Merge branch 'main' into fix/sql-injection-whitelist

Replace regex-based validation with a strict whitelist of allowed table
names (files, chunks, blobs). The whitelist check now runs before the
nil-DB early return so invalid names are always rejected.

Removes unused regexp import.

.dockerignore

@@ -1,8 +0,0 @@
-.git
-.gitea
-*.md
-LICENSE
-vaultik
-coverage.out
-coverage.html
-.DS_Store

.gitea/workflows/check.yml

@@ -1,14 +0,0 @@
-name: check
-on:
-  push:
-    branches: [main]
-  pull_request:
-    branches: [main]
-jobs:
-  check:
-    runs-on: ubuntu-latest
-    steps:
-      # actions/checkout v4, 2024-09-16
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
-      - name: Build and check
-        run: docker build .

Dockerfile

@@ -1,61 +0,0 @@
-# Lint stage
-# golangci/golangci-lint:v2.11.3-alpine, 2026-03-17
-FROM golangci/golangci-lint:v2.11.3-alpine@sha256:b1c3de5862ad0a95b4e45a993b0f00415835d687e4f12c845c7493b86c13414e AS lint
-
-RUN apk add --no-cache make build-base
-
-WORKDIR /src
-
-# Copy go mod files first for better layer caching
-COPY go.mod go.sum ./
-RUN go mod download
-
-# Copy source code
-COPY . .
-
-# Run formatting check and linter
-RUN make fmt-check
-RUN make lint
-
-# Build stage
-# golang:1.26.1-alpine, 2026-03-17
-FROM golang:1.26.1-alpine@sha256:2389ebfa5b7f43eeafbd6be0c3700cc46690ef842ad962f6c5bd6be49ed82039 AS builder
-
-# Depend on lint stage passing
-COPY --from=lint /src/go.sum /dev/null
-
-ARG VERSION=dev
-
-# Install build dependencies for CGO (mattn/go-sqlite3) and sqlite3 CLI (tests)
-RUN apk add --no-cache make build-base sqlite
-
-WORKDIR /src
-
-# Copy go mod files first for better layer caching
-COPY go.mod go.sum ./
-RUN go mod download
-
-# Copy source code
-COPY . .
-
-# Run tests
-RUN make test
-
-# Build with CGO enabled (required for mattn/go-sqlite3)
-RUN CGO_ENABLED=1 go build -ldflags "-X 'git.eeqj.de/sneak/vaultik/internal/globals.Version=${VERSION}' -X 'git.eeqj.de/sneak/vaultik/internal/globals.Commit=$(git rev-parse HEAD 2>/dev/null || echo unknown)'" -o /vaultik ./cmd/vaultik
-
-# Runtime stage
-# alpine:3.21, 2026-02-25
-FROM alpine:3.21@sha256:c3f8e73fdb79deaebaa2037150150191b9dcbfba68b4a46d70103204c53f4709
-
-RUN apk add --no-cache ca-certificates sqlite
-
-# Copy binary from builder
-COPY --from=builder /vaultik /usr/local/bin/vaultik
-
-# Create non-root user
-RUN adduser -D -H -s /sbin/nologin vaultik
-
-USER vaultik
-
-ENTRYPOINT ["/usr/local/bin/vaultik"]

Makefile

@@ -1,4 +1,4 @@
-.PHONY: test fmt lint fmt-check check build clean all docker hooks
+.PHONY: test fmt lint build clean all
 
 # Version number
 VERSION := 0.0.1
@@ -14,12 +14,21 @@ LDFLAGS := -X 'git.eeqj.de/sneak/vaultik/internal/globals.Version=$(VERSION)' \
 all: vaultik
 
 # Run tests
-test:
-	go test -race -timeout 30s ./...
+test: lint fmt-check
+	@echo "Running tests..."
+	@if ! go test -v -timeout 10s ./... 2>&1; then \
+		echo ""; \
+		echo "TEST FAILURES DETECTED"; \
+		echo "Run 'go test -v ./internal/database' to see database test details"; \
+		exit 1; \
+	fi
 
