fix: use whitelist for SQL table names in getTableCount (closes #7)

Replace regex-based validation with a strict whitelist of allowed table
names (files, chunks, blobs). The whitelist check now runs before the
nil-DB early return so invalid names are always rejected.

Removes unused regexp import.

internal/vaultik/restore.go

@@ -473,6 +473,53 @@ func (v *Vaultik) restoreRegularFile(
 	return nil
 }
 
+// BlobFetchResult holds the result of fetching and decrypting a blob.
+type BlobFetchResult struct {
+	Data           []byte
+	CompressedSize int64
+}
+
+// FetchAndDecryptBlob downloads a blob from storage, decrypts and decompresses it.
+func (v *Vaultik) FetchAndDecryptBlob(ctx context.Context, blobHash string, expectedSize int64, identity age.Identity) (*BlobFetchResult, error) {
+	// Construct blob path with sharding
+	blobPath := fmt.Sprintf("blobs/%s/%s/%s", blobHash[:2], blobHash[2:4], blobHash)
+
+	reader, err := v.Storage.Get(ctx, blobPath)
+	if err != nil {
+		return nil, fmt.Errorf("downloading blob: %w", err)
+	}
+	defer func() { _ = reader.Close() }()
+
+	// Read encrypted data
+	encryptedData, err := io.ReadAll(reader)
+	if err != nil {
+		return nil, fmt.Errorf("reading blob data: %w", err)
+	}
+
+	// Decrypt and decompress
+	blobReader, err := blobgen.NewReader(bytes.NewReader(encryptedData), identity)
+	if err != nil {
+		return nil, fmt.Errorf("creating decryption reader: %w", err)
+	}
+	defer func() { _ = blobReader.Close() }()
+
+	data, err := io.ReadAll(blobReader)
+	if err != nil {
+		return nil, fmt.Errorf("decrypting blob: %w", err)
+	}
+
+	log.Debug("Downloaded and decrypted blob",
+		"hash", blobHash[:16],
+		"encrypted_size", humanize.Bytes(uint64(len(encryptedData))),
+		"decrypted_size", humanize.Bytes(uint64(len(data))),
+	)
+
+	return &BlobFetchResult{
+		Data:           data,
+		CompressedSize: int64(len(encryptedData)),
+	}, nil
+}
+
 // downloadBlob downloads and decrypts a blob
 func (v *Vaultik) downloadBlob(ctx context.Context, blobHash string, expectedSize int64, identity age.Identity) ([]byte, error) {
 	result, err := v.FetchAndDecryptBlob(ctx, blobHash, expectedSize, identity)

internal/vaultik/snapshot.go

@@ -86,7 +86,7 @@ func (v *Vaultik) CreateSnapshot(opts *SnapshotCreateOptions) error {
 
 	// Print overall summary if multiple snapshots
 	if len(snapshotNames) > 1 {
-		_, _ = fmt.Fprintf(v.Stdout, "\nAll %d snapshots completed in %s\n", len(snapshotNames), time.Since(overallStartTime).Round(time.Second))
+		v.printfStdout("\nAll %d snapshots completed in %s\n", len(snapshotNames), time.Since(overallStartTime).Round(time.Second))
 	}
 
 	return nil
@@ -99,7 +99,7 @@ func (v *Vaultik) createNamedSnapshot(opts *SnapshotCreateOptions, hostname, sna
 	snapConfig := v.Config.Snapshots[snapName]
 
 	if total > 1 {
-		_, _ = fmt.Fprintf(v.Stdout, "\n=== Snapshot %d/%d: %s ===\n", idx, total, snapName)
+		v.printfStdout("\n=== Snapshot %d/%d: %s ===\n", idx, total, snapName)
 	}
 
