chore: remove ~50k lines of unreachable dead code (#8913)

* chore: remove unreachable dead code across the codebase

Remove ~50,000 lines of unreachable code identified by static analysis.

Major removals:
- weed/filer/redis_lua: entire unused Redis Lua filer store implementation
- weed/wdclient/net2, resource_pool: unused connection/resource pool packages
- weed/plugin/worker/lifecycle: unused lifecycle plugin worker
- weed/s3api: unused S3 policy templates, presigned URL IAM, streaming copy,
  multipart IAM, key rotation, and various SSE helper functions
- weed/mq/kafka: unused partition mapping, compression, schema, and protocol functions
- weed/mq/offset: unused SQL storage and migration code
- weed/worker: unused registry, task, and monitoring functions
- weed/query: unused SQL engine, parquet scanner, and type functions
- weed/shell: unused EC proportional rebalance functions
- weed/storage/erasure_coding/distribution: unused distribution analysis functions
- Individual unreachable functions removed from 150+ files across admin,
  credential, filer, iam, kms, mount, mq, operation, pb, s3api, server,
  shell, storage, topology, and util packages

* fix(s3): reset shared memory store in IAM test to prevent flaky failure

TestLoadIAMManagerFromConfig_EmptyConfigWithFallbackKey was flaky because
the MemoryStore credential backend is a singleton registered via init().
Earlier tests that create anonymous identities pollute the shared store,
causing LookupAnonymous() to unexpectedly return true.

Fix by calling Reset() on the memory store before the test runs.

* style: run gofmt on changed files

* fix: restore KMS functions used by integration tests

* fix(plugin): prevent panic on send to closed worker session channel

The Plugin.sendToWorker method could panic with "send on closed channel"
when a worker disconnected while a message was being sent. The race was
between streamSession.close() closing the outgoing channel and sendToWorker
writing to it concurrently.

Add a done channel to streamSession that is closed before the outgoing
channel, and check it in sendToWorker's select to safely detect closed
sessions without panicking.

weed/s3api/s3_iam_middleware.go

@@ -13,7 +13,6 @@ import (
 	"github.com/seaweedfs/seaweedfs/weed/iam/integration"
 	"github.com/seaweedfs/seaweedfs/weed/iam/providers"
 	"github.com/seaweedfs/seaweedfs/weed/iam/sts"
-	"github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
 	"github.com/seaweedfs/seaweedfs/weed/s3api/s3err"
 )
 
@@ -381,52 +380,6 @@ func buildS3ResourceArn(bucket string, objectKey string) string {
 	return "arn:aws:s3:::" + bucket + "/" + objectKey
 }
 
-// mapLegacyActionToIAM provides fallback mapping for legacy actions
-// This ensures backward compatibility while the system transitions to granular actions
-func mapLegacyActionToIAM(legacyAction Action) string {
-	switch legacyAction {
-	case s3_constants.ACTION_READ:
-		return "s3:GetObject" // Fallback for unmapped read operations
-	case s3_constants.ACTION_WRITE:
-		return "s3:PutObject" // Fallback for unmapped write operations
-	case s3_constants.ACTION_LIST:
-		return "s3:ListBucket" // Fallback for unmapped list operations
-	case s3_constants.ACTION_TAGGING:
-		return "s3:GetObjectTagging" // Fallback for unmapped tagging operations
-	case s3_constants.ACTION_READ_ACP:
-		return "s3:GetObjectAcl" // Fallback for unmapped ACL read operations
-	case s3_constants.ACTION_WRITE_ACP:
-		return "s3:PutObjectAcl" // Fallback for unmapped ACL write operations
-	case s3_constants.ACTION_DELETE_BUCKET:
-		return "s3:DeleteBucket" // Fallback for unmapped bucket delete operations
-	case s3_constants.ACTION_ADMIN:
-		return "s3:*" // Fallback for unmapped admin operations
-
-	// Handle granular multipart actions (already correctly mapped)
-	case s3_constants.S3_ACTION_CREATE_MULTIPART:
-		return s3_constants.S3_ACTION_CREATE_MULTIPART
-	case s3_constants.S3_ACTION_UPLOAD_PART:
-		return s3_constants.S3_ACTION_UPLOAD_PART
-	case s3_constants.S3_ACTION_COMPLETE_MULTIPART:
-		return s3_constants.S3_ACTION_COMPLETE_MULTIPART
-	case s3_constants.S3_ACTION_ABORT_MULTIPART:
-		return s3_constants.S3_ACTION_ABORT_MULTIPART
-	case s3_constants.S3_ACTION_LIST_MULTIPART_UPLOADS:
-		return s3_constants.S3_ACTION_LIST_MULTIPART_UPLOADS
-	case s3_constants.S3_ACTION_LIST_PARTS:
-		return s3_constants.S3_ACTION_LIST_PARTS
-
-	default:
-		// If it's already a properly formatted S3 action, return as-is
-		actionStr := string(legacyAction)
-		if strings.HasPrefix(actionStr, "s3:") {
-			return actionStr
-		}
-		// Fallback: convert to S3 action format
-		return "s3:" + actionStr
-	}
-}
-
 // extractRequestContext extracts request context for policy conditions
 func extractRequestContext(r *http.Request) map[string]interface{} {
 	context := make(map[string]interface{})
@@ -553,79 +506,6 @@ type EnhancedS3ApiServer struct {
 	iamIntegration IAMIntegration
 }
 
