feat(backup): skip-if-unchanged + scheduled CronJob in the chart

Builds on the dedicated backup (erp#31).

Skip-if-unchanged: each half (DB / documents) carries a content fingerprint at
erp/<env>/.fp-{db,docs} and is dumped+uploaded only if it differs from the last
run — a quiet ERP day re-uploads nothing. Fingerprint = durable BUSINESS content
only: DB = count+max(tms) over tms tables EXCEPT volatile churn (llx_const,
llx_user, session/cron); docs EXCLUDE */temp/* (Dolibarr stats cache) — from both
the fingerprint and the tar. Proven live: 1st run uploads both, immediate 2nd run
skips both (uploaded=0).

Automation: the in-container logic moves to chart/files/backup-job.sh (single
source of truth, read by the orchestrator AND the chart). New
chart/templates/backup-cronjob.yaml renders a daily CronJob + ConfigMap +
VaultStaticSecret, gated by backup.enabled (default false). Helm-verified: off by
default (0 CronJobs), on renders correctly, env-aware (PREFIX erp/prod vs
erp/sandbox), script embedded.

Activation (documented): store GCS HMAC creds at kvv2/<backup.vaultS3Path>
(default erp/backup), grant the erp `auth` Vault role read on it (tools change),
set backup.enabled=true. Until then the orchestrator runs on demand.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

chart/values.yaml

@@ -132,3 +132,15 @@ nodeSelector: {}
 tolerations: []
 
 affinity: {}
+
+# Dedicated offsite backup of the Dolibarr DB + documents (see ops/backup/README.md).
+# DISABLED by default — enable once the S3 creds VaultStaticSecret resolves (the
+# `auth` Vault role must be granted read on kvv2/<vaultS3Path>). The manual
+# orchestrator ops/backup/dolibarr-backup.sh works today without this.
+backup:
+  enabled: false
+  schedule: "0 3 * * *"        # daily 03:00 UTC
+  bucket: arcodange-backup
+  pgHost: "192.168.1.202"      # direct Postgres host (matches ops/sandbox + ops/backup)
+  image: postgres:16-alpine
+  vaultS3Path: erp/backup      # kvv2/<this> → AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY / AWS_ENDPOINTS