Backup-Audit-Hardening: Dump-Frische-Monitoring und Scope-Konsistenz

Findings aus dem Backup-/Restore-Audit 2026-06-18 umgesetzt:

- Dump-Frische als Prometheus-Metrik (homelab_borg_dump_present /
  homelab_borg_dump_age_seconds) im Host-Exporter; schliesst den
  Blindfleck, dass Borg weiterlaeuft und stale Dumps archiviert, ohne
  Job-Fehler.
- Neue Alerts HomelabBorgDumpMissing / HomelabBorgDumpStale (critical)
  plus ALERT_RULES.md.
- Freshness-Gate (.sh + .ps1) und H:-Nearline-Pull um n8n.sqlite.dump
  und postgresql17-globals.sql ergaenzt.
- Critical-Container-Watch um mail-archiver, n8n, homeassistant,
  smarthome-mosquitto erweitert.
- BACKUP_SCOPE: /mnt/user/projekte und sonstige User-Shares ausserhalb
  App-Scope als bewusste offene Operator-Entscheidung dokumentiert;
  Hermes-data-Pfad als geparkt klargestellt.
- MASTER_TODO: Nearline-Pull-Ueberwachung, Host-Pull-Nachzug und
  projekte-Scope-Entscheidung aufgenommen.

Enthaelt ausserdem die zuvor vorbereiteten Scope-Erweiterungen
(nextcloud html+data, n8n, filebrowser, influxdb3) und Scope-Drift-/
Retention-/Compact-/Check-Alerts.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

ops/restore-tests/check-restore-freshness.ps1

@@ -6,6 +6,7 @@ param(
 )
 
 $checks = @(
+  @{ Name = "postgresql17-globals.sql"; Path = Join-Path $DumpRoot "postgresql17-globals.sql" },
   @{ Name = "postgresql17-paperless.dump"; Path = Join-Path $DumpRoot "postgresql17-paperless.dump" },
   @{ Name = "postgresql17-mailarchiver.dump"; Path = Join-Path $DumpRoot "postgresql17-mailarchiver.dump" },
   @{ Name = "mealie.dump"; Path = Join-Path $DumpRoot "mealie.dump" },
@@ -13,6 +14,7 @@ $checks = @(
   @{ Name = "nextcloud.dump"; Path = Join-Path $DumpRoot "nextcloud.dump" },
   @{ Name = "gitea.sqlite.dump"; Path = Join-Path $DumpRoot "gitea.sqlite.dump" },
   @{ Name = "vaultwarden.sqlite.dump"; Path = Join-Path $DumpRoot "vaultwarden.sqlite.dump" },
+  @{ Name = "n8n.sqlite.dump"; Path = Join-Path $DumpRoot "n8n.sqlite.dump" },
   @{ Name = "speedtest-tracker.sqlite.dump"; Path = Join-Path $DumpRoot "speedtest-tracker.sqlite.dump" },
   @{ Name = "filebrowser.bolt.dump"; Path = Join-Path $DumpRoot "filebrowser.bolt.dump" },
   @{ Name = "unraid-flash-config.tar.gz"; Path = Join-Path $DumpRoot "unraid-flash-config.tar.gz" }

ops/restore-tests/check-restore-freshness.sh

@@ -89,6 +89,7 @@ check_pg_header() {
 }
 
 for dump in \
+  postgresql17-globals.sql \
   postgresql17-paperless.dump \
   postgresql17-mailarchiver.dump \
   mealie.dump \
@@ -96,6 +97,7 @@ for dump in \
   nextcloud.dump \
   gitea.sqlite.dump \
   vaultwarden.sqlite.dump \
+  n8n.sqlite.dump \
   speedtest-tracker.sqlite.dump \
   filebrowser.bolt.dump \
   unraid-flash-config.tar.gz; do