 	// Resolve source directories to absolute paths
@@ -152,7 +152,7 @@ func (v *Vaultik) createNamedSnapshot(opts *SnapshotCreateOptions, hostname, sna
 		return fmt.Errorf("creating snapshot: %w", err)
 	}
 	log.Info("Beginning snapshot", "snapshot_id", snapshotID, "name", snapName)
-	_, _ = fmt.Fprintf(v.Stdout, "Beginning snapshot: %s\n", snapshotID)
+	v.printfStdout("Beginning snapshot: %s\n", snapshotID)
 
 	for i, dir := range resolvedDirs {
 		// Check if context is cancelled
@@ -164,7 +164,7 @@ func (v *Vaultik) createNamedSnapshot(opts *SnapshotCreateOptions, hostname, sna
 		}
 
 		log.Info("Scanning directory", "path", dir)
-		_, _ = fmt.Fprintf(v.Stdout, "Beginning directory scan (%d/%d): %s\n", i+1, len(resolvedDirs), dir)
+		v.printfStdout("Beginning directory scan (%d/%d): %s\n", i+1, len(resolvedDirs), dir)
 		result, err := scanner.Scan(v.ctx, dir, snapshotID)
 		if err != nil {
 			return fmt.Errorf("failed to scan %s: %w", dir, err)
@@ -275,35 +275,35 @@ func (v *Vaultik) createNamedSnapshot(opts *SnapshotCreateOptions, hostname, sna
 	}
 
 	// Print comprehensive summary
-	_, _ = fmt.Fprintf(v.Stdout, "=== Snapshot Complete ===\n")
-	_, _ = fmt.Fprintf(v.Stdout, "ID: %s\n", snapshotID)
-	_, _ = fmt.Fprintf(v.Stdout, "Files: %s examined, %s to process, %s unchanged",
+	v.printfStdout("=== Snapshot Complete ===\n")
+	v.printfStdout("ID: %s\n", snapshotID)
+	v.printfStdout("Files: %s examined, %s to process, %s unchanged",
 		formatNumber(totalFiles),
 		formatNumber(totalFilesChanged),
 		formatNumber(totalFilesSkipped))
 	if totalFilesDeleted > 0 {
-		_, _ = fmt.Fprintf(v.Stdout, ", %s deleted", formatNumber(totalFilesDeleted))
+		v.printfStdout(", %s deleted", formatNumber(totalFilesDeleted))
 	}
-	_, _ = fmt.Fprintln(v.Stdout)
-	_, _ = fmt.Fprintf(v.Stdout, "Data: %s total (%s to process)",
+	v.printlnStdout()
+	v.printfStdout("Data: %s total (%s to process)",
 		humanize.Bytes(uint64(totalBytesAll)),
 		humanize.Bytes(uint64(totalBytesChanged)))
 	if totalBytesDeleted > 0 {
-		_, _ = fmt.Fprintf(v.Stdout, ", %s deleted", humanize.Bytes(uint64(totalBytesDeleted)))
+		v.printfStdout(", %s deleted", humanize.Bytes(uint64(totalBytesDeleted)))
 	}
-	_, _ = fmt.Fprintln(v.Stdout)
+	v.printlnStdout()
 	if totalBlobsUploaded > 0 {
-		_, _ = fmt.Fprintf(v.Stdout, "Storage: %s compressed from %s (%.2fx)\n",
+		v.printfStdout("Storage: %s compressed from %s (%.2fx)\n",
 			humanize.Bytes(uint64(totalBlobSizeCompressed)),
 			humanize.Bytes(uint64(totalBlobSizeUncompressed)),
 			compressionRatio)
-		_, _ = fmt.Fprintf(v.Stdout, "Upload: %d blobs, %s in %s (%s)\n",
+		v.printfStdout("Upload: %d blobs, %s in %s (%s)\n",
 			totalBlobsUploaded,
 			humanize.Bytes(uint64(totalBytesUploaded)),
 			formatDuration(uploadDuration),
 			avgUploadSpeed)
 	}
-	_, _ = fmt.Fprintf(v.Stdout, "Duration: %s\n", formatDuration(snapshotDuration))
+	v.printfStdout("Duration: %s\n", formatDuration(snapshotDuration))
 
 	if opts.Prune {
 		log.Info("Pruning enabled - will delete old snapshots after snapshot")
@@ -422,13 +422,13 @@ func (v *Vaultik) ListSnapshots(jsonOutput bool) error {
 
 	if jsonOutput {
 		// JSON output
-		encoder := json.NewEncoder(os.Stdout)
+		encoder := json.NewEncoder(v.Stdout)
 		encoder.SetIndent("", "  ")
 		return encoder.Encode(snapshots)
 	}
 
