fix: replace O(n²) duplicate detection with map-based O(1) lookups

Replace linear scan deduplication of snapshot IDs in RemoveAllSnapshots()
and PruneBlobs() with map[string]bool for O(1) lookups.

Previously, each new snapshot ID was checked against the entire collected
slice via a linear scan, resulting in O(n²) overall complexity. Now a
'seen' map provides constant-time membership checks while preserving
insertion order in the slice.

closes #12

.dockerignore

@@ -0,0 +1,8 @@
+.git
+.gitea
+*.md
+LICENSE
+vaultik
+coverage.out
+coverage.html
+.DS_Store

.gitea/workflows/check.yml

@@ -0,0 +1,14 @@
+name: check
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    steps:
+      # actions/checkout v4, 2024-09-16
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+      - name: Build and check
+        run: docker build .

Dockerfile

@@ -0,0 +1,61 @@
+# Lint stage
+# golangci/golangci-lint:v2.11.3-alpine, 2026-03-17
+FROM golangci/golangci-lint:v2.11.3-alpine@sha256:b1c3de5862ad0a95b4e45a993b0f00415835d687e4f12c845c7493b86c13414e AS lint
+
+RUN apk add --no-cache make build-base
+
+WORKDIR /src
+
+# Copy go mod files first for better layer caching
+COPY go.mod go.sum ./
+RUN go mod download
+
+# Copy source code
+COPY . .
+
+# Run formatting check and linter
+RUN make fmt-check
+RUN make lint
+
+# Build stage
+# golang:1.26.1-alpine, 2026-03-17
+FROM golang:1.26.1-alpine@sha256:2389ebfa5b7f43eeafbd6be0c3700cc46690ef842ad962f6c5bd6be49ed82039 AS builder
+
+# Depend on lint stage passing
+COPY --from=lint /src/go.sum /dev/null
+
+ARG VERSION=dev
+
+# Install build dependencies for CGO (mattn/go-sqlite3) and sqlite3 CLI (tests)
+RUN apk add --no-cache make build-base sqlite
+
+WORKDIR /src
+
+# Copy go mod files first for better layer caching
+COPY go.mod go.sum ./
+RUN go mod download
+
+# Copy source code
+COPY . .
+
+# Run tests
+RUN make test
+
+# Build with CGO enabled (required for mattn/go-sqlite3)
+RUN CGO_ENABLED=1 go build -ldflags "-X 'git.eeqj.de/sneak/vaultik/internal/globals.Version=${VERSION}' -X 'git.eeqj.de/sneak/vaultik/internal/globals.Commit=$(git rev-parse HEAD 2>/dev/null || echo unknown)'" -o /vaultik ./cmd/vaultik
+
+# Runtime stage
+# alpine:3.21, 2026-02-25
+FROM alpine:3.21@sha256:c3f8e73fdb79deaebaa2037150150191b9dcbfba68b4a46d70103204c53f4709
+
+RUN apk add --no-cache ca-certificates sqlite
+
+# Copy binary from builder
+COPY --from=builder /vaultik /usr/local/bin/vaultik
+
+# Create non-root user
+RUN adduser -D -H -s /sbin/nologin vaultik
+
+USER vaultik
+
+ENTRYPOINT ["/usr/local/bin/vaultik"]

Makefile

@@ -1,4 +1,4 @@
-.PHONY: test fmt lint build clean all
+.PHONY: test fmt lint fmt-check check build clean all docker hooks
 
 # Version number
 VERSION := 0.0.1
@@ -14,21 +14,12 @@ LDFLAGS := -X 'git.eeqj.de/sneak/vaultik/internal/globals.Version=$(VERSION)' \
 all: vaultik
 
 # Run tests
-test: lint fmt-check
+test:
-	@echo "Running tests..."
+	go test -race -timeout 30s ./...
-	@if ! go test -v -timeout 10s ./... 2>&1; then \
-		echo ""; \
-		echo "TEST FAILURES DETECTED"; \
-		echo "Run 'go test -v ./internal/database' to see database test details"; \
-		exit 1; \
-	fi
 
