Refactor: Move Vaultik struct and methods to internal/vaultik package

- Created new internal/vaultik package with unified Vaultik struct
- Moved all command methods (snapshot, info, prune, verify) from CLI to vaultik package
- Implemented single constructor that handles crypto capabilities automatically
- Added CanDecrypt() method to check if decryption is available
- Updated all CLI commands to use the new vaultik.Vaultik struct
- Removed old fragmented App structs and WithCrypto wrapper
- Fixed context management - Vaultik now owns its context lifecycle
- Cleaned up package imports and dependencies

This creates a cleaner separation between CLI/Cobra code and business logic,
with all vaultik operations now centralized in the internal/vaultik package.

internal/cli/verify.go

@@ -2,85 +2,93 @@ package cli
 
 import (
 	"context"
-	"fmt"
 	"os"
 
-	"git.eeqj.de/sneak/vaultik/internal/globals"
+	"git.eeqj.de/sneak/vaultik/internal/log"
+	"git.eeqj.de/sneak/vaultik/internal/vaultik"
 	"github.com/spf13/cobra"
 	"go.uber.org/fx"
 )
 
-// VerifyOptions contains options for the verify command
-type VerifyOptions struct {
-	Bucket     string
-	Prefix     string
-	SnapshotID string
-	Quick      bool
-}
-
 // NewVerifyCommand creates the verify command
 func NewVerifyCommand() *cobra.Command {
-	opts := &VerifyOptions{}
+	opts := &vaultik.VerifyOptions{}
 
 	cmd := &cobra.Command{
-		Use:   "verify",
-		Short: "Verify backup integrity",
-		Long:  `Check that all referenced blobs exist and verify metadata integrity`,
-		Args:  cobra.NoArgs,
+		Use:   "verify <snapshot-id>",
+		Short: "Verify snapshot integrity",
+		Long: `Verifies that all blobs referenced in a snapshot exist and optionally verifies their contents.
+
+Shallow verification (default):
+- Downloads and decompresses manifest
+- Checks existence of all blobs in S3
+- Reports missing blobs
+
+Deep verification (--deep):
+- Downloads and decrypts database
+- Verifies blob lists match between manifest and database
+- Downloads, decrypts, and decompresses each blob
+- Verifies SHA256 hash of each chunk matches database
+- Ensures chunks are ordered correctly
+
+The command will fail immediately on any verification error and exit with non-zero status.`,
+		Args: cobra.ExactArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
-			// Validate required flags
-			if opts.Bucket == "" {
-				return fmt.Errorf("--bucket is required")
+			snapshotID := args[0]
+
+			// Use unified config resolution
+			configPath, err := ResolveConfigPath()
+			if err != nil {
+				return err
 			}
-			if opts.Prefix == "" {
-				return fmt.Errorf("--prefix is required")
-			}
-			return runVerify(cmd.Context(), opts)
+
+			// Use the app framework for all verification
+			rootFlags := GetRootFlags()
+			return RunWithApp(cmd.Context(), AppOptions{
+				ConfigPath: configPath,
+				LogOptions: log.LogOptions{
+					Verbose: rootFlags.Verbose,
+					Debug:   rootFlags.Debug,
+				},
+				Modules: []fx.Option{},
+				Invokes: []fx.Option{
+					fx.Invoke(func(v *vaultik.Vaultik, lc fx.Lifecycle) {
+						lc.Append(fx.Hook{
+							OnStart: func(ctx context.Context) error {
+								// Run the verify operation directly
+								go func() {
+									var err error
+									if opts.Deep {
+										err = v.RunDeepVerify(snapshotID, opts)
+									} else {
+										err = v.VerifySnapshot(snapshotID, false)
+									}
+
+									if err != nil {
+										if err != context.Canceled {
+											log.Error("Verification failed", "error", err)
+											os.Exit(1)
+										}
+									}
+									if err := v.Shutdowner.Shutdown(); err != nil {
+										log.Error("Failed to shutdown", "error", err)
+									}
+								}()
+								return nil
+							},
+							OnStop: func(ctx context.Context) error {
+								log.Debug("Stopping verify operation")
+								v.Cancel()
+								return nil
+							},
+						})
+					}),
+				},
+			})
 		},
 	}
 
-	cmd.Flags().StringVar(&opts.Bucket, "bucket", "", "S3 bucket name")
-	cmd.Flags().StringVar(&opts.Prefix, "prefix", "", "S3 prefix")
-	cmd.Flags().StringVar(&opts.SnapshotID, "snapshot", "", "Snapshot ID to verify (optional, defaults to latest)")
-	cmd.Flags().BoolVar(&opts.Quick, "quick", false, "Perform quick verification by checking blob existence and S3 content hashes without downloading")
+	cmd.Flags().BoolVar(&opts.Deep, "deep", false, "Perform deep verification by downloading and verifying all blob contents")
 
 	return cmd
 }
-
-func runVerify(ctx context.Context, opts *VerifyOptions) error {
-	if os.Getenv("VAULTIK_PRIVATE_KEY") == "" {
-		return fmt.Errorf("VAULTIK_PRIVATE_KEY environment variable must be set")
-	}
-
-	app := fx.New(
-		fx.Supply(opts),
-		fx.Provide(globals.New),
-		// Additional modules will be added here
-		fx.Invoke(func(g *globals.Globals) error {
-			// TODO: Implement verify logic
-			if opts.SnapshotID == "" {
-				fmt.Printf("Verifying latest snapshot in bucket %s with prefix %s\n", opts.Bucket, opts.Prefix)
-			} else {
-				fmt.Printf("Verifying snapshot %s in bucket %s with prefix %s\n", opts.SnapshotID, opts.Bucket, opts.Prefix)
-			}
-			if opts.Quick {
-				fmt.Println("Performing quick verification")
-			} else {
-				fmt.Println("Performing deep verification")
-			}
-			return nil
-		}),
-		fx.NopLogger,
-	)
-
-	if err := app.Start(ctx); err != nil {
-		return fmt.Errorf("failed to start verify: %w", err)
-	}
-	defer func() {
-		if err := app.Stop(ctx); err != nil {
-			fmt.Printf("error stopping app: %v\n", err)
-		}
-	}()
-
-	return nil
-}