v3.42.36: Fix remaining TUI prefix inconsistencies

- diagnose_view.go: Add [STATS], [LIST], [INFO] section prefixes - status.go: Add [CONN], [INFO] section prefixes - settings.go: [LOG] → [INFO] for configuration summary - menu.go: [DB] → [SELECT]/[CHECK] for selectors
v3.42.35: Standardize TUI title prefixes for consistency
2026-01-14 16:59:24 +01:00 · 2026-01-14 16:36:35 +01:00 · 2026-01-14 16:24:12 +01:00 · 2026-01-14 16:19:40 +01:00 · 2026-01-14 16:13:00 +01:00 · 2026-01-14 16:07:04 +01:00
218 changed files with 50155 additions and 4487 deletions
--- a/.dbbackup.conf
+++ b/.dbbackup.conf
@@ -0,0 +1,25 @@
+# dbbackup configuration
+# This file is auto-generated. Edit with care.
+
+[database]
+type = postgres
+host = 172.20.0.3
+port = 5432
+user = postgres
+database = postgres
+ssl_mode = prefer
+
+[backup]
+backup_dir = /root/source/dbbackup/tmp
+compression = 6
+jobs = 4
+dump_jobs = 2
+
+[performance]
+cpu_workload = balanced
+max_cores = 8
+
+[security]
+retention_days = 30
+min_backups = 5
+max_retries = 3
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -0,0 +1,161 @@
+# CI/CD Pipeline for dbbackup
+# Main repo: Gitea (git.uuxo.net)
+# Mirror: GitHub (github.com/PlusOne/dbbackup)
+name: CI/CD
+
+on:
+  push:
+    branches: [main, master, develop]
+    tags: ['v*']
+  pull_request:
+    branches: [main, master]
+
+jobs:
+  test:
+    name: Test
+    runs-on: ubuntu-latest
+    container:
+      image: golang:1.24-bookworm
+    steps:
+      - name: Checkout code
+        env:
+          TOKEN: ${{ github.token }}
+        run: |
+          apt-get update && apt-get install -y -qq git ca-certificates
+          git config --global --add safe.directory "$GITHUB_WORKSPACE"
+          git init
+          git remote add origin "https://${TOKEN}@git.uuxo.net/${GITHUB_REPOSITORY}.git"
+          git fetch --depth=1 origin "${GITHUB_SHA}"
+          git checkout FETCH_HEAD
+
+      - name: Download dependencies
+        run: go mod download
+
+      - name: Run tests
+        run: go test -race -coverprofile=coverage.out ./...
+
+      - name: Coverage summary
+        run: go tool cover -func=coverage.out | tail -1
+
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    container:
+      image: golang:1.24-bookworm
+    steps:
+      - name: Checkout code
+        env:
+          TOKEN: ${{ github.token }}
+        run: |
+          apt-get update && apt-get install -y -qq git ca-certificates
+          git config --global --add safe.directory "$GITHUB_WORKSPACE"
+          git init
+          git remote add origin "https://${TOKEN}@git.uuxo.net/${GITHUB_REPOSITORY}.git"
+          git fetch --depth=1 origin "${GITHUB_SHA}"
+          git checkout FETCH_HEAD
+
+      - name: Install and run golangci-lint
+        run: |
+          go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.8.0
+          golangci-lint run --timeout=5m ./...
+
+  build-and-release:
+    name: Build & Release
+    runs-on: ubuntu-latest
+    needs: [test, lint]
+    if: startsWith(github.ref, 'refs/tags/v')
+    container:
+      image: golang:1.24-bookworm
+    steps:
+      - name: Checkout code
+        env:
+          TOKEN: ${{ github.token }}
+        run: |
+          apt-get update && apt-get install -y -qq git ca-certificates curl jq
+          git config --global --add safe.directory "$GITHUB_WORKSPACE"
+          git init
+          git remote add origin "https://${TOKEN}@git.uuxo.net/${GITHUB_REPOSITORY}.git"
+          git fetch --depth=1 origin "${GITHUB_SHA}"
+          git checkout FETCH_HEAD
+
+      - name: Build all platforms
+        run: |
+          mkdir -p release
+          
+          # Install cross-compilation tools for CGO
+          apt-get update && apt-get install -y -qq gcc-aarch64-linux-gnu
+          
+          # Linux amd64 (with CGO for SQLite)
+          echo "Building linux/amd64 (CGO enabled)..."
+          CGO_ENABLED=1 GOOS=linux GOARCH=amd64 go build -ldflags="-s -w" -o release/dbbackup-linux-amd64 .
+          
+          # Linux arm64 (with CGO for SQLite)
+          echo "Building linux/arm64 (CGO enabled)..."
+          CC=aarch64-linux-gnu-gcc CGO_ENABLED=1 GOOS=linux GOARCH=arm64 go build -ldflags="-s -w" -o release/dbbackup-linux-arm64 .
+          
+          # Darwin amd64 (no CGO - cross-compile limitation)
+          echo "Building darwin/amd64 (CGO disabled)..."
+          CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 go build -ldflags="-s -w" -o release/dbbackup-darwin-amd64 .
+          
+          # Darwin arm64 (no CGO - cross-compile limitation)
+          echo "Building darwin/arm64 (CGO disabled)..."
+          CGO_ENABLED=0 GOOS=darwin GOARCH=arm64 go build -ldflags="-s -w" -o release/dbbackup-darwin-arm64 .
+          
+          # FreeBSD amd64 (no CGO - cross-compile limitation)
+          echo "Building freebsd/amd64 (CGO disabled)..."
+          CGO_ENABLED=0 GOOS=freebsd GOARCH=amd64 go build -ldflags="-s -w" -o release/dbbackup-freebsd-amd64 .
+          
+          echo "All builds complete:"
+          ls -lh release/
+
+      - name: Create Gitea Release
+        env:
+          GITEA_TOKEN: ${{ github.token }}
+        run: |
+          TAG=${GITHUB_REF#refs/tags/}
+          
+          echo "Creating Gitea release for ${TAG}..."
+          echo "Debug: GITHUB_REPOSITORY=${GITHUB_REPOSITORY}"
+          echo "Debug: TAG=${TAG}"
+          
+          # Simple body without special characters
+          BODY="Download binaries for your platform"
+          
+          # Create release via API with simple inline JSON
+          RESPONSE=$(curl -s -w "\n%{http_code}" -X POST \
+            -H "Authorization: token ${GITEA_TOKEN}" \
+            -H "Content-Type: application/json" \
+            -d '{"tag_name":"'"${TAG}"'","name":"'"${TAG}"'","body":"'"${BODY}"'","draft":false,"prerelease":false}' \
+            "https://git.uuxo.net/api/v1/repos/${GITHUB_REPOSITORY}/releases")
+          
+          HTTP_CODE=$(echo "$RESPONSE" | tail -1)
+          BODY_RESPONSE=$(echo "$RESPONSE" | sed '$d')
+          
+          echo "HTTP Code: $HTTP_CODE"
+          echo "Response: $BODY_RESPONSE"
+          
+          RELEASE_ID=$(echo "$BODY_RESPONSE" | jq -r '.id')
+          
+          if [ "$RELEASE_ID" = "null" ] || [ -z "$RELEASE_ID" ]; then
+            echo "Failed to create release"
+            exit 1
+          fi
+          
+          echo "Created release ID: $RELEASE_ID"
+          
+          # Upload each binary
+          echo "Files to upload:"
+          ls -la release/
+          
+          for file in release/dbbackup-*; do
+            FILENAME=$(basename "$file")
+            echo "Uploading $FILENAME..."
+            UPLOAD_RESPONSE=$(curl -s -X POST \
+              -H "Authorization: token ${GITEA_TOKEN}" \
+              -F "attachment=@${file}" \
+              "https://git.uuxo.net/api/v1/repos/${GITHUB_REPOSITORY}/releases/${RELEASE_ID}/assets?name=${FILENAME}")
+            echo "Upload response: $UPLOAD_RESPONSE"
+          done
+          
+          echo "Gitea release complete!"
+          echo "GitHub mirror complete!"
--- a/.gitignore
+++ b/.gitignore
@@ -8,3 +8,33 @@ logs/
 *.out
 *.trace
 *.err
+
+# Ignore built binaries (built fresh via build_all.sh on release)
+/dbbackup
+/dbbackup_*
+!dbbackup.png
+bin/dbbackup_*
+bin/*.exe
+
+# Ignore development artifacts
+*.swp
+*.swo
+*~
+.DS_Store
+
+# Ignore IDE files
+.vscode/
+.idea/
+*.iml
+
+# Ignore test coverage
+*.cover
+coverage.html
+
+# Ignore temporary files
+tmp/
+temp/
+CRITICAL_BUGS_FIXED.md
+LEGAL_DOCUMENTATION.md
+LEGAL_*.md
+legal/
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -0,0 +1,21 @@
+# golangci-lint configuration - relaxed for existing codebase
+version: "2"
+
+run:
+  timeout: 5m
+
+linters:
+  default: none
+  enable:
+    # Only essential linters that catch real bugs
+    - govet
+
+settings:
+  govet:
+    disable:
+      - fieldalignment
+      - copylocks
+
+issues:
+  max-issues-per-linter: 0
+  max-same-issues: 0
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -0,0 +1,160 @@
+# GoReleaser Configuration for dbbackup
+# https://goreleaser.com/customization/
+# Run: goreleaser release --clean
+
+version: 2
+
+project_name: dbbackup
+
+before:
+  hooks:
+    - go mod tidy
+    - go generate ./...
+
+builds:
+  - id: dbbackup
+    main: ./
+    binary: dbbackup
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+      - darwin
+      - windows
+    goarch:
+      - amd64
+      - arm64
+      - arm
+    goarm:
+      - "7"
+    ignore:
+      - goos: windows
+        goarch: arm
+      - goos: windows
+        goarch: arm64
+    ldflags:
+      - -s -w
+      - -X main.version={{.Version}}
+      - -X main.commit={{.Commit}}
+      - -X main.date={{.Date}}
+      - -X main.builtBy=goreleaser
+    flags:
+      - -trimpath
+    mod_timestamp: '{{ .CommitTimestamp }}'
+
+archives:
+  - id: default
+    format: tar.gz
+    name_template: >-
+      {{ .ProjectName }}_
+      {{- .Version }}_
+      {{- .Os }}_
+      {{- .Arch }}
+      {{- if .Arm }}v{{ .Arm }}{{ end }}
+    format_overrides:
+      - goos: windows
+        format: zip
+    files:
+      - README*
+      - LICENSE*
+      - CHANGELOG*
+      - docs/*
+
+checksum:
+  name_template: 'checksums.txt'
+  algorithm: sha256
+
+snapshot:
+  version_template: "{{ incpatch .Version }}-next"
+
+changelog:
+  sort: asc
+  use: github
+  filters:
+    exclude:
+      - '^docs:'
+      - '^test:'
+      - '^ci:'
+      - '^chore:'
+      - Merge pull request
+      - Merge branch
+  groups:
+    - title: '🚀 Features'
+      regexp: '^.*?feat(\([[:word:]]+\))??!?:.+$'
+      order: 0
+    - title: '🐛 Bug Fixes'
+      regexp: '^.*?fix(\([[:word:]]+\))??!?:.+$'
+      order: 1
+    - title: '📚 Documentation'
+      regexp: '^.*?docs(\([[:word:]]+\))??!?:.+$'
+      order: 2
+    - title: '🧪 Tests'
+      regexp: '^.*?test(\([[:word:]]+\))??!?:.+$'
+      order: 3
+    - title: '🔧 Maintenance'
+      order: 999
+
+sboms:
+  - artifacts: archive
+    documents:
+      - "{{ .ProjectName }}_{{ .Version }}_sbom.spdx.json"
+
+signs:
+  - cmd: cosign
+    env:
+      - COSIGN_EXPERIMENTAL=1
+    certificate: '${artifact}.pem'
+    args:
+      - sign-blob
+      - '--output-certificate=${certificate}'
+      - '--output-signature=${signature}'
+      - '${artifact}'
+      - '--yes'
+    artifacts: checksum
+    output: true
+
+# Gitea Release
+release:
+  gitea:
+    owner: "{{ .Env.GITHUB_REPOSITORY_OWNER }}"
+    name: dbbackup
+  # Use Gitea API URL
+  # This is auto-detected from GITEA_TOKEN environment
+  draft: false
+  prerelease: auto
+  mode: replace
+  header: |
+    ## dbbackup {{ .Tag }}
+    
+    Released on {{ .Date }}
+  footer: |
+    ---
+    
+    **Full Changelog**: {{ .PreviousTag }}...{{ .Tag }}
+    
+    ### Installation
+    
+    ```bash
+    # Linux (amd64)
+    curl -LO https://git.uuxo.net/{{ .Env.GITHUB_REPOSITORY_OWNER }}/dbbackup/releases/download/{{ .Tag }}/dbbackup_{{ .Version }}_linux_amd64.tar.gz
+    tar xzf dbbackup_{{ .Version }}_linux_amd64.tar.gz
+    chmod +x dbbackup
+    sudo mv dbbackup /usr/local/bin/
+    
+    # macOS (Apple Silicon)
+    curl -LO https://git.uuxo.net/{{ .Env.GITHUB_REPOSITORY_OWNER }}/dbbackup/releases/download/{{ .Tag }}/dbbackup_{{ .Version }}_darwin_arm64.tar.gz
+    tar xzf dbbackup_{{ .Version }}_darwin_arm64.tar.gz
+    chmod +x dbbackup
+    sudo mv dbbackup /usr/local/bin/
+    ```
+  extra_files:
+    - glob: ./sbom/*.json
+
+# Optional: Upload to Gitea Package Registry
+# gitea_urls:
+#   api: https://git.uuxo.net/api/v1
+#   upload: https://git.uuxo.net/api/packages/{{ .Env.GITHUB_REPOSITORY_OWNER }}/generic/{{ .ProjectName }}/{{ .Version }}
+
+# Announce release (optional)
+announce:
+  skip: true
--- a/AZURE.md
+++ b/AZURE.md
@@ -28,21 +28,16 @@ This guide covers using **Azure Blob Storage** with `dbbackup` for secure, scala

 ```bash
 # Backup PostgreSQL to Azure
-dbbackup backup postgres \
-  --host localhost \
-  --database mydb \
-  --output backup.sql \
-  --cloud "azure://mycontainer/backups/db.sql?account=myaccount&key=ACCOUNT_KEY"
+dbbackup backup single mydb \
+  --cloud "azure://mycontainer/backups/?account=myaccount&key=ACCOUNT_KEY"
 ```

 ### 3. Restore from Azure

 ```bash
-# Restore from Azure backup
-dbbackup restore postgres \
-  --source "azure://mycontainer/backups/db.sql?account=myaccount&key=ACCOUNT_KEY" \
-  --host localhost \
-  --database mydb_restored
+# Download backup from Azure and restore
+dbbackup cloud download "azure://mycontainer/backups/mydb.dump.gz?account=myaccount&key=ACCOUNT_KEY" ./mydb.dump.gz
+dbbackup restore single ./mydb.dump.gz --target mydb_restored --confirm
 ```

 ## URI Syntax
@@ -99,7 +94,7 @@ export AZURE_STORAGE_ACCOUNT="myaccount"
 export AZURE_STORAGE_KEY="YOUR_ACCOUNT_KEY"

 # Use simplified URI (credentials from environment)
-dbbackup backup postgres --cloud "azure://container/path/backup.sql"
+dbbackup backup single mydb --cloud "azure://container/path/"
 ```

 ### Method 3: Connection String
@@ -109,7 +104,7 @@ Use Azure connection string:
 ```bash
 export AZURE_STORAGE_CONNECTION_STRING="DefaultEndpointsProtocol=https;AccountName=myaccount;AccountKey=YOUR_KEY;EndpointSuffix=core.windows.net"

-dbbackup backup postgres --cloud "azure://container/path/backup.sql"
+dbbackup backup single mydb --cloud "azure://container/path/"
 ```

 ### Getting Your Account Key
@@ -196,11 +191,8 @@ Configure automatic tier transitions:

 ```bash
 # PostgreSQL backup with automatic Azure upload
-dbbackup backup postgres \
-  --host localhost \
-  --database production_db \
-  --output /backups/db.sql \
-  --cloud "azure://prod-backups/postgres/$(date +%Y%m%d_%H%M%S).sql?account=myaccount&key=KEY" \
+dbbackup backup single production_db \
+  --cloud "azure://prod-backups/postgres/?account=myaccount&key=KEY" \
  --compression 6
 ```

@@ -208,10 +200,7 @@ dbbackup backup postgres \

 ```bash
 # Backup entire PostgreSQL cluster to Azure
-dbbackup backup postgres \
-  --host localhost \
-  --all-databases \
-  --output-dir /backups \
+dbbackup backup cluster \
  --cloud "azure://prod-backups/postgres/cluster/?account=myaccount&key=KEY"
 ```

@@ -257,13 +246,9 @@ dbbackup cleanup "azure://prod-backups/postgres/?account=myaccount&key=KEY" --ke
 #!/bin/bash
 # Azure backup script (run via cron)

-DATE=$(date +%Y%m%d_%H%M%S)
-AZURE_URI="azure://prod-backups/postgres/${DATE}.sql?account=myaccount&key=${AZURE_STORAGE_KEY}"
+AZURE_URI="azure://prod-backups/postgres/?account=myaccount&key=${AZURE_STORAGE_KEY}"

-dbbackup backup postgres \
-  --host localhost \
-  --database production_db \
-  --output /tmp/backup.sql \
+dbbackup backup single production_db \
  --cloud "${AZURE_URI}" \
  --compression 9

@@ -289,35 +274,25 @@ For large files (>256MB), dbbackup automatically uses Azure Block Blob staging:

 ```bash
 # Large database backup (automatically uses block blob)
-dbbackup backup postgres \
-  --host localhost \
-  --database huge_db \
-  --output /backups/huge.sql \
-  --cloud "azure://backups/huge.sql?account=myaccount&key=KEY"
+dbbackup backup single huge_db \
+  --cloud "azure://backups/?account=myaccount&key=KEY"
 ```

 ### Progress Tracking

 ```bash
 # Backup with progress display
-dbbackup backup postgres \
-  --host localhost \
-  --database mydb \
-  --output backup.sql \
-  --cloud "azure://backups/backup.sql?account=myaccount&key=KEY" \
-  --progress
+dbbackup backup single mydb \
+  --cloud "azure://backups/?account=myaccount&key=KEY"
 ```

 ### Concurrent Operations

 ```bash
-# Backup multiple databases in parallel
-dbbackup backup postgres \
-  --host localhost \
-  --all-databases \
-  --output-dir /backups \
+# Backup cluster with parallel jobs
+dbbackup backup cluster \
  --cloud "azure://backups/cluster/?account=myaccount&key=KEY" \
-  --parallelism 4
+  --jobs 4
 ```

 ### Custom Metadata
@@ -365,11 +340,8 @@ Endpoint: http://localhost:10000/devstoreaccount1

 ```bash
 # Backup to Azurite
-dbbackup backup postgres \
-  --host localhost \
-  --database testdb \
-  --output test.sql \
-  --cloud "azure://test-backups/test.sql?endpoint=http://localhost:10000&account=devstoreaccount1&key=Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw=="
+dbbackup backup single testdb \
+  --cloud "azure://test-backups/?endpoint=http://localhost:10000&account=devstoreaccount1&key=Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw=="
 ```

 ### Run Integration Tests
@@ -492,8 +464,8 @@ Tests include:
 Enable debug mode:

 ```bash
-dbbackup backup postgres \
-  --cloud "azure://container/backup.sql?account=myaccount&key=KEY" \
+dbbackup backup single mydb \
+  --cloud "azure://container/?account=myaccount&key=KEY" \
  --debug
 ```

--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,752 @@ All notable changes to dbbackup will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

+## [3.42.34] - 2026-01-14 "Filesystem Abstraction"
+
+### Added - spf13/afero for Filesystem Abstraction
+- **New `internal/fs` package** for testable filesystem operations
+- **In-memory filesystem** for unit testing without disk I/O
+- **Global FS interface** that can be swapped for testing:
+  ```go
+  fs.SetFS(afero.NewMemMapFs())  // Use memory
+  fs.ResetFS()                    // Back to real disk
+  ```
+- **Wrapper functions** for all common file operations:
+  - `ReadFile`, `WriteFile`, `Create`, `Open`, `Remove`, `RemoveAll`
+  - `Mkdir`, `MkdirAll`, `ReadDir`, `Walk`, `Glob`
+  - `Exists`, `DirExists`, `IsDir`, `IsEmpty`
+  - `TempDir`, `TempFile`, `CopyFile`, `FileSize`
+- **Testing helpers**:
+  - `WithMemFs(fn)` - Execute function with temp in-memory FS
+  - `SetupTestDir(files)` - Create test directory structure
+- **Comprehensive test suite** demonstrating usage
+
+### Changed
+- Upgraded afero from v1.10.0 to v1.15.0
+
+## [3.42.33] - 2026-01-14 "Exponential Backoff Retry"
+
+### Added - cenkalti/backoff for Cloud Operation Retry
+- **Exponential backoff retry** for all cloud operations (S3, Azure, GCS)
+- **Retry configurations**:
+  - `DefaultRetryConfig()` - 5 retries, 500ms→30s backoff, 5 min max
+  - `AggressiveRetryConfig()` - 10 retries, 1s→60s backoff, 15 min max
+  - `QuickRetryConfig()` - 3 retries, 100ms→5s backoff, 30s max
+- **Smart error classification**:
+  - `IsPermanentError()` - Auth/bucket errors (no retry)
+  - `IsRetryableError()` - Timeout/network errors (retry)
+- **Retry logging** - Each retry attempt is logged with wait duration
+
+### Changed
+- S3 simple upload, multipart upload, download now retry on transient failures
+- Azure simple upload, download now retry on transient failures
+- GCS upload, download now retry on transient failures
+- Large file multipart uploads use `AggressiveRetryConfig()` (more retries)
+
+## [3.42.32] - 2026-01-14 "Cross-Platform Colors"
+
+### Added - fatih/color for Cross-Platform Terminal Colors
+- **Windows-compatible colors** - Native Windows console API support
+- **Color helper functions** in `logger` package:
+  - `Success()`, `Error()`, `Warning()`, `Info()` - Status messages with icons
+  - `Header()`, `Dim()`, `Bold()` - Text styling
+  - `Green()`, `Red()`, `Yellow()`, `Cyan()` - Colored text
+  - `StatusLine()`, `TableRow()` - Formatted output
+  - `DisableColors()`, `EnableColors()` - Runtime control
+- **Consistent color scheme** across all log levels
+
+### Changed
+- Logger `CleanFormatter` now uses fatih/color instead of raw ANSI codes
+- All progress indicators use fatih/color for `[OK]`/`[FAIL]` status
+- Automatic color detection (disabled for non-TTY)
+
+## [3.42.31] - 2026-01-14 "Visual Progress Bars"
+
+### Added - schollz/progressbar for Enhanced Progress Display
+- **Visual progress bars** for cloud uploads/downloads with:
+  - Byte transfer display (e.g., `245 MB / 1.2 GB`)
+  - Transfer speed (e.g., `45 MB/s`)
+  - ETA prediction
+  - Color-coded progress with Unicode blocks
+- **Checksum verification progress** - visual progress while calculating SHA-256
+- **Spinner for indeterminate operations** - Braille-style spinner when size unknown
+- New progress types: `NewSchollzBar()`, `NewSchollzBarItems()`, `NewSchollzSpinner()`
+- Progress bar `Writer()` method for io.Copy integration
+
+### Changed
+- Cloud download shows real-time byte progress instead of 10% log messages
+- Cloud upload shows visual progress bar instead of debug logs  
+- Checksum verification shows progress for large files
+
+## [3.42.30] - 2026-01-09 "Better Error Aggregation"
+
+### Added - go-multierror for Cluster Restore Errors
+- **Enhanced error reporting** - Now shows ALL database failures, not just a count
+- Uses `hashicorp/go-multierror` for proper error aggregation
+- Each failed database error is preserved with full context
+- Bullet-pointed error output for readability:
+  ```
+  cluster restore completed with 3 failures:
+  3 database(s) failed:
+    • db1: restore failed: max_locks_per_transaction exceeded
+    • db2: restore failed: connection refused
+    • db3: failed to create database: permission denied
+  ```
+
+### Changed
+- Replaced string slice error collection with proper `*multierror.Error`
+- Thread-safe error aggregation with dedicated mutex
+- Improved error wrapping with `%w` for error chain preservation
+
+## [3.42.10] - 2026-01-08 "Code Quality"
+
+### Fixed - Code Quality Issues
+- Removed deprecated `io/ioutil` usage (replaced with `os`)
+- Fixed `os.DirEntry.ModTime()` → `file.Info().ModTime()`
+- Removed unused fields and variables
+- Fixed ineffective assignments in TUI code
+- Fixed error strings (no capitalization, no trailing punctuation)
+
+## [3.42.9] - 2026-01-08 "Diagnose Timeout Fix"
+
+### Fixed - diagnose.go Timeout Bugs
+
+**More short timeouts that caused large archive failures:**
+
+- `diagnoseClusterArchive()`: tar listing 60s → **5 minutes**
+- `verifyWithPgRestore()`: pg_restore --list 60s → **5 minutes**
+- `DiagnoseClusterDumps()`: archive listing 120s → **10 minutes**
+
+**Impact:** These timeouts caused "context deadline exceeded" errors when
+diagnosing multi-GB backup archives, preventing TUI restore from even starting.
+
+## [3.42.8] - 2026-01-08 "TUI Timeout Fix"
+
+### Fixed - TUI Timeout Bugs Causing Backup/Restore Failures
+
+**ROOT CAUSE of 2-3 month TUI backup/restore failures identified and fixed:**
+
+#### Critical Timeout Fixes:
+- **restore_preview.go**: Safety check timeout increased from 60s → **10 minutes**
+  - Large archives (>1GB) take 2+ minutes to diagnose
+  - Users saw "context deadline exceeded" before backup even started
+- **dbselector.go**: Database listing timeout increased from 15s → **60 seconds**
+  - Busy PostgreSQL servers need more time to respond
+- **status.go**: Status check timeout increased from 10s → **30 seconds**
+  - SSL negotiation and slow networks caused failures
+
+#### Stability Improvements:
+- **Panic recovery** added to parallel goroutines in:
+  - `backup/engine.go:BackupCluster()` - cluster backup workers
+  - `restore/engine.go:RestoreCluster()` - cluster restore workers
+  - Prevents single database panic from crashing entire operation
+
+#### Bug Fix:
+- **restore/engine.go**: Fixed variable shadowing `err` → `cmdErr` for exit code detection
+
+## [3.42.7] - 2026-01-08 "Context Killer Complete"
+
+### Fixed - Additional Deadlock Bugs in Restore & Engine
+
+**All remaining cmd.Wait() deadlock bugs fixed across the codebase:**
+
+#### internal/restore/engine.go:
+- `executeRestoreWithDecompression()` - gunzip/pigz pipeline restore
+- `extractArchive()` - tar extraction for cluster restore
+- `restoreGlobals()` - pg_dumpall globals restore
+
+#### internal/backup/engine.go:
+- `createArchive()` - tar/pigz archive creation pipeline
+
+#### internal/engine/mysqldump.go:
+- `Backup()` - mysqldump backup operation
+- `BackupToWriter()` - streaming mysqldump to writer
+
+**All 6 functions now use proper channel-based context handling with Process.Kill().**
+
+## [3.42.6] - 2026-01-08 "Deadlock Killer"
+
+### Fixed - Backup Command Context Handling
+
+**Critical Bug: pg_dump/mysqldump could hang forever on context cancellation**
+
+The `executeCommand`, `executeCommandWithProgress`, `executeMySQLWithProgressAndCompression`, 
+and `executeMySQLWithCompression` functions had a race condition where:
+
+1. A goroutine was spawned to read stderr
+2. `cmd.Wait()` was called directly
+3. If context was cancelled, the process was NOT killed
+4. The goroutine could hang forever waiting for stderr
+
+**Fix**: All backup execution functions now use proper channel-based context handling:
+```go
+// Wait for command with context handling
+cmdDone := make(chan error, 1)
+go func() {
+    cmdDone <- cmd.Wait()
+}()
+
+select {
+case cmdErr = <-cmdDone:
+    // Command completed
+case <-ctx.Done():
+    // Context cancelled - kill process
+    cmd.Process.Kill()
+    <-cmdDone
+    cmdErr = ctx.Err()
+}
+```
+
+**Affected Functions:**
+- `executeCommand()` - pg_dump for cluster backup
+- `executeCommandWithProgress()` - pg_dump for single backup with progress
+- `executeMySQLWithProgressAndCompression()` - mysqldump pipeline
+- `executeMySQLWithCompression()` - mysqldump pipeline
+
+**This fixes:** Backup operations hanging indefinitely when cancelled or timing out.
+
+## [3.42.5] - 2026-01-08 "False Positive Fix"
+
+### Fixed - Encryption Detection Bug
+
+**IsBackupEncrypted False Positive:**
+- **BUG FIX**: `IsBackupEncrypted()` returned `true` for ALL files, blocking normal restores
+- Root cause: Fallback logic checked if first 12 bytes (nonce size) could be read - always true
+- Fix: Now properly detects known unencrypted formats by magic bytes:
+  - Gzip: `1f 8b`
+  - PostgreSQL custom: `PGDMP`
+  - Plain SQL: starts with `--`, `SET`, `CREATE`
+- Returns `false` if no metadata present and format is recognized as unencrypted
+- Affected file: `internal/backup/encryption.go`
+
+## [3.42.4] - 2026-01-08 "The Long Haul"
+
+### Fixed - Critical Restore Timeout Bug
+
+**Removed Arbitrary Timeouts from Backup/Restore Operations:**
+- **CRITICAL FIX**: Removed 4-hour timeout that was killing large database restores
+- PostgreSQL cluster restores of 69GB+ databases no longer fail with "context deadline exceeded"
+- All backup/restore operations now use `context.WithCancel` instead of `context.WithTimeout`
+- Operations run until completion or manual cancellation (Ctrl+C)
+
+**Affected Files:**
+- `internal/tui/restore_exec.go`: Changed from 4-hour timeout to context.WithCancel
+- `internal/tui/backup_exec.go`: Changed from 4-hour timeout to context.WithCancel  
+- `internal/backup/engine.go`: Removed per-database timeout in cluster backup
+- `cmd/restore.go`: CLI restore commands use context.WithCancel
+
+**exec.Command Context Audit:**
+- Fixed `exec.Command` without Context in `internal/restore/engine.go:730`
+- Added proper context handling to all external command calls
+- Added timeouts only for quick diagnostic/version checks (not restore path):
+  - `restore/version_check.go`: 30s timeout for pg_restore --version check only
+  - `restore/error_report.go`: 10s timeout for tool version detection
+  - `restore/diagnose.go`: 60s timeout for diagnostic functions
+  - `pitr/binlog.go`: 10s timeout for mysqlbinlog --version check
+  - `cleanup/processes.go`: 5s timeout for process listing
+  - `auth/helper.go`: 30s timeout for auth helper commands
+
+**Verification:**
+- 54 total `exec.CommandContext` calls verified in backup/restore/pitr path
+- 0 `exec.Command` without Context in critical restore path
+- All 14 PostgreSQL exec calls use CommandContext (pg_dump, pg_restore, psql)
+- All 15 MySQL/MariaDB exec calls use CommandContext (mysqldump, mysql, mysqlbinlog)
+- All 14 test packages pass
+
+### Technical Details
+- Large Object (BLOB/BYTEA) restores are particularly affected by timeouts
+- 69GB database with large objects can take 5+ hours to restore
+- Previous 4-hour hard timeout was causing consistent failures
+- Now: No timeout - runs until complete or user cancels
+
+## [3.42.1] - 2026-01-07 "Resistance is Futile"
+
+### Added - Content-Defined Chunking Deduplication
+
+**Deduplication Engine:**
+- New `dbbackup dedup` command family for space-efficient backups
+- Gear hash content-defined chunking (CDC) with 92%+ overlap on shifted data
+- SHA-256 content-addressed storage - chunks stored by hash
+- AES-256-GCM per-chunk encryption (optional, via `--encrypt`)
+- Gzip compression enabled by default
+- SQLite index for fast chunk lookups
+- JSON manifests track chunks per backup with full verification
+
+**Dedup Commands:**
+```bash
+dbbackup dedup backup <file>              # Create deduplicated backup
+dbbackup dedup backup <file> --encrypt    # With encryption
+dbbackup dedup restore <id> <output>      # Restore from manifest
+dbbackup dedup list                       # List all backups
+dbbackup dedup stats                      # Show deduplication statistics
+dbbackup dedup delete <id>                # Delete a backup manifest
+dbbackup dedup gc                         # Garbage collect unreferenced chunks
+```
+
+**Storage Structure:**
+```
+<backup-dir>/dedup/
+  chunks/           # Content-addressed chunk files (sharded by hash prefix)
+  manifests/        # JSON manifest per backup
+  chunks.db         # SQLite index for fast lookups
+```
+
+**Test Results:**
+- First 5MB backup: 448 chunks, 5MB stored
+- Modified 5MB file: 448 chunks, only 1 NEW chunk (1.6KB), 100% dedup ratio
+- Restore with SHA-256 verification
+
+### Added - Documentation Updates
+- Prometheus alerting rules added to SYSTEMD.md
+- Catalog sync instructions for existing backups
+
+## [3.41.1] - 2026-01-07
+
+### Fixed
+- Enabled CGO for Linux builds (required for SQLite catalog)
+
+## [3.41.0] - 2026-01-07 "The Operator"
+
+### Added - Systemd Integration & Prometheus Metrics
+
+**Embedded Systemd Installer:**
+- New `dbbackup install` command installs as systemd service/timer
+- Supports single-database (`--backup-type single`) and cluster (`--backup-type cluster`) modes
+- Automatic `dbbackup` user/group creation with proper permissions
+- Hardened service units with security features (NoNewPrivileges, ProtectSystem, CapabilityBoundingSet)
+- Templated timer units with configurable schedules (daily, weekly, or custom OnCalendar)
+- Built-in dry-run mode (`--dry-run`) to preview installation
+- `dbbackup install --status` shows current installation state
+- `dbbackup uninstall` cleanly removes all systemd units and optionally configuration
+
+**Prometheus Metrics Support:**
+- New `dbbackup metrics export` command writes textfile collector format
+- New `dbbackup metrics serve` command runs HTTP exporter on port 9399
+- Metrics: `dbbackup_last_success_timestamp`, `dbbackup_rpo_seconds`, `dbbackup_backup_total`, etc.
+- Integration with node_exporter textfile collector
+- Metrics automatically updated via ExecStopPost in service units
+- `--with-metrics` flag during install sets up exporter as systemd service
+
+**New Commands:**
+```bash
+# Install as systemd service
+sudo dbbackup install --backup-type cluster --schedule daily
+
+# Install with Prometheus metrics
+sudo dbbackup install --with-metrics --metrics-port 9399
+
+# Check installation status
+dbbackup install --status
+
+# Export metrics for node_exporter
+dbbackup metrics export --output /var/lib/dbbackup/metrics/dbbackup.prom
+
+# Run HTTP metrics server
+dbbackup metrics serve --port 9399
+```
+
+### Technical Details
+- Systemd templates embedded with `//go:embed` for self-contained binary
+- Templates use ReadWritePaths for security isolation
+- Service units include proper OOMScoreAdjust (-100) to protect backups
+- Metrics exporter caches with 30-second TTL for performance
+- Graceful shutdown on SIGTERM for metrics server
+
+---
+
+## [3.41.0] - 2026-01-07 "The Pre-Flight Check"
+
+### Added - 🛡️ Pre-Restore Validation
+
+**Automatic Dump Validation Before Restore:**
+- SQL dump files are now validated BEFORE attempting restore
+- Detects truncated COPY blocks that cause "syntax error" failures
+- Catches corrupted backups in seconds instead of wasting 49+ minutes
+- Cluster restore pre-validates ALL dumps upfront (fail-fast approach)
+- Custom format `.dump` files now validated with `pg_restore --list`
+
+**Improved Error Messages:**
+- Clear indication when dump file is truncated
+- Shows which table's COPY block was interrupted
+- Displays sample orphaned data for diagnosis
+- Provides actionable error messages with root cause
+
+### Fixed
+- **P0: SQL Injection** - Added identifier validation for database names in CREATE/DROP DATABASE to prevent SQL injection attacks; uses safe quoting and regex validation (alphanumeric + underscore only)
+- **P0: Data Race** - Fixed concurrent goroutines appending to shared error slice in notification manager; now uses mutex synchronization
+- **P0: psql ON_ERROR_STOP** - Added `-v ON_ERROR_STOP=1` to psql commands to fail fast on first error instead of accumulating millions of errors
+- **P1: Pipe deadlock** - Fixed streaming compression deadlock when pg_dump blocks on full pipe buffer; now uses goroutine with proper context timeout handling
+- **P1: SIGPIPE handling** - Detect exit code 141 (broken pipe) and report compressor failure as root cause
+- **P2: .dump validation** - Custom format dumps now validated with `pg_restore --list` before restore
+- **P2: fsync durability** - Added `outFile.Sync()` after streaming compression to prevent truncation on power loss
+- Truncated `.sql.gz` dumps no longer waste hours on doomed restores
+- "syntax error at or near" errors now caught before restore begins
+- Cluster restores abort immediately if any dump is corrupted
+
+### Technical Details
+- Integrated `Diagnoser` into restore pipeline for pre-validation
+- Added `quickValidateSQLDump()` for fast integrity checks
+- Pre-validation runs on all `.sql.gz` and `.dump` files in cluster archives
+- Streaming compression uses channel-based wait with context cancellation
+- Zero performance impact on valid backups (diagnosis is fast)
+
+---
+
+## [3.40.0] - 2026-01-05 "The Diagnostician"
+
+### Added - 🔍 Restore Diagnostics & Error Reporting
+
+**Backup Diagnosis Command:**
+- `restore diagnose <archive>` - Deep analysis of backup files before restore
+- Detects truncated dumps, corrupted archives, incomplete COPY blocks
+- PGDMP signature validation for PostgreSQL custom format
+- Gzip integrity verification with decompression test
+- `pg_restore --list` validation for custom format archives
+- `--deep` flag for exhaustive line-by-line analysis
+- `--json` flag for machine-readable output
+- Cluster archive diagnosis scans all contained dumps
+
+**Detailed Error Reporting:**
+- Comprehensive error collector captures stderr during restore
+- Ring buffer prevents OOM on high-error restores (2M+ errors)
+- Error classification with actionable hints and recommendations
+- `--save-debug-log <path>` saves JSON report on failure
+- Reports include: exit codes, last errors, line context, tool versions
+- Automatic recommendations based on error patterns
+
+**TUI Restore Enhancements:**
+- **Dump validity** safety check runs automatically before restore
+- Detects truncated/corrupted backups in restore preview
+- Press **`d`** to toggle debug log saving in Advanced Options
+- Debug logs saved to `/tmp/dbbackup-restore-debug-*.json` on failure
+- Press **`d`** in archive browser to run diagnosis on any backup
+
+**New Commands:**
+- `restore diagnose` - Analyze backup file integrity and structure
+
+**New Flags:**
+- `--save-debug-log <path>` - Save detailed JSON error report on failure
+- `--diagnose` - Run deep diagnosis before cluster restore
+- `--deep` - Enable exhaustive diagnosis (line-by-line analysis)
+- `--json` - Output diagnosis in JSON format
+- `--keep-temp` - Keep temporary files after diagnosis
+- `--verbose` - Show detailed diagnosis progress
+
+### Technical Details
+- 1,200+ lines of new diagnostic code
+- Error classification system with 15+ error patterns
+- Ring buffer stderr capture (1MB max, 10K lines)
+- Zero memory growth on high-error restores
+- Full TUI integration for diagnostics
+
+---
+
+## [3.2.0] - 2025-12-13 "The Margin Eraser"
+
+### Added - 🚀 Physical Backup Revolution
+
+**MySQL Clone Plugin Integration:**
+- Native physical backup using MySQL 8.0.17+ Clone Plugin
+- No XtraBackup dependency - pure Go implementation
+- Real-time progress monitoring via performance_schema
+- Support for both local and remote clone operations
+
+**Filesystem Snapshot Orchestration:**
+- LVM snapshot support with automatic cleanup
+- ZFS snapshot integration with send/receive
+- Btrfs subvolume snapshot support
+- Brief table lock (<100ms) for consistency
+- Automatic snapshot backend detection
+
+**Continuous Binlog Streaming:**
+- Real-time binlog capture using MySQL replication protocol
+- Multiple targets: file, compressed file, S3 direct streaming
+- Sub-second RPO without impacting database server
+- Automatic position tracking and checkpointing
+
+**Parallel Cloud Streaming:**
+- Direct database-to-S3 streaming (zero local storage)
+- Configurable worker pool for parallel uploads
+- S3 multipart upload with automatic retry
+- Support for S3, GCS, and Azure Blob Storage
+
+**Smart Engine Selection:**
+- Automatic engine selection based on environment
+- MySQL version detection and capability checking
+- Filesystem type detection for optimal snapshot backend
+- Database size-based recommendations
+
+**New Commands:**
+- `engine list` - List available backup engines
+- `engine info <name>` - Show detailed engine information
+- `backup --engine=<name>` - Use specific backup engine
+
+### Technical Details
+- 7,559 lines of new code
+- Zero new external dependencies
+- 10/10 platform builds successful
+- Full test coverage for new engines
+
+## [3.1.0] - 2025-11-26
+
+### Added - 🔄 Point-in-Time Recovery (PITR)
+
+**Complete PITR Implementation for PostgreSQL:**
+- **WAL Archiving**: Continuous archiving of Write-Ahead Log files with compression and encryption support
+- **Timeline Management**: Track and manage PostgreSQL timeline history with branching support
+- **Recovery Targets**: Restore to specific timestamp, transaction ID (XID), LSN, named restore point, or immediate
+- **PostgreSQL Version Support**: Both modern (12+) and legacy recovery configuration formats
+- **Recovery Actions**: Promote to primary, pause for inspection, or shutdown after recovery
+- **Comprehensive Testing**: 700+ lines of tests covering all PITR functionality with 100% pass rate
+
+**New Commands:**
+
+**PITR Management:**
+- `pitr enable` - Configure PostgreSQL for WAL archiving and PITR
+- `pitr disable` - Disable WAL archiving in PostgreSQL configuration
+- `pitr status` - Display current PITR configuration and archive statistics
+
+**WAL Archive Operations:**
+- `wal archive <wal-file> <filename>` - Archive WAL file (used by archive_command)
+- `wal list` - List all archived WAL files with details
+- `wal cleanup` - Remove old WAL files based on retention policy
+- `wal timeline` - Display timeline history and branching structure
+
+**Point-in-Time Restore:**
+- `restore pitr` - Perform point-in-time recovery with multiple target types:
+  - `--target-time "YYYY-MM-DD HH:MM:SS"` - Restore to specific timestamp
+  - `--target-xid <xid>` - Restore to transaction ID
+  - `--target-lsn <lsn>` - Restore to Log Sequence Number
+  - `--target-name <name>` - Restore to named restore point
+  - `--target-immediate` - Restore to earliest consistent point
+
+**Advanced PITR Features:**
+- **WAL Compression**: gzip compression (70-80% space savings)
+- **WAL Encryption**: AES-256-GCM encryption for archived WAL files
+- **Timeline Selection**: Recover along specific timeline or latest
+- **Recovery Actions**: Promote (default), pause, or shutdown after target reached
+- **Inclusive/Exclusive**: Control whether target transaction is included
+- **Auto-Start**: Automatically start PostgreSQL after recovery setup
+- **Recovery Monitoring**: Real-time monitoring of recovery progress
+
+**Configuration Options:**
+```bash
+# Enable PITR with compression and encryption
+./dbbackup pitr enable --archive-dir /backups/wal_archive \
+  --compress --encrypt --encryption-key-file /secure/key.bin
+
+# Perform PITR to specific time
+./dbbackup restore pitr \
+  --base-backup /backups/base.tar.gz \
+  --wal-archive /backups/wal_archive \
+  --target-time "2024-11-26 14:30:00" \
+  --target-dir /var/lib/postgresql/14/restored \
+  --auto-start --monitor
+```
+
+**Technical Details:**
+- WAL file parsing and validation (timeline, segment, extension detection)
+- Timeline history parsing (.history files) with consistency validation
+- Automatic PostgreSQL version detection (12+ vs legacy)
+- Recovery configuration generation (postgresql.auto.conf + recovery.signal)
+- Data directory validation (exists, writable, PostgreSQL not running)
+- Comprehensive error handling and validation
+
+**Documentation:**
+- Complete PITR section in README.md (200+ lines)
+- Dedicated PITR.md guide with detailed examples and troubleshooting
+- Test suite documentation (tests/pitr_complete_test.go)
+
+**Files Added:**
+- `internal/pitr/wal/` - WAL archiving and parsing
+- `internal/pitr/config/` - Recovery configuration generation
+- `internal/pitr/timeline/` - Timeline management
+- `cmd/pitr.go` - PITR command implementation
+- `cmd/wal.go` - WAL management commands
+- `cmd/restore_pitr.go` - PITR restore command
+- `tests/pitr_complete_test.go` - Comprehensive test suite (700+ lines)
+- `PITR.md` - Complete PITR guide
+
+**Performance:**
+- WAL archiving: ~100-200 MB/s (with compression)
+- WAL encryption: ~1-2 GB/s (streaming)
+- Recovery replay: 10-100 MB/s (disk I/O dependent)
+- Minimal overhead during normal operations
+
+**Use Cases:**
+- Disaster recovery from accidental data deletion
+- Rollback to pre-migration state
+- Compliance and audit requirements
+- Testing and what-if scenarios
+- Timeline branching for parallel recovery paths
+
+### Changed
+- **Licensing**: Added Apache License 2.0 to the project (LICENSE file)
+- **Version**: Updated to v3.1.0
+- Enhanced metadata format with PITR information
+- Improved progress reporting for long-running operations
+- Better error messages for PITR operations
+
+### Production
+- **Production Validated**: 2 production hosts
+- **Databases backed up**: 8 databases nightly
+- **Retention policy**: 30-day retention with minimum 5 backups
+- **Backup volume**: ~10MB/night
+- **Schedule**: 02:09 and 02:25 CET
+- **Impact**: Resolved 4-day backup failure immediately
+- **User feedback**: "cleanup command is SO gut" | "--dry-run: chef's kiss!" 💋
+
+### Documentation
+- Added comprehensive PITR.md guide (complete PITR documentation)
+- Updated README.md with PITR section (200+ lines)
+- Updated CHANGELOG.md with v3.1.0 details
+- Added NOTICE file for Apache License attribution
+- Created comprehensive test suite (tests/pitr_complete_test.go - 700+ lines)
+
+## [3.0.0] - 2025-11-26
+
+### Added - 🔐 AES-256-GCM Encryption (Phase 4)
+
+**Secure Backup Encryption:**
+- **Algorithm**: AES-256-GCM authenticated encryption (prevents tampering)
+- **Key Derivation**: PBKDF2-SHA256 with 600,000 iterations (OWASP 2024 recommended)
+- **Streaming Encryption**: Memory-efficient for large backups (O(buffer) not O(file))
+- **Key Sources**: File (raw/base64), environment variable, or passphrase
+- **Auto-Detection**: Restore automatically detects and decrypts encrypted backups
+- **Metadata Tracking**: Encrypted flag and algorithm stored in .meta.json
+
+**CLI Integration:**
+- `--encrypt` - Enable encryption for backup operations
+- `--encryption-key-file <path>` - Path to 32-byte encryption key (raw or base64 encoded)
+- `--encryption-key-env <var>` - Environment variable containing key (default: DBBACKUP_ENCRYPTION_KEY)
+- Automatic decryption on restore (no extra flags needed)
+
+**Security Features:**
+- Unique nonce per encryption (no key reuse vulnerabilities)
+- Cryptographically secure random generation (crypto/rand)
+- Key validation (32 bytes required)
+- Authenticated encryption prevents tampering attacks
+- 56-byte header: Magic(16) + Algorithm(16) + Nonce(12) + Salt(32)
+
+**Usage Examples:**
+```bash
+# Generate encryption key
+head -c 32 /dev/urandom | base64 > encryption.key
+
+# Encrypted backup
+./dbbackup backup single mydb --encrypt --encryption-key-file encryption.key
+
+# Restore (automatic decryption)
+./dbbackup restore single mydb_backup.sql.gz --encryption-key-file encryption.key --confirm
+```
+
+**Performance:**
+- Encryption speed: ~1-2 GB/s (streaming, no memory bottleneck)
+- Overhead: 56 bytes header + 16 bytes GCM tag per file
+- Key derivation: ~1.4s for 600k iterations (intentionally slow for security)
+
+**Files Added:**
+- `internal/crypto/interface.go` - Encryption interface and configuration
+- `internal/crypto/aes.go` - AES-256-GCM implementation (272 lines)
+- `internal/crypto/aes_test.go` - Comprehensive test suite (all tests passing)
+- `cmd/encryption.go` - CLI encryption helpers
+- `internal/backup/encryption.go` - Backup encryption operations
+- Total: ~1,200 lines across 13 files
+
+### Added - 📦 Incremental Backups (Phase 3B)
+
+**MySQL/MariaDB Incremental Backups:**
+- **Change Detection**: mtime-based file modification tracking
+- **Archive Format**: tar.gz containing only changed files since base backup
+- **Space Savings**: 70-95% smaller than full backups (typical)
+- **Backup Chain**: Tracks base → incremental relationships with metadata
+- **Checksum Verification**: SHA-256 integrity checking
+- **Auto-Detection**: CLI automatically uses correct engine for PostgreSQL vs MySQL
+
+**MySQL-Specific Exclusions:**
+- Relay logs (relay-log, relay-bin*)
+- Binary logs (mysql-bin*, binlog*)
+- InnoDB redo logs (ib_logfile*)
+- InnoDB undo logs (undo_*)
+- Performance schema (in-memory)
+- Temporary files (#sql*, *.tmp)
+- Lock files (*.lock, auto.cnf.lock)
+- PID files (*.pid, mysqld.pid)
+- Error logs (*.err, error.log)
+- Slow query logs (*slow*.log)
+- General logs (general.log, query.log)
+
+**CLI Integration:**
+- `--backup-type <full|incremental>` - Backup type (default: full)
+- `--base-backup <path>` - Path to base backup (required for incremental)
+- Auto-detects database type (PostgreSQL vs MySQL) and uses appropriate engine
+- Same interface for both database types
+
+**Usage Examples:**
+```bash
+# Full backup (base)
+./dbbackup backup single mydb --db-type mysql --backup-type full
+
+# Incremental backup
+./dbbackup backup single mydb \
+  --db-type mysql \
+  --backup-type incremental \
+  --base-backup /backups/mydb_20251126.tar.gz
+
+# Restore incremental
+./dbbackup restore incremental \
+  --base-backup mydb_base.tar.gz \
+  --incremental-backup mydb_incr_20251126.tar.gz \
+  --target /restore/path
+```
+
+**Implementation:**
+- Copy-paste-adapt from Phase 3A PostgreSQL (95% code reuse)
+- Interface-based design enables sharing tests between engines
+- `internal/backup/incremental_mysql.go` - MySQL incremental engine (530 lines)
+- All existing tests pass immediately (interface compatibility)
+- Development time: 30 minutes (vs 5-6h estimated) - **10x speedup!**
+
+**Combined Features:**
+```bash
+# Encrypted + Incremental backup
+./dbbackup backup single mydb \
+  --backup-type incremental \
+  --base-backup mydb_base.tar.gz \
+  --encrypt \
+  --encryption-key-file key.txt
+```
+
+### Changed
+- **Version**: Bumped to 3.0.0 (major feature release)
+- **Backup Engine**: Integrated encryption and incremental capabilities
+- **Restore Engine**: Added automatic decryption detection
+- **Metadata Format**: Extended with encryption and incremental fields
+
+### Testing
+- ✅ Encryption tests: 4 tests passing (TestAESEncryptionDecryption, TestKeyDerivation, TestKeyValidation, TestLargeData)
+- ✅ Incremental tests: 2 tests passing (TestIncrementalBackupRestore, TestIncrementalBackupErrors)
+- ✅ Roundtrip validation: Encrypt → Decrypt → Verify (data matches perfectly)
+- ✅ Build: All platforms compile successfully
+- ✅ Interface compatibility: PostgreSQL and MySQL engines share test suite
+
+### Documentation
+- Updated README.md with encryption and incremental sections
+- Added PHASE4_COMPLETION.md - Encryption implementation details
+- Added PHASE3B_COMPLETION.md - MySQL incremental implementation report
+- Usage examples for encryption, incremental, and combined workflows
+
+### Performance
+- **Phase 4**: Completed in ~1h (encryption library + CLI integration)
+- **Phase 3B**: Completed in 30 minutes (vs 5-6h estimated)
+- **Total**: 2 major features delivered in 1 day (planned: 6 hours, actual: ~2 hours)
+- **Quality**: Production-ready, all tests passing, no breaking changes
+
+### Commits
+- Phase 4: 3 commits (7d96ec7, f9140cf, dd614dd, 8bbca16)
+- Phase 3B: 2 commits (357084c, a0974ef)
+- Docs: 1 commit (3b9055b)
+
 ## [2.1.0] - 2025-11-26

 ### Added - Cloud Storage Integration
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -0,0 +1,295 @@
+# Contributing to dbbackup
+
+Thank you for your interest in contributing to dbbackup! This document provides guidelines and instructions for contributing.
+
+## Code of Conduct
+
+Be respectful, constructive, and professional in all interactions. We're building enterprise software together.
+
+## How to Contribute
+
+### Reporting Bugs
+
+**Before submitting a bug report:**
+- Check existing issues to avoid duplicates
+- Verify you're using the latest version
+- Collect relevant information (version, OS, database type, error messages)
+
+**Bug Report Template:**
+```
+**Version:** dbbackup v3.42.1
+**OS:** Linux/macOS/BSD
+**Database:** PostgreSQL 14 / MySQL 8.0 / MariaDB 10.6
+**Command:** The exact command that failed
+**Error:** Full error message and stack trace
+**Expected:** What you expected to happen
+**Actual:** What actually happened
+```
+
+### Feature Requests
+
+We welcome feature requests! Please include:
+- **Use Case:** Why is this feature needed?
+- **Description:** What should the feature do?
+- **Examples:** How would it be used?
+- **Alternatives:** What workarounds exist today?
+
+### Pull Requests
+
+**Before starting work:**
+1. Open an issue to discuss the change
+2. Wait for maintainer feedback
+3. Fork the repository
+4. Create a feature branch
+
+**PR Requirements:**
+- ✅ All tests pass (`go test -v ./...`)
+- ✅ New tests added for new features
+- ✅ Documentation updated (README.md, comments)
+- ✅ Code follows project style
+- ✅ Commit messages are clear and descriptive
+- ✅ No breaking changes without discussion
+
+## Development Setup
+
+### Prerequisites
+
+```bash
+# Required
+- Go 1.21 or later
+- PostgreSQL 9.5+ (for testing)
+- MySQL 5.7+ or MariaDB 10.3+ (for testing)
+- Docker (optional, for integration tests)
+
+# Install development dependencies
+go mod download
+```
+
+### Building
+
+```bash
+# Build binary
+go build -o dbbackup
+
+# Build all platforms
+./build_all.sh
+
+# Build Docker image
+docker build -t dbbackup:dev .
+```
+
+### Testing
+
+```bash
+# Run all tests
+go test -v ./...
+
+# Run specific test suite
+go test -v ./tests/pitr_complete_test.go
+
+# Run with coverage
+go test -cover ./...
+
+# Run integration tests (requires databases)
+./run_integration_tests.sh
+```
+
+### Code Style
+
+**Follow Go best practices:**
+- Use `gofmt` for formatting
+- Use `go vet` for static analysis
+- Follow [Effective Go](https://golang.org/doc/effective_go.html)
+- Write clear, self-documenting code
+- Add comments for complex logic
+
+**Project conventions:**
+- Package names: lowercase, single word
+- Function names: CamelCase, descriptive
+- Variables: camelCase, meaningful names
+- Constants: UPPER_SNAKE_CASE
+- Errors: Wrap with context using `fmt.Errorf`
+
+**Example:**
+```go
+// Good
+func BackupDatabase(ctx context.Context, config *Config) error {
+    if err := validateConfig(config); err != nil {
+        return fmt.Errorf("invalid config: %w", err)
+    }
+    // ...
+}
+
+// Avoid
+func backup(c *Config) error {
+    // No context, unclear name, no error wrapping
+}
+```
+
+## Project Structure
+
+```
+dbbackup/
+├── cmd/                 # CLI commands (Cobra)
+├── internal/            # Internal packages
+│   ├── backup/         # Backup engine
+│   ├── restore/        # Restore engine
+│   ├── pitr/           # Point-in-Time Recovery
+│   ├── cloud/          # Cloud storage backends
+│   ├── crypto/         # Encryption
+│   └── config/         # Configuration
+├── tests/              # Test suites
+├── bin/                # Compiled binaries
+├── main.go             # Entry point
+└── README.md           # Documentation
+```
+
+## Testing Guidelines
+
+**Unit Tests:**
+- Test public APIs
+- Mock external dependencies
+- Use table-driven tests
+- Test error cases
+
+**Integration Tests:**
+- Test real database operations
+- Use Docker containers for isolation
+- Clean up resources after tests
+- Test all supported database versions
+
+**Example Test:**
+```go
+func TestBackupRestore(t *testing.T) {
+    tests := []struct {
+        name     string
+        dbType   string
+        size     int64
+        expected error
+    }{
+        {"PostgreSQL small", "postgres", 1024, nil},
+        {"MySQL large", "mysql", 1024*1024, nil},
+    }
+    
+    for _, tt := range tests {
+        t.Run(tt.name, func(t *testing.T) {
+            // Test implementation
+        })
+    }
+}
+```
+
+## Documentation
+
+**Update documentation when:**
+- Adding new features
+- Changing CLI flags
+- Modifying configuration options
+- Updating dependencies
+
+**Documentation locations:**
+- `README.md` - Main documentation
+- `PITR.md` - PITR guide
+- `DOCKER.md` - Docker usage
+- Code comments - Complex logic
+- `CHANGELOG.md` - Version history
+
+## Commit Guidelines
+
+**Commit Message Format:**
+```
+<type>: <subject>
+
+<body>
+
+<footer>
+```
+
+**Types:**
+- `feat:` New feature
+- `fix:` Bug fix
+- `docs:` Documentation only
+- `style:` Code style changes (formatting)
+- `refactor:` Code refactoring
+- `test:` Adding or updating tests
+- `chore:` Maintenance tasks
+
+**Examples:**
+```
+feat: Add Azure Blob Storage backend
+
+Implements Azure Blob Storage backend for cloud backups.
+Includes streaming upload/download and metadata preservation.
+
+Closes #42
+
+---
+
+fix: Handle MySQL connection timeout gracefully
+
+Adds retry logic for transient connection failures.
+Improves error messages for timeout scenarios.
+
+Fixes #56
+```
+
+## Pull Request Process
+
+1. **Create Feature Branch**
+   ```bash
+   git checkout -b feature/my-feature
+   ```
+
+2. **Make Changes**
+   - Write code
+   - Add tests
+   - Update documentation
+
+3. **Commit Changes**
+   ```bash
+   git add -A
+   git commit -m "feat: Add my feature"
+   ```
+
+4. **Push to Fork**
+   ```bash
+   git push origin feature/my-feature
+   ```
+
+5. **Open Pull Request**
+   - Clear title and description
+   - Reference related issues
+   - Wait for review
+
+6. **Address Feedback**
+   - Make requested changes
+   - Push updates to same branch
+   - Respond to comments
+
+7. **Merge**
+   - Maintainer will merge when approved
+   - Squash commits if requested
+
+## Release Process (Maintainers)
+
+1. Update version in `main.go`
+2. Update `CHANGELOG.md`
+3. Commit: `git commit -m "Release vX.Y.Z"`
+4. Tag: `git tag -a vX.Y.Z -m "Release vX.Y.Z"`
+5. Push: `git push origin main vX.Y.Z`
+6. Build binaries: `./build_all.sh`
+7. Create GitHub Release with binaries
+
+## Questions?
+
+- **Issues:** https://git.uuxo.net/PlusOne/dbbackup/issues
+- **Discussions:** Use issue tracker for now
+- **Email:** See SECURITY.md for contact
+
+## License
+
+By contributing, you agree that your contributions will be licensed under the Apache License 2.0.
+
+---
+
+**Thank you for contributing to dbbackup!** 🎉
--- a/26
+++ b/26
@@ -1,5 +1,9 @@
 # Multi-stage build for minimal image size
-FROM golang:1.24-alpine AS builder
+FROM --platform=$BUILDPLATFORM golang:1.24-alpine AS builder
+
+# Build arguments for cross-compilation
+ARG TARGETOS
+ARG TARGETARCH

 # Install build dependencies
 RUN apk add --no-cache git make
@@ -13,21 +17,21 @@ RUN go mod download
 # Copy source code
 COPY . .

-# Build binary
-RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -ldflags="-w -s" -o dbbackup .
+# Build binary with cross-compilation support
+RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} \
+    go build -a -installsuffix cgo -ldflags="-w -s" -o dbbackup .

 # Final stage - minimal runtime image
+# Using pinned version 3.19 which has better QEMU compatibility
 FROM alpine:3.19

 # Install database client tools
-RUN apk add --no-cache \
-    postgresql-client \
-    mysql-client \
-    mariadb-client \
-    pigz \
-    pv \
-    ca-certificates \
-    tzdata
+# Split into separate commands for better QEMU compatibility
+RUN apk add --no-cache postgresql-client
+RUN apk add --no-cache mysql-client
+RUN apk add --no-cache mariadb-client
+RUN apk add --no-cache pigz pv
+RUN apk add --no-cache ca-certificates tzdata

 # Create non-root user
 RUN addgroup -g 1000 dbbackup && \
--- a/ENGINES.md
+++ b/ENGINES.md
@@ -0,0 +1,377 @@
+# Go-Native Physical Backup Engines
+
+This document describes the Go-native physical backup strategies for MySQL/MariaDB that match or exceed XtraBackup capabilities without external dependencies.
+
+## Overview
+
+DBBackup now includes a modular backup engine system with multiple strategies:
+
+| Engine | Use Case | MySQL Version | Performance |
+|--------|----------|---------------|-------------|
+| `mysqldump` | Small databases, cross-version | All | Moderate |
+| `clone` | Physical backup | 8.0.17+ | Fast |
+| `snapshot` | Instant backup | Any (with LVM/ZFS/Btrfs) | Instant |
+| `streaming` | Direct cloud upload | All | High throughput |
+
+## Quick Start
+
+```bash
+# List available engines
+dbbackup engine list
+
+# Auto-select best engine for your environment
+dbbackup engine select
+
+# Perform physical backup with auto-selection
+dbbackup physical-backup --output /backups/db.tar.gz
+
+# Stream directly to S3 (no local storage needed)
+dbbackup stream-backup --target s3://bucket/backups/db.tar.gz --workers 8
+```
+
+## Engine Descriptions
+
+### MySQLDump Engine
+
+Traditional logical backup using mysqldump. Works with all MySQL/MariaDB versions.
+
+```bash
+dbbackup physical-backup --engine mysqldump --output backup.sql.gz
+```
+
+Features:
+- Cross-version compatibility
+- Human-readable output
+- Schema + data in single file
+- Compression support
+
+### Clone Engine (MySQL 8.0.17+)
+
+Uses the native MySQL Clone Plugin for physical backup without locking.
+
+```bash
+# Local clone
+dbbackup physical-backup --engine clone --output /backups/clone.tar.gz
+
+# Remote clone (disaster recovery)
+dbbackup physical-backup --engine clone \
+  --clone-remote \
+  --clone-donor-host source-db.example.com \
+  --clone-donor-port 3306
+```
+
+Prerequisites:
+- MySQL 8.0.17 or later
+- Clone plugin installed (`INSTALL PLUGIN clone SONAME 'mysql_clone.so';`)
+- For remote clone: `BACKUP_ADMIN` privilege
+
+Features:
+- Non-blocking operation
+- Progress monitoring via performance_schema
+- Automatic consistency
+- Faster than mysqldump for large databases
+
+### Snapshot Engine
+
+Leverages filesystem-level snapshots for near-instant backups.
+
+```bash
+# Auto-detect filesystem
+dbbackup physical-backup --engine snapshot --output /backups/snap.tar.gz
+
+# Specify backend
+dbbackup physical-backup --engine snapshot \
+  --snapshot-backend zfs \
+  --output /backups/snap.tar.gz
+```
+
+Supported filesystems:
+- **LVM**: Linux Logical Volume Manager
+- **ZFS**: ZFS on Linux/FreeBSD
+- **Btrfs**: B-tree filesystem
+
+Features:
+- Sub-second snapshot creation
+- Minimal lock time (milliseconds)
+- Copy-on-write efficiency
+- Streaming to tar.gz
+
+### Streaming Engine
+
+Streams backup directly to cloud storage without intermediate local storage.
+
+```bash
+# Stream to S3
+dbbackup stream-backup \
+  --target s3://bucket/path/backup.tar.gz \
+  --workers 8 \
+  --part-size 20971520
+
+# Stream to S3 with encryption
+dbbackup stream-backup \
+  --target s3://bucket/path/backup.tar.gz \
+  --encryption AES256
+```
+
+Features:
+- No local disk space required
+- Parallel multipart uploads
+- Automatic retry with exponential backoff
+- Progress monitoring
+- Checksum validation
+
+## Binlog Streaming
+
+Continuous binlog streaming for point-in-time recovery with near-zero RPO.
+
+```bash
+# Stream to local files
+dbbackup binlog-stream --output /backups/binlog/
+
+# Stream to S3
+dbbackup binlog-stream --target s3://bucket/binlog/
+
+# With GTID support
+dbbackup binlog-stream --gtid --output /backups/binlog/
+```
+
+Features:
+- Real-time replication protocol
+- GTID support
+- Automatic checkpointing
+- Multiple targets (file, S3)
+- Event filtering by database/table
+
+## Engine Auto-Selection
+
+The selector analyzes your environment and chooses the optimal engine:
+
+```bash
+dbbackup engine select
+```
+
+Output example:
+```
+Database Information:
+--------------------------------------------------
+Version:        8.0.35
+Flavor:         MySQL
+Data Size:      250.00 GB
+Clone Plugin:   true
+Binlog:         true
+GTID:           true
+Filesystem:     zfs
+Snapshot:       true
+
+Recommendation:
+--------------------------------------------------
+Engine:  clone
+Reason:  MySQL 8.0.17+ with clone plugin active, optimal for 250GB database
+```
+
+Selection criteria:
+1. Database size (prefer physical for > 10GB)
+2. MySQL version and edition
+3. Clone plugin availability
+4. Filesystem snapshot capability
+5. Cloud destination requirements
+
+## Configuration
+
+### YAML Configuration
+
+```yaml
+# config.yaml
+backup:
+  engine: auto  # or: clone, snapshot, mysqldump
+  
+  clone:
+    data_dir: /var/lib/mysql
+    remote:
+      enabled: false
+      donor_host: ""
+      donor_port: 3306
+      donor_user: clone_user
+  
+  snapshot:
+    backend: auto  # or: lvm, zfs, btrfs
+    lvm:
+      volume_group: vg_mysql
+      snapshot_size: "10G"
+    zfs:
+      dataset: tank/mysql
+    btrfs:
+      subvolume: /data/mysql
+  
+  streaming:
+    part_size: 10485760  # 10MB
+    workers: 4
+    checksum: true
+  
+  binlog:
+    enabled: false
+    server_id: 99999
+    use_gtid: true
+    checkpoint_interval: 30s
+    targets:
+      - type: file
+        path: /backups/binlog/
+        compress: true
+        rotate_size: 1073741824  # 1GB
+      - type: s3
+        bucket: my-backups
+        prefix: binlog/
+        region: us-east-1
+```
+
+## Architecture
+
+```
+┌─────────────────────────────────────────────────────────────┐
+│                      BackupEngine Interface                   │
+├─────────────┬─────────────┬─────────────┬──────────────────┤
+│  MySQLDump  │    Clone    │  Snapshot   │    Streaming     │
+│   Engine    │   Engine    │   Engine    │     Engine       │
+├─────────────┴─────────────┴─────────────┴──────────────────┤
+│                       Engine Registry                        │
+├─────────────────────────────────────────────────────────────┤
+│                    Engine Selector                           │
+│  (analyzes DB version, size, filesystem, plugin status)     │
+├─────────────────────────────────────────────────────────────┤
+│                   Parallel Cloud Streamer                    │
+│  (multipart upload, worker pool, retry, checksum)           │
+├─────────────────────────────────────────────────────────────┤
+│                     Binlog Streamer                          │
+│  (replication protocol, GTID, checkpointing)                │
+└─────────────────────────────────────────────────────────────┘
+```
+
+## Performance Comparison
+
+Benchmark on 100GB database:
+
+| Engine | Backup Time | Lock Time | Disk Usage | Cloud Transfer |
+|--------|-------------|-----------|------------|----------------|
+| mysqldump | 45 min | Full duration | 100GB+ | Sequential |
+| clone | 8 min | ~0 | 100GB temp | After backup |
+| snapshot (ZFS) | 15 min | <100ms | Minimal (CoW) | After backup |
+| streaming | 12 min | Varies | 0 (direct) | Parallel |
+
+## API Usage
+
+### Programmatic Backup
+
+```go
+import (
+    "dbbackup/internal/engine"
+    "dbbackup/internal/logger"
+)
+
+func main() {
+    log := logger.NewLogger(os.Stdout, os.Stderr)
+    registry := engine.DefaultRegistry
+    
+    // Register engines
+    registry.Register(engine.NewCloneEngine(engine.CloneConfig{
+        DataDir: "/var/lib/mysql",
+    }, log))
+    
+    // Select best engine
+    selector := engine.NewSelector(registry, log, engine.SelectorConfig{
+        PreferPhysical: true,
+    })
+    
+    info, _ := selector.GatherInfo(ctx, db, "/var/lib/mysql")
+    bestEngine, reason := selector.SelectBest(ctx, info)
+    
+    // Perform backup
+    result, err := bestEngine.Backup(ctx, db, engine.BackupOptions{
+        OutputPath: "/backups/db.tar.gz",
+        Compress:   true,
+    })
+}
+```
+
+### Direct Cloud Streaming
+
+```go
+import "dbbackup/internal/engine/parallel"
+
+func streamBackup() {
+    cfg := parallel.Config{
+        Bucket:      "my-bucket",
+        Key:         "backups/db.tar.gz",
+        Region:      "us-east-1",
+        PartSize:    10 * 1024 * 1024,
+        WorkerCount: 8,
+    }
+    
+    streamer, _ := parallel.NewCloudStreamer(cfg)
+    streamer.Start(ctx)
+    
+    // Write data (implements io.Writer)
+    io.Copy(streamer, backupReader)
+    
+    location, _ := streamer.Complete(ctx)
+    fmt.Printf("Uploaded to: %s\n", location)
+}
+```
+
+## Troubleshooting
+
+### Clone Engine Issues
+
+**Clone plugin not found:**
+```sql
+INSTALL PLUGIN clone SONAME 'mysql_clone.so';
+SET GLOBAL clone_valid_donor_list = 'source-db:3306';
+```
+
+**Insufficient privileges:**
+```sql
+GRANT BACKUP_ADMIN ON *.* TO 'backup_user'@'%';
+```
+
+### Snapshot Engine Issues
+
+**LVM snapshot fails:**
+```bash
+# Check free space in volume group
+vgs
+
+# Extend if needed
+lvextend -L +10G /dev/vg_mysql/lv_data
+```
+
+**ZFS permission denied:**
+```bash
+# Grant ZFS permissions
+zfs allow -u mysql create,snapshot,mount,destroy tank/mysql
+```
+
+### Binlog Streaming Issues
+
+**Server ID conflict:**
+- Ensure unique `--server-id` across all replicas
+- Default is 99999, change if conflicts exist
+
+**GTID not enabled:**
+```sql
+SET GLOBAL gtid_mode = ON_PERMISSIVE;
+SET GLOBAL enforce_gtid_consistency = ON;
+SET GLOBAL gtid_mode = ON;
+```
+
+## Best Practices
+
+1. **Auto-selection**: Let the selector choose unless you have specific requirements
+2. **Parallel uploads**: Use `--workers 8` for cloud destinations
+3. **Checksums**: Keep enabled (default) for data integrity
+4. **Monitoring**: Check progress with `dbbackup status`
+5. **Testing**: Verify restores regularly with `dbbackup verify`
+
+## See Also
+
+- [PITR.md](PITR.md) - Point-in-Time Recovery guide
+- [CLOUD.md](CLOUD.md) - Cloud storage integration
+- [DOCKER.md](DOCKER.md) - Container deployment
--- a/GCS.md
+++ b/GCS.md
@@ -28,21 +28,16 @@ This guide covers using **Google Cloud Storage (GCS)** with `dbbackup` for secur