-# Check if code is formatted (read-only)
+# Check if code is formatted
 fmt-check:
-	@test -z "$$(gofmt -l .)" || (echo "Files not formatted:" && gofmt -l . && exit 1)
+	@if [ -n "$$(go fmt ./...)" ]; then \
+		echo "Error: Code is not formatted. Run 'make fmt' to fix."; \
+		exit 1; \
+	fi
 
 # Format code
 fmt:
@@ -27,7 +36,7 @@ fmt:
 
 # Run linter
 lint:
-	golangci-lint run ./...
+	golangci-lint run
 
 # Build binary
 vaultik: internal/*/*.go cmd/vaultik/*.go
@@ -38,6 +47,11 @@ clean:
 	rm -f vaultik
 	go clean
 
+# Install dependencies
+deps:
+	go mod download
+	go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest
+
 # Run tests with coverage
 test-coverage:
 	go test -v -coverprofile=coverage.out ./...
@@ -53,17 +67,3 @@ local:
 
 install: vaultik
 	cp ./vaultik $(HOME)/bin/
-
-# Run all checks (formatting, linting, tests) without modifying files
-check: fmt-check lint test
-
-# Build Docker image
-docker:
-	docker build -t vaultik .
-
-# Install pre-commit hook
-hooks:
-	@printf '#!/bin/sh\nset -e\n' > .git/hooks/pre-commit
-	@printf 'go mod tidy\ngo fmt ./...\ngit diff --exit-code -- go.mod go.sum || { echo "go mod tidy changed files; please stage and retry"; exit 1; }\n' >> .git/hooks/pre-commit
-	@printf 'make check\n' >> .git/hooks/pre-commit
-	@chmod +x .git/hooks/pre-commit

go.mod

@@ -1,6 +1,6 @@
 module git.eeqj.de/sneak/vaultik
 
-go 1.26.1
+go 1.24.4
 
 require (
 	filippo.io/age v1.2.1
@@ -24,7 +24,6 @@ require (
 	github.com/spf13/cobra v1.10.1
 	github.com/stretchr/testify v1.11.1
 	go.uber.org/fx v1.24.0
-	golang.org/x/sync v0.18.0
 	golang.org/x/term v0.37.0
 	gopkg.in/yaml.v3 v3.0.1
 	modernc.org/sqlite v1.38.0
@@ -267,6 +266,7 @@ require (
 	golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 // indirect
 	golang.org/x/net v0.47.0 // indirect
 	golang.org/x/oauth2 v0.33.0 // indirect
+	golang.org/x/sync v0.18.0 // indirect
 	golang.org/x/sys v0.38.0 // indirect
 	golang.org/x/text v0.31.0 // indirect
 	golang.org/x/time v0.14.0 // indirect

internal/vaultik/restore.go

@@ -22,13 +22,6 @@ import (
 	"golang.org/x/term"
 )
 
-const (
-	// progressBarWidth is the character width of the progress bar display.
-	progressBarWidth = 40
-	// progressBarThrottle is the minimum interval between progress bar redraws.
-	progressBarThrottle = 100 * time.Millisecond
-)
-
 // RestoreOptions contains options for the restore operation
 type RestoreOptions struct {
 	SnapshotID string
@@ -122,15 +115,6 @@ func (v *Vaultik) Restore(opts *RestoreOptions) error {
 	}
 	defer func() { _ = blobCache.Close() }()
 
-	// Calculate total bytes for progress bar
-	var totalBytesExpected int64
-	for _, file := range files {
-		totalBytesExpected += file.Size
-	}
-
-	// Create progress bar if output is a terminal
-	bar := v.newProgressBar("Restoring", totalBytesExpected)
-
 	for i, file := range files {
 		if v.ctx.Err() != nil {
 			return v.ctx.Err()
@@ -138,21 +122,11 @@ func (v *Vaultik) Restore(opts *RestoreOptions) error {
 
 		if err := v.restoreFile(v.ctx, repos, file, opts.TargetDir, identity, chunkToBlobMap, blobCache, result); err != nil {
 			log.Error("Failed to restore file", "path", file.Path, "error", err)
-			result.FilesFailed++
-			result.FailedFiles = append(result.FailedFiles, file.Path.String())
-			// Update progress bar even on failure
-			if bar != nil {
-				_ = bar.Add64(file.Size)
-			}
+			// Continue with other files
 			continue
 		}
 
