From 82dcafbad1e68ed09feb276d5c132e90e4ec413e Mon Sep 17 00:00:00 2001
From: Renz <renz@uuxo.net>
Date: Fri, 28 Nov 2025 16:10:01 +0000
Subject: [PATCH] fix: Improve encryption detection for cluster backups

- Check cluster metadata first before single DB metadata
- For cluster backups, mark as encrypted only if ANY database is encrypted
- Remove double confirmation requirement for --workdir in dry-run mode
- Fixes false positive 'encrypted backup detected' for unencrypted cluster backups

This allows --clean-cluster and --workdir flags to work correctly with unencrypted backups.
---
 cmd/restore.go                |  8 --------
 internal/backup/encryption.go | 18 +++++++++++++++---
 2 files changed, 15 insertions(+), 11 deletions(-)

diff --git a/cmd/restore.go b/cmd/restore.go
index 4a1671d..3974af7 100755
--- a/cmd/restore.go
+++ b/cmd/restore.go
@@ -503,14 +503,6 @@ func runRestoreCluster(cmd *cobra.Command, args []string) error {
 			log.Warn("⚠️  Using alternative working directory for extraction")
 			log.Warn("    This is recommended when system disk space is limited")
 			log.Warn("    Location: " + restoreWorkdir)
-			
-			// Interactive confirmation required
-			if !restoreConfirm {
-				fmt.Printf("\n⚠️  Alternative extraction directory: %s\n", restoreWorkdir)
-				fmt.Printf("   This location will be used for temporary extraction.\n")
-				fmt.Printf("   Add --confirm flag to proceed.\n\n")
-				return fmt.Errorf("confirmation required for --workdir usage")
-			}
 		}
 
 		log.Info("Checking disk space...")
diff --git a/internal/backup/encryption.go b/internal/backup/encryption.go
index 5ee116e..b31c7b2 100644
--- a/internal/backup/encryption.go
+++ b/internal/backup/encryption.go
@@ -69,9 +69,21 @@ func EncryptBackupFile(backupPath string, key []byte, log logger.Logger) error {
 
 // IsBackupEncrypted checks if a backup file is encrypted
 func IsBackupEncrypted(backupPath string) bool {
-	// Check metadata first
-	metaPath := backupPath + ".meta.json"
-	if meta, err := metadata.Load(metaPath); err == nil {
+	// Check metadata first - try cluster metadata (for cluster backups)
+	// Try cluster metadata first
+	if clusterMeta, err := metadata.LoadCluster(backupPath); err == nil {
+		// For cluster backups, check if ANY database is encrypted
+		for _, db := range clusterMeta.Databases {
+			if db.Encrypted {
+				return true
+			}
+		}
+		// All databases are unencrypted
+		return false
+	}
+	
+	// Try single database metadata
+	if meta, err := metadata.Load(backupPath); err == nil {
 		return meta.Encrypted
 	}