[AZ-320] Add C11 IdempotentRetryTileUploader decorator

Wraps HttpTileUploader (AZ-319) with two bounded retry budgets:

- In-call (per-batch) — re-invokes inner on PARTIAL outcome up to
  `max_in_call_retries` times with capped exponential backoff
  (`min(base ** attempt_number, cap)`). On exhaustion: surfaces an
  operator hint via `next_retry_at_s = now + backoff_cap_s`.
- Per-tile (cross-call) — atomically increments c6's
  `tiles.upload_attempts` counter for every rejection; once a tile
  hits `max_per_tile_attempts` it is forward-only transitioned to
  `voting_status = upload_giveup` (excluded from `pending_uploads`).
  Each transition emits FDR `kind="c11.upload.giveup"` plus an
  ERROR log.

C6 contract changes (AZ-303 v1.3.0):
- VotingStatus.UPLOAD_GIVEUP added (forward-only from PENDING/TRUSTED).
- TileMetadataStore.increment_upload_attempts(tile_id) -> int added
  with NotImplementedError default for backwards-compat.
- Migration 0003_c11_upload_attempts: additive column +
  widened ck_tiles_voting_status (preserves IS NULL clause).

C11 wiring:
- C11RetryConfig + disable_retry_decorator on C11Config.
- build_tile_uploader wraps in decorator by default; bypass flag
  returns the bare HttpTileUploader. New `clock` keyword.

Cross-component isolation honoured (AZ-507): the decorator declares
`_RetryMetadataStoreLike` Protocol cut over c6's TileMetadataStore
and references `UPLOAD_GIVEUP` via a local string constant — no c6
imports.

Tests: 13 decorator + 1 conformance + 2 factory bypass + AC-6 enum
update + alembic head bump + AZ-272 schema fixture. 238 passed across
c11/c6/fdr suites; pre-existing perf microbenches unrelated.

Code review: PASS_WITH_WARNINGS (5 Low/Informational findings,
docs-level or downstream-CI-blocked). See
_docs/03_implementation/reviews/batch_41_review.md.

Co-authored-by: Cursor <cursoragent@cursor.com>

db/migrations/versions/0003_c11_upload_attempts.py

@@ -0,0 +1,83 @@
+"""C11 upload retry — additive ``upload_attempts`` counter on tiles.
+
+Per ``_docs/02_tasks/todo/AZ-320_c11_idempotent_retry.md``. The migration:
+
+- adds the ``tiles.upload_attempts INTEGER NOT NULL DEFAULT 0`` column
+  (per-tile retry budget for the C11 ``IdempotentRetryTileUploader``);
+- widens the ``tiles.voting_status`` CHECK to also accept the new
+  ``upload_giveup`` enum value (terminal state for a tile that
+  exhausted its per-tile retry budget — see ``VotingStatus`` v1.3.0).
+
+The migration is strictly additive on ``0002_c6_tile_identity_and_lru``.
+Existing rows default to ``upload_attempts = 0``; existing voting_status
+values (``pending``, ``trusted``, ``rejected``) remain valid. Reverse
+``downgrade()`` drops the column and restores the legacy CHECK to its
+v1.2.0 vocabulary; downgrade is destructive for any rows that hold
+``upload_giveup`` and is documented operator-only.
+
+Revision ID: 0003_c11_upload_attempts
+Revises: 0002_c6_tile_identity_and_lru
+Create Date: 2026-05-13
+"""
+
+from __future__ import annotations
+
+from collections.abc import Sequence
+
+import sqlalchemy as sa
+from alembic import op
+
+revision: str = "0003_c11_upload_attempts"
+down_revision: str | None = "0002_c6_tile_identity_and_lru"
+branch_labels: str | Sequence[str] | None = None
+depends_on: str | Sequence[str] | None = None
+
+
+_VOTING_STATUS_LEGACY = (
+    "voting_status IS NULL OR voting_status IN ('pending','trusted','rejected')"
+)
+_VOTING_STATUS_UNION = (
+    "voting_status IS NULL OR "
+    "voting_status IN ('pending','trusted','rejected','upload_giveup')"
+)
+_VOTING_STATUS_CHECK = "ck_tiles_voting_status"
+
+
+def upgrade() -> None:
+    op.add_column(
+        "tiles",
+        sa.Column(
+            "upload_attempts",
+            sa.Integer(),
+            nullable=False,
+            server_default=sa.text("0"),
+        ),
+    )
+    op.create_check_constraint(
+        "ck_tiles_upload_attempts_nonneg",
+        "tiles",
+        "upload_attempts >= 0",
+    )
+    # Voting-status CHECK: drop-and-recreate. AZ-263's 0001 created the
+    # constraint under the legacy vocabulary; widening to include
+    # 'upload_giveup' keeps the constraint as the SQL-level enforcement
+    # of the VotingStatus enum.
+    op.execute(f"ALTER TABLE tiles DROP CONSTRAINT IF EXISTS {_VOTING_STATUS_CHECK}")
+    op.create_check_constraint(
+        _VOTING_STATUS_CHECK,
+        "tiles",
+        _VOTING_STATUS_UNION,
+    )
+
+
+def downgrade() -> None:
+    op.execute(f"ALTER TABLE tiles DROP CONSTRAINT IF EXISTS {_VOTING_STATUS_CHECK}")
+    op.create_check_constraint(
+        _VOTING_STATUS_CHECK,
+        "tiles",
+        _VOTING_STATUS_LEGACY,
+    )
+    op.drop_constraint(
+        "ck_tiles_upload_attempts_nonneg", "tiles", type_="check"
+    )
+    op.drop_column("tiles", "upload_attempts")