bootjp
diff --git a/‎adapter/sqs_capability_gate.go‎
Lines changed: 127 additions & 0 deletions b/‎adapter/sqs_capability_gate.go‎
Lines changed: 127 additions & 0 deletions
diff --git a/‎adapter/sqs_capability_gate_test.go‎
Lines changed: 203 additions & 0 deletions b/‎adapter/sqs_capability_gate_test.go‎
Lines changed: 203 additions & 0 deletions
diff --git a/‎adapter/sqs_catalog.go‎
Lines changed: 9 additions & 7 deletions b/‎adapter/sqs_catalog.go‎
Lines changed: 9 additions & 7 deletions
diff --git a/‎adapter/sqs_partitioned_dispatch_test.go‎
Lines changed: 13 additions & 13 deletions b/‎adapter/sqs_partitioned_dispatch_test.go‎
Lines changed: 13 additions & 13 deletions
@@ -0,0 +1,127 @@
+package adapter
+
+import (
+	"context"
+	"net/http"
+	"sort"
+	"strings"
+)
+
+// validateHTFIFOCapability is the §11 PR 5b-3 gate that replaced the
+// PR 2 dormancy reject. CreateQueue calls this on every request; it
+// is a no-op for legacy / single-partition meta and the full
+// cluster-wide capability check for partitioned FIFO meta.
+//
+// Two-stage check, both fail-closed:
+//
+//  1. Local: this binary must advertise the htfifo capability
+//     (htfifoCapabilityAdvertised). If false, no amount of peer
+//     polling can make the create safe — the leader handling the
+//     request will write the partitioned-shape meta but its own
+//     data plane does not understand the partitioned keyspace.
+//
+//  2. Peers: every entry in s.leaderSQS must report htfifo via
+//     /sqs_health within the poller's per-peer timeout. Any
+//     timeout, HTTP error, malformed body, or missing capability
+//     blocks the create. This catches mid-rolling-upgrade clusters
+//     where the leader is on a new binary but a follower is still
+//     on the old one — the follower would silently store a
+//     partitioned record under the legacy keyspace if it ever won
+//     leadership, so we refuse the create until everyone is on a
+//     binary that handles the new layout.
+//
+// The vacuous case (single-node cluster, leaderSQS empty) is
+// allowed: the local check covers the only node that will ever
+// host the queue. proxyToLeader has already steered the request to
+// the leader, and the leadership-refusal hook (PR 4-B-3b) keeps
+// non-htfifo binaries from acquiring leadership over partitioned-
+// queue Raft groups, so the gate's fail-closed default holds even
+// after the create succeeds.
+func (s *SQSServer) validateHTFIFOCapability(ctx context.Context, requested *sqsQueueMeta) error {
+	if requested == nil || requested.PartitionCount <= 1 {
+		return nil
+	}
+	if !htfifoCapabilityAdvertised {
+		return newSQSAPIError(http.StatusBadRequest, sqsErrInvalidAttributeValue,
+			"PartitionCount > 1 requires the htfifo capability, which this node does not advertise")
+	}
+	peers := s.collectSQSPeers()
+	if len(peers) == 0 {
+		// Single-node deployment: the local check above is the
+		// whole cluster. Vacuously true on the peer side.
+		return nil
+	}
+	report := PollSQSHTFIFOCapability(ctx, peers, PollerConfig{})
+	if report == nil || !report.AllAdvertise {
+		return newSQSAPIError(http.StatusBadRequest, sqsErrInvalidAttributeValue,
+			buildHTFIFOCapabilityRejection(report))
+	}
+	return nil
+}
+
+// collectSQSPeers returns every distinct, non-empty SQS-side address
+// from s.leaderSQS in deterministic (sorted) order. Used by the
+// CreateQueue capability gate so error messages and tests pin a
+// stable peer order. The map may legitimately contain self (the
+// proxy-to-leader path uses the same map to find the leader's SQS
+// address by Raft addr); polling self over loopback is cheap and
+// keeps the "every peer reports htfifo" invariant uniform.
