Adds internal/backup/snapshot_reader.go: the .fsm file parser that
underpins the cmd/elastickv-snapshot-decode binary (design
docs/design/2026_04_29_proposed_snapshot_logical_decoder.md
lines 440-491). Mirrors the native Pebble snapshot format produced
by store/lsm_store.go::pebbleSnapshotMagic + restoreBatchLoopInto.

File shape consumed:

  [8 bytes]   magic "EKVPBBL1"
  [8 bytes]   lastCommitTS (LittleEndian uint64)
  repeated:
    [8 bytes]   keyLen (LittleEndian uint64)
    [keyLen]    encoded key  = <userKey><invTS(8 BE)>
    [8 bytes]   valLen (LittleEndian uint64)
    [valLen]    encoded value = <flags(1)><expireAt(8 LE)><body>

Per-entry decoding strips:
- The 8-byte inverted-TS suffix from the key (recovers commit_ts
  via XOR-inversion across the math.MaxUint64 boundary).
- The 9-byte value header from the value (surfaces tombstone flag,
  encryption_state, expireAt).

API surface (ReadSnapshot + SnapshotHeader + SnapshotEntry +
sentinel errors). Callback-based so callers can stream
multi-GB snapshots without buffering the whole file in memory; the
emitted SnapshotEntry's byte slices alias scratch buffers and the
caller must bytes.Clone for retention.

Fail-closed contract (matches design 7.1):
- ErrSnapshotBadMagic    - first 8 bytes not "EKVPBBL1" (operator
                           pointed at the wrong file)
- ErrSnapshotTruncated   - EOF mid-entry (a clean inter-entry EOF
                           is the normal terminator and is NOT
                           an error)
- ErrSnapshotShortKey    - encoded key < 8 bytes (no room for TS)
- ErrSnapshotShortValue  - encoded value < 9 bytes (no room for
                           value header)
- ErrSnapshotEncryptedReserved - reserved encryption_state bits
                           (0b10, 0b11) or bits 3-7 set; same
                           fail-closed trip-wire as
                           store.ErrEncryptedValueReservedState
- ErrSnapshotEncryptedEntry - encState=0b01 (encrypted).
                           Phase 0a does not link the decryption
                           keyring; Stage 8 of the encryption
                           rollout adds a keyring-aware variant.

Self-review:
1. Data loss   - tombstone flag surfaced verbatim so callers can
   choose to suppress (default Phase 0a backup behavior) or
   include (a future diagnostic dump might want both). EOF
   distinction between clean terminator and truncation prevents
   silently dropping a partial entry.
2. Concurrency - reader is single-pass over an io.Reader; no
   shared state, no goroutines.
3. Performance - per-entry slices alias a fixed 64 KiB key buffer
   and a growable value buffer. For a 10M-entry snapshot this
   keeps allocs O(1) outside the value-grow boundary. bufio
   wrapper amortises read syscalls.
4. Consistency - encryption_state bits are decoded into the
   identical 4-way switch (cleartext / encrypted / 0b10 / 0b11)
   that store/lsm_store.go::decodeValue uses, so a future
   live-side enum extension fails closed here too.
5. Coverage - 17 table-driven tests in snapshot_reader_test.go
   covering: header-only, single-entry round-trip, tombstone
   flag, multi-entry order preservation, bad magic, truncated
   header, truncated entry, short-key, short-value, encrypted
   entry, all four reserved-encState cases, callback-error
   propagation, MVCC TS XOR-inversion across uint64 boundary,
   empty-value body.

Caller audit (per /loop standing instruction): this PR adds a
NEW public API surface (ReadSnapshot, SnapshotEntry,
SnapshotHeader, PebbleSnapshotMagic, the Err* sentinels). No
prior callers exist. Verified via
'grep -rn "ReadSnapshot|SnapshotEntry|SnapshotHeader" --include=*.go'
- all matches are inside internal/backup/snapshot_reader{,test}.go.
The follow-up PR (cmd/elastickv-snapshot-decode driver +
dispatcher) will be this API's first consumer.

…before-vLen

Three P1+ findings from the first review round:

1. codex P1 (line 278) "Bound snapshot length prefixes before
   allocating"
2. gemini security-high + high (line 180) "Reader lacks bounds
   checking for kLen and vLen — adversarial snapshot can OOM the
   decoder or panic on 32-bit narrowing"
3. gemini high (line 200) "readOneEntry ignores the eof return value
   from readEntryLen on the value-length read — a truncated stream
   surfaces as the wrong error class (ErrSnapshotShortValue instead
   of ErrSnapshotTruncated)"

Findings 1+2 share a root cause: ReadSnapshot trusted the on-disk
length prefix and called make([]byte, n) directly. The live restore
path applies maxPebbleEncodedKeySize / maxSnapshotValueSize guards
before allocation (store/lsm_store.go::readRestoreFieldLen). The
backup-side reader was missing the equivalent. A corrupt or
adversarial snapshot whose length prefix declares 4 GB would either
OOM the operator decoder or, on 32-bit architectures, panic when
narrowing uint64 -> int for the slice length.

