Refactor: Move Vaultik struct and methods to internal/vaultik package

- Created new internal/vaultik package with unified Vaultik struct
- Moved all command methods (snapshot, info, prune, verify) from CLI to vaultik package
- Implemented single constructor that handles crypto capabilities automatically
- Added CanDecrypt() method to check if decryption is available
- Updated all CLI commands to use the new vaultik.Vaultik struct
- Removed old fragmented App structs and WithCrypto wrapper
- Fixed context management - Vaultik now owns its context lifecycle
- Cleaned up package imports and dependencies

This creates a cleaner separation between CLI/Cobra code and business logic,
with all vaultik operations now centralized in the internal/vaultik package.

TODO-verify.md

@@ -0,0 +1,86 @@
+# TODO: Implement Verify Command
+
+## Overview
+Implement the `verify` command to check snapshot integrity. Both shallow and deep verification require the age_secret_key from config to decrypt the database index.
+
+## Implementation Steps
+
+### 1. Update Config Structure
+- Add `AgeSecretKey string` field to the Config struct in `internal/config/config.go`
+- Add corresponding `age_secret_key` YAML tag
+- Ensure the field is properly loaded from config file
+
+### 2. Remove Command Line Flags
+- Remove --bucket, --prefix, and --snapshot flags from:
+  - `internal/cli/verify.go`
+  - `internal/cli/restore.go` 
+  - `internal/cli/fetch.go`
+- Update all commands to use bucket/prefix from config instead of flags
+- Update verify command to take snapshot ID as first positional argument
+
+### 3. Implement Shallow Verification
+**Requires age_secret_key from config**
+
+1. Download from S3:
+   - `metadata/{snapshot-id}/manifest.json.zst` 
+   - `metadata/{snapshot-id}/db.zst.age`
+
+2. Process files:
+   - Decompress manifest (not encrypted)
+   - Decrypt db.zst.age using age_secret_key
+   - Decompress decrypted database
+   - Load SQLite database from dump
+
+3. Verify integrity:
+   - Query snapshot_blobs table for all blobs in this snapshot
+   - Compare DB blob list against manifest blob list
+   - **FAIL IMMEDIATELY** if lists don't match exactly
+   
+4. For each blob in manifest:
+   - Use S3 HeadObject to check existence
+   - **FAIL IMMEDIATELY** if blob is missing
+   - Verify blob hash matches filename
+   - **FAIL IMMEDIATELY** if hash mismatch
+
+5. Only report success if ALL checks pass
+
+### 4. Implement Deep Verification  
+**Requires age_secret_key from config**
+
+1. Run all shallow verification first (fail on any error)
+
+2. For each blob referenced in snapshot:
+   - Download blob from S3
+   - Decrypt using age_secret_key (streaming)
+   - Decompress (streaming)
+   - Parse blob structure to extract chunks
+
+3. For each chunk in blob:
+   - Calculate SHA256 of chunk data
+   - Query database for expected chunk hash
+   - **FAIL IMMEDIATELY** if calculated != expected
+   - Verify chunks are ordered correctly by offset
+   - **FAIL IMMEDIATELY** if chunks out of order
+
+4. Progress reporting:
+   - Show blob-by-blob progress
+   - Show chunk verification within each blob
+   - But continue only if no errors
+
+5. Only report success if ALL blobs and ALL chunks verify
+
+### 5. Error Handling
+
+- **FAIL IMMEDIATELY** if age_secret_key missing from config
+- **FAIL IMMEDIATELY** on decryption failure
+- **FAIL IMMEDIATELY** on any verification mismatch
+- Use log.Fatal() or return error to ensure non-zero exit code
+- Provide clear error messages indicating exactly what failed
+
+## Success Criteria
+
+- Verify command exits with code 0 only if ALL checks pass
+- Any failure results in non-zero exit code
+- Clear error messages for each failure type
+- Progress reporting during verification
+- Works with remote-only snapshots (not in local DB)