feat(sqs): Phase 3.B — XML query-protocol support (3-verb proof) (#662)

## Summary

Phase **3.B** of
[`docs/design/2026_04_24_partial_sqs_compatible_adapter.md`](https://github.com/bootjp/elastickv/blob/main/docs/design/2026_04_24_partial_sqs_compatible_adapter.md)
§16.4. Adds the AWS SQS **query protocol** (form-encoded request, XML
response) alongside the existing JSON protocol on the same listener —
older `aws-sdk-java` v1, `boto < 1.34`, and AWS CLI clients can now talk
to elastickv without modification. Detection happens per-request via
`Content-Type` / `X-Amz-Target` / `Action` presence; no flag, no
separate port. See the new proposal doc committed alongside.

This is an **architectural proof PR**: dispatch + decoding + encoding +
error envelope + the `*Core` refactor pattern are all in place, with
**three verbs** wired end-to-end as concrete proof. Each follow-up verb
is a parser + response struct + one switch arm — no further design work
needed.

### Verbs in this PR

| Verb | Why it's in the proof set |
|---|---|
| `CreateQueue` | Exercises the `Attribute.N.{Name,Value}`
indexed-collection parser. |
| `ListQueues` | Exercises the repeated-element XML response shape. |
| `GetQueueUrl` | Exercises the `<ErrorResponse>` envelope path via
`QueueDoesNotExist`. |

Every other verb returns a structured **501 `NotImplementedYet`** XML
envelope so operators see the gap explicitly. `SendMessage` /
`ReceiveMessage` / `DeleteMessage` are the highest-priority follow-ups
(they need the same `*Core` refactor on the FIFO send loop).

### Key design points

- **No new listener / no flag.** `pickSqsProtocol(*http.Request)`
decides per request. JSON and Query share the SQS port and the SigV4
path.
- **Wire-format-free cores.** `createQueue` / `listQueues` /
`getQueueUrl` are now `decode → core → encode` with `core(ctx, in) (out,
error)`. The JSON wrappers are unchanged in behavior; existing JSON
tests pass without modification.
- **DoS protection inherited.** Body read is bounded by the same
`sqsMaxRequestBodyBytes` the JSON path uses.
- **SigV4 unchanged.** The signed canonical request includes the
form-encoded body, so the existing SigV4 middleware verifies query
requests without code changes.
- **Error parity.** `<Code>` reuses the existing `sqsErr*` constants.
HTTP status mirrors what the JSON path returns, so SDK retry classifiers
work across protocols.
- **Cyclomatic budget honoured.** `handle()` was refactored to extract
`handleQueryProtocol` — `cyclop ≤ 10` per project rules, no `//nolint`.

### Known limitation (design §11.4)

`proxyToLeader`'s error writer always emits the JSON envelope, so a
query-protocol client hitting a follower during a leader flip sees one
JSON error before retry lands on the new leader. Follow-up PR threads
the detected protocol onto the request context so the proxy emits
matching XML.

## Test plan

- [x] `go build ./...` — clean
- [x] `go test -count=1 -race -run
"TestSQS|QueryProtocol|TestPickSqs|TestCollectIndexedKV|TestWriteSQSQueryError"
./adapter/` — passes
- [x] `golangci-lint run ./adapter/...` — `0 issues.`
- [x] `pickSqsProtocol` table tests cover documented edge cases (header
precedence, charset suffix, GET with Action, missing Action, nil
request).
- [x] `collectIndexedKVPairs` tests cover happy path, orphan Name, empty
input, unrelated prefix.
- [x] End-to-end via the in-process listener: CreateQueue / ListQueues /
GetQueueUrl round-trip on the query side.
- [x] **Cross-protocol parity**: a queue created via Query is visible
via JSON `GetQueueUrl` with the same URL.
- [x] Error envelope: 4xx maps to `<Type>Sender</Type>`, 5xx to
`<Type>Receiver</Type>`, namespace pinned, `x-amzn-ErrorType` header
set.
- [x] Unknown verb returns 501 with the `NotImplementedYet` XML
envelope.
- [x] Missing `Action` parameter returns 400 (per design §3).

## Self-review (5 lenses)

1. **Data loss** — Wire-format change only. Cores are byte-for-byte
identical to the previous handler bodies; no Raft / OCC / MVCC code is
touched.
2. **Concurrency** — No new shared state. Detection is request-local.
Body parsing is bounded.
3. **Performance** — One additional `Content-Type` string compare per
request on the dispatch hot path. Negligible.
4. **Data consistency** — `*Core` returns the same business-logic
outputs as before; the JSON tests are the regression net for parity.
Cross-protocol parity test pins behaviour.
5. **Test coverage** — 10 new test cases cover detection, parsing,
envelope shape, and three end-to-end verbs. Existing `TestSQS*` race
suite passes on the refactor.