-		// Update progress bar
-		if bar != nil {
-			_ = bar.Add64(file.Size)
-		}
-
-		// Progress logging (for non-terminal or structured logs)
+		// Progress logging
 		if (i+1)%100 == 0 || i+1 == len(files) {
 			log.Info("Restore progress",
 				"files", fmt.Sprintf("%d/%d", i+1, len(files)),
@@ -161,10 +135,6 @@ func (v *Vaultik) Restore(opts *RestoreOptions) error {
 		}
 	}
 
-	if bar != nil {
-		_ = bar.Finish()
-	}
-
 	result.Duration = time.Since(startTime)
 
 	log.Info("Restore complete",
@@ -181,13 +151,6 @@ func (v *Vaultik) Restore(opts *RestoreOptions) error {
 		result.Duration.Round(time.Second),
 	)
 
-	if result.FilesFailed > 0 {
-		_, _ = fmt.Fprintf(v.Stdout, "\nWARNING: %d file(s) failed to restore:\n", result.FilesFailed)
-		for _, path := range result.FailedFiles {
-			_, _ = fmt.Fprintf(v.Stdout, "  - %s\n", path)
-		}
-	}
-
 	// Run verification if requested
 	if opts.Verify {
 		if err := v.verifyRestoredFiles(v.ctx, repos, files, opts.TargetDir, result); err != nil {
@@ -208,10 +171,6 @@ func (v *Vaultik) Restore(opts *RestoreOptions) error {
 		)
 	}
 
-	if result.FilesFailed > 0 {
-		return fmt.Errorf("%d file(s) failed to restore", result.FilesFailed)
-	}
-
 	return nil
 }
 
@@ -564,7 +523,22 @@ func (v *Vaultik) verifyRestoredFiles(
 	)
 
 	// Create progress bar if output is a terminal
-	bar := v.newProgressBar("Verifying", totalBytes)
+	var bar *progressbar.ProgressBar
+	if isTerminal() {
+		bar = progressbar.NewOptions64(
+			totalBytes,
+			progressbar.OptionSetDescription("Verifying"),
+			progressbar.OptionSetWriter(v.Stderr),
+			progressbar.OptionShowBytes(true),
+			progressbar.OptionShowCount(),
+			progressbar.OptionSetWidth(40),
+			progressbar.OptionThrottle(100*time.Millisecond),
+			progressbar.OptionOnCompletion(func() {
+				v.printfStderr("\n")
+			}),
+			progressbar.OptionSetRenderBlankState(true),
+		)
+	}
 
 	// Verify each file
 	for _, file := range regularFiles {
@@ -658,37 +632,7 @@ func (v *Vaultik) verifyFile(
 	return bytesVerified, nil
 }
 
-// newProgressBar creates a terminal-aware progress bar with standard options.
-// It returns nil if stdout is not a terminal.
-func (v *Vaultik) newProgressBar(description string, total int64) *progressbar.ProgressBar {
-	if !v.isTerminal() {
-		return nil
-	}
-	return progressbar.NewOptions64(
-		total,
-		progressbar.OptionSetDescription(description),
-		progressbar.OptionSetWriter(v.Stderr),
-		progressbar.OptionShowBytes(true),
-		progressbar.OptionShowCount(),
-		progressbar.OptionSetWidth(progressBarWidth),
-		progressbar.OptionThrottle(progressBarThrottle),
-		progressbar.OptionOnCompletion(func() {
-			v.printfStderr("\n")
-		}),
-		progressbar.OptionSetRenderBlankState(true),
-	)
-}
-
-// isTerminal returns true if stdout is a terminal.
-// It checks whether v.Stdout implements Fd() (i.e. is an *os.File),
-// and falls back to false for non-file writers (e.g. in tests).
-func (v *Vaultik) isTerminal() bool {
-	type fder interface {
-		Fd() uintptr
-	}
-	f, ok := v.Stdout.(fder)
-	if !ok {
-		return false
-	}
-	return term.IsTerminal(int(f.Fd()))
+// isTerminal returns true if stdout is a terminal
+func isTerminal() bool {
+	return term.IsTerminal(int(os.Stdout.Fd()))
 }

internal/vaultik/snapshot.go

@@ -5,10 +5,8 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
-	"regexp"
 	"sort"
 	"strings"
-	"sync"
 	"text/tabwriter"
 	"time"
 
