feat(db) resource version cas

[derekwaynecarr]

Summary

Add Compare-And-Swap (CAS) infrastructure for safe concurrent object mutations
and migrate critical paths to use it. This prevents lost updates in HA
deployments with multiple gateway replicas.

Core infrastructure:

• Add resource_version field to ObjectMeta proto (uint64)
• Add resource_version column to objects table (SQLite: INTEGER, Postgres: BIGINT)
• Add WriteCondition enum (MustCreate, MatchResourceVersion, Unconditional)
• Add PersistenceError::Conflict variant for version mismatch
• Add Store::put_if() and Store::delete_if() CAS methods
• Add Store::update_message_cas() with bounded retry for mutations
• Implement CAS operations for both SQLite and Postgres backends
• Hydrate resource_version on all typed reads (defaults to 1 for backfill)

Migrations:

• Migrate policy mutations to CAS (draft operations, settings)
• Migrate provider updates to CAS (credentials, config merging)
• Migrate sandbox updates to CAS (phase transitions, status reconciliation)
• Migrate compute status updates to CAS (driver watch event handling)

Database migrations backfill existing rows with resource_version = 1.
CAS updates increment atomically: resource_version = resource_version + 1.

gRPC handlers map PersistenceError::Conflict to ABORTED status code
to signal clients to retry with fresh data. Server-side retries use
bounded retry (5 attempts) with fresh reads on each iteration.

Test coverage includes concurrent update scenarios and handler-level
resource_version round-trip tests.

Related Issue

Fixes #1255

Changes

Testing

• [x ] mise run pre-commit passes
• [ x] Unit tests added/updated
• [ x] E2E tests added/updated (if applicable)

Checklist

• [ x] Follows Conventional Commits
• [ x] Commits are signed off (DCO)
• [ x] Architecture docs updated (if applicable)

[copy-pr-bot]

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

[derekwaynecarr]

@johntmyers ptal. updated per prior feedback, also updated all proto paths that required CAS enablement. the recently merged draft chunk work is not covered right now, i would like to leave that as a follow-on.

[derekwaynecarr]

All prior comments are resolved.

• All create/update paths for all objects that have an ObjectMeta with resource version have been updated.
• All list and gets should properly hydrate resource version as well.
• Updated arch docs.

[derekwaynecarr]

/ok to test d65c359

[derekwaynecarr]

failure due to flaky test, fix #1417