feat(cluster): wire multi-shard cross-shard communication for server-ng

[hubcio]

core/server-ng bootstrapped exactly one shard with SHARD_ID=0 and
senders=vec![sender] hardcoded; the multi-shard path was dead code.
Cross-shard primitives copied from legacy core/server also did not
fit core/shard's crossfire model (bounded MTx + try_send-or-drop,
fd-transfer coordinator instead of SO_REUSEPORT).

bootstrap() now spawns N OS threads from sharding.cpu_allocation,
each pinned via nix::sched + hwlocality and running its own compio
runtime + IggyMessageBus + IggyShard for the partitions hashed to
that shard. Cross-thread shutdown rides an Arc polled by
a per-shard watchdog, since the bus' Shutdown is !Send and cannot be
triggered from the main thread directly. Partial shard-spawn failure
and shard-thread panic now signal cluster-wide shutdown instead of
hanging; the shutdown watchdog is detached from the bus drain.

ShardFrame becomes a concrete enum (Consensus + Lifecycle); the R
generic is lifted off IggyShard. Named routers (route_metadata /
route_partition / route_consensus_control) replace the duplicated
MessageBag match blocks, and a debug_assert at pump entry catches
receiver-thread mis-binding that the ctor's assert_sender_ordering
cannot see.

ShardMetrics records frame_drops_total (counter, variant+reason
labels), bumped at every inter-shard try_send rejection; without it,
drop-and-recover under VSR retransmit is operationally
indistinguishable from a livelock. The counter is atomic, so it is
safe to bump from !Send compio reactor contexts.

The legacy shard-mapping broadcast subsystem (periodic snapshot
refresh task, three-state MappingSlot table, ReplicaMappingUpdate /
ReplicaMappingClear frames) is retired entirely. Cross-shard replica
routing now flows through the cluster-shared ReplicaOwnerTable: the
owning shard's installer stamps its slot on a successful registry
insert and CAS-clears it on disconnect, so every bus' send_to_replica
slow path reads authoritative state with no broadcast or reconcile
loop. Builder accepts the coordinator at ctor; IggyShard stays
immutable post-construction.

message_bus forward-fn types widen to carry replica/client id, and
send_to_replica routes via the shared owner table so non-zero shards
reconcile against shared state rather than shard 0's private bus.

WAL recovery is serialized across shards: non-zero shards open the
WAL read-only, reject mutating ops (drain, set_snapshot_op) on a
read-only storage, route an invalid WAL header to truncate_or_fail,
and close the read-only fd once recovery completes.

Storage milestones (durable PartitionJournal, durable
(view, commit_op) watermark) and SDK (client_id, request_id)
durability across reconnect remain out of scope; tracked separately.

[codecov]

Codecov Report

❌ Patch coverage is 50.89392% with 824 lines in your changes missing coverage. Please review.
✅ Project coverage is 71.27%. Comparing base (eff697f) to head (e0067ca).
⚠️ Report is 1 commits behind head on master.

Files with missing lines	Patch %	Lines
core/server-ng/src/bootstrap.rs	20.00%	464 Missing and 4 partials ⚠️
core/shard/src/router.rs	0.00%	111 Missing ⚠️
core/shard/src/builder.rs	0.00%	57 Missing ⚠️
core/shard/src/lib.rs	41.93%	36 Missing ⚠️
core/message_bus/src/lib.rs	82.58%	22 Missing and 5 partials ⚠️
core/server-ng/src/main.rs	0.00%	27 Missing ⚠️
core/journal/src/prepare_journal.rs	88.18%	17 Missing and 9 partials ⚠️
core/metadata/src/stm/mod.rs	72.72%	18 Missing ⚠️
core/shard/src/coordinator.rs	83.65%	17 Missing ⚠️
core/simulator/src/bus.rs	0.00%	12 Missing ⚠️
... and 7 more

Additional details and impacted files

@@             Coverage Diff              @@
##             master    #3269      +/-   ##
============================================
- Coverage     74.18%   71.27%   -2.91%     
  Complexity      943      943              
============================================
  Files          1200     1201       +1     
  Lines        109645   105567    -4078     
  Branches      86535    82472    -4063     
============================================
- Hits          81340    75246    -6094     
- Misses        25567    27371    +1804     
- Partials       2738     2950     +212     

Components	Coverage Δ
Rust Core	71.74% <50.89%> (-3.68%)	⬇️
Java SDK	58.44% <ø> (ø)
C# SDK	69.13% <ø> (-0.31%)	⬇️
Python SDK	81.43% <ø> (ø)
Node SDK	91.44% <ø> (-0.10%)	⬇️
Go SDK	39.91% <ø> (ø)

Files with missing lines	Coverage Δ
core/common/src/sharding/namespace.rs	95.69% <100.00%> (+0.69%)	⬆️
core/configs/src/server_config/sharding.rs	85.06% <100.00%> (+2.58%)	⬆️
core/consensus/src/impls.rs	78.15% <100.00%> (+0.03%)	⬆️
core/journal/src/file_storage.rs	70.58% <ø> (ø)
core/message_bus/src/client_listener/tcp.rs	80.00% <ø> (ø)
core/message_bus/src/client_listener/tcp_tls.rs	84.61% <ø> (ø)
core/message_bus/src/client_listener/ws.rs	80.76% <ø> (ø)
core/message_bus/src/connector.rs	94.31% <ø> (ø)
core/message_bus/src/installer/mod.rs	62.50% <ø> (+9.86%)	⬆️
core/message_bus/src/installer/tcp_tls.rs	90.00% <ø> (ø)
... and 24 more

... and 124 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[jayakasadev]

All threads resolved. LGTM.

[krishvishal]

Commit, StartViewChange, DoViewChange, StartView (and Register requests) all carry Operation::Reserved / Operation::Register. Neither is in is_metadata() nor is_partition(), so route_typed falls through to route_consensus_control and hashes header.namespace. Metadata's consensus group is initialized with namespace = 0 (bootstrap.rs:1032), and Murmur3(0u64) >> 16 = 25477, so for every shard_count > 1, the frame is dispatched to a non-zero shard whose IggyMetadata.consensus is None. The receiver hits the fall-through arm and tracing::warn!-drops. VSR retransmit re-routes via the same hash and cluster wedges permanently.

[hubcio]

good catch @krishvishal , should be fixed now. I added a sentinel METADATA_CONSENSUS_NAMESPACE = 1u64 << 63 in core/common/src/sharding/namespace.rs (it's above PACKED_NAMESPACE_MAX so it can't collide with a real partition namespace), and bootstrap now inits the metadata group with that constant at bootstrap.rs:1106 instead of 0.

router got an is_vsr_reserved arm in route_typed that short-circuits any frame with namespace == METADATA_CONSENSUS_NAMESPACE straight to shard 0 at router.rs:172, so metadata consensus traffic never touches the murmur path. per-partition consensus groups still hash through route_consensus_control like before.

I think its good enough for now.