 ```bash
 # Backup PostgreSQL to GCS (using ADC)
-dbbackup backup postgres \
-  --host localhost \
-  --database mydb \
-  --output backup.sql \
-  --cloud "gs://mybucket/backups/db.sql"
+dbbackup backup single mydb \
+  --cloud "gs://mybucket/backups/"
 ```

 ### 3. Restore from GCS

 ```bash
-# Restore from GCS backup
-dbbackup restore postgres \
-  --source "gs://mybucket/backups/db.sql" \
-  --host localhost \
-  --database mydb_restored
+# Download backup from GCS and restore
+dbbackup cloud download "gs://mybucket/backups/mydb.dump.gz" ./mydb.dump.gz
+dbbackup restore single ./mydb.dump.gz --target mydb_restored --confirm
 ```

 ## URI Syntax
@@ -107,7 +102,7 @@ gcloud auth application-default login
 gcloud auth activate-service-account --key-file=/path/to/key.json

 # Use simplified URI (credentials from environment)
-dbbackup backup postgres --cloud "gs://mybucket/backups/backup.sql"
+dbbackup backup single mydb --cloud "gs://mybucket/backups/"
 ```

 ### Method 2: Service Account JSON
@@ -121,14 +116,14 @@ Download service account key from GCP Console:

 **Use in URI:**
 ```bash
-dbbackup backup postgres \
-  --cloud "gs://mybucket/backup.sql?credentials=/path/to/service-account.json"
+dbbackup backup single mydb \
+  --cloud "gs://mybucket/?credentials=/path/to/service-account.json"
 ```

 **Or via environment:**
 ```bash
 export GOOGLE_APPLICATION_CREDENTIALS="/path/to/service-account.json"
-dbbackup backup postgres --cloud "gs://mybucket/backup.sql"
+dbbackup backup single mydb --cloud "gs://mybucket/"
 ```

 ### Method 3: Workload Identity (GKE)
@@ -147,7 +142,7 @@ metadata:
 Then use ADC in your pod:

 ```bash
-dbbackup backup postgres --cloud "gs://mybucket/backup.sql"
+dbbackup backup single mydb --cloud "gs://mybucket/"
 ```

 ### Required IAM Permissions
@@ -250,11 +245,8 @@ gsutil mb -l eu gs://mybucket/

 ```bash
 # PostgreSQL backup with automatic GCS upload
-dbbackup backup postgres \
-  --host localhost \
-  --database production_db \
-  --output /backups/db.sql \
-  --cloud "gs://prod-backups/postgres/$(date +%Y%m%d_%H%M%S).sql" \
+dbbackup backup single production_db \
+  --cloud "gs://prod-backups/postgres/" \
  --compression 6
 ```

@@ -262,10 +254,7 @@ dbbackup backup postgres \

 ```bash
 # Backup entire PostgreSQL cluster to GCS
-dbbackup backup postgres \
-  --host localhost \
-  --all-databases \
-  --output-dir /backups \
+dbbackup backup cluster \
  --cloud "gs://prod-backups/postgres/cluster/"
 ```

@@ -314,13 +303,9 @@ dbbackup cleanup "gs://prod-backups/postgres/" --keep 7
 #!/bin/bash
 # GCS backup script (run via cron)

-DATE=$(date +%Y%m%d_%H%M%S)
-GCS_URI="gs://prod-backups/postgres/${DATE}.sql"
+GCS_URI="gs://prod-backups/postgres/"

-dbbackup backup postgres \
-  --host localhost \
-  --database production_db \
-  --output /tmp/backup.sql \
+dbbackup backup single production_db \
  --cloud "${GCS_URI}" \
  --compression 9

@@ -360,35 +345,25 @@ For large files, dbbackup automatically uses GCS chunked upload:

 ```bash
 # Large database backup (automatically uses chunked upload)
-dbbackup backup postgres \
-  --host localhost \
-  --database huge_db \
-  --output /backups/huge.sql \
-  --cloud "gs://backups/huge.sql"
+dbbackup backup single huge_db \
+  --cloud "gs://backups/"
 ```

 ### Progress Tracking

 ```bash
 # Backup with progress display
-dbbackup backup postgres \
-  --host localhost \
-  --database mydb \
-  --output backup.sql \
-  --cloud "gs://backups/backup.sql" \
-  --progress
+dbbackup backup single mydb \
+  --cloud "gs://backups/"
 ```

 ### Concurrent Operations

 ```bash
-# Backup multiple databases in parallel
-dbbackup backup postgres \
-  --host localhost \
-  --all-databases \
-  --output-dir /backups \
+# Backup cluster with parallel jobs
+dbbackup backup cluster \
  --cloud "gs://backups/cluster/" \
-  --parallelism 4
+  --jobs 4
 ```

 ### Custom Metadata
@@ -460,11 +435,8 @@ curl -X POST "http://localhost:4443/storage/v1/b?project=test-project" \

 ```bash
 # Backup to fake-gcs-server
-dbbackup backup postgres \
-  --host localhost \
-  --database testdb \
-  --output test.sql \
-  --cloud "gs://test-backups/test.sql?endpoint=http://localhost:4443/storage/v1"
+dbbackup backup single testdb \
+  --cloud "gs://test-backups/?endpoint=http://localhost:4443/storage/v1"
 ```

 ### Run Integration Tests
@@ -593,8 +565,8 @@ Tests include:
 Enable debug mode:

 ```bash
-dbbackup backup postgres \
-  --cloud "gs://bucket/backup.sql" \
+dbbackup backup single mydb \
+  --cloud "gs://bucket/" \
  --debug
 ```

--- a/199
+++ b/199
@@ -0,0 +1,199 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorizing use
+      under this License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (which includes the derivative works thereof).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based upon (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and derivative works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to use, reproduce, prepare Derivative Works of,
+      modify, publicly perform, publicly display, sub license, and distribute
+      the Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, trademark, patent,
+          attribution and other notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the derivative works; and
+
+      (d) If the Work includes a "NOTICE" file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the derivative works, provided that You
+          include in the NOTICE file (included in such Derivative Works) the
+          following attribution notices:
+
+          "This product includes software developed at
+          The Apache Software Foundation (http://www.apache.org/)."
+
+          The text of the attribution notices in the NOTICE file shall be
+          included verbatim. In addition, you must include this notice in
+          the NOTICE file wherever it appears.
+
+      The Apache Software Foundation and its logo, and the "Apache"
+      name, are trademarks of The Apache Software Foundation.  Except as
+      expressly stated in the written permission policy at
+      http://www.apache.org/foundation.html, you may not use the Apache
+      name or logos except to attribute the software to the Apache Software
+      Foundation.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any kind, arising out of the
+      use or inability to use the Work (including but not limited to loss
+      of use, data or profits; or business interruption), however caused
+      and on any theory of liability, whether in contract, strict liability,
+      or tort (including negligence or otherwise) arising in any way out of
+      the use of this software, even if advised of the possibility of such damage.
+
+   9. Accepting Support, Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "page" as the copyright notice for easier identification within
+      third-party archives.
+
+   Copyright 2025 dbbackup Project
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
--- a/MYSQL_PITR.md
+++ b/MYSQL_PITR.md
@@ -0,0 +1,403 @@
+# MySQL/MariaDB Point-in-Time Recovery (PITR)
+
+This guide explains how to use dbbackup for Point-in-Time Recovery with MySQL and MariaDB databases.
+
+## Overview
+
+Point-in-Time Recovery (PITR) allows you to restore your database to any specific moment in time, not just to when a backup was taken. This is essential for:
+
+- Recovering from accidental data deletion or corruption
+- Restoring to a state just before a problematic change
+- Meeting regulatory compliance requirements for data recovery
+
+### How MySQL PITR Works
+
+MySQL PITR uses binary logs (binlogs) which record all changes to the database:
+
+1. **Base Backup**: A full database backup with the binlog position recorded
+2. **Binary Log Archiving**: Continuous archiving of binlog files
+3. **Recovery**: Restore base backup, then replay binlogs up to the target time
+
+```
+┌─────────────┐     ┌──────────────┐     ┌──────────────┐     ┌──────────────┐
+│ Base Backup │ --> │ binlog.00001 │ --> │ binlog.00002 │ --> │ binlog.00003 │
+│ (pos: 1234) │     │              │     │              │     │  (current)   │
+└─────────────┘     └──────────────┘     └──────────────┘     └──────────────┘
+       │                   │                    │                    │
+       ▼                   ▼                    ▼                    ▼
+   10:00 AM            10:30 AM             11:00 AM            11:30 AM
+                                                 ↑
+                                          Target: 11:15 AM
+```
+
+## Prerequisites
+
+### MySQL Configuration
+
+Binary logging must be enabled in MySQL. Add to `my.cnf`:
+
+```ini
+[mysqld]
+# Enable binary logging
+log_bin = mysql-bin
+server_id = 1
+
+# Recommended: Use ROW format for PITR
+binlog_format = ROW
+
+# Optional but recommended: Enable GTID for easier replication and recovery
+gtid_mode = ON
+enforce_gtid_consistency = ON
+
+# Keep binlogs for at least 7 days (adjust as needed)
+expire_logs_days = 7
+# Or for MySQL 8.0+:
+# binlog_expire_logs_seconds = 604800
+```
+
+After changing configuration, restart MySQL:
+```bash
+sudo systemctl restart mysql
+```
+
+### MariaDB Configuration
+
+MariaDB configuration is similar:
+
+```ini
+[mysqld]
+log_bin = mariadb-bin
+server_id = 1
+binlog_format = ROW
+
+# MariaDB uses different GTID implementation (auto-enabled with log_slave_updates)
+log_slave_updates = ON
+```
+
+## Quick Start
+
+### 1. Check PITR Status
+
+```bash
+# Check if MySQL is properly configured for PITR
+dbbackup pitr mysql-status
+```
+
+Example output:
+```
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+  MySQL/MariaDB PITR Status (mysql)
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+PITR Status:     ❌ NOT CONFIGURED
+Binary Logging:  ✅ ENABLED
+Binlog Format:   ROW
+GTID Mode:       ON
+Current Position: mysql-bin.000042:1234
+
+PITR Requirements:
+  ✅ Binary logging enabled
+  ✅ Row-based logging (recommended)
+```
+
+### 2. Enable PITR
+
+```bash
+# Enable PITR and configure archive directory
+dbbackup pitr mysql-enable --archive-dir /backups/binlog_archive
+```
+
+### 3. Create a Base Backup
+
+```bash
+# Create a backup - binlog position is automatically recorded
+dbbackup backup single mydb
+```
+
+> **Note:** All backups automatically capture the current binlog position when PITR is enabled at the MySQL level. This position is stored in the backup metadata and used as the starting point for binlog replay during recovery.
+
+### 4. Start Binlog Archiving
+
+```bash
+# Run binlog archiver in the background
+dbbackup binlog watch --binlog-dir /var/lib/mysql --archive-dir /backups/binlog_archive --interval 30s
+```
+
+Or set up a cron job for periodic archiving:
+```bash
+# Archive new binlogs every 5 minutes
+*/5 * * * * dbbackup binlog archive --binlog-dir /var/lib/mysql --archive-dir /backups/binlog_archive
+```
+
+### 5. Restore to Point in Time
+
+```bash
+# Restore to a specific time
+dbbackup restore pitr mydb_backup.sql.gz --target-time '2024-01-15 14:30:00'
+```
+
+## Commands Reference
+
+### PITR Commands
+
+#### `pitr mysql-status`
+Show MySQL/MariaDB PITR configuration and status.
+
+```bash
+dbbackup pitr mysql-status
+```
+
+#### `pitr mysql-enable`
+Enable PITR for MySQL/MariaDB.
+
+```bash
+dbbackup pitr mysql-enable \
+  --archive-dir /backups/binlog_archive \
+  --retention-days 7 \
+  --require-row-format \
+  --require-gtid
+```
+
+Options:
+- `--archive-dir`: Directory to store archived binlogs (required)
+- `--retention-days`: Days to keep archived binlogs (default: 7)
+- `--require-row-format`: Require ROW binlog format (default: true)
+- `--require-gtid`: Require GTID mode enabled (default: false)
+
+### Binlog Commands
+
+#### `binlog list`
+List available binary log files.
+
+```bash
+# List binlogs from MySQL data directory
+dbbackup binlog list --binlog-dir /var/lib/mysql
+
+# List archived binlogs
+dbbackup binlog list --archive-dir /backups/binlog_archive
+```
+
+#### `binlog archive`
+Archive binary log files.
+
+```bash
+dbbackup binlog archive \
+  --binlog-dir /var/lib/mysql \
+  --archive-dir /backups/binlog_archive \
+  --compress
+```
+
+Options:
+- `--binlog-dir`: MySQL binary log directory
+- `--archive-dir`: Destination for archived binlogs (required)
+- `--compress`: Compress archived binlogs with gzip
+- `--encrypt`: Encrypt archived binlogs
+- `--encryption-key-file`: Path to encryption key file
+
+#### `binlog watch`
+Continuously monitor and archive new binlog files.
+
+```bash
+dbbackup binlog watch \
+  --binlog-dir /var/lib/mysql \
+  --archive-dir /backups/binlog_archive \
+  --interval 30s \
+  --compress
+```
+
+Options:
+- `--interval`: How often to check for new binlogs (default: 30s)
+
+#### `binlog validate`
+Validate binlog chain integrity.
+
+```bash
+dbbackup binlog validate --binlog-dir /var/lib/mysql
+```
+
+Output shows:
+- Whether the chain is complete (no missing files)
+- Any gaps in the sequence
+- Server ID changes (indicating possible failover)
+- Total size and file count
+
+#### `binlog position`
+Show current binary log position.
+
+```bash
+dbbackup binlog position
+```
+
+Output:
+```
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+  Current Binary Log Position
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+File:     mysql-bin.000042
+Position: 123456
+GTID Set: 3E11FA47-71CA-11E1-9E33-C80AA9429562:1-1000
+
+Position String: mysql-bin.000042:123456
+```
+
+## Restore Scenarios
+
+### Restore to Specific Time
+
+```bash
+# Restore to January 15, 2024 at 2:30 PM
+dbbackup restore pitr mydb_backup.sql.gz \
+  --target-time '2024-01-15 14:30:00'
+```
+
+### Restore to Specific Position
+
+```bash
+# Restore to a specific binlog position
+dbbackup restore pitr mydb_backup.sql.gz \
+  --target-position 'mysql-bin.000042:12345'
+```
+
+### Dry Run (Preview)
+
+```bash
+# See what SQL would be replayed without applying
+dbbackup restore pitr mydb_backup.sql.gz \
+  --target-time '2024-01-15 14:30:00' \
+  --dry-run
+```
+
+### Restore to Backup Point Only
+
+```bash
+# Restore just the base backup without replaying binlogs
+dbbackup restore pitr mydb_backup.sql.gz --immediate
+```
+
+## Best Practices
+
+### 1. Archiving Strategy
+
+- Archive binlogs frequently (every 5-30 minutes)
+- Use compression to save disk space
+- Store archives on separate storage from the database
+
+### 2. Retention Policy
+
+- Keep archives for at least as long as your oldest valid base backup
+- Consider regulatory requirements for data retention
+- Use the cleanup command to purge old archives:
+
+```bash
+dbbackup binlog cleanup --archive-dir /backups/binlog_archive --retention-days 30
+```
+
+### 3. Validation
+
+- Regularly validate your binlog chain:
+```bash
+dbbackup binlog validate --binlog-dir /var/lib/mysql
+```
+
+- Test restoration periodically on a test environment
+
+### 4. Monitoring
+
+- Monitor the `dbbackup binlog watch` process
+- Set up alerts for:
+  - Binlog archiver failures
+  - Gaps in binlog chain
+  - Low disk space on archive directory
+
+### 5. GTID Mode
+
+Enable GTID for:
+- Easier tracking of replication position
+- Automatic failover in replication setups
+- Simpler point-in-time recovery
+
+## Troubleshooting
+
+### Binary Logging Not Enabled
+
+**Error**: "Binary logging appears to be disabled"
+
+**Solution**: Add to my.cnf and restart MySQL:
+```ini
+[mysqld]
+log_bin = mysql-bin
+server_id = 1
+```
+
+### Missing Binlog Files
+
+**Error**: "Gaps detected in binlog chain"
+
+**Causes**:
+- `RESET MASTER` was executed
+- `expire_logs_days` is too short
+- Binlogs were manually deleted
+
+**Solution**:
+- Take a new base backup immediately
+- Adjust retention settings to prevent future gaps
+
+### Permission Denied
+
+**Error**: "Failed to read binlog directory"
+
+**Solution**:
+```bash
+# Add dbbackup user to mysql group
+sudo usermod -aG mysql dbbackup_user
+
+# Or set appropriate permissions
+sudo chmod g+r /var/lib/mysql/mysql-bin.*
+```
+
+### Wrong Binlog Format
+
+**Warning**: "binlog_format = STATEMENT (ROW recommended)"
+
+**Impact**: STATEMENT format may not capture all changes accurately
+
+**Solution**: Change to ROW format (requires restart):
+```ini
+[mysqld]
+binlog_format = ROW
+```
+
+### Server ID Changes
+
+**Warning**: "server_id changed from X to Y (possible master failover)"
+
+This warning indicates the binlog chain contains events from different servers, which may happen during:
+- Failover in a replication setup
+- Restoring from a different server's backup
+
+This is usually informational but review your topology if unexpected.
+
+## MariaDB-Specific Notes
+
+### GTID Format
+
+MariaDB uses a different GTID format than MySQL:
+- **MySQL**: `3E11FA47-71CA-11E1-9E33-C80AA9429562:1-5`
+- **MariaDB**: `0-1-100` (domain-server_id-sequence)
+
+### Tool Detection
+
+dbbackup automatically detects MariaDB and uses:
+- `mariadb-binlog` if available (MariaDB 10.4+)
+- Falls back to `mysqlbinlog` for older versions
+
+### Encrypted Binlogs
+
+MariaDB supports binlog encryption. If enabled, ensure the key is available during archive and restore operations.
+
+## See Also
+
+- [PITR.md](PITR.md) - PostgreSQL PITR documentation
+- [DOCKER.md](DOCKER.md) - Running in Docker environments
+- [CLOUD.md](CLOUD.md) - Cloud storage for archives
--- a/22
+++ b/22
@@ -0,0 +1,22 @@
+dbbackup - Multi-database backup tool with PITR support
+Copyright 2025 dbbackup Project
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+---
+
+This software includes contributions from multiple collaborators
+and was developed using advanced human-AI collaboration patterns.
+
+Third-party dependencies and their licenses can be found in go.mod
+and are subject to their respective license terms.
--- a/OPENSOURCE_ALTERNATIVE.md
+++ b/OPENSOURCE_ALTERNATIVE.md
@@ -0,0 +1,206 @@
+# dbbackup: The Real Open Source Alternative
+
+## Killing Two Borgs with One Binary
+
+You have two choices for database backups today:
+
+1. **Pay $2,000-10,000/year per server** for Veeam, Commvault, or Veritas
+2. **Wrestle with Borg/restic** - powerful, but never designed for databases
+
+**dbbackup** eliminates both problems with a single, zero-dependency binary.
+
+## The Problem with Commercial Backup
+
+| What You Pay For | What You Actually Get |
+|------------------|----------------------|
+| $10,000/year | Heavy agents eating CPU |
+| Complex licensing | Vendor lock-in to proprietary formats |
+| "Enterprise support" | Recovery that requires calling support |
+| "Cloud integration" | Upload to S3... eventually |
+
+## The Problem with Borg/Restic
+
+Great tools. Wrong use case.
+
+| Borg/Restic | Reality for DBAs |
+|-------------|------------------|
+| Deduplication | ✅ Works great |
+| File backups | ✅ Works great |
+| Database awareness | ❌ None |
+| Consistent dumps | ❌ DIY scripting |
+| Point-in-time recovery | ❌ Not their problem |
+| Binlog/WAL streaming | ❌ What's that? |
+
+You end up writing wrapper scripts. Then more scripts. Then a monitoring layer. Then you've built half a product anyway.
+
+## What Open Source Really Means
+
+**dbbackup** delivers everything - in one binary:
+
+| Feature | Veeam | Borg/Restic | dbbackup |
+|---------|-------|-------------|----------|
+| Deduplication | ❌ | ✅ | ✅ Native CDC |
+| Database-aware | ✅ | ❌ | ✅ MySQL + PostgreSQL |
+| Consistent snapshots | ✅ | ❌ | ✅ LVM/ZFS/Btrfs |
+| PITR (Point-in-Time) | ❌ | ❌ | ✅ Sub-second RPO |
+| Binlog/WAL streaming | ❌ | ❌ | ✅ Continuous |
+| Direct cloud streaming | ❌ | ✅ | ✅ S3/GCS/Azure |
+| Zero dependencies | ❌ | ❌ | ✅ Single binary |
+| License cost | $$$$ | Free | **Free (Apache 2.0)** |
+
+## Deduplication: We Killed the Borg
+
+Content-defined chunking, just like Borg - but built for database dumps:
+
+```bash
+# First backup: 5MB stored
+dbbackup dedup backup mydb.dump
+
+# Second backup (modified): only 1.6KB new data!
+# 100% deduplication ratio
+dbbackup dedup backup mydb_modified.dump
+```
+
+### How It Works
+- **Gear Hash CDC** - Content-defined chunking with 92%+ overlap detection
+- **SHA-256 Content-Addressed** - Chunks stored by hash, automatic dedup
+- **AES-256-GCM Encryption** - Per-chunk encryption
+- **Gzip Compression** - Enabled by default
+- **SQLite Index** - Fast lookups, portable metadata
+
+### Storage Efficiency
+
+| Scenario | Borg | dbbackup |
+|----------|------|----------|
+| Daily 10GB database | 10GB + ~2GB/day | 10GB + ~2GB/day |
+| Same data, knows it's a DB | Scripts needed | **Native support** |
+| Restore to point-in-time | ❌ | ✅ Built-in |
+
+Same dedup math. Zero wrapper scripts.
+
+## Enterprise Features, Zero Enterprise Pricing
+
+### Physical Backups (MySQL 8.0.17+)
+```bash
+# Native Clone Plugin - no XtraBackup needed
+dbbackup backup single mydb --db-type mysql --cloud s3://bucket/
+```
+
+### Filesystem Snapshots
+```bash
+# <100ms lock, instant snapshot, stream to cloud
+dbbackup backup --engine=snapshot --snapshot-backend=lvm
+```
+
+### Continuous Binlog/WAL Streaming
+```bash
+# Real-time capture to S3 - sub-second RPO
+dbbackup binlog stream --target=s3://bucket/binlogs/
+```
+
+### Parallel Cloud Upload
+```bash
+# Saturate your network, not your patience
+dbbackup backup --engine=streaming --parallel-workers=8
+```
+
+## Real Numbers
+
+**100GB MySQL database:**
+
+| Metric | Veeam | Borg + Scripts | dbbackup |
+|--------|-------|----------------|----------|
+| Backup time | 45 min | 50 min | **12 min** |
+| Local disk needed | 100GB | 100GB | **0 GB** |
+| Recovery point | Daily | Daily | **< 1 second** |
+| Setup time | Days | Hours | **Minutes** |
+| Annual cost | $5,000+ | $0 + time | **$0** |
+
+## Migration Path
+
+### From Veeam
+```bash
+# Day 1: Test alongside existing
+dbbackup backup single mydb --cloud s3://test-bucket/
+
+# Week 1: Compare backup times, storage costs
+# Week 2: Switch primary backups
+# Month 1: Cancel renewal, buy your team pizza
+```
+
+### From Borg/Restic
+```bash
+# Day 1: Replace your wrapper scripts
+dbbackup dedup backup /var/lib/mysql/dumps/mydb.sql
+
+# Day 2: Add PITR
+dbbackup binlog stream --target=/mnt/nfs/binlogs/
+
+# Day 3: Delete 500 lines of bash
+```
+
+## The Commands You Need
+
+```bash
+# Deduplicated backups (Borg-style)
+dbbackup dedup backup <file>
+dbbackup dedup restore <id> <output>
+dbbackup dedup stats
+dbbackup dedup gc
+
+# Database-native backups
+dbbackup backup single <database>
+dbbackup backup all
+dbbackup restore <backup-file>
+
+# Point-in-time recovery
+dbbackup binlog stream
+dbbackup pitr restore --target-time "2026-01-12 14:30:00"
+
+# Cloud targets
+--cloud s3://bucket/path/
+--cloud gs://bucket/path/
+--cloud azure://container/path/
+```
+
+## Who Should Switch
+
+✅ **From Veeam/Commvault**: Same capabilities, zero license fees  
+✅ **From Borg/Restic**: Native database support, no wrapper scripts  
+✅ **From "homegrown scripts"**: Production-ready, battle-tested  
+✅ **Cloud-native deployments**: Kubernetes, ECS, Cloud Run ready  
+✅ **Compliance requirements**: AES-256-GCM, audit logging  
+
+## Get Started
+
+```bash
+# Download (single binary, ~48MB static linked)
+curl -LO https://github.com/PlusOne/dbbackup/releases/latest/download/dbbackup_linux_amd64
+chmod +x dbbackup_linux_amd64
+
+# Your first deduplicated backup
+./dbbackup_linux_amd64 dedup backup /var/lib/mysql/dumps/production.sql
+
+# Your first cloud backup  
+./dbbackup_linux_amd64 backup single production \
+  --db-type mysql \
+  --cloud s3://my-backups/
+```
+
+## The Bottom Line
+
+| Solution | What It Costs You |
+|----------|-------------------|
+| Veeam | Money |
+| Borg/Restic | Time (scripting, integration) |
+| dbbackup | **Neither** |
+
+**This is what open source really means.**
+
+Not just "free as in beer" - but actually solving the problem without requiring you to become a backup engineer.
+
+---
+
+*Apache 2.0 Licensed. Free forever. No sales calls. No wrapper scripts.*
+
+[GitHub](https://github.com/PlusOne/dbbackup) | [Releases](https://github.com/PlusOne/dbbackup/releases) | [Changelog](CHANGELOG.md)
--- a/PITR.md
+++ b/PITR.md
@@ -0,0 +1,733 @@
+# Point-in-Time Recovery (PITR) Guide
+
+Complete guide to Point-in-Time Recovery in dbbackup v3.1.
+
+## Table of Contents
+
+- [Overview](#overview)
+- [How PITR Works](#how-pitr-works)
+- [Setup Instructions](#setup-instructions)
+- [Recovery Operations](#recovery-operations)
+- [Advanced Features](#advanced-features)
+- [Troubleshooting](#troubleshooting)
+- [Best Practices](#best-practices)
+
+## Overview
+
+Point-in-Time Recovery (PITR) allows you to restore your PostgreSQL database to any specific moment in time, not just to the time of your last backup. This is crucial for:
+
+- **Disaster Recovery**: Recover from accidental data deletion, corruption, or malicious changes
+- **Compliance**: Meet regulatory requirements for data retention and recovery
+- **Testing**: Create snapshots at specific points for testing or analysis
+- **Time Travel**: Investigate database state at any historical moment
+
+### Use Cases
+
+1. **Accidental DELETE**: User accidentally deletes important data at 2:00 PM. Restore to 1:59 PM.
+2. **Bad Migration**: Deploy breaks production at 3:00 PM. Restore to 2:55 PM (before deploy).
+3. **Audit Investigation**: Need to see exact database state on Nov 15 at 10:30 AM.
+4. **Testing Scenarios**: Create multiple recovery branches to test different outcomes.
+
+## How PITR Works
+
+PITR combines three components:
+
+### 1. Base Backup
+A full snapshot of your database at a specific point in time.
+
+```bash
+# Take a base backup
+pg_basebackup -D /backups/base.tar.gz -Ft -z -P
+```
+
+### 2. WAL Archives
+PostgreSQL's Write-Ahead Log (WAL) files contain all database changes. These are continuously archived.
+
+```
+Base Backup (9 AM)  →  WAL Files (9 AM - 5 PM)  →  Current State
+        ↓                        ↓
+    Snapshot            All changes since backup
+```
+
+### 3. Recovery Target
+The specific point in time you want to restore to. Can be:
+- **Timestamp**: `2024-11-26 14:30:00`
+- **Transaction ID**: `1000000`
+- **LSN**: `0/3000000` (Log Sequence Number)
+- **Named Point**: `before_migration`
+- **Immediate**: Earliest consistent point
+
+## Setup Instructions
+
+### Prerequisites
+
+- PostgreSQL 9.5+ (12+ recommended for modern recovery format)
+- Sufficient disk space for WAL archives (~10-50 GB/day typical)
+- dbbackup v3.1 or later
+
+### Step 1: Enable WAL Archiving
+
+```bash
+# Configure PostgreSQL for PITR
+./dbbackup pitr enable --archive-dir /backups/wal_archive
+
+# This modifies postgresql.conf:
+# wal_level = replica
+# archive_mode = on
+# archive_command = 'dbbackup wal archive %p %f --archive-dir /backups/wal_archive'
+```
+
+**Manual Configuration** (alternative):
+
+Edit `/etc/postgresql/14/main/postgresql.conf`:
+
+```ini
+# WAL archiving for PITR
+wal_level = replica              # Minimum required for PITR
+archive_mode = on                # Enable WAL archiving
+archive_command = '/usr/local/bin/dbbackup wal archive %p %f --archive-dir /backups/wal_archive'
+max_wal_senders = 3              # For replication (optional)
+wal_keep_size = 1GB              # Retain WAL on server (optional)
+```
+
+**Restart PostgreSQL:**
+
+```bash
+# Restart to apply changes
+sudo systemctl restart postgresql
+
+# Verify configuration
+./dbbackup pitr status
+```
+
+### Step 2: Take a Base Backup
+
+```bash
+# Option 1: pg_basebackup (recommended)
+pg_basebackup -D /backups/base_$(date +%Y%m%d_%H%M%S).tar.gz -Ft -z -P
+
+# Option 2: Regular pg_dump backup
+./dbbackup backup single mydb --output /backups/base.dump.gz
+
+# Option 3: File-level copy (PostgreSQL stopped)
+sudo service postgresql stop
+tar -czf /backups/base.tar.gz -C /var/lib/postgresql/14/main .
+sudo service postgresql start
+```
+
+### Step 3: Verify WAL Archiving
+
+```bash
+# Check that WAL files are being archived
+./dbbackup wal list --archive-dir /backups/wal_archive
+
+# Expected output:
+# 000000010000000000000001  Timeline 1  Segment 0x00000001  16 MB  2024-11-26 09:00
+# 000000010000000000000002  Timeline 1  Segment 0x00000002  16 MB  2024-11-26 09:15
+# 000000010000000000000003  Timeline 1  Segment 0x00000003  16 MB  2024-11-26 09:30
+
+# Check archive statistics
+./dbbackup pitr status
+```
+
+### Step 4: Create Restore Points (Optional)
+
+```sql
+-- Create named restore points before major operations
+SELECT pg_create_restore_point('before_schema_migration');
+SELECT pg_create_restore_point('before_data_import');
+SELECT pg_create_restore_point('end_of_day_2024_11_26');
+```
+
+## Recovery Operations
+
+### Basic Recovery
+
+**Restore to Specific Time:**
+
+```bash
+./dbbackup restore pitr \
+  --base-backup /backups/base_20241126_090000.tar.gz \
+  --wal-archive /backups/wal_archive \
+  --target-time "2024-11-26 14:30:00" \
+  --target-dir /var/lib/postgresql/14/restored
+```
+
+**What happens:**
+1. Extracts base backup to target directory
+2. Creates recovery configuration (postgresql.auto.conf + recovery.signal)
+3. Provides instructions to start PostgreSQL
+4. PostgreSQL replays WAL files until target time reached
+5. Automatically promotes to primary (default action)
+
+### Recovery Target Types
+
+**1. Timestamp Recovery**
+```bash
+--target-time "2024-11-26 14:30:00"
+--target-time "2024-11-26T14:30:00Z"  # ISO 8601
+--target-time "2024-11-26 14:30:00.123456"  # Microseconds
+```
+
+**2. Transaction ID (XID) Recovery**
+```bash
+# Find XID from logs or pg_stat_activity
+--target-xid 1000000
+
+# Use case: Rollback specific transaction
+# Check transaction ID: SELECT txid_current();
+```
+
+**3. LSN (Log Sequence Number) Recovery**
+```bash
+--target-lsn "0/3000000"
+
+# Find LSN: SELECT pg_current_wal_lsn();
+# Use case: Precise replication catchup
+```
+
+**4. Named Restore Point**
+```bash
+--target-name before_migration
+
+# Use case: Restore to pre-defined checkpoint
+```
+
+**5. Immediate (Earliest Consistent)**
+```bash
+--target-immediate
+
+# Use case: Restore to end of base backup
+```
+
+### Recovery Actions
+
+Control what happens after recovery target is reached:
+
+**1. Promote (default)**
+```bash
+--target-action promote
+
+# PostgreSQL becomes primary, accepts writes
+# Use case: Normal disaster recovery
+```
+
+**2. Pause**
+```bash
+--target-action pause
+
+# PostgreSQL pauses at target, read-only
+# Inspect data before committing
+# Manually promote: pg_ctl promote -D /path
+```
+
+**3. Shutdown**
+```bash
+--target-action shutdown
+
+# PostgreSQL shuts down at target
+# Use case: Take filesystem snapshot
+```
+
+### Advanced Recovery Options
+
+**Skip Base Backup Extraction:**
+```bash
+# If data directory already exists
+./dbbackup restore pitr \
+  --base-backup /backups/base.tar.gz \
+  --wal-archive /backups/wal_archive \
+  --target-time "2024-11-26 14:30:00" \
+  --target-dir /var/lib/postgresql/14/main \
+  --skip-extraction
+```
+
+**Auto-Start PostgreSQL:**
+```bash
+# Automatically start PostgreSQL after setup
+./dbbackup restore pitr \
+  --base-backup /backups/base.tar.gz \
+  --wal-archive /backups/wal_archive \
+  --target-time "2024-11-26 14:30:00" \
+  --target-dir /var/lib/postgresql/14/restored \
+  --auto-start
+```
+
+**Monitor Recovery Progress:**
+```bash
+# Monitor recovery in real-time
+./dbbackup restore pitr \
+  --base-backup /backups/base.tar.gz \
+  --wal-archive /backups/wal_archive \
+  --target-time "2024-11-26 14:30:00" \
+  --target-dir /var/lib/postgresql/14/restored \
+  --auto-start \
+  --monitor
+
+# Or manually monitor logs:
+tail -f /var/lib/postgresql/14/restored/logfile
+```
+
+**Non-Inclusive Recovery:**
+```bash
+# Exclude target transaction/time
+./dbbackup restore pitr \
+  --base-backup /backups/base.tar.gz \
+  --wal-archive /backups/wal_archive \
+  --target-time "2024-11-26 14:30:00" \
+  --target-dir /var/lib/postgresql/14/restored \
+  --inclusive=false
+```
+
+**Timeline Selection:**
+```bash
+# Recover along specific timeline
+--timeline 2
+
+# Recover along latest timeline (default)
+--timeline latest
+
+# View available timelines:
+./dbbackup wal timeline --archive-dir /backups/wal_archive
+```
+
+## Advanced Features
+
+### WAL Compression
+
+Save 70-80% storage space:
+
+```bash
+# Enable compression in archive_command
+archive_command = 'dbbackup wal archive %p %f --archive-dir /backups/wal_archive --compress'
+
+# Or compress during manual archive:
+./dbbackup wal archive /path/to/wal/file %f \
+  --archive-dir /backups/wal_archive \
+  --compress
+```
+
+### WAL Encryption
+
+Encrypt WAL files for compliance:
+
+```bash
+# Generate encryption key
+openssl rand -hex 32 > /secure/wal_encryption.key
+
+# Enable encryption in archive_command
+archive_command = 'dbbackup wal archive %p %f --archive-dir /backups/wal_archive --encrypt --encryption-key-file /secure/wal_encryption.key'
+
+# Or encrypt during manual archive:
+./dbbackup wal archive /path/to/wal/file %f \
+  --archive-dir /backups/wal_archive \
+  --encrypt \
+  --encryption-key-file /secure/wal_encryption.key
+```
+
+### Timeline Management
+
+PostgreSQL creates a new timeline each time you perform PITR. This allows parallel recovery paths.
+
+**View Timeline History:**
+```bash
+./dbbackup wal timeline --archive-dir /backups/wal_archive
+
+# Output:
+# Timeline Branching Structure:
+# ● Timeline 1
+#    WAL segments: 100 files
+#   ├─ Timeline 2 (switched at 0/3000000)
+#      WAL segments: 50 files
+#     ├─ Timeline 3 [CURRENT] (switched at 0/5000000)
+#        WAL segments: 25 files
+```
+
+**Recover to Specific Timeline:**
+```bash
+# Recover to timeline 2 instead of latest
+./dbbackup restore pitr \
+  --base-backup /backups/base.tar.gz \
+  --wal-archive /backups/wal_archive \
+  --target-time "2024-11-26 14:30:00" \
+  --target-dir /var/lib/postgresql/14/restored \
+  --timeline 2
+```
+
+### WAL Cleanup
+
+Manage WAL archive growth:
+
+```bash
+# Clean up WAL files older than 7 days
+./dbbackup wal cleanup \
+  --archive-dir /backups/wal_archive \
+  --retention-days 7
+
+# Dry run (preview what would be deleted)
+./dbbackup wal cleanup \
+  --archive-dir /backups/wal_archive \
+  --retention-days 7 \
+  --dry-run
+```
+
+## Troubleshooting
+
+### Common Issues
+
+**1. WAL Archiving Not Working**
+
+```bash
+# Check PITR status
+./dbbackup pitr status
+
+# Verify PostgreSQL configuration
+psql -c "SHOW archive_mode;"
+psql -c "SHOW wal_level;"
+psql -c "SHOW archive_command;"
+
+# Check PostgreSQL logs
+tail -f /var/log/postgresql/postgresql-14-main.log | grep archive
+
+# Test archive command manually
+su - postgres -c "dbbackup wal archive /test/path test_file --archive-dir /backups/wal_archive"
+```
+
+**2. Recovery Target Not Reached**
+
+```bash
+# Check if required WAL files exist
+./dbbackup wal list --archive-dir /backups/wal_archive | grep "2024-11-26"
+
+# Verify timeline consistency
+./dbbackup wal timeline --archive-dir /backups/wal_archive
+
+# Review recovery logs
+tail -f /var/lib/postgresql/14/restored/logfile
+```
+
+**3. Permission Errors**
+
+```bash
+# Fix data directory ownership
+sudo chown -R postgres:postgres /var/lib/postgresql/14/restored
+
+# Fix WAL archive permissions
+sudo chown -R postgres:postgres /backups/wal_archive
+sudo chmod 700 /backups/wal_archive
+```
+
+**4. Disk Space Issues**
+
+```bash
+# Check WAL archive size
+du -sh /backups/wal_archive
+
+# Enable compression to save space
+# Add --compress to archive_command
+
+# Clean up old WAL files
+./dbbackup wal cleanup --archive-dir /backups/wal_archive --retention-days 7
+```
+
+**5. PostgreSQL Won't Start After Recovery**
+
+```bash
+# Check PostgreSQL logs
+tail -50 /var/lib/postgresql/14/restored/logfile
+
+# Verify recovery configuration
+cat /var/lib/postgresql/14/restored/postgresql.auto.conf
+ls -la /var/lib/postgresql/14/restored/recovery.signal
+
+# Check permissions
+ls -ld /var/lib/postgresql/14/restored
+```
+
+### Debugging Tips
+
+**Enable Verbose Logging:**
+```bash
+# Add to postgresql.conf
+log_min_messages = debug2
+log_error_verbosity = verbose
+log_statement = 'all'
+```
+
+**Check WAL File Integrity:**
+```bash
+# Verify compressed WAL
+gunzip -t /backups/wal_archive/000000010000000000000001.gz
+
+# Verify encrypted WAL
+./dbbackup wal verify /backups/wal_archive/000000010000000000000001.enc \
+  --encryption-key-file /secure/key.bin
+```
+
+**Monitor Recovery Progress:**
+```sql
+-- In PostgreSQL during recovery
+SELECT * FROM pg_stat_recovery_prefetch;
+SELECT pg_is_in_recovery();
+SELECT pg_last_wal_replay_lsn();
+```
+
+## Best Practices
+
+### 1. Regular Base Backups
+
+```bash
+# Schedule daily base backups
+0 2 * * * /usr/local/bin/pg_basebackup -D /backups/base_$(date +\%Y\%m\%d).tar.gz -Ft -z
+```
+
+**Why**: Limits WAL archive size, faster recovery.
+
+### 2. Monitor WAL Archive Growth
+
+```bash
+# Add monitoring
+du -sh /backups/wal_archive | mail -s "WAL Archive Size" admin@example.com
+
+# Alert on >100 GB
+if [ $(du -s /backups/wal_archive | cut -f1) -gt 100000000 ]; then
+  echo "WAL archive exceeds 100 GB" | mail -s "ALERT" admin@example.com
+fi
+```
+
+### 3. Test Recovery Regularly
+
+```bash
+# Monthly recovery test
+./dbbackup restore pitr \
+  --base-backup /backups/base_latest.tar.gz \
+  --wal-archive /backups/wal_archive \
+  --target-immediate \
+  --target-dir /tmp/recovery_test \
+  --auto-start
+
+# Verify database accessible
+psql -h localhost -p 5433 -d postgres -c "SELECT version();"
+
+# Cleanup
+pg_ctl stop -D /tmp/recovery_test
+rm -rf /tmp/recovery_test
+```
+
+### 4. Document Restore Points
+
+```bash
+# Create log of restore points
+echo "$(date '+%Y-%m-%d %H:%M:%S') - before_migration - Schema version 2.5 to 3.0" >> /backups/restore_points.log
+
+# In PostgreSQL
+SELECT pg_create_restore_point('before_migration');
+```
+
+### 5. Compression & Encryption
+
+```bash
+# Always compress (70-80% savings)
+--compress
+
+# Encrypt for compliance
+--encrypt --encryption-key-file /secure/key.bin
+
+# Combined (compress first, then encrypt)
+--compress --encrypt --encryption-key-file /secure/key.bin
+```
+
+### 6. Retention Policy
+
+```bash
+# Keep base backups: 30 days
+# Keep WAL archives: 7 days (between base backups)
+
+# Cleanup script
+#!/bin/bash
+find /backups/base_* -mtime +30 -delete
+./dbbackup wal cleanup --archive-dir /backups/wal_archive --retention-days 7
+```
+
+### 7. Monitoring & Alerting
+
+```bash
+# Check WAL archiving status
+psql -c "SELECT last_archived_wal, last_archived_time FROM pg_stat_archiver;"
+
+# Alert if archiving fails
+if psql -tAc "SELECT last_failed_wal FROM pg_stat_archiver WHERE last_failed_wal IS NOT NULL;"; then
+  echo "WAL archiving failed" | mail -s "ALERT" admin@example.com
+fi
+```
+
+### 8. Disaster Recovery Plan
+
+Document your recovery procedure:
+
+```markdown
+## Disaster Recovery Steps
+
+1. Stop application traffic
+2. Identify recovery target (time/XID/LSN)
+3. Prepare clean data directory
+4. Run PITR restore:
+   ./dbbackup restore pitr \
+     --base-backup /backups/base_latest.tar.gz \
+     --wal-archive /backups/wal_archive \
+     --target-time "YYYY-MM-DD HH:MM:SS" \
+     --target-dir /var/lib/postgresql/14/main
+5. Start PostgreSQL
+6. Verify data integrity
+7. Update application configuration
+8. Resume application traffic
+9. Create new base backup
+```
+
+## Large Database Support (600+ GB)
+
+For databases larger than 600 GB, PITR is the **recommended approach** over full dump/restore.
+
+### Why PITR Works Better for Large DBs
+
+| Approach | 600 GB Database | Recovery Time (RTO) |
+|----------|-----------------|---------------------|
+| Full pg_dump/restore | Hours to dump, hours to restore | 4-12+ hours |
+| PITR (base + WAL) | Incremental WAL only | 30 min - 2 hours |
+
+### Setup for Large Databases
+
+**1. Enable WAL archiving with compression:**
+```bash
+dbbackup pitr enable --archive-dir /backups/wal_archive --compress
+```
+
+**2. Take ONE base backup weekly/monthly (use pg_basebackup):**
+```bash
+# For 600+ GB, use fast checkpoint to minimize impact
+pg_basebackup -D /backups/base_$(date +%Y%m%d).tar.gz \
+  -Ft -z -P --checkpoint=fast --wal-method=none
+
+# Duration: 2-6 hours for 600 GB, but only needed weekly/monthly
+```
+
+**3. WAL files archive continuously** (~1-5 GB/hour typical), capturing every change.
+
+**4. Recover to any point in time:**
+```bash
+dbbackup restore pitr \
+  --base-backup /backups/base_20260101.tar.gz \
+  --wal-archive /backups/wal_archive \
+  --target-time "2026-01-13 14:30:00" \
+  --target-dir /var/lib/postgresql/16/restored
+```
+
+### PostgreSQL Optimizations for 600+ GB
+
+| Setting | Value | Purpose |
+|---------|-------|---------|
+| `wal_compression = on` | postgresql.conf | 70-80% smaller WAL files |
+| `max_wal_size = 4GB` | postgresql.conf | Reduce checkpoint frequency |
+| `checkpoint_timeout = 30min` | postgresql.conf | Less frequent checkpoints |
+| `archive_timeout = 300` | postgresql.conf | Force archive every 5 min |
+
+### Recovery Optimizations
+
+| Optimization | How | Benefit |
+|--------------|-----|---------|
+| Parallel recovery | PostgreSQL 15+ automatic | 2-4x faster WAL replay |
+| NVMe/SSD for WAL | Hardware | 3-10x faster recovery |
+| Separate WAL disk | Dedicated mount | Avoid I/O contention |
+| `recovery_prefetch = on` | PostgreSQL 15+ | Faster page reads |
+
+### Storage Planning
+
+| Component | Size Estimate | Retention |
+|-----------|---------------|-----------|
+| Base backup | ~200-400 GB compressed | 1-2 copies |
+| WAL per day | 5-50 GB (depends on writes) | 7-14 days |
+| Total archive | 100-400 GB WAL + base | - |
+
+### RTO Estimates for Large Databases
+
+| Database Size | Base Extraction | WAL Replay (1 week) | Total RTO |
+|---------------|-----------------|---------------------|-----------|
+| 200 GB | 15-30 min | 15-30 min | 30-60 min |
+| 600 GB | 45-90 min | 30-60 min | 1-2.5 hours |
+| 1 TB | 60-120 min | 45-90 min | 2-3.5 hours |
+| 2 TB | 2-4 hours | 1-2 hours | 3-6 hours |
+
+**Compare to full restore:** 600 GB pg_dump restore takes 8-12+ hours.
+
+### Best Practices for 600+ GB
+
+1. **Weekly base backups** - Monthly if storage is tight
+2. **Test recovery monthly** - Verify WAL chain integrity
+3. **Monitor WAL lag** - Alert if archive falls behind
+4. **Use streaming replication** - For HA, combine with PITR for DR
+5. **Separate archive storage** - Don't fill up the DB disk
+
+```bash
+# Quick health check for large DB PITR setup
+dbbackup pitr status --verbose
+
+# Expected output:
+# Base Backup: 2026-01-06 (7 days old) - OK
+# WAL Archive: 847 files, 52 GB
+# Recovery Window: 2026-01-06 to 2026-01-13 (7 days)
+# Estimated RTO: ~90 minutes
+```
+
+## Performance Considerations
+
+### WAL Archive Size
+
+- Typical: 16 MB per WAL file
+- High-traffic database: 1-5 GB/hour
+- Low-traffic database: 100-500 MB/day
+
+### Recovery Time
+
+- Base backup restoration: 5-30 minutes (depends on size)
+- WAL replay: 10-100 MB/sec (depends on disk I/O)
+- Total recovery time: backup size / disk speed + WAL replay time
+
+### Compression Performance
+
+- CPU overhead: 5-10%
+- Storage savings: 70-80%
+- Recommended: Use unless CPU constrained
+
+### Encryption Performance
+
+- CPU overhead: 2-5%
+- Storage overhead: ~1% (header + nonce)
+- Recommended: Use for compliance
+
+## Compliance & Security
+
+### Regulatory Requirements
+
+PITR helps meet:
+- **GDPR**: Data recovery within 72 hours
+- **SOC 2**: Backup and recovery procedures
+- **HIPAA**: Data integrity and availability
+- **PCI DSS**: Backup retention and testing
+
+### Security Best Practices
+
+1. **Encrypt WAL archives** containing sensitive data
+2. **Secure encryption keys** (HSM, KMS, or secure filesystem)
+3. **Limit access** to WAL archive directory (chmod 700)
+4. **Audit logs** for recovery operations
+5. **Test recovery** from encrypted backups regularly
+
+## Additional Resources
+
+- PostgreSQL PITR Documentation: https://www.postgresql.org/docs/current/continuous-archiving.html
+- dbbackup GitHub: https://github.com/uuxo/dbbackup
+- Report Issues: https://github.com/uuxo/dbbackup/issues
+
+---
+
+**dbbackup v3.1** | Point-in-Time Recovery for PostgreSQL
--- a/README.md
+++ b/README.md
@@ -1,1081 +1,875 @@
 # dbbackup

-![dbbackup](dbbackup.png)
+Database backup and restore utility for PostgreSQL, MySQL, and MariaDB.

-Professional database backup and restore utility for PostgreSQL, MySQL, and MariaDB.
+[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
+[![Go Version](https://img.shields.io/badge/Go-1.21+-00ADD8?logo=go)](https://golang.org/)

-## Key Features
+**Repository:** https://git.uuxo.net/UUXO/dbbackup  
+**Mirror:** https://github.com/PlusOne/dbbackup
+
+## Features

 - Multi-database support: PostgreSQL, MySQL, MariaDB
 - Backup modes: Single database, cluster, sample data
- **Cloud storage integration: S3, MinIO, B2, Azure Blob, Google Cloud Storage**
- Restore operations with safety checks and validation
- Automatic CPU detection and parallel processing
- Streaming compression for large databases
- Interactive terminal UI with progress tracking
- Cross-platform binaries (Linux, macOS, BSD, Windows)
+- **Dry-run mode**: Preflight checks before backup execution
+- AES-256-GCM encryption
+- Incremental backups
+- Cloud storage: S3, MinIO, B2, Azure Blob, Google Cloud Storage
+- Point-in-Time Recovery (PITR) for PostgreSQL and MySQL/MariaDB
+- **GFS retention policies**: Grandfather-Father-Son backup rotation
+- **Notifications**: SMTP email and webhook alerts
+- **Systemd integration**: Install as service with scheduled timers
+- **Prometheus metrics**: Textfile collector and HTTP exporter
+- Interactive terminal UI
+- Cross-platform binaries
+
+### Enterprise DBA Features
+
+- **Backup Catalog**: SQLite-based catalog tracking all backups with gap detection
+- **DR Drill Testing**: Automated disaster recovery testing in Docker containers
+- **Smart Notifications**: Batched alerts with escalation policies
+- **Compliance Reports**: SOC2, GDPR, HIPAA, PCI-DSS, ISO27001 report generation
+- **RTO/RPO Calculator**: Recovery objective analysis and recommendations
+- **Replica-Aware Backup**: Automatic backup from replicas to reduce primary load
+- **Parallel Table Backup**: Concurrent table dumps for faster backups

 ## Installation

-### Docker (Recommended)
+### Docker

-**Pull from registry:**
 ```bash
-docker pull git.uuxo.net/uuxo/dbbackup:latest
-```
+docker pull git.uuxo.net/UUXO/dbbackup:latest

-**Quick start:**
-```bash
 # PostgreSQL backup
 docker run --rm \
  -v $(pwd)/backups:/backups \
  -e PGHOST=your-host \
  -e PGUSER=postgres \
  -e PGPASSWORD=secret \
-  git.uuxo.net/uuxo/dbbackup:latest backup single mydb
-
-# Interactive mode
-docker run --rm -it \
-  -v $(pwd)/backups:/backups \
-  git.uuxo.net/uuxo/dbbackup:latest interactive
+  git.uuxo.net/UUXO/dbbackup:latest backup single mydb
 ```

-See [DOCKER.md](DOCKER.md) for complete Docker documentation.
+### Binary Download

-### Download Pre-compiled Binary
-
-Linux x86_64:
+Download from [releases](https://git.uuxo.net/UUXO/dbbackup/releases):

 ```bash
-curl -L https://git.uuxo.net/uuxo/dbbackup/raw/branch/main/bin/dbbackup_linux_amd64 -o dbbackup
-chmod +x dbbackup
+# Linux x86_64
+wget https://git.uuxo.net/UUXO/dbbackup/releases/download/v3.42.35/dbbackup-linux-amd64
+chmod +x dbbackup-linux-amd64
+sudo mv dbbackup-linux-amd64 /usr/local/bin/dbbackup
 ```

-Linux ARM64:
-
-```bash
-curl -L https://git.uuxo.net/uuxo/dbbackup/raw/branch/main/bin/dbbackup_linux_arm64 -o dbbackup
-chmod +x dbbackup
-```
-
-macOS Intel:
-
-```bash
-curl -L https://git.uuxo.net/uuxo/dbbackup/raw/branch/main/bin/dbbackup_darwin_amd64 -o dbbackup
-chmod +x dbbackup
-```
-
-macOS Apple Silicon:
-
-```bash
-curl -L https://git.uuxo.net/uuxo/dbbackup/raw/branch/main/bin/dbbackup_darwin_arm64 -o dbbackup
-chmod +x dbbackup
-```
-
-Other platforms available in `bin/` directory: FreeBSD, OpenBSD, NetBSD.
+Available platforms: Linux (amd64, arm64, armv7), macOS (amd64, arm64), FreeBSD, OpenBSD, NetBSD.

 ### Build from Source

-Requires Go 1.19 or later:
-
 ```bash
-git clone https://git.uuxo.net/uuxo/dbbackup.git
+git clone https://git.uuxo.net/UUXO/dbbackup.git
 cd dbbackup
 go build
 ```

-## Quick Start
+## Usage

 ### Interactive Mode

-PostgreSQL (peer authentication):
-
 ```bash
-sudo -u postgres ./dbbackup interactive
+# PostgreSQL with peer authentication
+sudo -u postgres dbbackup interactive
+
+# MySQL/MariaDB
+dbbackup interactive --db-type mysql --user root --password secret
 ```

-MySQL/MariaDB:
-
-```bash
-./dbbackup interactive --db-type mysql --user root --password secret
-```
-
-Menu-driven interface for all operations. Press arrow keys to navigate, Enter to select.
-
 **Main Menu:**
 ```
-┌─────────────────────────────────────────────┐
-│          Database Backup Tool               │
-├─────────────────────────────────────────────┤
-│ > Backup Database                           │
-│   Restore Database                          │
-│   List Backups                              │
-│   Configuration Settings                    │
-│   Exit                                      │
-├─────────────────────────────────────────────┤
-│ Database: postgres@localhost:5432           │
-│ Type: PostgreSQL                            │
-│ Backup Dir: /var/lib/pgsql/db_backups       │
-└─────────────────────────────────────────────┘
+Database Backup Tool - Interactive Menu
+
+Target Engine: PostgreSQL  |  MySQL  |  MariaDB
+Database: postgres@localhost:5432 (PostgreSQL)
+
+> Single Database Backup
+  Sample Database Backup (with ratio)
+  Cluster Backup (all databases)
+  ────────────────────────────────
+  Restore Single Database
+  Restore Cluster Backup
+  Diagnose Backup File
+  List & Manage Backups
+  ────────────────────────────────
+  View Active Operations
+  Show Operation History
+  Database Status & Health Check
+  Configuration Settings
+  Clear Operation History
+  Quit
 ```

-**Backup Progress:**
+**Database Selection:**
 ```
-Backing up database: production_db
+Single Database Backup

-[=================>              ] 45%
-Elapsed: 2m 15s  |  ETA: 2m 48s
+Select database to backup:

-Current: Dumping table users (1.2M records)
-Speed: 25 MB/s  |  Size: 3.2 GB / 7.1 GB
+> production_db      (245 MB)
+  analytics_db       (1.2 GB)
+  users_db           (89 MB)
+  inventory_db       (456 MB)
+
+Enter: Select | Esc: Back
+```
+
+**Backup Execution:**
+```
+Backup Execution
+
+  Type:      Single Database
+  Database:  production_db
+  Duration:  2m 35s
+
+  Backing up database 'production_db'...
+```
+
+**Backup Complete:**
+```
+Backup Execution
+
+  Type:      Cluster Backup
+  Duration:  8m 12s
+
+  Backup completed successfully!
+
+  Backup created: cluster_20251128_092928.tar.gz
+  Size: 22.5 GB (compressed)
+  Location: /var/backups/postgres/
+  Databases: 7
+  Checksum: SHA-256 verified
+```
+
+**Restore Preview:**
+```
+Cluster Restore Preview
+
+Archive Information
+  File: cluster_20251128_092928.tar.gz
+  Format: PostgreSQL Cluster (tar.gz)
+  Size: 22.5 GB
+
+Cluster Restore Options
+  Host: localhost:5432
+  Existing Databases: 5 found
+  Clean All First: true
+
+Safety Checks
+  [OK] Archive integrity verified
+  [OK] Dump validity verified
+  [OK] Disk space: 140 GB available
+  [OK] Required tools found
+  [OK] Target database accessible
+
+Advanced Options
+  ✗ Debug Log: false (press 'd' to toggle)
+
+c: Toggle cleanup | d: Debug log | Enter: Proceed | Esc: Cancel
+```
+
+**Backup Manager:**
+```
+Backup Archive Manager
+
+Total Archives: 15  |  Total Size: 156.8 GB
+
+FILENAME                              FORMAT                SIZE        MODIFIED
+─────────────────────────────────────────────────────────────────────────────────
+> [OK] cluster_20250115.tar.gz        PostgreSQL Cluster    18.5 GB     2025-01-15
+  [OK] myapp_prod_20250114.dump.gz    PostgreSQL Custom     12.3 GB     2025-01-14
+  [!!] users_db_20241220.dump.gz      PostgreSQL Custom     850 MB      2024-12-20
+
+r: Restore | v: Verify | i: Info | d: Diagnose | D: Delete | R: Refresh | Esc: Back
 ```

 **Configuration Settings:**
 ```
-┌─────────────────────────────────────────────┐
-│        Configuration Settings               │
-├─────────────────────────────────────────────┤
-│ Compression Level: 6                        │
-│ Parallel Jobs: 16                           │
-│ Dump Jobs: 8                                │
-│ CPU Workload: Balanced                      │
-│ Max Cores: 32                               │
-├─────────────────────────────────────────────┤
-│ Auto-saved to: .dbbackup.conf               │
-└─────────────────────────────────────────────┘
+Configuration Settings
+
+> Database Type: postgres
+  CPU Workload Type: balanced
+  Backup Directory: /root/db_backups
+  Work Directory: /tmp
+  Compression Level: 6
+  Parallel Jobs: 16
+  Dump Jobs: 8
+  Database Host: localhost
+  Database Port: 5432
+  Database User: root
+  SSL Mode: prefer
+
+s: Save | r: Reset | q: Menu
 ```

-#### Interactive Features
+**Database Status:**
+```
+Database Status & Health Check

-The interactive mode provides a menu-driven interface for all database operations:
+Connection Status: Connected

- **Backup Operations**: Single database, full cluster, or sample backups
- **Restore Operations**: Database or cluster restoration with safety checks
- **Configuration Management**: Auto-save/load settings per directory (.dbbackup.conf)
- **Backup Archive Management**: List, verify, and delete backup files
- **Performance Tuning**: CPU workload profiles (Balanced, CPU-Intensive, I/O-Intensive)
- **Safety Features**: Disk space verification, archive validation, confirmation prompts
- **Progress Tracking**: Real-time progress indicators with ETA estimation
- **Error Handling**: Context-aware error messages with actionable hints
+Database Type: PostgreSQL
+Host: localhost:5432
+User: postgres
+Version: PostgreSQL 17.2
+Databases Found: 5

-**Configuration Persistence:**
-
-Settings are automatically saved to .dbbackup.conf in the current directory after successful operations and loaded on subsequent runs. This allows per-project configuration without global settings.
-
-Flags available:
- `--no-config` - Skip loading saved configuration
- `--no-save-config` - Prevent saving configuration after operation
-
-### Command Line Mode
-
-Backup single database:
-
-```bash
-./dbbackup backup single myapp_db
+All systems operational
 ```

-Backup entire cluster (PostgreSQL):
+### Command Line

 ```bash
-./dbbackup backup cluster
-```
+# Single database backup
+dbbackup backup single myapp_db

-Restore database:
+# Cluster backup (PostgreSQL)
+dbbackup backup cluster

-```bash
-./dbbackup restore single backup.dump --target myapp_db --create
-```
+# Sample backup (reduced data for testing)
+dbbackup backup sample myapp_db --sample-strategy percent --sample-value 10

-Restore full cluster:
+# Encrypted backup
+dbbackup backup single myapp_db --encrypt --encryption-key-file key.txt

-```bash
-./dbbackup restore cluster cluster_backup.tar.gz --confirm
+# Incremental backup
+dbbackup backup single myapp_db --backup-type incremental --base-backup base.tar.gz
+
+# Restore single database
+dbbackup restore single backup.dump --target myapp_db --create --confirm
+
+# Restore cluster
+dbbackup restore cluster cluster_backup.tar.gz --confirm
+
+# Restore with debug logging (saves detailed error report on failure)
+dbbackup restore cluster backup.tar.gz --save-debug-log /tmp/restore-debug.json --confirm
+
+# Diagnose backup before restore
+dbbackup restore diagnose backup.dump.gz --deep
+
+# Cloud backup
+dbbackup backup single mydb --cloud s3://my-bucket/backups/
+
+# Dry-run mode (preflight checks without execution)
+dbbackup backup single mydb --dry-run
 ```

 ## Commands

-### Global Flags (Available for all commands)
+| Command | Description |
+|---------|-------------|
+| `backup single` | Backup single database |
+| `backup cluster` | Backup all databases (PostgreSQL) |
+| `backup sample` | Backup with reduced data |
+| `restore single` | Restore single database |
+| `restore cluster` | Restore full cluster |
+| `restore pitr` | Point-in-Time Recovery |
+| `restore diagnose` | Diagnose backup file integrity |
+| `verify-backup` | Verify backup integrity |
+| `cleanup` | Remove old backups |
+| `status` | Check connection status |
+| `preflight` | Run pre-backup checks |
+| `list` | List databases and backups |
+| `cpu` | Show CPU optimization settings |
+| `cloud` | Cloud storage operations |
+| `pitr` | PITR management |
+| `wal` | WAL archive operations |
+| `interactive` | Start interactive UI |
+| `catalog` | Backup catalog management |
+| `drill` | DR drill testing |
+| `report` | Compliance report generation |
+| `rto` | RTO/RPO analysis |
+| `install` | Install as systemd service |
+| `uninstall` | Remove systemd service |
+| `metrics export` | Export Prometheus metrics to textfile |
+| `metrics serve` | Run Prometheus HTTP exporter |
+
+## Global Flags

 | Flag | Description | Default |
 |------|-------------|---------|
-| `-d, --db-type` | postgres, mysql, mariadb | postgres |
+| `-d, --db-type` | Database type (postgres, mysql, mariadb) | postgres |
 | `--host` | Database host | localhost |
-| `--port` | Database port | 5432 (postgres), 3306 (mysql) |
-| `--user` | Database user | root |
-| `--password` | Database password | (empty) |
-| `--database` | Database name | postgres |
-| `--backup-dir` | Backup directory | /root/db_backups |
-| `--compression` | Compression level 0-9 | 6 |
-| `--ssl-mode` | disable, prefer, require, verify-ca, verify-full | prefer |
-| `--insecure` | Disable SSL/TLS | false |
+| `--port` | Database port | 5432/3306 |
+| `--user` | Database user | current user |
+| `--password` | Database password | - |
+| `--backup-dir` | Backup directory | ~/db_backups |
+| `--compression` | Compression level (0-9) | 6 |
 | `--jobs` | Parallel jobs | 8 |
-| `--dump-jobs` | Parallel dump jobs | 8 |
-| `--max-cores` | Maximum CPU cores | 16 |
-| `--cpu-workload` | cpu-intensive, io-intensive, balanced | balanced |
-| `--auto-detect-cores` | Auto-detect CPU cores | true |
-| `--no-config` | Skip loading .dbbackup.conf | false |
-| `--no-save-config` | Prevent saving configuration | false |
-| `--cloud` | Cloud storage URI (s3://, azure://, gcs://) | (empty) |
-| `--cloud-provider` | Cloud provider (s3, minio, b2, azure, gcs) | (empty) |
-| `--cloud-bucket` | Cloud bucket/container name | (empty) |
-| `--cloud-region` | Cloud region | (empty) |
+| `--cloud` | Cloud storage URI | - |
+| `--encrypt` | Enable encryption | false |
+| `--dry-run, -n` | Run preflight checks only | false |
 | `--debug` | Enable debug logging | false |
-| `--no-color` | Disable colored output | false |
+| `--save-debug-log` | Save error report to file on failure | - |

-### Backup Operations
+## Encryption

-#### Single Database
-
-Backup a single database to compressed archive:
+AES-256-GCM encryption for secure backups:

 ```bash
-./dbbackup backup single DATABASE_NAME [OPTIONS]
+# Generate key
+head -c 32 /dev/urandom | base64 > encryption.key
+
+# Backup with encryption
+dbbackup backup single mydb --encrypt --encryption-key-file encryption.key
+
+# Restore (decryption is automatic)
+dbbackup restore single mydb_encrypted.sql.gz --encryption-key-file encryption.key --target mydb --confirm
 ```

-**Common Options:**
+## Incremental Backups

- `--host STRING` - Database host (default: localhost)
- `--port INT` - Database port (default: 5432 PostgreSQL, 3306 MySQL)
- `--user STRING` - Database user (default: postgres)
- `--password STRING` - Database password
- `--db-type STRING` - Database type: postgres, mysql, mariadb (default: postgres)
- `--backup-dir STRING` - Backup directory (default: /var/lib/pgsql/db_backups)
- `--compression INT` - Compression level 0-9 (default: 6)
- `--insecure` - Disable SSL/TLS
- `--ssl-mode STRING` - SSL mode: disable, prefer, require, verify-ca, verify-full
-
-**Examples:**
+Space-efficient incremental backups:

 ```bash
-# Basic backup
-./dbbackup backup single production_db
+# Full backup (base)
+dbbackup backup single mydb --backup-type full

-# Remote database with custom settings
-./dbbackup backup single myapp_db \
-  --host db.example.com \
-  --port 5432 \
-  --user backup_user \
-  --password secret \
-  --compression 9 \
-  --backup-dir /mnt/backups
-
-# MySQL database
-./dbbackup backup single wordpress \
-  --db-type mysql \
-  --user root \
-  --password secret
+# Incremental backup
+dbbackup backup single mydb --backup-type incremental --base-backup mydb_base.tar.gz
 ```

-Supported formats:
- PostgreSQL: Custom format (.dump) or SQL (.sql)
- MySQL/MariaDB: SQL (.sql)
+## Cloud Storage

-#### Cluster Backup (PostgreSQL)
-
-Backup all databases in PostgreSQL cluster including roles and tablespaces:
+Supported providers: AWS S3, MinIO, Backblaze B2, Azure Blob Storage, Google Cloud Storage.

