Add custom types, version command, and restore --verify flag

- Add internal/types package with type-safe wrappers for IDs, hashes,
  paths, and credentials (FileID, BlobID, ChunkHash, etc.)
- Implement driver.Valuer and sql.Scanner for UUID-based types
- Add `vaultik version` command showing version, commit, go version
- Add `--verify` flag to restore command that checksums all restored
  files against expected chunk hashes with progress bar
- Remove fetch.go (dead code, functionality in restore)
- Clean up TODO.md, remove completed items
- Update all database and snapshot code to use new custom types

internal/config/config.go

@@ -4,9 +4,11 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"sort"
 	"strings"
 	"time"
 
+	"filippo.io/age"
 	"git.eeqj.de/sneak/smartconfig"
 	"github.com/adrg/xdg"
 	"go.uber.org/fx"
@@ -37,24 +39,62 @@ func expandTildeInURL(url string) string {
 	return url
 }
 
+// SnapshotConfig represents configuration for a named snapshot.
+// Each snapshot backs up one or more paths and can have its own exclude patterns
+// in addition to the global excludes.
+type SnapshotConfig struct {
+	Paths   []string `yaml:"paths"`
+	Exclude []string `yaml:"exclude"` // Additional excludes for this snapshot
+}
+
+// GetExcludes returns the combined exclude patterns for a named snapshot.
+// It merges global excludes with the snapshot-specific excludes.
+func (c *Config) GetExcludes(snapshotName string) []string {
+	snap, ok := c.Snapshots[snapshotName]
+	if !ok {
+		return c.Exclude
+	}
+
+	if len(snap.Exclude) == 0 {
+		return c.Exclude
+	}
+
+	// Combine global and snapshot-specific excludes
+	combined := make([]string, 0, len(c.Exclude)+len(snap.Exclude))
+	combined = append(combined, c.Exclude...)
+	combined = append(combined, snap.Exclude...)
+	return combined
+}
+
+// SnapshotNames returns the names of all configured snapshots in sorted order.
+func (c *Config) SnapshotNames() []string {
+	names := make([]string, 0, len(c.Snapshots))
+	for name := range c.Snapshots {
+		names = append(names, name)
+	}
+	// Sort for deterministic order
+	sort.Strings(names)
+	return names
+}
+
 // Config represents the application configuration for Vaultik.
 // It defines all settings for backup operations, including source directories,
 // encryption recipients, storage configuration, and performance tuning parameters.
 // Configuration is typically loaded from a YAML file.
 type Config struct {
-	AgeRecipients     []string      `yaml:"age_recipients"`
-	AgeSecretKey      string        `yaml:"age_secret_key"`
-	BackupInterval    time.Duration `yaml:"backup_interval"`
-	BlobSizeLimit     Size          `yaml:"blob_size_limit"`
-	ChunkSize         Size          `yaml:"chunk_size"`
-	Exclude           []string      `yaml:"exclude"`
-	FullScanInterval  time.Duration `yaml:"full_scan_interval"`
-	Hostname          string        `yaml:"hostname"`
-	IndexPath         string        `yaml:"index_path"`
-	MinTimeBetweenRun time.Duration `yaml:"min_time_between_run"`
-	S3                S3Config      `yaml:"s3"`
-	SourceDirs        []string      `yaml:"source_dirs"`
-	CompressionLevel  int           `yaml:"compression_level"`
+	AgeRecipients     []string                  `yaml:"age_recipients"`
+	AgeSecretKey      string                    `yaml:"age_secret_key"`
+	BackupInterval    time.Duration             `yaml:"backup_interval"`
+	BlobSizeLimit     Size                      `yaml:"blob_size_limit"`
+	ChunkSize         Size                      `yaml:"chunk_size"`
+	Exclude           []string                  `yaml:"exclude"` // Global excludes applied to all snapshots
+	FullScanInterval  time.Duration             `yaml:"full_scan_interval"`
+	Hostname          string                    `yaml:"hostname"`
+	IndexPath         string                    `yaml:"index_path"`
+	MinTimeBetweenRun time.Duration             `yaml:"min_time_between_run"`
+	S3                S3Config                  `yaml:"s3"`
+	Snapshots         map[string]SnapshotConfig `yaml:"snapshots"`
+	CompressionLevel  int                       `yaml:"compression_level"`
 
