feat(T6/T7): supervizare worker (healthcheck+autoheal) + backup online + cheie partajata

T6 — worker supravegheat:
- app/worker/healthcheck.py: probe pe heartbeat-ul din DB (beat invechit -> exit 1).
  Prinde worker-ul agatat (proces viu, beat inghetat) pe care restart:always nu-l
  vede. Cablat ca healthcheck pe serviciul worker in compose.
- sidecar autoheal: restarteaza efectiv containerul unhealthy (compose simplu doar
  marcheaza, nu restarteaza la unhealthy).

T7 — deploy:
- tools/backup.py: backup ONLINE via Connection.backup (WAL nu se copiaza sigur cu
  cp); --keep N roteste snapshot-urile.
- .env.example documenteaza env-urile; volum persistent numit deja in compose.

Fix critic (split api/worker in 2 containere): AUTOPASS_CREDS_KEY trebuie PARTAJATA
api<->worker, altfel worker nu decripteaza creds-urile criptate de API -> submission
blocate. Acum impusa in compose (${...:?} -> fail explicit daca lipseste).
.gitignore: exceptie !.env.example.

5 teste noi (tests/test_deploy.py). 100 pass total.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

.env.example

@@ -0,0 +1,21 @@
+# Gateway RAR AUTOPASS — variabile de mediu (copiaza in .env; .env NU se comite).
+# Compose citeste .env automat. Prefix AUTOPASS_ pentru toate.
+
+# --- CRITIC: cheie criptare creds RAR (Fernet) ---
+# PARTAJATA intre api si worker (API cripteaza, worker decripteaza). Genereaza:
+#   python -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())"
+AUTOPASS_CREDS_KEY=
+
+# --- Auth API-key ---
+# true = orice /v1/* cere cheie valida (prod). false = dev (fara cheie -> cont id=1).
+AUTOPASS_REQUIRE_API_KEY=false
+
+# --- Worker ---
+# Send catre RAR. false = nu trimite (default, sigur pentru probe). true = end-to-end.
+AUTOPASS_WORKER_SEND_ENABLED=false
+# Dev: foloseste creds <test> din settings.xml cand submission-ul nu are creds criptate.
+AUTOPASS_WORKER_USE_TEST_CREDS=false
+
+# --- RAR ---
+# test | prod
+AUTOPASS_RAR_ENV=test