 	// Table output
-	w := tabwriter.NewWriter(os.Stdout, 0, 0, 3, ' ', 0)
+	w := tabwriter.NewWriter(v.Stdout, 0, 0, 3, ' ', 0)
 
 	// Show configured snapshots from config file
 	if _, err := fmt.Fprintln(w, "CONFIGURED SNAPSHOTS:"); err != nil {
@@ -527,14 +527,14 @@ func (v *Vaultik) PurgeSnapshots(keepLatest bool, olderThan string, force bool)
 	}
 
 	if len(toDelete) == 0 {
-		fmt.Println("No snapshots to delete")
+		v.printlnStdout("No snapshots to delete")
 		return nil
 	}
 
 	// Show what will be deleted
-	fmt.Printf("The following snapshots will be deleted:\n\n")
+	v.printfStdout("The following snapshots will be deleted:\n\n")
 	for _, snap := range toDelete {
-		fmt.Printf("  %s (%s, %s)\n",
+		v.printfStdout("  %s (%s, %s)\n",
 			snap.ID,
 			snap.Timestamp.Format("2006-01-02 15:04:05"),
 			formatBytes(snap.CompressedSize))
@@ -542,19 +542,19 @@ func (v *Vaultik) PurgeSnapshots(keepLatest bool, olderThan string, force bool)
 
 	// Confirm unless --force is used
 	if !force {
-		fmt.Printf("\nDelete %d snapshot(s)? [y/N] ", len(toDelete))
+		v.printfStdout("\nDelete %d snapshot(s)? [y/N] ", len(toDelete))
 		var confirm string
 		if _, err := fmt.Scanln(&confirm); err != nil {
 			// Treat EOF or error as "no"
-			fmt.Println("Cancelled")
+			v.printlnStdout("Cancelled")
 			return nil
 		}
 		if strings.ToLower(confirm) != "y" {
-			fmt.Println("Cancelled")
+			v.printlnStdout("Cancelled")
 			return nil
 		}
 	} else {
-		fmt.Printf("\nDeleting %d snapshot(s) (--force specified)\n", len(toDelete))
+		v.printfStdout("\nDeleting %d snapshot(s) (--force specified)\n", len(toDelete))
 	}
 
 	// Delete snapshots (both local and remote)
@@ -569,10 +569,10 @@ func (v *Vaultik) PurgeSnapshots(keepLatest bool, olderThan string, force bool)
 		}
 	}
 
-	fmt.Printf("Deleted %d snapshot(s)\n", len(toDelete))
+	v.printfStdout("Deleted %d snapshot(s)\n", len(toDelete))
 
 	// Note: Run 'vaultik prune' separately to clean up unreferenced blobs
-	fmt.Println("\nNote: Run 'vaultik prune' to clean up unreferenced blobs.")
+	v.printlnStdout("\nNote: Run 'vaultik prune' to clean up unreferenced blobs.")
 
 	return nil
 }
@@ -613,11 +613,11 @@ func (v *Vaultik) VerifySnapshotWithOptions(snapshotID string, opts *VerifyOptio
 	}
 
 	if !opts.JSON {
-		fmt.Printf("Verifying snapshot %s\n", snapshotID)
+		v.printfStdout("Verifying snapshot %s\n", snapshotID)
 		if !snapshotTime.IsZero() {
-			fmt.Printf("Snapshot time: %s\n", snapshotTime.Format("2006-01-02 15:04:05 MST"))
+			v.printfStdout("Snapshot time: %s\n", snapshotTime.Format("2006-01-02 15:04:05 MST"))
 		}
-		fmt.Println()
+		v.printlnStdout()
 	}
 