 ```bash
-./dbbackup backup cluster [OPTIONS]
-```
-
-**Performance Options:**
-
- `--max-cores INT` - Maximum CPU cores (default: auto-detect)
- `--cpu-workload STRING` - Workload type: cpu-intensive, io-intensive, balanced (default: balanced)
- `--jobs INT` - Parallel jobs (default: auto-detect based on workload)
- `--dump-jobs INT` - Parallel dump jobs (default: auto-detect based on workload)
- `--cluster-parallelism INT` - Concurrent database operations (default: 2, configurable via CLUSTER_PARALLELISM env var)
-
-**Examples:**
-
-```bash
-# Standard cluster backup
-sudo -u postgres ./dbbackup backup cluster
-
-# High-performance backup
-sudo -u postgres ./dbbackup backup cluster \
-  --compression 3 \
-  --max-cores 16 \
-  --cpu-workload cpu-intensive \
-  --jobs 16
-```
-
-Output: tar.gz archive containing all databases and globals.
-
-#### Sample Backup
-
-Create reduced-size backup for testing/development:
-
-```bash
-./dbbackup backup sample DATABASE_NAME [OPTIONS]
-```
-
-**Options:**
-
- `--sample-strategy STRING` - Strategy: ratio, percent, count (default: ratio)
- `--sample-value FLOAT` - Sample value based on strategy (default: 10)
-
-**Examples:**
-
-```bash
-# Keep 10% of all rows
-./dbbackup backup sample myapp_db --sample-strategy percent --sample-value 10
-
-# Keep 1 in 100 rows
-./dbbackup backup sample myapp_db --sample-strategy ratio --sample-value 100
-
-# Keep 5000 rows per table
-./dbbackup backup sample myapp_db --sample-strategy count --sample-value 5000
-```
-
-**Warning:** Sample backups may break referential integrity.
-
-### Restore Operations
-
-#### Single Database Restore
-
-Restore database from backup file:
-
-```bash
-./dbbackup restore single BACKUP_FILE [OPTIONS]
-```
-
-**Options:**
-
- `--target STRING` - Target database name (required)
- `--create` - Create database if it doesn't exist
- `--clean` - Drop and recreate database before restore
- `--jobs INT` - Parallel restore jobs (default: 4)
- `--verbose` - Show detailed progress
- `--no-progress` - Disable progress indicators
- `--confirm` - Execute restore (required for safety, dry-run by default)
- `--dry-run` - Preview without executing
- `--force` - Skip safety checks
-
-**Examples:**
-
-```bash
-# Basic restore
-./dbbackup restore single /backups/myapp_20250112.dump --target myapp_restored
-
-# Restore with database creation
-./dbbackup restore single backup.dump \
-  --target myapp_db \
-  --create \
-  --jobs 8
-
-# Clean restore (drops existing database)
-./dbbackup restore single backup.dump \
-  --target myapp_db \
-  --clean \
-  --verbose
-```
-
-Supported formats:
- PostgreSQL: .dump, .dump.gz, .sql, .sql.gz
- MySQL: .sql, .sql.gz
-
-#### Cluster Restore (PostgreSQL)
-
-Restore entire PostgreSQL cluster from archive:
-
-```bash
-./dbbackup restore cluster ARCHIVE_FILE [OPTIONS]
-```
-
-### Verification & Maintenance
-
-#### Verify Backup Integrity
-
-Verify backup files using SHA-256 checksums and metadata validation:
-
-```bash
-./dbbackup verify-backup BACKUP_FILE [OPTIONS]
-```
-
-**Options:**
-
- `--quick` - Quick verification (size check only, no checksum calculation)
- `--verbose` - Show detailed information about each backup
-
-**Examples:**
-
-```bash
-# Verify single backup (full SHA-256 check)
-./dbbackup verify-backup /backups/mydb_20251125.dump
-
-# Verify all backups in directory
-./dbbackup verify-backup /backups/*.dump --verbose
-
-# Quick verification (fast, size check only)
-./dbbackup verify-backup /backups/*.dump --quick
-```
-
-**Output:**
-```
-Verifying 3 backup file(s)...
-
-📁 mydb_20251125.dump
-   ✅ VALID
-   Size: 2.5 GiB
-   SHA-256: 7e166d4cb7276e1310d76922f45eda0333a6aeac...
-   Database: mydb (postgresql)
-   Created: 2025-11-25T19:00:00Z
-
-──────────────────────────────────────────────────
-Total: 3 backups
-✅ Valid: 3
-```
-
-#### Cleanup Old Backups
-
-Automatically remove old backups based on retention policy:
-
-```bash
-./dbbackup cleanup BACKUP_DIRECTORY [OPTIONS]
-```
-
-**Options:**
-
- `--retention-days INT` - Delete backups older than N days (default: 30)
- `--min-backups INT` - Always keep at least N most recent backups (default: 5)
- `--dry-run` - Preview what would be deleted without actually deleting
- `--pattern STRING` - Only clean backups matching pattern (e.g., "mydb_*.dump")
-
-**Retention Policy:**
-
-The cleanup command uses a safe retention policy:
-1. Backups older than `--retention-days` are eligible for deletion
-2. At least `--min-backups` most recent backups are always kept
-3. Both conditions must be met for a backup to be deleted
-
-**Examples:**
-
-```bash
-# Clean up backups older than 30 days (keep at least 5)
-./dbbackup cleanup /backups --retention-days 30 --min-backups 5
-
-# Preview what would be deleted
-./dbbackup cleanup /backups --retention-days 7 --dry-run
-
-# Clean specific database backups
-./dbbackup cleanup /backups --pattern "mydb_*.dump"
-
-# Aggressive cleanup (keep only 3 most recent)
-./dbbackup cleanup /backups --retention-days 1 --min-backups 3
-```
-
-**Output:**
-```
-🗑️  Cleanup Policy:
-   Directory: /backups
-   Retention: 30 days
-   Min backups: 5
-
-📊 Results:
-   Total backups: 12
-   Eligible for deletion: 7
-
-✅ Deleted 7 backup(s):
-   - old_db_20251001.dump
-   - old_db_20251002.dump
-   ...
-
-📦 Kept 5 backup(s)
-
-💾 Space freed: 15.2 GiB
-──────────────────────────────────────────────────
-✅ Cleanup completed successfully
-```
-
-**Options:**
-
- `--confirm` - Confirm and execute restore (required for safety)
- `--dry-run` - Show what would be done without executing
- `--force` - Skip safety checks
- `--jobs INT` - Parallel decompression jobs (default: auto)
- `--verbose` - Show detailed progress
- `--no-progress` - Disable progress indicators
-
-**Examples:**
-
-```bash
-# Standard cluster restore
-sudo -u postgres ./dbbackup restore cluster cluster_backup.tar.gz --confirm
-
-# Dry-run to preview
-sudo -u postgres ./dbbackup restore cluster cluster_backup.tar.gz --dry-run
-
-# High-performance restore
-sudo -u postgres ./dbbackup restore cluster cluster_backup.tar.gz \
-  --confirm \
-  --jobs 16 \
-  --verbose
-```
-
-**Safety Features:**
-
- Archive integrity validation
- Disk space checks (4x archive size recommended)
- Automatic database cleanup detection (interactive mode)
- Progress tracking with ETA estimation
-
-#### Restore List
-
-Show available backup archives in backup directory:
-
-```bash
-./dbbackup restore list
-```
-
-### System Commands
-
-#### Status Check
-
-Check database connection and configuration:
-
-```bash
-./dbbackup status [OPTIONS]
-```
-
-Shows: Database type, host, port, user, connection status, available databases.
-
-#### Preflight Checks
-
-Run pre-backup validation checks:
-
-```bash
-./dbbackup preflight [OPTIONS]
-```
-
-Verifies: Database connection, required tools, disk space, permissions.
-
-#### List Databases
-
-List available databases:
-
-```bash
-./dbbackup list [OPTIONS]
-```
-
-#### CPU Information
-
-Display CPU configuration and optimization settings:
-
-```bash
-./dbbackup cpu
-```
-
-Shows: CPU count, model, workload recommendation, suggested parallel jobs.
-
-#### Version
-
-Display version information:
-
-```bash
-./dbbackup version
-```
-
-## Cloud Storage Integration
-
-dbbackup v2.0 includes native support for cloud storage providers. See [CLOUD.md](CLOUD.md) for complete documentation.
-
-### Quick Start - Cloud Backups
-
-**Configure cloud provider in TUI:**
-```bash
-# Launch interactive mode
-./dbbackup interactive
-
-# Navigate to: Configuration Settings
-# Set: Cloud Storage Enabled = true
-# Set: Cloud Provider = s3 (or azure, gcs, minio, b2)
-# Set: Cloud Bucket/Container = your-bucket-name
-# Set: Cloud Region = us-east-1 (if applicable)
-# Set: Cloud Auto-Upload = true
-```
-
-**Command-line cloud backup:**
-```bash
-# Backup directly to S3
-./dbbackup backup single mydb --cloud s3://my-bucket/backups/
-
-# Backup to Azure Blob Storage
-./dbbackup backup single mydb \
-  --cloud azure://my-container/backups/ \
-  --cloud-access-key myaccount \
-  --cloud-secret-key "account-key"
-
-# Backup to Google Cloud Storage
-./dbbackup backup single mydb \
-  --cloud gcs://my-bucket/backups/ \
-  --cloud-access-key /path/to/service-account.json
-
-# Restore from cloud
-./dbbackup restore single s3://my-bucket/backups/mydb_20251126.dump \
-  --target mydb_restored \
-  --confirm
-```
-
-**Supported Providers:**
- **AWS S3** - `s3://bucket/path`
- **MinIO** - `minio://bucket/path` (self-hosted S3-compatible)
- **Backblaze B2** - `b2://bucket/path`
- **Azure Blob Storage** - `azure://container/path` (native support)
- **Google Cloud Storage** - `gcs://bucket/path` (native support)
-
-**Environment Variables:**
-```bash
-# AWS S3 / MinIO / B2
-export AWS_ACCESS_KEY_ID="your-key"
-export AWS_SECRET_ACCESS_KEY="your-secret"
-export AWS_REGION="us-east-1"
-
-# Azure Blob Storage
-export AZURE_STORAGE_ACCOUNT="myaccount"
-export AZURE_STORAGE_KEY="account-key"
+# AWS S3
+export AWS_ACCESS_KEY_ID="key"
+export AWS_SECRET_ACCESS_KEY="secret"
+dbbackup backup single mydb --cloud s3://bucket/path/
+
+# Azure Blob
+export AZURE_STORAGE_ACCOUNT="account"
+export AZURE_STORAGE_KEY="key"
+dbbackup backup single mydb --cloud azure://container/path/

 # Google Cloud Storage
-export GOOGLE_APPLICATION_CREDENTIALS="/path/to/service-account.json"
+export GOOGLE_APPLICATION_CREDENTIALS="/path/to/credentials.json"
+dbbackup backup single mydb --cloud gcs://bucket/path/
 ```

-**Features:**
- ✅ Streaming uploads (memory efficient)
- ✅ Multipart upload for large files (>100MB)
- ✅ Progress tracking
- ✅ Automatic metadata sync (.sha256, .info files)
- ✅ Restore directly from cloud URIs
- ✅ Cloud backup verification
- ✅ TUI integration for all cloud providers
+See [CLOUD.md](CLOUD.md) for detailed configuration.

-See [CLOUD.md](CLOUD.md) for detailed setup guides, testing with Docker, and advanced configuration.
+## Point-in-Time Recovery
+
+PITR for PostgreSQL allows restoring to any specific point in time:
+
+```bash
+# Enable PITR
+dbbackup pitr enable --archive-dir /backups/wal_archive
+
+# Restore to timestamp
+dbbackup restore pitr \
+  --base-backup /backups/base.tar.gz \
+  --wal-archive /backups/wal_archive \
+  --target-time "2024-11-26 12:00:00" \
+  --target-dir /var/lib/postgresql/14/restored
+```
+
+See [PITR.md](PITR.md) for detailed documentation.
+
+## Backup Cleanup
+
+Automatic retention management:
+
+```bash
+# Delete backups older than 30 days, keep minimum 5
+dbbackup cleanup /backups --retention-days 30 --min-backups 5
+
+# Preview deletions
+dbbackup cleanup /backups --retention-days 7 --dry-run
+```
+
+### GFS Retention Policy
+
+Grandfather-Father-Son (GFS) retention provides tiered backup rotation:
+
+```bash
+# GFS retention: 7 daily, 4 weekly, 12 monthly, 3 yearly
+dbbackup cleanup /backups --gfs \
+  --gfs-daily 7 \
+  --gfs-weekly 4 \
+  --gfs-monthly 12 \
+  --gfs-yearly 3
+
+# Custom weekly day (Saturday) and monthly day (15th)
+dbbackup cleanup /backups --gfs \
+  --gfs-weekly-day Saturday \
+  --gfs-monthly-day 15
+
+# Preview GFS deletions
+dbbackup cleanup /backups --gfs --dry-run
+```
+
+**GFS Tiers:**
+- **Daily**: Most recent N daily backups
+- **Weekly**: Best backup from each week (configurable day)
+- **Monthly**: Best backup from each month (configurable day)
+- **Yearly**: Best backup from January each year
+
+## Dry-Run Mode
+
+Preflight checks validate backup readiness without execution:
+
+```bash
+# Run preflight checks only
+dbbackup backup single mydb --dry-run
+dbbackup backup cluster -n  # Short flag
+```
+
+**Checks performed:**
+- Database connectivity (connect + ping)
+- Required tools availability (pg_dump, mysqldump, etc.)
+- Storage target accessibility and permissions
+- Backup size estimation
+- Encryption configuration validation
+- Cloud storage credentials (if configured)
+
+**Example output:**
+```
+╔══════════════════════════════════════════════════════════════╗
+║             [DRY RUN] Preflight Check Results                ║
+╚══════════════════════════════════════════════════════════════╝
+
+  Database: PostgreSQL PostgreSQL 15.4
+  Target:   postgres@localhost:5432/mydb
+
+  Checks:
+  ─────────────────────────────────────────────────────────────
+  ✅ Database Connectivity: Connected successfully
+  ✅ Required Tools:        pg_dump 15.4 available
+  ✅ Storage Target:        /backups writable (45 GB free)
+  ✅ Size Estimation:       ~2.5 GB required
+  ─────────────────────────────────────────────────────────────
+
+  ✅ All checks passed
+
+  Ready to backup. Remove --dry-run to execute.
+```
+
+## Backup Diagnosis
+
+Diagnose backup files before restore to detect corruption or truncation:
+
+```bash
+# Diagnose a backup file
+dbbackup restore diagnose backup.dump.gz
+
+# Deep analysis (line-by-line COPY block verification)
+dbbackup restore diagnose backup.dump.gz --deep
+
+# JSON output for automation
+dbbackup restore diagnose backup.dump.gz --json
+
+# Diagnose cluster archive (checks all contained dumps)
+dbbackup restore diagnose cluster_backup.tar.gz --deep
+```
+
+**Checks performed:**
+- PGDMP signature validation (PostgreSQL custom format)
+- Gzip integrity verification
+- COPY block termination (detects truncated dumps)
+- `pg_restore --list` validation
+- Archive structure analysis
+
+**Example output:**
+```
+🔍 Backup Diagnosis Report
+══════════════════════════════════════════════════════════════
+
+📁 File: mydb_20260105.dump.gz
+   Format: PostgreSQL Custom (gzip)
+   Size: 2.5 GB
+
+🔬 Analysis Results:
+   ✅ Gzip integrity: Valid
+   ✅ PGDMP signature: Valid
+   ✅ pg_restore --list: Success (245 objects)
+   ❌ COPY block check: TRUNCATED
+
+⚠️  Issues Found:
+   - COPY block for table 'orders' not terminated
+   - Dump appears truncated at line 1,234,567
+
+💡 Recommendations:
+   - Re-run the backup for this database
+   - Check disk space on backup server
+   - Verify network stability during backup
+```
+
+**In Interactive Mode:**
+- Press `d` in archive browser to diagnose any backup
+- Automatic dump validity check in restore preview
+- Toggle debug logging with `d` in restore options
+
+## Notifications
+
+Get alerted on backup events via email or webhooks. Configure via environment variables.
+
+### SMTP Email
+
+```bash
+# Environment variables
+export NOTIFY_SMTP_HOST="smtp.example.com"
+export NOTIFY_SMTP_PORT="587"
+export NOTIFY_SMTP_USER="alerts@example.com"
+export NOTIFY_SMTP_PASSWORD="secret"
+export NOTIFY_SMTP_FROM="dbbackup@example.com"
+export NOTIFY_SMTP_TO="admin@example.com,dba@example.com"
+
+# Run backup (notifications triggered when SMTP is configured)
+dbbackup backup single mydb
+```
+
+### Webhooks
+
+```bash
+# Generic webhook
+export NOTIFY_WEBHOOK_URL="https://api.example.com/webhooks/backup"
+export NOTIFY_WEBHOOK_SECRET="signing-secret"  # Optional HMAC signing
+
+# Slack webhook
+export NOTIFY_WEBHOOK_URL="https://hooks.slack.com/services/T00/B00/XXX"
+
+# Run backup (notifications triggered when webhook is configured)
+dbbackup backup single mydb
+```
+
+**Webhook payload:**
+```json
+{
+  "version": "1.0",
+  "event": {
+    "type": "backup_completed",
+    "severity": "info",
+    "timestamp": "2025-01-15T10:30:00Z",
+    "database": "mydb",
+    "message": "Backup completed successfully",
+    "backup_file": "/backups/mydb_20250115.dump.gz",
+    "backup_size": 2684354560,
+    "hostname": "db-server-01"
+  },
+  "subject": "✅ [dbbackup] Backup Completed: mydb"
+}
+```
+
+**Supported events:**
+- `backup_started`, `backup_completed`, `backup_failed`
+- `restore_started`, `restore_completed`, `restore_failed`
+- `cleanup_completed`
+- `verify_completed`, `verify_failed`
+- `pitr_recovery`
+- `dr_drill_passed`, `dr_drill_failed`
+- `gap_detected`, `rpo_violation`
+
+## Backup Catalog
+
+Track all backups in a SQLite catalog with gap detection and search:
+
+```bash
+# Sync backups from directory to catalog
+dbbackup catalog sync /backups
+
+# List recent backups
+dbbackup catalog list --database mydb --limit 10
+
+# Show catalog statistics
+dbbackup catalog stats
+
+# Detect backup gaps (missing scheduled backups)
+dbbackup catalog gaps --interval 24h --database mydb
+
+# Search backups
+dbbackup catalog search --database mydb --start 2024-01-01 --end 2024-12-31
+
+# Get backup info
+dbbackup catalog info 42
+```
+
+## DR Drill Testing
+
+Automated disaster recovery testing restores backups to Docker containers:
+
+```bash
+# Run full DR drill
+dbbackup drill run /backups/mydb_latest.dump.gz \
+  --database mydb \
+  --db-type postgres \
+  --timeout 30m
+
+# Quick drill (restore + basic validation)
+dbbackup drill quick /backups/mydb_latest.dump.gz --database mydb
+
+# List running drill containers
+dbbackup drill list
+
+# Cleanup old drill containers
+dbbackup drill cleanup --age 24h
+
+# Generate drill report
+dbbackup drill report --format html --output drill-report.html
+```
+
+**Drill phases:**
+1. Container creation
+2. Backup download (if cloud)
+3. Restore execution
+4. Database validation
+5. Custom query checks
+6. Cleanup
+
+## Compliance Reports
+
+Generate compliance reports for regulatory frameworks:
+
+```bash
+# Generate SOC2 report
+dbbackup report generate --type soc2 --days 90 --format html --output soc2-report.html
+
+# HIPAA compliance report
+dbbackup report generate --type hipaa --format markdown
+
+# Show compliance summary
+dbbackup report summary --type gdpr --days 30
+
+# List available frameworks
+dbbackup report list
+
+# Show controls for a framework
+dbbackup report controls soc2
+```
+
+**Supported frameworks:**
+- SOC2 Type II (Trust Service Criteria)
+- GDPR (General Data Protection Regulation)
+- HIPAA (Health Insurance Portability and Accountability Act)
+- PCI-DSS (Payment Card Industry Data Security Standard)
+- ISO 27001 (Information Security Management)
+
+## RTO/RPO Analysis
+
+Calculate and monitor Recovery Time/Point Objectives:
+
+```bash
+# Analyze RTO/RPO for a database
+dbbackup rto analyze mydb
+
+# Show status for all databases
+dbbackup rto status
+
+# Check against targets
+dbbackup rto check --rto 4h --rpo 1h
+
+# Set target objectives
+dbbackup rto analyze mydb --target-rto 4h --target-rpo 1h
+```
+
+**Analysis includes:**
+- Current RPO (time since last backup)
+- Estimated RTO (detection + download + restore + validation)
+- RTO breakdown by phase
+- Compliance status
+- Recommendations for improvement
+
+## Systemd Integration
+
+Install dbbackup as a systemd service for automated scheduled backups:
+
+```bash
+# Install with Prometheus metrics exporter
+sudo dbbackup install --backup-type cluster --with-metrics
+
+# Preview what would be installed
+dbbackup install --dry-run --backup-type cluster
+
+# Check installation status
+dbbackup install --status
+
+# Uninstall
+sudo dbbackup uninstall cluster --purge
+```
+
+**Schedule options:**
+```bash
+--schedule daily                    # Every day at midnight (default)
+--schedule weekly                   # Every Monday at midnight  
+--schedule "*-*-* 02:00:00"         # Every day at 2am
+--schedule "Mon *-*-* 03:00"        # Every Monday at 3am
+```
+
+**What gets installed:**
+- Systemd service and timer units
+- Dedicated `dbbackup` user with security hardening
+- Directories: `/var/lib/dbbackup/`, `/etc/dbbackup/`
+- Optional: Prometheus HTTP exporter on port 9399
+
+📖 **Full documentation:** [SYSTEMD.md](SYSTEMD.md) - Manual setup, security hardening, multiple instances, troubleshooting
+
+## Prometheus Metrics
+
+Export backup metrics for monitoring with Prometheus:
+
+### Textfile Collector
+
+For integration with node_exporter:
+
+```bash
+# Export metrics to textfile
+dbbackup metrics export --output /var/lib/node_exporter/textfile_collector/dbbackup.prom
+
+# Export for specific instance
+dbbackup metrics export --instance production --output /var/lib/dbbackup/metrics/production.prom
+```
+
+Configure node_exporter:
+```bash
+node_exporter --collector.textfile.directory=/var/lib/node_exporter/textfile_collector/
+```
+
+### HTTP Exporter
+
+Run a dedicated metrics HTTP server:
+
+```bash
+# Start metrics server on default port 9399
+dbbackup metrics serve
+
+# Custom port
+dbbackup metrics serve --port 9100
+
+# Run as systemd service (installed via --with-metrics)
+sudo systemctl start dbbackup-exporter
+```
+
+**Endpoints:**
+- `/metrics` - Prometheus exposition format
+- `/health` - Health check (returns 200 OK)
+
+**Available metrics:**
+| Metric | Type | Description |
+|--------|------|-------------|
+| `dbbackup_last_success_timestamp` | gauge | Unix timestamp of last successful backup |
+| `dbbackup_last_backup_duration_seconds` | gauge | Duration of last backup |
+| `dbbackup_last_backup_size_bytes` | gauge | Size of last backup |
+| `dbbackup_backup_total` | counter | Total backups by status (success/failure) |
+| `dbbackup_rpo_seconds` | gauge | Seconds since last successful backup |
+| `dbbackup_backup_verified` | gauge | Whether last backup was verified (1/0) |
+| `dbbackup_scrape_timestamp` | gauge | When metrics were collected |
+
+**Labels:** `instance`, `database`, `engine`
+
+**Example Prometheus query:**
+```promql
+# Alert if RPO exceeds 24 hours
+dbbackup_rpo_seconds{instance="production"} > 86400
+
+# Backup success rate
+sum(rate(dbbackup_backup_total{status="success"}[24h])) / sum(rate(dbbackup_backup_total[24h]))
+```

 ## Configuration

 ### PostgreSQL Authentication

-PostgreSQL uses different authentication methods based on system configuration.
-
-**Peer/Ident Authentication (Linux Default)**
-
-Run as postgres system user:
-
 ```bash
-sudo -u postgres ./dbbackup backup cluster
-```
+# Peer authentication
+sudo -u postgres dbbackup backup cluster

-**Password Authentication**
-
-Option 1: .pgpass file (recommended for automation):
-
-```bash
+# Password file
 echo "localhost:5432:*:postgres:password" > ~/.pgpass
 chmod 0600 ~/.pgpass
-./dbbackup backup single mydb --user postgres
-```

-Option 2: Environment variable:
-
-```bash
-export PGPASSWORD=your_password
-./dbbackup backup single mydb --user postgres
-```
-
-Option 3: Command line flag:
-
-```bash
-./dbbackup backup single mydb --user postgres --password your_password
+# Environment variable
+export PGPASSWORD=password
 ```

 ### MySQL/MariaDB Authentication

-**Option 1: Command line**
-
 ```bash
-./dbbackup backup single mydb --db-type mysql --user root --password secret
-```
+# Command line
+dbbackup backup single mydb --db-type mysql --user root --password secret

-**Option 2: Environment variable**
-
-```bash
-export MYSQL_PWD=your_password
-./dbbackup backup single mydb --db-type mysql --user root
-```
-
-**Option 3: Configuration file**
-
-```bash
+# Configuration file
 cat > ~/.my.cnf << EOF
 [client]
-user=backup_user
-password=your_password
-host=localhost
+user=root
+password=secret
 EOF
 chmod 0600 ~/.my.cnf
 ```

-### Environment Variables
+### Configuration Persistence

-PostgreSQL:
+Settings are saved to `.dbbackup.conf` in the current directory:

 ```bash
-export PG_HOST=localhost
-export PG_PORT=5432
-export PG_USER=postgres
-export PGPASSWORD=password
+--no-config       # Skip loading saved configuration
+--no-save-config  # Prevent saving configuration
 ```

-MySQL/MariaDB:
-
-```bash
-export MYSQL_HOST=localhost
-export MYSQL_PORT=3306
-export MYSQL_USER=root
-export MYSQL_PWD=password
-```
-
-General:
-
-```bash
-export BACKUP_DIR=/var/backups/databases
-export COMPRESS_LEVEL=6
-export CLUSTER_TIMEOUT_MIN=240
-```
-
-### Database Types
-
- `postgres` - PostgreSQL
- `mysql` - MySQL
- `mariadb` - MariaDB
-
-Select via:
- CLI: `-d postgres` or `--db-type postgres`
- Interactive: Arrow keys to cycle through options
-
 ## Performance

 ### Memory Usage

-Streaming architecture maintains constant memory usage:
+Streaming architecture maintains constant memory usage regardless of database size:

 | Database Size | Memory Usage |
 |---------------|--------------|
-| 1-10 GB      | ~800 MB      |
-| 10-50 GB     | ~900 MB      |
-| 50-100 GB    | ~950 MB      |
-| 100+ GB      | <1 GB        |
+| 1-100+ GB | < 1 GB |

-### Large Database Optimization
-
- Databases >5GB automatically use plain format with streaming compression
- Parallel compression via pigz (if available)
- Per-database timeout: 4 hours default
- Automatic format selection based on size
-
-### CPU Optimization
-
-Automatically detects CPU configuration and optimizes parallelism:
+### Optimization

