feat(form-builder): retry history table + integration (WS-6)

Per-attempt retry history (timestamp, user, outcome, exception detail
if failed) replaces the counter-only retry_count tracking.

Changes:

- New `form_submission_action_failure_retry_attempts` table (cascade on
  parent delete, nullOnDelete on user). Explicit short FK names
  (`fsafra_failure_fk`, `fsafra_user_fk`) — auto-generated names exceed
  MySQL's 64-char identifier limit.
- New FormSubmissionActionFailureRetryAttempt model + factory +
  succeeded() state.
- Parent FormSubmissionActionFailure gets retryAttempts() HasMany
  relation (latest('attempted_at')).
- New FormFailureRetryService centralises the retry-flow logic. Both
  the API controller and the artisan command delegate to it. Service
  writes a retry_attempt record per attempt; parent's retry_count
  stays as denormalised cache for index-view performance.
- Successful retry: attempt(succeeded) + parent.retry_count++ +
  parent.resolved_at + parent.resolved_by_user_id + parent.resolved_note
  ("Geslaagde retry door {actor.name}" or "Geslaagde retry
  (geautomatiseerd)" for command-line invocation without an actor).
- Failed retry: attempt(failed) with NEW exception details +
  parent.retry_count++. Parent's exception_class/_message stay
  audit-immutable — they represent the FIRST failure.
- canBeRetried() now correctly checks both resolved_at AND
  dismissed_at (sessie 2's open question Q2 closure).
- New FailureNotRetriableException (controller → 422) and
  ParentSubmissionGoneException (controller → 410) for cleaner
  flow control.

12 new tests:
- FormSubmissionActionFailureRetryAttemptTest (5 unit tests)
- RetryFlowProducesRetryAttemptsTest (7 integration tests covering
  succeeded path, failed path, resolved/dismissed blocking,
  multiple-retries chronological ordering, canBeRetried truth tables)

Pre-existing tests touched:
- FormSubmissionActionFailureTest::test_can_be_retried_only_for_open_state
  — updated to reflect Q2 closure (resolved now blocks too).
- Ws6FoundationMigrationTest::test_down_methods_clean_up_columns_and_table
  — child table must drop before parent (FK constraint).
- 5 backfill test step-counts bumped +1 (new migration sits at top).

SCHEMA.md → v2.9. Schema dump regenerated.

Refs: RFC-WS-6.md §3 Q5 addendum, sessie 2 Q2

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

dev-docs/SCHEMA.md

@@ -1,10 +1,19 @@
 # Crewli — Core Database Schema
 
 > Source: Design Document v1.3 — Section 3.5  
-> **Version: 2.8** — Updated April 2026
+> **Version: 2.9** — Updated April 2026
 >
 > **Changelog:**
 >
+> - v2.9: WS-6 session 3c — `form_submission_action_failure_retry_attempts`
+>   table added. Per-attempt retry history (timestamp, user, outcome,
+>   exception details if failed) replaces the counter-only `retry_count`
+>   tracking on the parent. Parent's `retry_count` stays as denormalised
+>   cache; service layer (`FormFailureRetryService`) keeps both in sync.
+>   `canBeRetried()` now correctly checks both `resolved_at` AND
+>   `dismissed_at` (sessie 2 Q2 closure).
+>   RFC-WS-6.md §3 Q5 addendum.
+>
 > - v2.8: WS-6 session 3a.5 — `companies.kvk_number` column added
 >   (nullable, indexed). Aligns with the binding-target registry's
 >   B2B identity-key candidate. Registry entries renamed/removed in
@@ -2601,6 +2610,33 @@ that aggregates the user's submitted, non-test `form_submissions`.
 
 ---
 
+### `form_submission_action_failure_retry_attempts`
+
+> **v2.9 — WS-6 sessie 3c (RFC-WS-6.md §3 Q5 addendum)** Per-attempt retry
+> history. Sessie 1's `form_submission_action_failures.retry_count` is a
+> counter only; this table adds per-attempt records (timestamp, user,
+> outcome, exception details if failed) so the admin UI can show retry
+> history with full context. Parent's `retry_count` stays as denormalised
+> cache for index-view performance; the service layer (`FormFailureRetryService`)
+> keeps both in sync per retry.
+
+| Column                                | Type                          | Notes                                                              |
+| ------------------------------------- | ----------------------------- | ------------------------------------------------------------------ |
+| `id`                                  | ULID                          | PK                                                                 |
+| `form_submission_action_failure_id`   | ULID FK                       | → form_submission_action_failures, cascade delete (FK name `fsafra_failure_fk` to fit MySQL's 64-char identifier limit) |
+| `attempted_at`                        | timestamp                     | When the retry was invoked                                         |
+| `attempted_by_user_id`                | ULID FK nullable              | → users, null on delete (FK name `fsafra_user_fk`)                 |
+| `outcome`                             | enum                          | `succeeded` \| `failed`                                            |
+| `exception_class`                     | string(255) nullable          | Captured per-attempt — parent's `exception_class` stays audit-immutable (represents FIRST failure) |
+| `exception_message`                   | text nullable                 | Captured per-attempt                                               |
+| `created_at`, `updated_at`            | timestamps                    |                                                                    |
+
+**Relations:** `belongsTo` failure, attemptedBy (User)  
+**Indexes:** `fsafra_failure_attempt_idx` on `(form_submission_action_failure_id, attempted_at)`  
+**Soft delete:** no — audit table; retention via parent failure cascade-delete
+
+---
+
 **Activity log strategy:** explicit calls via
 `FormSchema::logSchemaChange()` and `FormField::logFieldChange()` — no
 `LogsActivity` trait (would produce noise). Only impactful events