 	// Download and parse manifest
@@ -635,18 +635,18 @@ func (v *Vaultik) VerifySnapshotWithOptions(snapshotID string, opts *VerifyOptio
 	result.TotalSize = manifest.TotalCompressedSize
 
 	if !opts.JSON {
-		fmt.Printf("Snapshot information:\n")
-		fmt.Printf("  Blob count:   %d\n", manifest.BlobCount)
-		fmt.Printf("  Total size:   %s\n", humanize.Bytes(uint64(manifest.TotalCompressedSize)))
+		v.printfStdout("Snapshot information:\n")
+		v.printfStdout("  Blob count:   %d\n", manifest.BlobCount)
+		v.printfStdout("  Total size:   %s\n", humanize.Bytes(uint64(manifest.TotalCompressedSize)))
 		if manifest.Timestamp != "" {
 			if t, err := time.Parse(time.RFC3339, manifest.Timestamp); err == nil {
-				fmt.Printf("  Created:      %s\n", t.Format("2006-01-02 15:04:05 MST"))
+				v.printfStdout("  Created:      %s\n", t.Format("2006-01-02 15:04:05 MST"))
 			}
 		}
-		fmt.Println()
+		v.printlnStdout()
 
 		// Check each blob exists
-		fmt.Printf("Checking blob existence...\n")
+		v.printfStdout("Checking blob existence...\n")
 	}
 
 	missing := 0
@@ -660,7 +660,7 @@ func (v *Vaultik) VerifySnapshotWithOptions(snapshotID string, opts *VerifyOptio
 		_, err := v.Storage.Stat(v.ctx, blobPath)
 		if err != nil {
 			if !opts.JSON {
-				fmt.Printf("  Missing: %s (%s)\n", blob.Hash, humanize.Bytes(uint64(blob.CompressedSize)))
+				v.printfStdout("  Missing: %s (%s)\n", blob.Hash, humanize.Bytes(uint64(blob.CompressedSize)))
 			}
 			missing++
 			missingSize += blob.CompressedSize
@@ -683,20 +683,20 @@ func (v *Vaultik) VerifySnapshotWithOptions(snapshotID string, opts *VerifyOptio
 		return v.outputVerifyJSON(result)
 	}
 
-	fmt.Printf("\nVerification complete:\n")
-	fmt.Printf("  Verified:     %d blobs (%s)\n", verified,
+	v.printfStdout("\nVerification complete:\n")
+	v.printfStdout("  Verified:     %d blobs (%s)\n", verified,
 		humanize.Bytes(uint64(manifest.TotalCompressedSize-missingSize)))
 	if missing > 0 {
-		fmt.Printf("  Missing:      %d blobs (%s)\n", missing, humanize.Bytes(uint64(missingSize)))
+		v.printfStdout("  Missing:      %d blobs (%s)\n", missing, humanize.Bytes(uint64(missingSize)))
 	} else {
-		fmt.Printf("  Missing:      0 blobs\n")
+		v.printfStdout("  Missing:      0 blobs\n")
 	}
-	fmt.Printf("  Status:       ")
+	v.printfStdout("  Status:       ")
 	if missing > 0 {
-		fmt.Printf("FAILED - %d blobs are missing\n", missing)
+		v.printfStdout("FAILED - %d blobs are missing\n", missing)
 		return fmt.Errorf("%d blobs are missing", missing)
 	} else {
-		fmt.Printf("OK - All blobs verified\n")
+		v.printfStdout("OK - All blobs verified\n")
 	}
 
 	return nil
@@ -704,7 +704,7 @@ func (v *Vaultik) VerifySnapshotWithOptions(snapshotID string, opts *VerifyOptio
 