@@ -17,7 +15,6 @@ import (
 	"git.eeqj.de/sneak/vaultik/internal/snapshot"
 	"git.eeqj.de/sneak/vaultik/internal/types"
 	"github.com/dustin/go-humanize"
-	"golang.org/x/sync/errgroup"
 )
 
 // SnapshotCreateOptions contains options for the snapshot create command
@@ -92,24 +89,6 @@ func (v *Vaultik) CreateSnapshot(opts *SnapshotCreateOptions) error {
 		v.printfStdout("\nAll %d snapshots completed in %s\n", len(snapshotNames), time.Since(overallStartTime).Round(time.Second))
 	}
 
-	// Prune old snapshots and unreferenced blobs if --prune was specified
-	if opts.Prune {
-		log.Info("Pruning enabled - deleting old snapshots and unreferenced blobs")
-		v.printlnStdout("\nPruning old snapshots (keeping latest)...")
-
-		if err := v.PurgeSnapshots(true, "", true); err != nil {
-			return fmt.Errorf("prune: purging old snapshots: %w", err)
-		}
-
-		v.printlnStdout("Pruning unreferenced blobs...")
-
-		if err := v.PruneBlobs(&PruneOptions{Force: true}); err != nil {
-			return fmt.Errorf("prune: removing unreferenced blobs: %w", err)
-		}
-
-		log.Info("Pruning complete")
-	}
-
 	return nil
 }
 
@@ -326,6 +305,11 @@ func (v *Vaultik) createNamedSnapshot(opts *SnapshotCreateOptions, hostname, sna
 	}
 	v.printfStdout("Duration: %s\n", formatDuration(snapshotDuration))
 
+	if opts.Prune {
+		log.Info("Pruning enabled - will delete old snapshots after snapshot")
+		// TODO: Implement pruning
+	}
+
 	return nil
 }
 
@@ -390,19 +374,17 @@ func (v *Vaultik) ListSnapshots(jsonOutput bool) error {
 		}
 	}
 
-	// Build final snapshot list.
-	// Separate local (cheap DB lookup) from remote-only (needs manifest download).
+	// Build final snapshot list
 	snapshots := make([]SnapshotInfo, 0, len(remoteSnapshots))
 
-	// remoteOnly collects snapshot IDs that need a manifest download.
-	var remoteOnly []string
-
 	for snapshotID := range remoteSnapshots {
+		// Check if we have this snapshot locally
 		if localSnap, exists := localSnapshotMap[snapshotID]; exists && localSnap.CompletedAt != nil {
 			// Get total compressed size of all blobs referenced by this snapshot
 			totalSize, err := v.Repositories.Snapshots.GetSnapshotTotalCompressedSize(v.ctx, snapshotID)
 			if err != nil {
 				log.Warn("Failed to get total compressed size", "id", snapshotID, "error", err)
+				// Fall back to stored blob size
 				totalSize = localSnap.BlobSize
 			}
 
