fix(s3): list bucket via plain fetch to avoid CORS preflight rejection

`@aws-sdk/client-s3` attaches `x-amz-content-sha256`, `x-amz-user-agent`,
`amz-sdk-invocation-id`, and `amz-sdk-request` headers, which force a CORS
preflight. Buckets whose `AllowedHeaders` rule doesn't cover them reject
the preflight, breaking `s3://` URI loading even for public anonymous
buckets (reproduced against IDC's `idc-open-data` and `idc-open-data-two`,
issue #869).

Replace the SDK-driven `ListObjectsV2Command` with a plain `fetch()` of the
same XML endpoint. The request becomes CORS-simple (no preflight), and the
SDK dependency is dropped entirely.

- Adds retry with exponential backoff and jitter (3 attempts) on transient
  5xx / 408 / 429 / network errors.
- Tests cover listing, pagination, retry, retry-exhaustion, and a
  no-custom-headers invariant guarding against regression.
- `@aws-sdk/client-s3` removed from devDependencies.

Author: PaulHax