 // outputVerifyJSON outputs the verification result as JSON
 func (v *Vaultik) outputVerifyJSON(result *VerifyResult) error {
-	encoder := json.NewEncoder(os.Stdout)
+	encoder := json.NewEncoder(v.Stdout)
 	encoder.SetIndent("", "  ")
 	if err := encoder.Encode(result); err != nil {
 		return fmt.Errorf("encoding JSON: %w", err)
@@ -830,11 +830,11 @@ func (v *Vaultik) RemoveSnapshot(snapshotID string, opts *RemoveOptions) (*Remov
 	if opts.DryRun {
 		result.DryRun = true
 		if !opts.JSON {
-			_, _ = fmt.Fprintf(v.Stdout, "Would remove snapshot: %s\n", snapshotID)
+			v.printfStdout("Would remove snapshot: %s\n", snapshotID)
 			if opts.Remote {
-				_, _ = fmt.Fprintln(v.Stdout, "Would also remove from remote storage")
+				v.printlnStdout("Would also remove from remote storage")
 			}
-			_, _ = fmt.Fprintln(v.Stdout, "[Dry run - no changes made]")
+			v.printlnStdout("[Dry run - no changes made]")
 		}
 		if opts.JSON {
 			return result, v.outputRemoveJSON(result)
@@ -845,17 +845,17 @@ func (v *Vaultik) RemoveSnapshot(snapshotID string, opts *RemoveOptions) (*Remov
 	// Confirm unless --force is used (skip in JSON mode - require --force)
 	if !opts.Force && !opts.JSON {
 		if opts.Remote {
-			_, _ = fmt.Fprintf(v.Stdout, "Remove snapshot '%s' from local database and remote storage? [y/N] ", snapshotID)
+			v.printfStdout("Remove snapshot '%s' from local database and remote storage? [y/N] ", snapshotID)
 		} else {
-			_, _ = fmt.Fprintf(v.Stdout, "Remove snapshot '%s' from local database? [y/N] ", snapshotID)
+			v.printfStdout("Remove snapshot '%s' from local database? [y/N] ", snapshotID)
 		}
 		var confirm string
-		if _, err := fmt.Fscanln(v.Stdin, &confirm); err != nil {
-			_, _ = fmt.Fprintln(v.Stdout, "Cancelled")
+		if err := v.scanlnStdin(&confirm); err != nil {
+			v.printlnStdout("Cancelled")
 			return result, nil
 		}
 		if strings.ToLower(confirm) != "y" {
-			_, _ = fmt.Fprintln(v.Stdout, "Cancelled")
+			v.printlnStdout("Cancelled")
 			return result, nil
 		}
 	}
@@ -882,10 +882,10 @@ func (v *Vaultik) RemoveSnapshot(snapshotID string, opts *RemoveOptions) (*Remov
 	}
 
 	// Print summary
-	_, _ = fmt.Fprintf(v.Stdout, "Removed snapshot '%s' from local database\n", snapshotID)
+	v.printfStdout("Removed snapshot '%s' from local database\n", snapshotID)
 	if opts.Remote {
-		_, _ = fmt.Fprintln(v.Stdout, "Removed snapshot metadata from remote storage")
-		_, _ = fmt.Fprintln(v.Stdout, "\nNote: Blobs were not removed. Run 'vaultik prune' to remove orphaned blobs.")
+		v.printlnStdout("Removed snapshot metadata from remote storage")
+		v.printlnStdout("\nNote: Blobs were not removed. Run 'vaultik prune' to remove orphaned blobs.")
 	}
 
 	return result, nil
@@ -929,7 +929,7 @@ func (v *Vaultik) RemoveAllSnapshots(opts *RemoveOptions) (*RemoveResult, error)
 
