feat(sqs): live-queue reaper enumerates partitioned keyspace (Phase 3.D PR 6b) (#736)

## Summary

Phase 3.D PR 6b: live-queue reaper enumerates partitioned keyspace.
Follow-up to PR #735 (6a) — the tombstone-driven sweep already walks
partitioned data on DeleteQueue / PurgeQueue, but the live-queue
retention reaper still only saw the legacy keyspace, so:

- retention-expired messages on partitioned queues leaked their data /
vis / byage / group rows forever (`reapQueue` walked
`sqsMsgByAgePrefixAllGenerations` only),
- expired dedup records on partitioned FIFO queues leaked forever
(`reapExpiredDedup` scanned `SqsMsgDedupPrefix` only — empty for
partitioned queues since `sqsMsgDedupKeyDispatch` routes their writes
under `SqsPartitionedMsgDedupPrefix`).

Closes the live-queue half of the Codex P2 from PR #732 round 0; PR 6a
covered the tombstoned-cohort half.

## What changes

- **`reapQueue`**: legacy byage walk extracted as `reapQueueLegacy`
(byte-identical to pre-PR-6b for non-partitioned queues). Adds
`reapQueuePartition` step that runs once per partition for
`PartitionCount > 1` queues. Per-partition budget per the §6 design
("partitions × budget per cycle"); 30s tick interval comfortably
absorbs.

- **`reapPartitionedPage`**: partitioned twin of `reapPage`. Same
live-vs-orphan classification, but parses each entry with
`parseSqsPartitionedMsgByAgeKey` and routes the dispatch through
`reapOneRecordPartitioned`.

- **`classifyPartitionedByAgeEntry`**: helper extracted from
`reapPartitionedPage` so the loop body stays under the cyclop ceiling.
Returns `(parsedKey, reapable bool)`.

- **`reapExpiredDedup`** (signature changed): now takes `*sqsQueueMeta`
and routes by `PartitionCount`. Legacy meta → `reapExpiredDedupLegacy`
(byte-identical). Partitioned meta → `reapExpiredDedupPartitioned`
(NEW), iterates each partition's dedup prefix under its own
per-partition budget.

## Caller audit

- `reapQueue` — one production caller (`reapAllQueues`); signature
unchanged. Non-partitioned queues byte-identical; partitioned get the
extra per-partition pass.
- `reapExpiredDedup` — signature changed to take `*sqsQueueMeta`; one
production caller (`reapAllQueues`), updated. No tests called it
directly.
- New helpers (`reapQueueLegacy` / `reapQueuePartition` /
`reapPartitionedPage` / `reapExpiredDedupLegacy` /
`reapExpiredDedupPartitioned` / `classifyPartitionedByAgeEntry`) each
have exactly one production caller in the new live-queue reap path.
- `reapOneRecordPartitioned` (existing PR 6a helper): previously called
from `reapDeadByAgePartitionPage` (tombstone path); now also from
`reapPartitionedPage` (live-queue path). Same dispatch semantics.

## Tests

- New `TestSQSServer_PartitionedFIFO_LiveQueueDedupReaperPartitions`:
4-partition queue, send across 6 distinct groups, backdate every
partitioned dedup record's `ExpiresAtMillis`, run `reapAllQueues`,
assert every partitioned dedup row across `[0, 4)` is gone. Pre-PR-6b
reaper would leave every row in place.

## Self-review (CLAUDE.md)

1. **Data loss** — Closes the live-queue dedup leak + partitioned
retention-expired-message leak. Legacy queues unchanged.
2. **Concurrency / distributed failures** — Reaper still runs only on
the leader. Per-partition pass is sequential; per-partition budget
bounds the pass. OCC semantics on each record reap unchanged.
3. **Performance** — Per-tick partitioned-queue cost grows from O(1
walk) to O(partition_count walks) on byage AND dedup. Each partition
bounded by `sqsReaperPerQueueBudget`. 30s tick interval comfortably
absorbs 32-partition × per-queue budget per design.
4. **Data consistency** — Live-vs-orphan classification on partitioned
byage mirrors the legacy branch exactly (`reapPage` /
`reapPartitionedPage` share the rules through
`classifyPartitionedByAgeEntry`). `PartitionCount` immutability means
the meta-driven iteration bound matches the on-disk keys.
5. **Test coverage** — One new wire-level integration test for the
partitioned dedup walk; the partitioned byage walk reuses parsing /
dispatch helpers already covered by PR 6a's tombstone-reap integration
test.

## Test plan
- [x] `make lint` — 0 issues
- [x] Targeted reaper / retention / dedup / HTFIFO / PartitionedFIFO
suites (-race, clean)
- [x] Wider regression on Send/Receive/Delete +
CreateQueue/DeleteQueue/PurgeQueue (-race, clean)
- [ ] CI: full Jepsen + race


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Bug Fixes**
* Fixed deduplication record cleanup in partitioned FIFO queues to
properly remove expired records across all partitions.
* Enhanced cleanup mechanism to correctly handle partition-aware
behavior and prevent memory leaks in partitioned queue scenarios.

