feat: add SHA-256 checksum verification for backup integrity

Addresses community feedback about 0KB corrupted backup files going
undetected after upload.

Implementation:
- Compute SHA-256 hash of final artifact (after compress/encrypt) before upload
- After each storage target upload, download the file back and verify
  the hash matches the local checksum
- If verification fails: mark that target as failed, auto-delete the
  corrupted remote file, and log detailed mismatch info
- Store checksum in BackupRecord model (new `checksum` column)
- Display truncated SHA-256 with copy button in backup records UI

Verification flow per storage target:
  local SHA-256 → upload → download → remote SHA-256 → compare
  - match: mark success
  - mismatch: mark failed + delete corrupted remote file

web/src/pages/backup-records/BackupRecordsPage.tsx

@@ -98,6 +98,11 @@ export function BackupRecordsPage() {
         <Space direction="vertical" size={2}>
           <Typography.Text>{record.fileName || '-'}</Typography.Text>
           <Typography.Text type="secondary">{formatBytes(record.fileSize)}</Typography.Text>
+          {record.checksum && (
+            <Typography.Text type="secondary" copyable style={{ fontSize: 11 }}>
+              SHA-256: {record.checksum.substring(0, 16)}...
+            </Typography.Text>
+          )}
         </Space>
       ),
     },

web/src/types/backup-records.ts

@@ -19,6 +19,7 @@ export interface BackupRecordSummary {
   status: BackupRecordStatus
   fileName: string
   fileSize: number
+  checksum: string
   storagePath: string
   durationSeconds: number
   errorMessage: string