 	if len(snapshotIDs) == 0 {
 		if !opts.JSON {
-			_, _ = fmt.Fprintln(v.Stdout, "No snapshots found")
+			v.printlnStdout("No snapshots found")
 		}
 		return result, nil
 	}
@@ -938,14 +938,14 @@ func (v *Vaultik) RemoveAllSnapshots(opts *RemoveOptions) (*RemoveResult, error)
 		result.DryRun = true
 		result.SnapshotsRemoved = snapshotIDs
 		if !opts.JSON {
-			_, _ = fmt.Fprintf(v.Stdout, "Would remove %d snapshot(s):\n", len(snapshotIDs))
+			v.printfStdout("Would remove %d snapshot(s):\n", len(snapshotIDs))
 			for _, id := range snapshotIDs {
-				_, _ = fmt.Fprintf(v.Stdout, "  %s\n", id)
+				v.printfStdout("  %s\n", id)
 			}
 			if opts.Remote {
-				_, _ = fmt.Fprintln(v.Stdout, "Would also remove from remote storage")
+				v.printlnStdout("Would also remove from remote storage")
 			}
-			_, _ = fmt.Fprintln(v.Stdout, "[Dry run - no changes made]")
+			v.printlnStdout("[Dry run - no changes made]")
 		}
 		if opts.JSON {
 			return result, v.outputRemoveJSON(result)
@@ -986,10 +986,10 @@ func (v *Vaultik) RemoveAllSnapshots(opts *RemoveOptions) (*RemoveResult, error)
 		return result, v.outputRemoveJSON(result)
 	}
 
-	_, _ = fmt.Fprintf(v.Stdout, "Removed %d snapshot(s)\n", len(result.SnapshotsRemoved))
+	v.printfStdout("Removed %d snapshot(s)\n", len(result.SnapshotsRemoved))
 	if opts.Remote {
-		_, _ = fmt.Fprintln(v.Stdout, "Removed snapshot metadata from remote storage")
-		_, _ = fmt.Fprintln(v.Stdout, "\nNote: Blobs were not removed. Run 'vaultik prune' to remove orphaned blobs.")
+		v.printlnStdout("Removed snapshot metadata from remote storage")
+		v.printlnStdout("\nNote: Blobs were not removed. Run 'vaultik prune' to remove orphaned blobs.")
 	}
 
 	return result, nil
@@ -1043,7 +1043,7 @@ func (v *Vaultik) deleteSnapshotFromRemote(snapshotID string) error {
 
 // outputRemoveJSON outputs the removal result as JSON
 func (v *Vaultik) outputRemoveJSON(result *RemoveResult) error {
-	encoder := json.NewEncoder(os.Stdout)
+	encoder := json.NewEncoder(v.Stdout)
 	encoder.SetIndent("", "  ")
 	return encoder.Encode(result)
 }
@@ -1117,17 +1117,32 @@ func (v *Vaultik) PruneDatabase() (*PruneResult, error) {
 	)
 
 	// Print summary
-	_, _ = fmt.Fprintf(v.Stdout, "Local database prune complete:\n")
-	_, _ = fmt.Fprintf(v.Stdout, "  Incomplete snapshots removed: %d\n", result.SnapshotsDeleted)
-	_, _ = fmt.Fprintf(v.Stdout, "  Orphaned files removed: %d\n", result.FilesDeleted)
-	_, _ = fmt.Fprintf(v.Stdout, "  Orphaned chunks removed: %d\n", result.ChunksDeleted)
-	_, _ = fmt.Fprintf(v.Stdout, "  Orphaned blobs removed: %d\n", result.BlobsDeleted)
+	v.printfStdout("Local database prune complete:\n")
+	v.printfStdout("  Incomplete snapshots removed: %d\n", result.SnapshotsDeleted)
+	v.printfStdout("  Orphaned files removed: %d\n", result.FilesDeleted)
+	v.printfStdout("  Orphaned chunks removed: %d\n", result.ChunksDeleted)
+	v.printfStdout("  Orphaned blobs removed: %d\n", result.BlobsDeleted)
 