## Stacking

This PR is **independent** — branched from current `main` (which has
#638 + #649 merged). It does not depend on PR #650 / PR #659. Merge
whenever ready.

Author: bootjp

adapter/sqs.go

@@ -154,6 +154,20 @@ func (s *SQSServer) handle(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	// pickSqsProtocol decides between the JSON path (X-Amz-Target +
+	// JSON body, the existing default) and the query path (form-
+	// encoded body, XML response) on a per-request basis. See
+	// docs/design/2026_04_26_proposed_sqs_query_protocol.md for the
+	// detection rules.
+	if pickSqsProtocol(r) == sqsProtocolQuery {
+		s.handleQueryProtocol(w, r)
+		return
+	}
+	// JSON / Unknown both fall through to the JSON path: the JSON-
+	// style 400 is the most informative error for a client that
+	// has not picked a codec yet (§3 of the design doc). The
+	// dispatch table below stays the single decision point.
+
 	if r.Method != http.MethodPost {
 		w.Header().Set("Allow", http.MethodPost)
 		writeSQSError(w, http.StatusMethodNotAllowed, sqsErrMalformedRequest, "SQS JSON protocol requires POST")
@@ -174,6 +188,27 @@ func (s *SQSServer) handle(w http.ResponseWriter, r *http.Request) {
 	handler(w, r)
 }
 
+// handleQueryProtocol owns the query-protocol leg of handle(): method
+// gating, SigV4 authorisation against the form body, and dispatch
+// into per-verb handlers. Pulled out of handle() so the dispatcher
+// stays under cyclop=10 even as more wire formats are added.
+func (s *SQSServer) handleQueryProtocol(w http.ResponseWriter, r *http.Request) {
+	// GET is legal for query (some legacy ListQueues callers).
+	// POST is the common case. Anything else (PUT/DELETE) is
+	// outside the SQS surface entirely.
+	if r.Method != http.MethodGet && r.Method != http.MethodPost {
+		w.Header().Set("Allow", "GET, POST")
+		writeSQSQueryError(w, newSQSAPIError(http.StatusMethodNotAllowed, sqsErrMalformedRequest,
+			"SQS query protocol requires GET or POST"))
+		return
+	}
+	if authErr := s.authorizeSQSRequest(r); authErr != nil {
+		writeSQSQueryError(w, newSQSAPIError(authErr.Status, authErr.Code, authErr.Message))
+		return
+	}
+	s.handleQuery(w, r)
+}
+
 func (s *SQSServer) serveHealthz(w http.ResponseWriter, r *http.Request) bool {
 	if r == nil || r.URL == nil {
 		return false

adapter/sqs_catalog.go

@@ -508,30 +508,41 @@ func (s *SQSServer) createQueue(w http.ResponseWriter, r *http.Request) {
 		writeSQSErrorFromErr(w, err)
 		return
 	}
-	if err := validateQueueName(in.QueueName); err != nil {
+	queueName, err := s.createQueueCore(r.Context(), &in)
+	if err != nil {
 		writeSQSErrorFromErr(w, err)
 		return
 	}
+	writeSQSJSON(w, map[string]string{"QueueUrl": s.queueURL(r, queueName)})
+}
+
+// createQueueCore is the wire-format-free worker shared by the JSON
+// handler above and the query-protocol handler in
+// sqs_query_protocol.go (Phase 3.B). Returns the canonical queue
+// name on success so each wire wrapper can build its own QueueUrl
+// shape (the URL host comes from the request, which is a wire-layer
+// concern). Errors keep their typed sqsAPIError so both the JSON and
+// XML error envelopes reuse the existing classification path.
+func (s *SQSServer) createQueueCore(ctx context.Context, in *sqsCreateQueueInput) (string, error) {
+	if err := validateQueueName(in.QueueName); err != nil {
+		return "", err
+	}
 	requested, err := parseAttributesIntoMeta(in.QueueName, in.Attributes)
 	if err != nil {
-		writeSQSErrorFromErr(w, err)
-		return
+		return "", err
 	}
 	if len(in.Tags) > sqsMaxTagsPerQueue {
 		// AWS caps tags per queue at 50. CreateQueue must reject
 		// over-cap tag bundles up front; a silent slice-and-store
 		// would let queues land with more tags than TagQueue would
 		// ever accept on the same queue.
-		writeSQSError(w, http.StatusBadRequest, sqsErrInvalidAttributeValue, "queue tag count exceeds 50")
-		return
+		return "", newSQSAPIError(http.StatusBadRequest, sqsErrInvalidAttributeValue, "queue tag count exceeds 50")
 	}
 	requested.Tags = in.Tags
-
-	if err := s.createQueueWithRetry(r.Context(), requested); err != nil {
-		writeSQSErrorFromErr(w, err)
-		return
+	if err := s.createQueueWithRetry(ctx, requested); err != nil {
+		return "", err
 	}
-	writeSQSJSON(w, map[string]string{"QueueUrl": s.queueURL(r, in.QueueName)})
+	return in.QueueName, nil
 }
 
