Commit beedc0b
feat(feature-store): Auto-apply S3 bucket policy in Lake Formation setup

- Add Phase 4 to enable_lake_formation() that automatically applies
  S3 deny bucket policy for Lake Formation governance
- Remove show_s3_policy and disable_hybrid_access_mode parameters
  in favor of always-on behavior
- Refactor _generate_s3_deny_policy to _generate_s3_deny_statements
  returning a list for easier policy merging
- Add _get_s3_client with caching pattern matching _get_lake_formation_client
- Add _apply_bucket_policy with idempotent Sid-based deduplication
- Improve _revoke_iam_allowed_principal to check permissions via
  list_permissions before attempting revocation
- Remove LakeFormationConfig.show_s3_policy and disable_hybrid_access_mode
- Add e2e integration test for put_record + Athena query flow
- Update unit tests for new behavior

1 parent 186f8bb commit beedc0b
3 files changed
Lines changed: 630 additions & 792 deletions
File tree
- sagemaker-mlops
  - src/sagemaker/mlops/feature_store
  - tests
    - integ
    - unit/sagemaker/mlops/feature_store
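An added example, not code from this commit: one way to merge a list of deny statements into a bucket's existing policy idempotently, keyed on `Sid`, as the commit message describes for `_apply_bucket_policy`. The function name `merge_statements`, the sample `Sid`, actions and ARNs are hypothetical, and replacing a stale statement that carries the same `Sid` is an assumption about the desired behavior.

```python
import copy
import json

# Constructed sample: the page does not show the real statements, so this
# Sid, the actions and the ARNs are placeholders.
SAMPLE_DENY = [{
    "Sid": "ExampleDenyNonLakeFormationAccess",
    "Effect": "Deny",
    "Principal": "*",
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::example-bucket/example-prefix/*",
    "Condition": {"ArnNotEquals": {
        "aws:PrincipalArn": "arn:aws:iam::111122223333:role/ExampleLakeFormationRole"}},
}]


def merge_statements(existing_policy_json, new_statements):
    """Return (policy, changed) after merging new_statements by Sid.

    existing_policy_json is the bucket's current policy document, or None
    when the bucket has no policy. Statements owned by other tools are kept.
    """
    if existing_policy_json:
        policy = json.loads(existing_policy_json)
    else:
        policy = {"Version": "2012-10-17", "Statement": []}
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # IAM permits a single statement object
        statements = [statements]
    merged = copy.deepcopy(statements)
    by_sid = {s["Sid"]: i for i, s in enumerate(merged) if "Sid" in s}
    changed = False
    for stmt in new_statements:
        if "Sid" not in stmt:
            raise ValueError("managed statements need a Sid to be deduplicated")
        idx = by_sid.get(stmt["Sid"])
        if idx is None:
            by_sid[stmt["Sid"]] = len(merged)
            merged.append(copy.deepcopy(stmt))
            changed = True
        elif merged[idx] != stmt:
            merged[idx] = copy.deepcopy(stmt)  # replace a stale copy in place
            changed = True
    policy["Statement"] = merged
    return policy, changed
```

The `changed` flag lets a caller skip the policy write when a re-run finds the statements already in place, so repeated setup runs leave the bucket policy untouched.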