m-ld / m-ld-js

m-ld Javascript engine
https://js.m-ld.org
MIT License

Snapshots cannot be accepted from a state concurrent with a local agreement #140

Closed gsvarovsky closed 1 year ago

gsvarovsky commented 1 year ago

If a clone has been offline for a long time, say, and enacts an agreement by authority during that time:

  1. It will try to recover, with its very old clock.
  2. Finding no-one able to rev it up, it will request a snapshot.

The received snapshot clock will be concurrent with the agreement, and so must have concurrent ops voided – but they're not available. If the snapshot is actually applied, no-one in the domain will have a consistent state.

gsvarovsky commented 1 year ago

Model: snapshot request includes minimum clock, which is last-agreement-seen (also works for unbased recovery).

⚠️ This would be a breaking change to the inter-clone protocol.

If local agreement made while offline, and no-one can rev-up:

  1. No-one can fulfil the snapshot request – no-one has the local agreement
  2. Local clone emits from last-seen – according to some chosen collaborator (how?)
  3. Then ask for a snapshot again

gsvarovsky commented 1 year ago

Model: refuse snapshot response if clock is pre-last-agreement-seen.

⚠️ Needs explicit refusal message – breaking change? No, unexpected message will cause receipt to reject anyway.

  1. Emit from refused last-seen
  2. Wait a while for the world to catch up (soft retry)
  3. Ask for a snapshot again
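
The refuse-and-retry model from the last comment, sketched as an added example (not part of the issue thread or the m-ld-js code base). It assumes plain vector clocks and hypothetical function names, and reads "emit from refused last-seen" as re-sending local operations from the refused snapshot's clock.

```javascript
// Added illustration. Clocks are modelled as plain vector clocks
// ({ cloneId: tick }); every name here is hypothetical, not the m-ld-js API.

// Relation of clock a to clock b: 'equal', 'before', 'after' or 'concurrent'.
function compareClocks(a, b) {
  let aAhead = false, bAhead = false;
  for (const id of new Set([...Object.keys(a), ...Object.keys(b)])) {
    const ta = a[id] ?? 0, tb = b[id] ?? 0;
    if (ta > tb) aAhead = true;
    if (tb > ta) bAhead = true;
  }
  if (aAhead && bAhead) return 'concurrent';
  return aAhead ? 'after' : bAhead ? 'before' : 'equal';
}

// Accept a snapshot only if it causally includes the last agreement seen.
function checkSnapshot(lastAgreementSeen, snapshotClock) {
  const rel = compareClocks(lastAgreementSeen, snapshotClock);
  if (rel === 'before' || rel === 'equal') return { accept: true };
  return { accept: false, reason: rel === 'after' ? 'pre-agreement' : 'concurrent' };
}

// Refuse, emit from the refused clock, soft-wait, then ask again.
// requestSnapshot, emitFrom and wait are injected by the caller (assumed hooks).
function recoverBySnapshot({ lastAgreementSeen, requestSnapshot, emitFrom, wait, maxAttempts = 3 }) {
  const refusals = [];
  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
    const snapshot = requestSnapshot(attempt);
    const verdict = checkSnapshot(lastAgreementSeen, snapshot.clock);
    if (verdict.accept) return { applied: snapshot, attempts: attempt, refusals };
    refusals.push(verdict.reason);
    emitFrom(snapshot.clock); // assumption: re-send local ops the responder lacks
    wait(attempt);            // soft retry: let the domain catch up
  }
  return { applied: null, attempts: maxAttempts, refusals };
}

// Constructed scenario: clone A made an agreement at A:5 while offline.
function demo() {
  const offers = [{ clock: { A: 3, B: 7 } }, { clock: { A: 5, B: 9 } }];
  const emitted = [];
  const result = recoverBySnapshot({
    lastAgreementSeen: { A: 5, B: 2 },
    requestSnapshot: attempt => offers[attempt - 1],
    emitFrom: clock => emitted.push(clock),
    wait: () => {},
  });
  return { ...result, emitted };
}
```

In the constructed scenario the first offer is concurrent with the local agreement and is refused; the second includes it and is applied.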