docs(backup): add BACKUP.md step to new-role runbook (ADR-022)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

docs/runbooks/new-role.md

@@ -103,7 +103,18 @@ rendered from that data; the admin-API path must `firewall_ref` an entry in the
 `/check-access <rolename>` proves the documented paths are live — part of the
 service-clearance gate (`docs/security/service-checklist.md`).
 
-### 12. Commit
+### 12. Write the per-service backup record (stateful services)
+
+For a **stateful** service role, copy `docs/backup/service-backup-template.md` to
+`roles/<rolename>/BACKUP.md` and populate the role's `backup__*` data (`backup__service`,
+`backup__paths`, `backup__dumps` — `cmd` + `dest` per logical dump — and `backup__quiesce`;
+ADR-022). Prefer logical dumps (`pg_dump`/`mysqldump`) over file-level DB copies. `BACKUP.md`
+is rendered from that data. A **stateless** service sets `backup__state: false` with a
+reason and gets no `BACKUP.md`. Once the backup node exists, `/check-backup <rolename>`
+proves the declared state is captured — part of the service-clearance gate
+(`docs/security/service-checklist.md`).
+
+### 13. Commit
 
 ```bash
 git checkout -b role/<rolename>