-// NewEnhancedS3ApiServer creates an S3 API server with IAM integration
-func NewEnhancedS3ApiServer(baseServer *S3ApiServer, iamManager *integration.IAMManager) *EnhancedS3ApiServer {
-	// Set the IAM integration on the base server
-	baseServer.SetIAMIntegration(iamManager)
-
-	return &EnhancedS3ApiServer{
-		S3ApiServer:    baseServer,
-		iamIntegration: NewS3IAMIntegration(iamManager, "localhost:8888"),
-	}
-}
-
-// AuthenticateJWTRequest handles JWT authentication for S3 requests
-func (enhanced *EnhancedS3ApiServer) AuthenticateJWTRequest(r *http.Request) (*Identity, s3err.ErrorCode) {
-	ctx := r.Context()
-
-	// Use our IAM integration for JWT authentication
-	iamIdentity, errCode := enhanced.iamIntegration.AuthenticateJWT(ctx, r)
-	if errCode != s3err.ErrNone {
-		return nil, errCode
-	}
-
-	// Convert IAMIdentity to the existing Identity structure
-	identity := &Identity{
-		Name:    iamIdentity.Name,
-		Account: iamIdentity.Account,
-		// Note: Actions will be determined by policy evaluation
-		Actions:     []Action{}, // Empty - authorization handled by policy engine
-		PolicyNames: iamIdentity.PolicyNames,
-	}
-
-	// Store session token for later authorization
-	r.Header.Set("X-SeaweedFS-Session-Token", iamIdentity.SessionToken)
-	r.Header.Set("X-SeaweedFS-Principal", iamIdentity.Principal)
-
-	return identity, s3err.ErrNone
-}
-
-// AuthorizeRequest handles authorization for S3 requests using policy engine
-func (enhanced *EnhancedS3ApiServer) AuthorizeRequest(r *http.Request, identity *Identity, action Action) s3err.ErrorCode {
-	ctx := r.Context()
-
-	// Get session info from request headers (set during authentication)
-	sessionToken := r.Header.Get("X-SeaweedFS-Session-Token")
-	principal := r.Header.Get("X-SeaweedFS-Principal")
-
-	if sessionToken == "" || principal == "" {
-		glog.V(3).Info("No session information available for authorization")
-		return s3err.ErrAccessDenied
-	}
-
-	// Extract bucket and object from request
-	bucket, object := s3_constants.GetBucketAndObject(r)
-	prefix := s3_constants.GetPrefix(r)
-
-	// For List operations, use prefix for permission checking if available
-	if action == s3_constants.ACTION_LIST && object == "" && prefix != "" {
-		object = prefix
-	} else if (object == "/" || object == "") && prefix != "" {
-		object = prefix
-	}
-
-	// Create IAM identity for authorization
-	iamIdentity := &IAMIdentity{
-		Name:         identity.Name,
-		Principal:    principal,
-		SessionToken: sessionToken,
-		Account:      identity.Account,
-	}
-
-	// Use our IAM integration for authorization
-	return enhanced.iamIntegration.AuthorizeAction(ctx, iamIdentity, action, bucket, object, r)
-}
-
 // OIDCIdentity represents an identity validated through OIDC
 type OIDCIdentity struct {
 	UserID      string