fix(phase-03): use UUID.hex in raw SQL to fix SQLite UUID format mismatch

str(uuid_obj) produces dashed 36-char format; SQLite stores UUID as 32-char
hex without dashes, so WHERE user_id = :uid never matched. Using .hex fixes
confirm_upload (api/documents.py) and delete_document (services/storage.py).
Removes stale xfail from test_delete_decrements_quota — now passes on SQLite.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/api/documents.py

@@ -346,7 +346,7 @@ async def confirm_upload(
             "  AND (used_bytes + :delta) <= limit_bytes "
             "RETURNING used_bytes, limit_bytes"
         ),
-        {"delta": size, "uid": str(doc.user_id)},
+        {"delta": size, "uid": doc.user_id.hex},
     )
     row = result.fetchone()
 
@@ -354,7 +354,7 @@ async def confirm_upload(
         # Quota exceeded — fetch current quota state for the 413 body
         quota_result = await session.execute(
             text("SELECT used_bytes, limit_bytes FROM quotas WHERE user_id = :uid"),
-            {"uid": str(doc.user_id)},
+            {"uid": doc.user_id.hex},
         )
         q = quota_result.fetchone()
         # Delete the pending Document row and best-effort remove the MinIO object