-# Check if code is formatted
+# Check if code is formatted (read-only)
 fmt-check:
-	@if [ -n "$$(go fmt ./...)" ]; then \
+	@test -z "$$(gofmt -l .)" || (echo "Files not formatted:" && gofmt -l . && exit 1)
-		echo "Error: Code is not formatted. Run 'make fmt' to fix."; \
-		exit 1; \
-	fi
 
 # Format code
 fmt:
@@ -36,7 +27,7 @@ fmt:
 
 # Run linter
 lint:
-	golangci-lint run
+	golangci-lint run ./...
 
 # Build binary
 vaultik: internal/*/*.go cmd/vaultik/*.go
@@ -47,11 +38,6 @@ clean:
 	rm -f vaultik
 	go clean
 
-# Install dependencies
-deps:
-	go mod download
-	go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest
-
 # Run tests with coverage
 test-coverage:
 	go test -v -coverprofile=coverage.out ./...
@@ -67,3 +53,17 @@ local:
 
 install: vaultik
 	cp ./vaultik $(HOME)/bin/
+
+# Run all checks (formatting, linting, tests) without modifying files
+check: fmt-check lint test
+
+# Build Docker image
+docker:
+	docker build -t vaultik .
+
+# Install pre-commit hook
+hooks:
+	@printf '#!/bin/sh\nset -e\n' > .git/hooks/pre-commit
+	@printf 'go mod tidy\ngo fmt ./...\ngit diff --exit-code -- go.mod go.sum || { echo "go mod tidy changed files; please stage and retry"; exit 1; }\n' >> .git/hooks/pre-commit
+	@printf 'make check\n' >> .git/hooks/pre-commit
+	@chmod +x .git/hooks/pre-commit

go.mod

@@ -1,6 +1,6 @@
 module git.eeqj.de/sneak/vaultik
 
-go 1.24.4
+go 1.26.1
 
 require (
 	filippo.io/age v1.2.1

internal/vaultik/prune.go

@@ -35,6 +35,7 @@ func (v *Vaultik) PruneBlobs(opts *PruneOptions) error {
 	log.Info("Listing remote snapshots")
 	objectCh := v.Storage.ListStream(v.ctx, "metadata/")
 
+	seen := make(map[string]bool)
 	var snapshotIDs []string
 	for object := range objectCh {
 		if object.Err != nil {
@@ -47,15 +48,8 @@ func (v *Vaultik) PruneBlobs(opts *PruneOptions) error {
 			// Check if this is a directory by looking for trailing slash
 			if strings.HasSuffix(object.Key, "/") || strings.Contains(object.Key, "/manifest.json.zst") {
 				snapshotID := parts[1]
-				// Only add unique snapshot IDs
+				if !seen[snapshotID] {
-				found := false
+					seen[snapshotID] = true
-				for _, id := range snapshotIDs {
-					if id == snapshotID {
-						found = true
-						break
-					}
-				}
-				if !found {
 					snapshotIDs = append(snapshotIDs, snapshotID)
 				}
 			}

internal/vaultik/restore.go

@@ -22,6 +22,13 @@ import (
 	"golang.org/x/term"
 )
 
+const (
+	// progressBarWidth is the character width of the progress bar display.
+	progressBarWidth = 40
+	// progressBarThrottle is the minimum interval between progress bar redraws.
+	progressBarThrottle = 100 * time.Millisecond
+)
+
 // RestoreOptions contains options for the restore operation
 type RestoreOptions struct {
 	SnapshotID string
@@ -115,6 +122,15 @@ func (v *Vaultik) Restore(opts *RestoreOptions) error {
 	}
 	defer func() { _ = blobCache.Close() }()
 
+	// Calculate total bytes for progress bar
+	var totalBytesExpected int64
+	for _, file := range files {
+		totalBytesExpected += file.Size
+	}
+
+	// Create progress bar if output is a terminal
+	bar := v.newProgressBar("Restoring", totalBytesExpected)
+
 	for i, file := range files {
 		if v.ctx.Err() != nil {
 			return v.ctx.Err()
@@ -122,11 +138,21 @@ func (v *Vaultik) Restore(opts *RestoreOptions) error {
 
 		if err := v.restoreFile(v.ctx, repos, file, opts.TargetDir, identity, chunkToBlobMap, blobCache, result); err != nil {
 			log.Error("Failed to restore file", "path", file.Path, "error", err)
-			// Continue with other files
+			result.FilesFailed++
+			result.FailedFiles = append(result.FailedFiles, file.Path.String())
+			// Update progress bar even on failure
+			if bar != nil {
+				_ = bar.Add64(file.Size)
+			}
 			continue
 		}
 
