chore: remove ~50k lines of unreachable dead code (#8913)

* chore: remove unreachable dead code across the codebase

Remove ~50,000 lines of unreachable code identified by static analysis.

Major removals:
- weed/filer/redis_lua: entire unused Redis Lua filer store implementation
- weed/wdclient/net2, resource_pool: unused connection/resource pool packages
- weed/plugin/worker/lifecycle: unused lifecycle plugin worker
- weed/s3api: unused S3 policy templates, presigned URL IAM, streaming copy,
  multipart IAM, key rotation, and various SSE helper functions
- weed/mq/kafka: unused partition mapping, compression, schema, and protocol functions
- weed/mq/offset: unused SQL storage and migration code
- weed/worker: unused registry, task, and monitoring functions
- weed/query: unused SQL engine, parquet scanner, and type functions
- weed/shell: unused EC proportional rebalance functions
- weed/storage/erasure_coding/distribution: unused distribution analysis functions
- Individual unreachable functions removed from 150+ files across admin,
  credential, filer, iam, kms, mount, mq, operation, pb, s3api, server,
  shell, storage, topology, and util packages

* fix(s3): reset shared memory store in IAM test to prevent flaky failure

TestLoadIAMManagerFromConfig_EmptyConfigWithFallbackKey was flaky because
the MemoryStore credential backend is a singleton registered via init().
Earlier tests that create anonymous identities pollute the shared store,
causing LookupAnonymous() to unexpectedly return true.

Fix by calling Reset() on the memory store before the test runs.

* style: run gofmt on changed files

* fix: restore KMS functions used by integration tests

* fix(plugin): prevent panic on send to closed worker session channel

The Plugin.sendToWorker method could panic with "send on closed channel"
when a worker disconnected while a message was being sent. The race was
between streamSession.close() closing the outgoing channel and sendToWorker
writing to it concurrently.

Add a done channel to streamSession that is closed before the outgoing
channel, and check it in sendToWorker's select to safely detect closed
sessions without panicking.

