feat: add SHA-256 checksum verification for backup integrity

Addresses community feedback about 0KB corrupted backup files going
undetected after upload.

Implementation:
- Compute SHA-256 hash of final artifact (after compress/encrypt) before upload
- After each storage target upload, download the file back and verify
  the hash matches the local checksum
- If verification fails: mark that target as failed, auto-delete the
  corrupted remote file, and log detailed mismatch info
- Store checksum in BackupRecord model (new `checksum` column)
- Display truncated SHA-256 with copy button in backup records UI

Verification flow per storage target:
  local SHA-256 → upload → download → remote SHA-256 → compare
  - match: mark success
  - mismatch: mark failed + delete corrupted remote file

web/src/types/backup-records.ts

@@ -19,6 +19,7 @@ export interface BackupRecordSummary {
   status: BackupRecordStatus
   fileName: string
   fileSize: number
+  checksum: string
   storagePath: string
   durationSeconds: number
   errorMessage: string