 ```bash
-./dbbackup cpu
-```
-
-Manual override:
-
-```bash
-./dbbackup backup cluster \
+# High-performance backup
+dbbackup backup cluster \
  --max-cores 32 \
  --jobs 32 \
-  --cpu-workload cpu-intensive
+  --cpu-workload cpu-intensive \
+  --compression 3
 ```

-### Parallelism
-
-```bash
-./dbbackup backup cluster --jobs 16 --dump-jobs 16
-```
-
- `--jobs` - Compression/decompression parallel jobs
- `--dump-jobs` - Database dump parallel jobs
- `--max-cores` - Limit CPU cores (default: 16)
- Cluster operations use worker pools with configurable parallelism (default: 2 concurrent databases)
- Set `CLUSTER_PARALLELISM` environment variable to adjust concurrent database operations
-
-### CPU Workload
-
-```bash
-./dbbackup backup cluster --cpu-workload cpu-intensive
-```
-
-Options: `cpu-intensive`, `io-intensive`, `balanced` (default)
-
-Workload types automatically adjust Jobs and DumpJobs:
- **Balanced**: Jobs = PhysicalCores, DumpJobs = PhysicalCores/2 (min 2)
- **CPU-Intensive**: Jobs = PhysicalCores×2, DumpJobs = PhysicalCores (more parallelism)
- **I/O-Intensive**: Jobs = PhysicalCores/2 (min 1), DumpJobs = 2 (less parallelism to avoid I/O contention)
-
-Configure in interactive mode via Configuration Settings menu.
-
-### Compression
-
-```bash
-./dbbackup backup single mydb --compression 9
-```
-
- Level 0 = No compression (fastest)
- Level 6 = Balanced (default)
- Level 9 = Maximum compression (slowest)
-
-### SSL/TLS Configuration
-
-SSL modes: `disable`, `prefer`, `require`, `verify-ca`, `verify-full`
-
-```bash
-# Disable SSL
-./dbbackup backup single mydb --insecure
-
-# Require SSL
-./dbbackup backup single mydb --ssl-mode require
-
-# Verify certificate
-./dbbackup backup single mydb --ssl-mode verify-full
-```
-
-## Disaster Recovery
-
-Complete automated disaster recovery test:
-
-```bash
-sudo ./disaster_recovery_test.sh
-```
-
-This script:
-
-1. Backs up entire cluster with maximum performance
-2. Documents pre-backup state
-3. Destroys all user databases (confirmation required)
-4. Restores full cluster from backup
-5. Verifies restoration success
-
-**Warning:** Destructive operation. Use only in test environments.
-
-## Troubleshooting
-
-### Connection Issues
-
-**Test connectivity:**
-
-```bash
-./dbbackup status
-```
-
-**PostgreSQL peer authentication error:**
-
-```bash
-sudo -u postgres ./dbbackup status
-```
-
-**SSL/TLS issues:**
-
-```bash
-./dbbackup status --insecure
-```
-
-### Out of Memory
-
-**Check memory:**
-
-```bash
-free -h
-dmesg | grep -i oom
-```
-
-**Add swap space:**
-
-```bash
-sudo fallocate -l 16G /swapfile
-sudo chmod 600 /swapfile
-sudo mkswap /swapfile
-sudo swapon /swapfile
-```
-
-**Reduce parallelism:**
-
-```bash
-./dbbackup backup cluster --jobs 4 --dump-jobs 4
-```
-
-### Debug Mode
-
-Enable detailed logging:
-
-```bash
-./dbbackup backup single mydb --debug
-```
-
-### Common Errors
-
- **"Ident authentication failed"** - Run as matching OS user or configure password authentication
- **"Permission denied"** - Check database user privileges
- **"Disk space check failed"** - Ensure 4x archive size available
- **"Archive validation failed"** - Backup file corrupted or incomplete
-
-## Building
-
-Build for all platforms:
-
-```bash
-./build_all.sh
-```
-
-Binaries created in `bin/` directory.
+Workload types:
+- `balanced` - Default, suitable for most workloads
+- `cpu-intensive` - Higher parallelism for fast storage
+- `io-intensive` - Lower parallelism to avoid I/O contention

 ## Requirements

-### System Requirements
-
+**System:**
 - Linux, macOS, FreeBSD, OpenBSD, NetBSD
- 1 GB RAM minimum (2 GB recommended for large databases)
- Disk space: 30-50% of database size for backups
-
-### Software Requirements
+- 1 GB RAM minimum
+- Disk space: 30-50% of database size

 **PostgreSQL:**
- Client tools: psql, pg_dump, pg_dumpall, pg_restore
- PostgreSQL 10 or later
+- psql, pg_dump, pg_dumpall, pg_restore
+- PostgreSQL 10+

 **MySQL/MariaDB:**
- Client tools: mysql, mysqldump
+- mysql, mysqldump
 - MySQL 5.7+ or MariaDB 10.3+

-**Optional:**
- pigz (parallel compression)
- pv (progress monitoring)
+## Documentation

-## Best Practices
-
-1. **Test restores regularly** - Verify backups work before disasters occur
-2. **Monitor disk space** - Maintain 4x archive size free space for restore operations
-3. **Use appropriate compression** - Balance speed and space (level 3-6 for production)
-4. **Leverage configuration persistence** - Use .dbbackup.conf for consistent per-project settings
-5. **Automate backups** - Schedule via cron or systemd timers
-6. **Secure credentials** - Use .pgpass/.my.cnf with 0600 permissions, never save passwords in config files
-7. **Maintain multiple versions** - Keep 7-30 days of backups for point-in-time recovery
-8. **Store backups off-site** - Remote copies protect against site-wide failures
-9. **Validate archives** - Run verification checks on backup files periodically
-10. **Document procedures** - Maintain runbooks for restore operations and disaster recovery
-
-## Project Structure
-
-```
-dbbackup/
-├── main.go                      # Entry point
-├── cmd/                         # CLI commands
-├── internal/
-│   ├── backup/                  # Backup engine
-│   ├── restore/                 # Restore engine
-│   ├── config/                  # Configuration
-│   ├── database/                # Database drivers
-│   ├── cpu/                     # CPU detection
-│   ├── logger/                  # Logging
-│   ├── progress/                # Progress tracking
-│   └── tui/                     # Interactive UI
-├── bin/                         # Pre-compiled binaries
-├── disaster_recovery_test.sh    # DR testing script
-└── build_all.sh                 # Multi-platform build
-```
-
-## Support
-
- Repository: https://git.uuxo.net/uuxo/dbbackup
- Issues: Use repository issue tracker
+- [SYSTEMD.md](SYSTEMD.md) - Systemd installation & scheduling
+- [DOCKER.md](DOCKER.md) - Docker deployment
+- [CLOUD.md](CLOUD.md) - Cloud storage configuration
+- [PITR.md](PITR.md) - Point-in-Time Recovery
+- [AZURE.md](AZURE.md) - Azure Blob Storage
+- [GCS.md](GCS.md) - Google Cloud Storage
+- [SECURITY.md](SECURITY.md) - Security considerations
+- [CONTRIBUTING.md](CONTRIBUTING.md) - Contribution guidelines
+- [CHANGELOG.md](CHANGELOG.md) - Version history

 ## License

-MIT License
+Apache License 2.0 - see [LICENSE](LICENSE).

-## Testing
-
-### Automated QA Tests
-
-Comprehensive test suite covering all functionality:
-
-```bash
-./run_qa_tests.sh
-```
-
-**Test Coverage:**
- ✅ 24/24 tests passing (100%)
- Basic functionality (CLI operations, help, version)
- Backup file creation and validation
- Checksum and metadata generation
- Configuration management
- Error handling and edge cases
- Data integrity verification
-
-**CI/CD Integration:**
-```bash
-# Quick validation
-./run_qa_tests.sh
-
-# Full test suite with detailed output
-./run_qa_tests.sh 2>&1 | tee qa_results.log
-```
-
-The test suite validates:
- Single database backups
- File creation (.dump, .sha256, .info)
- Checksum validation
- Configuration loading/saving
- Retention policy enforcement
- Error handling for invalid inputs
- PostgreSQL dump format verification
-
-## Recent Improvements
-
-### v2.0 - Production-Ready Release (November 2025)
-
-**Quality Assurance:**
- ✅ **100% Test Coverage**: All 24 automated tests passing
- ✅ **Zero Critical Issues**: Production-validated and deployment-ready
- ✅ **Configuration Bug Fixed**: CLI flags now correctly override config file values
-
-**Reliability Enhancements:**
- **Context Cleanup**: Proper resource cleanup with sync.Once and io.Closer interface prevents memory leaks
- **Process Management**: Thread-safe process tracking with automatic cleanup on exit
- **Error Classification**: Regex-based error pattern matching for robust error handling
- **Performance Caching**: Disk space checks cached with 30-second TTL to reduce syscall overhead
- **Metrics Collection**: Structured logging with operation metrics for observability
-
-**Configuration Management:**
- **Persistent Configuration**: Auto-save/load settings to .dbbackup.conf in current directory
- **Per-Directory Settings**: Each project maintains its own database connection parameters
- **Flag Priority Fixed**: Command-line flags always take precedence over saved configuration
- **Security**: Passwords excluded from saved configuration files
-
-**Performance Optimizations:**
- **Parallel Cluster Operations**: Worker pool pattern for concurrent database backup/restore
- **Memory Efficiency**: Streaming command output eliminates OOM errors on large databases
- **Optimized Goroutines**: Ticker-based progress indicators reduce CPU overhead
- **Configurable Concurrency**: Control parallel database operations via CLUSTER_PARALLELISM
-
-**Cross-Platform Support:**
- **Platform-Specific Implementations**: Separate disk space and process management for Unix/Windows/BSD
- **Build Constraints**: Go build tags ensure correct compilation for each platform
- **Tested Platforms**: Linux (x64/ARM), macOS (x64/ARM), Windows (x64/ARM), FreeBSD, OpenBSD
-
-## Why dbbackup?
-
- **Production-Ready**: 100% test coverage, zero critical issues, fully validated
- **Reliable**: Thread-safe process management, comprehensive error handling, automatic cleanup
- **Efficient**: Constant memory footprint (~1GB) regardless of database size via streaming architecture
- **Fast**: Automatic CPU detection, parallel processing, streaming compression with pigz
- **Intelligent**: Context-aware error messages, disk space pre-flight checks, configuration persistence
- **Safe**: Dry-run by default, archive verification, confirmation prompts, backup validation
- **Flexible**: Multiple backup modes, compression levels, CPU workload profiles, per-directory configuration
- **Complete**: Full cluster operations, single database backups, sample data extraction
- **Cross-Platform**: Native binaries for Linux, macOS, Windows, FreeBSD, OpenBSD
- **Scalable**: Tested with databases from megabytes to 100+ gigabytes
- **Observable**: Structured logging, metrics collection, progress tracking with ETA
-
-dbbackup is production-ready for backup and disaster recovery operations on PostgreSQL, MySQL, and MariaDB databases. Successfully tested with 42GB databases containing 35,000 large objects.
+Copyright 2025 dbbackup Project
--- a/RELEASE_NOTES.md
+++ b/RELEASE_NOTES.md
@@ -0,0 +1,108 @@
+# v3.42.1 Release Notes
+
+## What's New in v3.42.1
+
+### Deduplication - Resistance is Futile
+
+Content-defined chunking deduplication for space-efficient backups. Like restic/borgbackup but with **native database dump support**.
+
+```bash
+# First backup: 5MB stored
+dbbackup dedup backup mydb.dump
+
+# Second backup (modified): only 1.6KB new data stored!
+# 100% deduplication ratio
+dbbackup dedup backup mydb_modified.dump
+```
+
+#### Features
+- **Gear Hash CDC** - Content-defined chunking with 92%+ overlap on shifted data
+- **SHA-256 Content-Addressed** - Chunks stored by hash, automatic deduplication
+- **AES-256-GCM Encryption** - Optional per-chunk encryption
+- **Gzip Compression** - Optional compression (enabled by default)
+- **SQLite Index** - Fast chunk lookups and statistics
+
+#### Commands
+```bash
+dbbackup dedup backup <file>              # Create deduplicated backup
+dbbackup dedup backup <file> --encrypt    # With AES-256-GCM encryption
+dbbackup dedup restore <id> <output>      # Restore from manifest
+dbbackup dedup list                       # List all backups
+dbbackup dedup stats                      # Show deduplication statistics
+dbbackup dedup delete <id>                # Delete a backup
+dbbackup dedup gc                         # Garbage collect unreferenced chunks
+```
+
+#### Storage Structure
+```
+<backup-dir>/dedup/
+  chunks/           # Content-addressed chunk files
+    ab/cdef1234...  # Sharded by first 2 chars of hash
+  manifests/        # JSON manifest per backup
+  chunks.db         # SQLite index
+```
+
+### Also Included (from v3.41.x)
+- **Systemd Integration** - One-command install with `dbbackup install`
+- **Prometheus Metrics** - HTTP exporter on port 9399
+- **Backup Catalog** - SQLite-based tracking of all backup operations
+- **Prometheus Alerting Rules** - Added to SYSTEMD.md documentation
+
+### Installation
+
+#### Quick Install (Recommended)
+```bash
+# Download for your platform
+curl -LO https://git.uuxo.net/UUXO/dbbackup/releases/download/v3.42.1/dbbackup-linux-amd64
+
+# Install with systemd service
+chmod +x dbbackup-linux-amd64
+sudo ./dbbackup-linux-amd64 install --config /path/to/config.yaml
+```
+
+#### Available Binaries
+| Platform | Architecture | Binary |
+|----------|--------------|--------|
+| Linux | amd64 | `dbbackup-linux-amd64` |
+| Linux | arm64 | `dbbackup-linux-arm64` |
+| macOS | Intel | `dbbackup-darwin-amd64` |
+| macOS | Apple Silicon | `dbbackup-darwin-arm64` |
+| FreeBSD | amd64 | `dbbackup-freebsd-amd64` |
+
+### Systemd Commands
+```bash
+dbbackup install --config config.yaml   # Install service + timer
+dbbackup install --status               # Check service status
+dbbackup install --uninstall            # Remove services
+```
+
+### Prometheus Metrics
+Available at `http://localhost:9399/metrics`:
+
+| Metric | Description |
+|--------|-------------|
+| `dbbackup_last_backup_timestamp` | Unix timestamp of last backup |
+| `dbbackup_last_backup_success` | 1 if successful, 0 if failed |
+| `dbbackup_last_backup_duration_seconds` | Duration of last backup |
+| `dbbackup_last_backup_size_bytes` | Size of last backup |
+| `dbbackup_backup_total` | Total number of backups |
+| `dbbackup_backup_errors_total` | Total number of failed backups |
+
+### Security Features
+- Hardened systemd service with `ProtectSystem=strict`
+- `NoNewPrivileges=true` prevents privilege escalation
+- Dedicated `dbbackup` system user (optional)
+- Credential files with restricted permissions
+
+### Documentation
+- [SYSTEMD.md](SYSTEMD.md) - Complete systemd installation guide
+- [README.md](README.md) - Full documentation
+- [CHANGELOG.md](CHANGELOG.md) - Version history
+
+### Bug Fixes
+- Fixed SQLite time parsing in dedup stats
+- Fixed function name collision in cmd package
+
+---
+
+**Full Changelog**: https://git.uuxo.net/UUXO/dbbackup/compare/v3.41.1...v3.42.1
--- a/ROADMAP.md
+++ b/ROADMAP.md
@@ -1,523 +0,0 @@
-# dbbackup Version 2.0 Roadmap
-
-## Current Status: v1.1 (Production Ready)
- ✅ 24/24 automated tests passing (100%)
- ✅ PostgreSQL, MySQL, MariaDB support
- ✅ Interactive TUI + CLI
- ✅ Cluster backup/restore
- ✅ Docker support
- ✅ Cross-platform binaries
-
---
-
-## Version 2.0 Vision: Enterprise-Grade Features
-
-Transform dbbackup into an enterprise-ready backup solution with cloud storage, incremental backups, PITR, and encryption.
-
-**Target Release:** Q2 2026 (3-4 months)
-
---
-
-## Priority Matrix
-
-```
-                    HIGH IMPACT
-                         │
-    ┌────────────────────┼────────────────────┐
-    │                    │                    │
-    │  Cloud Storage ⭐  │ Incremental ⭐⭐⭐ │
-    │  Verification      │ PITR ⭐⭐⭐       │
-    │  Retention         │ Encryption ⭐⭐   │
-LOW │                    │                    │ HIGH
-EFFORT ─────────────────┼──────────────────── EFFORT
-    │                    │                    │
-    │  Metrics           │ Web UI (optional)  │
-    │  Remote Restore    │ Replication Slots  │
-    │                    │                    │
-    └────────────────────┼────────────────────┘
-                         │
-                    LOW IMPACT
-```
-
---
-
-## Development Phases
-
-### Phase 1: Foundation (Weeks 1-4)
-
-**Sprint 1: Verification & Retention (2 weeks)**
-
-**Goals:**
- Backup integrity verification with SHA-256 checksums
- Automated retention policy enforcement
- Structured backup metadata
-
-**Features:**
- ✅ Generate SHA-256 checksums during backup
- ✅ Verify backups before/after restore
- ✅ Automatic cleanup of old backups
- ✅ Retention policy: days + minimum count
- ✅ Backup metadata in JSON format
-
-**Deliverables:**
-```bash
-# New commands
-dbbackup verify backup.dump
-dbbackup cleanup --retention-days 30 --min-backups 5
-
-# Metadata format
-{
-  "version": "2.0",
-  "timestamp": "2026-01-15T10:30:00Z",
-  "database": "production",
-  "size_bytes": 1073741824,
-  "sha256": "abc123...",
-  "db_version": "PostgreSQL 15.3",
-  "compression": "gzip-9"
-}
-```
-
-**Implementation:**
- `internal/verification/` - Checksum calculation and validation
- `internal/retention/` - Policy enforcement
- `internal/metadata/` - Backup metadata management
-
---
-
-**Sprint 2: Cloud Storage (2 weeks)**
-
-**Goals:**
- Upload backups to cloud storage
- Support multiple cloud providers
- Download and restore from cloud
-
-**Providers:**
- ✅ AWS S3
- ✅ MinIO (S3-compatible)
- ✅ Backblaze B2
- ✅ Azure Blob Storage (optional)
- ✅ Google Cloud Storage (optional)
-
-**Configuration:**
-```toml
-[cloud]
-enabled = true
-provider = "s3"  # s3, minio, azure, gcs, b2
-auto_upload = true
-
-[cloud.s3]
-bucket = "db-backups"
-region = "us-east-1"
-endpoint = "s3.amazonaws.com"  # Custom for MinIO
-access_key = "..."  # Or use IAM role
-secret_key = "..."
-```
-
-**New Commands:**
-```bash
-# Upload existing backup
-dbbackup cloud upload backup.dump
-
-# List cloud backups
-dbbackup cloud list
-
-# Download from cloud
-dbbackup cloud download backup_id
-
-# Restore directly from cloud
-dbbackup restore single s3://bucket/backup.dump --target mydb
-```
-
-**Dependencies:**
-```go
-"github.com/aws/aws-sdk-go-v2/service/s3"
-"github.com/Azure/azure-sdk-for-go/sdk/storage/azblob"
-"cloud.google.com/go/storage"
-```
-
---
-
-### Phase 2: Advanced Backup (Weeks 5-10)
-
-**Sprint 3: Incremental Backups (3 weeks)**
-
-**Goals:**
- Reduce backup time and storage
- File-level incremental for PostgreSQL
- Binary log incremental for MySQL
-
-**PostgreSQL Strategy:**
-```
-Full Backup (Base)
-    ├─ Incremental 1 (changed files since base)
-    ├─ Incremental 2 (changed files since inc1)
-    └─ Incremental 3 (changed files since inc2)
-```
-
-**MySQL Strategy:**
-```
-Full Backup
-    ├─ Binary Log 1 (changes since full)
-    ├─ Binary Log 2
-    └─ Binary Log 3
-```
-
-**Implementation:**
-```bash
-# Create base backup
-dbbackup backup single mydb --mode full
-
-# Create incremental
-dbbackup backup single mydb --mode incremental
-
-# Restore (automatically applies incrementals)
-dbbackup restore single backup.dump --apply-incrementals
-```
-
-**File Structure:**
-```
-backups/
-├── mydb_full_20260115.dump
-├── mydb_full_20260115.meta
-├── mydb_incr_20260116.dump      # Contains only changes
-├── mydb_incr_20260116.meta      # Points to base: mydb_full_20260115
-└── mydb_incr_20260117.dump
-```
-
---
-
-**Sprint 4: Security & Encryption (2 weeks)**
-
-**Goals:**
- Encrypt backups at rest
- Secure key management
- Encrypted cloud uploads
-
-**Features:**
- ✅ AES-256-GCM encryption
- ✅ Argon2 key derivation
- ✅ Multiple key sources (file, env, vault)
- ✅ Encrypted metadata
-
-**Configuration:**
-```toml
-[encryption]
-enabled = true
-algorithm = "aes-256-gcm"
-key_file = "/etc/dbbackup/encryption.key"
-
-# Or use environment variable
-# DBBACKUP_ENCRYPTION_KEY=base64key...
-```
-
-**Commands:**
-```bash
-# Generate encryption key
-dbbackup keys generate
-
-# Encrypt existing backup
-dbbackup encrypt backup.dump
-
-# Decrypt backup
-dbbackup decrypt backup.dump.enc
-
-# Automatic encryption
-dbbackup backup single mydb --encrypt
-```
-
-**File Format:**
-```
-+------------------+
-| Encryption Header|  (IV, algorithm, key ID)
-+------------------+
-| Encrypted Data   |  (AES-256-GCM)
-+------------------+
-| Auth Tag         |  (HMAC for integrity)
-+------------------+
-```
-
---
-
-**Sprint 5: Point-in-Time Recovery - PITR (4 weeks)**
-
-**Goals:**
- Restore to any point in time
- WAL archiving for PostgreSQL
- Binary log archiving for MySQL
-
-**PostgreSQL Implementation:**
-
-```toml
-[pitr]
-enabled = true
-wal_archive_dir = "/backups/wal_archive"
-wal_retention_days = 7
-
-# PostgreSQL config (auto-configured by dbbackup)
-# archive_mode = on
-# archive_command = '/usr/local/bin/dbbackup archive-wal %p %f'
-```
-
-**Commands:**
-```bash
-# Enable PITR
-dbbackup pitr enable
-
-# Archive WAL manually
-dbbackup archive-wal /var/lib/postgresql/pg_wal/000000010000000000000001
-
-# Restore to point-in-time
-dbbackup restore single backup.dump \
-  --target-time "2026-01-15 14:30:00" \
-  --target mydb
-
-# Show available restore points
-dbbackup pitr timeline
-```
-
-**WAL Archive Structure:**
-```
-wal_archive/
-├── 000000010000000000000001
-├── 000000010000000000000002
-├── 000000010000000000000003
-└── timeline.json
-```
-
-**MySQL Implementation:**
-```bash
-# Archive binary logs
-dbbackup binlog archive --start-datetime "2026-01-15 00:00:00"
-
-# PITR restore
-dbbackup restore single backup.sql \
-  --target-time "2026-01-15 14:30:00" \
-  --apply-binlogs
-```
-
---
-
-### Phase 3: Enterprise Features (Weeks 11-16)
-
-**Sprint 6: Observability & Integration (3 weeks)**
-
-**Features:**
-
-1. **Prometheus Metrics**
-```go
-# Exposed metrics
-dbbackup_backup_duration_seconds
-dbbackup_backup_size_bytes
-dbbackup_backup_success_total
-dbbackup_restore_duration_seconds
-dbbackup_last_backup_timestamp
-dbbackup_cloud_upload_duration_seconds
-```
-
-**Endpoint:**
-```bash
-# Start metrics server
-dbbackup metrics serve --port 9090
-
-# Scrape endpoint
-curl http://localhost:9090/metrics
-```
-
-2. **Remote Restore**
-```bash
-# Restore to remote server
-dbbackup restore single backup.dump \
-  --remote-host db-replica-01 \
-  --remote-user postgres \
-  --remote-port 22 \
-  --confirm
-```
-
-3. **Replication Slots (PostgreSQL)**
-```bash
-# Create replication slot for continuous WAL streaming
-dbbackup replication create-slot backup_slot
-
-# Stream WALs via replication
-dbbackup replication stream backup_slot
-```
-
-4. **Webhook Notifications**
-```toml
-[notifications]
-enabled = true
-webhook_url = "https://slack.com/webhook/..."
-notify_on = ["backup_complete", "backup_failed", "restore_complete"]
-```
-
---
-
-## Technical Architecture
-
-### New Directory Structure
-
-```
-internal/
-├── cloud/              # Cloud storage backends
-│   ├── interface.go
-│   ├── s3.go
-│   ├── azure.go
-│   └── gcs.go
-├── encryption/         # Encryption layer
-│   ├── aes.go
-│   ├── keys.go
-│   └── vault.go
-├── incremental/        # Incremental backup engine
-│   ├── postgres.go
-│   └── mysql.go
-├── pitr/              # Point-in-time recovery
-│   ├── wal.go
-│   ├── binlog.go
-│   └── timeline.go
-├── verification/      # Backup verification
-│   ├── checksum.go
-│   └── validate.go
-├── retention/         # Retention policy
-│   └── cleanup.go
-├── metrics/           # Prometheus metrics
-│   └── exporter.go
-└── replication/       # Replication management
-    └── slots.go
-```
-
-### Required Dependencies
-
-```go
-// Cloud storage
-"github.com/aws/aws-sdk-go-v2/service/s3"
-"github.com/Azure/azure-sdk-for-go/sdk/storage/azblob"
-"cloud.google.com/go/storage"
-
-// Encryption
-"crypto/aes"
-"crypto/cipher"
-"golang.org/x/crypto/argon2"
-
-// Metrics
-"github.com/prometheus/client_golang/prometheus"
-"github.com/prometheus/client_golang/prometheus/promhttp"
-
-// PostgreSQL replication
-"github.com/jackc/pgx/v5/pgconn"
-
-// Fast file scanning for incrementals
-"github.com/karrick/godirwalk"
-```
-
---
-
-## Testing Strategy
-
-### v2.0 Test Coverage Goals
- Minimum 90% code coverage
- Integration tests for all cloud providers
- End-to-end PITR scenarios
- Performance benchmarks for incremental backups
- Encryption/decryption validation
- Multi-database restore tests
-
-### New Test Suites
-```bash
-# Cloud storage tests
-./run_qa_tests.sh --suite cloud
-
-# Incremental backup tests
-./run_qa_tests.sh --suite incremental
-
-# PITR tests
-./run_qa_tests.sh --suite pitr
-
-# Encryption tests
-./run_qa_tests.sh --suite encryption
-
-# Full v2.0 suite
-./run_qa_tests.sh --suite v2
-```
-
---
-
-## Migration Path
-
-### v1.x → v2.0 Compatibility
- ✅ All v1.x backups readable in v2.0
- ✅ Configuration auto-migration
- ✅ Metadata format upgrade
- ✅ Backward-compatible commands
-
-### Deprecation Timeline
- v2.0: Warning for old config format
- v2.1: Full migration required
- v3.0: Old format no longer supported
-
---
-
-## Documentation Updates
-
-### New Docs
- `CLOUD.md` - Cloud storage configuration
- `INCREMENTAL.md` - Incremental backup guide
- `PITR.md` - Point-in-time recovery
- `ENCRYPTION.md` - Encryption setup
- `METRICS.md` - Prometheus integration
-
---
-
-## Success Metrics
-
-### v2.0 Goals
- 🎯 95%+ test coverage
- 🎯 Support 1TB+ databases with incrementals
- 🎯 PITR with <5 minute granularity
- 🎯 Cloud upload/download >100MB/s
- 🎯 Encryption overhead <10%
- 🎯 Full compatibility with pgBackRest for PostgreSQL
- 🎯 Industry-leading MySQL PITR solution
-
---
-
-## Release Schedule
-
- **v2.0-alpha** (End Sprint 3): Cloud + Verification
- **v2.0-beta** (End Sprint 5): + Incremental + PITR
- **v2.0-rc1** (End Sprint 6): + Enterprise features
- **v2.0 GA** (Q2 2026): Production release
-
---
-
-## What Makes v2.0 Unique
-
-After v2.0, dbbackup will be:
-
-✅ **Only multi-database tool** with full PITR support  
-✅ **Best-in-class UX** (TUI + CLI + Docker + K8s)  
-✅ **Feature parity** with pgBackRest (PostgreSQL)  
-✅ **Superior to mysqldump** with incremental + PITR  
-✅ **Cloud-native** with multi-provider support  
-✅ **Enterprise-ready** with encryption + metrics  
-✅ **Zero-config** for 80% of use cases  
-
---
-
-## Contributing
-
-Want to contribute to v2.0? Check out:
- [CONTRIBUTING.md](CONTRIBUTING.md)
- [Good First Issues](https://git.uuxo.net/uuxo/dbbackup/issues?labels=good-first-issue)
- [v2.0 Milestone](https://git.uuxo.net/uuxo/dbbackup/milestone/2)
-
---
-
-## Questions?
-
-Open an issue or start a discussion:
- Issues: https://git.uuxo.net/uuxo/dbbackup/issues
- Discussions: https://git.uuxo.net/uuxo/dbbackup/discussions
-
---
-
-**Next Step:** Sprint 1 - Backup Verification & Retention (January 2026)
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -0,0 +1,201 @@
+# Security Policy
+
+## Supported Versions
+
+We release security updates for the following versions:
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 3.1.x   | :white_check_mark: |
+| 3.0.x   | :white_check_mark: |
+| < 3.0   | :x:                |
+
+## Reporting a Vulnerability
+
+**Please do not report security vulnerabilities through public GitHub issues.**
+
+### Preferred Method: Private Disclosure
+
+**Email:** security@uuxo.net
+
+**Include in your report:**
+1. **Description** - Clear description of the vulnerability
+2. **Impact** - What an attacker could achieve
+3. **Reproduction** - Step-by-step instructions to reproduce
+4. **Version** - Affected dbbackup version(s)
+5. **Environment** - OS, database type, configuration
+6. **Proof of Concept** - Code or commands demonstrating the issue (if applicable)
+
+### Response Timeline
+
+- **Initial Response:** Within 48 hours
+- **Status Update:** Within 7 days
+- **Fix Timeline:** Depends on severity
+  - **Critical:** 1-3 days
+  - **High:** 1-2 weeks
+  - **Medium:** 2-4 weeks
+  - **Low:** Next release cycle
+
+### Severity Levels
+
+**Critical:**
+- Remote code execution
+- SQL injection
+- Arbitrary file read/write
+- Authentication bypass
+- Encryption key exposure
+
+**High:**
+- Privilege escalation
+- Information disclosure (sensitive data)
+- Denial of service (easily exploitable)
+
+**Medium:**
+- Information disclosure (non-sensitive)
+- Denial of service (requires complex conditions)
+- CSRF attacks
+
+**Low:**
+- Information disclosure (minimal impact)
+- Issues requiring local access
+
+## Security Best Practices
+
+### For Users
+
+**Encryption Keys:**
+- ✅ Generate strong 32-byte keys: `head -c 32 /dev/urandom | base64 > key.file`
+- ✅ Store keys securely (KMS, HSM, or encrypted filesystem)
+- ✅ Use unique keys per environment
+- ❌ Never commit keys to version control
+- ❌ Never share keys over unencrypted channels
+
+**Database Credentials:**
+- ✅ Use read-only accounts for backups when possible
+- ✅ Rotate credentials regularly
+- ✅ Use environment variables or secure config files
+- ❌ Never hardcode credentials in scripts
+- ❌ Avoid using root/admin accounts
+
+**Backup Storage:**
+- ✅ Encrypt backups with `--encrypt` flag
+- ✅ Use secure cloud storage with encryption at rest
+- ✅ Implement proper access controls (IAM, ACLs)
+- ✅ Enable backup retention and versioning
+- ❌ Never store unencrypted backups on public storage
+
+**Docker Usage:**
+- ✅ Use specific version tags (`:v3.2.0` not `:latest`)
+- ✅ Run as non-root user (default in our image)
+- ✅ Mount volumes read-only when possible
+- ✅ Use Docker secrets for credentials
+- ❌ Don't run with `--privileged` unless necessary
+
+### For Developers
+
+**Code Security:**
+- Always validate user input
+- Use parameterized queries (no SQL injection)
+- Sanitize file paths (no directory traversal)
+- Handle errors securely (no sensitive data in logs)
+- Use crypto/rand for random generation
+
+**Dependencies:**
+- Keep dependencies updated
+- Review security advisories for Go packages
+- Use `go mod verify` to check integrity
+- Scan for vulnerabilities with `govulncheck`
+
+**Secrets in Code:**
+- Never commit secrets to git
+- Use `.gitignore` for sensitive files
+- Rotate any accidentally exposed credentials
+- Use environment variables for configuration
+
+## Known Security Considerations
+
+### Encryption
+
+**AES-256-GCM:**
+- Uses authenticated encryption (prevents tampering)
+- PBKDF2 with 600,000 iterations (OWASP 2023 recommendation)
+- Unique nonce per encryption operation
+- Secure random generation (crypto/rand)
+
+**Key Management:**
+- Keys are NOT stored by dbbackup
+- Users responsible for key storage and management
+- Support for multiple key sources (file, env, passphrase)
+
+### Database Access
+
+**Credential Handling:**
+- Credentials passed via environment variables
+- Connection strings support sslmode/ssl options
+- Support for certificate-based authentication
+
+**Network Security:**
+- Supports SSL/TLS for database connections
+- No credential caching or persistence
+- Connections closed immediately after use
+
+### Cloud Storage
+
+**Cloud Provider Security:**
+- Uses official SDKs (AWS, Azure, Google)
+- Supports IAM roles and managed identities
+- Respects provider encryption settings
+- No credential storage (uses provider auth)
+
+## Security Audit History
+
+| Date       | Auditor          | Scope                    | Status |
+|------------|------------------|--------------------------|--------|
+| 2025-11-26 | Internal Review  | Initial release audit    | ✅ Pass |
+
+## Vulnerability Disclosure Policy
+
+**Coordinated Disclosure:**
+1. Reporter submits vulnerability privately
+2. We confirm and assess severity
+3. We develop and test a fix
+4. We prepare security advisory
+5. We release patched version
+6. We publish security advisory
+7. Reporter receives credit (if desired)
+
+**Public Disclosure:**
+- Security advisories published after fix is available
+- CVE requested for critical/high severity issues
+- Credit given to reporter (unless anonymity requested)
+
+## Security Updates
+
+**Notification Channels:**
+- Security advisories on repository
+- Release notes for patched versions
+- Email notification (for enterprise users)
+
+**Updating:**
+```bash
+# Check current version
+./dbbackup --version
+
+# Download latest version
+wget https://git.uuxo.net/PlusOne/dbbackup/releases/latest
+
+# Or pull latest Docker image
+docker pull git.uuxo.net/PlusOne/dbbackup:latest
+```
+
+## Contact
+
+**Security Issues:** security@uuxo.net  
+**General Issues:** https://git.uuxo.net/PlusOne/dbbackup/issues  
+**Repository:** https://git.uuxo.net/PlusOne/dbbackup
+
+---
+
+**We take security seriously and appreciate responsible disclosure.** 🔒
+
+Thank you for helping keep dbbackup and its users safe!
--- a/SPRINT4_COMPLETION.md
+++ b/SPRINT4_COMPLETION.md
@@ -1,575 +0,0 @@
-# Sprint 4 Completion Summary
-
-**Sprint 4: Azure Blob Storage & Google Cloud Storage Native Support**  
-**Status:** ✅ COMPLETE  
-**Commit:** e484c26  
-**Tag:** v2.0-sprint4  
-**Date:** November 25, 2025
-
---
-
-## Overview
-
-Sprint 4 successfully implements **full native support** for Azure Blob Storage and Google Cloud Storage, closing the architectural gap identified during Sprint 3 evaluation. The URI parser previously accepted `azure://` and `gs://` URIs but the backend factory could not instantiate them. Sprint 4 delivers complete Azure and GCS backends with production-grade features.
-
---
-
-## What Was Implemented
-
-### 1. Azure Blob Storage Backend (`internal/cloud/azure.go`) - 410 lines
-
-**Native Azure SDK Integration:**
- Uses `github.com/Azure/azure-sdk-for-go/sdk/storage/azblob` v1.6.3
- Full Azure Blob Storage client with shared key authentication
- Support for both production Azure and Azurite emulator
-
-**Block Blob Upload for Large Files:**
- Automatic block blob staging for files >256MB
- 100MB block size with sequential upload
- Base64-encoded block IDs for Azure compatibility
- SHA-256 checksum stored as blob metadata
-
-**Authentication Methods:**
- Account name + account key (primary/secondary)
- Custom endpoint for Azurite emulator
- Default Azurite credentials: `devstoreaccount1`
-
-**Core Operations:**
- `Upload()`: Streaming upload with progress tracking, automatic block staging
- `Download()`: Streaming download with progress tracking
- `List()`: Paginated blob listing with metadata
- `Delete()`: Blob deletion
- `Exists()`: Blob existence check with proper 404 handling
- `GetSize()`: Blob size retrieval
- `Name()`: Returns "azure"
-
-**Progress Tracking:**
- Uses `NewProgressReader()` for consistent progress reporting
- Updates every 100ms during transfers
- Supports both simple and block blob uploads
-
-### 2. Google Cloud Storage Backend (`internal/cloud/gcs.go`) - 270 lines
-
-**Native GCS SDK Integration:**
- Uses `cloud.google.com/go/storage` v1.57.2
- Full GCS client with multiple authentication methods
- Support for both production GCS and fake-gcs-server emulator
-
-**Chunked Upload for Large Files:**
- Automatic chunking with 16MB chunk size
- Streaming upload with `NewWriter()`
- SHA-256 checksum stored as object metadata
-
-**Authentication Methods:**
- Application Default Credentials (ADC) - recommended
- Service account JSON key file
- Custom endpoint for fake-gcs-server emulator
- Workload Identity for GKE
-
-**Core Operations:**
- `Upload()`: Streaming upload with automatic chunking
- `Download()`: Streaming download with progress tracking
- `List()`: Paginated object listing with metadata
- `Delete()`: Object deletion
- `Exists()`: Object existence check with `ErrObjectNotExist`
- `GetSize()`: Object size retrieval
- `Name()`: Returns "gcs"
-
-**Progress Tracking:**
- Uses `NewProgressReader()` for consistent progress reporting
- Supports large file streaming without memory bloat
-
-### 3. Backend Factory Updates (`internal/cloud/interface.go`)
-
-**NewBackend() Switch Cases Added:**
-```go
-case "azure", "azblob":
-    return NewAzureBackend(cfg)
-case "gs", "gcs", "google":
-    return NewGCSBackend(cfg)
-```
-
-**Updated Error Message:**
- Now includes Azure and GCS in supported providers list
- Was: `"unsupported cloud provider: %s (supported: s3, minio, b2)"`
- Now: `"unsupported cloud provider: %s (supported: s3, minio, b2, azure, gcs)"`
-
-### 4. Configuration Updates (`internal/config/config.go`)
-
-**Updated Field Comments:**
- `CloudProvider`: Now documents "s3", "minio", "b2", "azure", "gcs"
- `CloudBucket`: Changed to "Bucket/container name"
- `CloudRegion`: Added "(for S3, GCS)"
- `CloudEndpoint`: Added "Azurite, fake-gcs-server"
- `CloudAccessKey`: Added "Account name (Azure) / Service account file (GCS)"
- `CloudSecretKey`: Added "Account key (Azure)"
-
-### 5. Azure Testing Infrastructure
-
-**docker-compose.azurite.yml:**
- Azurite emulator on ports 10000-10002
- PostgreSQL 16 on port 5434
- MySQL 8.0 on port 3308
- Health checks for all services
- Automatic Azurite startup with loose mode
-
-**scripts/test_azure_storage.sh - 8 Test Scenarios:**
-1. PostgreSQL backup to Azure
-2. MySQL backup to Azure
-3. List Azure backups
-4. Verify backup integrity
-5. Restore from Azure (with data verification)
-6. Large file upload (300MB with block blob)
-7. Delete backup from Azure
-8. Cleanup old backups (retention policy)
-
-**Test Features:**
- Colored output (red/green/yellow/blue)
- Exit code tracking (pass/fail counters)
- Service startup with health checks
- Database test data creation
- Cleanup on success, debug mode on failure
-
-### 6. GCS Testing Infrastructure
-
-**docker-compose.gcs.yml:**
- fake-gcs-server emulator on port 4443
- PostgreSQL 16 on port 5435
- MySQL 8.0 on port 3309
- Health checks for all services
- HTTP mode for emulator (no TLS)
-
-**scripts/test_gcs_storage.sh - 8 Test Scenarios:**
-1. PostgreSQL backup to GCS
-2. MySQL backup to GCS
-3. List GCS backups
-4. Verify backup integrity
-5. Restore from GCS (with data verification)
-6. Large file upload (200MB with chunked upload)
-7. Delete backup from GCS
-8. Cleanup old backups (retention policy)
-
-**Test Features:**
- Colored output (red/green/yellow/blue)
- Exit code tracking (pass/fail counters)
- Automatic bucket creation via curl
- Service startup with health checks
- Database test data creation
- Cleanup on success, debug mode on failure
-
-### 7. Azure Documentation (`AZURE.md` - 600+ lines)
-
-**Comprehensive Coverage:**
- Quick start guide with 3-step setup
- URI syntax and examples
- 3 authentication methods (URI params, env vars, connection string)
- Container setup and configuration
- Access tiers (Hot/Cool/Archive)
- Lifecycle management policies
- Usage examples (backup, restore, verify, list, cleanup)
- Advanced features (block blob upload, progress tracking, concurrent ops)
- Azurite emulator setup and testing
- Best practices (security, performance, cost, reliability, organization)
- Troubleshooting guide with 6 problem categories
- Additional resources and support links
-
-**Key Examples:**
- Production Azure backup with account key
- Azurite local testing
- Scheduled backups with cron
- Large file handling (>256MB)
- Metadata and checksums
-
-### 8. GCS Documentation (`GCS.md` - 600+ lines)
-
-**Comprehensive Coverage:**
- Quick start guide with 3-step setup
- URI syntax and examples (supports both gs:// and gcs://)
- 3 authentication methods (ADC, service account, Workload Identity)
- IAM permissions and roles
- Bucket setup and configuration
- Storage classes (Standard/Nearline/Coldline/Archive)
- Lifecycle management policies
- Regional configuration
- Usage examples (backup, restore, verify, list, cleanup)
- Advanced features (chunked upload, progress tracking, versioning, CMEK)
- fake-gcs-server emulator setup and testing
- Best practices (security, performance, cost, reliability, organization)
- Monitoring and alerting with Cloud Monitoring
- Troubleshooting guide with 6 problem categories
- Additional resources and support links
-
-**Key Examples:**
- ADC authentication (recommended)
- Service account JSON key file
- Workload Identity for GKE
- Scheduled backups with cron and systemd timer
- Large file handling (chunked upload)
- Object versioning and CMEK
-
-### 9. Updated Main Cloud Documentation (`CLOUD.md`)
-
-**Supported Providers List Updated:**
- Added "Azure Blob Storage (native support)"
- Added "Google Cloud Storage (native support)"
-
-**URI Syntax Section Updated:**
- `azure://` or `azblob://` - Azure Blob Storage (native support)
- `gs://` or `gcs://` - Google Cloud Storage (native support)
-
-**Provider-Specific Setup:**
- Replaced GCS S3-compatibility section with native GCS section
- Added Azure Blob Storage section with quick start
- Both sections link to comprehensive guides (AZURE.md, GCS.md)
-
-**Features Documented:**
- Azure: Block blob upload, Azurite support, native SDK
- GCS: Chunked upload, fake-gcs-server support, ADC
-
-**FAQ Updated:**
- Added Azure and GCS to cost comparison table
-
-**Related Documentation:**
- Added links to AZURE.md and GCS.md
- Added links to docker-compose files and test scripts
-
---
-
-## Code Statistics
-
-### Files Created:
-1. `internal/cloud/azure.go` - 410 lines (Azure backend)
-2. `internal/cloud/gcs.go` - 270 lines (GCS backend)
-3. `AZURE.md` - 600+ lines (Azure documentation)
-4. `GCS.md` - 600+ lines (GCS documentation)
-5. `docker-compose.azurite.yml` - 68 lines
-6. `docker-compose.gcs.yml` - 62 lines
-7. `scripts/test_azure_storage.sh` - 350+ lines
-8. `scripts/test_gcs_storage.sh` - 350+ lines
-
-### Files Modified:
-1. `internal/cloud/interface.go` - Added Azure/GCS cases to NewBackend()
-2. `internal/config/config.go` - Updated field comments
-3. `CLOUD.md` - Added Azure/GCS sections
-4. `go.mod` - Added Azure and GCS dependencies
-5. `go.sum` - Dependency checksums
-
-### Total Impact:
- **Lines Added:** 2,990
- **Lines Modified:** 28
- **New Files:** 8
- **Modified Files:** 6
- **New Dependencies:** ~50 packages (Azure SDK + GCS SDK)
- **Binary Size:** 68MB (includes Azure/GCS SDKs)
-
---
-
-## Dependencies Added
-
-### Azure SDK:
-```
-github.com/Azure/azure-sdk-for-go/sdk/azcore v1.20.0
-github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.6.3
-github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2
-```
-
-### Google Cloud SDK:
-```
-cloud.google.com/go/storage v1.57.2
-google.golang.org/api v0.256.0
-cloud.google.com/go/auth v0.17.0
-cloud.google.com/go/iam v1.5.2
-google.golang.org/grpc v1.76.0
-golang.org/x/oauth2 v0.33.0
-```
-
-### Transitive Dependencies:
- ~50 additional packages for Azure and GCS support
- OpenTelemetry instrumentation
- gRPC and protobuf
- OAuth2 and authentication libraries
-
---
-
-## Testing Verification
-
-### Build Verification:
-```bash
-$ go build -o dbbackup_sprint4 .
-BUILD SUCCESSFUL
-$ ls -lh dbbackup_sprint4
-rwxr-xr-x. 1 root root 68M Nov 25 21:30 dbbackup_sprint4
-```
-
-### Test Scripts Created:
-1. **Azure:** `./scripts/test_azure_storage.sh`
-   - 8 comprehensive test scenarios
-   - PostgreSQL and MySQL backup/restore
-   - 300MB large file upload (block blob verification)
-   - Retention policy testing
-
-2. **GCS:** `./scripts/test_gcs_storage.sh`
-   - 8 comprehensive test scenarios
-   - PostgreSQL and MySQL backup/restore
-   - 200MB large file upload (chunked upload verification)
-   - Retention policy testing
-
-### Integration Test Coverage:
- Upload operations with progress tracking
- Download operations with verification
- Large file handling (block/chunked upload)
- Backup integrity verification (SHA-256)
- Restore operations with data validation
- Cleanup and retention policies
- Container/bucket management
- Error handling and edge cases
-
---
-
-## URI Support Comparison
-
-### Before Sprint 4:
-```bash
-# These URIs would parse but fail with "unsupported cloud provider"
-azure://container/backup.sql
-gs://bucket/backup.sql
-```
-
-### After Sprint 4:
-```bash
-# Azure URI - FULLY SUPPORTED
-azure://container/backups/db.sql?account=myaccount&key=ACCOUNT_KEY
-
-# Azure with Azurite
-azure://test-backups/db.sql?endpoint=http://localhost:10000
-
-# GCS URI - FULLY SUPPORTED  
-gs://bucket/backups/db.sql
-
-# GCS with service account
-gs://bucket/backups/db.sql?credentials=/path/to/key.json
-
-# GCS with fake-gcs-server
-gs://test-backups/db.sql?endpoint=http://localhost:4443/storage/v1
-```
-
---
-
-## Multi-Cloud Feature Parity
-
-| Feature | S3 | MinIO | B2 | Azure | GCS |
-|---------|----|----|----|----|-----|
-| Native SDK | ✅ | ✅ | ✅ | ✅ | ✅ |
-| Multipart Upload | ✅ | ✅ | ✅ | ✅ (Block) | ✅ (Chunked) |
-| Progress Tracking | ✅ | ✅ | ✅ | ✅ | ✅ |
-| SHA-256 Checksums | ✅ | ✅ | ✅ | ✅ | ✅ |
-| Emulator Support | ✅ | ✅ | ❌ | ✅ (Azurite) | ✅ (fake-gcs) |
-| Test Suite | ✅ | ✅ | ❌ | ✅ (8 tests) | ✅ (8 tests) |
-| Documentation | ✅ | ✅ | ✅ | ✅ (600+ lines) | ✅ (600+ lines) |
-| Large Files | ✅ | ✅ | ✅ | ✅ (>256MB) | ✅ (16MB chunks) |
-| Auto-detect | ✅ | ✅ | ✅ | ✅ | ✅ |
-
---
-
-## Example Usage
-
-### Azure Backup:
-```bash
-# Production Azure
-dbbackup backup postgres \
-  --host localhost \
-  --database mydb \
-  --cloud "azure://prod-backups/postgres/db.sql?account=myaccount&key=KEY"
-
-# Azurite emulator
-dbbackup backup postgres \
-  --host localhost \
-  --database mydb \
-  --cloud "azure://test-backups/db.sql?endpoint=http://localhost:10000"
-```
-
-### GCS Backup:
-```bash
-# Using Application Default Credentials
-dbbackup backup postgres \
-  --host localhost \
-  --database mydb \
-  --cloud "gs://prod-backups/postgres/db.sql"
-
-# With service account
-dbbackup backup postgres \
-  --host localhost \
-  --database mydb \
-  --cloud "gs://prod-backups/db.sql?credentials=/path/to/key.json"
-
-# fake-gcs-server emulator
-dbbackup backup postgres \
-  --host localhost \
-  --database mydb \
-  --cloud "gs://test-backups/db.sql?endpoint=http://localhost:4443/storage/v1"
-```
-
---
-
-## Git History
-
-```bash
-Commit: e484c26
-Author: [Your Name]
-Date: November 25, 2025
-
-feat: Sprint 4 - Azure Blob Storage and Google Cloud Storage support
-
-Tag: v2.0-sprint4
-Files Changed: 14
-Insertions: 2,990
-Deletions: 28
-```
-
-**Push Status:**
- ✅ Pushed to remote: git.uuxo.net:uuxo/dbbackup
- ✅ Tag v2.0-sprint4 pushed
- ✅ All changes synchronized
-
---
-
-## Architecture Impact
-
-### Before Sprint 4:
-```
-URI Parser ──────► Backend Factory
-     │                   │
-     ├─ s3://           ├─ S3Backend ✅
-     ├─ minio://        ├─ S3Backend (MinIO mode) ✅
-     ├─ b2://           ├─ S3Backend (B2 mode) ✅
-     ├─ azure://        └─ ERROR ❌
-     └─ gs://               ERROR ❌
-```
-
-### After Sprint 4:
-```
-URI Parser ──────► Backend Factory
-     │                   │
-     ├─ s3://           ├─ S3Backend ✅
-     ├─ minio://        ├─ S3Backend (MinIO mode) ✅
-     ├─ b2://           ├─ S3Backend (B2 mode) ✅
-     ├─ azure://        ├─ AzureBackend ✅
-     └─ gs://           └─ GCSBackend ✅
-```
-
-**Gap Closed:** URI parser and backend factory now fully aligned.
-
---
-
-## Best Practices Implemented
-
-### Azure:
-1. **Security:** Account key in URI params, support for connection strings
-2. **Performance:** Block blob staging for files >256MB
-3. **Reliability:** SHA-256 checksums in metadata
-4. **Testing:** Azurite emulator with full test suite
-5. **Documentation:** 600+ lines covering all use cases
-
-### GCS:
-1. **Security:** ADC preferred, service account JSON support
-2. **Performance:** 16MB chunked upload for large files
-3. **Reliability:** SHA-256 checksums in metadata
-4. **Testing:** fake-gcs-server emulator with full test suite
-5. **Documentation:** 600+ lines covering all use cases
-
---
-
-## Sprint 4 Objectives - COMPLETE ✅
-
-| Objective | Status | Notes |
-|-----------|--------|-------|
-| Azure backend implementation | ✅ | 410 lines, block blob support |
-| GCS backend implementation | ✅ | 270 lines, chunked upload |
-| Backend factory integration | ✅ | NewBackend() updated |
-| Azure testing infrastructure | ✅ | Azurite + 8 tests |
-| GCS testing infrastructure | ✅ | fake-gcs-server + 8 tests |
-| Azure documentation | ✅ | AZURE.md 600+ lines |
-| GCS documentation | ✅ | GCS.md 600+ lines |
-| Configuration updates | ✅ | config.go comments |
-| Build verification | ✅ | 68MB binary |
-| Git commit and tag | ✅ | e484c26, v2.0-sprint4 |
-| Remote push | ✅ | git.uuxo.net |
-
---
-
-## Known Limitations
-
-1. **Container/Bucket Creation:**
-   - Disabled in code (CreateBucket not in Config struct)
-   - Users must create containers/buckets manually
-   - Future enhancement: Add CreateBucket to Config
-
-2. **Authentication:**
-   - Azure: Limited to account key (no managed identity)
-   - GCS: No metadata server support for GCE VMs
-   - Future enhancement: Support for managed identities
-
-3. **Advanced Features:**
-   - No support for Azure SAS tokens
-   - No support for GCS signed URLs
-   - No support for lifecycle policies via API
-   - Future enhancement: Policy management
-
---
-
-## Performance Characteristics
-
-### Azure:
- **Small files (<256MB):** Single request upload
- **Large files (>256MB):** Block blob staging (100MB blocks)
- **Download:** Streaming with progress (no size limit)
- **Network:** Efficient with Azure SDK connection pooling
-
-### GCS:
- **All files:** Chunked upload with 16MB chunks
- **Upload:** Streaming with `NewWriter()` (no memory bloat)
- **Download:** Streaming with progress (no size limit)
- **Network:** Efficient with GCS SDK connection pooling
-
---
-
-## Next Steps (Post-Sprint 4)
-
-### Immediate:
-1. Run integration tests: `./scripts/test_azure_storage.sh`
-2. Run integration tests: `./scripts/test_gcs_storage.sh`
-3. Update README.md with Sprint 4 achievements
-4. Create Sprint 4 demo video (optional)
-
-### Future Enhancements:
-1. Add managed identity support (Azure, GCS)
-2. Implement SAS token support (Azure)
-3. Implement signed URL support (GCS)
-4. Add lifecycle policy management
-5. Add container/bucket creation to Config
-6. Optimize block/chunk sizes based on file size
-7. Add progress reporting to CLI output
-8. Create performance benchmarks
-
-### Sprint 5 Candidates:
- Cloud-to-cloud transfers
- Multi-region replication
- Backup encryption at rest
- Incremental backups
- Point-in-time recovery
-
---
-
-## Conclusion
-
-Sprint 4 successfully delivers **complete multi-cloud support** for dbbackup v2.0. With native Azure Blob Storage and Google Cloud Storage backends, users can now seamlessly backup to all major cloud providers. The implementation includes production-grade features (block/chunked uploads, progress tracking, integrity verification), comprehensive testing infrastructure (emulators + 16 tests), and extensive documentation (1,200+ lines).
-
-**Sprint 4 closes the architectural gap** identified during Sprint 3 evaluation, where URI parsing supported Azure and GCS but the backend factory could not instantiate them. The system now provides **consistent** cloud storage experience across S3, MinIO, Backblaze B2, Azure Blob Storage, and Google Cloud Storage.
-
-**Total Sprint 4 Impact:** 2,990 lines of code, 1,200+ lines of documentation, 16 integration tests, 50+ new dependencies, and **zero** API gaps remaining.
-
-**Status:** Production-ready for Azure and GCS deployments. ✅
-
---
-
-**Sprint 4 Complete - November 25, 2025**
--- a/STATISTICS.md
+++ b/STATISTICS.md
@@ -1,268 +0,0 @@
-# Backup and Restore Performance Statistics
-
-## Test Environment
-
-**Date:** November 19, 2025
-
-**System Configuration:**
- CPU: 16 cores
- RAM: 30 GB
- Storage: 301 GB total, 214 GB available
- OS: Linux (CentOS/RHEL)
- PostgreSQL: 16.10 (target), 13.11 (source)
-
-## Cluster Backup Performance
-
-**Operation:** Full cluster backup (17 databases)
-
-**Start Time:** 04:44:08 UTC  
-**End Time:** 04:56:14 UTC  
-**Duration:** 12 minutes 6 seconds (726 seconds)
-
-### Backup Results
-
-| Metric | Value |
-|--------|-------|
-| Total Databases | 17 |
-| Successful | 17 (100%) |
-| Failed | 0 (0%) |
-| Uncompressed Size | ~50 GB |
-| Compressed Archive | 34.4 GB |
-| Compression Ratio | ~31% reduction |
-| Throughput | ~47 MB/s |
-
-### Database Breakdown
-
-| Database | Size | Backup Time | Special Notes |
-|----------|------|-------------|---------------|
-| d7030 | 34.0 GB | ~36 minutes | 35,000 large objects (BLOBs) |
-| testdb_50gb.sql.gz.sql.gz | 465.2 MB | ~5 minutes | Plain format + streaming compression |
-| testdb_restore_performance_test.sql.gz.sql.gz | 465.2 MB | ~5 minutes | Plain format + streaming compression |
-| 14 smaller databases | ~50 MB total | <1 minute | Custom format, minimal data |
-
-### Backup Configuration
-
-```
-Compression Level: 6
-Parallel Jobs: 16
-Dump Jobs: 8
-CPU Workload: Balanced
-Max Cores: 32 (detected: 16)
-Format: Automatic selection (custom for <5GB, plain+gzip for >5GB)
-```
-
-### Key Features Validated
-
-1. **Parallel Processing:** Multiple databases backed up concurrently
-2. **Automatic Format Selection:** Large databases use plain format with external compression
-3. **Large Object Handling:** 35,000 BLOBs in d7030 backed up successfully
-4. **Configuration Persistence:** Settings auto-saved to .dbbackup.conf
-5. **Metrics Collection:** Session summary generated (17 operations, 100% success rate)
-
-## Cluster Restore Performance
-
-**Operation:** Full cluster restore from 34.4 GB archive
-
-**Start Time:** 04:58:27 UTC  
-**End Time:** ~06:10:00 UTC (estimated)  
-**Duration:** ~72 minutes (in progress)
-
-### Restore Progress
-
-| Metric | Value |
-|--------|-------|
-| Archive Size | 34.4 GB (35 GB on disk) |
-| Extraction Method | tar.gz with streaming decompression |
-| Databases to Restore | 17 |
-| Databases Completed | 16/17 (94%) |
-| Current Status | Restoring database 17/17 |
-
-### Database Restore Breakdown
-
-| Database | Restored Size | Restore Method | Duration | Special Notes |
-|----------|---------------|----------------|----------|---------------|
-| d7030 | 42 GB | psql + gunzip | ~48 minutes | 35,000 large objects restored without errors |
-| testdb_50gb.sql.gz.sql.gz | ~6.7 GB | psql + gunzip | ~15 minutes | Streaming decompression |
-| testdb_restore_performance_test.sql.gz.sql.gz | ~6.7 GB | psql + gunzip | ~15 minutes | Final database (in progress) |
-| 14 smaller databases | <100 MB each | pg_restore | <5 seconds each | Custom format dumps |
-
-### Restore Configuration
-
-```
-Method: Sequential (automatic detection of large objects)
-Jobs: Reduced to prevent lock contention
-Safety: Clean restore (drop existing databases)
-Validation: Pre-flight disk space checks
-Error Handling: Ignorable errors allowed, critical errors fail fast
-```
-
-### Critical Fixes Validated
-
-1. **No Lock Exhaustion:** d7030 with 35,000 large objects restored successfully
-   - Previous issue: --single-transaction held all locks simultaneously
-   - Fix: Removed --single-transaction flag
-   - Result: Each object restored in separate transaction, locks released incrementally
-
-2. **Proper Error Handling:** No false failures
-   - Previous issue: --exit-on-error treated "already exists" as fatal
-   - Fix: Removed flag, added isIgnorableError() classification with regex patterns
-   - Result: PostgreSQL continues on ignorable errors as designed
-
-3. **Process Cleanup:** Zero orphaned processes
-   - Fix: Parent context propagation + explicit cleanup scan
-   - Result: All pg_restore/psql processes terminated cleanly
-
-4. **Memory Efficiency:** Constant ~1GB usage regardless of database size
-   - Method: Streaming command output
-   - Result: 42GB database restored with minimal memory footprint
-
-## Performance Analysis
-
-### Backup Performance
-
-**Strengths:**
- Fast parallel backup of small databases (completed in seconds)
- Efficient handling of large databases with streaming compression
- Automatic format selection optimizes for size vs. speed
- Perfect success rate (17/17 databases)
-
-**Throughput:**
- Overall: ~47 MB/s average
- d7030 (42GB database): ~19 MB/s sustained
-
-### Restore Performance
-
-**Strengths:**
- Smart detection of large objects triggers sequential restore
- No lock contention issues with 35,000 large objects
- Clean database recreation ensures consistent state
- Progress tracking with accurate ETA
-
-**Throughput:**
- Overall: ~8 MB/s average (decompression + restore)
- d7030 restore: ~15 MB/s sustained
- Small databases: Near-instantaneous (<5 seconds each)
-
-### Bottlenecks Identified
-
-1. **Large Object Restore:** Sequential processing required to prevent lock exhaustion
-   - Impact: d7030 took ~48 minutes (single-threaded)
-   - Mitigation: Necessary trade-off for data integrity
-
-2. **Decompression Overhead:** gzip decompression is CPU-intensive
-   - Impact: ~40% slower than uncompressed restore
-   - Mitigation: Using pigz for parallel compression where available
-
-## Reliability Improvements Validated
-
-### Context Cleanup
- **Implementation:** sync.Once + io.Closer interface
- **Result:** No memory leaks, proper resource cleanup on exit
-
-### Error Classification
- **Implementation:** Regex-based pattern matching (6 error categories)
- **Result:** Robust error handling, no false positives
-
-### Process Management
- **Implementation:** Thread-safe ProcessManager with mutex
- **Result:** Zero orphaned processes on Ctrl+C
-
-### Disk Space Caching
- **Implementation:** 30-second TTL cache
- **Result:** ~90% reduction in syscall overhead for repeated checks
-
-### Metrics Collection
- **Implementation:** Structured logging with operation metrics
- **Result:** Complete observability with success rates, throughput, error counts
-
-## Real-World Test Results
-
-### Production Database (d7030)
-
-**Characteristics:**
- Size: 42 GB
- Large Objects: 35,000 BLOBs
- Schema: Complex with foreign keys, indexes, constraints
-
-**Backup Results:**
- Time: 36 minutes
- Compressed Size: 31.3 GB (25.7% compression)
- Success: 100%
- Errors: None
-
-**Restore Results:**
- Time: 48 minutes
- Final Size: 42 GB
- Large Objects Verified: 35,000
- Success: 100%
- Errors: None (all "already exists" warnings properly ignored)
-
-### Configuration Persistence
-
-**Feature:** Auto-save/load settings per directory
-
-**Test Results:**
- Config saved after successful backup: Yes
- Config loaded on next run: Yes
- Override with flags: Yes
- Security (passwords excluded): Yes
-
-**Sample .dbbackup.conf:**
-```ini
-[database]
-type = postgres
-host = localhost
-port = 5432
-user = postgres
-database = postgres
-ssl_mode = prefer
-
-[backup]
-backup_dir = /var/lib/pgsql/db_backups
-compression = 6
-jobs = 16
-dump_jobs = 8
-
-[performance]
-cpu_workload = balanced
-max_cores = 32
-```
-
-## Cross-Platform Compatibility
-
-**Platforms Tested:**
- Linux x86_64: Success
- Build verification: 9/10 platforms compile successfully
-
-**Supported Platforms:**
- Linux (Intel/AMD 64-bit, ARM64, ARMv7)
- macOS (Intel 64-bit, Apple Silicon ARM64)
- Windows (Intel/AMD 64-bit, ARM64)
- FreeBSD (Intel/AMD 64-bit)
- OpenBSD (Intel/AMD 64-bit)
-
-## Conclusion
-
-The backup and restore system demonstrates production-ready performance and reliability:
-
-1. **Scalability:** Successfully handles databases from megabytes to 42+ gigabytes
-2. **Reliability:** 100% success rate across 17 databases, zero errors
-3. **Efficiency:** Constant memory usage (~1GB) regardless of database size
-4. **Safety:** Comprehensive validation, error handling, and process management
-5. **Usability:** Configuration persistence, progress tracking, intelligent defaults
-
-**Critical Fixes Verified:**
- Large object restore works correctly (35,000 objects)
- No lock exhaustion issues
- Proper error classification
- Clean process cleanup
- All reliability improvements functioning as designed
-
-**Recommended Use Cases:**
- Production database backups (any size)
- Disaster recovery operations
- Database migration and cloning
- Development/staging environment synchronization
- Automated backup schedules via cron/systemd
-
-The system is production-ready for PostgreSQL clusters of any size.
--- a/SYSTEMD.md
+++ b/SYSTEMD.md
@@ -0,0 +1,621 @@
+# Systemd Integration Guide
+
+This guide covers installing dbbackup as a systemd service for automated scheduled backups.
+
+## Quick Start (Installer)
+
+The easiest way to set up systemd services is using the built-in installer:
+
+```bash
+# Install as cluster backup service (daily at midnight)
+sudo dbbackup install --backup-type cluster --schedule daily
+
+# Check what would be installed (dry-run)
+dbbackup install --dry-run --backup-type cluster
+
+# Check installation status
+dbbackup install --status
+
+# Uninstall
+sudo dbbackup uninstall cluster --purge
+```
+
+## Installer Options
+
+| Flag | Description | Default |
+|------|-------------|---------|
+| `--instance NAME` | Instance name for named backups | - |
+| `--backup-type TYPE` | Backup type: `cluster`, `single`, `sample` | `cluster` |
+| `--schedule SPEC` | Timer schedule (see below) | `daily` |
+| `--with-metrics` | Install Prometheus metrics exporter | false |
+| `--metrics-port PORT` | HTTP port for metrics exporter | 9399 |
+| `--dry-run` | Preview changes without applying | false |
+
+### Schedule Format
+
+The `--schedule` option accepts systemd OnCalendar format:
+
+| Value | Description |
+|-------|-------------|
+| `daily` | Every day at midnight |
+| `weekly` | Every Monday at midnight |
+| `hourly` | Every hour |
+| `*-*-* 02:00:00` | Every day at 2:00 AM |
+| `*-*-* 00/6:00:00` | Every 6 hours |
+| `Mon *-*-* 03:00` | Every Monday at 3:00 AM |
+| `*-*-01 00:00:00` | First day of every month |
+
+Test schedule with: `systemd-analyze calendar "Mon *-*-* 03:00"`
+
+## What Gets Installed
+
+### Directory Structure
+
+```
+/etc/dbbackup/
+├── dbbackup.conf           # Main configuration
+└── env.d/
+    └── cluster.conf        # Instance credentials (mode 0600)
+
+/var/lib/dbbackup/
+├── catalog/
+│   └── backups.db          # SQLite backup catalog
+├── backups/                # Default backup storage
+└── metrics/                # Prometheus textfile metrics
+
+/var/log/dbbackup/          # Log files
+
+/usr/local/bin/dbbackup     # Binary copy
+```
+
+### Systemd Units
+
+**For cluster backups:**
+- `/etc/systemd/system/dbbackup-cluster.service` - Backup service
+- `/etc/systemd/system/dbbackup-cluster.timer` - Backup scheduler
+
+**For named instances:**
+- `/etc/systemd/system/dbbackup@.service` - Template service
+- `/etc/systemd/system/dbbackup@.timer` - Template timer
+
+**Metrics exporter (optional):**
+- `/etc/systemd/system/dbbackup-exporter.service`
+
+### System User
+
+A dedicated `dbbackup` user and group are created:
+- Home: `/var/lib/dbbackup`
+- Shell: `/usr/sbin/nologin`
+- Purpose: Run backup services with minimal privileges
+
+## Manual Installation
+
+If you prefer to set up systemd services manually without the installer:
+
+### Step 1: Create User and Directories
+
+```bash
+# Create system user
+sudo useradd --system --home-dir /var/lib/dbbackup --shell /usr/sbin/nologin dbbackup
+
+# Create directories
+sudo mkdir -p /etc/dbbackup/env.d
+sudo mkdir -p /var/lib/dbbackup/{catalog,backups,metrics}
+sudo mkdir -p /var/log/dbbackup
+
+# Set ownership
+sudo chown -R dbbackup:dbbackup /var/lib/dbbackup /var/log/dbbackup
+sudo chown root:dbbackup /etc/dbbackup
+sudo chmod 750 /etc/dbbackup
+
+# Copy binary
+sudo cp dbbackup /usr/local/bin/
+sudo chmod 755 /usr/local/bin/dbbackup
+```
+
+### Step 2: Create Configuration
+
+```bash
+# Main configuration in working directory (where service runs from)
+# dbbackup reads .dbbackup.conf from WorkingDirectory
+sudo tee /var/lib/dbbackup/.dbbackup.conf << 'EOF'
+# DBBackup Configuration
+db-type=postgres
+host=localhost
+port=5432
+user=postgres
+backup-dir=/var/lib/dbbackup/backups
+compression=6
+retention-days=30
+min-backups=7
+EOF
+sudo chown dbbackup:dbbackup /var/lib/dbbackup/.dbbackup.conf
+sudo chmod 600 /var/lib/dbbackup/.dbbackup.conf
+
+# Instance credentials (secure permissions)
+sudo tee /etc/dbbackup/env.d/cluster.conf << 'EOF'
+PGPASSWORD=your_secure_password
+# Or for MySQL:
+# MYSQL_PWD=your_secure_password
+EOF
+sudo chmod 600 /etc/dbbackup/env.d/cluster.conf
+sudo chown dbbackup:dbbackup /etc/dbbackup/env.d/cluster.conf
+```
+
+### Step 3: Create Service Unit
+
+```bash
+sudo tee /etc/systemd/system/dbbackup-cluster.service << 'EOF'
+[Unit]
+Description=DBBackup Cluster Backup
