Route scanner output through writer, fix S3 error handling, improve error messages

Scanner now writes all user-facing output to an io.Writer (os.Stdout
when progress is enabled, io.Discard in --cron mode). This fixes the
long-standing issue where --cron still printed progress lines.

S3 HeadObject now properly distinguishes not-found from other errors
instead of swallowing all errors as not-found.

Config/CLI error messages include actionable hints (where to find the
config, how to generate keys, what storage options exist).

TODO.md

@@ -1,105 +1,44 @@
 # Vaultik 1.0 TODO
 
-Linear list of tasks to complete before 1.0 release.
+Remaining tasks before 1.0 release.
 
-## Rclone Storage Backend (Complete)
+## Must-fix
 
-Add rclone as a storage backend via Go library import, allowing vaultik to use any of rclone's 70+ supported cloud storage providers.
+1. Scanner uses bare `fmt.Printf` (bypasses `--cron` silence)
+   - Route all user-facing output through a writer gated by progress/cron flags
+   - Affects `internal/snapshot/scanner.go` (~24 bare print calls)
 
-**Configuration:**
-```yaml
-storage_url: "rclone://myremote/path/to/backups"
-```
-User must have rclone configured separately (via `rclone config`).
+1. S3 client error type checking
+   - `internal/s3/client.go:207` has a TODO for proper error type checking
 
-**Implementation Steps:**
-1. [x] Add rclone dependency to go.mod
-2. [x] Create `internal/storage/rclone.go` implementing `Storer` interface
-   - `NewRcloneStorer(remote, path)` - init with `configfile.Install()` and `fs.NewFs()`
-   - `Put` / `PutWithProgress` - use `operations.Rcat()`
-   - `Get` - use `fs.NewObject()` then `obj.Open()`
-   - `Stat` - use `fs.NewObject()` for size/metadata
-   - `Delete` - use `obj.Remove()`
-   - `List` / `ListStream` - use `operations.ListFn()`
-   - `Info` - return remote name
-3. [x] Update `internal/storage/url.go` - parse `rclone://remote/path` URLs
-4. [x] Update `internal/storage/module.go` - add rclone case to `storerFromURL()`
-5. [x] Test with real rclone remote
+1. Error message polish
+   - Add actionable suggestions for common failures (missing config, bad
+     storage URL, failed S3 auth, missing age key on restore/verify)
+   - Only `restore.go` currently has the "did you set VAULTIK_AGE_SECRET_KEY?" hint
 
-**Error Mapping:**
-- `fs.ErrorObjectNotFound` → `ErrNotFound`
-- `fs.ErrorDirNotFound` → `ErrNotFound`
-- `fs.ErrorNotFoundInConfigFile` → `ErrRemoteNotFound` (new)
+## Done
 
----
+- [x] Rclone storage backend
+- [x] Release process (goreleaser, CGO-free cross-compile, checksums)
+- [x] End-to-end integration test (backup → restore → verify → byte-compare)
+- [x] Restore integration tests
+- [x] `--prune` flag on `snapshot create` (per-name retention + orphan blob cleanup)
+- [x] Per-name purge retention (`--keep-latest` per snapshot name, `--snapshot` filter)
+- [x] CLI surface dedup (removed top-level `purge` and `verify` duplicates)
+- [x] Exit codes (create/restore now exit non-zero on failure)
+- [x] Deep verify implemented and wired up
+- [x] Shallow verify timestamp parsing fixed
+- [x] Daemon mode removed
+- [x] Makefile targets separated (`lint`/`test`/`fmt`/`check`)
+- [x] CGO eliminated (pure-Go SQLite via modernc.org/sqlite)
+- [x] Version set correctly in releases via goreleaser ldflags
 
-## CLI Polish (Priority)
-
-1. Improve error messages throughout
-   - Ensure all errors include actionable context
-   - Add suggestions for common issues (e.g., "did you set VAULTIK_AGE_SECRET_KEY?")
-
-## Security (Priority)
-
-1. Audit encryption implementation
-   - Verify age encryption is used correctly
-   - Ensure no plaintext leaks in logs or errors
-   - Verify blob hashes are computed correctly
-
-1. Secure memory handling for secrets
-   - Clear S3 credentials from memory after client init
-   - Document that age_secret_key is env-var only (already implemented)
-
-## Testing
-
-1. Write integration tests for restore command
-
-1. Write end-to-end integration test
-   - Create backup
-   - Verify backup
-   - Restore backup
-   - Compare restored files to originals
-
-1. Add tests for edge cases
-   - Empty directories
-   - Symlinks
-   - Special characters in filenames
-   - Very large files (multi-GB)
-   - Many small files (100k+)
-
-1. Add tests for error conditions
-   - Network failures during upload
-   - Disk full during restore
-   - Corrupted blobs
-   - Missing blobs
-
-## Performance
-
-1. Profile and optimize restore performance
-   - Parallel blob downloads
-   - Streaming decompression/decryption
-   - Efficient chunk reassembly
-
-1. Add bandwidth limiting option
-   - `--bwlimit` flag for upload/download speed limiting
-
-## Documentation
-
-1. Add man page or --help improvements
-   - Detailed help for each command
-   - Examples in help output
-
-## Final Polish
-
-1. Ensure version is set correctly in releases
-
-1. Create release process
-   - Binary releases for supported platforms
-   - Checksums for binaries
-   - Release notes template
-
-1. Final code review
-   - Remove debug statements
-   - Ensure consistent code style
+## Post-1.0
 
+1. Edge-case tests (empty dirs, symlinks, special chars, multi-GB files, 100k+ small files)
+1. Error-condition tests (network failures, disk full, corrupted/missing blobs)
+1. Parallel blob downloads during restore
+1. Bandwidth limiting (`--bwlimit`)
+1. Security audit of encryption (verify no plaintext leaks, correct hash computation)
+1. Man pages / richer `--help` examples
 1. Tag and release v1.0.0