fix(provisioning): preserve policy document semantics

[GatewayJ]

Type of Change

• New Feature
• Bug Fix
• Documentation
• Performance Improvement
• Test/CI
• Refactor
• Other:

Related Issues

N/A

Summary of Changes

• Preserve the raw ConfigMap policy document when applying RustFS canned policies so write semantics are not changed by hash normalization.
• Keep policy hash comparison non-destructive while normalizing RustFS default empty fields and sorted action/resource arrays.
• Preserve RustFS-supported NotAction and NotResource fields, plus non-empty optional fields such as ID, Sid, and Condition.
• Add regression coverage for raw policy apply payloads and stale policy status metadata updates when live and desired hashes match.

Checklist

• I have read and followed the CONTRIBUTING.md guidelines
• Passed make pre-commit (fmt-check + clippy + test + console-lint + console-fmt-check)
• Added/updated necessary tests
• Documentation updated (if needed)
• CHANGELOG.md updated under [Unreleased] (if user-visible change)
• CI/CD passed (if applicable)

Impact

• Breaking change (CRD/API compatibility)
• Requires doc/config/deployment update
• Other impact: fixes policy provisioning drift handling without changing CRD shape

Verification

cargo test --lib provisioning
make pre-commit

Additional Notes

Follow-up fix for the policy normalization behavior introduced around RustFS provisioning drift detection. The previous implementation reused the normalized document for writes, which could drop supported policy fields before calling the RustFS admin API.

---

Thank you for your contribution! Please ensure your PR follows the community standards (CODE_OF_CONDUCT.md) and sign the CLA if this is your first contribution.