chore: remove ~50k lines of unreachable dead code (#8913)

* chore: remove unreachable dead code across the codebase

Remove ~50,000 lines of unreachable code identified by static analysis.

Major removals:
- weed/filer/redis_lua: entire unused Redis Lua filer store implementation
- weed/wdclient/net2, resource_pool: unused connection/resource pool packages
- weed/plugin/worker/lifecycle: unused lifecycle plugin worker
- weed/s3api: unused S3 policy templates, presigned URL IAM, streaming copy,
  multipart IAM, key rotation, and various SSE helper functions
- weed/mq/kafka: unused partition mapping, compression, schema, and protocol functions
- weed/mq/offset: unused SQL storage and migration code
- weed/worker: unused registry, task, and monitoring functions
- weed/query: unused SQL engine, parquet scanner, and type functions
- weed/shell: unused EC proportional rebalance functions
- weed/storage/erasure_coding/distribution: unused distribution analysis functions
- Individual unreachable functions removed from 150+ files across admin,
  credential, filer, iam, kms, mount, mq, operation, pb, s3api, server,
  shell, storage, topology, and util packages

* fix(s3): reset shared memory store in IAM test to prevent flaky failure

TestLoadIAMManagerFromConfig_EmptyConfigWithFallbackKey was flaky because
the MemoryStore credential backend is a singleton registered via init().
Earlier tests that create anonymous identities pollute the shared store,
causing LookupAnonymous() to unexpectedly return true.

Fix by calling Reset() on the memory store before the test runs.

* style: run gofmt on changed files

* fix: restore KMS functions used by integration tests

* fix(plugin): prevent panic on send to closed worker session channel

The Plugin.sendToWorker method could panic with "send on closed channel"
when a worker disconnected while a message was being sent. The race was
between streamSession.close() closing the outgoing channel and sendToWorker
writing to it concurrently.

Add a done channel to streamSession that is closed before the outgoing
channel, and check it in sendToWorker's select to safely detect closed
sessions without panicking.

weed/s3api/s3_sse_s3.go

@@ -137,13 +137,6 @@ func CreateSSES3DecryptedReader(reader io.Reader, key *SSES3Key, iv []byte) (io.
 	return decryptReader, nil
 }
 
-// GetSSES3Headers returns the headers for SSE-S3 encrypted objects
-func GetSSES3Headers() map[string]string {
-	return map[string]string{
-		s3_constants.AmzServerSideEncryption: SSES3Algorithm,
-	}
-}
-
 // SerializeSSES3Metadata serializes SSE-S3 metadata for storage using envelope encryption
 func SerializeSSES3Metadata(key *SSES3Key) ([]byte, error) {
 	if err := ValidateSSES3Key(key); err != nil {
@@ -339,7 +332,7 @@ func (km *SSES3KeyManager) InitializeWithFiler(filerClient filer_pb.FilerClient)
 
 	v := util.GetViper()
 	cfgKEK := v.GetString(sseS3KEKConfigKey) // hex-encoded, drop-in for filer file
-	cfgKey := v.GetString(sseS3KeyConfigKey)  // any string, HKDF-derived
+	cfgKey := v.GetString(sseS3KeyConfigKey) // any string, HKDF-derived
 
 	if cfgKEK != "" && cfgKey != "" {
 		return fmt.Errorf("only one of %s and %s may be set, not both", sseS3KEKConfigKey, sseS3KeyConfigKey)
@@ -454,7 +447,6 @@ func (km *SSES3KeyManager) loadSuperKeyFromFiler() error {
 	return nil
 }
 
-
 // GetOrCreateKey gets an existing key or creates a new one
 // With envelope encryption, we always generate a new DEK since we don't store them
 func (km *SSES3KeyManager) GetOrCreateKey(keyID string) (*SSES3Key, error) {
@@ -532,14 +524,6 @@ func (km *SSES3KeyManager) StoreKey(key *SSES3Key) {
 	// The DEK is encrypted with the super key and stored in object metadata
 }
 
-// GetKey is now a no-op since we don't cache keys
-// Keys are retrieved by decrypting the encrypted DEK from object metadata
-func (km *SSES3KeyManager) GetKey(keyID string) (*SSES3Key, bool) {
-	// No-op: With envelope encryption, keys are not cached
-	// Each object's metadata contains the encrypted DEK
-	return nil, false
-}
-
 // GetMasterKey returns a derived key from the master KEK for STS signing
 // This uses HKDF to isolate the STS security domain from the SSE-S3 domain
 func (km *SSES3KeyManager) GetMasterKey() []byte {
@@ -596,47 +580,6 @@ func InitializeGlobalSSES3KeyManager(filerClient *wdclient.FilerClient, grpcDial
 	return globalSSES3KeyManager.InitializeWithFiler(wrapper)
 }
 
-// ProcessSSES3Request processes an SSE-S3 request and returns encryption metadata
-func ProcessSSES3Request(r *http.Request) (map[string][]byte, error) {
-	if !IsSSES3RequestInternal(r) {
-		return nil, nil
-	}
-
-	// Generate or retrieve encryption key
-	keyManager := GetSSES3KeyManager()
-	key, err := keyManager.GetOrCreateKey("")
-	if err != nil {
-		return nil, fmt.Errorf("get SSE-S3 key: %w", err)
-	}
-
-	// Serialize key metadata
-	keyData, err := SerializeSSES3Metadata(key)
-	if err != nil {
-		return nil, fmt.Errorf("serialize SSE-S3 metadata: %w", err)
-	}
-
-	// Store key in manager
-	keyManager.StoreKey(key)
-
-	// Return metadata
-	metadata := map[string][]byte{
-		s3_constants.AmzServerSideEncryption: []byte(SSES3Algorithm),
-		s3_constants.SeaweedFSSSES3Key:       keyData,
-	}
-
-	return metadata, nil
-}
-
-// GetSSES3KeyFromMetadata extracts SSE-S3 key from object metadata
-func GetSSES3KeyFromMetadata(metadata map[string][]byte, keyManager *SSES3KeyManager) (*SSES3Key, error) {
-	keyData, exists := metadata[s3_constants.SeaweedFSSSES3Key]
-	if !exists {
-		return nil, fmt.Errorf("SSE-S3 key not found in metadata")
-	}
-
-	return DeserializeSSES3Metadata(keyData, keyManager)
-}
-
 // GetSSES3IV extracts the IV for single-part SSE-S3 objects
 // Priority: 1) object-level metadata (for inline/small files), 2) first chunk metadata
 func GetSSES3IV(entry *filer_pb.Entry, sseS3Key *SSES3Key, keyManager *SSES3KeyManager) ([]byte, error) {