The AWS SQS backend behind the MirrorQueue handle.

Maps the handle's receive → process → ack shape onto SQS:

• enqueue → SendMessage (the MirrorJob encoded as the message body),
• receive → one long-poll ReceiveMessage (a batch, [] on an empty poll),
• ack → DeleteMessage (the message is gone, never redelivered),
• extendVisibility → ChangeMessageVisibility (hold a long publish).

The provider differences SQS embodies — the visibility timeout, the long-poll window, the batch limit — are SqsConfig knobs with sane defaults, and the SQS receipt handle is carried opaquely in a ReceiptHandle (via mkReceiptHandle), so none of it leaks past the handle. Retry is "don't ack": a job whose processing fails is simply not acked, and SQS redelivers it once the visibility timeout lapses; persistent failures fall to the queue's native dead-letter (max-receive-count), so there is no nack (see Ecluse.Queue).

The amazonka Env is built once at newSqsQueue and captured by the handle's closures, so the backend's state never reaches the proxy's Env/App (see docs/architecture/technology-stack.md → "Key Decisions"). The MirrorJob wire mapping is a plain JSON object, decoded on receive; a body that fails to parse is dropped rather than yielded as a partial, so — like any message left unprocessed — it is not acked and SQS redelivers it, ultimately to the dead-letter queue.

The SQS queue is a trusted, operator-declared destination (the configured queue URL, or an endpoint override): like the OTLP telemetry endpoint (see Ecluse.Telemetry.Resolve), it is reached through amazonka's own client and is not subject to the data-plane egress controls (the host allowlist, the internal-range block, or the resolved-IP recheck of Ecluse.Security.Egress), which guard only untrusted package downloads — never a destination the operator configured.