fix: migration atomicity + deploy hardening + Litestream R2

Migration atomicity:
- Remove conn.commit() and executescript() from all up() functions (0000,
  0011, 0012, 0013, 0014, 0015); executescript() issued implicit COMMITs
  which broke the batch-rollback guarantee of the migration runner
- Rewrite 0000 with individual conn.execute() calls (was a single
  executescript block)

Deploy hardening:
- Add pre-migration DB backup step to deploy.sh: saves
  app.db.pre-deploy-<timestamp> in the volume before every migration
- On health-check failure: restore the backup, then stop + exit
- On success: clean up old backups (keep last 3)

Litestream:
- Enable R2 as primary replica in litestream.yml (env-var placeholders)
- Add local /app/data/backups as secondary replica
- docker-compose: add auto-restore on empty volume (sh entrypoint runs
  'litestream restore' before 'litestream replicate' if app.db missing)
- Add LITESTREAM_R2_* vars to .gitlab-ci.yml .env block and .env.example

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

docker-compose.prod.yml

@@ -18,7 +18,19 @@ services:
   litestream:
     image: litestream/litestream:latest
     restart: unless-stopped
-    command: replicate -config /etc/litestream.yml
+    # Auto-restore from R2 if DB file is missing, then start continuous replication.
+    # Handles: new server, deleted volume, disaster recovery.
+    entrypoint: /bin/sh
+    command:
+      - -c
+      - |
+        if [ ! -f /app/data/app.db ]; then
+          echo "==> No database found, restoring from R2..."
+          litestream restore -config /etc/litestream.yml /app/data/app.db \
+            || echo "==> No backup found, starting fresh"
+        fi
+        exec litestream replicate -config /etc/litestream.yml
+    env_file: ./padelnomics/.env
     volumes:
       - app-data:/app/data
       - ./padelnomics/litestream.yml:/etc/litestream.yml:ro