weed/iam/providers/provider_test.go

@@ -1,246 +0,0 @@
-package providers
-
-import (
-	"context"
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-// TestIdentityProviderInterface tests the core identity provider interface
-func TestIdentityProviderInterface(t *testing.T) {
-	tests := []struct {
-		name     string
-		provider IdentityProvider
-		wantErr  bool
-	}{
-		// We'll add test cases as we implement providers
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			// Test provider name
-			name := tt.provider.Name()
-			assert.NotEmpty(t, name, "Provider name should not be empty")
-
-			// Test initialization
-			err := tt.provider.Initialize(nil)
-			if tt.wantErr {
-				assert.Error(t, err)
-				return
-			}
-			require.NoError(t, err)
-
-			// Test authentication with invalid token
-			ctx := context.Background()
-			_, err = tt.provider.Authenticate(ctx, "invalid-token")
-			assert.Error(t, err, "Should fail with invalid token")
-		})
-	}
-}
-
-// TestExternalIdentityValidation tests external identity structure validation
-func TestExternalIdentityValidation(t *testing.T) {
-	tests := []struct {
-		name     string
-		identity *ExternalIdentity
-		wantErr  bool
-	}{
-		{
-			name: "valid identity",
-			identity: &ExternalIdentity{
-				UserID:      "user123",
-				Email:       "user@example.com",
-				DisplayName: "Test User",
-				Groups:      []string{"group1", "group2"},
-				Attributes:  map[string]string{"dept": "engineering"},
-				Provider:    "test-provider",
-			},
-			wantErr: false,
-		},
-		{
-			name: "missing user id",
-			identity: &ExternalIdentity{
-				Email:    "user@example.com",
-				Provider: "test-provider",
-			},
-			wantErr: true,
-		},
-		{
-			name: "missing provider",
-			identity: &ExternalIdentity{
-				UserID: "user123",
-				Email:  "user@example.com",
-			},
-			wantErr: true,
-		},
-		{
-			name: "invalid email",
-			identity: &ExternalIdentity{
-				UserID:   "user123",
-				Email:    "invalid-email",
-				Provider: "test-provider",
-			},
-			wantErr: true,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			err := tt.identity.Validate()
-			if tt.wantErr {
-				assert.Error(t, err)
-			} else {
-				assert.NoError(t, err)
-			}
-		})
-	}
-}
-
-// TestTokenClaimsValidation tests token claims structure
-func TestTokenClaimsValidation(t *testing.T) {
-	tests := []struct {
-		name   string
-		claims *TokenClaims
-		valid  bool
-	}{
-		{
-			name: "valid claims",
-			claims: &TokenClaims{
-				Subject:   "user123",
-				Issuer:    "https://provider.example.com",
-				Audience:  "seaweedfs",
-				ExpiresAt: time.Now().Add(time.Hour),
-				IssuedAt:  time.Now().Add(-time.Minute),
-				Claims:    map[string]interface{}{"email": "user@example.com"},
-			},
-			valid: true,
-		},
-		{
-			name: "expired token",
-			claims: &TokenClaims{
-				Subject:   "user123",
-				Issuer:    "https://provider.example.com",
-				Audience:  "seaweedfs",
-				ExpiresAt: time.Now().Add(-time.Hour), // Expired
-				IssuedAt:  time.Now().Add(-time.Hour * 2),
-				Claims:    map[string]interface{}{"email": "user@example.com"},
-			},
-			valid: false,
-		},
-		{
-			name: "future issued token",
-			claims: &TokenClaims{
-				Subject:   "user123",
-				Issuer:    "https://provider.example.com",
-				Audience:  "seaweedfs",
-				ExpiresAt: time.Now().Add(time.Hour),
-				IssuedAt:  time.Now().Add(time.Hour), // Future
-				Claims:    map[string]interface{}{"email": "user@example.com"},
-			},
-			valid: false,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			valid := tt.claims.IsValid()
-			assert.Equal(t, tt.valid, valid)
-		})
-	}
-}
-
-// TestProviderRegistry tests provider registration and discovery
-func TestProviderRegistry(t *testing.T) {
-	// Clear registry for test
-	registry := NewProviderRegistry()
-
-	t.Run("register provider", func(t *testing.T) {
-		mockProvider := &MockProvider{name: "test-provider"}
-
-		err := registry.RegisterProvider(mockProvider)
-		assert.NoError(t, err)
-
-		// Test duplicate registration
-		err = registry.RegisterProvider(mockProvider)
-		assert.Error(t, err, "Should not allow duplicate registration")
-	})
-
-	t.Run("get provider", func(t *testing.T) {
-		provider, exists := registry.GetProvider("test-provider")
-		assert.True(t, exists)
-		assert.Equal(t, "test-provider", provider.Name())
-
-		// Test non-existent provider
-		_, exists = registry.GetProvider("non-existent")
-		assert.False(t, exists)
-	})
-
-	t.Run("list providers", func(t *testing.T) {
-		providers := registry.ListProviders()
-		assert.Len(t, providers, 1)
-		assert.Equal(t, "test-provider", providers[0])
-	})
-}
-
-// MockProvider for testing
-type MockProvider struct {
-	name        string
-	initialized bool
-	shouldError bool
-}
-
-func (m *MockProvider) Name() string {
-	return m.name
-}
-
-func (m *MockProvider) Initialize(config interface{}) error {
-	if m.shouldError {
-		return assert.AnError
-	}
-	m.initialized = true
-	return nil
-}
-
-func (m *MockProvider) Authenticate(ctx context.Context, token string) (*ExternalIdentity, error) {
-	if !m.initialized {
-		return nil, assert.AnError
-	}
-	if token == "invalid-token" {
-		return nil, assert.AnError
-	}
-	return &ExternalIdentity{
-		UserID:      "test-user",
-		Email:       "test@example.com",
-		DisplayName: "Test User",
-		Provider:    m.name,
-	}, nil
-}
-
-func (m *MockProvider) GetUserInfo(ctx context.Context, userID string) (*ExternalIdentity, error) {
-	if !m.initialized || userID == "" {
-		return nil, assert.AnError
-	}
-	return &ExternalIdentity{
-		UserID:      userID,
-		Email:       userID + "@example.com",
-		DisplayName: "User " + userID,
-		Provider:    m.name,
-	}, nil
-}
-
-func (m *MockProvider) ValidateToken(ctx context.Context, token string) (*TokenClaims, error) {
-	if !m.initialized || token == "invalid-token" {
-		return nil, assert.AnError
-	}
-	return &TokenClaims{
-		Subject:   "test-user",
-		Issuer:    "test-issuer",
-		Audience:  "seaweedfs",
-		ExpiresAt: time.Now().Add(time.Hour),
-		IssuedAt:  time.Now(),
-		Claims:    map[string]interface{}{"email": "test@example.com"},
-	}, nil
-}

