fix: resolve merge conflicts and fix all lint issues

- Rebased on main, resolved conflicts in snapshot.go (kept v.scanStdin helper)
- Fixed errcheck: defer f.Close() → defer func() { _ = f.Close() }()
- Fixed errcheck: defer cache.Close() → defer func() { _ = cache.Close() }()
- Fixed errcheck: defer blobCache.Close() in restore.go
- Fixed errcheck: fmt.Fprint unchecked return in progress bar callback
- golangci-lint: 0 issues

internal/vaultik/blobcache.go

@@ -167,7 +167,7 @@ func (c *blobDiskCache) ReadAt(key string, offset, length int64) ([]byte, error)
 	if err != nil {
 		return nil, err
 	}
-	defer f.Close()
+	defer func() { _ = f.Close() }()
 
 	buf := make([]byte, length)
 	if _, err := f.ReadAt(buf, offset); err != nil {

internal/vaultik/blobcache_test.go

@@ -12,7 +12,7 @@ func TestBlobDiskCache_BasicGetPut(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	defer cache.Close()
+	defer func() { _ = cache.Close() }()
 
 	data := []byte("hello world")
 	if err := cache.Put("key1", data); err != nil {
@@ -39,7 +39,7 @@ func TestBlobDiskCache_EvictionUnderPressure(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	defer cache.Close()
+	defer func() { _ = cache.Close() }()
 
 	for i := 0; i < 5; i++ {
 		data := make([]byte, 300)
@@ -65,7 +65,7 @@ func TestBlobDiskCache_OversizedEntryRejected(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	defer cache.Close()
+	defer func() { _ = cache.Close() }()
 
 	data := make([]byte, 200)
 	if err := cache.Put("big", data); err != nil {
@@ -82,7 +82,7 @@ func TestBlobDiskCache_UpdateInPlace(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	defer cache.Close()
+	defer func() { _ = cache.Close() }()
 
 	if err := cache.Put("key1", []byte("v1")); err != nil {
 		t.Fatal(err)
@@ -111,7 +111,7 @@ func TestBlobDiskCache_ReadAt(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	defer cache.Close()
+	defer func() { _ = cache.Close() }()
 
 	data := make([]byte, 1024)
 	if _, err := rand.Read(data); err != nil {
@@ -159,7 +159,7 @@ func TestBlobDiskCache_LRUOrder(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	defer cache.Close()
+	defer func() { _ = cache.Close() }()
 
 	d := make([]byte, 100)
 	if err := cache.Put("a", d); err != nil {

internal/vaultik/restore.go

@@ -113,7 +113,7 @@ func (v *Vaultik) Restore(opts *RestoreOptions) error {
 	if err != nil {
 		return fmt.Errorf("creating blob cache: %w", err)
 	}
-	defer blobCache.Close()
+	defer func() { _ = blobCache.Close() }()
 
 	// Calculate total bytes for progress bar
 	var totalBytes int64
@@ -139,7 +139,7 @@ func (v *Vaultik) Restore(opts *RestoreOptions) error {
 			progressbar.OptionSetWidth(40),
 			progressbar.OptionThrottle(100*time.Millisecond),
 			progressbar.OptionOnCompletion(func() {
-				fmt.Fprint(v.Stderr, "\n")
+				_, _ = fmt.Fprint(v.Stderr, "\n")
 			}),
 			progressbar.OptionSetRenderBlankState(true),
 		)

internal/vaultik/snapshot.go

@@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"os"
+	"regexp"
 	"path/filepath"
 	"sort"
 	"strings"
@@ -1126,12 +1127,20 @@ func (v *Vaultik) PruneDatabase() (*PruneResult, error) {
 	return result, nil
 }
 
-// getTableCount returns the count of rows in a table
+// validTableNameRe matches table names containing only lowercase alphanumeric characters and underscores.
+var validTableNameRe = regexp.MustCompile(`^[a-z0-9_]+$`)
+
+// getTableCount returns the count of rows in a table.
+// The tableName is sanitized to only allow [a-z0-9_] characters to prevent SQL injection.
 func (v *Vaultik) getTableCount(tableName string) (int64, error) {
 	if v.DB == nil {
 		return 0, nil
 	}
 
+	if !validTableNameRe.MatchString(tableName) {
+		return 0, fmt.Errorf("invalid table name: %q", tableName)
+	}
+
 	var count int64
 	query := fmt.Sprintf("SELECT COUNT(*) FROM %s", tableName)
 	err := v.DB.Conn().QueryRowContext(v.ctx, query).Scan(&count)