 	// StorageURL specifies the storage backend using a URL format.
 	// Takes precedence over S3Config if set.
@@ -137,8 +177,13 @@ func Load(path string) (*Config, error) {
 	// Expand tilde in all path fields
 	cfg.IndexPath = expandTilde(cfg.IndexPath)
 	cfg.StorageURL = expandTildeInURL(cfg.StorageURL)
-	for i, dir := range cfg.SourceDirs {
-		cfg.SourceDirs[i] = expandTilde(dir)
+
+	// Expand tildes in snapshot paths
+	for name, snap := range cfg.Snapshots {
+		for i, path := range snap.Paths {
+			snap.Paths[i] = expandTilde(path)
+		}
+		cfg.Snapshots[name] = snap
 	}
 
 	// Check for environment variable override for IndexPath
@@ -148,7 +193,7 @@ func Load(path string) (*Config, error) {
 
 	// Check for environment variable override for AgeSecretKey
 	if envAgeSecretKey := os.Getenv("VAULTIK_AGE_SECRET_KEY"); envAgeSecretKey != "" {
-		cfg.AgeSecretKey = envAgeSecretKey
+		cfg.AgeSecretKey = extractAgeSecretKey(envAgeSecretKey)
 	}
 
 	// Get hostname if not set
@@ -178,7 +223,7 @@ func Load(path string) (*Config, error) {
 // Validate checks if the configuration is valid and complete.
 // It ensures all required fields are present and have valid values:
 // - At least one age recipient must be specified
-// - At least one source directory must be configured
+// - At least one snapshot must be configured with at least one path
 // - Storage must be configured (either storage_url or s3.* fields)
 // - Chunk size must be at least 1MB
 // - Blob size limit must be at least the chunk size
@@ -189,8 +234,14 @@ func (c *Config) Validate() error {
 		return fmt.Errorf("at least one age_recipient is required")
 	}
 
-	if len(c.SourceDirs) == 0 {
-		return fmt.Errorf("at least one source directory is required")
+	if len(c.Snapshots) == 0 {
+		return fmt.Errorf("at least one snapshot must be configured")
+	}
+
+	for name, snap := range c.Snapshots {
+		if len(snap.Paths) == 0 {
+			return fmt.Errorf("snapshot %q must have at least one path", name)
+		}
 	}
 
 	// Validate storage configuration
@@ -257,6 +308,21 @@ func (c *Config) validateStorage() error {
 	return nil
 }
 
+// extractAgeSecretKey extracts the AGE-SECRET-KEY from the input using
+// the age library's parser, which handles comments and whitespace.
+func extractAgeSecretKey(input string) string {
+	identities, err := age.ParseIdentities(strings.NewReader(input))
+	if err != nil || len(identities) == 0 {
+		// Fall back to trimmed input if parsing fails
+		return strings.TrimSpace(input)
+	}
+	// Return the string representation of the first identity
+	if id, ok := identities[0].(*age.X25519Identity); ok {
+		return id.String()
+	}
+	return strings.TrimSpace(input)
+}
+
 // Module exports the config module for fx dependency injection.
 // It provides the Config type to other modules in the application.
 var Module = fx.Module("config",

internal/config/config_test.go

@@ -45,12 +45,21 @@ func TestConfigLoad(t *testing.T) {
 		t.Errorf("Expected first age recipient to be %s, got '%s'", TEST_SNEAK_AGE_PUBLIC_KEY, cfg.AgeRecipients[0])
 	}
 
-	if len(cfg.SourceDirs) != 2 {
-		t.Errorf("Expected 2 source dirs, got %d", len(cfg.SourceDirs))
+	if len(cfg.Snapshots) != 1 {
+		t.Errorf("Expected 1 snapshot, got %d", len(cfg.Snapshots))
 	}
 
