feat: add policy client and tests

[nborges-aws]

Issue #, if available: Issue #392

Description of changes:

• Add PolicyEngineClient with__getattr__passthrough
• Control plane allowlisted methods (14):
  • Policy engine CRUD: create_policy_engine, get_policy_engine, list_policy_engines, update_policy_engine, delete_policy_engine
  • Policy CRUD: create_policy, get_policy, list_policies, update_policy, delete_policy
  • Policy generation: start_policy_generation, get_policy_generation, list_policy_generations, list_policy_generation_assets
• Add *_and_wait polling methods using shared wait_until/wait_until_deleted utilities:
  • create_policy_engine_and_wait, update_policy_engine_and_wait, delete_policy_engine_and_wait
  • create_policy_and_wait, delete_policy_and_wait
• Add higher-level orchestration methods:
  • generate_policy_asset_and_wait — starts NL→Cedar generation, polls until complete, optionally fetches generated assets
  • generate_and_create_policy — end-to-end flow: generate asset + create policy from it in one call
  • create_policy_from_generation_asset — creates a policy from a specific generation asset
  • create_or_get_policy_engine / create_or_get_policy — idempotent creates (handles ConflictException by finding existing resource)
• All *_and_wait methods accept WaitConfig for configurable polling behavior and apply convert_kwargs for snake_case support

Test plan:

• Integration tests (10 total):
  • Full CRUD lifecycle: create engine → get (camelCase + snake_case) → update → create policy → get policy → list engines → list policies → delete policy → delete engine
  • Validates passthrough, snake_case conversion, *_and_wait polling, and cleanup
• Unit tests (30 total, all passing):
  • Init: region, region fallback, boto3 client creation, integration_source
  • Passthrough: CP forwarding, snake_case conversion, AttributeError on unknown method, allowlist contents
  • Generate policy: immediate success, fetch assets, polling, failure, timeout
  • Create from generation asset: definition shape, optional params
  • Wait methods: immediate active, polling, failed status, timeout (engine + policy)
  • Idempotent creates: new resource, conflict → find existing, not found → reraise, non-conflict error → reraise

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

[github-actions]

✅ No Breaking Changes Detected

No public API breaking changes found in this PR.

[Hweinstock]

Nice! I like the client. Few questions on the integ tests, but otherwise looks good.

[Hweinstock]

should we poll here instead of waiting?

[nborges-aws]

Yep. I added the short delay just as a safeguard, but delete_and_wait method is more robust. I'll change to use that

[Hweinstock]

should we verify that the policy actually updated?

[nborges-aws]

Definitely. I'll assert against the description

[Hweinstock]

is this used anywhere?

[nborges-aws]

Good catch. I previously needed this in the cedar statement for one of the tests, but found a way around it. Leftover artifact that can be removed.

[Hweinstock]

nit: if a gateway exists, but the lookup fails, the user sees a conflict exception here. Not sure how this could happen, but we might want a better error to avoid confusing customers.

[nborges-aws]

Will update error messaging here

[Hweinstock]

should we also test create_or_get methods?

[nborges-aws]

Yep, I'll add these