-		// Progress logging
+		// Update progress bar
+		if bar != nil {
+			_ = bar.Add64(file.Size)
+		}
+
+		// Progress logging (for non-terminal or structured logs)
 		if (i+1)%100 == 0 || i+1 == len(files) {
 			log.Info("Restore progress",
 				"files", fmt.Sprintf("%d/%d", i+1, len(files)),
@@ -135,6 +161,10 @@ func (v *Vaultik) Restore(opts *RestoreOptions) error {
 		}
 	}
 
+	if bar != nil {
+		_ = bar.Finish()
+	}
+
 	result.Duration = time.Since(startTime)
 
 	log.Info("Restore complete",
@@ -151,6 +181,13 @@ func (v *Vaultik) Restore(opts *RestoreOptions) error {
 		result.Duration.Round(time.Second),
 	)
 
+	if result.FilesFailed > 0 {
+		_, _ = fmt.Fprintf(v.Stdout, "\nWARNING: %d file(s) failed to restore:\n", result.FilesFailed)
+		for _, path := range result.FailedFiles {
+			_, _ = fmt.Fprintf(v.Stdout, "  - %s\n", path)
+		}
+	}
+
 	// Run verification if requested
 	if opts.Verify {
 		if err := v.verifyRestoredFiles(v.ctx, repos, files, opts.TargetDir, result); err != nil {
@@ -171,6 +208,10 @@ func (v *Vaultik) Restore(opts *RestoreOptions) error {
 		)
 	}
 
+	if result.FilesFailed > 0 {
+		return fmt.Errorf("%d file(s) failed to restore", result.FilesFailed)
+	}
+
 	return nil
 }
 
@@ -523,22 +564,7 @@ func (v *Vaultik) verifyRestoredFiles(
 	)
 
 	// Create progress bar if output is a terminal
-	var bar *progressbar.ProgressBar
+	bar := v.newProgressBar("Verifying", totalBytes)
-	if isTerminal() {
-		bar = progressbar.NewOptions64(
-			totalBytes,
-			progressbar.OptionSetDescription("Verifying"),
-			progressbar.OptionSetWriter(v.Stderr),
-			progressbar.OptionShowBytes(true),
-			progressbar.OptionShowCount(),
-			progressbar.OptionSetWidth(40),
-			progressbar.OptionThrottle(100*time.Millisecond),
-			progressbar.OptionOnCompletion(func() {
-				v.printfStderr("\n")
-			}),
-			progressbar.OptionSetRenderBlankState(true),
-		)
-	}
 
 	// Verify each file
 	for _, file := range regularFiles {
@@ -632,7 +658,37 @@ func (v *Vaultik) verifyFile(
 	return bytesVerified, nil
 }
 
-// isTerminal returns true if stdout is a terminal
+// newProgressBar creates a terminal-aware progress bar with standard options.
-func isTerminal() bool {
+// It returns nil if stdout is not a terminal.
-	return term.IsTerminal(int(os.Stdout.Fd()))
+func (v *Vaultik) newProgressBar(description string, total int64) *progressbar.ProgressBar {
+	if !v.isTerminal() {
+		return nil
+	}
+	return progressbar.NewOptions64(
+		total,
+		progressbar.OptionSetDescription(description),
+		progressbar.OptionSetWriter(v.Stderr),
+		progressbar.OptionShowBytes(true),
+		progressbar.OptionShowCount(),
+		progressbar.OptionSetWidth(progressBarWidth),
+		progressbar.OptionThrottle(progressBarThrottle),
+		progressbar.OptionOnCompletion(func() {
+			v.printfStderr("\n")
+		}),
+		progressbar.OptionSetRenderBlankState(true),
+	)
+}
+
+// isTerminal returns true if stdout is a terminal.
+// It checks whether v.Stdout implements Fd() (i.e. is an *os.File),
+// and falls back to false for non-file writers (e.g. in tests).
+func (v *Vaultik) isTerminal() bool {
+	type fder interface {
+		Fd() uintptr
+	}
+	f, ok := v.Stdout.(fder)
+	if !ok {
+		return false
+	}
+	return term.IsTerminal(int(f.Fd()))
 }

