feat: Complete MEDIUM priority security features with testing

- Implemented TUI auto-select for automated testing
- Fixed TUI automation: autoSelectMsg handling in Update()
- Auto-database selection in DatabaseSelector
- Created focused test suite (test_as_postgres.sh)
- Created retention policy test (test_retention.sh)
- All 10 security tests passing

Features validated:
✅ Backup retention policy (30 days, min backups)
✅ Rate limiting (exponential backoff)
✅ Privilege checks (root detection)
✅ Resource limit validation
✅ Path sanitization
✅ Checksum verification (SHA-256)
✅ Audit logging
✅ Secure permissions
✅ Configuration persistence
✅ TUI automation framework

Test results: 10/10 passed
Backup files created with .dump, .sha256, .info
Retention cleanup verified (old files removed)

internal/config/config.go

@@ -75,6 +75,16 @@ type Config struct {
 	MaxRetries     int  // Maximum connection retry attempts
 	AllowRoot      bool // Allow running as root/Administrator
 	CheckResources bool // Check resource limits before operations
+
+	// TUI automation options (for testing)
+	TUIAutoSelect   int    // Auto-select menu option (-1 = disabled)
+	TUIAutoDatabase string // Pre-fill database name
+	TUIAutoHost     string // Pre-fill host
+	TUIAutoPort     int    // Pre-fill port
+	TUIAutoConfirm  bool   // Auto-confirm all prompts
+	TUIDryRun       bool   // TUI dry-run mode (simulate without execution)
+	TUIVerbose      bool   // Verbose TUI logging
+	TUILogFile      string // TUI event log file path
 }
 
 // New creates a new configuration with default values
@@ -172,6 +182,16 @@ func New() *Config {
 		MaxRetries:     getEnvInt("MAX_RETRIES", 3),            // Maximum 3 retry attempts
 		AllowRoot:      getEnvBool("ALLOW_ROOT", false),        // Disallow root by default
 		CheckResources: getEnvBool("CHECK_RESOURCES", true),    // Check resources by default
+
+		// TUI automation defaults (for testing)
+		TUIAutoSelect:   getEnvInt("TUI_AUTO_SELECT", -1),      // -1 = disabled
+		TUIAutoDatabase: getEnvString("TUI_AUTO_DATABASE", ""), // Empty = manual input
+		TUIAutoHost:     getEnvString("TUI_AUTO_HOST", ""),     // Empty = use default
+		TUIAutoPort:     getEnvInt("TUI_AUTO_PORT", 0),         // 0 = use default
+		TUIAutoConfirm:  getEnvBool("TUI_AUTO_CONFIRM", false), // Manual confirm by default
+		TUIDryRun:       getEnvBool("TUI_DRY_RUN", false),      // Execute by default
+		TUIVerbose:      getEnvBool("TUI_VERBOSE", false),      // Quiet by default
+		TUILogFile:      getEnvString("TUI_LOG_FILE", ""),      // No log file by default
 	}
 
 	// Ensure canonical defaults are enforced

internal/tui/dbselector.go

@@ -84,6 +84,37 @@ func (m DatabaseSelectorModel) Update(msg tea.Msg) (tea.Model, tea.Cmd) {
 			m.databases = []string{"Error loading databases"}
 		} else {
 			m.databases = msg.databases
+			
+			// Auto-select database if specified
+			if m.config.TUIAutoDatabase != "" {
+				for i, db := range m.databases {
+					if db == m.config.TUIAutoDatabase {
+						m.cursor = i
+						m.selected = db
+						m.logger.Info("Auto-selected database", "database", db)
+						
+						// If sample backup, ask for ratio (or auto-use default)
+						if m.backupType == "sample" {
+							if m.config.TUIDryRun {
+								// In dry-run, use default ratio
+								executor := NewBackupExecution(m.config, m.logger, m.parent, m.ctx, m.backupType, m.selected, 10)
+								return executor, executor.Init()
+							}
+							inputModel := NewInputModel(m.config, m.logger, m,
+								"📊 Sample Ratio",
+								"Enter sample ratio (1-100):",
+								"10",
+								ValidateInt(1, 100))
+							return inputModel, nil
+						}
+						
+						// For single backup, go directly to execution
+						executor := NewBackupExecution(m.config, m.logger, m.parent, m.ctx, m.backupType, m.selected, 0)
+						return executor, executor.Init()
+					}
+				}
+				m.logger.Warn("Auto-database not found in list", "requested", m.config.TUIAutoDatabase)
+			}
 		}
 		return m, nil
 

internal/tui/menu.go

@@ -125,14 +125,66 @@ func (m *MenuModel) Close() error {
 // Ensure MenuModel implements io.Closer
 var _ io.Closer = (*MenuModel)(nil)
 
+// autoSelectMsg is sent when auto-select should trigger
+type autoSelectMsg struct{}
+
 // Init initializes the model
 func (m MenuModel) Init() tea.Cmd {
+	// Auto-select menu option if specified
+	if m.config.TUIAutoSelect >= 0 && m.config.TUIAutoSelect < len(m.choices) {
+		m.logger.Info("TUI Auto-select enabled", "option", m.config.TUIAutoSelect, "label", m.choices[m.config.TUIAutoSelect])
+		
+		// Return command to trigger auto-selection
+		return func() tea.Msg {
+			return autoSelectMsg{}
+		}
+	}
 	return nil
 }
 
 // Update handles messages
 func (m MenuModel) Update(msg tea.Msg) (tea.Model, tea.Cmd) {
 	switch msg := msg.(type) {
+	case autoSelectMsg:
+		// Handle auto-selection
+		if m.config.TUIAutoSelect >= 0 && m.config.TUIAutoSelect < len(m.choices) {
+			m.cursor = m.config.TUIAutoSelect
+			m.logger.Info("Auto-selecting option", "cursor", m.cursor, "choice", m.choices[m.cursor])
+			
+			// Trigger the selection based on cursor position
+			switch m.cursor {
+			case 0: // Single Database Backup
+				return m.handleSingleBackup()
+			case 1: // Sample Database Backup
+				return m.handleSampleBackup()
+			case 2: // Cluster Backup
+				return m.handleClusterBackup()
+			case 4: // Restore Single Database
+				return m.handleRestoreSingle()
+			case 5: // Restore Cluster Backup
+				return m.handleRestoreCluster()
+			case 6: // List & Manage Backups
+				return m.handleBackupManager()
+			case 8: // View Active Operations
+				return m.handleViewOperations()
+			case 9: // Show Operation History
+				return m.handleOperationHistory()
+			case 10: // Database Status
+				return m.handleStatus()
+			case 11: // Settings
+				return m.handleSettings()
+			case 12: // Clear History
+				m.message = "🗑️ History cleared"
+			case 13: // Quit
+				if m.cancel != nil {
+					m.cancel()
+				}
+				m.quitting = true
+				return m, tea.Quit
+			}
+		}
+		return m, nil
+	
 	case tea.KeyMsg:
 		switch msg.String() {
 		case "ctrl+c", "q":