v0.2.0 (9/N): pre-migration auto-backup of var/data.sqlite

PLAN.md §12 *Migrations on schema change* flagged this as a v1.0
prereq. SQLite has no transactional DDL — a half-applied migration
can corrupt the user's data with no rollback path. Cheapest defence
is a copy-aside before each migrate.

backupDatabase() runs at the head of runMigrations() in bundled
mode:
- skipped on first launch (no data.sqlite yet)
- copies var/data.sqlite to var/data.sqlite.<unix-timestamp>.bak
- trims to kMaxDatabaseBackups=5 most recent (mtime sort, oldest
  go first)
- copy failure logs a warning and continues; a missing safety-net
  is not a reason to refuse to boot

Dev mode is unaffected — developers own their var/data.sqlite
lifecycle and don't want a backup written every time `make dev`
restarts.

Integration test: bundled-supervisor.sh gained an assertion after
the 2nd-launch /healthz check that at least one
data.sqlite.*.bak file appears under the user data dir. Verified
locally — backup landed at the expected path.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

examples/todo/tests/bundled-supervisor.sh

@@ -192,6 +192,18 @@ done
 echo "$HEALTHZ2_BODY" | grep -q '"status":"ok"' \
     || fail "2nd-launch /healthz didn't return status:ok"
 
+# ── Pre-migration auto-backup ─────────────────────────────────────────
+# Launch 1 created data.sqlite; launch 2 should have copied it to
+# data.sqlite.<unix-timestamp>.bak before re-running migrations.
+step "verify pre-migration backup of data.sqlite was written"
+shopt -s nullglob
+backups=( "$USER_DATA"/var/data.sqlite.*.bak )
+shopt -u nullglob
+if [ "${#backups[@]}" -eq 0 ]; then
+    fail "expected at least one data.sqlite.*.bak under $USER_DATA/var after 2nd launch"
+fi
+step "found backup: ${backups[0]}"
+
 # ── Clean shutdown: SIGTERM the host, assert no Qt warning + no orphan frankenphp ──
 step "graceful shutdown — assert the supervisor kills its frankenphp child"
 SHUTDOWN_PID="$PID"