internal/vaultik/snapshot.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"regexp"
 	"sort"
 	"strings"
 	"text/tabwriter"
@@ -89,6 +90,24 @@ func (v *Vaultik) CreateSnapshot(opts *SnapshotCreateOptions) error {
 		v.printfStdout("\nAll %d snapshots completed in %s\n", len(snapshotNames), time.Since(overallStartTime).Round(time.Second))
 	}
 
+	// Prune old snapshots and unreferenced blobs if --prune was specified
+	if opts.Prune {
+		log.Info("Pruning enabled - deleting old snapshots and unreferenced blobs")
+		v.printlnStdout("\nPruning old snapshots (keeping latest)...")
+
+		if err := v.PurgeSnapshots(true, "", true); err != nil {
+			return fmt.Errorf("prune: purging old snapshots: %w", err)
+		}
+
+		v.printlnStdout("Pruning unreferenced blobs...")
+
+		if err := v.PruneBlobs(&PruneOptions{Force: true}); err != nil {
+			return fmt.Errorf("prune: removing unreferenced blobs: %w", err)
+		}
+
+		log.Info("Pruning complete")
+	}
+
 	return nil
 }
 
@@ -305,11 +324,6 @@ func (v *Vaultik) createNamedSnapshot(opts *SnapshotCreateOptions, hostname, sna
 	}
 	v.printfStdout("Duration: %s\n", formatDuration(snapshotDuration))
 
-	if opts.Prune {
-		log.Info("Pruning enabled - will delete old snapshots after snapshot")
-		// TODO: Implement pruning
-	}
-
 	return nil
 }
 
@@ -899,6 +913,7 @@ func (v *Vaultik) RemoveAllSnapshots(opts *RemoveOptions) (*RemoveResult, error)
 	log.Info("Listing all snapshots")
 	objectCh := v.Storage.ListStream(v.ctx, "metadata/")
 
+	seen := make(map[string]bool)
 	var snapshotIDs []string
 	for object := range objectCh {
 		if object.Err != nil {
@@ -913,14 +928,8 @@ func (v *Vaultik) RemoveAllSnapshots(opts *RemoveOptions) (*RemoveResult, error)
 			}
 			if strings.HasSuffix(object.Key, "/") || strings.Contains(object.Key, "/manifest.json.zst") {
 				sid := parts[1]
-				found := false
+				if !seen[sid] {
-				for _, id := range snapshotIDs {
+					seen[sid] = true
-					if id == sid {
-						found = true
-						break
-					}
-				}
-				if !found {
 					snapshotIDs = append(snapshotIDs, sid)
 				}
 			}
@@ -1003,16 +1012,16 @@ func (v *Vaultik) deleteSnapshotFromLocalDB(snapshotID string) error {
 
 	// Delete related records first to avoid foreign key constraints
 	if err := v.Repositories.Snapshots.DeleteSnapshotFiles(v.ctx, snapshotID); err != nil {
-		log.Error("Failed to delete snapshot files", "snapshot_id", snapshotID, "error", err)
+		return fmt.Errorf("deleting snapshot files for %s: %w", snapshotID, err)
 	}
 	if err := v.Repositories.Snapshots.DeleteSnapshotBlobs(v.ctx, snapshotID); err != nil {
-		log.Error("Failed to delete snapshot blobs", "snapshot_id", snapshotID, "error", err)
+		return fmt.Errorf("deleting snapshot blobs for %s: %w", snapshotID, err)
 	}
 	if err := v.Repositories.Snapshots.DeleteSnapshotUploads(v.ctx, snapshotID); err != nil {
-		log.Error("Failed to delete snapshot uploads", "snapshot_id", snapshotID, "error", err)
+		return fmt.Errorf("deleting snapshot uploads for %s: %w", snapshotID, err)
 	}
 	if err := v.Repositories.Snapshots.Delete(v.ctx, snapshotID); err != nil {
-		log.Error("Failed to delete snapshot record", "snapshot_id", snapshotID, "error", err)
+		return fmt.Errorf("deleting snapshot record %s: %w", snapshotID, err)
 	}
 
 	return nil
@@ -1126,27 +1135,20 @@ func (v *Vaultik) PruneDatabase() (*PruneResult, error) {
 	return result, nil
 }
 