 func (s *SQSServer) createQueueWithRetry(ctx context.Context, requested *sqsQueueMeta) error {
@@ -684,33 +695,46 @@ func (s *SQSServer) listQueues(w http.ResponseWriter, r *http.Request) {
 		writeSQSErrorFromErr(w, err)
 		return
 	}
-	maxResults := clampListQueuesMaxResults(in.MaxResults)
-
-	names, err := s.scanQueueNames(r.Context())
+	page, nextToken, err := s.listQueuesCore(r.Context(), &in)
 	if err != nil {
 		writeSQSErrorFromErr(w, err)
 		return
 	}
+	urls := make([]string, 0, len(page))
+	for _, n := range page {
+		urls = append(urls, s.queueURL(r, n))
+	}
+	resp := map[string]any{"QueueUrls": urls}
+	if nextToken != "" {
+		resp["NextToken"] = nextToken
+	}
+	writeSQSJSON(w, resp)
+}
+
+// listQueuesCore is the wire-format-free worker shared by the JSON
+// handler and the query-protocol handler. Returns the page of queue
+// *names* plus the next-page token (empty when not truncated); URL
+// construction is a wire-layer concern handled by each wrapper.
+func (s *SQSServer) listQueuesCore(ctx context.Context, in *sqsListQueuesInput) ([]string, string, error) {
+	maxResults := clampListQueuesMaxResults(in.MaxResults)
+	names, err := s.scanQueueNames(ctx)
+	if err != nil {
+		return nil, "", err
+	}
 	sort.Strings(names)
 	filtered := filterByPrefix(names, in.QueueNamePrefix)
 	start := resolveListQueuesStart(filtered, in.NextToken)
-
 	end := start + maxResults
 	truncated := end < len(filtered)
 	if !truncated {
 		end = len(filtered)
 	}
 	page := filtered[start:end]
-
-	urls := make([]string, 0, len(page))
-	for _, n := range page {
-		urls = append(urls, s.queueURL(r, n))
-	}
-	resp := map[string]any{"QueueUrls": urls}
+	var nextToken string
 	if truncated && len(page) > 0 {
-		resp["NextToken"] = encodeSQSSegment(page[len(page)-1])
+		nextToken = encodeSQSSegment(page[len(page)-1])
 	}
-	writeSQSJSON(w, resp)
+	return page, nextToken, nil
 }
 
 func clampListQueuesMaxResults(requested int) int {
@@ -796,20 +820,29 @@ func (s *SQSServer) getQueueUrl(w http.ResponseWriter, r *http.Request) {
 		writeSQSErrorFromErr(w, err)
 		return
 	}
-	if err := validateQueueName(in.QueueName); err != nil {
+	queueName, err := s.getQueueUrlCore(r.Context(), &in)
+	if err != nil {
 		writeSQSErrorFromErr(w, err)
 		return
 	}
-	_, exists, err := s.loadQueueMetaAt(r.Context(), in.QueueName, s.nextTxnReadTS(r.Context()))
+	writeSQSJSON(w, map[string]string{"QueueUrl": s.queueURL(r, queueName)})
+}
+
+// getQueueUrlCore is the wire-format-free worker shared by the JSON
+// handler and the query-protocol handler. Returns the validated
+// queue name on success; URL construction is a wire-layer concern.
+func (s *SQSServer) getQueueUrlCore(ctx context.Context, in *sqsGetQueueUrlInput) (string, error) {
+	if err := validateQueueName(in.QueueName); err != nil {
+		return "", err
+	}
+	_, exists, err := s.loadQueueMetaAt(ctx, in.QueueName, s.nextTxnReadTS(ctx))
 	if err != nil {
-		writeSQSErrorFromErr(w, err)
-		return
+		return "", err
 	}
 	if !exists {
-		writeSQSError(w, http.StatusBadRequest, sqsErrQueueDoesNotExist, "queue does not exist")
-		return
+		return "", newSQSAPIError(http.StatusBadRequest, sqsErrQueueDoesNotExist, "queue does not exist")
 	}
-	writeSQSJSON(w, map[string]string{"QueueUrl": s.queueURL(r, in.QueueName)})
+	return in.QueueName, nil
 }
 
 func (s *SQSServer) getQueueAttributes(w http.ResponseWriter, r *http.Request) {