security: Implement HIGH priority security improvements

HIGH Priority Security Features:
- Path sanitization with filepath.Clean() for all user paths
- Path traversal attack prevention in backup/restore operations
- Secure config file permissions (0600 instead of 0644)
- SHA-256 checksum generation for all backup archives
- Checksum verification during restore operations
- Comprehensive audit logging for compliance

New Security Module (internal/security/):
- paths.go: ValidateBackupPath() and ValidateArchivePath()
- checksum.go: ChecksumFile(), VerifyChecksum(), LoadAndVerifyChecksum()
- audit.go: AuditLogger with structured event tracking

Integration Points:
- Backup engine: Path validation, checksum generation
- Restore engine: Path validation, checksum verification
- All backup/restore operations: Audit logging
- Configuration saves: Audit logging

Security Enhancements:
- .dbbackup.conf now created with 0600 permissions (owner-only)
- All archive files get .sha256 checksum files
- Restore warns if checksum verification fails but continues
- Audit events logged for all administrative operations
- User tracking via $USER/$USERNAME environment variables

Compliance Features:
- Audit trail for backups, restores, config changes
- Structured logging with timestamps, users, actions, results
- Event details include paths, sizes, durations, errors

Testing:
- All code compiles successfully
- Cross-platform build verified
- Ready for integration testing

internal/security/checksum.go

@@ -0,0 +1,91 @@
+package security
+
+import (
+	"crypto/sha256"
+	"encoding/hex"
+	"fmt"
+	"io"
+	"os"
+)
+
+// ChecksumFile calculates SHA-256 checksum of a file
+func ChecksumFile(path string) (string, error) {
+	file, err := os.Open(path)
+	if err != nil {
+		return "", fmt.Errorf("failed to open file: %w", err)
+	}
+	defer file.Close()
+
+	hash := sha256.New()
+	if _, err := io.Copy(hash, file); err != nil {
+		return "", fmt.Errorf("failed to calculate checksum: %w", err)
+	}
+
+	return hex.EncodeToString(hash.Sum(nil)), nil
+}
+
+// VerifyChecksum verifies a file's checksum against expected value
+func VerifyChecksum(path string, expectedChecksum string) error {
+	actualChecksum, err := ChecksumFile(path)
+	if err != nil {
+		return err
+	}
+
+	if actualChecksum != expectedChecksum {
+		return fmt.Errorf("checksum mismatch: expected %s, got %s", expectedChecksum, actualChecksum)
+	}
+
+	return nil
+}
+
+// SaveChecksum saves checksum to a .sha256 file alongside the archive
+func SaveChecksum(archivePath string, checksum string) error {
+	checksumPath := archivePath + ".sha256"
+	content := fmt.Sprintf("%s  %s\n", checksum, archivePath)
+	
+	if err := os.WriteFile(checksumPath, []byte(content), 0644); err != nil {
+		return fmt.Errorf("failed to save checksum: %w", err)
+	}
+
+	return nil
+}
+
+// LoadChecksum loads checksum from a .sha256 file
+func LoadChecksum(archivePath string) (string, error) {
+	checksumPath := archivePath + ".sha256"
+	
+	data, err := os.ReadFile(checksumPath)
+	if err != nil {
+		return "", fmt.Errorf("failed to read checksum file: %w", err)
+	}
+
+	// Parse "checksum  filename" format
+	parts := []byte{}
+	for i, b := range data {
+		if b == ' ' {
+			parts = data[:i]
+			break
+		}
+	}
+
+	if len(parts) == 0 {
+		return "", fmt.Errorf("invalid checksum file format")
+	}
+
+	return string(parts), nil
+}
+
+// LoadAndVerifyChecksum loads checksum from .sha256 file and verifies the archive
+// Returns nil if checksum file doesn't exist (optional verification)
+// Returns error if checksum file exists but verification fails
+func LoadAndVerifyChecksum(archivePath string) error {
+	expectedChecksum, err := LoadChecksum(archivePath)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return nil // Checksum file doesn't exist, skip verification
+		}
+		return err
+	}
+
+	return VerifyChecksum(archivePath, expectedChecksum)
+}