+Documentation=https://github.com/PlusOne/dbbackup
+After=network.target postgresql.service mysql.service
+Wants=network.target
+
+[Service]
+Type=oneshot
+User=dbbackup
+Group=dbbackup
+
+# Load configuration
+EnvironmentFile=-/etc/dbbackup/env.d/cluster.conf
+
+# Working directory (config is loaded from .dbbackup.conf here)
+WorkingDirectory=/var/lib/dbbackup
+
+# Execute backup (reads .dbbackup.conf from WorkingDirectory)
+ExecStart=/usr/local/bin/dbbackup backup cluster \
+    --backup-dir /var/lib/dbbackup/backups \
+    --host localhost \
+    --port 5432 \
+    --user postgres \
+    --allow-root
+
+# Security hardening
+NoNewPrivileges=yes
+ProtectSystem=strict
+ProtectHome=yes
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+MemoryDenyWriteExecute=yes
+LockPersonality=yes
+
+# Allow write to specific paths
+ReadWritePaths=/var/lib/dbbackup /var/log/dbbackup
+
+# Capability restrictions
+CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_CONNECT
+AmbientCapabilities=
+
+# Resource limits
+MemoryMax=4G
+CPUQuota=80%
+
+# Prevent OOM killer from terminating backups
+OOMScoreAdjust=-100
+
+# Logging
+StandardOutput=journal
+StandardError=journal
+SyslogIdentifier=dbbackup
+
+[Install]
+WantedBy=multi-user.target
+EOF
+```
+
+### Step 4: Create Timer Unit
+
+```bash
+sudo tee /etc/systemd/system/dbbackup-cluster.timer << 'EOF'
+[Unit]
+Description=DBBackup Cluster Backup Timer
+Documentation=https://github.com/PlusOne/dbbackup
+
+[Timer]
+# Run daily at midnight
+OnCalendar=daily
+
+# Randomize start time within 15 minutes to avoid thundering herd
+RandomizedDelaySec=900
+
+# Run immediately if we missed the last scheduled time
+Persistent=true
+
+# Run even if system was sleeping
+WakeSystem=false
+
+[Install]
+WantedBy=timers.target
+EOF
+```
+
+### Step 5: Enable and Start
+
+```bash
+# Reload systemd
+sudo systemctl daemon-reload
+
+# Enable timer (auto-start on boot)
+sudo systemctl enable dbbackup-cluster.timer
+
+# Start timer
+sudo systemctl start dbbackup-cluster.timer
+
+# Verify timer is active
+sudo systemctl status dbbackup-cluster.timer
+
+# View next scheduled run
+sudo systemctl list-timers dbbackup-cluster.timer
+```
+
+### Step 6: Test Backup
+
+```bash
+# Run backup manually
+sudo systemctl start dbbackup-cluster.service
+
+# Check status
+sudo systemctl status dbbackup-cluster.service
+
+# View logs
+sudo journalctl -u dbbackup-cluster.service -f
+```
+
+## Prometheus Metrics Exporter (Manual)
+
+### Service Unit
+
+```bash
+sudo tee /etc/systemd/system/dbbackup-exporter.service << 'EOF'
+[Unit]
+Description=DBBackup Prometheus Metrics Exporter
+Documentation=https://github.com/PlusOne/dbbackup
+After=network.target
+
+[Service]
+Type=simple
+User=dbbackup
+Group=dbbackup
+
+# Working directory
+WorkingDirectory=/var/lib/dbbackup
+
+# Start HTTP metrics server
+ExecStart=/usr/local/bin/dbbackup metrics serve --port 9399
+
+# Restart on failure
+Restart=on-failure
+RestartSec=10
+
+# Security hardening
+NoNewPrivileges=yes
+ProtectSystem=strict
+ProtectHome=yes
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+LockPersonality=yes
+
+# Catalog access
+ReadWritePaths=/var/lib/dbbackup
+
+# Capability restrictions
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=
+
+# Logging
+StandardOutput=journal
+StandardError=journal
+SyslogIdentifier=dbbackup-exporter
+
+[Install]
+WantedBy=multi-user.target
+EOF
+```
+
+### Enable Exporter
+
+```bash
+sudo systemctl daemon-reload
+sudo systemctl enable dbbackup-exporter
+sudo systemctl start dbbackup-exporter
+
+# Test
+curl http://localhost:9399/health
+curl http://localhost:9399/metrics
+```
+
+### Prometheus Configuration
+
+Add to `prometheus.yml`:
+
+```yaml
+scrape_configs:
+  - job_name: 'dbbackup'
+    static_configs:
+      - targets: ['localhost:9399']
+    scrape_interval: 60s
+```
+
+## Security Hardening
+
+The systemd units include comprehensive security hardening:
+
+| Setting | Purpose |
+|---------|---------|
+| `NoNewPrivileges=yes` | Prevent privilege escalation |
+| `ProtectSystem=strict` | Read-only filesystem except allowed paths |
+| `ProtectHome=yes` | Block access to /home, /root, /run/user |
+| `PrivateTmp=yes` | Isolated /tmp namespace |
+| `PrivateDevices=yes` | No access to physical devices |
+| `RestrictAddressFamilies` | Only Unix and IP sockets |
+| `MemoryDenyWriteExecute=yes` | Prevent code injection |
+| `CapabilityBoundingSet` | Minimal Linux capabilities |
+| `OOMScoreAdjust=-100` | Protect backup from OOM killer |
+
+### Database Access
+
+For PostgreSQL with peer authentication:
+```bash
+# Add dbbackup user to postgres group
+sudo usermod -aG postgres dbbackup
+
+# Or create a .pgpass file
+sudo -u dbbackup tee /var/lib/dbbackup/.pgpass << EOF
+localhost:5432:*:postgres:password
+EOF
+sudo chmod 600 /var/lib/dbbackup/.pgpass
+```
+
+For PostgreSQL with password authentication:
+```bash
+# Store password in environment file
+echo "PGPASSWORD=your_password" | sudo tee /etc/dbbackup/env.d/cluster.conf
+sudo chmod 600 /etc/dbbackup/env.d/cluster.conf
+```
+
+## Multiple Instances
+
+Run different backup configurations as separate instances:
+
+```bash
+# Install multiple instances
+sudo dbbackup install --instance production --schedule "*-*-* 02:00:00"
+sudo dbbackup install --instance staging --schedule "*-*-* 04:00:00"
+sudo dbbackup install --instance analytics --schedule "weekly"
+
+# Manage individually
+sudo systemctl status dbbackup@production.timer
+sudo systemctl start dbbackup@staging.service
+```
+
+Each instance has its own:
+- Configuration: `/etc/dbbackup/env.d/<instance>.conf`
+- Timer schedule
+- Journal logs: `journalctl -u dbbackup@<instance>.service`
+
+## Troubleshooting
+
+### View Logs
+
+```bash
+# Real-time logs
+sudo journalctl -u dbbackup-cluster.service -f
+
+# Last backup run
+sudo journalctl -u dbbackup-cluster.service -n 100
+
+# All dbbackup logs
+sudo journalctl -t dbbackup
+
+# Exporter logs
+sudo journalctl -u dbbackup-exporter -f
+```
+
+### Timer Not Running
+
+```bash
+# Check timer status
+sudo systemctl status dbbackup-cluster.timer
+
+# List all timers
+sudo systemctl list-timers --all | grep dbbackup
+
+# Check if timer is enabled
+sudo systemctl is-enabled dbbackup-cluster.timer
+```
+
+### Service Fails to Start
+
+```bash
+# Check service status
+sudo systemctl status dbbackup-cluster.service
+
+# View detailed error
+sudo journalctl -u dbbackup-cluster.service -n 50 --no-pager
+
+# Test manually as dbbackup user (run from working directory with .dbbackup.conf)
+cd /var/lib/dbbackup && sudo -u dbbackup /usr/local/bin/dbbackup backup cluster
+
+# Check permissions
+ls -la /var/lib/dbbackup/
+ls -la /var/lib/dbbackup/.dbbackup.conf
+```
+
+### Permission Denied
+
+```bash
+# Fix ownership
+sudo chown -R dbbackup:dbbackup /var/lib/dbbackup
+
+# Check SELinux (if enabled)
+sudo ausearch -m avc -ts recent
+
+# Check AppArmor (if enabled)
+sudo aa-status
+```
+
+### Exporter Not Accessible
+
+```bash
+# Check if running
+sudo systemctl status dbbackup-exporter
+
+# Check port binding
+sudo ss -tlnp | grep 9399
+
+# Test locally
+curl -v http://localhost:9399/health
+
+# Check firewall
+sudo ufw status
+sudo iptables -L -n | grep 9399
+```
+
+## Prometheus Alerting Rules
+
+Add these alert rules to your Prometheus configuration for backup monitoring:
+
+```yaml
+# /etc/prometheus/rules/dbbackup.yml
+groups:
+  - name: dbbackup
+    rules:
+      # Alert if no successful backup in 24 hours
+      - alert: DBBackupMissing
+        expr: time() - dbbackup_last_success_timestamp > 86400
+        for: 5m
+        labels:
+          severity: warning
+        annotations:
+          summary: "No backup in 24 hours on {{ $labels.instance }}"
+          description: "Database {{ $labels.database }} has not had a successful backup in over 24 hours."
+
+      # Alert if backup verification failed
+      - alert: DBBackupVerificationFailed
+        expr: dbbackup_backup_verified == 0
+        for: 5m
+        labels:
+          severity: critical
+        annotations:
+          summary: "Backup verification failed on {{ $labels.instance }}"
+          description: "Last backup for {{ $labels.database }} failed verification check."
+
+      # Alert if RPO exceeded (48 hours)
+      - alert: DBBackupRPOExceeded
+        expr: dbbackup_rpo_seconds > 172800
+        for: 5m
+        labels:
+          severity: critical
+        annotations:
+          summary: "RPO exceeded on {{ $labels.instance }}"
+          description: "Recovery Point Objective exceeded 48 hours for {{ $labels.database }}."
+
+      # Alert if exporter is down
+      - alert: DBBackupExporterDown
+        expr: up{job="dbbackup"} == 0
+        for: 5m
+        labels:
+          severity: warning
+        annotations:
+          summary: "DBBackup exporter down on {{ $labels.instance }}"
+          description: "Cannot scrape metrics from dbbackup-exporter."
+
+      # Alert if backup size dropped significantly (possible truncation)
+      - alert: DBBackupSizeAnomaly
+        expr: dbbackup_last_backup_size_bytes < (dbbackup_last_backup_size_bytes offset 1d) * 0.5
+        for: 5m
+        labels:
+          severity: warning
+        annotations:
+          summary: "Backup size anomaly on {{ $labels.instance }}"
+          description: "Backup size for {{ $labels.database }} dropped by more than 50%."
+```
+
+### Loading Alert Rules
+
+```bash
+# Test rules syntax
+promtool check rules /etc/prometheus/rules/dbbackup.yml
+
+# Reload Prometheus
+sudo systemctl reload prometheus
+# or via API:
+curl -X POST http://localhost:9090/-/reload
+```
+
+## Catalog Sync for Existing Backups
+
+If you have existing backups created before installing v3.41+, sync them to the catalog:
+
+```bash
+# Sync existing backups to catalog
+dbbackup catalog sync /path/to/backup/directory --allow-root
+
+# Verify catalog contents
+dbbackup catalog list --allow-root
+
+# Show statistics
+dbbackup catalog stats --allow-root
+```
+
+## Uninstallation
+
+### Using Installer
+
+```bash
+# Remove cluster backup (keeps config)
+sudo dbbackup uninstall cluster
+
+# Remove and purge configuration
+sudo dbbackup uninstall cluster --purge
+
+# Remove named instance
+sudo dbbackup uninstall production --purge
+```
+
+### Manual Removal
+
+```bash
+# Stop and disable services
+sudo systemctl stop dbbackup-cluster.timer dbbackup-cluster.service dbbackup-exporter
+sudo systemctl disable dbbackup-cluster.timer dbbackup-exporter
+
+# Remove unit files
+sudo rm /etc/systemd/system/dbbackup-cluster.service
+sudo rm /etc/systemd/system/dbbackup-cluster.timer
+sudo rm /etc/systemd/system/dbbackup-exporter.service
+sudo rm /etc/systemd/system/dbbackup@.service
+sudo rm /etc/systemd/system/dbbackup@.timer
+
+# Reload systemd
+sudo systemctl daemon-reload
+
+# Optional: Remove user and directories
+sudo userdel dbbackup
+sudo rm -rf /var/lib/dbbackup
+sudo rm -rf /etc/dbbackup
+sudo rm -rf /var/log/dbbackup
+sudo rm /usr/local/bin/dbbackup
+```
+
+## See Also
+
+- [README.md](README.md) - Main documentation
+- [DOCKER.md](DOCKER.md) - Docker deployment
+- [CLOUD.md](CLOUD.md) - Cloud storage configuration
+- [PITR.md](PITR.md) - Point-in-Time Recovery
--- a/bin/README.md
+++ b/bin/README.md
@@ -0,0 +1,87 @@
+# DB Backup Tool - Pre-compiled Binaries
+
+This directory contains pre-compiled binaries for the DB Backup Tool across multiple platforms and architectures.
+
+## Build Information
+- **Version**: 3.42.34
+- **Build Time**: 2026-01-14_15:37:04_UTC
+- **Git Commit**: e24d7ab
+
+## Recent Updates (v1.1.0)
+- ✅ Fixed TUI progress display with line-by-line output
+- ✅ Added interactive configuration settings menu
+- ✅ Improved menu navigation and responsiveness  
+- ✅ Enhanced completion status handling
+- ✅ Better CPU detection and optimization
+- ✅ Silent mode support for TUI operations
+
+## Available Binaries
+
+### Linux
+- `dbbackup_linux_amd64` - Linux 64-bit (Intel/AMD)
+- `dbbackup_linux_arm64` - Linux 64-bit (ARM)
+- `dbbackup_linux_arm_armv7` - Linux 32-bit (ARMv7)
+
+### macOS
+- `dbbackup_darwin_amd64` - macOS 64-bit (Intel)
+- `dbbackup_darwin_arm64` - macOS 64-bit (Apple Silicon)
+
+### Windows
+- `dbbackup_windows_amd64.exe` - Windows 64-bit (Intel/AMD)
+- `dbbackup_windows_arm64.exe` - Windows 64-bit (ARM)
+
+### BSD Systems
+- `dbbackup_freebsd_amd64` - FreeBSD 64-bit
+- `dbbackup_openbsd_amd64` - OpenBSD 64-bit
+- `dbbackup_netbsd_amd64` - NetBSD 64-bit
+
+## Usage
+
+1. Download the appropriate binary for your platform
+2. Make it executable (Unix-like systems): `chmod +x dbbackup_*`
+3. Run: `./dbbackup_* --help`
+
+## Interactive Mode
+
+Launch the interactive TUI menu for easy configuration and operation:
+
+```bash
+# Interactive mode with TUI menu
+./dbbackup_linux_amd64
+
+# Features:
+# - Interactive configuration settings
+# - Real-time progress display
+# - Operation history and status
+# - CPU detection and optimization
+```
+
+## Command Line Mode
+
+Direct command line usage with line-by-line progress:
+
+```bash
+# Show CPU information and optimization settings
+./dbbackup_linux_amd64 cpu
+
+# Auto-optimize for your hardware
+./dbbackup_linux_amd64 backup cluster --auto-detect-cores
+
+# Manual CPU configuration  
+./dbbackup_linux_amd64 backup single mydb --jobs 8 --dump-jobs 4
+
+# Line-by-line progress output
+./dbbackup_linux_amd64 backup cluster --progress-type line
+```
+
+## CPU Detection
+
+All binaries include advanced CPU detection capabilities:
+- Automatic core detection for optimal parallelism
+- Support for different workload types (CPU-intensive, I/O-intensive, balanced)
+- Platform-specific optimizations for Linux, macOS, and Windows
+- Interactive CPU configuration in TUI mode
+
+## Support
+
+For issues or questions, please refer to the main project documentation.
--- a/build_all.sh
+++ b/build_all.sh
@@ -15,7 +15,7 @@ echo "🔧 Using Go version: $GO_VERSION"

 # Configuration
 APP_NAME="dbbackup"
-VERSION="1.1.0"
+VERSION=$(grep 'version.*=' main.go | head -1 | sed 's/.*"\(.*\)".*/\1/')
 BUILD_TIME=$(date -u '+%Y-%m-%d_%H:%M:%S_UTC')
 GIT_COMMIT=$(git rev-parse --short HEAD 2>/dev/null || echo "unknown")
 BIN_DIR="bin"
@@ -82,8 +82,10 @@ for platform_config in "${PLATFORMS[@]}"; do
    
    echo -e "${YELLOW}[$current/$total_platforms]${NC} Building for ${BOLD}$description${NC} (${platform})"
    
-    # Set environment and build
-    if env GOOS=$GOOS GOARCH=$GOARCH go build -ldflags "$LDFLAGS" -o "${BIN_DIR}/${binary_name}" . 2>/dev/null; then
+    # Set environment and build (using export for better compatibility)
+    # CGO_ENABLED=0 creates static binaries without glibc dependency
+    export CGO_ENABLED=0 GOOS GOARCH
+    if go build -ldflags "$LDFLAGS" -o "${BIN_DIR}/${binary_name}" . 2>/dev/null; then
        # Get file size
        if [[ "$OSTYPE" == "darwin"* ]]; then
            size=$(stat -f%z "${BIN_DIR}/${binary_name}" 2>/dev/null || echo "0")
--- a/cmd/backup.go
+++ b/cmd/backup.go
@@ -4,6 +4,7 @@ import (
 	"fmt"

 	"dbbackup/internal/cloud"
+
 	"github.com/spf13/cobra"
 )

@@ -40,10 +41,31 @@ var clusterCmd = &cobra.Command{
 	},
 }

+// Global variables for backup flags (to avoid initialization cycle)
+var (
+	backupTypeFlag    string
+	baseBackupFlag    string
+	encryptBackupFlag bool
+	encryptionKeyFile string
+	encryptionKeyEnv  string
+	backupDryRun      bool
+)
+
 var singleCmd = &cobra.Command{
 	Use:   "single [database]",
 	Short: "Create single database backup",
-	Long:  `Create a backup of a single database with all its data and schema`,
+	Long: `Create a backup of a single database with all its data and schema.
+
+Backup Types:
+  --backup-type full         - Complete full backup (default)
+  --backup-type incremental  - Incremental backup (only changed files since base) [NOT IMPLEMENTED]
+
+Examples:
+  # Full backup (default)
+  dbbackup backup single mydb
+  
+  # Incremental backup (requires previous full backup) [COMING IN v2.2.1]
+  dbbackup backup single mydb --backup-type incremental --base-backup mydb_20250126.tar.gz`,
 	Args: cobra.MaximumNArgs(1),
 	RunE: func(cmd *cobra.Command, args []string) error {
 		dbName := ""
@@ -91,6 +113,22 @@ func init() {
 	backupCmd.AddCommand(singleCmd)
 	backupCmd.AddCommand(sampleCmd)

+	// Incremental backup flags (single backup only) - using global vars to avoid initialization cycle
+	singleCmd.Flags().StringVar(&backupTypeFlag, "backup-type", "full", "Backup type: full or incremental [incremental NOT IMPLEMENTED]")
+	singleCmd.Flags().StringVar(&baseBackupFlag, "base-backup", "", "Path to base backup (required for incremental)")
+
+	// Encryption flags for all backup commands
+	for _, cmd := range []*cobra.Command{clusterCmd, singleCmd, sampleCmd} {
+		cmd.Flags().BoolVar(&encryptBackupFlag, "encrypt", false, "Encrypt backup with AES-256-GCM")
+		cmd.Flags().StringVar(&encryptionKeyFile, "encryption-key-file", "", "Path to encryption key file (32 bytes)")
+		cmd.Flags().StringVar(&encryptionKeyEnv, "encryption-key-env", "DBBACKUP_ENCRYPTION_KEY", "Environment variable containing encryption key/passphrase")
+	}
+
+	// Dry-run flag for all backup commands
+	for _, cmd := range []*cobra.Command{clusterCmd, singleCmd, sampleCmd} {
+		cmd.Flags().BoolVarP(&backupDryRun, "dry-run", "n", false, "Validate configuration without executing backup")
+	}
+
 	// Cloud storage flags for all backup commands
 	for _, cmd := range []*cobra.Command{clusterCmd, singleCmd, sampleCmd} {
 		cmd.Flags().String("cloud", "", "Cloud storage URI (e.g., s3://bucket/path) - takes precedence over individual flags")
--- a/cmd/backup_impl.go
+++ b/cmd/backup_impl.go
@@ -3,8 +3,13 @@ package cmd
 import (
 	"context"
 	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+	"time"

 	"dbbackup/internal/backup"
+	"dbbackup/internal/checks"
 	"dbbackup/internal/config"
 	"dbbackup/internal/database"
 	"dbbackup/internal/security"
@@ -13,7 +18,7 @@ import (
 // runClusterBackup performs a full cluster backup
 func runClusterBackup(ctx context.Context) error {
 	if !cfg.IsPostgreSQL() {
-		return fmt.Errorf("cluster backup is only supported for PostgreSQL")
+		return fmt.Errorf("cluster backup requires PostgreSQL (detected: %s). Use 'backup single' for individual database backups", cfg.DisplayDatabaseType())
 	}

 	// Update config from environment
@@ -24,6 +29,11 @@ func runClusterBackup(ctx context.Context) error {
 		return fmt.Errorf("configuration error: %w", err)
 	}

+	// Handle dry-run mode
+	if backupDryRun {
+		return runBackupPreflight(ctx, "")
+	}
+
 	// Check privileges
 	privChecker := security.NewPrivilegeChecker(log)
 	if err := privChecker.CheckAndWarn(cfg.AllowRoot); err != nil {
@@ -51,7 +61,7 @@ func runClusterBackup(ctx context.Context) error {
 	host := fmt.Sprintf("%s:%d", cfg.Host, cfg.Port)
 	if err := rateLimiter.CheckAndWait(host); err != nil {
 		auditLogger.LogBackupFailed(user, "all_databases", err)
-		return fmt.Errorf("rate limit exceeded: %w", err)
+		return fmt.Errorf("rate limit exceeded for %s. Too many connection attempts. Wait 60s or check credentials: %w", host, err)
 	}

 	// Create database instance
@@ -66,7 +76,7 @@ func runClusterBackup(ctx context.Context) error {
 	if err := db.Connect(ctx); err != nil {
 		rateLimiter.RecordFailure(host)
 		auditLogger.LogBackupFailed(user, "all_databases", err)
-		return fmt.Errorf("failed to connect to database: %w", err)
+		return fmt.Errorf("failed to connect to %s@%s:%d. Check: 1) Database is running 2) Credentials are correct 3) pg_hba.conf allows connection: %w", cfg.User, cfg.Host, cfg.Port, err)
 	}
 	rateLimiter.RecordSuccess(host)

@@ -79,6 +89,15 @@ func runClusterBackup(ctx context.Context) error {
 		return err
 	}

+	// Apply encryption if requested
+	if isEncryptionEnabled() {
+		if err := encryptLatestClusterBackup(); err != nil {
+			log.Error("Failed to encrypt backup", "error", err)
+			return fmt.Errorf("backup completed successfully but encryption failed. Unencrypted backup remains in %s: %w", cfg.BackupDir, err)
+		}
+		log.Info("Cluster backup encrypted successfully")
+	}
+
 	// Audit log: backup success
 	auditLogger.LogBackupComplete(user, "all_databases", cfg.BackupDir, 0)

@@ -116,6 +135,35 @@ func runSingleBackup(ctx context.Context, databaseName string) error {
 		return fmt.Errorf("configuration error: %w", err)
 	}

+	// Handle dry-run mode
+	if backupDryRun {
+		return runBackupPreflight(ctx, databaseName)
+	}
+
+	// Get backup type and base backup from command line flags (set via global vars in PreRunE)
+	// These are populated by cobra flag binding in cmd/backup.go
+	backupType := "full" // Default to full backup if not specified
+	baseBackup := ""     // Base backup path for incremental backups
+
+	// Validate backup type
+	if backupType != "full" && backupType != "incremental" {
+		return fmt.Errorf("invalid backup type: %s (must be 'full' or 'incremental')", backupType)
+	}
+
+	// Validate incremental backup requirements
+	if backupType == "incremental" {
+		if !cfg.IsPostgreSQL() && !cfg.IsMySQL() {
+			return fmt.Errorf("incremental backups require PostgreSQL or MySQL/MariaDB (detected: %s). Use --backup-type=full for other databases", cfg.DisplayDatabaseType())
+		}
+		if baseBackup == "" {
+			return fmt.Errorf("incremental backup requires --base-backup flag pointing to initial full backup archive")
+		}
+		// Verify base backup exists
+		if _, err := os.Stat(baseBackup); os.IsNotExist(err) {
+			return fmt.Errorf("base backup file not found at %s. Ensure path is correct and file exists", baseBackup)
+		}
+	}
+
 	// Check privileges
 	privChecker := security.NewPrivilegeChecker(log)
 	if err := privChecker.CheckAndWarn(cfg.AllowRoot); err != nil {
@@ -125,10 +173,15 @@ func runSingleBackup(ctx context.Context, databaseName string) error {
 	log.Info("Starting single database backup",
 		"database", databaseName,
 		"db_type", cfg.DatabaseType,
+		"backup_type", backupType,
 		"host", cfg.Host,
 		"port", cfg.Port,
 		"backup_dir", cfg.BackupDir)

+	if backupType == "incremental" {
+		log.Info("Incremental backup", "base_backup", baseBackup)
+	}
+
 	// Audit log: backup start
 	user := security.GetCurrentUser()
 	auditLogger.LogBackupStart(user, databaseName, "single")
@@ -171,10 +224,60 @@ func runSingleBackup(ctx context.Context, databaseName string) error {
 	// Create backup engine
 	engine := backup.New(cfg, log, db)

-	// Perform single database backup
-	if err := engine.BackupSingle(ctx, databaseName); err != nil {
-		auditLogger.LogBackupFailed(user, databaseName, err)
-		return err
+	// Perform backup based on type
+	var backupErr error
+	if backupType == "incremental" {
+		// Incremental backup - supported for PostgreSQL and MySQL
+		log.Info("Creating incremental backup", "base_backup", baseBackup)
+
+		// Create appropriate incremental engine based on database type
+		var incrEngine interface {
+			FindChangedFiles(context.Context, *backup.IncrementalBackupConfig) ([]backup.ChangedFile, error)
+			CreateIncrementalBackup(context.Context, *backup.IncrementalBackupConfig, []backup.ChangedFile) error
+		}
+
+		if cfg.IsPostgreSQL() {
+			incrEngine = backup.NewPostgresIncrementalEngine(log)
+		} else {
+			incrEngine = backup.NewMySQLIncrementalEngine(log)
+		}
+
+		// Configure incremental backup
+		incrConfig := &backup.IncrementalBackupConfig{
+			BaseBackupPath:   baseBackup,
+			DataDirectory:    cfg.BackupDir, // Note: This should be the actual data directory
+			CompressionLevel: cfg.CompressionLevel,
+		}
+
+		// Find changed files
+		changedFiles, err := incrEngine.FindChangedFiles(ctx, incrConfig)
+		if err != nil {
+			return fmt.Errorf("failed to find changed files: %w", err)
+		}
+
+		// Create incremental backup
+		if err := incrEngine.CreateIncrementalBackup(ctx, incrConfig, changedFiles); err != nil {
+			return fmt.Errorf("failed to create incremental backup: %w", err)
+		}
+
+		log.Info("Incremental backup completed", "changed_files", len(changedFiles))
+	} else {
+		// Full backup
+		backupErr = engine.BackupSingle(ctx, databaseName)
+	}
+
+	if backupErr != nil {
+		auditLogger.LogBackupFailed(user, databaseName, backupErr)
+		return backupErr
+	}
+
+	// Apply encryption if requested
+	if isEncryptionEnabled() {
+		if err := encryptLatestBackup(databaseName); err != nil {
+			log.Error("Failed to encrypt backup", "error", err)
+			return fmt.Errorf("backup succeeded but encryption failed: %w", err)
+		}
+		log.Info("Backup encrypted successfully")
 	}

 	// Audit log: backup success
@@ -214,6 +317,11 @@ func runSampleBackup(ctx context.Context, databaseName string) error {
 		return fmt.Errorf("configuration error: %w", err)
 	}

+	// Handle dry-run mode
+	if backupDryRun {
+		return runBackupPreflight(ctx, databaseName)
+	}
+
 	// Check privileges
 	privChecker := security.NewPrivilegeChecker(log)
 	if err := privChecker.CheckAndWarn(cfg.AllowRoot); err != nil {
@@ -297,6 +405,15 @@ func runSampleBackup(ctx context.Context, databaseName string) error {
 		return err
 	}

+	// Apply encryption if requested
+	if isEncryptionEnabled() {
+		if err := encryptLatestBackup(databaseName); err != nil {
+			log.Error("Failed to encrypt backup", "error", err)
+			return fmt.Errorf("backup succeeded but encryption failed: %w", err)
+		}
+		log.Info("Sample backup encrypted successfully")
+	}
+
 	// Audit log: backup success
 	auditLogger.LogBackupComplete(user, databaseName, cfg.BackupDir, 0)

@@ -313,3 +430,147 @@ func runSampleBackup(ctx context.Context, databaseName string) error {

 	return nil
 }
+
+// encryptLatestBackup finds and encrypts the most recent backup for a database
+func encryptLatestBackup(databaseName string) error {
+	// Load encryption key
+	key, err := loadEncryptionKey(encryptionKeyFile, encryptionKeyEnv)
+	if err != nil {
+		return err
+	}
+
+	// Find most recent backup file for this database
+	backupPath, err := findLatestBackup(cfg.BackupDir, databaseName)
+	if err != nil {
+		return err
+	}
+
+	// Encrypt the backup
+	return backup.EncryptBackupFile(backupPath, key, log)
+}
+
+// encryptLatestClusterBackup finds and encrypts the most recent cluster backup
+func encryptLatestClusterBackup() error {
+	// Load encryption key
+	key, err := loadEncryptionKey(encryptionKeyFile, encryptionKeyEnv)
+	if err != nil {
+		return err
+	}
+
+	// Find most recent cluster backup
+	backupPath, err := findLatestClusterBackup(cfg.BackupDir)
+	if err != nil {
+		return err
+	}
+
+	// Encrypt the backup
+	return backup.EncryptBackupFile(backupPath, key, log)
+}
+
+// findLatestBackup finds the most recently created backup file for a database
+func findLatestBackup(backupDir, databaseName string) (string, error) {
+	entries, err := os.ReadDir(backupDir)
+	if err != nil {
+		return "", fmt.Errorf("failed to read backup directory: %w", err)
+	}
+
+	var latestPath string
+	var latestTime time.Time
+
+	prefix := "db_" + databaseName + "_"
+	for _, entry := range entries {
+		if entry.IsDir() {
+			continue
+		}
+
+		name := entry.Name()
+		// Skip metadata files and already encrypted files
+		if strings.HasSuffix(name, ".meta.json") || strings.HasSuffix(name, ".encrypted") {
+			continue
+		}
+
+		// Match database backup files
+		if strings.HasPrefix(name, prefix) && (strings.HasSuffix(name, ".dump") ||
+			strings.HasSuffix(name, ".dump.gz") || strings.HasSuffix(name, ".sql.gz")) {
+			info, err := entry.Info()
+			if err != nil {
+				continue
+			}
+
+			if info.ModTime().After(latestTime) {
+				latestTime = info.ModTime()
+				latestPath = filepath.Join(backupDir, name)
+			}
+		}
+	}
+
+	if latestPath == "" {
+		return "", fmt.Errorf("no backup found for database: %s", databaseName)
+	}
+
+	return latestPath, nil
+}
+
+// findLatestClusterBackup finds the most recently created cluster backup
+func findLatestClusterBackup(backupDir string) (string, error) {
+	entries, err := os.ReadDir(backupDir)
+	if err != nil {
+		return "", fmt.Errorf("failed to read backup directory: %w", err)
+	}
+
+	var latestPath string
+	var latestTime time.Time
+
+	for _, entry := range entries {
+		if entry.IsDir() {
+			continue
+		}
+
+		name := entry.Name()
+		// Skip metadata files and already encrypted files
+		if strings.HasSuffix(name, ".meta.json") || strings.HasSuffix(name, ".encrypted") {
+			continue
+		}
+
+		// Match cluster backup files
+		if strings.HasPrefix(name, "cluster_") && strings.HasSuffix(name, ".tar.gz") {
+			info, err := entry.Info()
+			if err != nil {
+				continue
+			}
+
+			if info.ModTime().After(latestTime) {
+				latestTime = info.ModTime()
+				latestPath = filepath.Join(backupDir, name)
+			}
+		}
+	}
+
+	if latestPath == "" {
+		return "", fmt.Errorf("no cluster backup found")
+	}
+
+	return latestPath, nil
+}
+
+// runBackupPreflight runs preflight checks without executing backup
+func runBackupPreflight(ctx context.Context, databaseName string) error {
+	checker := checks.NewPreflightChecker(cfg, log)
+	defer checker.Close()
+
+	result, err := checker.RunAllChecks(ctx, databaseName)
+	if err != nil {
+		return fmt.Errorf("preflight check error: %w", err)
+	}
+
+	// Format and print report
+	report := checks.FormatPreflightReport(result, databaseName, true)
+	fmt.Print(report)
+
+	// Return appropriate exit code
+	if !result.AllPassed {
+		return fmt.Errorf("preflight checks failed")
+	}
+
+	return nil
+}
--- a/cmd/catalog.go
+++ b/cmd/catalog.go
@@ -0,0 +1,725 @@
+package cmd
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+	"time"
+
+	"dbbackup/internal/catalog"
+
+	"github.com/spf13/cobra"
+)
+
+var (
+	catalogDBPath    string
+	catalogFormat    string
+	catalogLimit     int
+	catalogDatabase  string
+	catalogStartDate string
+	catalogEndDate   string
+	catalogInterval  string
+	catalogVerbose   bool
+)
+
+// catalogCmd represents the catalog command group
+var catalogCmd = &cobra.Command{
+	Use:   "catalog",
+	Short: "Backup catalog management",
+	Long: `Manage the backup catalog - a SQLite database tracking all backups.
+
+The catalog provides:
+  - Searchable history of all backups
+  - Gap detection for backup schedules
+  - Statistics and reporting
+  - Integration with DR drill testing
+
+Examples:
+  # Sync backups from a directory
+  dbbackup catalog sync /backups
+
+  # List all backups
+  dbbackup catalog list
+
+  # Show catalog statistics
+  dbbackup catalog stats
+
+  # Detect gaps in backup schedule
+  dbbackup catalog gaps mydb --interval 24h
+
+  # Search backups
+  dbbackup catalog search --database mydb --after 2024-01-01`,
+}
+
+// catalogSyncCmd syncs backups from directory
+var catalogSyncCmd = &cobra.Command{
+	Use:   "sync [directory]",
+	Short: "Sync backups from directory into catalog",
+	Long: `Scan a directory for backup files and import them into the catalog.
+
+This command:
+  - Finds all .meta.json files
+  - Imports backup metadata into SQLite catalog
+  - Detects removed backups
+  - Updates changed entries
+
+Examples:
+  # Sync from backup directory
+  dbbackup catalog sync /backups
+
+  # Sync with verbose output
+  dbbackup catalog sync /backups --verbose`,
+	Args: cobra.MinimumNArgs(1),
+	RunE: runCatalogSync,
+}
+
+// catalogListCmd lists backups
+var catalogListCmd = &cobra.Command{
+	Use:   "list",
+	Short: "List backups in catalog",
+	Long: `List all backups in the catalog with optional filtering.
+
+Examples:
+  # List all backups
+  dbbackup catalog list
+
+  # List backups for specific database
+  dbbackup catalog list --database mydb
+
+  # List last 10 backups
+  dbbackup catalog list --limit 10
+
+  # Output as JSON
+  dbbackup catalog list --format json`,
+	RunE: runCatalogList,
+}
+
+// catalogStatsCmd shows statistics
+var catalogStatsCmd = &cobra.Command{
+	Use:   "stats",
+	Short: "Show catalog statistics",
+	Long: `Display comprehensive backup statistics.
+
+Shows:
+  - Total backup count and size
+  - Backups by database
+  - Backups by type and status
+  - Verification and drill test coverage
+
+Examples:
+  # Show overall stats
+  dbbackup catalog stats
+
+  # Stats for specific database
+  dbbackup catalog stats --database mydb
+
+  # Output as JSON
+  dbbackup catalog stats --format json`,
+	RunE: runCatalogStats,
+}
+
+// catalogGapsCmd detects schedule gaps
+var catalogGapsCmd = &cobra.Command{
+	Use:   "gaps [database]",
+	Short: "Detect gaps in backup schedule",
+	Long: `Analyze backup history and detect schedule gaps.
+
+This helps identify:
+  - Missed backups
+  - Schedule irregularities
+  - RPO violations
+
+Examples:
+  # Check all databases for gaps (24h expected interval)
+  dbbackup catalog gaps
+
+  # Check specific database with custom interval
+  dbbackup catalog gaps mydb --interval 6h
+
+  # Check gaps in date range
+  dbbackup catalog gaps --after 2024-01-01 --before 2024-02-01`,
+	RunE: runCatalogGaps,
+}
+
+// catalogSearchCmd searches backups
+var catalogSearchCmd = &cobra.Command{
+	Use:   "search",
+	Short: "Search backups in catalog",
+	Long: `Search for backups matching specific criteria.
+
+Examples:
+  # Search by database name (supports wildcards)
+  dbbackup catalog search --database "prod*"
+
+  # Search by date range
+  dbbackup catalog search --after 2024-01-01 --before 2024-02-01
+
+  # Search verified backups only
+  dbbackup catalog search --verified
+
+  # Search encrypted backups
+  dbbackup catalog search --encrypted`,
+	RunE: runCatalogSearch,
+}
+
+// catalogInfoCmd shows entry details
+var catalogInfoCmd = &cobra.Command{
+	Use:   "info [backup-path]",
+	Short: "Show detailed info for a backup",
+	Long: `Display detailed information about a specific backup.
+
+Examples:
+  # Show info by path
+  dbbackup catalog info /backups/mydb_20240115.dump.gz`,
+	Args: cobra.ExactArgs(1),
+	RunE: runCatalogInfo,
+}
+
+func init() {
+	rootCmd.AddCommand(catalogCmd)
+
+	// Default catalog path
+	defaultCatalogPath := filepath.Join(getDefaultConfigDir(), "catalog.db")
+
+	// Global catalog flags
+	catalogCmd.PersistentFlags().StringVar(&catalogDBPath, "catalog-db", defaultCatalogPath,
+		"Path to catalog SQLite database")
+	catalogCmd.PersistentFlags().StringVar(&catalogFormat, "format", "table",
+		"Output format: table, json, csv")
+
+	// Add subcommands
+	catalogCmd.AddCommand(catalogSyncCmd)
+	catalogCmd.AddCommand(catalogListCmd)
+	catalogCmd.AddCommand(catalogStatsCmd)
+	catalogCmd.AddCommand(catalogGapsCmd)
+	catalogCmd.AddCommand(catalogSearchCmd)
+	catalogCmd.AddCommand(catalogInfoCmd)
+
+	// Sync flags
+	catalogSyncCmd.Flags().BoolVarP(&catalogVerbose, "verbose", "v", false, "Show detailed output")
+
+	// List flags
+	catalogListCmd.Flags().IntVar(&catalogLimit, "limit", 50, "Maximum entries to show")
+	catalogListCmd.Flags().StringVar(&catalogDatabase, "database", "", "Filter by database name")
+
+	// Stats flags
+	catalogStatsCmd.Flags().StringVar(&catalogDatabase, "database", "", "Show stats for specific database")
+
+	// Gaps flags
+	catalogGapsCmd.Flags().StringVar(&catalogInterval, "interval", "24h", "Expected backup interval")
+	catalogGapsCmd.Flags().StringVar(&catalogStartDate, "after", "", "Start date (YYYY-MM-DD)")
+	catalogGapsCmd.Flags().StringVar(&catalogEndDate, "before", "", "End date (YYYY-MM-DD)")
+
+	// Search flags
+	catalogSearchCmd.Flags().StringVar(&catalogDatabase, "database", "", "Filter by database name (supports wildcards)")
+	catalogSearchCmd.Flags().StringVar(&catalogStartDate, "after", "", "Backups after date (YYYY-MM-DD)")
+	catalogSearchCmd.Flags().StringVar(&catalogEndDate, "before", "", "Backups before date (YYYY-MM-DD)")
+	catalogSearchCmd.Flags().IntVar(&catalogLimit, "limit", 100, "Maximum results")
+	catalogSearchCmd.Flags().Bool("verified", false, "Only verified backups")
+	catalogSearchCmd.Flags().Bool("encrypted", false, "Only encrypted backups")
+	catalogSearchCmd.Flags().Bool("drill-tested", false, "Only drill-tested backups")
+}
+
+func getDefaultConfigDir() string {
+	home, _ := os.UserHomeDir()
+	return filepath.Join(home, ".dbbackup")
+}
+
+func openCatalog() (*catalog.SQLiteCatalog, error) {
+	return catalog.NewSQLiteCatalog(catalogDBPath)
+}
+
+func runCatalogSync(cmd *cobra.Command, args []string) error {
+	dir := args[0]
+
+	// Validate directory
+	info, err := os.Stat(dir)
+	if err != nil {
+		return fmt.Errorf("directory not found: %s", dir)
+	}
+	if !info.IsDir() {
+		return fmt.Errorf("not a directory: %s", dir)
+	}
+
+	absDir, _ := filepath.Abs(dir)
+
+	cat, err := openCatalog()
+	if err != nil {
+		return err
+	}
+	defer cat.Close()
+
+	fmt.Printf("[DIR] Syncing backups from: %s\n", absDir)
+	fmt.Printf("[STATS] Catalog database: %s\n\n", catalogDBPath)
+
+	ctx := context.Background()
+	result, err := cat.SyncFromDirectory(ctx, absDir)
+	if err != nil {
+		return err
+	}
+
+	// Update last sync time
+	cat.SetLastSync(ctx)
+
+	// Show results
+	fmt.Printf("=====================================================\n")
+	fmt.Printf("  Sync Results\n")
+	fmt.Printf("=====================================================\n")
+	fmt.Printf("  [OK] Added:   %d\n", result.Added)
+	fmt.Printf("  [SYNC] Updated: %d\n", result.Updated)
+	fmt.Printf("  [DEL]  Removed: %d\n", result.Removed)
+	if result.Errors > 0 {
+		fmt.Printf("  [FAIL] Errors:  %d\n", result.Errors)
+	}
+	fmt.Printf("  [TIME]  Duration: %.2fs\n", result.Duration)
+	fmt.Printf("=====================================================\n")
+
+	// Show details if verbose
+	if catalogVerbose && len(result.Details) > 0 {
+		fmt.Printf("\nDetails:\n")
+		for _, detail := range result.Details {
+			fmt.Printf("  %s\n", detail)
+		}
+	}
+
+	return nil
+}
+
+func runCatalogList(cmd *cobra.Command, args []string) error {
+	cat, err := openCatalog()
+	if err != nil {
+		return err
+	}
+	defer cat.Close()
+
+	ctx := context.Background()
+
+	query := &catalog.SearchQuery{
+		Database:  catalogDatabase,
+		Limit:     catalogLimit,
+		OrderBy:   "created_at",
+		OrderDesc: true,
+	}
+
+	entries, err := cat.Search(ctx, query)
+	if err != nil {
+		return err
+	}
+
+	if len(entries) == 0 {
+		fmt.Println("No backups in catalog. Run 'dbbackup catalog sync <directory>' to import backups.")
+		return nil
+	}
+
+	if catalogFormat == "json" {
+		data, _ := json.MarshalIndent(entries, "", "  ")
+		fmt.Println(string(data))
+		return nil
+	}
+
+	// Table format
+	fmt.Printf("%-30s %-12s %-10s %-20s %-10s %s\n",
+		"DATABASE", "TYPE", "SIZE", "CREATED", "STATUS", "PATH")
+	fmt.Println(strings.Repeat("-", 120))
+
+	for _, entry := range entries {
+		dbName := truncateString(entry.Database, 28)
+		backupPath := truncateString(filepath.Base(entry.BackupPath), 40)
+
+		status := string(entry.Status)
+		if entry.VerifyValid != nil && *entry.VerifyValid {
+			status = "[OK] verified"
+		}
+		if entry.DrillSuccess != nil && *entry.DrillSuccess {
+			status = "[OK] tested"
+		}
+
+		fmt.Printf("%-30s %-12s %-10s %-20s %-10s %s\n",
+			dbName,
+			entry.DatabaseType,
+			catalog.FormatSize(entry.SizeBytes),
+			entry.CreatedAt.Format("2006-01-02 15:04"),
+			status,
+			backupPath,
+		)
+	}
+
+	fmt.Printf("\nShowing %d of %d total backups\n", len(entries), len(entries))
+	return nil
+}
+
+func runCatalogStats(cmd *cobra.Command, args []string) error {
+	cat, err := openCatalog()
+	if err != nil {
+		return err
+	}
+	defer cat.Close()
+
+	ctx := context.Background()
+
+	var stats *catalog.Stats
+	if catalogDatabase != "" {
+		stats, err = cat.StatsByDatabase(ctx, catalogDatabase)
+	} else {
+		stats, err = cat.Stats(ctx)
+	}
+	if err != nil {
+		return err
+	}
+
+	if catalogFormat == "json" {
+		data, _ := json.MarshalIndent(stats, "", "  ")
+		fmt.Println(string(data))
+		return nil
+	}
+
+	// Table format
+	fmt.Printf("=====================================================\n")
+	if catalogDatabase != "" {
+		fmt.Printf("  Catalog Statistics: %s\n", catalogDatabase)
+	} else {
+		fmt.Printf("  Catalog Statistics\n")
+	}
+	fmt.Printf("=====================================================\n\n")
+
+	fmt.Printf("[STATS] Total Backups:    %d\n", stats.TotalBackups)
+	fmt.Printf("[SAVE] Total Size:       %s\n", stats.TotalSizeHuman)
+	fmt.Printf("[SIZE] Average Size:     %s\n", catalog.FormatSize(stats.AvgSize))
+	fmt.Printf("[TIME]  Average Duration: %.1fs\n", stats.AvgDuration)
+	fmt.Printf("[OK] Verified:         %d\n", stats.VerifiedCount)
+	fmt.Printf("[TEST] Drill Tested:     %d\n", stats.DrillTestedCount)
+
+	if stats.OldestBackup != nil {
+		fmt.Printf("📅 Oldest Backup:    %s\n", stats.OldestBackup.Format("2006-01-02 15:04"))
+	}
+	if stats.NewestBackup != nil {
+		fmt.Printf("📅 Newest Backup:    %s\n", stats.NewestBackup.Format("2006-01-02 15:04"))
+	}
+
+	if len(stats.ByDatabase) > 0 && catalogDatabase == "" {
+		fmt.Printf("\n[DIR] By Database:\n")
+		for db, count := range stats.ByDatabase {
+			fmt.Printf("   %-30s %d\n", db, count)
+		}
+	}
+
+	if len(stats.ByType) > 0 {
+		fmt.Printf("\n[PKG] By Type:\n")
+		for t, count := range stats.ByType {
+			fmt.Printf("   %-15s %d\n", t, count)
+		}
+	}
+
+	if len(stats.ByStatus) > 0 {
+		fmt.Printf("\n[LOG] By Status:\n")
+		for s, count := range stats.ByStatus {
+			fmt.Printf("   %-15s %d\n", s, count)
+		}
+	}
+
+	fmt.Printf("\n=====================================================\n")
+	return nil
+}
+
+func runCatalogGaps(cmd *cobra.Command, args []string) error {
+	cat, err := openCatalog()
+	if err != nil {
+		return err
+	}
+	defer cat.Close()
+
+	ctx := context.Background()
+
+	// Parse interval
+	interval, err := time.ParseDuration(catalogInterval)
+	if err != nil {
+		return fmt.Errorf("invalid interval: %w", err)
+	}
+
+	config := &catalog.GapDetectionConfig{
+		ExpectedInterval: interval,
+		Tolerance:        interval / 4, // 25% tolerance
+		RPOThreshold:     interval * 2, // 2x interval = critical
+	}
+
+	// Parse date range
+	if catalogStartDate != "" {
+		t, err := time.Parse("2006-01-02", catalogStartDate)
+		if err != nil {
+			return fmt.Errorf("invalid start date: %w", err)
+		}
+		config.StartDate = &t
+	}
+	if catalogEndDate != "" {
+		t, err := time.Parse("2006-01-02", catalogEndDate)
+		if err != nil {
+			return fmt.Errorf("invalid end date: %w", err)
+		}
+		config.EndDate = &t
+	}
+
+	var allGaps map[string][]*catalog.Gap
+
+	if len(args) > 0 {
+		// Specific database
+		database := args[0]
+		gaps, err := cat.DetectGaps(ctx, database, config)
+		if err != nil {
+			return err
+		}
+		if len(gaps) > 0 {
+			allGaps = map[string][]*catalog.Gap{database: gaps}
+		}
+	} else {
+		// All databases
+		allGaps, err = cat.DetectAllGaps(ctx, config)
+		if err != nil {
+			return err
+		}
+	}
+
+	if catalogFormat == "json" {
+		data, _ := json.MarshalIndent(allGaps, "", "  ")
+		fmt.Println(string(data))
+		return nil
+	}
+
+	if len(allGaps) == 0 {
+		fmt.Printf("[OK] No backup gaps detected (expected interval: %s)\n", interval)
+		return nil
+	}
+
+	fmt.Printf("=====================================================\n")
+	fmt.Printf("  Backup Gaps Detected (expected interval: %s)\n", interval)
+	fmt.Printf("=====================================================\n\n")
+
+	totalGaps := 0
+	criticalGaps := 0
+
+	for database, gaps := range allGaps {
+		fmt.Printf("[DIR] %s (%d gaps)\n", database, len(gaps))
+
+		for _, gap := range gaps {
+			totalGaps++
+			icon := "[INFO]"
+			switch gap.Severity {
+			case catalog.SeverityWarning:
+				icon = "[WARN]"
+			case catalog.SeverityCritical:
+				icon = "🚨"
+				criticalGaps++
+			}
+
+			fmt.Printf("   %s %s\n", icon, gap.Description)
+			fmt.Printf("      Gap: %s → %s (%s)\n",
+				gap.GapStart.Format("2006-01-02 15:04"),
+				gap.GapEnd.Format("2006-01-02 15:04"),
+				catalog.FormatDuration(gap.Duration))
+			fmt.Printf("      Expected at: %s\n", gap.ExpectedAt.Format("2006-01-02 15:04"))
+		}
+		fmt.Println()
+	}
+
+	fmt.Printf("=====================================================\n")
+	fmt.Printf("Total: %d gaps detected", totalGaps)
+	if criticalGaps > 0 {
+		fmt.Printf(" (%d critical)", criticalGaps)
+	}
+	fmt.Println()
+
+	return nil
+}
+
+func runCatalogSearch(cmd *cobra.Command, args []string) error {
+	cat, err := openCatalog()
+	if err != nil {
+		return err
+	}
+	defer cat.Close()
+
+	ctx := context.Background()
+
+	query := &catalog.SearchQuery{
+		Database:  catalogDatabase,
+		Limit:     catalogLimit,
+		OrderBy:   "created_at",
+		OrderDesc: true,
+	}
+
+	// Parse date range
+	if catalogStartDate != "" {
+		t, err := time.Parse("2006-01-02", catalogStartDate)
+		if err != nil {
+			return fmt.Errorf("invalid start date: %w", err)
+		}
+		query.StartDate = &t
+	}
+	if catalogEndDate != "" {
+		t, err := time.Parse("2006-01-02", catalogEndDate)
+		if err != nil {
+			return fmt.Errorf("invalid end date: %w", err)
+		}
+		query.EndDate = &t
+	}
+
+	// Boolean filters
+	if verified, _ := cmd.Flags().GetBool("verified"); verified {
+		t := true
+		query.Verified = &t
+	}
+	if encrypted, _ := cmd.Flags().GetBool("encrypted"); encrypted {
+		t := true
+		query.Encrypted = &t
+	}
+	if drillTested, _ := cmd.Flags().GetBool("drill-tested"); drillTested {
+		t := true
+		query.DrillTested = &t
+	}
+
+	entries, err := cat.Search(ctx, query)
+	if err != nil {
+		return err
+	}
+
+	if len(entries) == 0 {
+		fmt.Println("No matching backups found.")
+		return nil
+	}
+
+	if catalogFormat == "json" {
+		data, _ := json.MarshalIndent(entries, "", "  ")
+		fmt.Println(string(data))
+		return nil
+	}
+
+	fmt.Printf("Found %d matching backups:\n\n", len(entries))
+
+	for _, entry := range entries {
+		fmt.Printf("[DIR] %s\n", entry.Database)
+		fmt.Printf("   Path: %s\n", entry.BackupPath)
+		fmt.Printf("   Type: %s | Size: %s | Created: %s\n",
+			entry.DatabaseType,
+			catalog.FormatSize(entry.SizeBytes),
+			entry.CreatedAt.Format("2006-01-02 15:04:05"))
+		if entry.Encrypted {
+			fmt.Printf("   [LOCK] Encrypted\n")
+		}
+		if entry.VerifyValid != nil && *entry.VerifyValid {
+			fmt.Printf("   [OK] Verified: %s\n", entry.VerifiedAt.Format("2006-01-02 15:04"))
+		}
+		if entry.DrillSuccess != nil && *entry.DrillSuccess {
+			fmt.Printf("   [TEST] Drill Tested: %s\n", entry.DrillTestedAt.Format("2006-01-02 15:04"))
+		}
+		fmt.Println()
+	}
+
+	return nil
+}
+
+func runCatalogInfo(cmd *cobra.Command, args []string) error {
+	backupPath := args[0]
+
+	cat, err := openCatalog()
+	if err != nil {
+		return err
+	}
+	defer cat.Close()
+
+	ctx := context.Background()
+
+	// Try absolute path
+	absPath, _ := filepath.Abs(backupPath)
+	entry, err := cat.GetByPath(ctx, absPath)
+	if err != nil {
+		return err
+	}
+
+	if entry == nil {
+		// Try as provided
+		entry, err = cat.GetByPath(ctx, backupPath)
+		if err != nil {
+			return err
+		}
+	}
+
+	if entry == nil {
+		return fmt.Errorf("backup not found in catalog: %s", backupPath)
+	}
+
+	if catalogFormat == "json" {
+		data, _ := json.MarshalIndent(entry, "", "  ")
+		fmt.Println(string(data))
+		return nil
+	}
+
+	fmt.Printf("=====================================================\n")
+	fmt.Printf("  Backup Details\n")
+	fmt.Printf("=====================================================\n\n")
+
+	fmt.Printf("[DIR] Database:     %s\n", entry.Database)
+	fmt.Printf("🔧 Type:         %s\n", entry.DatabaseType)
+	fmt.Printf("[HOST]  Host:         %s:%d\n", entry.Host, entry.Port)
+	fmt.Printf("📂 Path:         %s\n", entry.BackupPath)
+	fmt.Printf("[PKG] Backup Type:  %s\n", entry.BackupType)
+	fmt.Printf("[SAVE] Size:         %s (%d bytes)\n", catalog.FormatSize(entry.SizeBytes), entry.SizeBytes)
+	fmt.Printf("[HASH] SHA256:       %s\n", entry.SHA256)
+	fmt.Printf("📅 Created:      %s\n", entry.CreatedAt.Format("2006-01-02 15:04:05 MST"))
+	fmt.Printf("[TIME]  Duration:     %.2fs\n", entry.Duration)
+	fmt.Printf("[LOG] Status:       %s\n", entry.Status)
+
+	if entry.Compression != "" {
+		fmt.Printf("[PKG] Compression:  %s\n", entry.Compression)
+	}
+	if entry.Encrypted {
+		fmt.Printf("[LOCK] Encrypted:    yes\n")
+	}
+	if entry.CloudLocation != "" {
+		fmt.Printf("[CLOUD]  Cloud:        %s\n", entry.CloudLocation)
+	}
+	if entry.RetentionPolicy != "" {
+		fmt.Printf("📆 Retention:    %s\n", entry.RetentionPolicy)
+	}
+
+	fmt.Printf("\n[STATS] Verification:\n")
+	if entry.VerifiedAt != nil {
+		status := "[FAIL] Failed"
+		if entry.VerifyValid != nil && *entry.VerifyValid {
+			status = "[OK] Valid"
+		}
+		fmt.Printf("   Status: %s (checked %s)\n", status, entry.VerifiedAt.Format("2006-01-02 15:04"))
+	} else {
+		fmt.Printf("   Status: [WAIT] Not verified\n")
+	}
+
+	fmt.Printf("\n[TEST] DR Drill Test:\n")
+	if entry.DrillTestedAt != nil {
+		status := "[FAIL] Failed"
+		if entry.DrillSuccess != nil && *entry.DrillSuccess {
+			status = "[OK] Passed"
+		}
+		fmt.Printf("   Status: %s (tested %s)\n", status, entry.DrillTestedAt.Format("2006-01-02 15:04"))
+	} else {
+		fmt.Printf("   Status: [WAIT] Not tested\n")
+	}
+
+	if len(entry.Metadata) > 0 {
+		fmt.Printf("\n[NOTE] Additional Metadata:\n")
+		for k, v := range entry.Metadata {
+			fmt.Printf("   %s: %s\n", k, v)
+		}
+	}
+
+	fmt.Printf("\n=====================================================\n")
+
+	return nil
+}
+
+func truncateString(s string, maxLen int) string {
+	if len(s) <= maxLen {
+		return s
+	}
+	return s[:maxLen-3] + "..."
+}
--- a/cmd/cleanup.go
+++ b/cmd/cleanup.go
@@ -11,6 +11,7 @@ import (
 	"dbbackup/internal/cloud"
 	"dbbackup/internal/metadata"
 	"dbbackup/internal/retention"
+
 	"github.com/spf13/cobra"
 )

@@ -24,6 +25,13 @@ The retention policy ensures:
 2. At least --min-backups most recent backups are always kept
 3. Both conditions must be met for deletion

+GFS (Grandfather-Father-Son) Mode:
+When --gfs flag is enabled, a tiered retention policy is applied:
+- Yearly: Keep one backup per year on the first eligible day
+- Monthly: Keep one backup per month on the specified day
+- Weekly: Keep one backup per week on the specified weekday
+- Daily: Keep most recent daily backups
+
 Examples:
  # Clean up backups older than 30 days (keep at least 5)
  dbbackup cleanup /backups --retention-days 30 --min-backups 5
@@ -34,6 +42,12 @@ Examples:
  # Clean up specific database backups only
  dbbackup cleanup /backups --pattern "mydb_*.dump"

+  # GFS retention: 7 daily, 4 weekly, 12 monthly, 3 yearly
+  dbbackup cleanup /backups --gfs --gfs-daily 7 --gfs-weekly 4 --gfs-monthly 12 --gfs-yearly 3
+
+  # GFS with custom weekly day (Saturday) and monthly day (15th)
+  dbbackup cleanup /backups --gfs --gfs-weekly-day Saturday --gfs-monthly-day 15
+
  # Aggressive cleanup (keep only 3 most recent)
  dbbackup cleanup /backups --retention-days 1 --min-backups 3`,
 	Args: cobra.ExactArgs(1),
@@ -45,6 +59,15 @@ var (
 	minBackups     int
 	dryRun         bool
 	cleanupPattern string
+
+	// GFS retention policy flags
+	gfsEnabled    bool
+	gfsDaily      int
+	gfsWeekly     int
+	gfsMonthly    int
+	gfsYearly     int
+	gfsWeeklyDay  string
+	gfsMonthlyDay int
 )

 func init() {
@@ -53,6 +76,15 @@ func init() {
 	cleanupCmd.Flags().IntVar(&minBackups, "min-backups", 5, "Always keep at least this many backups")
 	cleanupCmd.Flags().BoolVar(&dryRun, "dry-run", false, "Show what would be deleted without actually deleting")
 	cleanupCmd.Flags().StringVar(&cleanupPattern, "pattern", "", "Only clean up backups matching this pattern (e.g., 'mydb_*.dump')")
+
+	// GFS retention policy flags
+	cleanupCmd.Flags().BoolVar(&gfsEnabled, "gfs", false, "Enable GFS (Grandfather-Father-Son) retention policy")
+	cleanupCmd.Flags().IntVar(&gfsDaily, "gfs-daily", 7, "Number of daily backups to keep (GFS mode)")
+	cleanupCmd.Flags().IntVar(&gfsWeekly, "gfs-weekly", 4, "Number of weekly backups to keep (GFS mode)")
+	cleanupCmd.Flags().IntVar(&gfsMonthly, "gfs-monthly", 12, "Number of monthly backups to keep (GFS mode)")
+	cleanupCmd.Flags().IntVar(&gfsYearly, "gfs-yearly", 3, "Number of yearly backups to keep (GFS mode)")
+	cleanupCmd.Flags().StringVar(&gfsWeeklyDay, "gfs-weekly-day", "Sunday", "Day of week for weekly backups (e.g., 'Sunday')")
+	cleanupCmd.Flags().IntVar(&gfsMonthlyDay, "gfs-monthly-day", 1, "Day of month for monthly backups (1-28)")
 }

 func runCleanup(cmd *cobra.Command, args []string) error {
@@ -71,6 +103,11 @@ func runCleanup(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("backup directory does not exist: %s", backupDir)
 	}

+	// Check if GFS mode is enabled
+	if gfsEnabled {
+		return runGFSCleanup(backupDir)
+	}
+
 	// Create retention policy
 	policy := retention.Policy{
 		RetentionDays: retentionDays,
@@ -78,7 +115,7 @@ func runCleanup(cmd *cobra.Command, args []string) error {
 		DryRun:        dryRun,
 	}

-	fmt.Printf("🗑️  Cleanup Policy:\n")
+	fmt.Printf("[CLEANUP] Cleanup Policy:\n")
 	fmt.Printf("   Directory: %s\n", backupDir)
 	fmt.Printf("   Retention: %d days\n", policy.RetentionDays)
 	fmt.Printf("   Min backups: %d\n", policy.MinBackups)
@@ -105,16 +142,16 @@ func runCleanup(cmd *cobra.Command, args []string) error {
 	}

 	// Display results
-	fmt.Printf("📊 Results:\n")
+	fmt.Printf("[RESULTS] Results:\n")
 	fmt.Printf("   Total backups: %d\n", result.TotalBackups)
 	fmt.Printf("   Eligible for deletion: %d\n", result.EligibleForDeletion)

 	if len(result.Deleted) > 0 {
 		fmt.Printf("\n")
 		if dryRun {
-			fmt.Printf("🔍 Would delete %d backup(s):\n", len(result.Deleted))
+			fmt.Printf("[DRY-RUN] Would delete %d backup(s):\n", len(result.Deleted))
 		} else {
-			fmt.Printf("✅ Deleted %d backup(s):\n", len(result.Deleted))
+			fmt.Printf("[OK] Deleted %d backup(s):\n", len(result.Deleted))
 		}
 		for _, file := range result.Deleted {
 			fmt.Printf("   - %s\n", filepath.Base(file))
@@ -122,33 +159,33 @@ func runCleanup(cmd *cobra.Command, args []string) error {
 	}

 	if len(result.Kept) > 0 && len(result.Kept) <= 10 {
-		fmt.Printf("\n📦 Kept %d backup(s):\n", len(result.Kept))
+		fmt.Printf("\n[KEPT] Kept %d backup(s):\n", len(result.Kept))
 		for _, file := range result.Kept {
 			fmt.Printf("   - %s\n", filepath.Base(file))
 		}
 	} else if len(result.Kept) > 10 {
-		fmt.Printf("\n📦 Kept %d backup(s)\n", len(result.Kept))
+		fmt.Printf("\n[KEPT] Kept %d backup(s)\n", len(result.Kept))
 	}

 	if !dryRun && result.SpaceFreed > 0 {
-		fmt.Printf("\n💾 Space freed: %s\n", metadata.FormatSize(result.SpaceFreed))
+		fmt.Printf("\n[FREED] Space freed: %s\n", metadata.FormatSize(result.SpaceFreed))
 	}

 	if len(result.Errors) > 0 {
-		fmt.Printf("\n⚠️  Errors:\n")
+		fmt.Printf("\n[WARN] Errors:\n")
 		for _, err := range result.Errors {
 			fmt.Printf("   - %v\n", err)
 		}
 	}

-	fmt.Println(strings.Repeat("─", 50))
+	fmt.Println(strings.Repeat("-", 50))

 	if dryRun {
-		fmt.Println("✅ Dry run completed (no files were deleted)")
+		fmt.Println("[OK] Dry run completed (no files were deleted)")
 	} else if len(result.Deleted) > 0 {
-		fmt.Println("✅ Cleanup completed successfully")
+		fmt.Println("[OK] Cleanup completed successfully")
 	} else {
-		fmt.Println("ℹ️  No backups eligible for deletion")
+		fmt.Println("[INFO] No backups eligible for deletion")
 	}

 	return nil
@@ -175,7 +212,7 @@ func runCloudCleanup(ctx context.Context, uri string) error {
 		return fmt.Errorf("invalid cloud URI: %w", err)
 	}

-	fmt.Printf("☁️  Cloud Cleanup Policy:\n")
+	fmt.Printf("[CLOUD] Cloud Cleanup Policy:\n")
 	fmt.Printf("   URI: %s\n", uri)
 	fmt.Printf("   Provider: %s\n", cloudURI.Provider)
 	fmt.Printf("   Bucket: %s\n", cloudURI.Bucket)
@@ -258,7 +295,7 @@ func runCloudCleanup(ctx context.Context, uri string) error {
 	}

 	// Display results
-	fmt.Printf("📊 Results:\n")
+	fmt.Printf("[RESULTS] Results:\n")
 	fmt.Printf("   Total backups: %d\n", totalBackups)
 	fmt.Printf("   Eligible for deletion: %d\n", len(toDelete))
 	fmt.Printf("   Will keep: %d\n", len(toKeep))
@@ -266,9 +303,9 @@ func runCloudCleanup(ctx context.Context, uri string) error {

 	if len(toDelete) > 0 {
 		if dryRun {
-			fmt.Printf("🔍 Would delete %d backup(s):\n", len(toDelete))
+			fmt.Printf("[DRY-RUN] Would delete %d backup(s):\n", len(toDelete))
 		} else {
-			fmt.Printf("🗑️  Deleting %d backup(s):\n", len(toDelete))
+			fmt.Printf("[DELETE] Deleting %d backup(s):\n", len(toDelete))
 		}

 		var totalSize int64
@@ -284,7 +321,7 @@ func runCloudCleanup(ctx context.Context, uri string) error {

 			if !dryRun {
 				if err := backend.Delete(ctx, backup.Key); err != nil {
-					fmt.Printf("     ❌ Error: %v\n", err)
+					fmt.Printf("     [FAIL] Error: %v\n", err)
 				} else {
 					deletedCount++
 					// Also try to delete metadata
@@ -293,12 +330,12 @@ func runCloudCleanup(ctx context.Context, uri string) error {
 			}
 		}

-		fmt.Printf("\n💾 Space %s: %s\n", 
+		fmt.Printf("\n[FREED] Space %s: %s\n",
 			map[bool]string{true: "would be freed", false: "freed"}[dryRun],
 			cloud.FormatSize(totalSize))

 		if !dryRun && deletedCount > 0 {
-			fmt.Printf("✅ Successfully deleted %d backup(s)\n", deletedCount)
+			fmt.Printf("[OK] Successfully deleted %d backup(s)\n", deletedCount)
 		}
 	} else {
 		fmt.Println("No backups eligible for deletion")
@@ -332,3 +369,112 @@ func formatBackupAge(t time.Time) string {
 		return fmt.Sprintf("%d years", years)
 	}
 }
+
+// runGFSCleanup applies GFS (Grandfather-Father-Son) retention policy
+func runGFSCleanup(backupDir string) error {
+	// Create GFS policy
+	policy := retention.GFSPolicy{
+		Enabled:    true,
+		Daily:      gfsDaily,
+		Weekly:     gfsWeekly,
+		Monthly:    gfsMonthly,
+		Yearly:     gfsYearly,
+		WeeklyDay:  retention.ParseWeekday(gfsWeeklyDay),
+		MonthlyDay: gfsMonthlyDay,
+		DryRun:     dryRun,
+	}
+
+	fmt.Printf("📅 GFS Retention Policy:\n")
+	fmt.Printf("   Directory: %s\n", backupDir)
+	fmt.Printf("   Daily:     %d backups\n", policy.Daily)
+	fmt.Printf("   Weekly:    %d backups (on %s)\n", policy.Weekly, gfsWeeklyDay)
+	fmt.Printf("   Monthly:   %d backups (day %d)\n", policy.Monthly, policy.MonthlyDay)
+	fmt.Printf("   Yearly:    %d backups\n", policy.Yearly)
+	if cleanupPattern != "" {
+		fmt.Printf("   Pattern:   %s\n", cleanupPattern)
+	}
+	if dryRun {
+		fmt.Printf("   Mode:      DRY RUN (no files will be deleted)\n")
+	}
+	fmt.Println()
+
+	// Apply GFS policy
+	result, err := retention.ApplyGFSPolicy(backupDir, policy)
+	if err != nil {
+		return fmt.Errorf("GFS cleanup failed: %w", err)
+	}
+
+	// Display tier breakdown
+	fmt.Printf("[STATS] Backup Classification:\n")
+	fmt.Printf("   Yearly:  %d\n", result.YearlyKept)
+	fmt.Printf("   Monthly: %d\n", result.MonthlyKept)
+	fmt.Printf("   Weekly:  %d\n", result.WeeklyKept)
+	fmt.Printf("   Daily:   %d\n", result.DailyKept)
+	fmt.Printf("   Total kept: %d\n", result.TotalKept)
+	fmt.Println()
+
+	// Display deletions
+	if len(result.Deleted) > 0 {
+		if dryRun {
+			fmt.Printf("[SEARCH] Would delete %d backup(s):\n", len(result.Deleted))
+		} else {
+			fmt.Printf("[OK] Deleted %d backup(s):\n", len(result.Deleted))
+		}
+		for _, file := range result.Deleted {
+			fmt.Printf("   - %s\n", filepath.Base(file))
+		}
+	}
+
+	// Display kept backups (limited display)
+	if len(result.Kept) > 0 && len(result.Kept) <= 15 {
+		fmt.Printf("\n[PKG] Kept %d backup(s):\n", len(result.Kept))
+		for _, file := range result.Kept {
+			// Show tier classification
+			info, _ := os.Stat(file)
+			if info != nil {
+				tiers := retention.ClassifyBackup(info.ModTime(), policy)
+				tierStr := formatTiers(tiers)
+				fmt.Printf("   - %s [%s]\n", filepath.Base(file), tierStr)
+			} else {
+				fmt.Printf("   - %s\n", filepath.Base(file))
+			}
+		}
+	} else if len(result.Kept) > 15 {
+		fmt.Printf("\n[PKG] Kept %d backup(s)\n", len(result.Kept))
+	}
+
+	if !dryRun && result.SpaceFreed > 0 {
+		fmt.Printf("\n[SAVE] Space freed: %s\n", metadata.FormatSize(result.SpaceFreed))
+	}
+
+	if len(result.Errors) > 0 {
+		fmt.Printf("\n[WARN]  Errors:\n")
+		for _, err := range result.Errors {
+			fmt.Printf("   - %v\n", err)
+		}
+	}
+
+	fmt.Println(strings.Repeat("-", 50))
+
+	if dryRun {
+		fmt.Println("[OK] GFS dry run completed (no files were deleted)")
+	} else if len(result.Deleted) > 0 {
+		fmt.Println("[OK] GFS cleanup completed successfully")
+	} else {
+		fmt.Println("[INFO]  No backups eligible for deletion under GFS policy")
+	}
+
+	return nil
+}
+
+// formatTiers formats a list of tiers as a comma-separated string
+func formatTiers(tiers []retention.Tier) string {
+	if len(tiers) == 0 {
+		return "none"
+	}
+	parts := make([]string, len(tiers))
+	for i, t := range tiers {
+		parts[i] = t.String()
+	}
+	return strings.Join(parts, ",")
+}
--- a/cmd/cloud.go
+++ b/cmd/cloud.go
@@ -9,6 +9,7 @@ import (
 	"time"

 	"dbbackup/internal/cloud"
+
 	"github.com/spf13/cobra"
 )

@@ -188,12 +189,12 @@ func runCloudUpload(cmd *cobra.Command, args []string) error {
 		}
 	}

-	fmt.Printf("☁️  Uploading %d file(s) to %s...\n\n", len(files), backend.Name())
+	fmt.Printf("[CLOUD] Uploading %d file(s) to %s...\n\n", len(files), backend.Name())

 	successCount := 0
 	for _, localPath := range files {
 		filename := filepath.Base(localPath)
-		fmt.Printf("📤 %s\n", filename)
+		fmt.Printf("[UPLOAD] %s\n", filename)

 		// Progress callback
 		var lastPercent int
@@ -213,21 +214,21 @@ func runCloudUpload(cmd *cobra.Command, args []string) error {

 		err := backend.Upload(ctx, localPath, filename, progress)
 		if err != nil {
-			fmt.Printf("   ❌ Failed: %v\n\n", err)
+			fmt.Printf("   [FAIL] Failed: %v\n\n", err)
 			continue
 		}

 		// Get file size
 		if info, err := os.Stat(localPath); err == nil {
-			fmt.Printf("   ✅ Uploaded (%s)\n\n", cloud.FormatSize(info.Size()))
+			fmt.Printf("   [OK] Uploaded (%s)\n\n", cloud.FormatSize(info.Size()))
 		} else {
-			fmt.Printf("   ✅ Uploaded\n\n")
+			fmt.Printf("   [OK] Uploaded\n\n")
 		}
 		successCount++
 	}

-	fmt.Println(strings.Repeat("─", 50))
-	fmt.Printf("✅ Successfully uploaded %d/%d file(s)\n", successCount, len(files))
+	fmt.Println(strings.Repeat("-", 50))
+	fmt.Printf("[OK] Successfully uploaded %d/%d file(s)\n", successCount, len(files))

 	return nil
 }
@@ -247,8 +248,8 @@ func runCloudDownload(cmd *cobra.Command, args []string) error {
 		localPath = filepath.Join(localPath, filepath.Base(remotePath))
 	}

-	fmt.Printf("☁️  Downloading from %s...\n\n", backend.Name())
-	fmt.Printf("📥 %s → %s\n", remotePath, localPath)
+	fmt.Printf("[CLOUD] Downloading from %s...\n\n", backend.Name())
+	fmt.Printf("[DOWNLOAD] %s -> %s\n", remotePath, localPath)

 	// Progress callback
 	var lastPercent int
@@ -273,9 +274,9 @@ func runCloudDownload(cmd *cobra.Command, args []string) error {

 	// Get file size
 	if info, err := os.Stat(localPath); err == nil {
-		fmt.Printf("   ✅ Downloaded (%s)\n", cloud.FormatSize(info.Size()))
+		fmt.Printf("   [OK] Downloaded (%s)\n", cloud.FormatSize(info.Size()))
 	} else {
-		fmt.Printf("   ✅ Downloaded\n")
+		fmt.Printf("   [OK] Downloaded\n")
 	}

 	return nil
@@ -293,7 +294,7 @@ func runCloudList(cmd *cobra.Command, args []string) error {
 		prefix = args[0]
 	}

-	fmt.Printf("☁️  Listing backups in %s/%s...\n\n", backend.Name(), cloudBucket)
+	fmt.Printf("[CLOUD] Listing backups in %s/%s...\n\n", backend.Name(), cloudBucket)

 	backups, err := backend.List(ctx, prefix)
 	if err != nil {
@@ -310,7 +311,7 @@ func runCloudList(cmd *cobra.Command, args []string) error {
 		totalSize += backup.Size

 		if cloudVerbose {
-			fmt.Printf("📦 %s\n", backup.Name)
+			fmt.Printf("[FILE] %s\n", backup.Name)
 			fmt.Printf("   Size: %s\n", cloud.FormatSize(backup.Size))
 			fmt.Printf("   Modified: %s\n", backup.LastModified.Format(time.RFC3339))
 			if backup.StorageClass != "" {
@@ -327,7 +328,7 @@ func runCloudList(cmd *cobra.Command, args []string) error {
 		}
 	}

-	fmt.Println(strings.Repeat("─", 50))
+	fmt.Println(strings.Repeat("-", 50))
 	fmt.Printf("Total: %d backup(s), %s\n", len(backups), cloud.FormatSize(totalSize))

 	return nil
@@ -359,7 +360,7 @@ func runCloudDelete(cmd *cobra.Command, args []string) error {

