fix(auth): authorize DeleteObjects per key

[GatewayJ]

Type of Change

• New Feature
• Bug Fix
• Documentation
• Performance Improvement
• Test/CI
• Refactor
• Other: N/A

Related Issues

Fixes #2766

Summary of Changes

• Remove the whole-request bucket-level s3:DeleteObject authorization from DeleteObjects.
• Keep DeleteObjects authorization in the per-object usecase path so mixed requests return per-key results.
• Preserve s3:BypassGovernanceRetention checks by evaluating the header per object.
• Add an STS inline-policy e2e test that allows deleting only one object prefix and expects per-key AccessDenied outside that prefix.

Checklist

• I have read and followed the CONTRIBUTING.md guidelines
• Passed make pre-commit
• Added/updated necessary tests
• Documentation updated (if needed)
• CI/CD passed (if applicable)

Impact

• Breaking change (compatibility)
• Requires doc/config/deployment update
• Other impact: Aligns DeleteObjects authorization with object-level S3 policy resources. Deployments that relied on non-standard bucket-ARN s3:DeleteObject rules should use object ARNs such as arn:aws:s3:::bucket/*.

Additional Notes

Validation:

• make pre-commit
• cargo test -p e2e_test test_e2e_sts_ -- --nocapture

make pre-commit emitted Cargo jobserver warnings during doctests, but all checks completed successfully.

[github-actions]

CLA requirements are satisfied for this pull request.