-// allowedTableNames is the exhaustive whitelist of table names that may be
+// validTableNameRe matches table names containing only lowercase alphanumeric characters and underscores.
-// passed to getTableCount. Any name not in this set is rejected, preventing
+var validTableNameRe = regexp.MustCompile(`^[a-z0-9_]+$`)
-// SQL injection even if caller-controlled input is accidentally supplied.
-var allowedTableNames = map[string]struct{}{
-	"files":  {},
-	"chunks": {},
-	"blobs":  {},
-}
 
-// getTableCount returns the number of rows in the given table.
+// getTableCount returns the count of rows in a table.
-// tableName must appear in the allowedTableNames whitelist; all other values
+// The tableName is sanitized to only allow [a-z0-9_] characters to prevent SQL injection.
-// are rejected with an error, preventing SQL injection.
 func (v *Vaultik) getTableCount(tableName string) (int64, error) {
-	if _, ok := allowedTableNames[tableName]; !ok {
-		return 0, fmt.Errorf("table name not allowed: %q", tableName)
-	}
-
 	if v.DB == nil {
 		return 0, nil
 	}
 
+	if !validTableNameRe.MatchString(tableName) {
+		return 0, fmt.Errorf("invalid table name: %q", tableName)
+	}
+
 	var count int64
 	query := fmt.Sprintf("SELECT COUNT(*) FROM %s", tableName)
 	err := v.DB.Conn().QueryRowContext(v.ctx, query).Scan(&count)

internal/vaultik/snapshot_prune_test.go

@@ -0,0 +1,23 @@
+package vaultik
+
+import (
+	"testing"
+)
+
+// TestSnapshotCreateOptions_PruneFlag verifies the Prune field exists on
+// SnapshotCreateOptions and can be set.
+func TestSnapshotCreateOptions_PruneFlag(t *testing.T) {
+	opts := &SnapshotCreateOptions{
+		Prune: true,
+	}
+	if !opts.Prune {
+		t.Error("Expected Prune to be true")
+	}
+
+	opts2 := &SnapshotCreateOptions{
+		Prune: false,
+	}
+	if opts2.Prune {
+		t.Error("Expected Prune to be false")
+	}
+}

internal/vaultik/table_count_test.go

@@ -1,51 +0,0 @@
-package vaultik
-
-import (
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-)
-
-func TestAllowedTableNames(t *testing.T) {
-	// Verify the whitelist contains exactly the expected tables
-	expected := []string{"files", "chunks", "blobs"}
-	assert.Len(t, allowedTableNames, len(expected))
-	for _, name := range expected {
-		_, ok := allowedTableNames[name]
-		assert.True(t, ok, "expected %q in allowedTableNames", name)
-	}
-}
-
-func TestGetTableCount_RejectsInvalidNames(t *testing.T) {
-	v := &Vaultik{} // DB is nil, but rejection happens before DB access
-	v.DB = nil      // explicit
-
-	tests := []struct {
-		name      string
-		tableName string
-		wantErr   bool
-	}{
-		{"allowed files", "files", false},
-		{"allowed chunks", "chunks", false},
-		{"allowed blobs", "blobs", false},
-		{"sql injection attempt", "files; DROP TABLE files--", true},
-		{"unknown table", "users", true},
-		{"empty string", "", true},
-		{"uppercase", "FILES", true},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			count, err := v.getTableCount(tt.tableName)
-			if tt.wantErr {
-				assert.Error(t, err)
-				assert.Contains(t, err.Error(), "not allowed")
-				assert.Equal(t, int64(0), count)
-			} else {
-				// DB is nil so returns 0, nil for allowed names
-				assert.NoError(t, err)
-				assert.Equal(t, int64(0), count)
-			}
-		})
-	}
-}