* **Tests**
* Added comprehensive test for deduplication record cleanup across
partitioned FIFO queue partitions.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Author: bootjp

adapter/sqs_partitioned_dispatch_test.go

@@ -1,6 +1,7 @@
 package adapter
 
 import (
+	"bytes"
 	"context"
 	"fmt"
 	"net/http"
@@ -648,3 +649,194 @@ func countPartitionedRows(t *testing.T, node Node, queueName string, gen uint64)
 	}
 	return total
 }
+
+// TestSQSServer_PartitionedFIFO_LiveQueueDedupReaperPartitions
+// pins the PR 6b contract for live queues: reapExpiredDedup must
+// walk the partitioned dedup keyspace too, otherwise expired
+// dedup records on partitioned FIFO queues leak forever (the
+// pre-PR-6b reaper only scanned SqsMsgDedupPrefix, which is empty
+// for partitioned queues). Closes the live-queue half of the
+// Codex P2 deferred from PR 5b-2 round 0.
+func TestSQSServer_PartitionedFIFO_LiveQueueDedupReaperPartitions(t *testing.T) {
+	t.Parallel()
+	nodes, _, _ := createNode(t, 1)
+	defer shutdown(nodes)
+	node := sqsLeaderNode(t, nodes)
+
+	const queueName = "live-dedup-reap.fifo"
+	status, out := callSQS(t, node, sqsCreateQueueTarget, map[string]any{
+		"QueueName":  queueName,
+		"Attributes": map[string]string{"FifoQueue": "true"},
+	})
+	require.Equal(t, http.StatusOK, status, "create queue: %v", out)
+	queueURL, _ := out["QueueUrl"].(string)
+	require.NotEmpty(t, queueURL)
+
+	const partitions uint32 = 4
+	installPartitionedMetaForTest(t, node, queueName, partitions, htfifoThroughputPerMessageGroupID)
+
+	// Send across distinct groups so dedup records land on more
+	// than one partition; partitionFor (FNV-1a) gives reasonable
+	// spread for these inputs.
+	groups := []string{"alpha", "beta", "gamma", "delta", "epsilon", "zeta"}
+	for _, g := range groups {
+		status, out := callSQS(t, node, sqsSendMessageTarget, map[string]any{
+			"QueueUrl":               queueURL,
+			"MessageBody":            "body-" + g,
+			"MessageGroupId":         g,
+			"MessageDeduplicationId": "dedup-" + g,
+		})
+		require.Equal(t, http.StatusOK, status, "send (group=%s): %v", g, out)
+	}
+
+	srv := node.sqsServer
+	ctx := t.Context()
+
+	// Sanity: at least one partitioned dedup row exists pre-reap.
+	preReap := countPartitionedDedupRowsAcrossPartitions(t, node, queueName, partitions)
+	require.Positive(t, preReap, "expected partitioned dedup rows after sends")
+
+	// Backdate every partitioned dedup record's ExpiresAtMillis
+	// so the reaper's value-based expiry filter trips on every
+	// row. Same approach as TestSQSServer_RetentionReaperDropsExpiredFifoDedup
+	// for the legacy keyspace; here applied per-partition prefix.
+	readTS := srv.nextTxnReadTS(ctx)
+	now := time.Now().UnixMilli()
+	for partition := uint32(0); partition < partitions; partition++ {
+		prefix := sqsPartitionedMsgDedupKeyPrefix(queueName, partition, 1)
+		rows, err := srv.store.ScanAt(ctx, prefix, prefixScanEnd(prefix), 1024, readTS)
+		require.NoError(t, err)
+		for _, row := range rows {
+			rec, err := decodeFifoDedupRecord(row.Value)
+			require.NoError(t, err)
+			rec.ExpiresAtMillis = now - 1000
+			body, err := encodeFifoDedupRecord(rec)
+			require.NoError(t, err)
+			req := &kv.OperationGroup[kv.OP]{
+				IsTxn:   true,
+				StartTS: readTS,
+				Elems: []*kv.Elem[kv.OP]{
+					{Op: kv.Put, Key: bytes.Clone(row.Key), Value: body},
+				},
+			}
+			_, err = srv.coordinator.Dispatch(ctx, req)
+			require.NoError(t, err)
+		}
+	}
+
+	// Drive one reaper pass — the live-queue dedup walk now
+	// dispatches reapExpiredDedupPartitioned for partitioned
+	// queues (PR 6b).
+	require.NoError(t, srv.reapAllQueues(ctx), "reapAllQueues")
+
+	postReap := countPartitionedDedupRowsAcrossPartitions(t, node, queueName, partitions)
+	require.Zero(t, postReap,
+		"expired partitioned dedup records must be reaped (got %d remaining)",
+		postReap)
+}
+
+// countPartitionedDedupRowsAcrossPartitions sums the rows across
+// every partition's partitioned dedup prefix at gen=1 (the
+// generation a freshly-created queue lands on). Test-helper
+// twin of countPartitionedRows scoped to dedup.
+func countPartitionedDedupRowsAcrossPartitions(t *testing.T, node Node, queueName string, partitions uint32) int {
+	t.Helper()
+	ctx := context.Background()
+	readTS := node.sqsServer.nextTxnReadTS(ctx)
+	total := 0