+func (s *SQSServer) collectSQSPeers() []string {
+	if len(s.leaderSQS) == 0 {
+		return nil
+	}
+	peers := make([]string, 0, len(s.leaderSQS))
+	seen := make(map[string]struct{}, len(s.leaderSQS))
+	for _, addr := range s.leaderSQS {
+		if addr == "" {
+			continue
+		}
+		if _, ok := seen[addr]; ok {
+			continue
+		}
+		seen[addr] = struct{}{}
+		peers = append(peers, addr)
+	}
+	sort.Strings(peers)
+	return peers
+}
+
+// buildHTFIFOCapabilityRejection composes the operator-facing message
+// for a failed capability poll. Lists the peers that did not
+// advertise htfifo (with the per-peer Error or "missing capability"
+// reason) so the operator can fix the rolling-upgrade lag without
+// rerunning the poll out-of-band. Order matches report.Peers, which
+// matches collectSQSPeers' sorted input order — deterministic.
+func buildHTFIFOCapabilityRejection(report *HTFIFOCapabilityReport) string {
+	var b strings.Builder
+	b.WriteString("PartitionCount > 1 requires every cluster peer to advertise the htfifo capability via /sqs_health; the following peers did not: ")
+	if report == nil {
+		b.WriteString("(no report)")
+		return b.String()
+	}
+	first := true
+	for _, p := range report.Peers {
+		if p.HasHTFIFO {
+			continue
+		}
+		if !first {
+			b.WriteString(", ")
+		}
+		first = false
+		b.WriteString(p.Address)
+		b.WriteString(" (")
+		if p.Error != "" {
+			b.WriteString(p.Error)
+		} else {
+			b.WriteString("missing capability")
+		}
+		b.WriteString(")")
+	}
+	if first {
+		// Defensive: AllAdvertise was false but no peer surfaced a
+		// reason. Should never happen, but emit a non-empty hint
+		// rather than a truncated message ending in a colon.
+		b.WriteString("(unknown peer)")
+	}
+	return b.String()
+}
@@ -0,0 +1,203 @@
+package adapter
+
+import (
+	"context"
+	"errors"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+// htfifoCapabilityServer spins up a minimal /sqs_health responder
+// returning HTTP 200 with the given capabilities array. Stand-in
+// for a peer node during the capability-gate tests.
+func htfifoCapabilityServer(t *testing.T, capabilities []string) *httptest.Server {
+	t.Helper()
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Path != sqsHealthPath {
+			http.NotFound(w, r)
+			return
+		}
+		writeSQSHealthJSONBody(w, r, http.StatusOK, sqsHealthBody{
+			Status:       "ok",
+			Capabilities: capabilities,
+		})
+	}))
+	t.Cleanup(srv.Close)
+	return srv
+}
+
+// TestValidateHTFIFOCapability_ShortCircuitsOnLegacyMeta pins the
+// no-op path: PartitionCount <= 1 must skip the capability poll
+// entirely so legacy and single-partition CreateQueue calls do not
+// pay the cluster-wide poll cost.
+func TestValidateHTFIFOCapability_ShortCircuitsOnLegacyMeta(t *testing.T) {
+	t.Parallel()
+
+	// Wire a peer whose /sqs_health would FAIL the gate, then
+	// verify validateHTFIFOCapability does NOT poll it (the call
+	// would otherwise reject). leaderSQS is non-empty so the
+	// "vacuous empty list" path isn't what's saving us.
+	bad := htfifoCapabilityServer(t, nil)
+	s := &SQSServer{leaderSQS: map[string]string{"raft1": strings.TrimPrefix(bad.URL, "http://")}}
+
+	for _, pc := range []uint32{0, 1} {
+		err := s.validateHTFIFOCapability(context.Background(), &sqsQueueMeta{PartitionCount: pc})
+		require.NoErrorf(t, err, "PartitionCount=%d must skip the poll entirely (gate is HT-FIFO-only)", pc)
+	}
+
+	// Defensive: nil meta also short-circuits — never reach the
+	// poll for an unset/zero meta. Pinned so a future refactor
+	// that added a poll on the nil path would fail loudly here.