@@ -412,78 +394,24 @@ func (v *Vaultik) ListSnapshots(jsonOutput bool) error {
 				CompressedSize: totalSize,
 			})
 		} else {
+			// Remote snapshot not in local DB - fetch manifest to get size
 			timestamp, err := parseSnapshotTimestamp(snapshotID)
 			if err != nil {
 				log.Warn("Failed to parse snapshot timestamp", "id", snapshotID, "error", err)
 				continue
 			}
-			// Pre-add with zero size; will be filled by concurrent downloads.
+
+			// Try to download manifest to get size
+			totalSize, err := v.getManifestSize(snapshotID)
+			if err != nil {
+				return fmt.Errorf("failed to get manifest size for %s: %w", snapshotID, err)
+			}
+
 			snapshots = append(snapshots, SnapshotInfo{
 				ID:             types.SnapshotID(snapshotID),
 				Timestamp:      timestamp,
-				CompressedSize: 0,
+				CompressedSize: totalSize,
 			})
-			remoteOnly = append(remoteOnly, snapshotID)
-		}
-	}
-
-	// Download manifests concurrently for remote-only snapshots.
-	if len(remoteOnly) > 0 {
-		// maxConcurrentManifestDownloads bounds parallel manifest fetches to
-		// avoid overwhelming the S3 endpoint while still being much faster
-		// than serial downloads.
-		const maxConcurrentManifestDownloads = 10
-
-		type manifestResult struct {
-			snapshotID string
-			size       int64
-		}
-
-		var (
-			mu      sync.Mutex
-			results []manifestResult
-		)
-
-		g, gctx := errgroup.WithContext(v.ctx)
-		g.SetLimit(maxConcurrentManifestDownloads)
-
-		for _, sid := range remoteOnly {
-			g.Go(func() error {
-				manifestPath := fmt.Sprintf("metadata/%s/manifest.json.zst", sid)
-				reader, err := v.Storage.Get(gctx, manifestPath)
-				if err != nil {
-					return fmt.Errorf("downloading manifest for %s: %w", sid, err)
-				}
-				defer func() { _ = reader.Close() }()
-
-				manifest, err := snapshot.DecodeManifest(reader)
-				if err != nil {
-					return fmt.Errorf("decoding manifest for %s: %w", sid, err)
-				}
-
-				mu.Lock()
-				results = append(results, manifestResult{
-					snapshotID: sid,
-					size:       manifest.TotalCompressedSize,
-				})
-				mu.Unlock()
-				return nil
-			})
-		}
-
-		if err := g.Wait(); err != nil {
-			return fmt.Errorf("fetching manifest sizes: %w", err)
-		}
-
-		// Build a lookup from results and patch the pre-added entries.
-		sizeMap := make(map[string]int64, len(results))
-		for _, r := range results {
-			sizeMap[r.snapshotID] = r.size
-		}
-		for i := range snapshots {
-			if sz, ok := sizeMap[string(snapshots[i].ID)]; ok {
-				snapshots[i].CompressedSize = sz
-			}
 		}
 	}
 
@@ -789,6 +717,23 @@ func (v *Vaultik) outputVerifyJSON(result *VerifyResult) error {
 
 // Helper methods that were previously on SnapshotApp
 
+func (v *Vaultik) getManifestSize(snapshotID string) (int64, error) {
+	manifestPath := fmt.Sprintf("metadata/%s/manifest.json.zst", snapshotID)
+
+	reader, err := v.Storage.Get(v.ctx, manifestPath)
+	if err != nil {
+		return 0, fmt.Errorf("downloading manifest: %w", err)
+	}
+	defer func() { _ = reader.Close() }()
+
+	manifest, err := snapshot.DecodeManifest(reader)
+	if err != nil {
+		return 0, fmt.Errorf("decoding manifest: %w", err)
+	}
+
+	return manifest.TotalCompressedSize, nil
+}
+
 func (v *Vaultik) downloadManifest(snapshotID string) (*snapshot.Manifest, error) {
 	manifestPath := fmt.Sprintf("metadata/%s/manifest.json.zst", snapshotID)
 
@@ -1058,16 +1003,16 @@ func (v *Vaultik) deleteSnapshotFromLocalDB(snapshotID string) error {
 
 	// Delete related records first to avoid foreign key constraints
 	if err := v.Repositories.Snapshots.DeleteSnapshotFiles(v.ctx, snapshotID); err != nil {
-		return fmt.Errorf("deleting snapshot files for %s: %w", snapshotID, err)
+		log.Error("Failed to delete snapshot files", "snapshot_id", snapshotID, "error", err)
 	}
 	if err := v.Repositories.Snapshots.DeleteSnapshotBlobs(v.ctx, snapshotID); err != nil {
-		return fmt.Errorf("deleting snapshot blobs for %s: %w", snapshotID, err)
+		log.Error("Failed to delete snapshot blobs", "snapshot_id", snapshotID, "error", err)
 	}
 	if err := v.Repositories.Snapshots.DeleteSnapshotUploads(v.ctx, snapshotID); err != nil {
-		return fmt.Errorf("deleting snapshot uploads for %s: %w", snapshotID, err)
+		log.Error("Failed to delete snapshot uploads", "snapshot_id", snapshotID, "error", err)
 	}
 	if err := v.Repositories.Snapshots.Delete(v.ctx, snapshotID); err != nil {
-		return fmt.Errorf("deleting snapshot record %s: %w", snapshotID, err)
+		log.Error("Failed to delete snapshot record", "snapshot_id", snapshotID, "error", err)
 	}
 
 	return nil
@@ -1181,18 +1126,25 @@ func (v *Vaultik) PruneDatabase() (*PruneResult, error) {
 	return result, nil
 }
 
