feat: add `ruborg validate repo --repair` for passphrase-injected borg check --repair

[mpantel]

Background

On 2026-05-14, a ruborg backup run was interrupted, leaving a stale lock and three corrupted segments in the Borg repository. Repairing required dropping out of ruborg entirely and running bare borg check --repair, which cannot fetch the passphrase from Passbolt automatically.

The workaround was fragile:

echo YES | BORG_PASSPHRASE=$(passbolt get resource --id <uuid> --json | \
  python3 -c "import sys,json; print(json.load(sys.stdin).get('password',''))") \
  borg check --repair /mnt/borg-repo

Requested Feature

Add a --repair flag to ruborg validate repo so that repairs can be performed without leaving ruborg:

ruborg validate repo -r myrepo --repair --yes

This should:

1. Fetch the passphrase from Passbolt (same as all other ruborg commands).
2. Run borg check --repair with automatic YES confirmation (via --yes flag).
3. Log the outcome (corrupted segments, affected archives) to the ruborg log file.
4. Require an explicit --yes flag to acknowledge the potential data loss of repair.

Additional Notes

• borg check --repair may delete corrupted archives — the --yes guard prevents accidental use.
• With retention_mode: per_file, blast radius per corrupted segment is minimal (at most one archive), but the command should report affected archives after repair.
• A follow-up improvement: if ruborg backup detects a stale lock, break it automatically and warn rather than waiting 300 s and failing.