feat: annotation copy-directive condition key and replication actions

[harshavardhana]

Follow-up to #238 (object annotation IAM actions).

• New condition key s3:x-amz-annotation-directive (CopyObject COPY/EXCLUDE), wired into PutObjectAction.
• New actions s3:ReplicateObjectAnnotation and s3:GetObjectVersionAnnotationForReplication for annotation replication, registered in the supported action sets and condition-key map.

Summary by CodeRabbit

• New Features
  • Added S3 replication support for object annotations, including new replication-related actions.
  • Introduced the x-amz-annotation-directive condition key to enable more granular policy control for object operations (including CopyObject).

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 13cd0b4a-f9d8-480e-afb7-22cc84c17619

📥 Commits

Reviewing files that changed from the base of the PR and between 27bec3d and ba1adfc.

📒 Files selected for processing (1)

• policy/action.go

---

📝 Walkthrough

Walkthrough

Two new exported Action constants for S3/MinIO replication annotation (ReplicateObjectAnnotationAction, GetObjectVersionAnnotationForReplicationAction) are added to policy/action.go, registered in SupportedActions and SupportedObjectActions maps. A new condition key constant S3XAmzAnnotationDirective is added to policy/condition/keyname.go, included in AllSupportedKeys, and linked to both PutObjectAction and the two new annotation actions in createActionConditionKeyMap.

Changes

S3 Annotation Replication Actions and Condition Key

Layer / File(s)	Summary
S3XAmzAnnotationDirective condition key policy/condition/keyname.go	Declares S3XAmzAnnotationDirective as a new KeyName constant (s3:x-amz-annotation-directive) and appends it to the AllSupportedKeys slice.
Annotation replication action constants and support maps policy/action.go	Adds ReplicateObjectAnnotationAction and GetObjectVersionAnnotationForReplicationAction constants, registers both in SupportedActions and SupportedObjectActions map literals with multi-line aligned reformatting.
Condition key to action wiring policy/action.go	Extends PutObjectAction with S3XAmzAnnotationDirective condition key support, and creates new entries in createActionConditionKeyMap for ReplicateObjectAnnotationAction and GetObjectVersionAnnotationForReplicationAction, each mapped to condition keys based on S3VersionID, ExistingObjectTag, and common keys.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐇 Hippity-hop, new actions appear,
Annotation replication is finally here!
A directive key hops into the map,
PutObject and friends fill a new gap.
The rabbit stamps keys with a cheerful tap! 🗝️

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The pull request title accurately and specifically describes the main changes: adding annotation copy-directive condition key and replication actions. It is concise, clear, and directly aligned with the changeset.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@policy/action.go`:
- Around line 315-317: The two new actions ReplicateObjectAnnotationAction and
GetObjectVersionAnnotationForReplicationAction are registered as supported
actions but are missing entries in the createActionConditionKeyMap function. Add
condition-key map entries for both ReplicateObjectAnnotationAction and
GetObjectVersionAnnotationForReplicationAction in the
createActionConditionKeyMap function, mapping them to their appropriate
condition keys (following the pattern of similar replication or
annotation-related actions already defined in the map). This ensures these
actions have explicit action-scoped condition keys instead of relying on common
fallback keys, preventing incorrect IAM condition behavior.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: f4d037b3-0d4e-41bd-a0c5-339dc95eb9af

📥 Commits

Reviewing files that changed from the base of the PR and between 67c6f0f and 27bec3d.

📒 Files selected for processing (2)

• policy/action.go
• policy/condition/keyname.go