-	if cfg.SourceDirs[0] != "/tmp/vaultik-test-source" {
-		t.Errorf("Expected first source dir to be '/tmp/vaultik-test-source', got '%s'", cfg.SourceDirs[0])
+	testSnap, ok := cfg.Snapshots["test"]
+	if !ok {
+		t.Fatal("Expected 'test' snapshot to exist")
+	}
+
+	if len(testSnap.Paths) != 2 {
+		t.Errorf("Expected 2 paths in test snapshot, got %d", len(testSnap.Paths))
+	}
+
+	if testSnap.Paths[0] != "/tmp/vaultik-test-source" {
+		t.Errorf("Expected first path to be '/tmp/vaultik-test-source', got '%s'", testSnap.Paths[0])
 	}
 
 	if cfg.S3.Bucket != "vaultik-test-bucket" {
@@ -74,3 +83,65 @@ func TestConfigFromEnv(t *testing.T) {
 		t.Errorf("Config file does not exist at path from VAULTIK_CONFIG: %s", configPath)
 	}
 }
+
+// TestExtractAgeSecretKey tests extraction of AGE-SECRET-KEY from various inputs
+func TestExtractAgeSecretKey(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    string
+		expected string
+	}{
+		{
+			name:     "plain key",
+			input:    "AGE-SECRET-KEY-19CR5YSFW59HM4TLD6GXVEDMZFTVVF7PPHKUT68TXSFPK7APHXA2QS2NJA5",
+			expected: "AGE-SECRET-KEY-19CR5YSFW59HM4TLD6GXVEDMZFTVVF7PPHKUT68TXSFPK7APHXA2QS2NJA5",
+		},
+		{
+			name:     "key with trailing newline",
+			input:    "AGE-SECRET-KEY-19CR5YSFW59HM4TLD6GXVEDMZFTVVF7PPHKUT68TXSFPK7APHXA2QS2NJA5\n",
+			expected: "AGE-SECRET-KEY-19CR5YSFW59HM4TLD6GXVEDMZFTVVF7PPHKUT68TXSFPK7APHXA2QS2NJA5",
+		},
+		{
+			name: "full age-keygen output",
+			input: `# created: 2025-01-14T12:00:00Z
+# public key: age1ezrjmfpwsc95svdg0y54mums3zevgzu0x0ecq2f7tp8a05gl0sjq9q9wjg
+AGE-SECRET-KEY-19CR5YSFW59HM4TLD6GXVEDMZFTVVF7PPHKUT68TXSFPK7APHXA2QS2NJA5
+`,
+			expected: "AGE-SECRET-KEY-19CR5YSFW59HM4TLD6GXVEDMZFTVVF7PPHKUT68TXSFPK7APHXA2QS2NJA5",
+		},
+		{
+			name: "age-keygen output with extra blank lines",
+			input: `# created: 2025-01-14T12:00:00Z
+# public key: age1ezrjmfpwsc95svdg0y54mums3zevgzu0x0ecq2f7tp8a05gl0sjq9q9wjg
+
+AGE-SECRET-KEY-19CR5YSFW59HM4TLD6GXVEDMZFTVVF7PPHKUT68TXSFPK7APHXA2QS2NJA5
+
+`,
+			expected: "AGE-SECRET-KEY-19CR5YSFW59HM4TLD6GXVEDMZFTVVF7PPHKUT68TXSFPK7APHXA2QS2NJA5",
+		},
+		{
+			name:     "key with leading whitespace",
+			input:    "  AGE-SECRET-KEY-19CR5YSFW59HM4TLD6GXVEDMZFTVVF7PPHKUT68TXSFPK7APHXA2QS2NJA5  ",
+			expected: "AGE-SECRET-KEY-19CR5YSFW59HM4TLD6GXVEDMZFTVVF7PPHKUT68TXSFPK7APHXA2QS2NJA5",
+		},
+		{
+			name:     "empty input",
+			input:    "",
+			expected: "",
+		},
+		{
+			name:     "only comments",
+			input:    "# this is a comment\n# another comment",
+			expected: "# this is a comment\n# another comment",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := extractAgeSecretKey(tt.input)
+			if result != tt.expected {
+				t.Errorf("extractAgeSecretKey(%q) = %q, want %q", tt.input, result, tt.expected)
+			}
+		})
+	}
+}