feat: WAL-based RocksDB replication with HTTP streaming and failover

[JackGuslerGit]

This relates to #35.

Summary:

• Adds a primary/secondary replication system using RocksDB's WAL (Write-Ahead Log) streamed over HTTP
• Secondary bootstraps from a full checkpoint on startup, then streams incremental WAL frames
• Failover is triggered via POST /_tuwunel/replication/promote — no process restart needed
• All replication endpoints are protected by a shared secret token

Test plan:

• Ran two Docker containers (primary on :8008, secondary on :8009)
• Secondary bootstrapped from primary checkpoint at seq 281 and began streaming
• Stopped primary with docker stop (graceful SIGTERM)
• Promoted secondary via curl — responded {"status":"promoted"}
• All messages from before the failover were present on the promoted instance
• Measured RPO ~0 on planned failover, RTO = seconds

Relevant config options added:

• rocksdb_primary_url — URL of primary for WAL streaming
• rocksdb_replication_token — shared secret for endpoint auth
• rocksdb_replication_interval_ms — heartbeat interval (default 250ms)

[pschichtel]

this implements async replication, so some dataloss is to be expected after an expected failover (node failure, disk failure process crash, ...), right?

[JackGuslerGit]

@pschichtel yes, that is correct. Under normal write load, RPO is determined just by network RTT.