while running: a transient etcd outage or a malformed publish keeps
  the last good snapshot rather than blanking diagnostics; the watch task
  reconnects with a bounded delay.
- One fail-closed decoder: directives are decoded with
  [osproxy_observe::decode_directive_set], the same decoder the admin
  POST /admin/directives endpoint uses, so a directive means the same thing
  however it is published, and a typo'd key can never widen its blast radius.
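
A std-only sketch of the watch-and-cache model and the three posture rules above, added here as an example and not the crate's own code. `CachedStore`, `decode`, the `key=value` format and the key names are hypothetical stand-ins, and `on_watch_event` models what the etcd watch task would call for each event.

```rust
use std::collections::BTreeMap;
use std::sync::{Arc, RwLock};

/// Stand-in for DirectiveSet (hypothetical shape: directive key -> value).
#[derive(Debug, PartialEq)]
pub struct DirectiveSet(pub BTreeMap<String, String>);

/// Toy fail-closed decoder over a constructed `key=value` line format:
/// one unknown key or malformed line rejects the whole publish.
pub fn decode(raw: &str) -> Result<DirectiveSet, String> {
    const KNOWN: [&str; 2] = ["log_level", "trace_tenant"]; // constructed keys
    let mut out = BTreeMap::new();
    for line in raw.lines().filter(|l| !l.trim().is_empty()) {
        let (k, v) = line.split_once('=').ok_or(format!("malformed line: {}", line))?;
        if !KNOWN.contains(&k.trim()) {
            return Err(format!("unknown key: {}", k.trim()));
        }
        out.insert(k.trim().to_string(), v.trim().to_string());
    }
    Ok(DirectiveSet(out))
}

pub struct CachedStore { snap: RwLock<Arc<DirectiveSet>> }

impl CachedStore {
    /// Fail-fast: a failed or undecodable initial read is a construction error.
    pub fn connect(initial_read: Result<&str, String>) -> Result<Self, String> {
        let set = decode(initial_read?)?;
        Ok(CachedStore { snap: RwLock::new(Arc::new(set)) })
    }
    /// Hot path: an Arc clone of the cached snapshot, no network I/O.
    pub fn load(&self) -> Arc<DirectiveSet> {
        let guard = self.snap.read().unwrap();
        Arc::clone(&*guard)
    }
    /// Watch task calls this per event. Fail-safe: a malformed publish
    /// leaves the last good snapshot in place and returns false.
    pub fn on_watch_event(&self, raw: &str) -> bool {
        match decode(raw) {
            Ok(set) => { *self.snap.write().unwrap() = Arc::new(set); true }
            Err(_) => false,
        }
    }
}

fn main() {
    let store = CachedStore::connect(Ok("log_level=info")).unwrap();
    assert!(!store.on_watch_event("log_levle=debug")); // typo'd key: rejected
}
```

Readers that already hold a snapshot keep it across a swap, because each `load` returns its own `Arc` to an immutable set.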