+	require.NoError(t, s.validateHTFIFOCapability(context.Background(), nil))
+}
+
+// TestValidateHTFIFOCapability_AcceptsWhenAllPeersAdvertise pins
+// the happy path: every peer in leaderSQS reports the htfifo
+// capability via /sqs_health → the gate passes for
+// PartitionCount > 1.
+func TestValidateHTFIFOCapability_AcceptsWhenAllPeersAdvertise(t *testing.T) {
+	t.Parallel()
+
+	caps := []string{sqsCapabilityHTFIFO}
+	good1 := htfifoCapabilityServer(t, caps)
+	good2 := htfifoCapabilityServer(t, caps)
+	s := &SQSServer{leaderSQS: map[string]string{
+		"raft1": strings.TrimPrefix(good1.URL, "http://"),
+		"raft2": strings.TrimPrefix(good2.URL, "http://"),
+	}}
+
+	require.NoError(t, s.validateHTFIFOCapability(context.Background(), &sqsQueueMeta{PartitionCount: 4}))
+}
+
+// TestValidateHTFIFOCapability_AcceptsOnEmptyPeerList pins the
+// vacuous case: a single-node cluster (no peers) with the local
+// htfifo capability advertised must allow PartitionCount > 1.
+// htfifoCapabilityAdvertised is a build-time const = true so the
+// local check passes; the empty peer list short-circuits the
+// poll. This is the path the wire-level
+// TestSQSServer_HTFIFO_CapabilityGate_AcceptsOnSingleNode test
+// exercises end-to-end.
+func TestValidateHTFIFOCapability_AcceptsOnEmptyPeerList(t *testing.T) {
+	t.Parallel()
+	s := &SQSServer{}
+	require.NoError(t, s.validateHTFIFOCapability(context.Background(), &sqsQueueMeta{PartitionCount: 4}))
+}
+
+// TestValidateHTFIFOCapability_RejectsWhenOnePeerLacksCapability
+// pins the rolling-upgrade fail-closed: one peer advertises
+// htfifo, the other doesn't — the gate must reject the create
+// with InvalidAttributeValue and surface the offending peer in
+// the error message so the operator can fix the cluster without
+// re-running the poll out-of-band.
+func TestValidateHTFIFOCapability_RejectsWhenOnePeerLacksCapability(t *testing.T) {
+	t.Parallel()
+
+	good := htfifoCapabilityServer(t, []string{sqsCapabilityHTFIFO})
+	old := htfifoCapabilityServer(t, []string{}) // pre-htfifo binary
+	oldAddr := strings.TrimPrefix(old.URL, "http://")
+	s := &SQSServer{leaderSQS: map[string]string{
+		"raft1": strings.TrimPrefix(good.URL, "http://"),
+		"raft2": oldAddr,
+	}}
+
+	err := s.validateHTFIFOCapability(context.Background(), &sqsQueueMeta{PartitionCount: 8})
+	require.Error(t, err)
+
+	var apiErr *sqsAPIError
+	ok := errors.As(err, &apiErr)
+	require.True(t, ok, "must surface as sqsAPIError so the wire layer maps to InvalidAttributeValue, got %T", err)
+	require.Equal(t, http.StatusBadRequest, apiErr.status)
+	require.Equal(t, sqsErrInvalidAttributeValue, apiErr.errorType)
+	require.Contains(t, apiErr.message, "every cluster peer to advertise the htfifo capability",
+		"message must explain the gate so the operator knows what to fix")
+	require.Contains(t, apiErr.message, oldAddr,
+		"the offending peer must appear in the message, got %q", apiErr.message)
+}
+
+// TestValidateHTFIFOCapability_RejectsWhenPeerUnreachable pins
+// the network-failure fail-closed: a peer whose /sqs_health is
+// unreachable (closed listener) must block the create. A
+// transient network blip during a CreateQueue is exactly the
+// class of partial-cluster state the gate is designed to catch —
+// silently accepting the create here would let a partitioned
+// queue land while a peer is offline and silently drop messages
+// the moment that peer comes back as a non-htfifo binary.
