feat(backup): add dormant /check-backup verifier (ADR-022)

.claude/commands/check-backup.md

@@ -0,0 +1,29 @@
+---
+description: Backup-coverage verification (ADR-022) — proves a service's declared backup state is actually captured.
+---
+
+Verify that a service's **declared** backup data (`backup__*`) is actually captured in
+the backup repo, so the verifier and `BACKUP.md` can never disagree (the ADR-021 pattern,
+applied to backups). Argument: a service/role name (e.g. `/check-backup nextcloud`).
+
+**Dormant until the backup node exists** (Plan 2/3): with no `fisi` repo to query, this
+command reports `not-yet-available` rather than failing.
+
+## Preconditions
+
+- `roles/<name>/` carries `backup__*` data (or `backup__state: false` with a reason).
+- The backup node (`fisi`) is reachable and its restic repo exists. If not → report
+  `not-yet-available` and stop.
+
+## Checks (when live)
+
+Load the `backup__*` data for the resolved role, then:
+
+| Check | How | Green when |
+|---|---|---|
+| snapshot freshness | `restic snapshots --tag <backup__service> --latest 1` | a snapshot ≤ ~24 h old exists |
+| paths present | the latest snapshot contains every `backup__paths` entry | all declared paths present |
+| dumps present | the snapshot contains every `backup__dumps[*].dest` | all declared dumps present |
+| integrity | `restic check --read-data-subset` (sampled) | no errors |
+
+Report per-check pass/fail; a stateless role (`backup__state: false`) reports `n/a (stateless)`.