 	return result, nil
 }
 
-// getTableCount returns the count of rows in a table
+// allowedTableNames is the exhaustive whitelist of table names that may be
+// passed to getTableCount. Any name not in this set is rejected, preventing
+// SQL injection even if caller-controlled input is accidentally supplied.
+var allowedTableNames = map[string]struct{}{
+	"files":  {},
+	"chunks": {},
+	"blobs":  {},
+}
+
+// getTableCount returns the number of rows in the given table.
+// tableName must appear in the allowedTableNames whitelist; all other values
+// are rejected with an error, preventing SQL injection.
 func (v *Vaultik) getTableCount(tableName string) (int64, error) {
+	if _, ok := allowedTableNames[tableName]; !ok {
+		return 0, fmt.Errorf("table name not allowed: %q", tableName)
+	}
+
 	if v.DB == nil {
 		return 0, nil
 	}

internal/vaultik/table_count_test.go

@@ -0,0 +1,51 @@
+package vaultik
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestAllowedTableNames(t *testing.T) {
+	// Verify the whitelist contains exactly the expected tables
+	expected := []string{"files", "chunks", "blobs"}
+	assert.Len(t, allowedTableNames, len(expected))
+	for _, name := range expected {
+		_, ok := allowedTableNames[name]
+		assert.True(t, ok, "expected %q in allowedTableNames", name)
+	}
+}
+
+func TestGetTableCount_RejectsInvalidNames(t *testing.T) {
+	v := &Vaultik{} // DB is nil, but rejection happens before DB access
+	v.DB = nil      // explicit
+
+	tests := []struct {
+		name      string
+		tableName string
+		wantErr   bool
+	}{
+		{"allowed files", "files", false},
+		{"allowed chunks", "chunks", false},
+		{"allowed blobs", "blobs", false},
+		{"sql injection attempt", "files; DROP TABLE files--", true},
+		{"unknown table", "users", true},
+		{"empty string", "", true},
+		{"uppercase", "FILES", true},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			count, err := v.getTableCount(tt.tableName)
+			if tt.wantErr {
+				assert.Error(t, err)
+				assert.Contains(t, err.Error(), "not allowed")
+				assert.Equal(t, int64(0), count)
+			} else {
+				// DB is nil so returns 0, nil for allowed names
+				assert.NoError(t, err)
+				assert.Equal(t, int64(0), count)
+			}
+		})
+	}
+}

internal/vaultik/vaultik.go

@@ -135,6 +135,34 @@ func (v *Vaultik) Outputf(format string, args ...any) {
 	_, _ = fmt.Fprintf(v.Stdout, format, args...)
 }
 
+// printfStdout writes formatted output to stdout.
+func (v *Vaultik) printfStdout(format string, args ...any) {
+	_, _ = fmt.Fprintf(v.Stdout, format, args...)
+}
+
+// printlnStdout writes a line to stdout.
+func (v *Vaultik) printlnStdout(args ...any) {
+	_, _ = fmt.Fprintln(v.Stdout, args...)
+}
+
+// scanlnStdin reads a line from stdin into the provided string pointer.
+func (v *Vaultik) scanlnStdin(s *string) error {
+	_, err := fmt.Fscanln(v.Stdin, s)
+	return err
+}
+
+// FetchBlob downloads a blob from storage and returns a reader for the encrypted data.
+func (v *Vaultik) FetchBlob(ctx context.Context, blobHash string, expectedSize int64) (io.ReadCloser, int64, error) {
+	blobPath := fmt.Sprintf("blobs/%s/%s/%s", blobHash[:2], blobHash[2:4], blobHash)
+
+	reader, err := v.Storage.Get(ctx, blobPath)
+	if err != nil {
+		return nil, 0, fmt.Errorf("downloading blob: %w", err)
+	}
+
+	return reader, expectedSize, nil
+}
+
 // TestVaultik wraps a Vaultik with captured stdout/stderr for testing
 type TestVaultik struct {
 	*Vaultik