-// validTableNameRe matches table names containing only lowercase alphanumeric characters and underscores.
-var validTableNameRe = regexp.MustCompile(`^[a-z0-9_]+$`)
+// allowedTableNames is the exhaustive whitelist of table names that may be
+// passed to getTableCount. Any name not in this set is rejected, preventing
+// SQL injection even if caller-controlled input is accidentally supplied.
+var allowedTableNames = map[string]struct{}{
+	"files":  {},
+	"chunks": {},
+	"blobs":  {},
+}
 
-// getTableCount returns the count of rows in a table.
-// The tableName is sanitized to only allow [a-z0-9_] characters to prevent SQL injection.
+// getTableCount returns the number of rows in the given table.
+// tableName must appear in the allowedTableNames whitelist; all other values
+// are rejected with an error, preventing SQL injection.
 func (v *Vaultik) getTableCount(tableName string) (int64, error) {
-	if v.DB == nil {
-		return 0, nil
+	if _, ok := allowedTableNames[tableName]; !ok {
+		return 0, fmt.Errorf("table name not allowed: %q", tableName)
 	}
 
-	if !validTableNameRe.MatchString(tableName) {
-		return 0, fmt.Errorf("invalid table name: %q", tableName)
+	if v.DB == nil {
+		return 0, nil
 	}
 
 	var count int64

internal/vaultik/snapshot_prune_test.go

@@ -1,23 +0,0 @@
-package vaultik
-
-import (
-	"testing"
-)
-
-// TestSnapshotCreateOptions_PruneFlag verifies the Prune field exists on
-// SnapshotCreateOptions and can be set.
-func TestSnapshotCreateOptions_PruneFlag(t *testing.T) {
-	opts := &SnapshotCreateOptions{
-		Prune: true,
-	}
-	if !opts.Prune {
-		t.Error("Expected Prune to be true")
-	}
-
-	opts2 := &SnapshotCreateOptions{
-		Prune: false,
-	}
-	if opts2.Prune {
-		t.Error("Expected Prune to be false")
-	}
-}

internal/vaultik/table_count_test.go

@@ -0,0 +1,51 @@
+package vaultik
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestAllowedTableNames(t *testing.T) {
+	// Verify the whitelist contains exactly the expected tables
+	expected := []string{"files", "chunks", "blobs"}
+	assert.Len(t, allowedTableNames, len(expected))
+	for _, name := range expected {
+		_, ok := allowedTableNames[name]
+		assert.True(t, ok, "expected %q in allowedTableNames", name)
+	}
+}
+
+func TestGetTableCount_RejectsInvalidNames(t *testing.T) {
+	v := &Vaultik{} // DB is nil, but rejection happens before DB access
+	v.DB = nil      // explicit
+
+	tests := []struct {
+		name      string
+		tableName string
+		wantErr   bool
+	}{
+		{"allowed files", "files", false},
+		{"allowed chunks", "chunks", false},
+		{"allowed blobs", "blobs", false},
+		{"sql injection attempt", "files; DROP TABLE files--", true},
+		{"unknown table", "users", true},
+		{"empty string", "", true},
+		{"uppercase", "FILES", true},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			count, err := v.getTableCount(tt.tableName)
+			if tt.wantErr {
+				assert.Error(t, err)
+				assert.Contains(t, err.Error(), "not allowed")
+				assert.Equal(t, int64(0), count)
+			} else {
+				// DB is nil so returns 0, nil for allowed names
+				assert.NoError(t, err)
+				assert.Equal(t, int64(0), count)
+			}
+		})
+	}
+}