feat(sqs): partition resolver for HT-FIFO routing (Phase 3.D PR 4-B-2) (#715)

## Summary

Routing-layer half of PR 4-B. Adds a `PartitionResolver` that
`ShardRouter` consults BEFORE falling through to the byte-range engine.
SQS HT-FIFO needs partition-aware dispatch, but the engine's
non-overlapping-cover model can't express overlay routes — the
resolver-first dispatch sidesteps this cleanly.

Stacks on top of #708 (PR 4-B-1, capability JSON). Next is PR 4-B-3
(leadership-refusal + catalog polling + flip
`htfifoCapabilityAdvertised` to `true`).

## What's added

- `kv.PartitionResolver` interface — `ResolveGroup([]byte) (uint64,
bool)`.
- `kv.ShardRouter.WithPartitionResolver(...)` — fluent option, nil-safe.
- `kv.ShardRouter.resolveGroup(...)` — unified dispatch path: resolver
first, engine fallback. Both `groupRequests` (Commit/Abort) and `Get`
route through it.
- `kv.ShardedCoordinator.WithPartitionResolver(...)` — delegates to the
router so `main.go` can install via the existing fluent-construction
style.
- `adapter.SQSPartitionResolver` — parses `(queue, partition)` from the
partitioned key shape, looks up the operator-chosen group. Defensive
copy at construction, nil-safe `ResolveGroup`, returns `(0, false)` for
legacy / non-matching keys.
- `main.go` — builds the resolver from
`runtimeConfig.sqsFifoPartitionMap` and installs it. Resolver is `nil`
on a non-partitioned cluster — hot path stays engine-only.

## What's NOT added (deferred to PR 4-B-3)

- §8 leadership-refusal hook in `kv` (refuses leadership for an SQS Raft
group hosting a partitioned queue when the binary lacks `htfifo`).
- Catalog-polling helper for the CreateQueue capability gate (PR 5
starts using it).
- Flipping `htfifoCapabilityAdvertised` from `false` to `true`.

The design's "advertise htfifo only when both routing AND
leadership-refusal are in place" rule keeps the constant `false` in this
PR — PR 4-B-3 flips it.

## Test plan

- [x] `adapter/sqs_partition_resolver_test.go` — 9 top-level tests:
nil-on-empty, defensive-copy, partition dispatch across all 5 families,
queue-name prefix isolation (`"queue"` vs `"queue1"`), legacy
fall-through (8 sub-cases), unknown queue, out-of-range partition, nil
receiver, prefix alignment with `sqs_keys.go` constants.
- [x] `kv/shard_router_partition_test.go` — 4 tests: resolver wins over
engine, engine fallthrough on resolver-miss, nil resolver no-op, `Get`
path also routes through the resolver.
- [x] `go test -race ./kv/...` pass.
- [x] `go test -race ./adapter/...` pass.
- [x] `golangci-lint ./kv/... ./adapter/... .` clean.

## Self-review (per CLAUDE.md)

1. **Data loss** — routing layer only; no FSM/Pebble/retention path. No
issue.
2. **Concurrency** — `partitionResolver` is set once at startup before
any request. `ResolveGroup` reads a constructor-time defensive copy, so
a future hot-reload of `--sqsFifoPartitionMap` cannot perturb in-flight
requests. No issue.
3. **Performance** — one map lookup + 4-byte BigEndian decode per
resolver hit (only on partitioned-prefix matches). Engine-only path adds
a single `if s.partitionResolver != nil` branch. No issue.
4. **Data consistency** — resolver output strictly OVERRIDES the engine
for partitioned keys; legacy keys flow through unchanged. "queue not
found" / "partition out of range" branches return `(0, false)` so the
router surfaces an explicit error rather than silently mis-routing. No
issue.
5. **Test coverage** — 13 tests across two new files; existing
`TestShardRouter*` tests unchanged. Both override and fall-through paths
pinned, plus the queue-name prefix-isolation invariant from PR #703.


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **New Features**
* Added partition-based routing for distributed coordination. Requests
are now directed to specific nodes based on configured partition
mappings.
* Enhanced SQS queue handling with optional partition-aware routing.
When partition information is unavailable or unconfigured, the system
automatically falls back to the existing routing mechanism.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Author: bootjp