Fix: add MaxSnapshotEncodedKeySize (1 MiB + 8) and
MaxSnapshotEncodedValueSize (256 MiB + 9 + 34) bounds, check
before each allocation, fail closed with new sentinel errors
ErrSnapshotKeyTooLarge / ErrSnapshotValueTooLarge. Mirrors the
live store's constants; duplicated here so the backup package
keeps the offline-tool adapter-independence required by the design.

Finding 3 fix: refactor readOneEntry into readEntryKey +
readEntryValue helpers. readEntryKey distinguishes between
"natural inter-entry EOF" (kEof=true at the very first read of an
entry) and a truncated tail mid-entry (any other point). readEntryValue
treats any EOF as truncation — there is no valid clean-EOF state
after the key has been consumed. This also drops the readOneEntry
function under the cyclop budget.

Caller audit (per /loop standing instruction): the semantic change
in question is the error class returned when the snapshot truncates
between key and value-length. Previously: ErrSnapshotShortValue.
Now: ErrSnapshotTruncated. Callers of ReadSnapshot:

  grep -rn 'ReadSnapshot|SnapshotEntry|SnapshotHeader' --include=*.go
  -> all matches are inside internal/backup/snapshot_reader{,_test}.go

The dispatcher / cmd driver that will consume this API (Phase 0a
follow-up, not yet built) will see ErrSnapshotTruncated for any
mid-entry truncation regardless of which length-prefix the
truncation occurred before — a more correct semantic that matches
the docstring contract. No existing caller exists, so no caller
audit gap.

New tests:
- TestReadSnapshot_RejectsTruncatedBeforeValueLength pins gemini
  high finding (key-then-no-vLen -> ErrSnapshotTruncated)
- TestReadSnapshot_RejectsKeyLengthOverBudget pins codex P1 (key
  length-prefix > MaxSnapshotEncodedKeySize fails closed BEFORE
  allocation)
- TestReadSnapshot_RejectsValueLengthOverBudget pins the same for
  value side
- TestReadSnapshot_AcceptsKeyLengthAtBudgetBoundary pins off-by-one
  (length == budget is accepted; only > budget rejected)

Self-review:
1. Data loss - the bound rejects only over-budget entries the live
   store would never have written; legitimate entries up to the
   limits are still accepted (boundary test pins this).
2. Concurrency - no shared state; reader is single-pass over
   io.Reader as before.
3. Performance - one extra comparison per entry, far cheaper than
   the prevented OOM allocation.
4. Consistency - matches the live restore path's bounds and error
   shape. Mid-entry EOF now consistently surfaces as
   ErrSnapshotTruncated regardless of where in the entry the
   truncation occurred.
5. Coverage - 4 new tests in addition to the 17 existing ones.
   All pass with -race.

…ic + boundary test

coderabbit raised 2 Major findings on round 1:

1. line 105 "Avoid exporting mutable magic bytes as a package
   variable" - PebbleSnapshotMagic was a `var [8]byte`, so any
   importer could mutate it and break parsing globally
   (`backup.PebbleSnapshotMagic[0] = 0xff` is legal Go).
2. line 329 "Boundary test name/intent doesn't match what it
   verifies" - TestReadSnapshot_AcceptsKeyLengthAtBudgetBoundary
   used a 1 KiB key, which is nowhere near the 1 MiB+8
   MaxSnapshotEncodedKeySize budget. A regression flipping `>` to
   `>=` would not be caught by the existing test.

Fixes:

1. Change `PebbleSnapshotMagic` from a `var [PebbleSnapshotMagicLen]byte`
   to an untyped `const string` carrying the same bytes. Strings are
   immutable in Go, so this closes the package-variable mutation
   surface. Update the only consumers (readSnapshotHeader's bytes
   comparison and the test snapBuilder) to use the new type.

2. Resize the boundary test's user key so the ENCODED key
   (userKey + 8-byte TS suffix) lands at EXACTLY
   MaxSnapshotEncodedKeySize, then assert successful round-trip.
   A `>=` vs `>` regression now surfaces.

Caller audit (per /loop standing instruction): the type change to
PebbleSnapshotMagic from `[8]byte` to `string` is a public API
shape change. PR #792 introduces this symbol; no external caller
exists yet (`grep -rn PebbleSnapshotMagic --include=*.go` shows
matches only inside the two files in this PR). Caller audit clean.

Self-review:
1. Data loss - none. The byte content of the magic is unchanged.
2. Concurrency - the previous shape was technically race-prone if
   importers wrote concurrently. The string const cannot race.
3. Performance - one tiny allocation per call (`[]byte(string)` for
   the comparison). Bounded; called once per snapshot file open.
4. Consistency - immutable-magic pattern matches the live store's
   `pebbleSnapshotMagic` (which is package-private, also immutable
   in practice). The new boundary test now actually exercises the
   budget threshold.
5. Coverage - existing 21 snapshot tests still pass with the new
   type. The boundary test is now a real off-by-one guard
   (allocates 1 MiB instead of 1 KiB during the test — still
   well within go test memory budget).