The 15-line WalDirectoryPolicy stub doesn't warrant its own file. Move
it to a private static nested class inside WalToParquet so the utility
lives in a single source file, matching the spirit of the other
single-file utilities in the cliutil package.

Builds on the initial single-file utility with the items the original
forensic-recovery plan called for:

Manifest: per-table JSON manifest sits next to the Parquet files and
records every segment the tool saw (written, skipped, or partial), every
structural-change transaction in seqTxn order, the txnlog format/maxTxn
header, and per-segment reasons. The operator now has a machine-readable
trail of what was recovered vs lost.

Per-row shoulder columns: _wal_id, _segment_id, _segment_txn, _seq_txn,
_commit_ts are emitted by default so downstream consumers can dedupe
recovered rows against whatever survives in the base table. The
_segment_txn is derived per-row by replaying the segment's _event,
seq_txn and commit_ts are mapped from the txnlog records. Opt out with
--no-shoulder.

Tier 2 (txnlog corrupt or missing): falls back to a filesystem scan of
wal*/N/ directories. Cross-segment seqTxn ordering is unknown so files
are written as <table>__wal<N>__seg<N>__tier2.parquet and the manifest
reflects it.

Tier 3 (segment _event corrupt or missing): row count is derived from
the timestamp .d file size (16 B/row in WAL), and a direct-mmap
emission path bypasses WalReader (which itself requires _event). SYMBOL
columns are resolved from the WAL's on-disk symbol files - the base
table snapshot at WAL open time - so codes referencing new-in-WAL
symbols (which lived only in _event) are clamped to NULL. The manifest
notes how many rows were affected per column. Files are suffixed
__tier3.parquet.

Tier 4 (segment _meta corrupt): peer-segment schema substitution. The
tool scans other wal*/N/ directories for the same table, finds the
first segment with a readable _meta, and uses that as a schema source.
The schema may not match exactly if columns were added or dropped
between segments; the manifest flags this. Composes with tier 3 so a
segment missing both _meta and _event still recovers.

Partial column file loss: pre-checks every column's .d (and .i for
var-size) before opening WalReader and records each missing file in the
manifest's skippedColumns list. Even if WalReader subsequently fails to
construct because of the loss, the manifest still tells the operator
exactly which column files are gone.

Tests: 10 unit tests for the Args parser, the parquet filename builder
across all tier combinations, and TableInfo.fromDirName parsing.
Integration tests with programmatic WAL construction would need
CairoEngine setup and are left as follow-up.

README: build instructions and a Running section with the Java 17+
module-access flags moved to the top of utils/README.md. A new section
documents WalToParquet with options, output layout, tier suffix
matrix and worked examples.

Tier-3 fallback used to derive a segment's rowCount from the timestamp
column's .d file size on disk. WAL column files are mmap-preallocated,
so the file length reports capacity not committed appends - in the
unreadable-event test setup that meant a 1-row table was being
"recovered" as 65,536 rows of fabricated data. The new behaviour:

- Each txnlog cursor record's getTxnRowCount() is captured into the
  per-segment txnRowCounts list during enumerateSegments. V1
  sequencer format throws UnsupportedOperationException for that
  call, so V1 slots stay at -1.
- The tier-3 fallback now sums those per-txn counts via
  sumTxnRowCounts(). If any referenced segmentTxn lacks a trustworthy
  row count (i.e., V1 format, or tier-2 mode where the txnlog itself
  is unreadable) the helper returns -1 and the segment is marked
  unrecoverable with a new manifest status
  skipped_event_unreadable_no_row_count. No Parquet is written for
  that segment - silent fabrication of capacity-byte rows is worse
  than refusing to emit.
- A zero-row sum gets its own status
  skipped_event_unreadable_zero_rows so operators can tell "no data
  to recover" from "couldn't determine row count".

Event-walk hardening (per-event try/catch). collectNonDataEvents now
uses three nested catches:
- _event file unopenable (er.of() throws): one
  UNKNOWN_EVENT_UNREADABLE entry scoped to the segment is emitted and
  we move on. The WalEventReader is also closed via try-with-resources
  whether construction or of() fails (previously er.of() could leak
  the reader).
- hasNext()/getType()/getTxn() throws: WalEventCursor reads the full
  record - including dispatch on the type byte - inside hasNext(), so
  an unknown OSS-invisible type byte surfaces here as an exception
  with no segmentTxn known. One UNKNOWN_EVENT_UNREADABLE entry is
  recorded with the (walId, segmentId) and error string, then we
  stop - cursor state is undefined past this point.
- SQL body parse failure with valid header: the entry preserves
  type/walId/segmentId/segmentTxn/seqTxn/commitTimestamp and carries
  the parse error in a new "error" field; iteration continues.