+	for partition := uint32(0); partition < partitions; partition++ {
+		prefix := sqsPartitionedMsgDedupKeyPrefix(queueName, partition, 1)
+		rows, err := node.sqsServer.store.ScanAt(ctx, prefix, prefixScanEnd(prefix), 1024, readTS)
+		require.NoError(t, err)
+		total += len(rows)
+	}
+	return total
+}
+
+// TestClassifyPartitionedByAgeEntry pins every branch of the
+// classify helper that decides which partitioned byage rows the
+// live-queue reaper sweeps. The integration tests above cover
+// the orphan-gen path (tombstoned cohort) and the dedup-expiry
+// path; this unit test fills in the two live-queue paths that
+// have no integration coverage today: the retention-cutoff branch
+// (live gen, sendTs <= cutoff → reapable) and the future-gen
+// guard (parsed.gen > currentGen → not reapable, defensive
+// against a meta-vs-byage race).
+func TestClassifyPartitionedByAgeEntry(t *testing.T) {
+	t.Parallel()
+	const (
+		queueName  = "live-byage.fifo"
+		partition  = uint32(2)
+		currentGen = uint64(5)
+		cutoff     = int64(1_000_000)
+		messageID  = "msg-classify"
+	)
+
+	type want struct {
+		reapable        bool
+		expectedGen     uint64
+		expectedPartn   uint32
+		expectedSendTs  int64
+		expectedMsgID   string
+		assertParsedSet bool // expectedGen / Partition / SendTs / MsgID checked only when true
+	}
+	cases := []struct {
+		name string
+		key  []byte
+		want want
+	}{
+		{
+			name: "live gen within retention window — not reapable",
+			key:  sqsPartitionedMsgByAgeKey(queueName, partition, currentGen, cutoff+1, messageID),
+			want: want{reapable: false, expectedGen: currentGen, expectedPartn: partition, expectedSendTs: cutoff + 1, expectedMsgID: messageID, assertParsedSet: true},
+		},
+		{
+			name: "live gen past retention window — reapable (cutoff branch)",
+			key:  sqsPartitionedMsgByAgeKey(queueName, partition, currentGen, cutoff-1, messageID),
+			want: want{reapable: true, expectedGen: currentGen, expectedPartn: partition, expectedSendTs: cutoff - 1, expectedMsgID: messageID, assertParsedSet: true},
+		},
+		{
+			name: "live gen exactly at cutoff — reapable (>, not >=)",
+			key:  sqsPartitionedMsgByAgeKey(queueName, partition, currentGen, cutoff, messageID),
+			want: want{reapable: true, expectedGen: currentGen, expectedPartn: partition, expectedSendTs: cutoff, expectedMsgID: messageID, assertParsedSet: true},
+		},
+		{
+			name: "orphan generation (gen < currentGen) — reapable unconditionally",
+			key:  sqsPartitionedMsgByAgeKey(queueName, partition, currentGen-1, cutoff+1_000_000, messageID),
+			want: want{reapable: true, expectedGen: currentGen - 1, expectedPartn: partition, expectedSendTs: cutoff + 1_000_000, expectedMsgID: messageID, assertParsedSet: true},
+		},
+		{
+			name: "future generation (gen > currentGen) — not reapable (gen-race guard)",
+			key:  sqsPartitionedMsgByAgeKey(queueName, partition, currentGen+1, cutoff-1, messageID),
+			want: want{reapable: false, expectedGen: currentGen + 1, expectedPartn: partition, expectedSendTs: cutoff - 1, expectedMsgID: messageID, assertParsedSet: true},
+		},
+		{
+			name: "wrong partition — not reapable (page bleed defense)",
+			key:  sqsPartitionedMsgByAgeKey(queueName, partition+1, currentGen, cutoff-1, messageID),
+			want: want{reapable: false, assertParsedSet: false},
+		},
+		{
+			name: "wrong queue prefix — not reapable (parse fails)",
+			key:  sqsPartitionedMsgByAgeKey("different.fifo", partition, currentGen, cutoff-1, messageID),
+			want: want{reapable: false, assertParsedSet: false},
+		},
+		{
+			name: "legacy byage key — not reapable (parse fails)",
+			key:  sqsMsgByAgeKey(queueName, currentGen, cutoff-1, messageID),
+			want: want{reapable: false, assertParsedSet: false},
+		},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			parsed, reapable := classifyPartitionedByAgeEntry(tc.key, queueName, partition, currentGen, cutoff)
+			require.Equal(t, tc.want.reapable, reapable, "reapable")
+			if tc.want.assertParsedSet {
+				require.Equal(t, tc.want.expectedGen, parsed.Generation, "Generation")
+				require.Equal(t, tc.want.expectedPartn, parsed.Partition, "Partition")
+				require.Equal(t, tc.want.expectedSendTs, parsed.SendTimestampMs, "SendTimestampMs")
+				require.Equal(t, tc.want.expectedMsgID, parsed.MessageID, "MessageID")
+			}
+		})
+	}
+}