 	// Confirmation prompt
 	if !cloudConfirm {
-		fmt.Printf("⚠️  Delete %s (%s) from cloud storage?\n", remotePath, cloud.FormatSize(size))
+		fmt.Printf("[WARN] Delete %s (%s) from cloud storage?\n", remotePath, cloud.FormatSize(size))
 		fmt.Print("Type 'yes' to confirm: ")
 		var response string
 		fmt.Scanln(&response)
@@ -369,14 +370,14 @@ func runCloudDelete(cmd *cobra.Command, args []string) error {
 		}
 	}

-	fmt.Printf("🗑️  Deleting %s...\n", remotePath)
+	fmt.Printf("[DELETE] Deleting %s...\n", remotePath)

 	err = backend.Delete(ctx, remotePath)
 	if err != nil {
 		return fmt.Errorf("delete failed: %w", err)
 	}

-	fmt.Printf("✅ Deleted %s (%s)\n", remotePath, cloud.FormatSize(size))
+	fmt.Printf("[OK] Deleted %s (%s)\n", remotePath, cloud.FormatSize(size))

 	return nil
 }
--- a/cmd/cpu.go
+++ b/cmd/cpu.go
@@ -61,10 +61,10 @@ func runCPUInfo(ctx context.Context) error {

 	// Show current vs optimal
 	if cfg.AutoDetectCores {
-		fmt.Println("\n✅ CPU optimization is enabled")
+		fmt.Println("\n[OK] CPU optimization is enabled")
 		fmt.Println("Job counts are automatically optimized based on detected hardware")
 	} else {
-		fmt.Println("\n⚠️  CPU optimization is disabled")
+		fmt.Println("\n[WARN] CPU optimization is disabled")
 		fmt.Println("Consider enabling --auto-detect-cores for better performance")
 	}

--- a/cmd/dedup.go
+++ b/cmd/dedup.go
@@ -0,0 +1,1284 @@
+package cmd
+
+import (
+	"compress/gzip"
+	"crypto/sha256"
+	"encoding/hex"
+	"fmt"
+	"io"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strings"
+	"time"
+
+	"dbbackup/internal/dedup"
+
+	"github.com/spf13/cobra"
+)
+
+var dedupCmd = &cobra.Command{
+	Use:   "dedup",
+	Short: "Deduplicated backup operations",
+	Long: `Content-defined chunking deduplication for space-efficient backups.
+
+Similar to restic/borgbackup but with native database dump support.
+
+Features:
+- Content-defined chunking (CDC) with Buzhash rolling hash
+- SHA-256 content-addressed storage
+- AES-256-GCM encryption (optional)
+- Gzip compression (optional)
+- SQLite index for fast lookups
+
+Storage Structure:
+  <dedup-dir>/
+    chunks/       # Content-addressed chunk files
+      ab/cdef...  # Sharded by first 2 chars of hash
+    manifests/    # JSON manifest per backup
+    chunks.db     # SQLite index
+
+NFS/CIFS NOTICE:
+  SQLite may have locking issues on network storage.
+  Use --index-db to put the SQLite index on local storage while keeping
+  chunks on network storage:
+  
+    dbbackup dedup backup mydb.sql \
+      --dedup-dir /mnt/nfs/backups/dedup \
+      --index-db /var/lib/dbbackup/dedup-index.db
+
+  This avoids "database is locked" errors while still storing chunks remotely.
+
+COMPRESSED INPUT NOTICE:
+  Pre-compressed files (.gz) have poor deduplication ratios (<10%).
+  Use --decompress-input to decompress before chunking for better results:
+  
+    dbbackup dedup backup mydb.sql.gz --decompress-input`,
+}
+
+var dedupBackupCmd = &cobra.Command{
+	Use:   "backup <file>",
+	Short: "Create a deduplicated backup of a file",
+	Long: `Chunk a file using content-defined chunking and store deduplicated chunks.
+
+Example:
+  dbbackup dedup backup /path/to/database.dump
+  dbbackup dedup backup mydb.sql --compress --encrypt`,
+	Args: cobra.ExactArgs(1),
+	RunE: runDedupBackup,
+}
+
+var dedupRestoreCmd = &cobra.Command{
+	Use:   "restore <manifest-id> <output-file>",
+	Short: "Restore a backup from its manifest",
+	Long: `Reconstruct a file from its deduplicated chunks.
+
+Example:
+  dbbackup dedup restore 2026-01-07_120000_mydb /tmp/restored.dump
+  dbbackup dedup list  # to see available manifests`,
+	Args: cobra.ExactArgs(2),
+	RunE: runDedupRestore,
+}
+
+var dedupListCmd = &cobra.Command{
+	Use:   "list",
+	Short: "List all deduplicated backups",
+	RunE:  runDedupList,
+}
+
+var dedupStatsCmd = &cobra.Command{
+	Use:   "stats",
+	Short: "Show deduplication statistics",
+	RunE:  runDedupStats,
+}
+
+var dedupGCCmd = &cobra.Command{
+	Use:   "gc",
+	Short: "Garbage collect unreferenced chunks",
+	Long: `Remove chunks that are no longer referenced by any manifest.
+
+Run after deleting old backups to reclaim space.`,
+	RunE: runDedupGC,
+}
+
+var dedupDeleteCmd = &cobra.Command{
+	Use:   "delete <manifest-id>",
+	Short: "Delete a backup manifest (chunks cleaned by gc)",
+	Args:  cobra.ExactArgs(1),
+	RunE:  runDedupDelete,
+}
+
+var dedupVerifyCmd = &cobra.Command{
+	Use:   "verify [manifest-id]",
+	Short: "Verify chunk integrity against manifests",
+	Long: `Verify that all chunks referenced by manifests exist and have correct hashes.
+
+Without arguments, verifies all backups. With a manifest ID, verifies only that backup.
+
+Examples:
+  dbbackup dedup verify                    # Verify all backups
+  dbbackup dedup verify 2026-01-07_mydb    # Verify specific backup`,
+	RunE: runDedupVerify,
+}
+
+var dedupPruneCmd = &cobra.Command{
+	Use:   "prune",
+	Short: "Apply retention policy to manifests",
+	Long: `Delete old manifests based on retention policy (like borg prune).
+
+Keeps a specified number of recent backups per database and deletes the rest.
+
+Examples:
+  dbbackup dedup prune --keep-last 7                    # Keep 7 most recent
+  dbbackup dedup prune --keep-daily 7 --keep-weekly 4   # Keep 7 daily + 4 weekly`,
+	RunE: runDedupPrune,
+}
+
+var dedupBackupDBCmd = &cobra.Command{
+	Use:   "backup-db",
+	Short: "Direct database dump with deduplication",
+	Long: `Dump a database directly into deduplicated chunks without temp files.
+
+Streams the database dump through the chunker for efficient deduplication.
+
+Examples:
+  dbbackup dedup backup-db --db-type postgres --db-name mydb
+  dbbackup dedup backup-db -d mariadb --database production_db --host db.local`,
+	RunE: runDedupBackupDB,
+}
+
+// Prune flags
+var (
+	pruneKeepLast   int
+	pruneKeepDaily  int
+	pruneKeepWeekly int
+	pruneDryRun     bool
+)
+
+// backup-db flags
+var (
+	backupDBDatabase string
+	backupDBUser     string
+	backupDBPassword string
+)
+
+// metrics flags
+var (
+	dedupMetricsOutput   string
+	dedupMetricsInstance string
+)
+
+var dedupMetricsCmd = &cobra.Command{
+	Use:   "metrics",
+	Short: "Export dedup statistics as Prometheus metrics",
+	Long: `Export deduplication statistics in Prometheus format.
+
+Can write to a textfile for node_exporter's textfile collector,
+or print to stdout for custom integrations.
+
+Examples:
+  dbbackup dedup metrics                                    # Print to stdout
+  dbbackup dedup metrics --output /var/lib/node_exporter/textfile_collector/dedup.prom
+  dbbackup dedup metrics --instance prod-db-1`,
+	RunE: runDedupMetrics,
+}
+
+// Flags
+var (
+	dedupDir        string
+	dedupIndexDB    string // Separate path for SQLite index (for NFS/CIFS support)
+	dedupCompress   bool
+	dedupEncrypt    bool
+	dedupKey        string
+	dedupName       string
+	dedupDBType     string
+	dedupDBName     string
+	dedupDBHost     string
+	dedupDecompress bool // Auto-decompress gzip input
+)
+
+func init() {
+	rootCmd.AddCommand(dedupCmd)
+	dedupCmd.AddCommand(dedupBackupCmd)
+	dedupCmd.AddCommand(dedupRestoreCmd)
+	dedupCmd.AddCommand(dedupListCmd)
+	dedupCmd.AddCommand(dedupStatsCmd)
+	dedupCmd.AddCommand(dedupGCCmd)
+	dedupCmd.AddCommand(dedupDeleteCmd)
+	dedupCmd.AddCommand(dedupVerifyCmd)
+	dedupCmd.AddCommand(dedupPruneCmd)
+	dedupCmd.AddCommand(dedupBackupDBCmd)
+	dedupCmd.AddCommand(dedupMetricsCmd)
+
+	// Global dedup flags
+	dedupCmd.PersistentFlags().StringVar(&dedupDir, "dedup-dir", "", "Dedup storage directory (default: $BACKUP_DIR/dedup)")
+	dedupCmd.PersistentFlags().StringVar(&dedupIndexDB, "index-db", "", "SQLite index path (local recommended for NFS/CIFS chunk dirs)")
+	dedupCmd.PersistentFlags().BoolVar(&dedupCompress, "compress", true, "Compress chunks with gzip")
+	dedupCmd.PersistentFlags().BoolVar(&dedupEncrypt, "encrypt", false, "Encrypt chunks with AES-256-GCM")
+	dedupCmd.PersistentFlags().StringVar(&dedupKey, "key", "", "Encryption key (hex) or use DBBACKUP_DEDUP_KEY env")
+
+	// Backup-specific flags
+	dedupBackupCmd.Flags().StringVar(&dedupName, "name", "", "Optional backup name")
+	dedupBackupCmd.Flags().StringVar(&dedupDBType, "db-type", "", "Database type (postgres/mysql)")
+	dedupBackupCmd.Flags().StringVar(&dedupDBName, "db-name", "", "Database name")
+	dedupBackupCmd.Flags().StringVar(&dedupDBHost, "db-host", "", "Database host")
+	dedupBackupCmd.Flags().BoolVar(&dedupDecompress, "decompress-input", false, "Auto-decompress gzip input before chunking (improves dedup ratio)")
+
+	// Prune flags
+	dedupPruneCmd.Flags().IntVar(&pruneKeepLast, "keep-last", 0, "Keep the last N backups")
+	dedupPruneCmd.Flags().IntVar(&pruneKeepDaily, "keep-daily", 0, "Keep N daily backups")
+	dedupPruneCmd.Flags().IntVar(&pruneKeepWeekly, "keep-weekly", 0, "Keep N weekly backups")
+	dedupPruneCmd.Flags().BoolVar(&pruneDryRun, "dry-run", false, "Show what would be deleted without actually deleting")
+
+	// backup-db flags
+	dedupBackupDBCmd.Flags().StringVarP(&dedupDBType, "db-type", "d", "", "Database type (postgres/mariadb/mysql)")
+	dedupBackupDBCmd.Flags().StringVar(&backupDBDatabase, "database", "", "Database name to backup")
+	dedupBackupDBCmd.Flags().StringVar(&dedupDBHost, "host", "localhost", "Database host")
+	dedupBackupDBCmd.Flags().StringVarP(&backupDBUser, "user", "u", "", "Database user")
+	dedupBackupDBCmd.Flags().StringVarP(&backupDBPassword, "password", "p", "", "Database password (or use env)")
+	dedupBackupDBCmd.MarkFlagRequired("db-type")
+	dedupBackupDBCmd.MarkFlagRequired("database")
+
+	// Metrics flags
+	dedupMetricsCmd.Flags().StringVarP(&dedupMetricsOutput, "output", "o", "", "Output file path (default: stdout)")
+	dedupMetricsCmd.Flags().StringVar(&dedupMetricsInstance, "instance", "", "Instance label for metrics (default: hostname)")
+}
+
+func getDedupDir() string {
+	if dedupDir != "" {
+		return dedupDir
+	}
+	if cfg != nil && cfg.BackupDir != "" {
+		return filepath.Join(cfg.BackupDir, "dedup")
+	}
+	return filepath.Join(os.Getenv("HOME"), "db_backups", "dedup")
+}
+
+func getIndexDBPath() string {
+	if dedupIndexDB != "" {
+		return dedupIndexDB
+	}
+	// Default: same directory as chunks (may have issues on NFS/CIFS)
+	return filepath.Join(getDedupDir(), "chunks.db")
+}
+
+func getEncryptionKey() string {
+	if dedupKey != "" {
+		return dedupKey
+	}
+	return os.Getenv("DBBACKUP_DEDUP_KEY")
+}
+
+func runDedupBackup(cmd *cobra.Command, args []string) error {
+	inputPath := args[0]
+
+	// Open input file
+	file, err := os.Open(inputPath)
+	if err != nil {
+		return fmt.Errorf("failed to open input file: %w", err)
+	}
+	defer file.Close()
+
+	info, err := file.Stat()
+	if err != nil {
+		return fmt.Errorf("failed to stat input file: %w", err)
+	}
+
+	// Check for compressed input and warn/handle
+	var reader io.Reader = file
+	isGzipped := strings.HasSuffix(strings.ToLower(inputPath), ".gz")
+	if isGzipped && !dedupDecompress {
+		fmt.Printf("Warning: Input appears to be gzip compressed (.gz)\n")
+		fmt.Printf("  Compressed data typically has poor dedup ratios (<10%%).\n")
+		fmt.Printf("  Consider using --decompress-input for better deduplication.\n\n")
+	}
+
+	if isGzipped && dedupDecompress {
+		fmt.Printf("Auto-decompressing gzip input for better dedup ratio...\n")
+		gzReader, err := gzip.NewReader(file)
+		if err != nil {
+			return fmt.Errorf("failed to decompress gzip input: %w", err)
+		}
+		defer gzReader.Close()
+		reader = gzReader
+	}
+
+	// Setup dedup storage
+	basePath := getDedupDir()
+	encKey := ""
+	if dedupEncrypt {
+		encKey = getEncryptionKey()
+		if encKey == "" {
+			return fmt.Errorf("encryption enabled but no key provided (use --key or DBBACKUP_DEDUP_KEY)")
+		}
+	}
+
+	store, err := dedup.NewChunkStore(dedup.StoreConfig{
+		BasePath:      basePath,
+		Compress:      dedupCompress,
+		EncryptionKey: encKey,
+	})
+	if err != nil {
+		return fmt.Errorf("failed to open chunk store: %w", err)
+	}
+
+	manifestStore, err := dedup.NewManifestStore(basePath)
+	if err != nil {
+		return fmt.Errorf("failed to open manifest store: %w", err)
+	}
+
+	index, err := dedup.NewChunkIndexAt(getIndexDBPath())
+	if err != nil {
+		return fmt.Errorf("failed to open chunk index: %w", err)
+	}
+	defer index.Close()
+
+	// Generate manifest ID
+	now := time.Now()
+	manifestID := now.Format("2006-01-02_150405")
+	if dedupDBName != "" {
+		manifestID += "_" + dedupDBName
+	} else {
+		base := filepath.Base(inputPath)
+		ext := filepath.Ext(base)
+		// Remove .gz extension if decompressing
+		if isGzipped && dedupDecompress {
+			base = strings.TrimSuffix(base, ext)
+			ext = filepath.Ext(base)
+		}
+		manifestID += "_" + strings.TrimSuffix(base, ext)
+	}
+
+	fmt.Printf("Creating deduplicated backup: %s\n", manifestID)
+	fmt.Printf("Input: %s (%s)\n", inputPath, formatBytes(info.Size()))
+	if isGzipped && dedupDecompress {
+		fmt.Printf("Mode: Decompressing before chunking\n")
+	}
+	fmt.Printf("Store: %s\n", basePath)
+	if dedupIndexDB != "" {
+		fmt.Printf("Index: %s\n", getIndexDBPath())
+	}
+
+	// For decompressed input, we can't seek - use TeeReader to hash while chunking
+	h := sha256.New()
+	var chunkReader io.Reader
+
+	if isGzipped && dedupDecompress {
+		// Can't seek on gzip stream - hash will be computed inline
+		chunkReader = io.TeeReader(reader, h)
+	} else {
+		// Regular file - hash first, then reset and chunk
+		file.Seek(0, 0)
+		io.Copy(h, file)
+		file.Seek(0, 0)
+		chunkReader = file
+		h = sha256.New() // Reset for inline hashing
+		chunkReader = io.TeeReader(file, h)
+	}
+
+	// Chunk the file
+	chunker := dedup.NewChunker(chunkReader, dedup.DefaultChunkerConfig())
+	var chunks []dedup.ChunkRef
+	var totalSize, storedSize int64
+	var chunkCount, newChunks int
+
+	startTime := time.Now()
+
+	for {
+		chunk, err := chunker.Next()
+		if err == io.EOF {
+			break
+		}
+		if err != nil {
+			return fmt.Errorf("chunking failed: %w", err)
+		}
+
+		chunkCount++
+		totalSize += int64(chunk.Length)
+
+		// Store chunk (deduplication happens here)
+		isNew, err := store.Put(chunk)
+		if err != nil {
+			return fmt.Errorf("failed to store chunk: %w", err)
+		}
+
+		if isNew {
+			newChunks++
+			storedSize += int64(chunk.Length)
+			// Record in index
+			index.AddChunk(chunk.Hash, chunk.Length, chunk.Length)
+		}
+
+		chunks = append(chunks, dedup.ChunkRef{
+			Hash:   chunk.Hash,
+			Offset: chunk.Offset,
+			Length: chunk.Length,
+		})
+
+		// Progress
+		if chunkCount%1000 == 0 {
+			fmt.Printf("\r  Processed %d chunks, %d new...", chunkCount, newChunks)
+		}
+	}
+
+	duration := time.Since(startTime)
+
+	// Get final hash (computed inline via TeeReader)
+	fileHash := hex.EncodeToString(h.Sum(nil))
+
+	// Calculate dedup ratio
+	dedupRatio := 0.0
+	if totalSize > 0 {
+		dedupRatio = 1.0 - float64(storedSize)/float64(totalSize)
+	}
+
+	// Create manifest
+	manifest := &dedup.Manifest{
+		ID:           manifestID,
+		Name:         dedupName,
+		CreatedAt:    now,
+		DatabaseType: dedupDBType,
+		DatabaseName: dedupDBName,
+		DatabaseHost: dedupDBHost,
+		Chunks:       chunks,
+		OriginalSize: totalSize,
+		StoredSize:   storedSize,
+		ChunkCount:   chunkCount,
+		NewChunks:    newChunks,
+		DedupRatio:   dedupRatio,
+		Encrypted:    dedupEncrypt,
+		Compressed:   dedupCompress,
+		SHA256:       fileHash,
+		Decompressed: isGzipped && dedupDecompress, // Track if we decompressed
+	}
+
+	if err := manifestStore.Save(manifest); err != nil {
+		return fmt.Errorf("failed to save manifest: %w", err)
+	}
+
+	if err := index.AddManifest(manifest); err != nil {
+		log.Warn("Failed to index manifest", "error", err)
+	}
+
+	fmt.Printf("\r                                        \r")
+	fmt.Printf("\nBackup complete!\n")
+	fmt.Printf("  Manifest:    %s\n", manifestID)
+	fmt.Printf("  Chunks:      %d total, %d new\n", chunkCount, newChunks)
+	fmt.Printf("  Original:    %s\n", formatBytes(totalSize))
+	fmt.Printf("  Stored:      %s (new data)\n", formatBytes(storedSize))
+	fmt.Printf("  Dedup ratio: %.1f%%\n", dedupRatio*100)
+	fmt.Printf("  Duration:    %s\n", duration.Round(time.Millisecond))
+	fmt.Printf("  Throughput:  %s/s\n", formatBytes(int64(float64(totalSize)/duration.Seconds())))
+
+	return nil
+}
+
+func runDedupRestore(cmd *cobra.Command, args []string) error {
+	manifestID := args[0]
+	outputPath := args[1]
+
+	basePath := getDedupDir()
+	encKey := ""
+	if dedupEncrypt {
+		encKey = getEncryptionKey()
+	}
+
+	store, err := dedup.NewChunkStore(dedup.StoreConfig{
+		BasePath:      basePath,
+		Compress:      dedupCompress,
+		EncryptionKey: encKey,
+	})
+	if err != nil {
+		return fmt.Errorf("failed to open chunk store: %w", err)
+	}
+
+	manifestStore, err := dedup.NewManifestStore(basePath)
+	if err != nil {
+		return fmt.Errorf("failed to open manifest store: %w", err)
+	}
+
+	manifest, err := manifestStore.Load(manifestID)
+	if err != nil {
+		return fmt.Errorf("failed to load manifest: %w", err)
+	}
+
+	fmt.Printf("Restoring backup: %s\n", manifestID)
+	fmt.Printf("  Created:  %s\n", manifest.CreatedAt.Format(time.RFC3339))
+	fmt.Printf("  Size:     %s\n", formatBytes(manifest.OriginalSize))
+	fmt.Printf("  Chunks:   %d\n", manifest.ChunkCount)
+
+	// Create output file
+	outFile, err := os.Create(outputPath)
+	if err != nil {
+		return fmt.Errorf("failed to create output file: %w", err)
+	}
+	defer outFile.Close()
+
+	h := sha256.New()
+	writer := io.MultiWriter(outFile, h)
+
+	startTime := time.Now()
+
+	for i, ref := range manifest.Chunks {
+		chunk, err := store.Get(ref.Hash)
+		if err != nil {
+			return fmt.Errorf("failed to read chunk %d (%s): %w", i, ref.Hash[:8], err)
+		}
+
+		if _, err := writer.Write(chunk.Data); err != nil {
+			return fmt.Errorf("failed to write chunk %d: %w", i, err)
+		}
+
+		if (i+1)%1000 == 0 {
+			fmt.Printf("\r  Restored %d/%d chunks...", i+1, manifest.ChunkCount)
+		}
+	}
+
+	duration := time.Since(startTime)
+	restoredHash := hex.EncodeToString(h.Sum(nil))
+
+	fmt.Printf("\r                                        \r")
+	fmt.Printf("\nRestore complete!\n")
+	fmt.Printf("  Output:      %s\n", outputPath)
+	fmt.Printf("  Duration:    %s\n", duration.Round(time.Millisecond))
+
+	// Verify hash
+	if manifest.SHA256 != "" {
+		if restoredHash == manifest.SHA256 {
+			fmt.Printf("  Verification: [OK] SHA-256 matches\n")
+		} else {
+			fmt.Printf("  Verification: [FAIL] SHA-256 MISMATCH!\n")
+			fmt.Printf("    Expected: %s\n", manifest.SHA256)
+			fmt.Printf("    Got:      %s\n", restoredHash)
+			return fmt.Errorf("integrity verification failed")
+		}
+	}
+
+	return nil
+}
+
+func runDedupList(cmd *cobra.Command, args []string) error {
+	basePath := getDedupDir()
+
+	manifestStore, err := dedup.NewManifestStore(basePath)
+	if err != nil {
+		return fmt.Errorf("failed to open manifest store: %w", err)
+	}
+
+	manifests, err := manifestStore.ListAll()
+	if err != nil {
+		return fmt.Errorf("failed to list manifests: %w", err)
+	}
+
+	if len(manifests) == 0 {
+		fmt.Println("No deduplicated backups found.")
+		fmt.Printf("Store: %s\n", basePath)
+		return nil
+	}
+
+	fmt.Printf("Deduplicated Backups (%s)\n\n", basePath)
+	fmt.Printf("%-30s %-12s %-10s %-10s %s\n", "ID", "SIZE", "DEDUP", "CHUNKS", "CREATED")
+	fmt.Println(strings.Repeat("-", 80))
+
+	for _, m := range manifests {
+		fmt.Printf("%-30s %-12s %-10.1f%% %-10d %s\n",
+			truncateStr(m.ID, 30),
+			formatBytes(m.OriginalSize),
+			m.DedupRatio*100,
+			m.ChunkCount,
+			m.CreatedAt.Format("2006-01-02 15:04"),
+		)
+	}
+
+	return nil
+}
+
+func runDedupStats(cmd *cobra.Command, args []string) error {
+	basePath := getDedupDir()
+
+	index, err := dedup.NewChunkIndex(basePath)
+	if err != nil {
+		return fmt.Errorf("failed to open chunk index: %w", err)
+	}
+	defer index.Close()
+
+	stats, err := index.Stats()
+	if err != nil {
+		return fmt.Errorf("failed to get stats: %w", err)
+	}
+
+	store, err := dedup.NewChunkStore(dedup.StoreConfig{BasePath: basePath})
+	if err != nil {
+		return fmt.Errorf("failed to open chunk store: %w", err)
+	}
+
+	storeStats, err := store.Stats()
+	if err != nil {
+		log.Warn("Failed to get store stats", "error", err)
+	}
+
+	fmt.Printf("Deduplication Statistics\n")
+	fmt.Printf("========================\n\n")
+	fmt.Printf("Store:           %s\n", basePath)
+	fmt.Printf("Manifests:       %d\n", stats.TotalManifests)
+	fmt.Printf("Unique chunks:   %d\n", stats.TotalChunks)
+	fmt.Printf("Total raw size:  %s\n", formatBytes(stats.TotalSizeRaw))
+	fmt.Printf("Stored size:     %s\n", formatBytes(stats.TotalSizeStored))
+	fmt.Printf("\n")
+	fmt.Printf("Backup Statistics (accurate dedup calculation):\n")
+	fmt.Printf("  Total backed up:  %s (across all backups)\n", formatBytes(stats.TotalBackupSize))
+	fmt.Printf("  New data stored:  %s\n", formatBytes(stats.TotalNewData))
+	fmt.Printf("  Space saved:      %s\n", formatBytes(stats.SpaceSaved))
+	fmt.Printf("  Dedup ratio:      %.1f%%\n", stats.DedupRatio*100)
+
+	if storeStats != nil {
+		fmt.Printf("Disk usage:      %s\n", formatBytes(storeStats.TotalSize))
+		fmt.Printf("Directories:     %d\n", storeStats.Directories)
+	}
+
+	return nil
+}
+
+func runDedupGC(cmd *cobra.Command, args []string) error {
+	basePath := getDedupDir()
+
+	index, err := dedup.NewChunkIndex(basePath)
+	if err != nil {
+		return fmt.Errorf("failed to open chunk index: %w", err)
+	}
+	defer index.Close()
+
+	store, err := dedup.NewChunkStore(dedup.StoreConfig{
+		BasePath: basePath,
+		Compress: dedupCompress,
+	})
+	if err != nil {
+		return fmt.Errorf("failed to open chunk store: %w", err)
+	}
+
+	// Find orphaned chunks
+	orphans, err := index.ListOrphanedChunks()
+	if err != nil {
+		return fmt.Errorf("failed to find orphaned chunks: %w", err)
+	}
+
+	if len(orphans) == 0 {
+		fmt.Println("No orphaned chunks to clean up.")
+		return nil
+	}
+
+	fmt.Printf("Found %d orphaned chunks\n", len(orphans))
+
+	var freed int64
+	for _, hash := range orphans {
+		if meta, _ := index.GetChunk(hash); meta != nil {
+			freed += meta.SizeStored
+		}
+		if err := store.Delete(hash); err != nil {
+			log.Warn("Failed to delete chunk", "hash", hash[:8], "error", err)
+			continue
+		}
+		if err := index.RemoveChunk(hash); err != nil {
+			log.Warn("Failed to remove chunk from index", "hash", hash[:8], "error", err)
+		}
+	}
+
+	fmt.Printf("Deleted %d chunks, freed %s\n", len(orphans), formatBytes(freed))
+
+	// Vacuum the index
+	if err := index.Vacuum(); err != nil {
+		log.Warn("Failed to vacuum index", "error", err)
+	}
+
+	return nil
+}
+
+func runDedupDelete(cmd *cobra.Command, args []string) error {
+	manifestID := args[0]
+	basePath := getDedupDir()
+
+	manifestStore, err := dedup.NewManifestStore(basePath)
+	if err != nil {
+		return fmt.Errorf("failed to open manifest store: %w", err)
+	}
+
+	index, err := dedup.NewChunkIndex(basePath)
+	if err != nil {
+		return fmt.Errorf("failed to open chunk index: %w", err)
+	}
+	defer index.Close()
+
+	// Load manifest to decrement chunk refs
+	manifest, err := manifestStore.Load(manifestID)
+	if err != nil {
+		return fmt.Errorf("failed to load manifest: %w", err)
+	}
+
+	// Decrement reference counts
+	for _, ref := range manifest.Chunks {
+		index.DecrementRef(ref.Hash)
+	}
+
+	// Delete manifest
+	if err := manifestStore.Delete(manifestID); err != nil {
+		return fmt.Errorf("failed to delete manifest: %w", err)
+	}
+
+	if err := index.RemoveManifest(manifestID); err != nil {
+		log.Warn("Failed to remove manifest from index", "error", err)
+	}
+
+	fmt.Printf("Deleted backup: %s\n", manifestID)
+	fmt.Println("Run 'dbbackup dedup gc' to reclaim space from unreferenced chunks.")
+
+	return nil
+}
+
+// Helper functions
+func formatBytes(b int64) string {
+	const unit = 1024
+	if b < unit {
+		return fmt.Sprintf("%d B", b)
+	}
+	div, exp := int64(unit), 0
+	for n := b / unit; n >= unit; n /= unit {
+		div *= unit
+		exp++
+	}
+	return fmt.Sprintf("%.1f %cB", float64(b)/float64(div), "KMGTPE"[exp])
+}
+
+func truncateStr(s string, max int) string {
+	if len(s) <= max {
+		return s
+	}
+	return s[:max-3] + "..."
+}
+
+func runDedupVerify(cmd *cobra.Command, args []string) error {
+	basePath := getDedupDir()
+
+	store, err := dedup.NewChunkStore(dedup.StoreConfig{
+		BasePath: basePath,
+		Compress: dedupCompress,
+	})
+	if err != nil {
+		return fmt.Errorf("failed to open chunk store: %w", err)
+	}
+
+	manifestStore, err := dedup.NewManifestStore(basePath)
+	if err != nil {
+		return fmt.Errorf("failed to open manifest store: %w", err)
+	}
+
+	index, err := dedup.NewChunkIndexAt(getIndexDBPath())
+	if err != nil {
+		return fmt.Errorf("failed to open chunk index: %w", err)
+	}
+	defer index.Close()
+
+	var manifests []*dedup.Manifest
+
+	if len(args) > 0 {
+		// Verify specific manifest
+		m, err := manifestStore.Load(args[0])
+		if err != nil {
+			return fmt.Errorf("failed to load manifest: %w", err)
+		}
+		manifests = []*dedup.Manifest{m}
+	} else {
+		// Verify all manifests
+		manifests, err = manifestStore.ListAll()
+		if err != nil {
+			return fmt.Errorf("failed to list manifests: %w", err)
+		}
+	}
+
+	if len(manifests) == 0 {
+		fmt.Println("No manifests to verify.")
+		return nil
+	}
+
+	fmt.Printf("Verifying %d backup(s)...\n\n", len(manifests))
+
+	var totalChunks, missingChunks, corruptChunks int
+	var allOK = true
+
+	for _, m := range manifests {
+		fmt.Printf("Verifying: %s (%d chunks)\n", m.ID, m.ChunkCount)
+
+		var missing, corrupt int
+		seenHashes := make(map[string]bool)
+
+		for i, ref := range m.Chunks {
+			if seenHashes[ref.Hash] {
+				continue // Already verified this chunk
+			}
+			seenHashes[ref.Hash] = true
+			totalChunks++
+
+			// Check if chunk exists
+			if !store.Has(ref.Hash) {
+				missing++
+				missingChunks++
+				if missing <= 5 {
+					fmt.Printf("  [MISSING] chunk %d: %s\n", i, ref.Hash[:16])
+				}
+				continue
+			}
+
+			// Verify chunk hash by reading it
+			chunk, err := store.Get(ref.Hash)
+			if err != nil {
+				corrupt++
+				corruptChunks++
+				if corrupt <= 5 {
+					fmt.Printf("  [CORRUPT] chunk %d: %s - %v\n", i, ref.Hash[:16], err)
+				}
+				continue
+			}
+
+			// Verify size
+			if chunk.Length != ref.Length {
+				corrupt++
+				corruptChunks++
+				if corrupt <= 5 {
+					fmt.Printf("  [SIZE MISMATCH] chunk %d: expected %d, got %d\n", i, ref.Length, chunk.Length)
+				}
+			}
+		}
+
+		if missing > 0 || corrupt > 0 {
+			allOK = false
+			fmt.Printf("  Result: FAILED (%d missing, %d corrupt)\n", missing, corrupt)
+			if missing > 5 || corrupt > 5 {
+				fmt.Printf("  ... and %d more errors\n", (missing+corrupt)-10)
+			}
+		} else {
+			fmt.Printf("  Result: OK (%d unique chunks verified)\n", len(seenHashes))
+			// Update verified timestamp
+			m.VerifiedAt = time.Now()
+			manifestStore.Save(m)
+			index.UpdateManifestVerified(m.ID, m.VerifiedAt)
+		}
+		fmt.Println()
+	}
+
+	fmt.Println("========================================")
+	if allOK {
+		fmt.Printf("All %d backup(s) verified successfully!\n", len(manifests))
+		fmt.Printf("Total unique chunks checked: %d\n", totalChunks)
+	} else {
+		fmt.Printf("Verification FAILED!\n")
+		fmt.Printf("Missing chunks: %d\n", missingChunks)
+		fmt.Printf("Corrupt chunks: %d\n", corruptChunks)
+		return fmt.Errorf("verification failed: %d missing, %d corrupt chunks", missingChunks, corruptChunks)
+	}
+
+	return nil
+}
+
+func runDedupPrune(cmd *cobra.Command, args []string) error {
+	if pruneKeepLast == 0 && pruneKeepDaily == 0 && pruneKeepWeekly == 0 {
+		return fmt.Errorf("at least one of --keep-last, --keep-daily, or --keep-weekly must be specified")
+	}
+
+	basePath := getDedupDir()
+
+	manifestStore, err := dedup.NewManifestStore(basePath)
+	if err != nil {
+		return fmt.Errorf("failed to open manifest store: %w", err)
+	}
+
+	index, err := dedup.NewChunkIndexAt(getIndexDBPath())
+	if err != nil {
+		return fmt.Errorf("failed to open chunk index: %w", err)
+	}
+	defer index.Close()
+
+	manifests, err := manifestStore.ListAll()
+	if err != nil {
+		return fmt.Errorf("failed to list manifests: %w", err)
+	}
+
+	if len(manifests) == 0 {
+		fmt.Println("No backups to prune.")
+		return nil
+	}
+
+	// Group by database name
+	byDatabase := make(map[string][]*dedup.Manifest)
+	for _, m := range manifests {
+		key := m.DatabaseName
+		if key == "" {
+			key = "_default"
+		}
+		byDatabase[key] = append(byDatabase[key], m)
+	}
+
+	var toDelete []*dedup.Manifest
+
+	for dbName, dbManifests := range byDatabase {
+		// Already sorted by time (newest first from ListAll)
+		kept := make(map[string]bool)
+		var keepReasons = make(map[string]string)
+
+		// Keep last N
+		if pruneKeepLast > 0 {
+			for i := 0; i < pruneKeepLast && i < len(dbManifests); i++ {
+				kept[dbManifests[i].ID] = true
+				keepReasons[dbManifests[i].ID] = "keep-last"
+			}
+		}
+
+		// Keep daily (one per day)
+		if pruneKeepDaily > 0 {
+			seenDays := make(map[string]bool)
+			count := 0
+			for _, m := range dbManifests {
+				day := m.CreatedAt.Format("2006-01-02")
+				if !seenDays[day] {
+					seenDays[day] = true
+					if count < pruneKeepDaily {
+						kept[m.ID] = true
+						if keepReasons[m.ID] == "" {
+							keepReasons[m.ID] = "keep-daily"
+						}
+						count++
+					}
+				}
+			}
+		}
+
+		// Keep weekly (one per week)
+		if pruneKeepWeekly > 0 {
+			seenWeeks := make(map[string]bool)
+			count := 0
+			for _, m := range dbManifests {
+				year, week := m.CreatedAt.ISOWeek()
+				weekKey := fmt.Sprintf("%d-W%02d", year, week)
+				if !seenWeeks[weekKey] {
+					seenWeeks[weekKey] = true
+					if count < pruneKeepWeekly {
+						kept[m.ID] = true
+						if keepReasons[m.ID] == "" {
+							keepReasons[m.ID] = "keep-weekly"
+						}
+						count++
+					}
+				}
+			}
+		}
+
+		if dbName != "_default" {
+			fmt.Printf("\nDatabase: %s\n", dbName)
+		} else {
+			fmt.Printf("\nUnnamed backups:\n")
+		}
+
+		for _, m := range dbManifests {
+			if kept[m.ID] {
+				fmt.Printf("  [KEEP]   %s (%s) - %s\n", m.ID, m.CreatedAt.Format("2006-01-02"), keepReasons[m.ID])
+			} else {
+				fmt.Printf("  [DELETE] %s (%s)\n", m.ID, m.CreatedAt.Format("2006-01-02"))
+				toDelete = append(toDelete, m)
+			}
+		}
+	}
+
+	if len(toDelete) == 0 {
+		fmt.Printf("\nNo backups to prune (all match retention policy).\n")
+		return nil
+	}
+
+	fmt.Printf("\n%d backup(s) will be deleted.\n", len(toDelete))
+
+	if pruneDryRun {
+		fmt.Println("\n[DRY RUN] No changes made. Remove --dry-run to actually delete.")
+		return nil
+	}
+
+	// Actually delete
+	for _, m := range toDelete {
+		// Decrement chunk references
+		for _, ref := range m.Chunks {
+			index.DecrementRef(ref.Hash)
+		}
+
+		if err := manifestStore.Delete(m.ID); err != nil {
+			log.Warn("Failed to delete manifest", "id", m.ID, "error", err)
+		}
+		index.RemoveManifest(m.ID)
+	}
+
+	fmt.Printf("\nDeleted %d backup(s).\n", len(toDelete))
+	fmt.Println("Run 'dbbackup dedup gc' to reclaim space from unreferenced chunks.")
+
+	return nil
+}
+
+func runDedupBackupDB(cmd *cobra.Command, args []string) error {
+	dbType := strings.ToLower(dedupDBType)
+	dbName := backupDBDatabase
+
+	// Validate db type
+	var dumpCmd string
+	var dumpArgs []string
+
+	switch dbType {
+	case "postgres", "postgresql", "pg":
+		dbType = "postgres"
+		dumpCmd = "pg_dump"
+		dumpArgs = []string{"-Fc"} // Custom format for better compression
+		if dedupDBHost != "" && dedupDBHost != "localhost" {
+			dumpArgs = append(dumpArgs, "-h", dedupDBHost)
+		}
+		if backupDBUser != "" {
+			dumpArgs = append(dumpArgs, "-U", backupDBUser)
+		}
+		dumpArgs = append(dumpArgs, dbName)
+
+	case "mysql":
+		dumpCmd = "mysqldump"
+		dumpArgs = []string{
+			"--single-transaction",
+			"--routines",
+			"--triggers",
+			"--events",
+		}
+		if dedupDBHost != "" {
+			dumpArgs = append(dumpArgs, "-h", dedupDBHost)
+		}
+		if backupDBUser != "" {
+			dumpArgs = append(dumpArgs, "-u", backupDBUser)
+		}
+		if backupDBPassword != "" {
+			dumpArgs = append(dumpArgs, "-p"+backupDBPassword)
+		}
+		dumpArgs = append(dumpArgs, dbName)
+
+	case "mariadb":
+		dumpCmd = "mariadb-dump"
+		// Fall back to mysqldump if mariadb-dump not available
+		if _, err := exec.LookPath(dumpCmd); err != nil {
+			dumpCmd = "mysqldump"
+		}
+		dumpArgs = []string{
+			"--single-transaction",
+			"--routines",
+			"--triggers",
+			"--events",
+		}
+		if dedupDBHost != "" {
+			dumpArgs = append(dumpArgs, "-h", dedupDBHost)
+		}
+		if backupDBUser != "" {
+			dumpArgs = append(dumpArgs, "-u", backupDBUser)
+		}
+		if backupDBPassword != "" {
+			dumpArgs = append(dumpArgs, "-p"+backupDBPassword)
+		}
+		dumpArgs = append(dumpArgs, dbName)
+
+	default:
+		return fmt.Errorf("unsupported database type: %s (use postgres, mysql, or mariadb)", dbType)
+	}
+
+	// Verify dump command exists
+	if _, err := exec.LookPath(dumpCmd); err != nil {
+		return fmt.Errorf("%s not found in PATH: %w", dumpCmd, err)
+	}
+
+	// Setup dedup storage
+	basePath := getDedupDir()
+	encKey := ""
+	if dedupEncrypt {
+		encKey = getEncryptionKey()
+		if encKey == "" {
+			return fmt.Errorf("encryption enabled but no key provided (use --key or DBBACKUP_DEDUP_KEY)")
+		}
+	}
+
+	store, err := dedup.NewChunkStore(dedup.StoreConfig{
+		BasePath:      basePath,
+		Compress:      dedupCompress,
+		EncryptionKey: encKey,
+	})
+	if err != nil {
+		return fmt.Errorf("failed to open chunk store: %w", err)
+	}
+
+	manifestStore, err := dedup.NewManifestStore(basePath)
+	if err != nil {
+		return fmt.Errorf("failed to open manifest store: %w", err)
+	}
+
+	index, err := dedup.NewChunkIndexAt(getIndexDBPath())
+	if err != nil {
+		return fmt.Errorf("failed to open chunk index: %w", err)
+	}
+	defer index.Close()
+
+	// Generate manifest ID
+	now := time.Now()
+	manifestID := now.Format("2006-01-02_150405") + "_" + dbName
+
+	fmt.Printf("Creating deduplicated database backup: %s\n", manifestID)
+	fmt.Printf("Database: %s (%s)\n", dbName, dbType)
+	fmt.Printf("Command: %s %s\n", dumpCmd, strings.Join(dumpArgs, " "))
+	fmt.Printf("Store: %s\n", basePath)
+
+	// Start the dump command
+	dumpExec := exec.Command(dumpCmd, dumpArgs...)
+
+	// Set password via environment for postgres
+	if dbType == "postgres" && backupDBPassword != "" {
+		dumpExec.Env = append(os.Environ(), "PGPASSWORD="+backupDBPassword)
+	}
+
+	stdout, err := dumpExec.StdoutPipe()
+	if err != nil {
+		return fmt.Errorf("failed to get stdout pipe: %w", err)
+	}
+
+	stderr, err := dumpExec.StderrPipe()
+	if err != nil {
+		return fmt.Errorf("failed to get stderr pipe: %w", err)
+	}
+
+	if err := dumpExec.Start(); err != nil {
+		return fmt.Errorf("failed to start %s: %w", dumpCmd, err)
+	}
+
+	// Hash while chunking using TeeReader
+	h := sha256.New()
+	reader := io.TeeReader(stdout, h)
+
+	// Chunk the stream directly
+	chunker := dedup.NewChunker(reader, dedup.DefaultChunkerConfig())
+	var chunks []dedup.ChunkRef
+	var totalSize, storedSize int64
+	var chunkCount, newChunks int
+
+	startTime := time.Now()
+
+	for {
+		chunk, err := chunker.Next()
+		if err == io.EOF {
+			break
+		}
+		if err != nil {
+			return fmt.Errorf("chunking failed: %w", err)
+		}
+
+		chunkCount++
+		totalSize += int64(chunk.Length)
+
+		// Store chunk (deduplication happens here)
+		isNew, err := store.Put(chunk)
+		if err != nil {
+			return fmt.Errorf("failed to store chunk: %w", err)
+		}
+
+		if isNew {
+			newChunks++
+			storedSize += int64(chunk.Length)
+			index.AddChunk(chunk.Hash, chunk.Length, chunk.Length)
+		}
+
+		chunks = append(chunks, dedup.ChunkRef{
+			Hash:   chunk.Hash,
+			Offset: chunk.Offset,
+			Length: chunk.Length,
+		})
+
+		if chunkCount%1000 == 0 {
+			fmt.Printf("\r  Processed %d chunks, %d new, %s...", chunkCount, newChunks, formatBytes(totalSize))
+		}
+	}
+
+	// Read any stderr
+	stderrBytes, _ := io.ReadAll(stderr)
+
+	// Wait for command to complete
+	if err := dumpExec.Wait(); err != nil {
+		return fmt.Errorf("%s failed: %w\nstderr: %s", dumpCmd, err, string(stderrBytes))
+	}
+
+	duration := time.Since(startTime)
+	fileHash := hex.EncodeToString(h.Sum(nil))
+
+	// Calculate dedup ratio
+	dedupRatio := 0.0
+	if totalSize > 0 {
+		dedupRatio = 1.0 - float64(storedSize)/float64(totalSize)
+	}
+
+	// Create manifest
+	manifest := &dedup.Manifest{
+		ID:           manifestID,
+		Name:         dedupName,
+		CreatedAt:    now,
+		DatabaseType: dbType,
+		DatabaseName: dbName,
+		DatabaseHost: dedupDBHost,
+		Chunks:       chunks,
+		OriginalSize: totalSize,
+		StoredSize:   storedSize,
+		ChunkCount:   chunkCount,
+		NewChunks:    newChunks,
+		DedupRatio:   dedupRatio,
+		Encrypted:    dedupEncrypt,
+		Compressed:   dedupCompress,
+		SHA256:       fileHash,
+	}
+
+	if err := manifestStore.Save(manifest); err != nil {
+		return fmt.Errorf("failed to save manifest: %w", err)
+	}
+
+	if err := index.AddManifest(manifest); err != nil {
+		log.Warn("Failed to index manifest", "error", err)
+	}
+
+	fmt.Printf("\r                                                    \r")
+	fmt.Printf("\nBackup complete!\n")
+	fmt.Printf("  Manifest:    %s\n", manifestID)
+	fmt.Printf("  Chunks:      %d total, %d new\n", chunkCount, newChunks)
+	fmt.Printf("  Dump size:   %s\n", formatBytes(totalSize))
+	fmt.Printf("  Stored:      %s (new data)\n", formatBytes(storedSize))
+	fmt.Printf("  Dedup ratio: %.1f%%\n", dedupRatio*100)
+	fmt.Printf("  Duration:    %s\n", duration.Round(time.Millisecond))
+	fmt.Printf("  Throughput:  %s/s\n", formatBytes(int64(float64(totalSize)/duration.Seconds())))
+
+	return nil
+}
+
+func runDedupMetrics(cmd *cobra.Command, args []string) error {
+	basePath := getDedupDir()
+	indexPath := getIndexDBPath()
+
+	instance := dedupMetricsInstance
+	if instance == "" {
+		hostname, _ := os.Hostname()
+		instance = hostname
+	}
+
+	metrics, err := dedup.CollectMetrics(basePath, indexPath)
+	if err != nil {
+		return fmt.Errorf("failed to collect metrics: %w", err)
+	}
+
+	output := dedup.FormatPrometheusMetrics(metrics, instance)
+
+	if dedupMetricsOutput != "" {
+		if err := dedup.WritePrometheusTextfile(dedupMetricsOutput, instance, basePath, indexPath); err != nil {
+			return fmt.Errorf("failed to write metrics: %w", err)
+		}
+		fmt.Printf("Wrote metrics to %s\n", dedupMetricsOutput)
+	} else {
+		fmt.Print(output)
+	}
+
+	return nil
+}
--- a/cmd/drill.go
+++ b/cmd/drill.go
@@ -0,0 +1,500 @@
+package cmd
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+	"time"
+
+	"dbbackup/internal/catalog"
+	"dbbackup/internal/drill"
+
+	"github.com/spf13/cobra"
+)
+
+var (
+	drillBackupPath     string
+	drillDatabaseName   string
+	drillDatabaseType   string
+	drillImage          string
+	drillPort           int
+	drillTimeout        int
+	drillRTOTarget      int
+	drillKeepContainer  bool
+	drillOutputDir      string
+	drillFormat         string
+	drillVerbose        bool
+	drillExpectedTables string
+	drillMinRows        int64
+	drillQueries        string
+)
+
+// drillCmd represents the drill command group
+var drillCmd = &cobra.Command{
+	Use:   "drill",
+	Short: "Disaster Recovery drill testing",
+	Long: `Run DR drills to verify backup restorability.
+
+A DR drill:
+  1. Spins up a temporary Docker container
+  2. Restores the backup into the container
+  3. Runs validation queries
+  4. Generates a detailed report
+  5. Cleans up the container
+
+This answers the critical question: "Can I restore this backup at 3 AM?"
+
+Examples:
+  # Run a drill on a PostgreSQL backup
+  dbbackup drill run backup.dump.gz --database mydb --type postgresql
+
+  # Run with validation queries
+  dbbackup drill run backup.dump.gz --database mydb --type postgresql \
+    --validate "SELECT COUNT(*) FROM users" \
+    --min-rows 1000
+
+  # Quick test with minimal validation
+  dbbackup drill quick backup.dump.gz --database mydb
+
+  # List all drill containers
+  dbbackup drill list
+
+  # Cleanup old drill containers
+  dbbackup drill cleanup`,
+}
+
+// drillRunCmd runs a DR drill
+var drillRunCmd = &cobra.Command{
+	Use:   "run [backup-file]",
+	Short: "Run a DR drill on a backup",
+	Long: `Execute a complete DR drill on a backup file.
+
+This will:
+  1. Pull the appropriate database Docker image
+  2. Start a temporary container
+  3. Restore the backup
+  4. Run validation queries
+  5. Calculate RTO metrics
+  6. Generate a report
+
+Examples:
+  # Basic drill
+  dbbackup drill run /backups/mydb_20240115.dump.gz --database mydb --type postgresql
+
+  # With RTO target (5 minutes)
+  dbbackup drill run /backups/mydb.dump.gz --database mydb --type postgresql --rto 300
+
+  # With expected tables validation
+  dbbackup drill run /backups/mydb.dump.gz --database mydb --type postgresql \
+    --tables "users,orders,products"
+
+  # Keep container on failure for debugging
+  dbbackup drill run /backups/mydb.dump.gz --database mydb --type postgresql --keep`,
+	Args: cobra.ExactArgs(1),
+	RunE: runDrill,
+}
+
+// drillQuickCmd runs a quick test
+var drillQuickCmd = &cobra.Command{
+	Use:   "quick [backup-file]",
+	Short: "Quick restore test with minimal validation",
+	Long: `Run a quick DR test that only verifies the backup can be restored.
+
+This is faster than a full drill but provides less validation.
+
+Examples:
+  # Quick test a PostgreSQL backup
+  dbbackup drill quick /backups/mydb.dump.gz --database mydb --type postgresql
+
+  # Quick test a MySQL backup
+  dbbackup drill quick /backups/mydb.sql.gz --database mydb --type mysql`,
+	Args: cobra.ExactArgs(1),
+	RunE: runQuickDrill,
+}
+
+// drillListCmd lists drill containers
+var drillListCmd = &cobra.Command{
+	Use:   "list",
+	Short: "List DR drill containers",
+	Long: `List all Docker containers created by DR drills.
+
+Shows containers that may still be running or stopped from previous drills.`,
+	RunE: runDrillList,
+}
+
+// drillCleanupCmd cleans up drill resources
+var drillCleanupCmd = &cobra.Command{
+	Use:   "cleanup [drill-id]",
+	Short: "Cleanup DR drill containers",
+	Long: `Remove containers created by DR drills.
+
+If no drill ID is specified, removes all drill containers.
+
+Examples:
+  # Cleanup all drill containers
+  dbbackup drill cleanup
+
+  # Cleanup specific drill
+  dbbackup drill cleanup drill_20240115_120000`,
+	RunE: runDrillCleanup,
+}
+
+// drillReportCmd shows a drill report
+var drillReportCmd = &cobra.Command{
+	Use:   "report [report-file]",
+	Short: "Display a DR drill report",
+	Long: `Display a previously saved DR drill report.
+
+Examples:
+  # Show report
+  dbbackup drill report drill_20240115_120000_report.json
+
+  # Show as JSON
+  dbbackup drill report drill_20240115_120000_report.json --format json`,
+	Args: cobra.ExactArgs(1),
+	RunE: runDrillReport,
+}
+
+func init() {
+	rootCmd.AddCommand(drillCmd)
+
+	// Add subcommands
+	drillCmd.AddCommand(drillRunCmd)
+	drillCmd.AddCommand(drillQuickCmd)
+	drillCmd.AddCommand(drillListCmd)
+	drillCmd.AddCommand(drillCleanupCmd)
+	drillCmd.AddCommand(drillReportCmd)
+
+	// Run command flags
+	drillRunCmd.Flags().StringVar(&drillDatabaseName, "database", "", "Target database name (required)")
+	drillRunCmd.Flags().StringVar(&drillDatabaseType, "type", "", "Database type: postgresql, mysql, mariadb (required)")
+	drillRunCmd.Flags().StringVar(&drillImage, "image", "", "Docker image (default: auto-detect)")
+	drillRunCmd.Flags().IntVar(&drillPort, "port", 0, "Host port for container (default: 15432/13306)")
+	drillRunCmd.Flags().IntVar(&drillTimeout, "timeout", 60, "Container startup timeout in seconds")
+	drillRunCmd.Flags().IntVar(&drillRTOTarget, "rto", 300, "RTO target in seconds")
+	drillRunCmd.Flags().BoolVar(&drillKeepContainer, "keep", false, "Keep container after drill")
+	drillRunCmd.Flags().StringVar(&drillOutputDir, "output", "", "Output directory for reports")
+	drillRunCmd.Flags().StringVar(&drillFormat, "format", "table", "Output format: table, json")
+	drillRunCmd.Flags().BoolVarP(&drillVerbose, "verbose", "v", false, "Verbose output")
+	drillRunCmd.Flags().StringVar(&drillExpectedTables, "tables", "", "Expected tables (comma-separated)")
+	drillRunCmd.Flags().Int64Var(&drillMinRows, "min-rows", 0, "Minimum expected row count")
+	drillRunCmd.Flags().StringVar(&drillQueries, "validate", "", "Validation SQL query")
+
+	drillRunCmd.MarkFlagRequired("database")
+	drillRunCmd.MarkFlagRequired("type")
+
+	// Quick command flags
+	drillQuickCmd.Flags().StringVar(&drillDatabaseName, "database", "", "Target database name (required)")
+	drillQuickCmd.Flags().StringVar(&drillDatabaseType, "type", "", "Database type: postgresql, mysql, mariadb (required)")
+	drillQuickCmd.Flags().BoolVarP(&drillVerbose, "verbose", "v", false, "Verbose output")
+
+	drillQuickCmd.MarkFlagRequired("database")
+	drillQuickCmd.MarkFlagRequired("type")
+
+	// Report command flags
+	drillReportCmd.Flags().StringVar(&drillFormat, "format", "table", "Output format: table, json")
+}
+
+func runDrill(cmd *cobra.Command, args []string) error {
+	backupPath := args[0]
+
+	// Validate backup file exists
+	absPath, err := filepath.Abs(backupPath)
+	if err != nil {
+		return fmt.Errorf("invalid backup path: %w", err)
+	}
+	if _, err := os.Stat(absPath); err != nil {
+		return fmt.Errorf("backup file not found: %s", absPath)
+	}
+
+	// Build drill config
+	config := drill.DefaultConfig()
+	config.BackupPath = absPath
+	config.DatabaseName = drillDatabaseName
+	config.DatabaseType = drillDatabaseType
+	config.ContainerImage = drillImage
+	config.ContainerPort = drillPort
+	config.ContainerTimeout = drillTimeout
+	config.MaxRestoreSeconds = drillRTOTarget
+	config.CleanupOnExit = !drillKeepContainer
+	config.KeepOnFailure = true
+	config.OutputDir = drillOutputDir
+	config.Verbose = drillVerbose
+
+	// Parse expected tables
+	if drillExpectedTables != "" {
+		config.ExpectedTables = strings.Split(drillExpectedTables, ",")
+		for i := range config.ExpectedTables {
+			config.ExpectedTables[i] = strings.TrimSpace(config.ExpectedTables[i])
+		}
+	}
+
+	// Set minimum row count
+	config.MinRowCount = drillMinRows
+
+	// Add validation query if provided
+	if drillQueries != "" {
+		config.ValidationQueries = append(config.ValidationQueries, drill.ValidationQuery{
+			Name:        "Custom Query",
+			Query:       drillQueries,
+			MustSucceed: true,
+		})
+	}
+
+	// Create drill engine
+	engine := drill.NewEngine(log, drillVerbose)
+
+	// Run drill
+	ctx := cmd.Context()
+	result, err := engine.Run(ctx, config)
+	if err != nil {
+		return err
+	}
+
+	// Update catalog if available
+	updateCatalogWithDrillResult(ctx, absPath, result)
+
+	// Output result
+	if drillFormat == "json" {
+		data, _ := json.MarshalIndent(result, "", "  ")
+		fmt.Println(string(data))
+	} else {
+		printDrillResult(result)
+	}
+
+	if !result.Success {
+		return fmt.Errorf("drill failed: %s", result.Message)
+	}
+
+	return nil
+}
+
+func runQuickDrill(cmd *cobra.Command, args []string) error {
+	backupPath := args[0]
+
+	absPath, err := filepath.Abs(backupPath)
+	if err != nil {
+		return fmt.Errorf("invalid backup path: %w", err)
+	}
+	if _, err := os.Stat(absPath); err != nil {
+		return fmt.Errorf("backup file not found: %s", absPath)
+	}
+
+	engine := drill.NewEngine(log, drillVerbose)
+
+	ctx := cmd.Context()
+	result, err := engine.QuickTest(ctx, absPath, drillDatabaseType, drillDatabaseName)
+	if err != nil {
+		return err
+	}
+
+	// Update catalog
+	updateCatalogWithDrillResult(ctx, absPath, result)
+
+	printDrillResult(result)
+
+	if !result.Success {
+		return fmt.Errorf("quick test failed: %s", result.Message)
+	}
+
+	return nil
+}
+
+func runDrillList(cmd *cobra.Command, args []string) error {
+	docker := drill.NewDockerManager(false)
+
+	ctx := cmd.Context()
+	containers, err := docker.ListDrillContainers(ctx)
+	if err != nil {
+		return err
+	}
+
+	if len(containers) == 0 {
+		fmt.Println("No drill containers found.")
+		return nil
+	}
+
+	fmt.Printf("%-15s %-40s %-20s %s\n", "ID", "NAME", "IMAGE", "STATUS")
+	fmt.Println(strings.Repeat("-", 100))
+
+	for _, c := range containers {
+		fmt.Printf("%-15s %-40s %-20s %s\n",
+			c.ID[:12],
+			truncateString(c.Name, 38),
+			truncateString(c.Image, 18),
+			c.Status,
+		)
+	}
+
+	return nil
+}
+
+func runDrillCleanup(cmd *cobra.Command, args []string) error {
+	drillID := ""
+	if len(args) > 0 {
+		drillID = args[0]
+	}
+
+	engine := drill.NewEngine(log, true)
+
+	ctx := cmd.Context()
+	if err := engine.Cleanup(ctx, drillID); err != nil {
+		return err
+	}
+
+	fmt.Println("[OK] Cleanup completed")
+	return nil
+}
+
+func runDrillReport(cmd *cobra.Command, args []string) error {
+	reportPath := args[0]
+
+	result, err := drill.LoadResult(reportPath)
+	if err != nil {
+		return err
+	}
+
+	if drillFormat == "json" {
+		data, _ := json.MarshalIndent(result, "", "  ")
+		fmt.Println(string(data))
+	} else {
+		printDrillResult(result)
+	}
+
+	return nil
+}
+
+func printDrillResult(result *drill.DrillResult) {
+	fmt.Printf("\n")
+	fmt.Printf("=====================================================\n")
+	fmt.Printf("  DR Drill Report: %s\n", result.DrillID)
+	fmt.Printf("=====================================================\n\n")
+
+	status := "[OK] PASSED"
+	if !result.Success {
+		status = "[FAIL] FAILED"
+	} else if result.Status == drill.StatusPartial {
+		status = "[WARN] PARTIAL"
+	}
+
+	fmt.Printf("[LOG] Status:       %s\n", status)
+	fmt.Printf("[SAVE] Backup:       %s\n", filepath.Base(result.BackupPath))
+	fmt.Printf("[DB]  Database:     %s (%s)\n", result.DatabaseName, result.DatabaseType)
+	fmt.Printf("[TIME]  Duration:     %.2fs\n", result.Duration)
+	fmt.Printf("📅 Started:      %s\n", result.StartTime.Format(time.RFC3339))
+	fmt.Printf("\n")
+
+	// Phases
+	fmt.Printf("[STATS] Phases:\n")
+	for _, phase := range result.Phases {
+		icon := "[OK]"
+		if phase.Status == "failed" {
+			icon = "[FAIL]"
+		} else if phase.Status == "running" {
+			icon = "[SYNC]"
+		}
+		fmt.Printf("   %s %-20s (%.2fs) %s\n", icon, phase.Name, phase.Duration, phase.Message)
+	}
+	fmt.Printf("\n")
+
+	// Metrics
+	fmt.Printf("📈 Metrics:\n")
+	fmt.Printf("   Tables:         %d\n", result.TableCount)
+	fmt.Printf("   Total Rows:     %d\n", result.TotalRows)
+	fmt.Printf("   Restore Time:   %.2fs\n", result.RestoreTime)
+	fmt.Printf("   Validation:     %.2fs\n", result.ValidationTime)
+	if result.QueryTimeAvg > 0 {
+		fmt.Printf("   Avg Query Time: %.0fms\n", result.QueryTimeAvg)
+	}
+	fmt.Printf("\n")
+
+	// RTO
+	fmt.Printf("[TIME]  RTO Analysis:\n")
+	rtoIcon := "[OK]"
+	if !result.RTOMet {
+		rtoIcon = "[FAIL]"
+	}
+	fmt.Printf("   Actual RTO:     %.2fs\n", result.ActualRTO)
+	fmt.Printf("   Target RTO:     %.0fs\n", result.TargetRTO)
+	fmt.Printf("   RTO Met:        %s\n", rtoIcon)
+	fmt.Printf("\n")
+
+	// Validation results
+	if len(result.ValidationResults) > 0 {
+		fmt.Printf("[SEARCH] Validation Queries:\n")
+		for _, vr := range result.ValidationResults {
+			icon := "[OK]"
+			if !vr.Success {
+				icon = "[FAIL]"
+			}
+			fmt.Printf("   %s %s: %s\n", icon, vr.Name, vr.Result)
+			if vr.Error != "" {
+				fmt.Printf("      Error: %s\n", vr.Error)
+			}
+		}
+		fmt.Printf("\n")
+	}
+
+	// Check results
+	if len(result.CheckResults) > 0 {
+		fmt.Printf("[OK] Checks:\n")
+		for _, cr := range result.CheckResults {
+			icon := "[OK]"
+			if !cr.Success {
+				icon = "[FAIL]"
+			}
+			fmt.Printf("   %s %s\n", icon, cr.Message)
+		}
+		fmt.Printf("\n")
+	}
+
+	// Errors and warnings
+	if len(result.Errors) > 0 {
+		fmt.Printf("[FAIL] Errors:\n")
+		for _, e := range result.Errors {
+			fmt.Printf("   • %s\n", e)
+		}
+		fmt.Printf("\n")
+	}
+
+	if len(result.Warnings) > 0 {
+		fmt.Printf("[WARN] Warnings:\n")
+		for _, w := range result.Warnings {
+			fmt.Printf("   • %s\n", w)
+		}
+		fmt.Printf("\n")
+	}
+
+	// Container info
+	if result.ContainerKept {
+		fmt.Printf("[PKG] Container kept: %s\n", result.ContainerID[:12])
+		fmt.Printf("   Connect with: docker exec -it %s bash\n", result.ContainerID[:12])
+		fmt.Printf("\n")
+	}
+
+	fmt.Printf("=====================================================\n")
+	fmt.Printf("  %s\n", result.Message)
+	fmt.Printf("=====================================================\n")
+}
+
+func updateCatalogWithDrillResult(ctx context.Context, backupPath string, result *drill.DrillResult) {
+	// Try to update the catalog with drill results
+	cat, err := catalog.NewSQLiteCatalog(catalogDBPath)
+	if err != nil {
+		return // Catalog not available, skip
+	}
+	defer cat.Close()
+
+	entry, err := cat.GetByPath(ctx, backupPath)
+	if err != nil || entry == nil {
+		return // Entry not in catalog
+	}
+
+	// Update drill status
+	if err := cat.MarkDrillTested(ctx, entry.ID, result.Success); err != nil {
+		log.Debug("Failed to update catalog drill status", "error", err)
+	}
+}
--- a/cmd/encryption.go
+++ b/cmd/encryption.go
@@ -0,0 +1,77 @@
+package cmd
+
+import (
+	"encoding/base64"
+	"fmt"
+	"os"
+	"strings"
+
+	"dbbackup/internal/crypto"
+)
+
+// loadEncryptionKey loads encryption key from file or environment variable
+func loadEncryptionKey(keyFile, keyEnvVar string) ([]byte, error) {
+	// Priority 1: Key file
+	if keyFile != "" {
+		keyData, err := os.ReadFile(keyFile)
+		if err != nil {
+			return nil, fmt.Errorf("failed to read encryption key file: %w", err)
+		}
+
+		// Try to decode as base64 first
+		if decoded, err := base64.StdEncoding.DecodeString(strings.TrimSpace(string(keyData))); err == nil && len(decoded) == crypto.KeySize {
+			return decoded, nil
+		}
+
+		// Use raw bytes if exactly 32 bytes
+		if len(keyData) == crypto.KeySize {
+			return keyData, nil
+		}
+
+		// Otherwise treat as passphrase and derive key
+		salt, err := crypto.GenerateSalt()
+		if err != nil {
+			return nil, fmt.Errorf("failed to generate salt: %w", err)
+		}
+		key := crypto.DeriveKey([]byte(strings.TrimSpace(string(keyData))), salt)
+		return key, nil
+	}
+
+	// Priority 2: Environment variable
+	if keyEnvVar != "" {
+		keyData := os.Getenv(keyEnvVar)
+		if keyData == "" {
+			return nil, fmt.Errorf("encryption enabled but %s environment variable not set", keyEnvVar)
+		}
+
+		// Try to decode as base64 first
+		if decoded, err := base64.StdEncoding.DecodeString(strings.TrimSpace(keyData)); err == nil && len(decoded) == crypto.KeySize {
+			return decoded, nil
+		}
+
+		// Otherwise treat as passphrase and derive key
+		salt, err := crypto.GenerateSalt()
+		if err != nil {
+			return nil, fmt.Errorf("failed to generate salt: %w", err)
+		}
+		key := crypto.DeriveKey([]byte(strings.TrimSpace(keyData)), salt)
+		return key, nil
+	}
+
+	return nil, fmt.Errorf("encryption enabled but no key source specified (use --encryption-key-file or set %s)", keyEnvVar)
+}
+
+// isEncryptionEnabled checks if encryption is requested
+func isEncryptionEnabled() bool {
+	return encryptBackupFlag
+}
+
+// generateEncryptionKey generates a new random encryption key
+func generateEncryptionKey() ([]byte, error) {
+	salt, err := crypto.GenerateSalt()
+	if err != nil {
+		return nil, err
+	}
+	// For key generation, use salt as both password and salt (random)
+	return crypto.DeriveKey(salt, salt), nil
+}
--- a/cmd/engine.go
+++ b/cmd/engine.go
@@ -0,0 +1,110 @@
+package cmd
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"dbbackup/internal/engine"
+
+	"github.com/spf13/cobra"
+)
+
+var engineCmd = &cobra.Command{
+	Use:   "engine",
+	Short: "Backup engine management commands",
+	Long: `Commands for managing and selecting backup engines.
+
+Available engines:
+  - mysqldump: Traditional mysqldump backup (all MySQL versions)
+  - clone:     MySQL Clone Plugin (MySQL 8.0.17+)
+  - snapshot:  Filesystem snapshot (LVM/ZFS/Btrfs)
+  - streaming: Direct cloud streaming backup`,
+}
+
+var engineListCmd = &cobra.Command{
+	Use:   "list",
+	Short: "List available backup engines",
+	Long:  "List all registered backup engines and their availability status",
+	RunE:  runEngineList,
+}
+
+var engineInfoCmd = &cobra.Command{
+	Use:   "info [engine-name]",
+	Short: "Show detailed information about an engine",
+	Long:  "Display detailed information about a specific backup engine",
+	Args:  cobra.ExactArgs(1),
+	RunE:  runEngineInfo,
+}
+
+func init() {
+	rootCmd.AddCommand(engineCmd)
+	engineCmd.AddCommand(engineListCmd)
+	engineCmd.AddCommand(engineInfoCmd)
+}
+
+func runEngineList(cmd *cobra.Command, args []string) error {
+	ctx := context.Background()
+	registry := engine.DefaultRegistry
+
+	fmt.Println("Available Backup Engines:")
+	fmt.Println(strings.Repeat("-", 70))
+
+	for _, info := range registry.List() {
+		eng, err := registry.Get(info.Name)
+		if err != nil {
+			continue
+		}
+
+		avail, err := eng.CheckAvailability(ctx)
+		if err != nil {
+			fmt.Printf("\n%s (%s)\n", info.Name, info.Description)
+			fmt.Printf("  Status:     Error checking availability\n")
+			continue
+		}
+
+		status := "[Y] Available"
+		if !avail.Available {
+			status = "[N] Not available"
+		}
+
+		fmt.Printf("\n%s (%s)\n", info.Name, info.Description)
+		fmt.Printf("  Status:     %s\n", status)
+		if !avail.Available && avail.Reason != "" {
+			fmt.Printf("  Reason:     %s\n", avail.Reason)
+		}
+		fmt.Printf("  Restore:    %v\n", eng.SupportsRestore())
+		fmt.Printf("  Incremental: %v\n", eng.SupportsIncremental())
+		fmt.Printf("  Streaming:  %v\n", eng.SupportsStreaming())
+	}
+
+	return nil
+}
+
+func runEngineInfo(cmd *cobra.Command, args []string) error {
+	ctx := context.Background()
+	registry := engine.DefaultRegistry
+
+	eng, err := registry.Get(args[0])
+	if err != nil {
+		return fmt.Errorf("engine not found: %s", args[0])
+	}
+
+	avail, err := eng.CheckAvailability(ctx)
+	if err != nil {
+		return fmt.Errorf("failed to check availability: %w", err)
+	}
+
+	fmt.Printf("Engine: %s\n", eng.Name())
+	fmt.Printf("Description: %s\n", eng.Description())
+	fmt.Println(strings.Repeat("-", 50))
+	fmt.Printf("Available:     %v\n", avail.Available)
+	if avail.Reason != "" {
+		fmt.Printf("Reason:        %s\n", avail.Reason)
+	}
+	fmt.Printf("Restore:       %v\n", eng.SupportsRestore())
+	fmt.Printf("Incremental:   %v\n", eng.SupportsIncremental())
+	fmt.Printf("Streaming:     %v\n", eng.SupportsStreaming())
+
+	return nil
+}
--- a/cmd/install.go
+++ b/cmd/install.go
@@ -0,0 +1,239 @@
+package cmd
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"os/exec"
+	"os/signal"
+	"strings"
+	"syscall"
+
+	"dbbackup/internal/installer"
+
+	"github.com/spf13/cobra"
+)
+
+var (
+	// Install flags
+	installInstance    string
+	installSchedule    string
+	installBackupType  string
+	installUser        string
+	installGroup       string
+	installBackupDir   string
+	installConfigPath  string
+	installTimeout     int
+	installWithMetrics bool
+	installMetricsPort int
+	installDryRun      bool
+	installStatus      bool
+
+	// Uninstall flags
+	uninstallPurge bool
+)
+
+// installCmd represents the install command
+var installCmd = &cobra.Command{
+	Use:   "install",
+	Short: "Install dbbackup as a systemd service",
+	Long: `Install dbbackup as a systemd service with automatic scheduling.
+
+This command creates systemd service and timer units for automated database backups.
+It supports both single database and cluster backup modes.
+
+Examples:
+  # Interactive installation (will prompt for options)
+  sudo dbbackup install
+
+  # Install cluster backup running daily at 2am
+  sudo dbbackup install --backup-type cluster --schedule "daily"
+
+  # Install single database backup with custom schedule
+  sudo dbbackup install --instance production --backup-type single --schedule "*-*-* 03:00:00"
+
+  # Install with Prometheus metrics exporter
+  sudo dbbackup install --with-metrics --metrics-port 9399
+
+  # Check installation status
+  dbbackup install --status
+
+  # Dry-run to see what would be installed
+  sudo dbbackup install --dry-run
+
+Schedule format (OnCalendar):
+  daily           - Every day at midnight
+  weekly          - Every Monday at midnight
+  *-*-* 02:00:00  - Every day at 2am
+  *-*-* 02,14:00  - Twice daily at 2am and 2pm
+  Mon *-*-* 03:00 - Every Monday at 3am
+`,
+	RunE: func(cmd *cobra.Command, args []string) error {
+		// Handle --status flag
+		if installStatus {
+			return runInstallStatus(cmd.Context())
+		}
+
+		return runInstall(cmd.Context())
+	},
+}
+
+// uninstallCmd represents the uninstall command
+var uninstallCmd = &cobra.Command{
+	Use:   "uninstall [instance]",
+	Short: "Uninstall dbbackup systemd service",
+	Long: `Uninstall dbbackup systemd service and timer.
+
+Examples:
+  # Uninstall default instance
+  sudo dbbackup uninstall
+
+  # Uninstall specific instance
+  sudo dbbackup uninstall production
+
+  # Uninstall and remove all configuration
+  sudo dbbackup uninstall --purge
+`,
+	RunE: func(cmd *cobra.Command, args []string) error {
+		instance := "cluster"
+		if len(args) > 0 {
+			instance = args[0]
+		}
+		return runUninstall(cmd.Context(), instance)
+	},
+}
+
+func init() {
+	rootCmd.AddCommand(installCmd)
+	rootCmd.AddCommand(uninstallCmd)
+
+	// Install flags
+	installCmd.Flags().StringVarP(&installInstance, "instance", "i", "", "Instance name (e.g., production, staging)")
+	installCmd.Flags().StringVarP(&installSchedule, "schedule", "s", "daily", "Backup schedule (OnCalendar format)")
+	installCmd.Flags().StringVarP(&installBackupType, "backup-type", "t", "cluster", "Backup type: single or cluster")
+	installCmd.Flags().StringVar(&installUser, "user", "dbbackup", "System user to run backups")
+	installCmd.Flags().StringVar(&installGroup, "group", "dbbackup", "System group for backup user")
+	installCmd.Flags().StringVar(&installBackupDir, "backup-dir", "/var/lib/dbbackup/backups", "Directory for backups")
+	installCmd.Flags().StringVar(&installConfigPath, "config-path", "/etc/dbbackup/dbbackup.conf", "Path to config file")
+	installCmd.Flags().IntVar(&installTimeout, "timeout", 3600, "Backup timeout in seconds")
+	installCmd.Flags().BoolVar(&installWithMetrics, "with-metrics", false, "Install Prometheus metrics exporter")
+	installCmd.Flags().IntVar(&installMetricsPort, "metrics-port", 9399, "Prometheus metrics port")
+	installCmd.Flags().BoolVar(&installDryRun, "dry-run", false, "Show what would be installed without making changes")
+	installCmd.Flags().BoolVar(&installStatus, "status", false, "Show installation status")
+
+	// Uninstall flags
+	uninstallCmd.Flags().BoolVar(&uninstallPurge, "purge", false, "Also remove configuration files")
+}
+
+func runInstall(ctx context.Context) error {
+	// Create context with signal handling
+	ctx, cancel := signal.NotifyContext(ctx, os.Interrupt, syscall.SIGTERM)
+	defer cancel()
+
+	// Expand schedule shortcuts
+	schedule := expandSchedule(installSchedule)
+
+	// Create installer
+	inst := installer.NewInstaller(log, installDryRun)
+
+	// Set up options
+	opts := installer.InstallOptions{
+		Instance:       installInstance,
+		BackupType:     installBackupType,
+		Schedule:       schedule,
+		User:           installUser,
+		Group:          installGroup,
+		BackupDir:      installBackupDir,
+		ConfigPath:     installConfigPath,
+		TimeoutSeconds: installTimeout,
+		WithMetrics:    installWithMetrics,
+		MetricsPort:    installMetricsPort,
+	}
+
+	// For cluster backup, override instance
+	if installBackupType == "cluster" {
+		opts.Instance = "cluster"
+	}
+
+	return inst.Install(ctx, opts)
+}
+
+func runUninstall(ctx context.Context, instance string) error {
+	ctx, cancel := signal.NotifyContext(ctx, os.Interrupt, syscall.SIGTERM)
+	defer cancel()
+
+	inst := installer.NewInstaller(log, false)
+	return inst.Uninstall(ctx, instance, uninstallPurge)
+}
+
+func runInstallStatus(ctx context.Context) error {
+	inst := installer.NewInstaller(log, false)
+
+	// Check cluster status
+	clusterStatus, err := inst.Status(ctx, "cluster")
+	if err != nil {
+		return err
+	}
+
+	fmt.Println()
+	fmt.Println("[STATUS] DBBackup Installation Status")