New "error" field on ManifestSqlStatement keeps error context
separate from the "sql" text so downstream consumers can tell "we
have SQL" from "we couldn't read it".

Schemas mapping per segment. ManifestSegment.structureVersion was
populated only in the early recordMissingColumnFiles() pass. When
that pass failed but tier-3 later recovered the metadata via
peer-segment fallback, the manifest still carried -1 for the
segment's structureVersion, making __schemas.json unable to map
back to the file. Now writeSegmentToParquetTier3 sets
entry.structureVersion = meta.getMetadataVersion() right after the
metadata it will actually use is selected, covering the peer-fallback
path.

Schemas sorted by numeric structureVersion. The byVersion map was
populated by File.listFiles() which has no guaranteed order, so the
schemas file's emission order was filesystem-dependent. Now keys are
collected, sorted with Collections.sort, and re-inserted into the
output LinkedHashMap so the file is deterministic across runs.

Gson HTML-escaping disabled across all three sidecars. SQL log
previously printed >= for ">=" and ' for "'", making
the file barely readable by hand. New output writes the literal
characters.

Tests bring the count to 18 (10 unit + 8 integration). The
unreadable-event test now asserts no Parquet is emitted, the
manifest's segment carries the unrecoverable status, rowsWritten=0
and outputFile=null - the silent 65k fabrication is gone.

README updated to: clarify the tier-3 row in the suffix matrix
(V2-only recovery via txnlog row counts, V1 marked unrecoverable),
spell out the UNKNOWN_EVENT_UNREADABLE failure shapes accurately,
describe the schemas-version-to-segment join, and list
_recovery_status_ as the sixth shoulder column.

Closes the partial-malloc-leak windows around the new
trackNativeAllocation helper by wrapping the three-call
registration sequences with flag-tracked orphan cleanup so a
LongList resize-OOM mid-sequence cannot orphan the tail buffers.

Tightens tier-3 fixes from prior rounds:
- int clampedSize widened to long to avoid overflow at rowCount
  near Integer.MAX_VALUE
- SymbolMapReaderImpl is registered into the cleanup pool before
  sr.of() runs so a corrupt-symbol-files throw cannot leak the
  reader
- columnMemories.add for mem and aux moved inside the inner try
  so a resize-OOM during registration cannot leak the mmap
- per-row recovery status reconstructed from txnlog row counts
  (previously a single segment-wide constant) so multi-txn
  segments get correct per-row applied/unapplied attribution
- reconciliation note in the manifest if the txnlog row counts
  cover fewer rows than rowCount
- Path try/finally around Vm.getCMRInstance calls
- maxTxn watermark refreshed from observed seqTxn after the walk
- discoverTables filter loosened so user tables starting with
  underscore are not silently dropped
- recordMissingColumnFiles deferred to the WalReader-failure
  path, with a cheap recordSegmentStructureVersion called on the
  happy path
- RECOVERY_STATUS dictionary pinned to its index constants by a
  runtime check that fires even without -ea

Adds defensive infrastructure:
- TestUtils.assertMemoryLeak harness with named 8 KB slack for
  pool warmup; 8 of 14 main integration tests wrapped
- trackNativeAllocation helper that frees its pair's buffer on a
  resize-OOM and rolls back the addr list

Adds coverage for paths previously uncovered:
- testV2Tier3PerRowRecoveryStatusAcrossTxns regression for the
  multi-txn per-row recovery status
- testV2Tier3RecoversFromCorruptEvent for the V2 tier-3 happy
  path
- testTier2CorruptTxnlog in its own class to isolate
  engine.clear() blast radius
- testTier4PeerMetaFallback for the corrupt-_meta peer fallback
  via V2 tier-3
- testPartialColumnFileLoss in its own class for missing .d
  files
- testNullValuePreservation across LONG, DOUBLE, SYMBOL, VARCHAR
- testDropColumnSchemaEvolution and testRenameColumnSchemaEvolution
  verifying recovered Parquet content per structureVersion
- testMultiSegmentRecovery exercising ALTER-driven segment rolls
- testUnderscorePrefixedUserTable regression for discoverTables

Fixes a pre-existing UUID/LONG128 comparison bug in
TestUtils.assertColumnValues (lr.getLong128Hi swapped to
getLong128Lo for the low-half comparison).

Adjusts utils/pom.xml to keep Java compiler target at 17
matching the rest of the project. README documents the
manifest's tier-2 sqlStatements/structuralChanges gap and the
Gson rationale.

All 30 tests pass.