adapter/sqs_partition_resolver.go

@@ -0,0 +1,165 @@
+package adapter
+
+import (
+	"bytes"
+	"encoding/binary"
+)
+
+// SQSPartitionResolver maps a partitioned-SQS key to the operator-
+// chosen Raft group for the (queue, partition) tuple. Implements
+// kv.PartitionResolver via duck typing — see the integration in
+// main.go where the resolver is installed on ShardedCoordinator.
+//
+// The byte-range engine cannot route partitioned queues because
+// adding per-partition routes would break its non-overlapping-cover
+// invariant (a partition route for partition K of one queue would
+// leave a gap for legacy keys that fall lexicographically between
+// partitions K and K+1). The resolver-first dispatch path avoids
+// this — it answers only for keys that match a partitioned family
+// prefix and otherwise lets the engine handle dispatch.
+type SQSPartitionResolver struct {
+	routes map[string][]uint64
+}
+
+// NewSQSPartitionResolver builds a resolver from the operator-
+// supplied partition map. routes[queue][k] is the Raft group ID
+// that owns partition k of queue, with len(routes[queue]) equal to
+// the queue's PartitionCount.
+//
+// Returns nil when routes is empty so callers can keep the resolver
+// out of the request path entirely on a non-partitioned cluster
+// (kv.ShardRouter.WithPartitionResolver(nil) is a documented no-op).
+//
+// The constructor takes a defensive copy so a later caller mutation
+// to the input map does not leak into the resolver's view at
+// runtime.
+func NewSQSPartitionResolver(routes map[string][]uint64) *SQSPartitionResolver {
+	if len(routes) == 0 {
+		return nil
+	}
+	cp := make(map[string][]uint64, len(routes))
+	for queue, groups := range routes {
+		ids := make([]uint64, len(groups))
+		copy(ids, groups)
+		cp[queue] = ids
+	}
+	return &SQSPartitionResolver{routes: cp}
+}
+
+// sqsResolverFamilyPrefixes is the set of partitioned-SQS family
+// prefixes ResolveGroup recognises. Pre-converted to []byte so the
+// hot-path bytes.HasPrefix call avoids an allocation per check
+// (gemini medium on PR #715). Kept package-internal so any future
+// renamed prefix touches both this list and the constant
+// declaration in sqs_keys.go — TestSQSPartitionResolver_PrefixesAlign
+// pins the alignment.
+var sqsResolverFamilyPrefixes = [][]byte{
+	[]byte(SqsPartitionedMsgDataPrefix),
+	[]byte(SqsPartitionedMsgVisPrefix),
+	[]byte(SqsPartitionedMsgDedupPrefix),
+	[]byte(SqsPartitionedMsgGroupPrefix),
+	[]byte(SqsPartitionedMsgByAgePrefix),
+}
+
+// ResolveGroup decodes the (queue, partition) embedded in a
+// partitioned-SQS key and returns the operator-chosen Raft group.
+//
+// Returns (0, false) for any key that does not match a partitioned
+// family prefix (legacy SQS, KV, S3, DynamoDB, queue-meta records,
+// …) so kv.ShardRouter falls through to its byte-range engine for
+// default routing.
+//
+// Returns (0, false) for a partitioned-shaped key whose queue is
+// not in the routes map or whose partition index is beyond
+// len(routes[queue]). The router pairs this with
+// RecognisesPartitionedKey to fail closed instead of falling
+// through — silently routing through the engine's
+// !sqs|route|global default would mis-route HT-FIFO traffic during
+// partition-map drift (codex P1 round 2 on PR #715).
+func (r *SQSPartitionResolver) ResolveGroup(key []byte) (uint64, bool) {
+	if r == nil || len(key) == 0 {
+		return 0, false
+	}
+	queue, partition, ok := parsePartitionedSQSKey(key)
+	if !ok {
+		return 0, false
+	}
+	groups, found := r.routes[queue]
+	if !found {
+		return 0, false
+	}
+	// Defensive: a partition value outside the slice is a config /
+	// upstream-bug signal, not a routable key. Returning false
+	// surfaces it as "no route" at the router boundary, which is
+	// the correct fail-closed behaviour.
+	if uint64(partition) >= uint64(len(groups)) {
+		return 0, false
+	}
+	return groups[partition], true
+}
+
+// RecognisesPartitionedKey reports whether key has the structural
+// shape of a partitioned-SQS key — i.e. starts with one of the
+// partitioned family prefixes. The check is PREFIX-ONLY, not a
+// full parse: a key with a partitioned prefix followed by a
+// malformed queue / partition segment still answers true, so the
+// router fails closed via kv.PartitionResolver semantics instead
+// of falling through to the engine and silently routing to the
+// SQS catalog default group via routeKey's !sqs|route|global
+// collapse (round 5 review nit on PR #715).
+//
+// A nil receiver returns false so kv.ShardRouter's typed-nil case
+// (ResolveGroup(nil) == (0, false)) pairs with an honest "I don't
+// recognise anything" answer instead of falsely claiming a shape.
+func (r *SQSPartitionResolver) RecognisesPartitionedKey(key []byte) bool {
+	if r == nil || len(key) == 0 {
+		return false
+	}
+	_, ok := stripPartitionedFamilyPrefix(key)
+	return ok
+}
+
+// parsePartitionedSQSKey extracts the (queue, partition) pair from
+// a partitioned-SQS key. Returns ok=false for any key that does not
+// match a partitioned family prefix or that has a malformed queue /
+// partition segment. Exposed at package-internal scope so the
+// adapter's reaper / fanout reader can share the same parser
+// (Phase 3.D PR 5).
+func parsePartitionedSQSKey(key []byte) (string, uint32, bool) {
+	rest, matched := stripPartitionedFamilyPrefix(key)
+	if !matched {
+		return "", 0, false
+	}
+	// After the family prefix, the variable-length encoded queue
+	// segment is terminated by '|' (sqsPartitionedQueueTerminator).
+	// base64.RawURLEncoding never emits '|', so the first '|' in
+	// rest is unambiguously the queue terminator.
+	pipeIdx := bytes.IndexByte(rest, sqsPartitionedQueueTerminator)
+	if pipeIdx <= 0 {
+		return "", 0, false
+	}
+	encQueue := rest[:pipeIdx]
+	rest = rest[pipeIdx+1:]
+	const partitionLen = 4
+	if len(rest) < partitionLen {
+		return "", 0, false
+	}
+	partition := binary.BigEndian.Uint32(rest[:partitionLen])
+	queue, err := decodeSQSSegment(string(encQueue))
+	if err != nil {
+		return "", 0, false
+	}
+	return queue, partition, true
+}
+
+// stripPartitionedFamilyPrefix returns the bytes after the matched
+// family prefix. matched=false if key has none of the known
+// partitioned family prefixes.
+func stripPartitionedFamilyPrefix(key []byte) ([]byte, bool) {
+	for _, prefix := range sqsResolverFamilyPrefixes {
+		if bytes.HasPrefix(key, prefix) {
+			return key[len(prefix):], true
+		}
+	}
+	return nil, false
+}