+func TestValidateHTFIFOCapability_RejectsWhenPeerUnreachable(t *testing.T) {
+	t.Parallel()
+
+	// Bind a port, capture its address, then close the listener
+	// so dials fail immediately rather than waiting on the
+	// per-peer timeout.
+	srv := htfifoCapabilityServer(t, []string{sqsCapabilityHTFIFO})
+	deadAddr := strings.TrimPrefix(srv.URL, "http://")
+	srv.Close()
+
+	s := &SQSServer{leaderSQS: map[string]string{"raft1": deadAddr}}
+
+	err := s.validateHTFIFOCapability(context.Background(), &sqsQueueMeta{PartitionCount: 2})
+	require.Error(t, err)
+	var apiErr *sqsAPIError
+	ok := errors.As(err, &apiErr)
+	require.True(t, ok)
+	require.Equal(t, http.StatusBadRequest, apiErr.status)
+	require.Equal(t, sqsErrInvalidAttributeValue, apiErr.errorType)
+	require.Contains(t, apiErr.message, deadAddr,
+		"unreachable peer must be named in the rejection message")
+}
+
+// TestCollectSQSPeers_Deterministic pins the helper's order +
+// dedup contract: leaderSQS is a map (random Go iteration order),
+// but the gate's error message and the poller's per-peer index
+// must be deterministic so test assertions, log lines, and
+// operator triage are stable across runs.
+func TestCollectSQSPeers_Deterministic(t *testing.T) {
+	t.Parallel()
+
+	s := &SQSServer{leaderSQS: map[string]string{
+		"r1": "node3:9000",
+		"r2": "node1:9000",
+		"r3": "node2:9000",
+		"r4": "node1:9000", // duplicate (two Raft nodes pointing at one SQS endpoint)
+		"r5": "",           // empty string must be skipped
+	}}
+
+	got := s.collectSQSPeers()
+	require.Equal(t, []string{"node1:9000", "node2:9000", "node3:9000"}, got,
+		"peers must be sorted, deduped, and free of empty strings")
+
+	// Empty leaderSQS: caller relies on len()==0 to skip the
+	// poll on single-node deployments.
+	require.Empty(t, (&SQSServer{}).collectSQSPeers())
+}
+
+// TestBuildHTFIFOCapabilityRejection_ShapesOperatorMessage pins the
+// rejection-message shape so a future refactor cannot accidentally
+// truncate the per-peer detail. Each failing peer must contribute
+// a "(reason)" suffix; peers that pass do not appear at all.
+func TestBuildHTFIFOCapabilityRejection_ShapesOperatorMessage(t *testing.T) {
+	t.Parallel()
+
+	report := &HTFIFOCapabilityReport{
+		Peers: []HTFIFOCapabilityPeerStatus{
+			{Address: "ok:9000", HasHTFIFO: true},
+			{Address: "old:9000", HasHTFIFO: false, Capabilities: []string{}},
+			{Address: "down:9000", HasHTFIFO: false, Error: "dial tcp: refused"},
+		},
+	}
+
+	msg := buildHTFIFOCapabilityRejection(report)
+	require.Contains(t, msg, "every cluster peer to advertise the htfifo capability")
+	require.NotContains(t, msg, "ok:9000", "advertising peers must NOT appear in the rejection")
+	require.Contains(t, msg, "old:9000 (missing capability)")
+	require.Contains(t, msg, "down:9000 (dial tcp: refused)")
+
+	// Defensive: nil report and "all-passing-but-AllAdvertise-false" path.
