Description

This PR hardens the legacy pipe receiver file-transfer path and aligns its RPC access checks with normal client-
session expectations.

Changes

• Validate legacy pipe receiver file names before any file I/O.
• Reject empty names, path separators, .., and normalized paths outside the receiver file-data directory.
• Apply the same file-name validation when handling received TsFilePipeData.
• Require an authenticated session with USE_PIPE privilege for legacy handshake, sendFile, and sendPipeData.
• Make the legacy pipe sink open a normal client session before invoking legacy pipe RPCs, preserving built-in
  connector behavior.
• Add focused unit coverage for rejected unsafe names and accepted normal file writes.

Tests

• mvn '-Ddevelocity.off=true' '-Dscan=false' '-pl' 'iotdb-core/datanode' 'spotless:apply'
• git diff --check
• mvn '-Ddevelocity.off=true' '-Dscan=false' '-pl' 'iotdb-core/datanode' '-Dtest=IoTDBLegacyPipeReceiverAgentTest' 'test'

This PR has:

• been self-reviewed.
  • concurrent read
  • concurrent write
  • concurrent read and write
• added documentation for new or modified features or behaviors.
• added Javadocs for most classes and all non-trivial methods.
• added or updated version, license, or notice information
• added comments explaining the "why" and the intent of the code wherever would not be obvious
  for an unfamiliar reader.
• added unit tests or modified existing tests to cover new code paths, ensuring the threshold
  for code coverage.
• added integration tests.
• been tested in a test IoTDB cluster.

Key changed/added classes (or packages if there are too many classes) in this PR