Write protect repository only when primary is not on the latest version

Relates to #2717 (comment 356256531)

Our current approach is to put a virtual storage (shard) into read-only mode when a node failure is detected. This is a conservative strategy since some repos may be unaffected by a node failure.

A more focused and optimal approach:

  • Only repositories should be designated read-only (not entire storages or shards)
  • A repo is considered to be read-only iff the repo's primary replica is stale
    • Clarification: the repo is not considered to be in read-only mode if any of the secondary replicas is stale. Stale secondary replicas are expected in an eventually consistent system.
Edited by Sami Hiltunen
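
The per-repository rule proposed above, as an added Go sketch (not code from the issue or from the project). The `Replica`, `Repo`, `ReadOnly`, `WriteProtected` and `SampleRepos` names, the integer version counter and the fail-closed handling of a primary that holds no copy are all assumptions made for illustration.

```go
package main

import "fmt"

// Replica is one copy of a repository; Version is a hypothetical write counter (assumption).
type Replica struct {
	Node    string
	Version int
}

// Repo lists a repository's replicas and names the node acting as primary.
type Repo struct {
	Path, Primary string
	Replicas      []Replica
}

// ReadOnly is true iff the primary is behind the newest replica; no primary copy counts as stale (assumed).
func ReadOnly(r Repo) bool {
	latest, primary := 0, -1
	for _, rep := range r.Replicas {
		if rep.Version > latest {
			latest = rep.Version
		}
		if rep.Node == r.Primary {
			primary = rep.Version
		}
	}
	return primary < latest
}

// WriteProtected returns the paths that must reject writes under the per-repository rule.
func WriteProtected(repos []Repo) (out []string) {
	for _, r := range repos {
		if ReadOnly(r) {
			out = append(out, r.Path)
		}
	}
	return out
}

// SampleRepos is constructed data: node-1 has failed and node-2 is now the primary.
func SampleRepos() []Repo {
	return []Repo{
		{"group/a.git", "node-2", []Replica{{"node-2", 5}, {"node-3", 4}}}, // stale secondary only
		{"group/b.git", "node-2", []Replica{{"node-2", 2}, {"node-3", 3}}}, // stale primary
		{"group/c.git", "node-2", []Replica{{"node-3", 1}}},                // primary has no copy
	}
}

func main() { fmt.Println(WriteProtected(SampleRepos())) }
```

With the current storage-wide approach all three sample repositories would become read-only; under the per-repository rule `group/a.git` keeps accepting writes because only a secondary is stale.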