[AZ-316] Implement C11 HttpTileDownloader (batch 40)

Lands the operator-side pre-flight download path: authenticated
httpx GETs against satellite-provider, RESTRICT-SAT-4 (>= 0.5 m/px)
enforcement at the C11 boundary, c6 writes via consumer-side cuts
(_TileWriterLike, _BudgetEnforcerLike), per-(flight_id, request_hash)
journal under cache_root/.c11/journal/ for idempotent re-runs (AC-8,
AC-12), 429 Retry-After + 5xx exponential backoff handling, fail-fast
on TLS / 401 / 403, and a redacted-bearer auth-header policy.

Architecture:
- AZ-507 cross-component rule held: tile_downloader.py imports zero
  c6 symbols; the composition-root _C6DownloadAdapter in
  runtime_root/c11_factory.py absorbs c6's TileMetadata / TileSource /
  FreshnessLabel / VotingStatus enum assembly.
- Sleep-callable injection (not full Clock) per Batch 39 precedent;
  default routes through WallClock.sleep_until_ns to keep the AZ-398
  invariant intact.
- No FDR records on the download path; spec mandates structured logs
  only (8 log kinds wired: session.start/end, resolution_rejected,
  freshness_rejected_summary, freshness_downgraded, batch.retry,
  provider.failed, budget.exceeded, idempotent_no_op).

Tests: 14 new downloader unit tests covering AC-1..AC-9, AC-11, AC-12
plus throughput NFR + 429 HTTP-date + 429 budget exhaustion; 2 new
TileDownloader Protocol conformance tests (AC-10). Full unit suite:
1420 passed, 80 skipped (env-gated), 0 failed.

Code review: PASS_WITH_WARNINGS (5 Low findings, all documentation
or downstream-blocked). See _docs/03_implementation/reviews/
batch_40_review.md and batch_40_cycle1_report.md.

Co-authored-by: Cursor <cursoragent@cursor.com>

tests/unit/c11_tile_manager/test_protocol_conformance.py

@@ -1,8 +1,8 @@
-"""AZ-319 AC-12 — `HttpTileUploader` satisfies the `TileUploader` Protocol.
+"""C11 protocol conformance — uploader (AZ-319 AC-12) + downloader (AZ-316 AC-10).
 
-Smoke-test that the concrete impl exposes every method the Protocol
-requires (positive case) and that a partial fake omitting one of the
-three required methods is correctly rejected (negative case).
+Smoke-tests that each concrete impl exposes every method its Protocol
+requires (positive cases) and that partial fakes omitting one of the
+required methods are correctly rejected (negative cases).
 """
 
 from __future__ import annotations
@@ -13,9 +13,13 @@ import httpx
 
 from gps_denied_onboard.components.c11_tile_manager import (
     C11Config,
+    HttpTileDownloader,
     HttpTileUploader,
 )
-from gps_denied_onboard.components.c11_tile_manager.interface import TileUploader
+from gps_denied_onboard.components.c11_tile_manager.interface import (
+    TileDownloader,
+    TileUploader,
+)
 from gps_denied_onboard.fdr_client.fakes import FakeFdrSink
 
 _PRODUCER_ID = "c11_tile_manager.tile_uploader"
@@ -38,6 +42,13 @@ class _PartialFakeMissingConfirm:
         return []
 
 
+class _PartialDownloaderMissingEnumerate:
+    """Conformance counterexample: missing ``enumerate_remote_coverage``."""
+
+    def download_tiles_for_area(self, request: object) -> object:  # noqa: ARG002
+        return None
+
+
 def test_ac12_concrete_uploader_satisfies_protocol() -> None:
     # Arrange — supply minimal-yet-valid dependencies; the Protocol
     # check only inspects method names, not their behaviour.
@@ -68,3 +79,32 @@ def test_ac12_concrete_uploader_satisfies_protocol() -> None:
 def test_ac12_partial_fake_is_not_protocol_conformant() -> None:
     # Assert
     assert not isinstance(_PartialFakeMissingConfirm(), TileUploader)
+
+
+def test_ac10_concrete_downloader_satisfies_protocol() -> None:
+    # Arrange
+    cfg = C11Config(
+        satellite_provider_url="https://parent-suite.test",
+        service_api_key="conformance-test-key",
+        download_http_timeout_s=5.0,
+        download_max_5xx_retries=4,
+        download_max_retry_after_s=600,
+        download_resolution_floor_m_per_px=0.5,
+    )
+    transport = httpx.MockTransport(lambda r: httpx.Response(200, json={"tiles": []}))
+    downloader = HttpTileDownloader(
+        http_client=httpx.Client(transport=transport, base_url="https://parent-suite.test"),
+        tile_writer=object(),  # type: ignore[arg-type]
+        budget_enforcer=object(),  # type: ignore[arg-type]
+        logger=logging.getLogger("test_az316_conformance"),
+        config=cfg,
+        sleep=_NullSleep(),
+    )
+
+    # Assert
+    assert isinstance(downloader, TileDownloader)
+
+
+def test_ac10_partial_downloader_is_not_protocol_conformant() -> None:
+    # Assert
+    assert not isinstance(_PartialDownloaderMissingEnumerate(), TileDownloader)