Add --quiet flag, --json output, and config permission check

- Add global --quiet/-q flag to suppress non-error output
- Add --json flag to verify, snapshot rm, and prune commands
- Add config file permission check (warns if world/group readable)
- Update TODO.md to remove completed items

TODO.md

@@ -2,48 +2,27 @@
 
 Linear list of tasks to complete before 1.0 release.
 
-## Restore Command
-
-1. Write integration tests for restore command
-
-## Daemon Mode
-
-1. Implement inotify file watcher for Linux
-   - Watch source directories for changes
-   - Track dirty paths in memory
-
-1. Implement FSEvents watcher for macOS
-   - Watch source directories for changes
-   - Track dirty paths in memory
-
-1. Implement backup scheduler in daemon mode
-   - Respect backup_interval config
-   - Trigger backup when dirty paths exist and interval elapsed
-   - Implement full_scan_interval for periodic full scans
-
-1. Add proper signal handling for daemon
-   - Graceful shutdown on SIGTERM/SIGINT
-   - Complete in-progress backup before exit
-
-1. Write tests for daemon mode
-
-## CLI Polish
-
-1. Add `--quiet` flag to all commands
-   - Suppress non-error output
-   - Useful for scripting
-
-1. Add `--json` output flag to more commands
-   - `snapshot verify` - output verification results as JSON
-   - `snapshot remove` - output deletion stats as JSON
-   - `prune` - output pruning stats as JSON
+## CLI Polish (Priority)
 
 1. Improve error messages throughout
    - Ensure all errors include actionable context
-   - Add suggestions for common issues
+   - Add suggestions for common issues (e.g., "did you set VAULTIK_AGE_SECRET_KEY?")
+
+## Security (Priority)
+
+1. Audit encryption implementation
+   - Verify age encryption is used correctly
+   - Ensure no plaintext leaks in logs or errors
+   - Verify blob hashes are computed correctly
+
+1. Secure memory handling for secrets
+   - Clear S3 credentials from memory after client init
+   - Document that age_secret_key is env-var only (already implemented)
 
 ## Testing
 
+1. Write integration tests for restore command
+
 1. Write end-to-end integration test
    - Create backup
    - Verify backup
@@ -63,12 +42,6 @@ Linear list of tasks to complete before 1.0 release.
    - Corrupted blobs
    - Missing blobs
 
-## Documentation
-
-1. Add man page or --help improvements
-   - Detailed help for each command
-   - Examples in help output
-
 ## Performance
 
 1. Profile and optimize restore performance
@@ -79,17 +52,11 @@ Linear list of tasks to complete before 1.0 release.
 1. Add bandwidth limiting option
    - `--bwlimit` flag for upload/download speed limiting
 
-## Security
+## Documentation
 
-1. Audit encryption implementation
-   - Verify age encryption is used correctly
-   - Ensure no plaintext leaks in logs or errors
-
-1. Add config file permission check
-   - Warn if config file is world-readable (contains secrets)
-
-1. Secure memory handling for secrets
-   - Clear age_secret_key from memory after use
+1. Add man page or --help improvements
+   - Detailed help for each command
+   - Examples in help output
 
 ## Final Polish
 
@@ -105,3 +72,26 @@ Linear list of tasks to complete before 1.0 release.
    - Ensure consistent code style
 
 1. Tag and release v1.0.0
+
+---
+
+## Post-1.0 (Daemon Mode)
+
+1. Implement inotify file watcher for Linux
+   - Watch source directories for changes
+   - Track dirty paths in memory
+
+1. Implement FSEvents watcher for macOS
+   - Watch source directories for changes
+   - Track dirty paths in memory
+
+1. Implement backup scheduler in daemon mode
+   - Respect backup_interval config
+   - Trigger backup when dirty paths exist and interval elapsed
+   - Implement full_scan_interval for periodic full scans
+
+1. Add proper signal handling for daemon
+   - Graceful shutdown on SIGTERM/SIGINT
+   - Complete in-progress backup before exit
+
+1. Write tests for daemon mode