+	fmt.Println(strings.Repeat("=", 50))
+
+	if clusterStatus.Installed {
+		fmt.Println()
+		fmt.Println("  * Cluster Backup:")
+		fmt.Printf("   Service:  %s\n", formatStatus(clusterStatus.Installed, clusterStatus.Active))
+		fmt.Printf("   Timer:    %s\n", formatStatus(clusterStatus.TimerEnabled, clusterStatus.TimerActive))
+		if clusterStatus.NextRun != "" {
+			fmt.Printf("   Next run: %s\n", clusterStatus.NextRun)
+		}
+		if clusterStatus.LastRun != "" {
+			fmt.Printf("   Last run: %s\n", clusterStatus.LastRun)
+		}
+	} else {
+		fmt.Println()
+		fmt.Println("[NONE] No systemd services installed")
+		fmt.Println()
+		fmt.Println("Run 'sudo dbbackup install' to install as a systemd service")
+	}
+
+	// Check for exporter
+	if _, err := os.Stat("/etc/systemd/system/dbbackup-exporter.service"); err == nil {
+		fmt.Println()
+		fmt.Println("  * Metrics Exporter:")
+		// Check if exporter is active using systemctl
+		cmd := exec.CommandContext(ctx, "systemctl", "is-active", "dbbackup-exporter")
+		if err := cmd.Run(); err == nil {
+			fmt.Printf("   Service:  [OK] active\n")
+		} else {
+			fmt.Printf("   Service:  [-] inactive\n")
+		}
+	}
+
+	fmt.Println()
+	return nil
+}
+
+func formatStatus(installed, active bool) string {
+	if !installed {
+		return "not installed"
+	}
+	if active {
+		return "[OK] active"
+	}
+	return "[-] inactive"
+}
+
+func expandSchedule(schedule string) string {
+	shortcuts := map[string]string{
+		"hourly":  "*-*-* *:00:00",
+		"daily":   "*-*-* 02:00:00",
+		"weekly":  "Mon *-*-* 02:00:00",
+		"monthly": "*-*-01 02:00:00",
+	}
+
+	if expanded, ok := shortcuts[strings.ToLower(schedule)]; ok {
+		return expanded
+	}
+	return schedule
+}
--- a/cmd/metrics.go
+++ b/cmd/metrics.go
@@ -0,0 +1,138 @@
+package cmd
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"os/signal"
+	"syscall"
+
+	"dbbackup/internal/prometheus"
+
+	"github.com/spf13/cobra"
+)
+
+var (
+	metricsInstance string
+	metricsOutput   string
+	metricsPort     int
+)
+
+// metricsCmd represents the metrics command
+var metricsCmd = &cobra.Command{
+	Use:   "metrics",
+	Short: "Prometheus metrics management",
+	Long: `Prometheus metrics management for dbbackup.
+
+Export metrics to a textfile for node_exporter, or run an HTTP server
+for direct Prometheus scraping.`,
+}
+
+// metricsExportCmd exports metrics to a textfile
+var metricsExportCmd = &cobra.Command{
+	Use:   "export",
+	Short: "Export metrics to textfile",
+	Long: `Export Prometheus metrics to a textfile for node_exporter.
+
+The textfile collector in node_exporter can scrape metrics from files
+in a designated directory (typically /var/lib/node_exporter/textfile_collector/).
+
+Examples:
+  # Export metrics to default location
+  dbbackup metrics export
+
+  # Export with custom output path
+  dbbackup metrics export --output /var/lib/dbbackup/metrics/dbbackup.prom
+
+  # Export for specific instance
+  dbbackup metrics export --instance production --output /var/lib/dbbackup/metrics/production.prom
+
+After export, configure node_exporter with:
+  --collector.textfile.directory=/var/lib/dbbackup/metrics/
+`,
+	RunE: func(cmd *cobra.Command, args []string) error {
+		return runMetricsExport(cmd.Context())
+	},
+}
+
+// metricsServeCmd runs the HTTP metrics server
+var metricsServeCmd = &cobra.Command{
+	Use:   "serve",
+	Short: "Run Prometheus HTTP server",
+	Long: `Run an HTTP server exposing Prometheus metrics.
+
+This starts a long-running daemon that serves metrics at /metrics.
+Prometheus can scrape this endpoint directly.
+
+Examples:
+  # Start server on default port 9399
+  dbbackup metrics serve
+
+  # Start server on custom port
+  dbbackup metrics serve --port 9100
+
+  # Run as systemd service (installed via 'dbbackup install --with-metrics')
+  sudo systemctl start dbbackup-exporter
+
+Endpoints:
+  /metrics  - Prometheus metrics
+  /health   - Health check (returns 200 OK)
+  /         - Service info page
+`,
+	RunE: func(cmd *cobra.Command, args []string) error {
+		return runMetricsServe(cmd.Context())
+	},
+}
+
+func init() {
+	rootCmd.AddCommand(metricsCmd)
+	metricsCmd.AddCommand(metricsExportCmd)
+	metricsCmd.AddCommand(metricsServeCmd)
+
+	// Export flags
+	metricsExportCmd.Flags().StringVar(&metricsInstance, "instance", "default", "Instance name for metrics labels")
+	metricsExportCmd.Flags().StringVarP(&metricsOutput, "output", "o", "/var/lib/dbbackup/metrics/dbbackup.prom", "Output file path")
+
+	// Serve flags
+	metricsServeCmd.Flags().StringVar(&metricsInstance, "instance", "default", "Instance name for metrics labels")
+	metricsServeCmd.Flags().IntVarP(&metricsPort, "port", "p", 9399, "HTTP server port")
+}
+
+func runMetricsExport(ctx context.Context) error {
+	// Open catalog
+	cat, err := openCatalog()
+	if err != nil {
+		return fmt.Errorf("failed to open catalog: %w", err)
+	}
+	defer cat.Close()
+
+	// Create metrics writer
+	writer := prometheus.NewMetricsWriter(log, cat, metricsInstance)
+
+	// Write textfile
+	if err := writer.WriteTextfile(metricsOutput); err != nil {
+		return fmt.Errorf("failed to write metrics: %w", err)
+	}
+
+	log.Info("Exported metrics to textfile", "path", metricsOutput, "instance", metricsInstance)
+	return nil
+}
+
+func runMetricsServe(ctx context.Context) error {
+	// Setup signal handling
+	ctx, cancel := signal.NotifyContext(ctx, os.Interrupt, syscall.SIGTERM)
+	defer cancel()
+
+	// Open catalog
+	cat, err := openCatalog()
+	if err != nil {
+		return fmt.Errorf("failed to open catalog: %w", err)
+	}
+	defer cat.Close()
+
+	// Create exporter
+	exporter := prometheus.NewExporter(log, cat, metricsInstance, metricsPort)
+
+	// Run server (blocks until context is cancelled)
+	return exporter.Serve(ctx)
+}
--- a/cmd/migrate.go
+++ b/cmd/migrate.go
@@ -0,0 +1,454 @@
+package cmd
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"os/signal"
+	"path/filepath"
+	"syscall"
+	"time"
+
+	"dbbackup/internal/config"
+	"dbbackup/internal/migrate"
+
+	"github.com/spf13/cobra"
+)
+
+var (
+	// Source connection flags
+	migrateSourceHost     string
+	migrateSourcePort     int
+	migrateSourceUser     string
+	migrateSourcePassword string
+	migrateSourceSSLMode  string
+
+	// Target connection flags
+	migrateTargetHost     string
+	migrateTargetPort     int
+	migrateTargetUser     string
+	migrateTargetPassword string
+	migrateTargetDatabase string
+	migrateTargetSSLMode  string
+
+	// Migration options
+	migrateWorkdir    string
+	migrateClean      bool
+	migrateConfirm    bool
+	migrateDryRun     bool
+	migrateKeepBackup bool
+	migrateJobs       int
+	migrateVerbose    bool
+	migrateExclude    []string
+)
+
+// migrateCmd represents the migrate command
+var migrateCmd = &cobra.Command{
+	Use:   "migrate",
+	Short: "Migrate databases between servers",
+	Long: `Migrate databases from one server to another.
+
+This command performs a staged migration:
+1. Creates a backup from the source server
+2. Stores backup in a working directory
+3. Restores the backup to the target server
+4. Cleans up temporary files (unless --keep-backup)
+
+Supports PostgreSQL and MySQL cluster migration or single database migration.
+
+Examples:
+  # Migrate entire PostgreSQL cluster
+  dbbackup migrate cluster \
+    --source-host old-server --source-port 5432 --source-user postgres \
+    --target-host new-server --target-port 5432 --target-user postgres \
+    --confirm
+
+  # Migrate single database
+  dbbackup migrate single mydb \
+    --source-host old-server --source-user postgres \
+    --target-host new-server --target-user postgres \
+    --confirm
+
+  # Dry-run to preview migration
+  dbbackup migrate cluster \
+    --source-host old-server \
+    --target-host new-server \
+    --dry-run
+`,
+	Run: func(cmd *cobra.Command, args []string) {
+		cmd.Help()
+	},
+}
+
+// migrateClusterCmd migrates an entire database cluster
+var migrateClusterCmd = &cobra.Command{
+	Use:   "cluster",
+	Short: "Migrate entire database cluster to target server",
+	Long: `Migrate all databases from source cluster to target server.
+
+This command:
+1. Connects to source server and lists all databases
+2. Creates individual backups of each database
+3. Restores each database to target server
+4. Optionally cleans up backup files after successful migration
+
+Requirements:
+- Database client tools (pg_dump/pg_restore or mysqldump/mysql)
+- Network access to both source and target servers
+- Sufficient disk space in working directory for backups
+
+Safety features:
+- Dry-run mode by default (use --confirm to execute)
+- Pre-flight checks on both servers
+- Optional backup retention after migration
+
+Examples:
+  # Preview migration
+  dbbackup migrate cluster \
+    --source-host old-server \
+    --target-host new-server
+
+  # Execute migration with cleanup of existing databases
+  dbbackup migrate cluster \
+    --source-host old-server --source-user postgres \
+    --target-host new-server --target-user postgres \
+    --clean --confirm
+
+  # Exclude specific databases
+  dbbackup migrate cluster \
+    --source-host old-server \
+    --target-host new-server \
+    --exclude template0,template1 \
+    --confirm
+`,
+	RunE: runMigrateCluster,
+}
+
+// migrateSingleCmd migrates a single database
+var migrateSingleCmd = &cobra.Command{
+	Use:   "single [database-name]",
+	Short: "Migrate single database to target server",
+	Long: `Migrate a single database from source server to target server.
+
+Examples:
+  # Migrate database to same name on target
+  dbbackup migrate single myapp_db \
+    --source-host old-server \
+    --target-host new-server \
+    --confirm
+
+  # Migrate to different database name
+  dbbackup migrate single myapp_db \
+    --source-host old-server \
+    --target-host new-server \
+    --target-database myapp_db_new \
+    --confirm
+`,
+	Args: cobra.ExactArgs(1),
+	RunE: runMigrateSingle,
+}
+
+func init() {
+	// Add migrate command to root
+	rootCmd.AddCommand(migrateCmd)
+
+	// Add subcommands
+	migrateCmd.AddCommand(migrateClusterCmd)
+	migrateCmd.AddCommand(migrateSingleCmd)
+
+	// Source connection flags
+	migrateCmd.PersistentFlags().StringVar(&migrateSourceHost, "source-host", "localhost", "Source database host")
+	migrateCmd.PersistentFlags().IntVar(&migrateSourcePort, "source-port", 5432, "Source database port")
+	migrateCmd.PersistentFlags().StringVar(&migrateSourceUser, "source-user", "", "Source database user")
+	migrateCmd.PersistentFlags().StringVar(&migrateSourcePassword, "source-password", "", "Source database password")
+	migrateCmd.PersistentFlags().StringVar(&migrateSourceSSLMode, "source-ssl-mode", "prefer", "Source SSL mode (disable, prefer, require)")
+
+	// Target connection flags
+	migrateCmd.PersistentFlags().StringVar(&migrateTargetHost, "target-host", "", "Target database host (required)")
+	migrateCmd.PersistentFlags().IntVar(&migrateTargetPort, "target-port", 5432, "Target database port")
+	migrateCmd.PersistentFlags().StringVar(&migrateTargetUser, "target-user", "", "Target database user (default: same as source)")
+	migrateCmd.PersistentFlags().StringVar(&migrateTargetPassword, "target-password", "", "Target database password")
+	migrateCmd.PersistentFlags().StringVar(&migrateTargetSSLMode, "target-ssl-mode", "prefer", "Target SSL mode (disable, prefer, require)")
+
+	// Single database specific flags
+	migrateSingleCmd.Flags().StringVar(&migrateTargetDatabase, "target-database", "", "Target database name (default: same as source)")
+
+	// Cluster specific flags
+	migrateClusterCmd.Flags().StringSliceVar(&migrateExclude, "exclude", []string{}, "Databases to exclude from migration")
+
+	// Migration options
+	migrateCmd.PersistentFlags().StringVar(&migrateWorkdir, "workdir", "", "Working directory for backup files (default: system temp)")
+	migrateCmd.PersistentFlags().BoolVar(&migrateClean, "clean", false, "Drop existing databases on target before restore")
+	migrateCmd.PersistentFlags().BoolVar(&migrateConfirm, "confirm", false, "Confirm and execute migration (default: dry-run)")
+	migrateCmd.PersistentFlags().BoolVar(&migrateDryRun, "dry-run", false, "Preview migration without executing")
+	migrateCmd.PersistentFlags().BoolVar(&migrateKeepBackup, "keep-backup", false, "Keep backup files after successful migration")
+	migrateCmd.PersistentFlags().IntVar(&migrateJobs, "jobs", 4, "Parallel jobs for backup/restore")
+	migrateCmd.PersistentFlags().BoolVar(&migrateVerbose, "verbose", false, "Verbose output")
+
+	// Mark required flags
+	migrateCmd.MarkPersistentFlagRequired("target-host")
+}
+
+func runMigrateCluster(cmd *cobra.Command, args []string) error {
+	// Validate target host
+	if migrateTargetHost == "" {
+		return fmt.Errorf("--target-host is required")
+	}
+
+	// Set defaults
+	if migrateSourceUser == "" {
+		migrateSourceUser = os.Getenv("USER")
+	}
+	if migrateTargetUser == "" {
+		migrateTargetUser = migrateSourceUser
+	}
+
+	// Create source config first to get WorkDir
+	sourceCfg := config.New()
+	sourceCfg.Host = migrateSourceHost
+	sourceCfg.Port = migrateSourcePort
+	sourceCfg.User = migrateSourceUser
+	sourceCfg.Password = migrateSourcePassword
+
+	workdir := migrateWorkdir
+	if workdir == "" {
+		// Use WorkDir from config if available
+		workdir = filepath.Join(sourceCfg.GetEffectiveWorkDir(), "dbbackup-migrate")
+	}
+
+	// Create working directory
+	if err := os.MkdirAll(workdir, 0755); err != nil {
+		return fmt.Errorf("failed to create working directory: %w", err)
+	}
+
+	// Update source config with remaining settings
+	sourceCfg.SSLMode = migrateSourceSSLMode
+	sourceCfg.Database = "postgres" // Default connection database
+	sourceCfg.DatabaseType = cfg.DatabaseType
+	sourceCfg.BackupDir = workdir
+	sourceCfg.DumpJobs = migrateJobs
+
+	// Create target config
+	targetCfg := config.New()
+	targetCfg.Host = migrateTargetHost
+	targetCfg.Port = migrateTargetPort
+	targetCfg.User = migrateTargetUser
+	targetCfg.Password = migrateTargetPassword
+	targetCfg.SSLMode = migrateTargetSSLMode
+	targetCfg.Database = "postgres"
+	targetCfg.DatabaseType = cfg.DatabaseType
+	targetCfg.BackupDir = workdir
+
+	// Create migration engine
+	engine, err := migrate.NewEngine(sourceCfg, targetCfg, log)
+	if err != nil {
+		return fmt.Errorf("failed to create migration engine: %w", err)
+	}
+	defer engine.Close()
+
+	// Configure engine
+	engine.SetWorkDir(workdir)
+	engine.SetKeepBackup(migrateKeepBackup)
+	engine.SetJobs(migrateJobs)
+	engine.SetDryRun(migrateDryRun || !migrateConfirm)
+	engine.SetVerbose(migrateVerbose)
+	engine.SetCleanTarget(migrateClean)
+
+	// Setup context with cancellation
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	// Handle interrupt signals
+	sigChan := make(chan os.Signal, 1)
+	signal.Notify(sigChan, os.Interrupt, syscall.SIGTERM)
+	go func() {
+		<-sigChan
+		log.Warn("Received interrupt signal, cancelling migration...")
+		cancel()
+	}()
+
+	// Connect to databases
+	if err := engine.Connect(ctx); err != nil {
+		return fmt.Errorf("failed to connect: %w", err)
+	}
+
+	// Print migration plan
+	fmt.Println()
+	fmt.Println("=== Cluster Migration Plan ===")
+	fmt.Println()
+	fmt.Printf("Source: %s@%s:%d\n", migrateSourceUser, migrateSourceHost, migrateSourcePort)
+	fmt.Printf("Target: %s@%s:%d\n", migrateTargetUser, migrateTargetHost, migrateTargetPort)
+	fmt.Printf("Database Type: %s\n", cfg.DatabaseType)
+	fmt.Printf("Working Directory: %s\n", workdir)
+	fmt.Printf("Clean Target: %v\n", migrateClean)
+	fmt.Printf("Keep Backup: %v\n", migrateKeepBackup)
+	fmt.Printf("Parallel Jobs: %d\n", migrateJobs)
+	if len(migrateExclude) > 0 {
+		fmt.Printf("Excluded: %v\n", migrateExclude)
+	}
+	fmt.Println()
+
+	isDryRun := migrateDryRun || !migrateConfirm
+	if isDryRun {
+		fmt.Println("Mode: DRY-RUN (use --confirm to execute)")
+		fmt.Println()
+		return engine.PreflightCheck(ctx)
+	}
+
+	fmt.Println("Mode: EXECUTE")
+	fmt.Println()
+
+	// Execute migration
+	startTime := time.Now()
+	result, err := engine.MigrateCluster(ctx, migrateExclude)
+	duration := time.Since(startTime)
+
+	if err != nil {
+		log.Error("Migration failed", "error", err, "duration", duration)
+		return fmt.Errorf("migration failed: %w", err)
+	}
+
+	// Print results
+	fmt.Println()
+	fmt.Println("=== Migration Complete ===")
+	fmt.Println()
+	fmt.Printf("Duration: %s\n", duration.Round(time.Second))
+	fmt.Printf("Databases Migrated: %d\n", result.DatabaseCount)
+	if result.BackupPath != "" && migrateKeepBackup {
+		fmt.Printf("Backup Location: %s\n", result.BackupPath)
+	}
+	fmt.Println()
+
+	return nil
+}
+
+func runMigrateSingle(cmd *cobra.Command, args []string) error {
+	dbName := args[0]
+
+	// Validate target host
+	if migrateTargetHost == "" {
+		return fmt.Errorf("--target-host is required")
+	}
+
+	// Set defaults
+	if migrateSourceUser == "" {
+		migrateSourceUser = os.Getenv("USER")
+	}
+	if migrateTargetUser == "" {
+		migrateTargetUser = migrateSourceUser
+	}
+
+	targetDB := migrateTargetDatabase
+	if targetDB == "" {
+		targetDB = dbName
+	}
+
+	workdir := migrateWorkdir
+	if workdir == "" {
+		tempCfg := config.New()
+		workdir = filepath.Join(tempCfg.GetEffectiveWorkDir(), "dbbackup-migrate")
+	}
+
+	// Create working directory
+	if err := os.MkdirAll(workdir, 0755); err != nil {
+		return fmt.Errorf("failed to create working directory: %w", err)
+	}
+
+	// Create source config
+	sourceCfg := config.New()
+	sourceCfg.Host = migrateSourceHost
+	sourceCfg.Port = migrateSourcePort
+	sourceCfg.User = migrateSourceUser
+	sourceCfg.Password = migrateSourcePassword
+	sourceCfg.SSLMode = migrateSourceSSLMode
+	sourceCfg.Database = dbName
+	sourceCfg.DatabaseType = cfg.DatabaseType
+	sourceCfg.BackupDir = workdir
+	sourceCfg.DumpJobs = migrateJobs
+
+	// Create target config
+	targetCfg := config.New()
+	targetCfg.Host = migrateTargetHost
+	targetCfg.Port = migrateTargetPort
+	targetCfg.User = migrateTargetUser
+	targetCfg.Password = migrateTargetPassword
+	targetCfg.SSLMode = migrateTargetSSLMode
+	targetCfg.Database = targetDB
+	targetCfg.DatabaseType = cfg.DatabaseType
+	targetCfg.BackupDir = workdir
+
+	// Create migration engine
+	engine, err := migrate.NewEngine(sourceCfg, targetCfg, log)
+	if err != nil {
+		return fmt.Errorf("failed to create migration engine: %w", err)
+	}
+	defer engine.Close()
+
+	// Configure engine
+	engine.SetWorkDir(workdir)
+	engine.SetKeepBackup(migrateKeepBackup)
+	engine.SetJobs(migrateJobs)
+	engine.SetDryRun(migrateDryRun || !migrateConfirm)
+	engine.SetVerbose(migrateVerbose)
+	engine.SetCleanTarget(migrateClean)
+
+	// Setup context with cancellation
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	// Handle interrupt signals
+	sigChan := make(chan os.Signal, 1)
+	signal.Notify(sigChan, os.Interrupt, syscall.SIGTERM)
+	go func() {
+		<-sigChan
+		log.Warn("Received interrupt signal, cancelling migration...")
+		cancel()
+	}()
+
+	// Connect to databases
+	if err := engine.Connect(ctx); err != nil {
+		return fmt.Errorf("failed to connect: %w", err)
+	}
+
+	// Print migration plan
+	fmt.Println()
+	fmt.Println("=== Single Database Migration Plan ===")
+	fmt.Println()
+	fmt.Printf("Source: %s@%s:%d/%s\n", migrateSourceUser, migrateSourceHost, migrateSourcePort, dbName)
+	fmt.Printf("Target: %s@%s:%d/%s\n", migrateTargetUser, migrateTargetHost, migrateTargetPort, targetDB)
+	fmt.Printf("Database Type: %s\n", cfg.DatabaseType)
+	fmt.Printf("Working Directory: %s\n", workdir)
+	fmt.Printf("Clean Target: %v\n", migrateClean)
+	fmt.Printf("Keep Backup: %v\n", migrateKeepBackup)
+	fmt.Println()
+
+	isDryRun := migrateDryRun || !migrateConfirm
+	if isDryRun {
+		fmt.Println("Mode: DRY-RUN (use --confirm to execute)")
+		fmt.Println()
+		return engine.PreflightCheck(ctx)
+	}
+
+	fmt.Println("Mode: EXECUTE")
+	fmt.Println()
+
+	// Execute migration
+	startTime := time.Now()
+	err = engine.MigrateSingle(ctx, dbName, targetDB)
+	duration := time.Since(startTime)
+
+	if err != nil {
+		log.Error("Migration failed", "error", err, "duration", duration)
+		return fmt.Errorf("migration failed: %w", err)
+	}
+
+	// Print results
+	fmt.Println()
+	fmt.Println("=== Migration Complete ===")
+	fmt.Println()
+	fmt.Printf("Duration: %s\n", duration.Round(time.Second))
+	fmt.Printf("Database: %s -> %s\n", dbName, targetDB)
+	fmt.Println()
+
+	return nil
+}
--- a/cmd/pitr.go
+++ b/cmd/pitr.go
@@ -0,0 +1,1324 @@
+package cmd
+
+import (
+	"context"
+	"database/sql"
+	"fmt"
+	"os"
+	"path/filepath"
+	"time"
+
+	"github.com/spf13/cobra"
+
+	"dbbackup/internal/pitr"
+	"dbbackup/internal/wal"
+)
+
+var (
+	// PITR enable flags
+	pitrArchiveDir string
+	pitrForce      bool
+
+	// WAL archive flags
+	walArchiveDir        string
+	walCompress          bool
+	walEncrypt           bool
+	walEncryptionKeyFile string
+	walEncryptionKeyEnv  string = "DBBACKUP_ENCRYPTION_KEY"
+
+	// WAL cleanup flags
+	walRetentionDays int
+
+	// PITR restore flags
+	pitrTargetTime      string
+	pitrTargetXID       string
+	pitrTargetName      string
+	pitrTargetLSN       string
+	pitrTargetImmediate bool
+	pitrRecoveryAction  string
+	pitrWALSource       string
+
+	// MySQL PITR flags
+	mysqlBinlogDir        string
+	mysqlArchiveDir       string
+	mysqlArchiveInterval  string
+	mysqlRequireRowFormat bool
+	mysqlRequireGTID      bool
+	mysqlWatchMode        bool
+)
+
+// pitrCmd represents the pitr command group
+var pitrCmd = &cobra.Command{
+	Use:   "pitr",
+	Short: "Point-in-Time Recovery (PITR) operations",
+	Long: `Manage PostgreSQL Point-in-Time Recovery (PITR) with WAL archiving.
+
+PITR allows you to restore your database to any point in time, not just
+to the time of your last backup. This requires continuous WAL archiving.
+
+Commands:
+  enable   - Configure PostgreSQL for PITR
+  disable  - Disable PITR
+  status   - Show current PITR configuration
+`,
+}
+
+// pitrEnableCmd enables PITR
+var pitrEnableCmd = &cobra.Command{
+	Use:   "enable",
+	Short: "Enable Point-in-Time Recovery",
+	Long: `Configure PostgreSQL for Point-in-Time Recovery by enabling WAL archiving.
+
+This command will:
+1. Create WAL archive directory
+2. Update postgresql.conf with PITR settings
+3. Set archive_mode = on
+4. Configure archive_command to use dbbackup
+
+Note: PostgreSQL restart is required after enabling PITR.
+
+Example:
+  dbbackup pitr enable --archive-dir /backups/wal_archive
+`,
+	RunE: runPITREnable,
+}
+
+// pitrDisableCmd disables PITR
+var pitrDisableCmd = &cobra.Command{
+	Use:   "disable",
+	Short: "Disable Point-in-Time Recovery",
+	Long: `Disable PITR by turning off WAL archiving.
+
+This sets archive_mode = off in postgresql.conf.
+Requires PostgreSQL restart to take effect.
+
+Example:
+  dbbackup pitr disable
+`,
+	RunE: runPITRDisable,
+}
+
+// pitrStatusCmd shows PITR status
+var pitrStatusCmd = &cobra.Command{
+	Use:   "status",
+	Short: "Show PITR configuration and WAL archive status",
+	Long: `Display current PITR settings and WAL archive statistics.
+
+Shows:
+- archive_mode, wal_level, archive_command
+- Number of archived WAL files
+- Total archive size
+- Oldest and newest WAL archives
+
+Example:
+  dbbackup pitr status
+`,
+	RunE: runPITRStatus,
+}
+
+// walCmd represents the wal command group
+var walCmd = &cobra.Command{
+	Use:   "wal",
+	Short: "WAL (Write-Ahead Log) operations",
+	Long: `Manage PostgreSQL Write-Ahead Log (WAL) files.
+
+WAL files contain all changes made to the database and are essential
+for Point-in-Time Recovery (PITR).
+`,
+}
+
+// walArchiveCmd archives a WAL file
+var walArchiveCmd = &cobra.Command{
+	Use:   "archive <wal_path> <wal_filename>",
+	Short: "Archive a WAL file (called by PostgreSQL)",
+	Long: `Archive a PostgreSQL WAL file to the archive directory.
+
+This command is typically called automatically by PostgreSQL via the
+archive_command setting. It can also be run manually for testing.
+
+Arguments:
+  wal_path     - Full path to the WAL file (e.g., /var/lib/postgresql/data/pg_wal/0000...)
+  wal_filename - WAL filename only (e.g., 000000010000000000000001)
+
+Example:
+  dbbackup wal archive /var/lib/postgresql/data/pg_wal/000000010000000000000001 000000010000000000000001 --archive-dir /backups/wal
+`,
+	Args: cobra.ExactArgs(2),
+	RunE: runWALArchive,
+}
+
+// walListCmd lists archived WAL files
+var walListCmd = &cobra.Command{
+	Use:   "list",
+	Short: "List archived WAL files",
+	Long: `List all WAL files in the archive directory.
+
+Shows timeline, segment number, size, and archive time for each WAL file.
+
+Example:
+  dbbackup wal list --archive-dir /backups/wal_archive
+`,
+	RunE: runWALList,
+}
+
+// walCleanupCmd cleans up old WAL archives
+var walCleanupCmd = &cobra.Command{
+	Use:   "cleanup",
+	Short: "Remove old WAL archives based on retention policy",
+	Long: `Delete WAL archives older than the specified retention period.
+
+WAL files older than --retention-days will be permanently deleted.
+
+Example:
+  dbbackup wal cleanup --archive-dir /backups/wal_archive --retention-days 7
+`,
+	RunE: runWALCleanup,
+}
+
+// walTimelineCmd shows timeline history
+var walTimelineCmd = &cobra.Command{
+	Use:   "timeline",
+	Short: "Show timeline branching history",
+	Long: `Display PostgreSQL timeline history and branching structure.
+
+Timelines track recovery points and allow parallel recovery paths.
+A new timeline is created each time you perform point-in-time recovery.
+
+Shows:
+- Timeline hierarchy and parent relationships
+- Timeline switch points (LSN)
+- WAL segment ranges per timeline
+- Reason for timeline creation
+
+Example:
+  dbbackup wal timeline --archive-dir /backups/wal_archive
+`,
+	RunE: runWALTimeline,
+}
+
+// ============================================================================
+// MySQL/MariaDB Binlog Commands
+// ============================================================================
+
+// binlogCmd represents the binlog command group (MySQL equivalent of WAL)
+var binlogCmd = &cobra.Command{
+	Use:   "binlog",
+	Short: "Binary log operations for MySQL/MariaDB",
+	Long: `Manage MySQL/MariaDB binary log files for Point-in-Time Recovery.
+
+Binary logs contain all changes made to the database and are essential
+for Point-in-Time Recovery (PITR) with MySQL and MariaDB.
+
+Commands:
+  list     - List available binlog files
+  archive  - Archive binlog files
+  watch    - Watch for new binlog files and archive them
+  validate - Validate binlog chain integrity
+  position - Show current binlog position
+`,
+}
+
+// binlogListCmd lists binary log files
+var binlogListCmd = &cobra.Command{
+	Use:   "list",
+	Short: "List binary log files",
+	Long: `List all available binary log files from the MySQL data directory
+and/or the archive directory.
+
+Shows: filename, size, timestamps, server_id, and format for each binlog.
+
+Examples:
+  dbbackup binlog list --binlog-dir /var/lib/mysql
+  dbbackup binlog list --archive-dir /backups/binlog_archive
+`,
+	RunE: runBinlogList,
+}
+
+// binlogArchiveCmd archives binary log files
+var binlogArchiveCmd = &cobra.Command{
+	Use:   "archive",
+	Short: "Archive binary log files",
+	Long: `Archive MySQL binary log files to a backup location.
+
+This command copies completed binlog files (not the currently active one)
+to the archive directory, optionally with compression and encryption.
+
+Examples:
+  dbbackup binlog archive --binlog-dir /var/lib/mysql --archive-dir /backups/binlog
+  dbbackup binlog archive --compress --archive-dir /backups/binlog
+`,
+	RunE: runBinlogArchive,
+}
+
+// binlogWatchCmd watches for new binlogs and archives them
+var binlogWatchCmd = &cobra.Command{
+	Use:   "watch",
+	Short: "Watch for new binlog files and archive them automatically",
+	Long: `Continuously monitor the binlog directory for new files and
+archive them automatically when they are closed.
+
+This runs as a background process and provides continuous binlog archiving
+for PITR capability.
+
+Example:
+  dbbackup binlog watch --binlog-dir /var/lib/mysql --archive-dir /backups/binlog --interval 30s
+`,
+	RunE: runBinlogWatch,
+}
+
+// binlogValidateCmd validates binlog chain
+var binlogValidateCmd = &cobra.Command{
+	Use:   "validate",
+	Short: "Validate binlog chain integrity",
+	Long: `Check the binary log chain for gaps or inconsistencies.
+
+Validates:
+- Sequential numbering of binlog files
+- No missing files in the chain
+- Server ID consistency
+- GTID continuity (if enabled)
+
+Example:
+  dbbackup binlog validate --binlog-dir /var/lib/mysql
+  dbbackup binlog validate --archive-dir /backups/binlog
+`,
+	RunE: runBinlogValidate,
+}
+
+// binlogPositionCmd shows current binlog position
+var binlogPositionCmd = &cobra.Command{
+	Use:   "position",
+	Short: "Show current binary log position",
+	Long: `Display the current MySQL binary log position.
+
+This connects to MySQL and runs SHOW MASTER STATUS to get:
+- Current binlog filename
+- Current byte position
+- Executed GTID set (if GTID mode is enabled)
+
+Example:
+  dbbackup binlog position
+`,
+	RunE: runBinlogPosition,
+}
+
+// mysqlPitrStatusCmd shows MySQL-specific PITR status
+var mysqlPitrStatusCmd = &cobra.Command{
+	Use:   "mysql-status",
+	Short: "Show MySQL/MariaDB PITR status",
+	Long: `Display MySQL/MariaDB-specific PITR configuration and status.
+
+Shows:
+- Binary log configuration (log_bin, binlog_format)
+- GTID mode status
+- Archive directory and statistics
+- Current binlog position
+- Recovery windows available
+
+Example:
+  dbbackup pitr mysql-status
+`,
+	RunE: runMySQLPITRStatus,
+}
+
+// mysqlPitrEnableCmd enables MySQL PITR
+var mysqlPitrEnableCmd = &cobra.Command{
+	Use:   "mysql-enable",
+	Short: "Enable PITR for MySQL/MariaDB",
+	Long: `Configure MySQL/MariaDB for Point-in-Time Recovery.
+
+This validates MySQL settings and sets up binlog archiving:
+- Checks binary logging is enabled (log_bin=ON)
+- Validates binlog_format (ROW recommended)
+- Creates archive directory
+- Saves PITR configuration
+
+Prerequisites in my.cnf:
+  [mysqld]
+  log_bin = mysql-bin
+  binlog_format = ROW
+  server_id = 1
+
+Example:
+  dbbackup pitr mysql-enable --archive-dir /backups/binlog_archive
+`,
+	RunE: runMySQLPITREnable,
+}
+
+func init() {
+	rootCmd.AddCommand(pitrCmd)
+	rootCmd.AddCommand(walCmd)
+	rootCmd.AddCommand(binlogCmd)
+
+	// PITR subcommands
+	pitrCmd.AddCommand(pitrEnableCmd)
+	pitrCmd.AddCommand(pitrDisableCmd)
+	pitrCmd.AddCommand(pitrStatusCmd)
+	pitrCmd.AddCommand(mysqlPitrStatusCmd)
+	pitrCmd.AddCommand(mysqlPitrEnableCmd)
+
+	// WAL subcommands (PostgreSQL)
+	walCmd.AddCommand(walArchiveCmd)
+	walCmd.AddCommand(walListCmd)
+	walCmd.AddCommand(walCleanupCmd)
+	walCmd.AddCommand(walTimelineCmd)
+
+	// Binlog subcommands (MySQL/MariaDB)
+	binlogCmd.AddCommand(binlogListCmd)
+	binlogCmd.AddCommand(binlogArchiveCmd)
+	binlogCmd.AddCommand(binlogWatchCmd)
+	binlogCmd.AddCommand(binlogValidateCmd)
+	binlogCmd.AddCommand(binlogPositionCmd)
+
+	// PITR enable flags
+	pitrEnableCmd.Flags().StringVar(&pitrArchiveDir, "archive-dir", "/var/backups/wal_archive", "Directory to store WAL archives")
+	pitrEnableCmd.Flags().BoolVar(&pitrForce, "force", false, "Overwrite existing PITR configuration")
+
+	// WAL archive flags
+	walArchiveCmd.Flags().StringVar(&walArchiveDir, "archive-dir", "", "WAL archive directory (required)")
+	walArchiveCmd.Flags().BoolVar(&walCompress, "compress", false, "Compress WAL files with gzip")
+	walArchiveCmd.Flags().BoolVar(&walEncrypt, "encrypt", false, "Encrypt WAL files")
+	walArchiveCmd.Flags().StringVar(&walEncryptionKeyFile, "encryption-key-file", "", "Path to encryption key file (32 bytes)")
+	walArchiveCmd.Flags().StringVar(&walEncryptionKeyEnv, "encryption-key-env", "DBBACKUP_ENCRYPTION_KEY", "Environment variable containing encryption key")
+	walArchiveCmd.MarkFlagRequired("archive-dir")
+
+	// WAL list flags
+	walListCmd.Flags().StringVar(&walArchiveDir, "archive-dir", "/var/backups/wal_archive", "WAL archive directory")
+
+	// WAL cleanup flags
+	walCleanupCmd.Flags().StringVar(&walArchiveDir, "archive-dir", "/var/backups/wal_archive", "WAL archive directory")
+	walCleanupCmd.Flags().IntVar(&walRetentionDays, "retention-days", 7, "Days to keep WAL archives")
+
+	// WAL timeline flags
+	walTimelineCmd.Flags().StringVar(&walArchiveDir, "archive-dir", "/var/backups/wal_archive", "WAL archive directory")
+
+	// MySQL binlog flags
+	binlogListCmd.Flags().StringVar(&mysqlBinlogDir, "binlog-dir", "/var/lib/mysql", "MySQL binary log directory")
+	binlogListCmd.Flags().StringVar(&mysqlArchiveDir, "archive-dir", "", "Binlog archive directory")
+
+	binlogArchiveCmd.Flags().StringVar(&mysqlBinlogDir, "binlog-dir", "/var/lib/mysql", "MySQL binary log directory")
+	binlogArchiveCmd.Flags().StringVar(&mysqlArchiveDir, "archive-dir", "/var/backups/binlog_archive", "Binlog archive directory")
+	binlogArchiveCmd.Flags().BoolVar(&walCompress, "compress", false, "Compress binlog files")
+	binlogArchiveCmd.Flags().BoolVar(&walEncrypt, "encrypt", false, "Encrypt binlog files")
+	binlogArchiveCmd.Flags().StringVar(&walEncryptionKeyFile, "encryption-key-file", "", "Path to encryption key file")
+	binlogArchiveCmd.MarkFlagRequired("archive-dir")
+
+	binlogWatchCmd.Flags().StringVar(&mysqlBinlogDir, "binlog-dir", "/var/lib/mysql", "MySQL binary log directory")
+	binlogWatchCmd.Flags().StringVar(&mysqlArchiveDir, "archive-dir", "/var/backups/binlog_archive", "Binlog archive directory")
+	binlogWatchCmd.Flags().StringVar(&mysqlArchiveInterval, "interval", "30s", "Check interval for new binlogs")
+	binlogWatchCmd.Flags().BoolVar(&walCompress, "compress", false, "Compress binlog files")
+	binlogWatchCmd.MarkFlagRequired("archive-dir")
+
+	binlogValidateCmd.Flags().StringVar(&mysqlBinlogDir, "binlog-dir", "/var/lib/mysql", "MySQL binary log directory")
+	binlogValidateCmd.Flags().StringVar(&mysqlArchiveDir, "archive-dir", "", "Binlog archive directory")
+
+	// MySQL PITR enable flags
+	mysqlPitrEnableCmd.Flags().StringVar(&mysqlArchiveDir, "archive-dir", "/var/backups/binlog_archive", "Binlog archive directory")
+	mysqlPitrEnableCmd.Flags().IntVar(&walRetentionDays, "retention-days", 7, "Days to keep archived binlogs")
+	mysqlPitrEnableCmd.Flags().BoolVar(&mysqlRequireRowFormat, "require-row-format", true, "Require ROW binlog format")
+	mysqlPitrEnableCmd.Flags().BoolVar(&mysqlRequireGTID, "require-gtid", false, "Require GTID mode enabled")
+	mysqlPitrEnableCmd.MarkFlagRequired("archive-dir")
+}
+
+// Command implementations
+
+func runPITREnable(cmd *cobra.Command, args []string) error {
+	ctx := context.Background()
+
+	if !cfg.IsPostgreSQL() {
+		return fmt.Errorf("PITR is only supported for PostgreSQL (detected: %s)", cfg.DisplayDatabaseType())
+	}
+
+	log.Info("Enabling Point-in-Time Recovery (PITR)", "archive_dir", pitrArchiveDir)
+
+	pitrManager := wal.NewPITRManager(cfg, log)
+	if err := pitrManager.EnablePITR(ctx, pitrArchiveDir); err != nil {
+		return fmt.Errorf("failed to enable PITR: %w", err)
+	}
+
+	log.Info("[OK] PITR enabled successfully!")
+	log.Info("")
+	log.Info("Next steps:")
+	log.Info("1. Restart PostgreSQL: sudo systemctl restart postgresql")
+	log.Info("2. Create a base backup: dbbackup backup single <database>")
+	log.Info("3. WAL files will be automatically archived to: " + pitrArchiveDir)
+	log.Info("")
+	log.Info("To restore to a point in time, use:")
+	log.Info("  dbbackup restore pitr <backup> --target-time '2024-01-15 14:30:00'")
+
+	return nil
+}
+
+func runPITRDisable(cmd *cobra.Command, args []string) error {
+	ctx := context.Background()
+
+	if !cfg.IsPostgreSQL() {
+		return fmt.Errorf("PITR is only supported for PostgreSQL")
+	}
+
+	log.Info("Disabling Point-in-Time Recovery (PITR)")
+
+	pitrManager := wal.NewPITRManager(cfg, log)
+	if err := pitrManager.DisablePITR(ctx); err != nil {
+		return fmt.Errorf("failed to disable PITR: %w", err)
+	}
+
+	log.Info("[OK] PITR disabled successfully!")
+	log.Info("PostgreSQL restart required: sudo systemctl restart postgresql")
+
+	return nil
+}
+
+func runPITRStatus(cmd *cobra.Command, args []string) error {
+	ctx := context.Background()
+
+	if !cfg.IsPostgreSQL() {
+		return fmt.Errorf("PITR is only supported for PostgreSQL")
+	}
+
+	pitrManager := wal.NewPITRManager(cfg, log)
+	config, err := pitrManager.GetCurrentPITRConfig(ctx)
+	if err != nil {
+		return fmt.Errorf("failed to get PITR configuration: %w", err)
+	}
+
+	// Display PITR configuration
+	fmt.Println("======================================================")
+	fmt.Println("  Point-in-Time Recovery (PITR) Status")
+	fmt.Println("======================================================")
+	fmt.Println()
+
+	if config.Enabled {
+		fmt.Println("Status:          [OK] ENABLED")
+	} else {
+		fmt.Println("Status:          [FAIL] DISABLED")
+	}
+
+	fmt.Printf("WAL Level:       %s\n", config.WALLevel)
+	fmt.Printf("Archive Mode:    %s\n", config.ArchiveMode)
+	fmt.Printf("Archive Command: %s\n", config.ArchiveCommand)
+
+	if config.MaxWALSenders > 0 {
+		fmt.Printf("Max WAL Senders: %d\n", config.MaxWALSenders)
+	}
+	if config.WALKeepSize != "" {
+		fmt.Printf("WAL Keep Size:   %s\n", config.WALKeepSize)
+	}
+
+	// Show WAL archive statistics if archive directory can be determined
+	if config.ArchiveCommand != "" {
+		// Extract archive dir from command (simple parsing)
+		fmt.Println()
+		fmt.Println("WAL Archive Statistics:")
+		fmt.Println("======================================================")
+		// TODO: Parse archive dir and show stats
+		fmt.Println("  (Use 'dbbackup wal list --archive-dir <dir>' to view archives)")
+	}
+
+	return nil
+}
+
+func runWALArchive(cmd *cobra.Command, args []string) error {
+	ctx := context.Background()
+	walPath := args[0]
+	walFilename := args[1]
+
+	// Load encryption key if encryption is enabled
+	var encryptionKey []byte
+	if walEncrypt {
+		key, err := loadEncryptionKey(walEncryptionKeyFile, walEncryptionKeyEnv)
+		if err != nil {
+			return fmt.Errorf("failed to load WAL encryption key: %w", err)
+		}
+		encryptionKey = key
+	}
+
+	archiver := wal.NewArchiver(cfg, log)
+	archiveConfig := wal.ArchiveConfig{
+		ArchiveDir:    walArchiveDir,
+		CompressWAL:   walCompress,
+		EncryptWAL:    walEncrypt,
+		EncryptionKey: encryptionKey,
+	}
+
+	info, err := archiver.ArchiveWALFile(ctx, walPath, walFilename, archiveConfig)
+	if err != nil {
+		return fmt.Errorf("WAL archiving failed: %w", err)
+	}
+
+	log.Info("WAL file archived successfully",
+		"wal", info.WALFileName,
+		"archive", info.ArchivePath,
+		"original_size", info.OriginalSize,
+		"archived_size", info.ArchivedSize,
+		"timeline", info.Timeline,
+		"segment", info.Segment)
+
+	return nil
+}
+
+func runWALList(cmd *cobra.Command, args []string) error {
+	archiver := wal.NewArchiver(cfg, log)
+	archiveConfig := wal.ArchiveConfig{
+		ArchiveDir: walArchiveDir,
+	}
+
+	archives, err := archiver.ListArchivedWALFiles(archiveConfig)
+	if err != nil {
+		return fmt.Errorf("failed to list WAL archives: %w", err)
+	}
+
+	if len(archives) == 0 {
+		fmt.Println("No WAL archives found in: " + walArchiveDir)
+		return nil
+	}
+
+	// Display archives
+	fmt.Println("======================================================")
+	fmt.Printf("  WAL Archives (%d files)\n", len(archives))
+	fmt.Println("======================================================")
+	fmt.Println()
+
+	fmt.Printf("%-28s  %10s  %10s  %8s  %s\n", "WAL Filename", "Timeline", "Segment", "Size", "Archived At")
+	fmt.Println("--------------------------------------------------------------------------------")
+
+	for _, archive := range archives {
+		size := formatWALSize(archive.ArchivedSize)
+		timeStr := archive.ArchivedAt.Format("2006-01-02 15:04")
+
+		flags := ""
+		if archive.Compressed {
+			flags += "C"
+		}
+		if archive.Encrypted {
+			flags += "E"
+		}
+		if flags != "" {
+			flags = " [" + flags + "]"
+		}
+
+		fmt.Printf("%-28s  %10d  0x%08X  %8s  %s%s\n",
+			archive.WALFileName,
+			archive.Timeline,
+			archive.Segment,
+			size,
+			timeStr,
+			flags)
+	}
+
+	// Show statistics
+	stats, _ := archiver.GetArchiveStats(archiveConfig)
+	if stats != nil {
+		fmt.Println()
+		fmt.Printf("Total Size: %s\n", stats.FormatSize())
+		if stats.CompressedFiles > 0 {
+			fmt.Printf("Compressed: %d files\n", stats.CompressedFiles)
+		}
+		if stats.EncryptedFiles > 0 {
+			fmt.Printf("Encrypted:  %d files\n", stats.EncryptedFiles)
+		}
+		if !stats.OldestArchive.IsZero() {
+			fmt.Printf("Oldest:     %s\n", stats.OldestArchive.Format("2006-01-02 15:04"))
+			fmt.Printf("Newest:     %s\n", stats.NewestArchive.Format("2006-01-02 15:04"))
+		}
+	}
+
+	return nil
+}
+
+func runWALCleanup(cmd *cobra.Command, args []string) error {
+	ctx := context.Background()
+
+	archiver := wal.NewArchiver(cfg, log)
+	archiveConfig := wal.ArchiveConfig{
+		ArchiveDir:    walArchiveDir,
+		RetentionDays: walRetentionDays,
+	}
+
+	if archiveConfig.RetentionDays <= 0 {
+		return fmt.Errorf("--retention-days must be greater than 0")
+	}
+
+	deleted, err := archiver.CleanupOldWALFiles(ctx, archiveConfig)
+	if err != nil {
+		return fmt.Errorf("WAL cleanup failed: %w", err)
+	}
+
+	log.Info("[OK] WAL cleanup completed", "deleted", deleted, "retention_days", archiveConfig.RetentionDays)
+	return nil
+}
+
+func runWALTimeline(cmd *cobra.Command, args []string) error {
+	ctx := context.Background()
+
+	// Create timeline manager
+	tm := wal.NewTimelineManager(log)
+
+	// Parse timeline history
+	history, err := tm.ParseTimelineHistory(ctx, walArchiveDir)
+	if err != nil {
+		return fmt.Errorf("failed to parse timeline history: %w", err)
+	}
+
+	// Validate consistency
+	if err := tm.ValidateTimelineConsistency(ctx, history); err != nil {
+		log.Warn("Timeline consistency issues detected", "error", err)
+	}
+
+	// Display timeline tree
+	fmt.Println(tm.FormatTimelineTree(history))
+
+	// Display timeline details
+	if len(history.Timelines) > 0 {
+		fmt.Println("\nTimeline Details:")
+		fmt.Println("=================")
+		for _, tl := range history.Timelines {
+			fmt.Printf("\nTimeline %d:\n", tl.TimelineID)
+			if tl.ParentTimeline > 0 {
+				fmt.Printf("  Parent:      Timeline %d\n", tl.ParentTimeline)
+				fmt.Printf("  Switch LSN:  %s\n", tl.SwitchPoint)
+			}
+			if tl.Reason != "" {
+				fmt.Printf("  Reason:      %s\n", tl.Reason)
+			}
+			if tl.FirstWALSegment > 0 {
+				fmt.Printf("  WAL Range:   0x%016X - 0x%016X\n", tl.FirstWALSegment, tl.LastWALSegment)
+				segmentCount := tl.LastWALSegment - tl.FirstWALSegment + 1
+				fmt.Printf("  Segments:    %d files (~%d MB)\n", segmentCount, segmentCount*16)
+			}
+			if !tl.CreatedAt.IsZero() {
+				fmt.Printf("  Created:     %s\n", tl.CreatedAt.Format("2006-01-02 15:04:05"))
+			}
+			if tl.TimelineID == history.CurrentTimeline {
+				fmt.Printf("  Status:      [CURR] CURRENT\n")
+			}
+		}
+	}
+
+	return nil
+}
+
+// Helper functions
+
+func formatWALSize(bytes int64) string {
+	const (
+		KB = 1024
+		MB = 1024 * KB
+	)
+
+	if bytes >= MB {
+		return fmt.Sprintf("%.1f MB", float64(bytes)/float64(MB))
+	}
+	return fmt.Sprintf("%.1f KB", float64(bytes)/float64(KB))
+}
+
+// ============================================================================
+// MySQL/MariaDB Binlog Command Implementations
+// ============================================================================
+
+func runBinlogList(cmd *cobra.Command, args []string) error {
+	ctx := context.Background()
+
+	if !cfg.IsMySQL() {
+		return fmt.Errorf("binlog commands are only supported for MySQL/MariaDB (detected: %s)", cfg.DisplayDatabaseType())
+	}
+
+	binlogDir := mysqlBinlogDir
+	if binlogDir == "" && mysqlArchiveDir != "" {
+		binlogDir = mysqlArchiveDir
+	}
+
+	if binlogDir == "" {
+		return fmt.Errorf("please specify --binlog-dir or --archive-dir")
+	}
+
+	bmConfig := pitr.BinlogManagerConfig{
+		BinlogDir:  binlogDir,
+		ArchiveDir: mysqlArchiveDir,
+	}
+
+	bm, err := pitr.NewBinlogManager(bmConfig)
+	if err != nil {
+		return fmt.Errorf("initializing binlog manager: %w", err)
+	}
+
+	// List binlogs from source directory
+	binlogs, err := bm.DiscoverBinlogs(ctx)
+	if err != nil {
+		return fmt.Errorf("discovering binlogs: %w", err)
+	}
+
+	// Also list archived binlogs if archive dir is specified
+	var archived []pitr.BinlogArchiveInfo
+	if mysqlArchiveDir != "" {
+		archived, _ = bm.ListArchivedBinlogs(ctx)
+	}
+
+	if len(binlogs) == 0 && len(archived) == 0 {
+		fmt.Println("No binary log files found")
+		return nil
+	}
+
+	fmt.Println("=============================================================")
+	fmt.Printf("  Binary Log Files (%s)\n", bm.ServerType())
+	fmt.Println("=============================================================")
+	fmt.Println()
+
+	if len(binlogs) > 0 {
+		fmt.Println("Source Directory:")
+		fmt.Printf("%-24s  %10s  %-19s  %-19s  %s\n", "Filename", "Size", "Start Time", "End Time", "Format")
+		fmt.Println("--------------------------------------------------------------------------------")
+
+		var totalSize int64
+		for _, b := range binlogs {
+			size := formatWALSize(b.Size)
+			totalSize += b.Size
+
+			startTime := "unknown"
+			endTime := "unknown"
+			if !b.StartTime.IsZero() {
+				startTime = b.StartTime.Format("2006-01-02 15:04:05")
+			}
+			if !b.EndTime.IsZero() {
+				endTime = b.EndTime.Format("2006-01-02 15:04:05")
+			}
+
+			format := b.Format
+			if format == "" {
+				format = "-"
+			}
+
+			fmt.Printf("%-24s  %10s  %-19s  %-19s  %s\n", b.Name, size, startTime, endTime, format)
+		}
+		fmt.Printf("\nTotal: %d files, %s\n", len(binlogs), formatWALSize(totalSize))
+	}
+
+	if len(archived) > 0 {
+		fmt.Println()
+		fmt.Println("Archived Binlogs:")
+		fmt.Printf("%-24s  %10s  %-19s  %s\n", "Original", "Size", "Archived At", "Flags")
+		fmt.Println("--------------------------------------------------------------------------------")
+
+		var totalSize int64
+		for _, a := range archived {
+			size := formatWALSize(a.Size)
+			totalSize += a.Size
+
+			archivedTime := a.ArchivedAt.Format("2006-01-02 15:04:05")
+
+			flags := ""
+			if a.Compressed {
+				flags += "C"
+			}
+			if a.Encrypted {
+				flags += "E"
+			}
+			if flags != "" {
+				flags = "[" + flags + "]"
+			}
+
+			fmt.Printf("%-24s  %10s  %-19s  %s\n", a.OriginalFile, size, archivedTime, flags)
+		}
+		fmt.Printf("\nTotal archived: %d files, %s\n", len(archived), formatWALSize(totalSize))
+	}
+
+	return nil
+}
+
+func runBinlogArchive(cmd *cobra.Command, args []string) error {
+	ctx := context.Background()
+
+	if !cfg.IsMySQL() {
+		return fmt.Errorf("binlog commands are only supported for MySQL/MariaDB")
+	}
+
+	if mysqlBinlogDir == "" {
+		return fmt.Errorf("--binlog-dir is required")
+	}
+
+	// Load encryption key if needed
+	var encryptionKey []byte
+	if walEncrypt {
+		key, err := loadEncryptionKey(walEncryptionKeyFile, walEncryptionKeyEnv)
+		if err != nil {
+			return fmt.Errorf("failed to load encryption key: %w", err)
+		}
+		encryptionKey = key
+	}
+
+	bmConfig := pitr.BinlogManagerConfig{
+		BinlogDir:     mysqlBinlogDir,
+		ArchiveDir:    mysqlArchiveDir,
+		Compression:   walCompress,
+		Encryption:    walEncrypt,
+		EncryptionKey: encryptionKey,
+	}
+
+	bm, err := pitr.NewBinlogManager(bmConfig)
+	if err != nil {
+		return fmt.Errorf("initializing binlog manager: %w", err)
+	}
+
+	// Discover binlogs
+	binlogs, err := bm.DiscoverBinlogs(ctx)
+	if err != nil {
+		return fmt.Errorf("discovering binlogs: %w", err)
+	}
+
+	// Get already archived
+	archived, _ := bm.ListArchivedBinlogs(ctx)
+	archivedSet := make(map[string]struct{})
+	for _, a := range archived {
+		archivedSet[a.OriginalFile] = struct{}{}
+	}
+
+	// Need to connect to MySQL to get current position
+	// For now, skip the active binlog by looking at which one was modified most recently
+	var latestModTime int64
+	var latestBinlog string
+	for _, b := range binlogs {
+		if b.ModTime.Unix() > latestModTime {
+			latestModTime = b.ModTime.Unix()
+			latestBinlog = b.Name
+		}
+	}
+
+	var newArchives []pitr.BinlogArchiveInfo
+	for i := range binlogs {
+		b := &binlogs[i]
+
+		// Skip if already archived
+		if _, exists := archivedSet[b.Name]; exists {
+			log.Info("Skipping already archived", "binlog", b.Name)
+			continue
+		}
+
+		// Skip the most recently modified (likely active)
+		if b.Name == latestBinlog {
+			log.Info("Skipping active binlog", "binlog", b.Name)
+			continue
+		}
+
+		log.Info("Archiving binlog", "binlog", b.Name, "size", formatWALSize(b.Size))
+		archiveInfo, err := bm.ArchiveBinlog(ctx, b)
+		if err != nil {
+			log.Error("Failed to archive binlog", "binlog", b.Name, "error", err)
+			continue
+		}
+		newArchives = append(newArchives, *archiveInfo)
+	}
+
+	// Update metadata
+	if len(newArchives) > 0 {
+		allArchived, _ := bm.ListArchivedBinlogs(ctx)
+		bm.SaveArchiveMetadata(allArchived)
+	}
+
+	log.Info("[OK] Binlog archiving completed", "archived", len(newArchives))
+	return nil
+}
+
+func runBinlogWatch(cmd *cobra.Command, args []string) error {
+	ctx := context.Background()
+
+	if !cfg.IsMySQL() {
+		return fmt.Errorf("binlog commands are only supported for MySQL/MariaDB")
+	}
+
+	interval, err := time.ParseDuration(mysqlArchiveInterval)
+	if err != nil {
+		return fmt.Errorf("invalid interval: %w", err)
+	}
+
+	bmConfig := pitr.BinlogManagerConfig{
+		BinlogDir:   mysqlBinlogDir,
+		ArchiveDir:  mysqlArchiveDir,
+		Compression: walCompress,
+	}
+
+	bm, err := pitr.NewBinlogManager(bmConfig)
+	if err != nil {
+		return fmt.Errorf("initializing binlog manager: %w", err)
+	}
+
+	log.Info("Starting binlog watcher",
+		"binlog_dir", mysqlBinlogDir,
+		"archive_dir", mysqlArchiveDir,
+		"interval", interval)
+
+	// Watch for new binlogs
+	err = bm.WatchBinlogs(ctx, interval, func(b *pitr.BinlogFile) {
+		log.Info("New binlog detected, archiving", "binlog", b.Name)
+		archiveInfo, err := bm.ArchiveBinlog(ctx, b)
+		if err != nil {
+			log.Error("Failed to archive binlog", "binlog", b.Name, "error", err)
+			return
+		}
+		log.Info("Binlog archived successfully",
+			"binlog", b.Name,
+			"archive", archiveInfo.ArchivePath,
+			"size", formatWALSize(archiveInfo.Size))
+
+		// Update metadata
+		allArchived, _ := bm.ListArchivedBinlogs(ctx)
+		bm.SaveArchiveMetadata(allArchived)
+	})
+
+	if err != nil && err != context.Canceled {
+		return err
+	}
+
+	return nil
+}
+
+func runBinlogValidate(cmd *cobra.Command, args []string) error {
+	ctx := context.Background()
+
+	if !cfg.IsMySQL() {
+		return fmt.Errorf("binlog commands are only supported for MySQL/MariaDB")
+	}
+
+	binlogDir := mysqlBinlogDir
+	if binlogDir == "" {
+		binlogDir = mysqlArchiveDir
+	}
+
+	if binlogDir == "" {
+		return fmt.Errorf("please specify --binlog-dir or --archive-dir")
+	}
+
+	bmConfig := pitr.BinlogManagerConfig{
+		BinlogDir:  binlogDir,
+		ArchiveDir: mysqlArchiveDir,
+	}
+
+	bm, err := pitr.NewBinlogManager(bmConfig)
+	if err != nil {
+		return fmt.Errorf("initializing binlog manager: %w", err)
+	}
+
+	// Discover binlogs
+	binlogs, err := bm.DiscoverBinlogs(ctx)
+	if err != nil {
+		return fmt.Errorf("discovering binlogs: %w", err)
+	}
+
+	if len(binlogs) == 0 {
+		fmt.Println("No binlog files found to validate")
+		return nil
+	}
+
+	// Validate chain
+	validation, err := bm.ValidateBinlogChain(ctx, binlogs)
+	if err != nil {
+		return fmt.Errorf("validating binlog chain: %w", err)
+	}
+
+	fmt.Println("=============================================================")
+	fmt.Println("  Binlog Chain Validation")
+	fmt.Println("=============================================================")
+	fmt.Println()
+
+	if validation.Valid {
+		fmt.Println("Status:     [OK] VALID - Binlog chain is complete")
+	} else {
+		fmt.Println("Status:     [FAIL] INVALID - Binlog chain has gaps")
+	}
+
+	fmt.Printf("Files:      %d binlog files\n", validation.LogCount)
+	fmt.Printf("Total Size: %s\n", formatWALSize(validation.TotalSize))
+
+	if validation.StartPos != nil {
+		fmt.Printf("Start:      %s\n", validation.StartPos.String())
+	}
+	if validation.EndPos != nil {
+		fmt.Printf("End:        %s\n", validation.EndPos.String())
+	}
+
+	if len(validation.Gaps) > 0 {
+		fmt.Println()
+		fmt.Println("Gaps Found:")
+		for _, gap := range validation.Gaps {
+			fmt.Printf("  • After %s, before %s: %s\n", gap.After, gap.Before, gap.Reason)
+		}
+	}
+
+	if len(validation.Warnings) > 0 {
+		fmt.Println()
+		fmt.Println("Warnings:")
+		for _, w := range validation.Warnings {
+			fmt.Printf("  ⚠ %s\n", w)
+		}
+	}
+
+	if len(validation.Errors) > 0 {
+		fmt.Println()
+		fmt.Println("Errors:")
+		for _, e := range validation.Errors {
+			fmt.Printf("  [FAIL] %s\n", e)
+		}
+	}
+
+	if !validation.Valid {
+		os.Exit(1)
+	}
+
+	return nil
+}
+
+func runBinlogPosition(cmd *cobra.Command, args []string) error {
+	ctx := context.Background()
+
+	if !cfg.IsMySQL() {
+		return fmt.Errorf("binlog commands are only supported for MySQL/MariaDB")
+	}
+
+	// Connect to MySQL
+	dsn := fmt.Sprintf("%s:%s@tcp(%s:%d)/",
+		cfg.User, cfg.Password, cfg.Host, cfg.Port)
+
+	db, err := sql.Open("mysql", dsn)
+	if err != nil {
+		return fmt.Errorf("connecting to MySQL: %w", err)
+	}
+	defer db.Close()
+
+	if err := db.PingContext(ctx); err != nil {
+		return fmt.Errorf("pinging MySQL: %w", err)
+	}
+
+	// Get binlog position using raw query
+	rows, err := db.QueryContext(ctx, "SHOW MASTER STATUS")
+	if err != nil {
+		return fmt.Errorf("getting master status: %w", err)
+	}
+	defer rows.Close()
+
+	fmt.Println("=============================================================")
+	fmt.Println("  Current Binary Log Position")
+	fmt.Println("=============================================================")
+	fmt.Println()
+
+	if rows.Next() {
+		var file string
+		var position uint64
+		var binlogDoDB, binlogIgnoreDB, executedGtidSet sql.NullString
+
+		cols, _ := rows.Columns()
+		switch len(cols) {
+		case 5:
+			err = rows.Scan(&file, &position, &binlogDoDB, &binlogIgnoreDB, &executedGtidSet)
+		case 4:
+			err = rows.Scan(&file, &position, &binlogDoDB, &binlogIgnoreDB)
+		default:
+			err = rows.Scan(&file, &position)
+		}
+
+		if err != nil {
+			return fmt.Errorf("scanning master status: %w", err)
+		}
+
+		fmt.Printf("File:     %s\n", file)
+		fmt.Printf("Position: %d\n", position)
+		if executedGtidSet.Valid && executedGtidSet.String != "" {
+			fmt.Printf("GTID Set: %s\n", executedGtidSet.String)
+		}
+
+		// Compact format for use in restore commands
+		fmt.Println()
+		fmt.Printf("Position String: %s:%d\n", file, position)
+	} else {
+		fmt.Println("Binary logging appears to be disabled.")
+		fmt.Println("Enable binary logging by adding to my.cnf:")
+		fmt.Println("  [mysqld]")
+		fmt.Println("  log_bin = mysql-bin")
+		fmt.Println("  server_id = 1")
+	}
+
+	return nil
+}
+
+func runMySQLPITRStatus(cmd *cobra.Command, args []string) error {
+	ctx := context.Background()
+
+	if !cfg.IsMySQL() {
+		return fmt.Errorf("this command is only for MySQL/MariaDB (use 'pitr status' for PostgreSQL)")
+	}
+
+	// Connect to MySQL
+	dsn := fmt.Sprintf("%s:%s@tcp(%s:%d)/",
+		cfg.User, cfg.Password, cfg.Host, cfg.Port)
+
+	db, err := sql.Open("mysql", dsn)
+	if err != nil {
+		return fmt.Errorf("connecting to MySQL: %w", err)
+	}
+	defer db.Close()
+
+	if err := db.PingContext(ctx); err != nil {
+		return fmt.Errorf("pinging MySQL: %w", err)
+	}
+
+	pitrConfig := pitr.MySQLPITRConfig{
+		Host:       cfg.Host,
+		Port:       cfg.Port,
+		User:       cfg.User,
+		Password:   cfg.Password,
+		BinlogDir:  mysqlBinlogDir,
+		ArchiveDir: mysqlArchiveDir,
+	}
+
+	mysqlPitr, err := pitr.NewMySQLPITR(db, pitrConfig)
+	if err != nil {
+		return fmt.Errorf("initializing MySQL PITR: %w", err)
+	}
+
+	status, err := mysqlPitr.Status(ctx)
+	if err != nil {
+		return fmt.Errorf("getting PITR status: %w", err)
+	}
+
+	fmt.Println("=============================================================")
+	fmt.Printf("  MySQL/MariaDB PITR Status (%s)\n", status.DatabaseType)
+	fmt.Println("=============================================================")
+	fmt.Println()
+
+	if status.Enabled {
+		fmt.Println("PITR Status:     [OK] ENABLED")
+	} else {
+		fmt.Println("PITR Status:     [FAIL] NOT CONFIGURED")
+	}
+
+	// Get binary logging status
+	var logBin string
+	db.QueryRowContext(ctx, "SELECT @@log_bin").Scan(&logBin)
+	if logBin == "1" || logBin == "ON" {
+		fmt.Println("Binary Logging:  [OK] ENABLED")
+	} else {
+		fmt.Println("Binary Logging:  [FAIL] DISABLED")
+	}
+
+	fmt.Printf("Binlog Format:   %s\n", status.LogLevel)
+
+	// Check GTID mode
+	var gtidMode string
+	if status.DatabaseType == pitr.DatabaseMariaDB {
+		db.QueryRowContext(ctx, "SELECT @@gtid_current_pos").Scan(&gtidMode)
+		if gtidMode != "" {
+			fmt.Println("GTID Mode:       [OK] ENABLED")
+		} else {
+			fmt.Println("GTID Mode:       [FAIL] DISABLED")
+		}
+	} else {
+		db.QueryRowContext(ctx, "SELECT @@gtid_mode").Scan(&gtidMode)
+		if gtidMode == "ON" {
+			fmt.Println("GTID Mode:       [OK] ENABLED")
+		} else {
+			fmt.Printf("GTID Mode:       %s\n", gtidMode)
+		}
+	}
+
+	if status.Position != nil {
+		fmt.Printf("Current Position: %s\n", status.Position.String())
+	}
+
+	if status.ArchiveDir != "" {
+		fmt.Println()
+		fmt.Println("Archive Statistics:")
+		fmt.Printf("  Directory:    %s\n", status.ArchiveDir)
+		fmt.Printf("  File Count:   %d\n", status.ArchiveCount)
+		fmt.Printf("  Total Size:   %s\n", formatWALSize(status.ArchiveSize))
+		if !status.LastArchived.IsZero() {
+			fmt.Printf("  Last Archive: %s\n", status.LastArchived.Format("2006-01-02 15:04:05"))
+		}
+	}
+
+	// Show requirements
+	fmt.Println()
+	fmt.Println("PITR Requirements:")
+	if logBin == "1" || logBin == "ON" {
+		fmt.Println("  [OK] Binary logging enabled")
+	} else {
+		fmt.Println("  [FAIL] Binary logging must be enabled (log_bin = mysql-bin)")
+	}
+	if status.LogLevel == "ROW" {
+		fmt.Println("  [OK] Row-based logging (recommended)")
+	} else {
+		fmt.Printf("  ⚠  binlog_format = %s (ROW recommended for PITR)\n", status.LogLevel)
+	}
+
+	return nil
+}
+
+func runMySQLPITREnable(cmd *cobra.Command, args []string) error {
+	ctx := context.Background()
+
+	if !cfg.IsMySQL() {
+		return fmt.Errorf("this command is only for MySQL/MariaDB (use 'pitr enable' for PostgreSQL)")
+	}
+
+	// Connect to MySQL
+	dsn := fmt.Sprintf("%s:%s@tcp(%s:%d)/",
+		cfg.User, cfg.Password, cfg.Host, cfg.Port)
+
+	db, err := sql.Open("mysql", dsn)
+	if err != nil {
+		return fmt.Errorf("connecting to MySQL: %w", err)
+	}
+	defer db.Close()
+
+	if err := db.PingContext(ctx); err != nil {
+		return fmt.Errorf("pinging MySQL: %w", err)
+	}
+
+	pitrConfig := pitr.MySQLPITRConfig{
+		Host:             cfg.Host,
+		Port:             cfg.Port,
+		User:             cfg.User,
+		Password:         cfg.Password,
+		BinlogDir:        mysqlBinlogDir,
+		ArchiveDir:       mysqlArchiveDir,
+		RequireRowFormat: mysqlRequireRowFormat,
+		RequireGTID:      mysqlRequireGTID,
+	}
+
+	mysqlPitr, err := pitr.NewMySQLPITR(db, pitrConfig)
+	if err != nil {
+		return fmt.Errorf("initializing MySQL PITR: %w", err)
+	}
+
+	enableConfig := pitr.PITREnableConfig{
+		ArchiveDir:    mysqlArchiveDir,
+		RetentionDays: walRetentionDays,
+		Compression:   walCompress,
+	}
+
+	log.Info("Enabling MySQL PITR", "archive_dir", mysqlArchiveDir)
+
+	if err := mysqlPitr.Enable(ctx, enableConfig); err != nil {
+		return fmt.Errorf("enabling PITR: %w", err)
+	}
+
+	log.Info("[OK] MySQL PITR enabled successfully!")
+	log.Info("")
+	log.Info("Next steps:")
+	log.Info("1. Start binlog archiving: dbbackup binlog watch --archive-dir " + mysqlArchiveDir)
+	log.Info("2. Create a base backup: dbbackup backup single <database>")
+	log.Info("3. Binlogs will be archived to: " + mysqlArchiveDir)
+	log.Info("")
+	log.Info("To restore to a point in time, use:")
+	log.Info("  dbbackup restore pitr <backup> --target-time '2024-01-15 14:30:00'")
+
+	return nil
+}
+
+// getMySQLBinlogDir attempts to determine the binlog directory from MySQL
+func getMySQLBinlogDir(ctx context.Context, db *sql.DB) (string, error) {
+	var logBinBasename string
+	err := db.QueryRowContext(ctx, "SELECT @@log_bin_basename").Scan(&logBinBasename)
+	if err != nil {
+		return "", err
+	}
+
+	return filepath.Dir(logBinBasename), nil
+}
--- a/cmd/placeholder.go
+++ b/cmd/placeholder.go
@@ -14,6 +14,7 @@ import (
 	"dbbackup/internal/auth"
 	"dbbackup/internal/logger"
 	"dbbackup/internal/tui"
+
 	"github.com/spf13/cobra"
 )

@@ -140,7 +141,7 @@ func runList(ctx context.Context) error {
 				continue
 			}

-			fmt.Printf("📦 %s\n", file.Name)
+			fmt.Printf("[FILE] %s\n", file.Name)
 			fmt.Printf("   Size: %s\n", formatFileSize(stat.Size()))
 			fmt.Printf("   Modified: %s\n", stat.ModTime().Format("2006-01-02 15:04:05"))
 			fmt.Printf("   Type: %s\n", getBackupType(file.Name))
@@ -236,56 +237,56 @@ func runPreflight(ctx context.Context) error {
 	totalChecks := 6

 	// 1. Database connectivity check
-	fmt.Print("🔗 Database connectivity... ")
+	fmt.Print("[1] Database connectivity... ")
 	if err := testDatabaseConnection(); err != nil {
-		fmt.Printf("❌ FAILED: %v\n", err)
+		fmt.Printf("[FAIL] FAILED: %v\n", err)
 	} else {
-		fmt.Println("✅ PASSED")
+		fmt.Println("[OK] PASSED")
 		checksPassed++
 	}

 	// 2. Required tools check
-	fmt.Print("🛠️  Required tools (pg_dump/pg_restore)... ")
+	fmt.Print("[2] Required tools (pg_dump/pg_restore)... ")
 	if err := checkRequiredTools(); err != nil {
-		fmt.Printf("❌ FAILED: %v\n", err)
+		fmt.Printf("[FAIL] FAILED: %v\n", err)
 	} else {
-		fmt.Println("✅ PASSED")
+		fmt.Println("[OK] PASSED")
 		checksPassed++
 	}

 	// 3. Backup directory check
-	fmt.Print("📁 Backup directory access... ")
+	fmt.Print("[3] Backup directory access... ")
 	if err := checkBackupDirectory(); err != nil {
-		fmt.Printf("❌ FAILED: %v\n", err)
+		fmt.Printf("[FAIL] FAILED: %v\n", err)
 	} else {
-		fmt.Println("✅ PASSED")
+		fmt.Println("[OK] PASSED")
 		checksPassed++
 	}

 	// 4. Disk space check
-	fmt.Print("💾 Available disk space... ")
+	fmt.Print("[4] Available disk space... ")
 	if err := checkDiskSpace(); err != nil {
-		fmt.Printf("❌ FAILED: %v\n", err)
+		fmt.Printf("[FAIL] FAILED: %v\n", err)
 	} else {
-		fmt.Println("✅ PASSED")
+		fmt.Println("[OK] PASSED")
 		checksPassed++
 	}

 	// 5. Permissions check
-	fmt.Print("🔐 File permissions... ")
+	fmt.Print("[5] File permissions... ")
 	if err := checkPermissions(); err != nil {
-		fmt.Printf("❌ FAILED: %v\n", err)
+		fmt.Printf("[FAIL] FAILED: %v\n", err)
 	} else {
-		fmt.Println("✅ PASSED")
+		fmt.Println("[OK] PASSED")
 		checksPassed++
 	}

 	// 6. CPU/Memory resources check
-	fmt.Print("🖥️  System resources... ")
+	fmt.Print("[6] System resources... ")
 	if err := checkSystemResources(); err != nil {
-		fmt.Printf("❌ FAILED: %v\n", err)
+		fmt.Printf("[FAIL] FAILED: %v\n", err)
 	} else {
-		fmt.Println("✅ PASSED")
+		fmt.Println("[OK] PASSED")
 		checksPassed++
 	}

@@ -293,10 +294,10 @@ func runPreflight(ctx context.Context) error {
 	fmt.Printf("Results: %d/%d checks passed\n", checksPassed, totalChecks)

 	if checksPassed == totalChecks {
-		fmt.Println("🎉 All preflight checks passed! System is ready for backup operations.")
+		fmt.Println("[SUCCESS] All preflight checks passed! System is ready for backup operations.")
 		return nil
 	} else {
-		fmt.Printf("⚠️  %d check(s) failed. Please address the issues before running backups.\n", totalChecks-checksPassed)
+		fmt.Printf("[WARN] %d check(s) failed. Please address the issues before running backups.\n", totalChecks-checksPassed)
 		return fmt.Errorf("preflight checks failed: %d/%d passed", checksPassed, totalChecks)
 	}
 }
@@ -413,44 +414,44 @@ func runRestore(ctx context.Context, archiveName string) error {
 	fmt.Println()

 	// Show warning
-	fmt.Println("⚠️  WARNING: This will restore data to the target database.")
+	fmt.Println("[WARN] WARNING: This will restore data to the target database.")