+	require.Contains(t, buildHTFIFOCapabilityRejection(nil), "no report")
+	allPass := &HTFIFOCapabilityReport{Peers: []HTFIFOCapabilityPeerStatus{{Address: "x", HasHTFIFO: true}}}
+	require.Contains(t, buildHTFIFOCapabilityRejection(allPass), "unknown peer",
+		"never emit a truncated 'did not: ' tail when no peer details surface")
+}
@@ -903,13 +903,15 @@ func (s *SQSServer) createQueueCore(ctx context.Context, in *sqsCreateQueueInput
 	if err != nil {
 		return "", err
 	}
-	// Temporary dormancy gate (Phase 3.D §11 PR 2). PartitionCount > 1
-	// must reject until PR 5 wires the data plane atomically with the
-	// gate-lift. Without this, accepting a partitioned-queue create
-	// would let SendMessage write under the legacy single-partition
-	// prefix; the PR 5 reader would never find those messages and the
-	// reaper would not enumerate them — silent message loss.
-	if err := validatePartitionDormancyGate(requested); err != nil {
+	// Cluster-wide htfifo capability gate (Phase 3.D §11 PR 5b-3,
+	// replaces the PR 2 dormancy reject). PartitionCount > 1 is
+	// rejected unless this binary AND every peer in s.leaderSQS
+	// advertise the htfifo capability via /sqs_health. The gate
+	// fails closed on any peer timeout, HTTP error, malformed body,
+	// or missing capability so a partitioned queue cannot land in a
+	// partially-upgraded cluster where some peer would silently
+	// store its records under the legacy single-partition keyspace.
+	if err := s.validateHTFIFOCapability(ctx, requested); err != nil {
 		return "", err
 	}
 	if len(in.Tags) > sqsMaxTagsPerQueue {
 
@@ -14,14 +14,12 @@ import (
 )
 
 // Integration tests for the PR 5b-2 partitioned-FIFO data plane
-// wiring. The §11 PR 2 dormancy gate still rejects PartitionCount
-// > 1 at CreateQueue (lifted atomically with the capability check
-// in PR 5b-3), so these tests reach below the public CreateQueue
-// surface to install a partitioned meta record directly. That
-// short-circuits the dormancy gate for the duration of the test
-// without disabling it for production CreateQueue calls — which
-// is the exact split the design doc envisaged for "data plane
-// landed but not user-creatable yet."
+// wiring. PR 5b-3 has since lifted the §11 PR 2 dormancy gate, so
+// CreateQueue with PartitionCount > 1 succeeds on a single-node
+// cluster. The helper below predates that gate-lift and overrides
+// the meta record directly to keep these tests independent of the
+// CreateQueue capability path; new partitioned-FIFO tests should
+// prefer the public CreateQueue surface.
 
 // installPartitionedMetaForTest overwrites the queue's meta record
 // with a partitioned shape (PartitionCount > 1) by dispatching a
@@ -30,11 +28,13 @@ import (
 // counters and the catalog index are populated correctly); only
 // the partition-shape attributes are mutated.
 //
-// The dormancy gate intercepts CreateQueue, not the data plane,
-// so once the meta record carries PartitionCount > 1 every
-// SendMessage / ReceiveMessage / DeleteMessage call routes
-// through the partitioned dispatch helpers exactly as it would
-// after PR 5b-3 lifts the gate.
+// Predates the PR 5b-3 gate-lift; still useful for tests that want
+// to bypass the capability poll (e.g. when CreateQueue would have
+// to negotiate over a fake peer list). Once the meta record
+// carries PartitionCount > 1, every SendMessage / ReceiveMessage /
+// DeleteMessage call routes through the partitioned dispatch
+// helpers exactly as it would after a normal partitioned-queue
+// CreateQueue.
 func installPartitionedMetaForTest(t *testing.T, node Node, queueName string, partitionCount uint32, throughputLimit string) {
 	t.Helper()
 	s := node.sqsServer