weed/iam/providers/registry.go

@@ -1,109 +0,0 @@
-package providers
-
-import (
-	"fmt"
-	"sync"
-)
-
-// ProviderRegistry manages registered identity providers
-type ProviderRegistry struct {
-	mu        sync.RWMutex
-	providers map[string]IdentityProvider
-}
-
-// NewProviderRegistry creates a new provider registry
-func NewProviderRegistry() *ProviderRegistry {
-	return &ProviderRegistry{
-		providers: make(map[string]IdentityProvider),
-	}
-}
-
-// RegisterProvider registers a new identity provider
-func (r *ProviderRegistry) RegisterProvider(provider IdentityProvider) error {
-	if provider == nil {
-		return fmt.Errorf("provider cannot be nil")
-	}
-
-	name := provider.Name()
-	if name == "" {
-		return fmt.Errorf("provider name cannot be empty")
-	}
-
-	r.mu.Lock()
-	defer r.mu.Unlock()
-
-	if _, exists := r.providers[name]; exists {
-		return fmt.Errorf("provider %s is already registered", name)
-	}
-
-	r.providers[name] = provider
-	return nil
-}
-
-// GetProvider retrieves a provider by name
-func (r *ProviderRegistry) GetProvider(name string) (IdentityProvider, bool) {
-	r.mu.RLock()
-	defer r.mu.RUnlock()
-
-	provider, exists := r.providers[name]
-	return provider, exists
-}
-
-// ListProviders returns all registered provider names
-func (r *ProviderRegistry) ListProviders() []string {
-	r.mu.RLock()
-	defer r.mu.RUnlock()
-
-	var names []string
-	for name := range r.providers {
-		names = append(names, name)
-	}
-	return names
-}
-
-// UnregisterProvider removes a provider from the registry
-func (r *ProviderRegistry) UnregisterProvider(name string) error {
-	r.mu.Lock()
-	defer r.mu.Unlock()
-
-	if _, exists := r.providers[name]; !exists {
-		return fmt.Errorf("provider %s is not registered", name)
-	}
-
-	delete(r.providers, name)
-	return nil
-}
-
-// Clear removes all providers from the registry
-func (r *ProviderRegistry) Clear() {
-	r.mu.Lock()
-	defer r.mu.Unlock()
-
-	r.providers = make(map[string]IdentityProvider)
-}
-
-// GetProviderCount returns the number of registered providers
-func (r *ProviderRegistry) GetProviderCount() int {
-	r.mu.RLock()
-	defer r.mu.RUnlock()
-
-	return len(r.providers)
-}
-
-// Default global registry
-var defaultRegistry = NewProviderRegistry()
-
-// RegisterProvider registers a provider in the default registry
-func RegisterProvider(provider IdentityProvider) error {
-	return defaultRegistry.RegisterProvider(provider)
-}
-
-// GetProvider retrieves a provider from the default registry
-func GetProvider(name string) (IdentityProvider, bool) {
-	return defaultRegistry.GetProvider(name)
-}
-
-// ListProviders returns all provider names from the default registry
-func ListProviders() []string {
-	return defaultRegistry.ListProviders()
-}