feat(restore): restore-health ingest, alerting & overdue sweep (PR2)

[passcod]

🤖 PR2 of the PGRO restore-verification integration (TAM-6877): the reports-in / health half. Stacked on #293 — review/merge that first.

Closes the lifecycle loop: produced → persisted → restorable. The consumer reports each replica's restore outcome; a failed or overdue restore is a group-level incident that pages regardless of any one server's monitoring state.

What's here

• backup_restore_checks table + database::restore::BackupRestoreCheck. record_report writes the report and raises or recovers a per-(server, type, intent) group-level restore-verification alert (via the existing raise_group_event + the RESTORE_VERIFICATION ref). Per-replica keying means a healthy verify never masks a failing disaster-recovery on the same server; success-and-healthy recovers, anything else (including restored-but-unhealthy) raises.
• Overdue-freshness sweep (sweep_overdue, hooked into database::backup::sweep() — the 60s monitor loop): raises restore-verification for any enabled, capability-supported, freshness-bound replica whose last healthy report is missing or older than its window. Gaps (unsupported intents) are skipped — they're config notices, not health incidents. Recovery is driven by the next healthy report, so the sweep only raises.
• POST /restore-verification (backup-restore role): same declaration-based authz as credentials, records the report, drives the alert. Outcome is success/failure only (no unsupported — that's handled by capability filtering upstream).
• Operator UI: a Recent restore checks panel on /restore-replicas, backed by a restore_replicas/checks admin endpoint.

Wire shapes

RestoreVerification carries server_id, intent, and the optional replica_id (from the worklist entry) on top of the handoff's original fields — frozen now for the bestool Appendix A restatement.

Tests

• database::restore — record_report raise→recover, restored-but-unhealthy still raises, sweep_overdue raises for stale replicas and skips gaps.
• public-server::restore — /restore-verification 403 without a declaration; records a check row and raises an active group issue with one.
• private-web/e2e — the restore-health panel renders a seeded check with its outcome.

[passcod]

🤖 Added a trailing unplan(restore) commit: removes the now-implemented coordination docs docs/plans/pgro-restore-verification-handoff.md and docs/plans/pgro-restore-replicas-canopy-response.md. The durable spec .workhorse/specs/public-server/restore-replicas.md stays. So this PR both ships restore-health and unplans the restore design docs as it lands.