 	fmt.Println("   Existing data may be overwritten or merged depending on the restore method.")
 	fmt.Println()

 	// For safety, show what would be done without actually doing it
 	switch archiveType {
 	case "Single Database (.dump)":
-		fmt.Println("🔄 Would execute: pg_restore to restore single database")
+		fmt.Println("[EXEC] Would execute: pg_restore to restore single database")
 		fmt.Printf("   Command: pg_restore -h %s -p %d -U %s -d %s --verbose %s\n",
 			cfg.Host, cfg.Port, cfg.User, cfg.Database, archivePath)
 	case "Single Database (.dump.gz)":
-		fmt.Println("🔄 Would execute: gunzip and pg_restore to restore single database")
+		fmt.Println("[EXEC] Would execute: gunzip and pg_restore to restore single database")
 		fmt.Printf("   Command: gunzip -c %s | pg_restore -h %s -p %d -U %s -d %s --verbose\n",
 			archivePath, cfg.Host, cfg.Port, cfg.User, cfg.Database)
 	case "SQL Script (.sql)":
 		if cfg.IsPostgreSQL() {
-			fmt.Println("🔄 Would execute: psql to run SQL script")
+			fmt.Println("[EXEC] Would execute: psql to run SQL script")
 			fmt.Printf("   Command: psql -h %s -p %d -U %s -d %s -f %s\n",
 				cfg.Host, cfg.Port, cfg.User, cfg.Database, archivePath)
 		} else if cfg.IsMySQL() {
-			fmt.Println("🔄 Would execute: mysql to run SQL script")
+			fmt.Println("[EXEC] Would execute: mysql to run SQL script")
 			fmt.Printf("   Command: %s\n", mysqlRestoreCommand(archivePath, false))
 		} else {
-			fmt.Println("🔄 Would execute: SQL client to run script (database type unknown)")
+			fmt.Println("[EXEC] Would execute: SQL client to run script (database type unknown)")
 		}
 	case "SQL Script (.sql.gz)":
 		if cfg.IsPostgreSQL() {
-			fmt.Println("🔄 Would execute: gunzip and psql to run SQL script")
+			fmt.Println("[EXEC] Would execute: gunzip and psql to run SQL script")
 			fmt.Printf("   Command: gunzip -c %s | psql -h %s -p %d -U %s -d %s\n",
 				archivePath, cfg.Host, cfg.Port, cfg.User, cfg.Database)
 		} else if cfg.IsMySQL() {
-			fmt.Println("🔄 Would execute: gunzip and mysql to run SQL script")
+			fmt.Println("[EXEC] Would execute: gunzip and mysql to run SQL script")
 			fmt.Printf("   Command: %s\n", mysqlRestoreCommand(archivePath, true))
 		} else {
-			fmt.Println("🔄 Would execute: gunzip and SQL client to run script (database type unknown)")
+			fmt.Println("[EXEC] Would execute: gunzip and SQL client to run script (database type unknown)")
 		}
 	case "Cluster Backup (.tar.gz)":
-		fmt.Println("🔄 Would execute: Extract and restore cluster backup")
+		fmt.Println("[EXEC] Would execute: Extract and restore cluster backup")
 		fmt.Println("   Steps:")
 		fmt.Println("   1. Extract tar.gz archive")
 		fmt.Println("   2. Restore global objects (roles, tablespaces)")
@@ -460,7 +461,7 @@ func runRestore(ctx context.Context, archiveName string) error {
 	}

 	fmt.Println()
-	fmt.Println("🛡️  SAFETY MODE: Restore command is in preview mode.")
+	fmt.Println("[SAFETY] SAFETY MODE: Restore command is in preview mode.")
 	fmt.Println("   This shows what would be executed without making changes.")
 	fmt.Println("   To enable actual restore, add --confirm flag (not yet implemented).")

@@ -519,25 +520,25 @@ func runVerify(ctx context.Context, archiveName string) error {
 	checksPassed := 0

 	// Basic file existence and readability
-	fmt.Print("📁 File accessibility... ")
+	fmt.Print("[CHK] File accessibility... ")
 	if file, err := os.Open(archivePath); err != nil {
-		fmt.Printf("❌ FAILED: %v\n", err)
+		fmt.Printf("[FAIL] FAILED: %v\n", err)
 	} else {
 		file.Close()
-		fmt.Println("✅ PASSED")
+		fmt.Println("[OK] PASSED")
 		checksPassed++
 	}
 	checksRun++

 	// File size sanity check
-	fmt.Print("📏 File size check... ")
+	fmt.Print("[CHK] File size check... ")
 	if stat.Size() == 0 {
-		fmt.Println("❌ FAILED: File is empty")
+		fmt.Println("[FAIL] FAILED: File is empty")
 	} else if stat.Size() < 100 {
-		fmt.Println("⚠️  WARNING: File is very small (< 100 bytes)")
+		fmt.Println("[WARN] WARNING: File is very small (< 100 bytes)")
 		checksPassed++
 	} else {
-		fmt.Println("✅ PASSED")
+		fmt.Println("[OK] PASSED")
 		checksPassed++
 	}
 	checksRun++
@@ -545,51 +546,51 @@ func runVerify(ctx context.Context, archiveName string) error {
 	// Type-specific verification
 	switch archiveType {
 	case "Single Database (.dump)":
-		fmt.Print("🔍 PostgreSQL dump format check... ")
+		fmt.Print("[CHK] PostgreSQL dump format check... ")
 		if err := verifyPgDump(archivePath); err != nil {
-			fmt.Printf("❌ FAILED: %v\n", err)
+			fmt.Printf("[FAIL] FAILED: %v\n", err)
 		} else {
-			fmt.Println("✅ PASSED")
+			fmt.Println("[OK] PASSED")
 			checksPassed++
 		}
 		checksRun++

 	case "Single Database (.dump.gz)":
-		fmt.Print("🔍 PostgreSQL dump format check (gzip)... ")
+		fmt.Print("[CHK] PostgreSQL dump format check (gzip)... ")
 		if err := verifyPgDumpGzip(archivePath); err != nil {
-			fmt.Printf("❌ FAILED: %v\n", err)
+			fmt.Printf("[FAIL] FAILED: %v\n", err)
 		} else {
-			fmt.Println("✅ PASSED")
+			fmt.Println("[OK] PASSED")
 			checksPassed++
 		}
 		checksRun++

 	case "SQL Script (.sql)":
-		fmt.Print("📜 SQL script validation... ")
+		fmt.Print("[CHK] SQL script validation... ")
 		if err := verifySqlScript(archivePath); err != nil {
-			fmt.Printf("❌ FAILED: %v\n", err)
+			fmt.Printf("[FAIL] FAILED: %v\n", err)
 		} else {
-			fmt.Println("✅ PASSED")
+			fmt.Println("[OK] PASSED")
 			checksPassed++
 		}
 		checksRun++

 	case "SQL Script (.sql.gz)":
-		fmt.Print("📜 SQL script validation (gzip)... ")
+		fmt.Print("[CHK] SQL script validation (gzip)... ")
 		if err := verifyGzipSqlScript(archivePath); err != nil {
-			fmt.Printf("❌ FAILED: %v\n", err)
+			fmt.Printf("[FAIL] FAILED: %v\n", err)
 		} else {
-			fmt.Println("✅ PASSED")
+			fmt.Println("[OK] PASSED")
 			checksPassed++
 		}
 		checksRun++

 	case "Cluster Backup (.tar.gz)":
-		fmt.Print("📦 Archive extraction test... ")
+		fmt.Print("[CHK] Archive extraction test... ")
 		if err := verifyTarGz(archivePath); err != nil {
-			fmt.Printf("❌ FAILED: %v\n", err)
+			fmt.Printf("[FAIL] FAILED: %v\n", err)
 		} else {
-			fmt.Println("✅ PASSED")
+			fmt.Println("[OK] PASSED")
 			checksPassed++
 		}
 		checksRun++
@@ -597,11 +598,11 @@ func runVerify(ctx context.Context, archiveName string) error {

 	// Check for metadata file
 	metadataPath := archivePath + ".info"
-	fmt.Print("📋 Metadata file check... ")
+	fmt.Print("[CHK] Metadata file check... ")
 	if _, err := os.Stat(metadataPath); os.IsNotExist(err) {
-		fmt.Println("⚠️  WARNING: No metadata file found")
+		fmt.Println("[WARN] WARNING: No metadata file found")
 	} else {
-		fmt.Println("✅ PASSED")
+		fmt.Println("[OK] PASSED")
 		checksPassed++
 	}
 	checksRun++
@@ -610,13 +611,13 @@ func runVerify(ctx context.Context, archiveName string) error {
 	fmt.Printf("Verification Results: %d/%d checks passed\n", checksPassed, checksRun)

 	if checksPassed == checksRun {
-		fmt.Println("🎉 Archive verification completed successfully!")
+		fmt.Println("[SUCCESS] Archive verification completed successfully!")
 		return nil
 	} else if float64(checksPassed)/float64(checksRun) >= 0.8 {
-		fmt.Println("⚠️  Archive verification completed with warnings.")
+		fmt.Println("[WARN] Archive verification completed with warnings.")
 		return nil
 	} else {
-		fmt.Println("❌ Archive verification failed. Archive may be corrupted.")
+		fmt.Println("[FAIL] Archive verification failed. Archive may be corrupted.")
 		return fmt.Errorf("verification failed: %d/%d checks passed", checksPassed, checksRun)
 	}
 }
--- a/cmd/report.go
+++ b/cmd/report.go
@@ -0,0 +1,316 @@
+package cmd
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+	"time"
+
+	"dbbackup/internal/catalog"
+	"dbbackup/internal/report"
+
+	"github.com/spf13/cobra"
+)
+
+var reportCmd = &cobra.Command{
+	Use:   "report",
+	Short: "Generate compliance reports",
+	Long: `Generate compliance reports for various regulatory frameworks.
+
+Supported frameworks:
+  - soc2      SOC 2 Type II Trust Service Criteria
+  - gdpr      General Data Protection Regulation
+  - hipaa     Health Insurance Portability and Accountability Act
+  - pci-dss   Payment Card Industry Data Security Standard
+  - iso27001  ISO 27001 Information Security Management
+
+Examples:
+  # Generate SOC2 report for the last 90 days
+  dbbackup report generate --type soc2 --days 90
+
+  # Generate HIPAA report as HTML
+  dbbackup report generate --type hipaa --format html --output report.html
+
+  # Show report summary for current period
+  dbbackup report summary --type soc2`,
+}
+
+var reportGenerateCmd = &cobra.Command{
+	Use:   "generate",
+	Short: "Generate a compliance report",
+	Long:  "Generate a compliance report for a specified framework and time period",
+	RunE:  runReportGenerate,
+}
+
+var reportSummaryCmd = &cobra.Command{
+	Use:   "summary",
+	Short: "Show compliance summary",
+	Long:  "Display a quick compliance summary for the specified framework",
+	RunE:  runReportSummary,
+}
+
+var reportListCmd = &cobra.Command{
+	Use:   "list",
+	Short: "List available frameworks",
+	Long:  "Display all available compliance frameworks",
+	RunE:  runReportList,
+}
+
+var reportControlsCmd = &cobra.Command{
+	Use:   "controls [framework]",
+	Short: "List controls for a framework",
+	Long:  "Display all controls for a specific compliance framework",
+	Args:  cobra.ExactArgs(1),
+	RunE:  runReportControls,
+}
+
+var (
+	reportType      string
+	reportDays      int
+	reportStartDate string
+	reportEndDate   string
+	reportFormat    string
+	reportOutput    string
+	reportCatalog   string
+	reportTitle     string
+	includeEvidence bool
+)
+
+func init() {
+	rootCmd.AddCommand(reportCmd)
+	reportCmd.AddCommand(reportGenerateCmd)
+	reportCmd.AddCommand(reportSummaryCmd)
+	reportCmd.AddCommand(reportListCmd)
+	reportCmd.AddCommand(reportControlsCmd)
+
+	// Generate command flags
+	reportGenerateCmd.Flags().StringVarP(&reportType, "type", "t", "soc2", "Report type (soc2, gdpr, hipaa, pci-dss, iso27001)")
+	reportGenerateCmd.Flags().IntVarP(&reportDays, "days", "d", 90, "Number of days to include in report")
+	reportGenerateCmd.Flags().StringVar(&reportStartDate, "start", "", "Start date (YYYY-MM-DD)")
+	reportGenerateCmd.Flags().StringVar(&reportEndDate, "end", "", "End date (YYYY-MM-DD)")
+	reportGenerateCmd.Flags().StringVarP(&reportFormat, "format", "f", "markdown", "Output format (json, markdown, html)")
+	reportGenerateCmd.Flags().StringVarP(&reportOutput, "output", "o", "", "Output file path")
+	reportGenerateCmd.Flags().StringVar(&reportCatalog, "catalog", "", "Path to backup catalog database")
+	reportGenerateCmd.Flags().StringVar(&reportTitle, "title", "", "Custom report title")
+	reportGenerateCmd.Flags().BoolVar(&includeEvidence, "evidence", true, "Include evidence in report")
+
+	// Summary command flags
+	reportSummaryCmd.Flags().StringVarP(&reportType, "type", "t", "soc2", "Report type")
+	reportSummaryCmd.Flags().IntVarP(&reportDays, "days", "d", 90, "Number of days to include")
+	reportSummaryCmd.Flags().StringVar(&reportCatalog, "catalog", "", "Path to backup catalog database")
+}
+
+func runReportGenerate(cmd *cobra.Command, args []string) error {
+	// Determine time period
+	var startDate, endDate time.Time
+	endDate = time.Now()
+
+	if reportStartDate != "" {
+		parsed, err := time.Parse("2006-01-02", reportStartDate)
+		if err != nil {
+			return fmt.Errorf("invalid start date: %w", err)
+		}
+		startDate = parsed
+	} else {
+		startDate = endDate.AddDate(0, 0, -reportDays)
+	}
+
+	if reportEndDate != "" {
+		parsed, err := time.Parse("2006-01-02", reportEndDate)
+		if err != nil {
+			return fmt.Errorf("invalid end date: %w", err)
+		}
+		endDate = parsed
+	}
+
+	// Determine report type
+	rptType := parseReportType(reportType)
+	if rptType == "" {
+		return fmt.Errorf("unknown report type: %s", reportType)
+	}
+
+	// Get catalog path
+	catalogPath := reportCatalog
+	if catalogPath == "" {
+		homeDir, _ := os.UserHomeDir()
+		catalogPath = filepath.Join(homeDir, ".dbbackup", "catalog.db")
+	}
+
+	// Open catalog
+	cat, err := catalog.NewSQLiteCatalog(catalogPath)
+	if err != nil {
+		return fmt.Errorf("failed to open catalog: %w", err)
+	}
+	defer cat.Close()
+
+	// Configure generator
+	config := report.ReportConfig{
+		Type:            rptType,
+		PeriodStart:     startDate,
+		PeriodEnd:       endDate,
+		CatalogPath:     catalogPath,
+		OutputFormat:    parseOutputFormat(reportFormat),
+		OutputPath:      reportOutput,
+		IncludeEvidence: includeEvidence,
+	}
+
+	if reportTitle != "" {
+		config.Title = reportTitle
+	}
+
+	// Generate report
+	gen := report.NewGenerator(cat, config)
+	rpt, err := gen.Generate()
+	if err != nil {
+		return fmt.Errorf("failed to generate report: %w", err)
+	}
+
+	// Get formatter
+	formatter := report.GetFormatter(config.OutputFormat)
+
+	// Write output
+	var output *os.File
+	if reportOutput != "" {
+		output, err = os.Create(reportOutput)
+		if err != nil {
+			return fmt.Errorf("failed to create output file: %w", err)
+		}
+		defer output.Close()
+	} else {
+		output = os.Stdout
+	}
+
+	if err := formatter.Format(rpt, output); err != nil {
+		return fmt.Errorf("failed to format report: %w", err)
+	}
+
+	if reportOutput != "" {
+		fmt.Printf("Report generated: %s\n", reportOutput)
+		fmt.Printf("  Type:       %s\n", rpt.Type)
+		fmt.Printf("  Status:     %s %s\n", report.StatusIcon(rpt.Status), rpt.Status)
+		fmt.Printf("  Score:      %.1f%%\n", rpt.Score)
+		fmt.Printf("  Findings:   %d open\n", rpt.Summary.OpenFindings)
+	}
+
+	return nil
+}
+
+func runReportSummary(cmd *cobra.Command, args []string) error {
+	endDate := time.Now()
+	startDate := endDate.AddDate(0, 0, -reportDays)
+
+	rptType := parseReportType(reportType)
+	if rptType == "" {
+		return fmt.Errorf("unknown report type: %s", reportType)
+	}
+
+	// Get catalog path
+	catalogPath := reportCatalog
+	if catalogPath == "" {
+		homeDir, _ := os.UserHomeDir()
+		catalogPath = filepath.Join(homeDir, ".dbbackup", "catalog.db")
+	}
+
+	// Open catalog
+	cat, err := catalog.NewSQLiteCatalog(catalogPath)
+	if err != nil {
+		return fmt.Errorf("failed to open catalog: %w", err)
+	}
+	defer cat.Close()
+
+	// Configure and generate
+	config := report.ReportConfig{
+		Type:        rptType,
+		PeriodStart: startDate,
+		PeriodEnd:   endDate,
+		CatalogPath: catalogPath,
+	}
+
+	gen := report.NewGenerator(cat, config)
+	rpt, err := gen.Generate()
+	if err != nil {
+		return fmt.Errorf("failed to generate report: %w", err)
+	}
+
+	// Display console summary
+	formatter := &report.ConsoleFormatter{}
+	return formatter.Format(rpt, os.Stdout)
+}
+
+func runReportList(cmd *cobra.Command, args []string) error {
+	fmt.Println("\nAvailable Compliance Frameworks:")
+	fmt.Println(strings.Repeat("-", 50))
+	fmt.Printf("  %-12s %s\n", "soc2", "SOC 2 Type II Trust Service Criteria")
+	fmt.Printf("  %-12s %s\n", "gdpr", "General Data Protection Regulation (EU)")
+	fmt.Printf("  %-12s %s\n", "hipaa", "Health Insurance Portability and Accountability Act")
+	fmt.Printf("  %-12s %s\n", "pci-dss", "Payment Card Industry Data Security Standard")
+	fmt.Printf("  %-12s %s\n", "iso27001", "ISO 27001 Information Security Management")
+	fmt.Println()
+	fmt.Println("Usage: dbbackup report generate --type <framework>")
+	fmt.Println()
+	return nil
+}
+
+func runReportControls(cmd *cobra.Command, args []string) error {
+	rptType := parseReportType(args[0])
+	if rptType == "" {
+		return fmt.Errorf("unknown report type: %s", args[0])
+	}
+
+	framework := report.GetFramework(rptType)
+	if framework == nil {
+		return fmt.Errorf("no framework defined for: %s", args[0])
+	}
+
+	fmt.Printf("\n%s Controls\n", strings.ToUpper(args[0]))
+	fmt.Println(strings.Repeat("=", 60))
+
+	for _, cat := range framework {
+		fmt.Printf("\n%s\n", cat.Name)
+		fmt.Printf("%s\n", cat.Description)
+		fmt.Println(strings.Repeat("-", 40))
+
+		for _, ctrl := range cat.Controls {
+			fmt.Printf("  [%s] %s\n", ctrl.Reference, ctrl.Name)
+			fmt.Printf("          %s\n", ctrl.Description)
+		}
+	}
+
+	fmt.Println()
+	return nil
+}
+
+func parseReportType(s string) report.ReportType {
+	switch strings.ToLower(s) {
+	case "soc2", "soc-2", "soc2-type2":
+		return report.ReportSOC2
+	case "gdpr":
+		return report.ReportGDPR
+	case "hipaa":
+		return report.ReportHIPAA
+	case "pci-dss", "pcidss", "pci":
+		return report.ReportPCIDSS
+	case "iso27001", "iso-27001", "iso":
+		return report.ReportISO27001
+	case "custom":
+		return report.ReportCustom
+	default:
+		return ""
+	}
+}
+
+func parseOutputFormat(s string) report.OutputFormat {
+	switch strings.ToLower(s) {
+	case "json":
+		return report.FormatJSON
+	case "html":
+		return report.FormatHTML
+	case "md", "markdown":
+		return report.FormatMarkdown
+	case "pdf":
+		return report.FormatPDF
+	default:
+		return report.FormatMarkdown
+	}
+}
--- a/cmd/restore.go
+++ b/cmd/restore.go
@@ -4,14 +4,17 @@ import (
 	"context"
 	"fmt"
 	"os"
+	"os/exec"
 	"os/signal"
 	"path/filepath"
 	"strings"
 	"syscall"
 	"time"

+	"dbbackup/internal/backup"
 	"dbbackup/internal/cloud"
 	"dbbackup/internal/database"
+	"dbbackup/internal/pitr"
 	"dbbackup/internal/restore"
 	"dbbackup/internal/security"

@@ -28,6 +31,28 @@ var (
 	restoreTarget       string
 	restoreVerbose      bool
 	restoreNoProgress   bool
+	restoreWorkdir      string
+	restoreCleanCluster bool
+	restoreDiagnose     bool   // Run diagnosis before restore
+	restoreSaveDebugLog string // Path to save debug log on failure
+
+	// Diagnose flags
+	diagnoseJSON     bool
+	diagnoseDeep     bool
+	diagnoseKeepTemp bool
+
+	// Encryption flags
+	restoreEncryptionKeyFile string
+	restoreEncryptionKeyEnv  string = "DBBACKUP_ENCRYPTION_KEY"
+
+	// PITR restore flags (additional to pitr.go)
+	pitrBaseBackup  string
+	pitrWALArchive  string
+	pitrTargetDir   string
+	pitrInclusive   bool
+	pitrSkipExtract bool
+	pitrAutoStart   bool
+	pitrMonitor     bool
 )

 // restoreCmd represents the restore command
@@ -120,6 +145,12 @@ Examples:

 	# Use parallel decompression
 	dbbackup restore cluster cluster_backup.tar.gz --jobs 4 --confirm
+
+	# Use alternative working directory (for VMs with small system disk)
+	dbbackup restore cluster cluster_backup.tar.gz --workdir /mnt/storage/restore_tmp --confirm
+
+	# Disaster recovery: drop all existing databases first (clean slate)
+	dbbackup restore cluster cluster_backup.tar.gz --clean-cluster --confirm
 `,
 	Args: cobra.ExactArgs(1),
 	RunE: runRestoreCluster,
@@ -141,11 +172,102 @@ Shows information about each archive:
 	RunE: runRestoreList,
 }

+// restorePITRCmd performs Point-in-Time Recovery
+var restorePITRCmd = &cobra.Command{
+	Use:   "pitr",
+	Short: "Point-in-Time Recovery (PITR) restore",
+	Long: `Restore PostgreSQL database to a specific point in time using WAL archives.
+
+PITR allows restoring to any point in time, not just the backup moment.
+Requires a base backup and continuous WAL archives.
+
+Recovery Target Types:
+  --target-time      Restore to specific timestamp
+  --target-xid       Restore to transaction ID
+  --target-lsn       Restore to Log Sequence Number
+  --target-name      Restore to named restore point
+  --target-immediate Restore to earliest consistent point
+
+Examples:
+  # Restore to specific time
+  dbbackup restore pitr \\
+    --base-backup /backups/base.tar.gz \\
+    --wal-archive /backups/wal/ \\
+    --target-time "2024-11-26 12:00:00" \\
+    --target-dir /var/lib/postgresql/14/main
+
+  # Restore to transaction ID
+  dbbackup restore pitr \\
+    --base-backup /backups/base.tar.gz \\
+    --wal-archive /backups/wal/ \\
+    --target-xid 1000000 \\
+    --target-dir /var/lib/postgresql/14/main \\
+    --auto-start
+
+  # Restore to LSN
+  dbbackup restore pitr \\
+    --base-backup /backups/base.tar.gz \\
+    --wal-archive /backups/wal/ \\
+    --target-lsn "0/3000000" \\
+    --target-dir /var/lib/postgresql/14/main
+
+  # Restore to earliest consistent point
+  dbbackup restore pitr \\
+    --base-backup /backups/base.tar.gz \\
+    --wal-archive /backups/wal/ \\
+    --target-immediate \\
+    --target-dir /var/lib/postgresql/14/main
+`,
+	RunE: runRestorePITR,
+}
+
+// restoreDiagnoseCmd diagnoses backup files before restore
+var restoreDiagnoseCmd = &cobra.Command{
+	Use:   "diagnose [archive-file]",
+	Short: "Diagnose backup file integrity and format",
+	Long: `Perform deep analysis of backup files to detect issues before restore.
+
+This command validates backup archives and provides detailed diagnostics
+including truncation detection, format verification, and COPY block integrity.
+
+Use this when:
+  - Restore fails with syntax errors
+  - You suspect backup corruption or truncation
+  - You want to verify backup integrity before restore
+  - Restore reports millions of errors
+
+Checks performed:
+  - File format detection (custom dump vs SQL)
+  - PGDMP signature verification
+  - Gzip integrity validation
+  - COPY block termination check
+  - pg_restore --list verification
+  - Cluster archive structure validation
+
+Examples:
+  # Diagnose a single dump file
+  dbbackup restore diagnose mydb.dump.gz
+
+  # Diagnose with verbose output
+  dbbackup restore diagnose mydb.sql.gz --verbose
+
+  # Diagnose cluster archive and all contained dumps
+  dbbackup restore diagnose cluster_backup.tar.gz --deep
+
+  # Output as JSON for scripting
+  dbbackup restore diagnose mydb.dump --json
+`,
+	Args: cobra.ExactArgs(1),
+	RunE: runRestoreDiagnose,
+}
+
 func init() {
 	rootCmd.AddCommand(restoreCmd)
 	restoreCmd.AddCommand(restoreSingleCmd)
 	restoreCmd.AddCommand(restoreClusterCmd)
 	restoreCmd.AddCommand(restoreListCmd)
+	restoreCmd.AddCommand(restorePITRCmd)
+	restoreCmd.AddCommand(restoreDiagnoseCmd)

 	// Single restore flags
 	restoreSingleCmd.Flags().BoolVar(&restoreConfirm, "confirm", false, "Confirm and execute restore (required)")
@@ -156,14 +278,156 @@ func init() {
 	restoreSingleCmd.Flags().StringVar(&restoreTarget, "target", "", "Target database name (defaults to original)")
 	restoreSingleCmd.Flags().BoolVar(&restoreVerbose, "verbose", false, "Show detailed restore progress")
 	restoreSingleCmd.Flags().BoolVar(&restoreNoProgress, "no-progress", false, "Disable progress indicators")
+	restoreSingleCmd.Flags().StringVar(&restoreEncryptionKeyFile, "encryption-key-file", "", "Path to encryption key file (required for encrypted backups)")
+	restoreSingleCmd.Flags().StringVar(&restoreEncryptionKeyEnv, "encryption-key-env", "DBBACKUP_ENCRYPTION_KEY", "Environment variable containing encryption key")
+	restoreSingleCmd.Flags().BoolVar(&restoreDiagnose, "diagnose", false, "Run deep diagnosis before restore to detect corruption/truncation")
+	restoreSingleCmd.Flags().StringVar(&restoreSaveDebugLog, "save-debug-log", "", "Save detailed error report to file on failure (e.g., /tmp/restore-debug.json)")

 	// Cluster restore flags
 	restoreClusterCmd.Flags().BoolVar(&restoreConfirm, "confirm", false, "Confirm and execute restore (required)")
 	restoreClusterCmd.Flags().BoolVar(&restoreDryRun, "dry-run", false, "Show what would be done without executing")
 	restoreClusterCmd.Flags().BoolVar(&restoreForce, "force", false, "Skip safety checks and confirmations")
+	restoreClusterCmd.Flags().BoolVar(&restoreCleanCluster, "clean-cluster", false, "Drop all existing user databases before restore (disaster recovery)")
 	restoreClusterCmd.Flags().IntVar(&restoreJobs, "jobs", 0, "Number of parallel decompression jobs (0 = auto)")
+	restoreClusterCmd.Flags().StringVar(&restoreWorkdir, "workdir", "", "Working directory for extraction (use when system disk is small, e.g. /mnt/storage/restore_tmp)")
 	restoreClusterCmd.Flags().BoolVar(&restoreVerbose, "verbose", false, "Show detailed restore progress")
 	restoreClusterCmd.Flags().BoolVar(&restoreNoProgress, "no-progress", false, "Disable progress indicators")
+	restoreClusterCmd.Flags().StringVar(&restoreEncryptionKeyFile, "encryption-key-file", "", "Path to encryption key file (required for encrypted backups)")
+	restoreClusterCmd.Flags().StringVar(&restoreEncryptionKeyEnv, "encryption-key-env", "DBBACKUP_ENCRYPTION_KEY", "Environment variable containing encryption key")
+	restoreClusterCmd.Flags().BoolVar(&restoreDiagnose, "diagnose", false, "Run deep diagnosis on all dumps before restore")
+	restoreClusterCmd.Flags().StringVar(&restoreSaveDebugLog, "save-debug-log", "", "Save detailed error report to file on failure (e.g., /tmp/restore-debug.json)")
+
+	// PITR restore flags
+	restorePITRCmd.Flags().StringVar(&pitrBaseBackup, "base-backup", "", "Path to base backup file (.tar.gz) (required)")
+	restorePITRCmd.Flags().StringVar(&pitrWALArchive, "wal-archive", "", "Path to WAL archive directory (required)")
+	restorePITRCmd.Flags().StringVar(&pitrTargetTime, "target-time", "", "Restore to timestamp (YYYY-MM-DD HH:MM:SS)")
+	restorePITRCmd.Flags().StringVar(&pitrTargetXID, "target-xid", "", "Restore to transaction ID")
+	restorePITRCmd.Flags().StringVar(&pitrTargetLSN, "target-lsn", "", "Restore to LSN (e.g., 0/3000000)")
+	restorePITRCmd.Flags().StringVar(&pitrTargetName, "target-name", "", "Restore to named restore point")
+	restorePITRCmd.Flags().BoolVar(&pitrTargetImmediate, "target-immediate", false, "Restore to earliest consistent point")
+	restorePITRCmd.Flags().StringVar(&pitrRecoveryAction, "target-action", "promote", "Action after recovery (promote|pause|shutdown)")
+	restorePITRCmd.Flags().StringVar(&pitrTargetDir, "target-dir", "", "PostgreSQL data directory (required)")
+	restorePITRCmd.Flags().StringVar(&pitrWALSource, "timeline", "latest", "Timeline to follow (latest or timeline ID)")
+	restorePITRCmd.Flags().BoolVar(&pitrInclusive, "inclusive", true, "Include target transaction/time")
+	restorePITRCmd.Flags().BoolVar(&pitrSkipExtract, "skip-extraction", false, "Skip base backup extraction (data dir exists)")
+	restorePITRCmd.Flags().BoolVar(&pitrAutoStart, "auto-start", false, "Automatically start PostgreSQL after setup")
+	restorePITRCmd.Flags().BoolVar(&pitrMonitor, "monitor", false, "Monitor recovery progress (requires --auto-start)")
+
+	restorePITRCmd.MarkFlagRequired("base-backup")
+	restorePITRCmd.MarkFlagRequired("wal-archive")
+	restorePITRCmd.MarkFlagRequired("target-dir")
+
+	// Diagnose flags
+	restoreDiagnoseCmd.Flags().BoolVar(&diagnoseJSON, "json", false, "Output diagnosis as JSON")
+	restoreDiagnoseCmd.Flags().BoolVar(&diagnoseDeep, "deep", false, "For cluster archives, extract and diagnose all contained dumps")
+	restoreDiagnoseCmd.Flags().BoolVar(&diagnoseKeepTemp, "keep-temp", false, "Keep temporary extraction directory (for debugging)")
+	restoreDiagnoseCmd.Flags().BoolVar(&restoreVerbose, "verbose", false, "Show detailed analysis progress")
+}
+
+// runRestoreDiagnose diagnoses backup files
+func runRestoreDiagnose(cmd *cobra.Command, args []string) error {
+	archivePath := args[0]
+
+	// Convert to absolute path
+	if !filepath.IsAbs(archivePath) {
+		absPath, err := filepath.Abs(archivePath)
+		if err != nil {
+			return fmt.Errorf("invalid archive path: %w", err)
+		}
+		archivePath = absPath
+	}
+
+	// Check if file exists
+	if _, err := os.Stat(archivePath); err != nil {
+		return fmt.Errorf("archive not found: %s", archivePath)
+	}
+
+	log.Info("[DIAG] Diagnosing backup file", "path", archivePath)
+
+	diagnoser := restore.NewDiagnoser(log, restoreVerbose)
+
+	// Check if it's a cluster archive that needs deep analysis
+	format := restore.DetectArchiveFormat(archivePath)
+
+	if format.IsClusterBackup() && diagnoseDeep {
+		// Create temp directory for extraction in configured WorkDir
+		workDir := cfg.GetEffectiveWorkDir()
+		tempDir, err := os.MkdirTemp(workDir, "dbbackup-diagnose-*")
+		if err != nil {
+			return fmt.Errorf("failed to create temp directory in %s: %w", workDir, err)
+		}
+
+		if !diagnoseKeepTemp {
+			defer os.RemoveAll(tempDir)
+		} else {
+			log.Info("Temp directory preserved", "path", tempDir)
+		}
+
+		log.Info("Extracting cluster archive for deep analysis...")
+
+		// Extract and diagnose all dumps
+		results, err := diagnoser.DiagnoseClusterDumps(archivePath, tempDir)
+		if err != nil {
+			return fmt.Errorf("cluster diagnosis failed: %w", err)
+		}
+
+		// Output results
+		var hasErrors bool
+		for _, result := range results {
+			if diagnoseJSON {
+				diagnoser.PrintDiagnosisJSON(result)
+			} else {
+				diagnoser.PrintDiagnosis(result)
+			}
+			if !result.IsValid {
+				hasErrors = true
+			}
+		}
+
+		// Summary
+		if !diagnoseJSON {
+			fmt.Println("\n" + strings.Repeat("=", 70))
+			fmt.Printf("[SUMMARY] CLUSTER SUMMARY: %d databases analyzed\n", len(results))
+
+			validCount := 0
+			for _, r := range results {
+				if r.IsValid {
+					validCount++
+				}
+			}
+
+			if validCount == len(results) {
+				fmt.Println("[OK] All dumps are valid")
+			} else {
+				fmt.Printf("[FAIL] %d/%d dumps have issues\n", len(results)-validCount, len(results))
+			}
+			fmt.Println(strings.Repeat("=", 70))
+		}
+
+		if hasErrors {
+			return fmt.Errorf("one or more dumps have validation errors")
+		}
+		return nil
+	}
+
+	// Single file diagnosis
+	result, err := diagnoser.DiagnoseFile(archivePath)
+	if err != nil {
+		return fmt.Errorf("diagnosis failed: %w", err)
+	}
+
+	if diagnoseJSON {
+		diagnoser.PrintDiagnosisJSON(result)
+	} else {
+		diagnoser.PrintDiagnosis(result)
+	}
+
+	if !result.IsValid {
+		return fmt.Errorf("backup file has validation errors")
+	}
+
+	log.Info("[OK] Backup file appears valid")
+	return nil
 }

 // runRestoreSingle restores a single database
@@ -210,10 +474,24 @@ func runRestoreSingle(cmd *cobra.Command, args []string) error {

 		// Check if file exists
 		if _, err := os.Stat(archivePath); err != nil {
-			return fmt.Errorf("archive not found: %s", archivePath)
+			return fmt.Errorf("backup archive not found at %s. Check path or use cloud:// URI for remote backups: %w", archivePath, err)
 		}
 	}

+	// Check if backup is encrypted and decrypt if necessary
+	if backup.IsBackupEncrypted(archivePath) {
+		log.Info("Encrypted backup detected, decrypting...")
+		key, err := loadEncryptionKey(restoreEncryptionKeyFile, restoreEncryptionKeyEnv)
+		if err != nil {
+			return fmt.Errorf("encrypted backup requires encryption key: %w", err)
+		}
+		// Decrypt in-place (same path)
+		if err := backup.DecryptBackupFile(archivePath, archivePath, key, log); err != nil {
+			return fmt.Errorf("decryption failed: %w", err)
+		}
+		log.Info("Decryption completed successfully")
+	}
+
 	// Detect format
 	format := restore.DetectArchiveFormat(archivePath)
 	if format == restore.FormatUnknown {
@@ -267,7 +545,7 @@ func runRestoreSingle(cmd *cobra.Command, args []string) error {
 	isDryRun := restoreDryRun || !restoreConfirm

 	if isDryRun {
-		fmt.Println("\n🔍 DRY-RUN MODE - No changes will be made")
+		fmt.Println("\n[DRY-RUN] DRY-RUN MODE - No changes will be made")
 		fmt.Printf("\nWould restore:\n")
 		fmt.Printf("  Archive: %s\n", archivePath)
 		fmt.Printf("  Format: %s\n", format.String())
@@ -288,6 +566,12 @@ func runRestoreSingle(cmd *cobra.Command, args []string) error {
 	// Create restore engine
 	engine := restore.New(cfg, log, db)

+	// Enable debug logging if requested
+	if restoreSaveDebugLog != "" {
+		engine.SetDebugLogPath(restoreSaveDebugLog)
+		log.Info("Debug logging enabled", "output", restoreSaveDebugLog)
+	}
+
 	// Setup signal handling
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
@@ -302,6 +586,37 @@ func runRestoreSingle(cmd *cobra.Command, args []string) error {
 		cancel()
 	}()

+	// Run pre-restore diagnosis if requested
+	if restoreDiagnose {
+		log.Info("[DIAG] Running pre-restore diagnosis...")
+
+		diagnoser := restore.NewDiagnoser(log, restoreVerbose)
+		result, err := diagnoser.DiagnoseFile(archivePath)
+		if err != nil {
+			return fmt.Errorf("diagnosis failed: %w", err)
+		}
+
+		diagnoser.PrintDiagnosis(result)
+
+		if !result.IsValid {
+			log.Error("[FAIL] Pre-restore diagnosis found issues")
+			if result.IsTruncated {
+				log.Error("   The backup file appears to be TRUNCATED")
+			}
+			if result.IsCorrupted {
+				log.Error("   The backup file appears to be CORRUPTED")
+			}
+			fmt.Println("\nUse --force to attempt restore anyway.")
+
+			if !restoreForce {
+				return fmt.Errorf("aborting restore due to backup file issues")
+			}
+			log.Warn("Continuing despite diagnosis errors (--force enabled)")
+		} else {
+			log.Info("[OK] Backup file passed diagnosis")
+		}
+	}
+
 	// Execute restore
 	log.Info("Starting restore...", "database", targetDB)

@@ -318,7 +633,7 @@ func runRestoreSingle(cmd *cobra.Command, args []string) error {
 	// Audit log: restore success
 	auditLogger.LogRestoreComplete(user, targetDB, time.Since(startTime))

-	log.Info("✅ Restore completed successfully", "database", targetDB)
+	log.Info("[OK] Restore completed successfully", "database", targetDB)
 	return nil
 }

@@ -340,6 +655,20 @@ func runRestoreCluster(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("archive not found: %s", archivePath)
 	}

+	// Check if backup is encrypted and decrypt if necessary
+	if backup.IsBackupEncrypted(archivePath) {
+		log.Info("Encrypted cluster backup detected, decrypting...")
+		key, err := loadEncryptionKey(restoreEncryptionKeyFile, restoreEncryptionKeyEnv)
+		if err != nil {
+			return fmt.Errorf("encrypted backup requires encryption key: %w", err)
+		}
+		// Decrypt in-place (same path)
+		if err := backup.DecryptBackupFile(archivePath, archivePath, key, log); err != nil {
+			return fmt.Errorf("decryption failed: %w", err)
+		}
+		log.Info("Cluster decryption completed successfully")
+	}
+
 	// Verify it's a cluster backup
 	format := restore.DetectArchiveFormat(archivePath)
 	if !format.IsClusterBackup() {
@@ -359,9 +688,27 @@ func runRestoreCluster(cmd *cobra.Command, args []string) error {
 			return fmt.Errorf("archive validation failed: %w", err)
 		}

+		// Determine where to check disk space
+		checkDir := cfg.BackupDir
+		if restoreWorkdir != "" {
+			checkDir = restoreWorkdir
+
+			// Verify workdir exists or create it
+			if _, err := os.Stat(restoreWorkdir); os.IsNotExist(err) {
+				log.Warn("Working directory does not exist, will be created", "path", restoreWorkdir)
+				if err := os.MkdirAll(restoreWorkdir, 0755); err != nil {
+					return fmt.Errorf("cannot create working directory: %w", err)
+				}
+			}
+
+			log.Warn("[WARN] Using alternative working directory for extraction")
+			log.Warn("    This is recommended when system disk space is limited")
+			log.Warn("    Location: " + restoreWorkdir)
+		}
+
 		log.Info("Checking disk space...")
 		multiplier := 4.0 // Cluster needs more space for extraction
-		if err := safety.CheckDiskSpace(archivePath, multiplier); err != nil {
+		if err := safety.CheckDiskSpaceAt(archivePath, checkDir, multiplier); err != nil {
 			return fmt.Errorf("disk space check failed: %w", err)
 		}

@@ -369,30 +716,82 @@ func runRestoreCluster(cmd *cobra.Command, args []string) error {
 		if err := safety.VerifyTools("postgres"); err != nil {
 			return fmt.Errorf("tool verification failed: %w", err)
 		}
-	}
-
-	// Dry-run mode or confirmation required
-	isDryRun := restoreDryRun || !restoreConfirm
-
-	if isDryRun {
-		fmt.Println("\n🔍 DRY-RUN MODE - No changes will be made")
-		fmt.Printf("\nWould restore cluster:\n")
-		fmt.Printf("  Archive: %s\n", archivePath)
-		fmt.Printf("  Parallel Jobs: %d (0 = auto)\n", restoreJobs)
-		fmt.Println("\nTo execute this restore, add --confirm flag")
-		return nil
-	}
-
-	// Create database instance
+	} // Create database instance for pre-checks
 	db, err := database.New(cfg, log)
 	if err != nil {
 		return fmt.Errorf("failed to create database instance: %w", err)
 	}
 	defer db.Close()

+	// Check existing databases if --clean-cluster is enabled
+	var existingDBs []string
+	if restoreCleanCluster {
+		ctx := context.Background()
+		if err := db.Connect(ctx); err != nil {
+			return fmt.Errorf("failed to connect to database: %w", err)
+		}
+
+		allDBs, err := db.ListDatabases(ctx)
+		if err != nil {
+			return fmt.Errorf("failed to list databases: %w", err)
+		}
+
+		// Filter out system databases (keep postgres, template0, template1)
+		systemDBs := map[string]bool{
+			"postgres":  true,
+			"template0": true,
+			"template1": true,
+		}
+
+		for _, dbName := range allDBs {
+			if !systemDBs[dbName] {
+				existingDBs = append(existingDBs, dbName)
+			}
+		}
+	}
+
+	// Dry-run mode or confirmation required
+	isDryRun := restoreDryRun || !restoreConfirm
+
+	if isDryRun {
+		fmt.Println("\n[DRY-RUN] DRY-RUN MODE - No changes will be made")
+		fmt.Printf("\nWould restore cluster:\n")
+		fmt.Printf("  Archive: %s\n", archivePath)
+		fmt.Printf("  Parallel Jobs: %d (0 = auto)\n", restoreJobs)
+		if restoreWorkdir != "" {
+			fmt.Printf("  Working Directory: %s (alternative extraction location)\n", restoreWorkdir)
+		}
+		if restoreCleanCluster {
+			fmt.Printf("  Clean Cluster: true (will drop %d existing database(s))\n", len(existingDBs))
+			if len(existingDBs) > 0 {
+				fmt.Printf("\n[WARN] Databases to be dropped:\n")
+				for _, dbName := range existingDBs {
+					fmt.Printf("    - %s\n", dbName)
+				}
+			}
+		}
+		fmt.Println("\nTo execute this restore, add --confirm flag")
+		return nil
+	}
+
+	// Warning for clean-cluster
+	if restoreCleanCluster && len(existingDBs) > 0 {
+		log.Warn("[!!] Clean cluster mode enabled")
+		log.Warn(fmt.Sprintf("   %d existing database(s) will be DROPPED before restore!", len(existingDBs)))
+		for _, dbName := range existingDBs {
+			log.Warn("   - " + dbName)
+		}
+	}
+
 	// Create restore engine
 	engine := restore.New(cfg, log, db)

+	// Enable debug logging if requested
+	if restoreSaveDebugLog != "" {
+		engine.SetDebugLogPath(restoreSaveDebugLog)
+		log.Info("Debug logging enabled", "output", restoreSaveDebugLog)
+	}
+
 	// Setup signal handling
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
@@ -407,6 +806,74 @@ func runRestoreCluster(cmd *cobra.Command, args []string) error {
 		cancel()
 	}()

+	// Drop existing databases if clean-cluster is enabled
+	if restoreCleanCluster && len(existingDBs) > 0 {
+		log.Info("Dropping existing databases before restore...")
+		for _, dbName := range existingDBs {
+			log.Info("Dropping database", "name", dbName)
+			// Use CLI-based drop to avoid connection issues
+			dropCmd := exec.CommandContext(ctx, "psql",
+				"-h", cfg.Host,
+				"-p", fmt.Sprintf("%d", cfg.Port),
+				"-U", cfg.User,
+				"-d", "postgres",
+				"-c", fmt.Sprintf("DROP DATABASE IF EXISTS \"%s\"", dbName),
+			)
+			if err := dropCmd.Run(); err != nil {
+				log.Warn("Failed to drop database", "name", dbName, "error", err)
+				// Continue with other databases
+			}
+		}
+		log.Info("Database cleanup completed")
+	}
+
+	// Run pre-restore diagnosis if requested
+	if restoreDiagnose {
+		log.Info("[DIAG] Running pre-restore diagnosis...")
+
+		// Create temp directory for extraction in configured WorkDir
+		workDir := cfg.GetEffectiveWorkDir()
+		diagTempDir, err := os.MkdirTemp(workDir, "dbbackup-diagnose-*")
+		if err != nil {
+			return fmt.Errorf("failed to create temp directory for diagnosis in %s: %w", workDir, err)
+		}
+		defer os.RemoveAll(diagTempDir)
+
+		diagnoser := restore.NewDiagnoser(log, restoreVerbose)
+		results, err := diagnoser.DiagnoseClusterDumps(archivePath, diagTempDir)
+		if err != nil {
+			return fmt.Errorf("diagnosis failed: %w", err)
+		}
+
+		// Check for any invalid dumps
+		var invalidDumps []string
+		for _, result := range results {
+			if !result.IsValid {
+				invalidDumps = append(invalidDumps, result.FileName)
+				diagnoser.PrintDiagnosis(result)
+			}
+		}
+
+		if len(invalidDumps) > 0 {
+			log.Error("[FAIL] Pre-restore diagnosis found issues",
+				"invalid_dumps", len(invalidDumps),
+				"total_dumps", len(results))
+			fmt.Println("\n[WARN] The following dumps have issues and will likely fail during restore:")
+			for _, name := range invalidDumps {
+				fmt.Printf("    - %s\n", name)
+			}
+			fmt.Println("\nRun 'dbbackup restore diagnose <archive> --deep' for full details.")
+			fmt.Println("Use --force to attempt restore anyway.")
+
+			if !restoreForce {
+				return fmt.Errorf("aborting restore due to %d invalid dump(s)", len(invalidDumps))
+			}
+			log.Warn("Continuing despite diagnosis errors (--force enabled)")
+		} else {
+			log.Info("[OK] All dumps passed diagnosis", "count", len(results))
+		}
+	}
+
 	// Execute cluster restore
 	log.Info("Starting cluster restore...")

@@ -423,7 +890,7 @@ func runRestoreCluster(cmd *cobra.Command, args []string) error {
 	// Audit log: restore success
 	auditLogger.LogRestoreComplete(user, "all_databases", time.Since(startTime))

-	log.Info("✅ Cluster restore completed successfully")
+	log.Info("[OK] Cluster restore completed successfully")
 	return nil
 }

@@ -472,7 +939,7 @@ func runRestoreList(cmd *cobra.Command, args []string) error {
 	}

 	// Print header
-	fmt.Printf("\n📦 Available backup archives in %s\n\n", backupDir)
+	fmt.Printf("\n[LIST] Available backup archives in %s\n\n", backupDir)
 	fmt.Printf("%-40s %-25s %-12s %-20s %s\n",
 		"FILENAME", "FORMAT", "SIZE", "MODIFIED", "DATABASE")
 	fmt.Println(strings.Repeat("-", 120))
@@ -568,3 +1035,53 @@ func truncate(s string, max int) string {
 	}
 	return s[:max-3] + "..."
 }
+
+// runRestorePITR performs Point-in-Time Recovery
+func runRestorePITR(cmd *cobra.Command, args []string) error {
+	ctx := cmd.Context()
+
+	// Parse recovery target
+	target, err := pitr.ParseRecoveryTarget(
+		pitrTargetTime,
+		pitrTargetXID,
+		pitrTargetLSN,
+		pitrTargetName,
+		pitrTargetImmediate,
+		pitrRecoveryAction,
+		pitrWALSource,
+		pitrInclusive,
+	)
+	if err != nil {
+		return fmt.Errorf("invalid recovery target: %w", err)
+	}
+
+	// Display recovery target info
+	log.Info("=====================================================")
+	log.Info("  Point-in-Time Recovery (PITR)")
+	log.Info("=====================================================")
+	log.Info("")
+	log.Info(target.String())
+	log.Info("")
+
+	// Create restore orchestrator
+	orchestrator := pitr.NewRestoreOrchestrator(cfg, log)
+
+	// Prepare restore options
+	opts := &pitr.RestoreOptions{
+		BaseBackupPath:  pitrBaseBackup,
+		WALArchiveDir:   pitrWALArchive,
+		Target:          target,
+		TargetDataDir:   pitrTargetDir,
+		SkipExtraction:  pitrSkipExtract,
+		AutoStart:       pitrAutoStart,
+		MonitorProgress: pitrMonitor,
+	}
+
+	// Perform PITR restore
+	if err := orchestrator.RestorePointInTime(ctx, opts); err != nil {
+		return fmt.Errorf("PITR restore failed: %w", err)
+	}
+
+	log.Info("[OK] PITR restore completed successfully")
+	return nil
+}
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -7,6 +7,7 @@ import (
 	"dbbackup/internal/config"
 	"dbbackup/internal/logger"
 	"dbbackup/internal/security"
+
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
 )
--- a/cmd/rto.go
+++ b/cmd/rto.go
@@ -0,0 +1,458 @@
+package cmd
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+	"time"
+
+	"dbbackup/internal/catalog"
+	"dbbackup/internal/rto"
+
+	"github.com/spf13/cobra"
+)
+
+var rtoCmd = &cobra.Command{
+	Use:   "rto",
+	Short: "RTO/RPO analysis and monitoring",
+	Long: `Analyze and monitor Recovery Time Objective (RTO) and 
+Recovery Point Objective (RPO) metrics.
+
+RTO: How long to recover from a failure
+RPO: How much data you can afford to lose
+
+Examples:
+  # Analyze RTO/RPO for all databases
+  dbbackup rto analyze
+
+  # Analyze specific database
+  dbbackup rto analyze --database mydb
+
+  # Show summary status
+  dbbackup rto status
+
+  # Set targets and check compliance
+  dbbackup rto check --target-rto 4h --target-rpo 1h`,
+}
+
+var rtoAnalyzeCmd = &cobra.Command{
+	Use:   "analyze",
+	Short: "Analyze RTO/RPO for databases",
+	Long:  "Perform detailed RTO/RPO analysis based on backup history",
+	RunE:  runRTOAnalyze,
+}
+
+var rtoStatusCmd = &cobra.Command{
+	Use:   "status",
+	Short: "Show RTO/RPO status summary",
+	Long:  "Display current RTO/RPO compliance status for all databases",
+	RunE:  runRTOStatus,
+}
+
+var rtoCheckCmd = &cobra.Command{
+	Use:   "check",
+	Short: "Check RTO/RPO compliance",
+	Long:  "Check if databases meet RTO/RPO targets",
+	RunE:  runRTOCheck,
+}
+
+var (
+	rtoDatabase  string
+	rtoTargetRTO string
+	rtoTargetRPO string
+	rtoCatalog   string
+	rtoFormat    string
+	rtoOutput    string
+)
+
+func init() {
+	rootCmd.AddCommand(rtoCmd)
+	rtoCmd.AddCommand(rtoAnalyzeCmd)
+	rtoCmd.AddCommand(rtoStatusCmd)
+	rtoCmd.AddCommand(rtoCheckCmd)
+
+	// Analyze command flags
+	rtoAnalyzeCmd.Flags().StringVarP(&rtoDatabase, "database", "d", "", "Database to analyze (all if not specified)")
+	rtoAnalyzeCmd.Flags().StringVar(&rtoTargetRTO, "target-rto", "4h", "Target RTO (e.g., 4h, 30m)")
+	rtoAnalyzeCmd.Flags().StringVar(&rtoTargetRPO, "target-rpo", "1h", "Target RPO (e.g., 1h, 15m)")
+	rtoAnalyzeCmd.Flags().StringVar(&rtoCatalog, "catalog", "", "Path to backup catalog")
+	rtoAnalyzeCmd.Flags().StringVarP(&rtoFormat, "format", "f", "text", "Output format (text, json)")
+	rtoAnalyzeCmd.Flags().StringVarP(&rtoOutput, "output", "o", "", "Output file")
+
+	// Status command flags
+	rtoStatusCmd.Flags().StringVar(&rtoCatalog, "catalog", "", "Path to backup catalog")
+	rtoStatusCmd.Flags().StringVar(&rtoTargetRTO, "target-rto", "4h", "Target RTO")
+	rtoStatusCmd.Flags().StringVar(&rtoTargetRPO, "target-rpo", "1h", "Target RPO")
+
+	// Check command flags
+	rtoCheckCmd.Flags().StringVarP(&rtoDatabase, "database", "d", "", "Database to check")
+	rtoCheckCmd.Flags().StringVar(&rtoTargetRTO, "target-rto", "4h", "Target RTO")
+	rtoCheckCmd.Flags().StringVar(&rtoTargetRPO, "target-rpo", "1h", "Target RPO")
+	rtoCheckCmd.Flags().StringVar(&rtoCatalog, "catalog", "", "Path to backup catalog")
+}
+
+func runRTOAnalyze(cmd *cobra.Command, args []string) error {
+	ctx := context.Background()
+
+	// Parse duration targets
+	targetRTO, err := time.ParseDuration(rtoTargetRTO)
+	if err != nil {
+		return fmt.Errorf("invalid target-rto: %w", err)
+	}
+	targetRPO, err := time.ParseDuration(rtoTargetRPO)
+	if err != nil {
+		return fmt.Errorf("invalid target-rpo: %w", err)
+	}
+
+	// Get catalog
+	cat, err := openRTOCatalog()
+	if err != nil {
+		return err
+	}
+	defer cat.Close()
+
+	// Create calculator
+	config := rto.DefaultConfig()
+	config.TargetRTO = targetRTO
+	config.TargetRPO = targetRPO
+	calc := rto.NewCalculator(cat, config)
+
+	var analyses []*rto.Analysis
+
+	if rtoDatabase != "" {
+		// Analyze single database
+		analysis, err := calc.Analyze(ctx, rtoDatabase)
+		if err != nil {
+			return fmt.Errorf("analysis failed: %w", err)
+		}
+		analyses = append(analyses, analysis)
+	} else {
+		// Analyze all databases
+		analyses, err = calc.AnalyzeAll(ctx)
+		if err != nil {
+			return fmt.Errorf("analysis failed: %w", err)
+		}
+	}
+
+	// Output
+	if rtoFormat == "json" {
+		return outputJSON(analyses, rtoOutput)
+	}
+
+	return outputAnalysisText(analyses)
+}
+
+func runRTOStatus(cmd *cobra.Command, args []string) error {
+	ctx := context.Background()
+
+	// Parse targets
+	targetRTO, err := time.ParseDuration(rtoTargetRTO)
+	if err != nil {
+		return fmt.Errorf("invalid target-rto: %w", err)
+	}
+	targetRPO, err := time.ParseDuration(rtoTargetRPO)
+	if err != nil {
+		return fmt.Errorf("invalid target-rpo: %w", err)
+	}
+
+	// Get catalog
+	cat, err := openRTOCatalog()
+	if err != nil {
+		return err
+	}
+	defer cat.Close()
+
+	// Create calculator and analyze all
+	config := rto.DefaultConfig()
+	config.TargetRTO = targetRTO
+	config.TargetRPO = targetRPO
+	calc := rto.NewCalculator(cat, config)
+
+	analyses, err := calc.AnalyzeAll(ctx)
+	if err != nil {
+		return fmt.Errorf("analysis failed: %w", err)
+	}
+
+	// Create summary
+	summary := rto.Summarize(analyses)
+
+	// Display status
+	fmt.Println()
+	fmt.Println("+-----------------------------------------------------------+")
+	fmt.Println("|              RTO/RPO STATUS SUMMARY                       |")
+	fmt.Println("+-----------------------------------------------------------+")
+	fmt.Printf("|  Target RTO: %-15s  Target RPO: %-15s |\n",
+		formatDuration(config.TargetRTO),
+		formatDuration(config.TargetRPO))
+	fmt.Println("+-----------------------------------------------------------+")
+
+	// Compliance status
+	rpoRate := 0.0
+	rtoRate := 0.0
+	fullRate := 0.0
+	if summary.TotalDatabases > 0 {
+		rpoRate = float64(summary.RPOCompliant) / float64(summary.TotalDatabases) * 100
+		rtoRate = float64(summary.RTOCompliant) / float64(summary.TotalDatabases) * 100
+		fullRate = float64(summary.FullyCompliant) / float64(summary.TotalDatabases) * 100
+	}
+
+	fmt.Printf("|  Databases:     %-5d                                      |\n", summary.TotalDatabases)
+	fmt.Printf("|  RPO Compliant: %-5d  (%.0f%%)                              |\n", summary.RPOCompliant, rpoRate)
+	fmt.Printf("|  RTO Compliant: %-5d  (%.0f%%)                              |\n", summary.RTOCompliant, rtoRate)
+	fmt.Printf("|  Fully Compliant: %-3d  (%.0f%%)                             |\n", summary.FullyCompliant, fullRate)
+
+	if summary.CriticalIssues > 0 {
+		fmt.Printf("|  [WARN]  Critical Issues: %-3d                                  |\n", summary.CriticalIssues)
+	}
+
+	fmt.Println("+-----------------------------------------------------------+")
+	fmt.Printf("|  Average RPO: %-15s  Worst: %-15s    |\n",
+		formatDuration(summary.AverageRPO),
+		formatDuration(summary.WorstRPO))
+	fmt.Printf("|  Average RTO: %-15s  Worst: %-15s    |\n",
+		formatDuration(summary.AverageRTO),
+		formatDuration(summary.WorstRTO))
+
+	if summary.WorstRPODatabase != "" {
+		fmt.Printf("|  Worst RPO Database: %-38s|\n", summary.WorstRPODatabase)
+	}
+	if summary.WorstRTODatabase != "" {
+		fmt.Printf("|  Worst RTO Database: %-38s|\n", summary.WorstRTODatabase)
+	}
+
+	fmt.Println("+-----------------------------------------------------------+")
+	fmt.Println()
+
+	// Per-database status
+	if len(analyses) > 0 {
+		fmt.Println("Database Status:")
+		fmt.Println(strings.Repeat("-", 70))
+		fmt.Printf("%-25s %-12s %-12s %-12s\n", "DATABASE", "RPO", "RTO", "STATUS")
+		fmt.Println(strings.Repeat("-", 70))
+
+		for _, a := range analyses {
+			status := "[OK]"
+			if !a.RPOCompliant || !a.RTOCompliant {
+				status = "[FAIL]"
+			}
+
+			rpoStr := formatDuration(a.CurrentRPO)
+			rtoStr := formatDuration(a.CurrentRTO)
+
+			if !a.RPOCompliant {
+				rpoStr = "[WARN] " + rpoStr
+			}
+			if !a.RTOCompliant {
+				rtoStr = "[WARN] " + rtoStr
+			}
+
+			fmt.Printf("%-25s %-12s %-12s %s\n",
+				truncateRTO(a.Database, 24),
+				rpoStr,
+				rtoStr,
+				status)
+		}
+		fmt.Println(strings.Repeat("-", 70))
+	}
+
+	return nil
+}
+
+func runRTOCheck(cmd *cobra.Command, args []string) error {
+	ctx := context.Background()
+
+	// Parse targets
+	targetRTO, err := time.ParseDuration(rtoTargetRTO)
+	if err != nil {
+		return fmt.Errorf("invalid target-rto: %w", err)
+	}
+	targetRPO, err := time.ParseDuration(rtoTargetRPO)
+	if err != nil {
+		return fmt.Errorf("invalid target-rpo: %w", err)
+	}
+
+	// Get catalog
+	cat, err := openRTOCatalog()
+	if err != nil {
+		return err
+	}
+	defer cat.Close()
+
+	// Create calculator
+	config := rto.DefaultConfig()
+	config.TargetRTO = targetRTO
+	config.TargetRPO = targetRPO
+	calc := rto.NewCalculator(cat, config)
+
+	var analyses []*rto.Analysis
+
+	if rtoDatabase != "" {
+		analysis, err := calc.Analyze(ctx, rtoDatabase)
+		if err != nil {
+			return fmt.Errorf("analysis failed: %w", err)
+		}
+		analyses = append(analyses, analysis)
+	} else {
+		analyses, err = calc.AnalyzeAll(ctx)
+		if err != nil {
+			return fmt.Errorf("analysis failed: %w", err)
+		}
+	}
+
+	// Check compliance
+	exitCode := 0
+	for _, a := range analyses {
+		if !a.RPOCompliant {
+			fmt.Printf("[FAIL] %s: RPO violation - current %s exceeds target %s\n",
+				a.Database,
+				formatDuration(a.CurrentRPO),
+				formatDuration(config.TargetRPO))
+			exitCode = 1
+		}
+		if !a.RTOCompliant {
+			fmt.Printf("[FAIL] %s: RTO violation - estimated %s exceeds target %s\n",
+				a.Database,
+				formatDuration(a.CurrentRTO),
+				formatDuration(config.TargetRTO))
+			exitCode = 1
+		}
+		if a.RPOCompliant && a.RTOCompliant {
+			fmt.Printf("[OK] %s: Compliant (RPO: %s, RTO: %s)\n",
+				a.Database,
+				formatDuration(a.CurrentRPO),
+				formatDuration(a.CurrentRTO))
+		}
+	}
+
+	if exitCode != 0 {
+		os.Exit(exitCode)
+	}
+
+	return nil
+}
+
+func openRTOCatalog() (*catalog.SQLiteCatalog, error) {
+	catalogPath := rtoCatalog
+	if catalogPath == "" {
+		homeDir, _ := os.UserHomeDir()
+		catalogPath = filepath.Join(homeDir, ".dbbackup", "catalog.db")
+	}
+
+	cat, err := catalog.NewSQLiteCatalog(catalogPath)
+	if err != nil {
+		return nil, fmt.Errorf("failed to open catalog: %w", err)
+	}
+
+	return cat, nil
+}
+
+func outputJSON(data interface{}, outputPath string) error {
+	jsonData, err := json.MarshalIndent(data, "", "  ")
+	if err != nil {
+		return err
+	}
+
+	if outputPath != "" {
+		return os.WriteFile(outputPath, jsonData, 0644)
+	}
+
+	fmt.Println(string(jsonData))
+	return nil
+}
+
+func outputAnalysisText(analyses []*rto.Analysis) error {
+	for _, a := range analyses {
+		fmt.Println()
+		fmt.Println(strings.Repeat("=", 60))
+		fmt.Printf("  Database: %s\n", a.Database)
+		fmt.Println(strings.Repeat("=", 60))
+
+		// Status
+		rpoStatus := "[OK] Compliant"
+		if !a.RPOCompliant {
+			rpoStatus = "[FAIL] Violation"
+		}
+		rtoStatus := "[OK] Compliant"
+		if !a.RTOCompliant {
+			rtoStatus = "[FAIL] Violation"
+		}
+
+		fmt.Println()
+		fmt.Println("  Recovery Objectives:")
+		fmt.Println(strings.Repeat("-", 50))
+		fmt.Printf("  RPO (Current):  %-15s  Target: %s\n",
+			formatDuration(a.CurrentRPO), formatDuration(a.TargetRPO))
+		fmt.Printf("  RPO Status:     %s\n", rpoStatus)
+		fmt.Printf("  RTO (Estimated): %-14s  Target: %s\n",
+			formatDuration(a.CurrentRTO), formatDuration(a.TargetRTO))
+		fmt.Printf("  RTO Status:     %s\n", rtoStatus)
+
+		if a.LastBackup != nil {
+			fmt.Printf("  Last Backup:    %s\n", a.LastBackup.Format("2006-01-02 15:04:05"))
+		}
+		if a.BackupInterval > 0 {
+			fmt.Printf("  Backup Interval: %s\n", formatDuration(a.BackupInterval))
+		}
+
+		// RTO Breakdown
+		fmt.Println()
+		fmt.Println("  RTO Breakdown:")
+		fmt.Println(strings.Repeat("-", 50))
+		b := a.RTOBreakdown
+		fmt.Printf("    Detection:    %s\n", formatDuration(b.DetectionTime))
+		fmt.Printf("    Decision:     %s\n", formatDuration(b.DecisionTime))
+		if b.DownloadTime > 0 {
+			fmt.Printf("    Download:     %s\n", formatDuration(b.DownloadTime))
+		}
+		fmt.Printf("    Restore:      %s\n", formatDuration(b.RestoreTime))
+		fmt.Printf("    Startup:      %s\n", formatDuration(b.StartupTime))
+		fmt.Printf("    Validation:   %s\n", formatDuration(b.ValidationTime))
+		fmt.Printf("    Switchover:   %s\n", formatDuration(b.SwitchoverTime))
+		fmt.Println(strings.Repeat("-", 30))
+		fmt.Printf("    Total:        %s\n", formatDuration(b.TotalTime))
+
+		// Recommendations
+		if len(a.Recommendations) > 0 {
+			fmt.Println()
+			fmt.Println("  Recommendations:")
+			fmt.Println(strings.Repeat("-", 50))
+			for _, r := range a.Recommendations {
+				icon := "[TIP]"
+				switch r.Priority {
+				case rto.PriorityCritical:
+					icon = "🔴"
+				case rto.PriorityHigh:
+					icon = "🟠"
+				case rto.PriorityMedium:
+					icon = "🟡"
+				}
+				fmt.Printf("  %s [%s] %s\n", icon, r.Priority, r.Title)
+				fmt.Printf("      %s\n", r.Description)
+			}
+		}
+	}
+
+	return nil
+}
+
+func formatDuration(d time.Duration) string {
+	if d < time.Minute {
+		return fmt.Sprintf("%.0fs", d.Seconds())
+	}
+	if d < time.Hour {
+		return fmt.Sprintf("%.0fm", d.Minutes())
+	}
+	hours := int(d.Hours())
+	mins := int(d.Minutes()) - hours*60
+	return fmt.Sprintf("%dh %dm", hours, mins)
+}
+
+func truncateRTO(s string, maxLen int) string {
+	if len(s) <= maxLen {
+		return s
+	}
+	return s[:maxLen-3] + "..."
+}
--- a/cmd/status.go
+++ b/cmd/status.go
@@ -141,7 +141,7 @@ func testConnection(ctx context.Context) error {

 	// Display results
 	fmt.Println("Connection Test Results:")
-	fmt.Printf("  Status:        Connected ✅\n")
+	fmt.Printf("  Status:        Connected [OK]\n")
 	fmt.Printf("  Version:       %s\n", version)
 	fmt.Printf("  Databases:     %d found\n", len(databases))

@@ -167,7 +167,7 @@ func testConnection(ctx context.Context) error {
 	}

 	fmt.Println()
-	fmt.Println("✅ Status check completed successfully!")
+	fmt.Println("[OK] Status check completed successfully!")

 	return nil
 }
--- a/cmd/verify.go
+++ b/cmd/verify.go
@@ -12,6 +12,7 @@ import (
 	"dbbackup/internal/metadata"
 	"dbbackup/internal/restore"
 	"dbbackup/internal/verification"
+
 	"github.com/spf13/cobra"
 )

@@ -95,17 +96,17 @@ func runVerifyBackup(cmd *cobra.Command, args []string) error {
 			continue
 		}

-		fmt.Printf("📁 %s\n", filepath.Base(backupFile))
+		fmt.Printf("[FILE] %s\n", filepath.Base(backupFile))

 		if quickVerify {
 			// Quick check: size only
 			err := verification.QuickCheck(backupFile)
 			if err != nil {
-				fmt.Printf("   ❌ FAILED: %v\n\n", err)
+				fmt.Printf("   [FAIL] FAILED: %v\n\n", err)
 				failureCount++
 				continue
 			}
-			fmt.Printf("   ✅ VALID (quick check)\n\n")
+			fmt.Printf("   [OK] VALID (quick check)\n\n")
 			successCount++
 		} else {
 			// Full verification with SHA-256
@@ -115,7 +116,7 @@ func runVerifyBackup(cmd *cobra.Command, args []string) error {
 			}

 			if result.Valid {
-				fmt.Printf("   ✅ VALID\n")
+				fmt.Printf("   [OK] VALID\n")
 				if verboseVerify {
 					meta, _ := metadata.Load(backupFile)
 					fmt.Printf("   Size: %s\n", metadata.FormatSize(meta.SizeBytes))
@@ -126,7 +127,7 @@ func runVerifyBackup(cmd *cobra.Command, args []string) error {
 				fmt.Println()
 				successCount++
 			} else {
-				fmt.Printf("   ❌ FAILED: %v\n", result.Error)
+				fmt.Printf("   [FAIL] FAILED: %v\n", result.Error)
 				if verboseVerify {
 					if !result.FileExists {
 						fmt.Printf("   File does not exist\n")
@@ -146,11 +147,11 @@ func runVerifyBackup(cmd *cobra.Command, args []string) error {
 	}

 	// Summary
-	fmt.Println(strings.Repeat("─", 50))
+	fmt.Println(strings.Repeat("-", 50))
 	fmt.Printf("Total: %d backups\n", len(backupFiles))
-	fmt.Printf("✅ Valid: %d\n", successCount)
+	fmt.Printf("[OK] Valid: %d\n", successCount)
 	if failureCount > 0 {
-		fmt.Printf("❌ Failed: %d\n", failureCount)
+		fmt.Printf("[FAIL] Failed: %d\n", failureCount)
 		os.Exit(1)
 	}

@@ -194,16 +195,16 @@ func runVerifyCloudBackup(cmd *cobra.Command, args []string) error {

 	for _, uri := range args {
 		if !isCloudURI(uri) {
-			fmt.Printf("⚠️  Skipping non-cloud URI: %s\n", uri)
+			fmt.Printf("[WARN] Skipping non-cloud URI: %s\n", uri)
 			continue
 		}

-		fmt.Printf("☁️  %s\n", uri)
+		fmt.Printf("[CLOUD] %s\n", uri)

 		// Download and verify
 		result, err := verifyCloudBackup(cmd.Context(), uri, quickVerify, verboseVerify)
 		if err != nil {
-			fmt.Printf("   ❌ FAILED: %v\n\n", err)
+			fmt.Printf("   [FAIL] FAILED: %v\n\n", err)
 			failureCount++
 			continue
 		}
@@ -211,7 +212,7 @@ func runVerifyCloudBackup(cmd *cobra.Command, args []string) error {
 		// Cleanup temp file
 		defer result.Cleanup()

-		fmt.Printf("   ✅ VALID\n")
+		fmt.Printf("   [OK] VALID\n")
 		if verboseVerify && result.MetadataPath != "" {
 			meta, _ := metadata.Load(result.MetadataPath)
 			if meta != nil {
@@ -225,7 +226,7 @@ func runVerifyCloudBackup(cmd *cobra.Command, args []string) error {
 		successCount++
 	}

-	fmt.Printf("\n✅ Summary: %d valid, %d failed\n", successCount, failureCount)
+	fmt.Printf("\n[OK] Summary: %d valid, %d failed\n", successCount, failureCount)

 	if failureCount > 0 {
 		os.Exit(1)
--- a/go.mod
+++ b/go.mod
@@ -5,15 +5,27 @@ go 1.24.0
 toolchain go1.24.9

 require (
-	github.com/Netflix/go-expect v0.0.0-20220104043353-73e0943537d2
+	cloud.google.com/go/storage v1.57.2
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.20.0
+	github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.6.3
+	github.com/aws/aws-sdk-go-v2 v1.40.0
+	github.com/aws/aws-sdk-go-v2/config v1.32.2
+	github.com/aws/aws-sdk-go-v2/credentials v1.19.2
+	github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.20.12
+	github.com/aws/aws-sdk-go-v2/service/s3 v1.92.1
 	github.com/charmbracelet/bubbles v0.21.0
 	github.com/charmbracelet/bubbletea v1.3.10
 	github.com/charmbracelet/lipgloss v1.1.0
+	github.com/dustin/go-humanize v1.0.1
 	github.com/go-sql-driver/mysql v1.9.3
 	github.com/jackc/pgx/v5 v5.7.6
+	github.com/mattn/go-sqlite3 v1.14.32
+	github.com/shirou/gopsutil/v3 v3.24.5
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/cobra v1.10.1
 	github.com/spf13/pflag v1.0.9
+	golang.org/x/crypto v0.43.0
+	google.golang.org/api v0.256.0
 )

 require (
@@ -24,20 +36,13 @@ require (
 	cloud.google.com/go/compute/metadata v0.9.0 // indirect
 	cloud.google.com/go/iam v1.5.2 // indirect
 	cloud.google.com/go/monitoring v1.24.2 // indirect
-	cloud.google.com/go/storage v1.57.2 // indirect
 	filippo.io/edwards25519 v1.1.0 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.20.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.6.3 // indirect
 	github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.29.0 // indirect
 	github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.53.0 // indirect
 	github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.53.0 // indirect
-	github.com/aws/aws-sdk-go-v2 v1.40.0 // indirect
 	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.3 // indirect
-	github.com/aws/aws-sdk-go-v2/config v1.32.2 // indirect
-	github.com/aws/aws-sdk-go-v2/credentials v1.19.2 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.14 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.20.12 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.14 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.14 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4 // indirect
@@ -46,46 +51,58 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.5 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.14 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.14 // indirect
-	github.com/aws/aws-sdk-go-v2/service/s3 v1.92.1 // indirect
 	github.com/aws/aws-sdk-go-v2/service/signin v1.0.2 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sso v1.30.5 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.10 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sts v1.41.2 // indirect
 	github.com/aws/smithy-go v1.23.2 // indirect
 	github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
+	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/charmbracelet/colorprofile v0.2.3-0.20250311203215-f60798e515dc // indirect
 	github.com/charmbracelet/x/ansi v0.10.1 // indirect
 	github.com/charmbracelet/x/cellbuf v0.0.13-0.20250311204145-2c3ea96c31dd // indirect
 	github.com/charmbracelet/x/term v0.2.1 // indirect
 	github.com/cncf/xds/go v0.0.0-20250501225837-2ac532fd4443 // indirect
-	github.com/creack/pty v1.1.17 // indirect
 	github.com/envoyproxy/go-control-plane/envoy v1.32.4 // indirect
 	github.com/envoyproxy/protoc-gen-validate v1.2.1 // indirect
 	github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f // indirect
+	github.com/fatih/color v1.18.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/go-jose/go-jose/v4 v4.1.2 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/go-ole/go-ole v1.2.6 // indirect
 	github.com/google/s2a-go v0.1.9 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.7 // indirect
 	github.com/googleapis/gax-go/v2 v2.15.0 // indirect
+	github.com/hashicorp/errwrap v1.0.0 // indirect
+	github.com/hashicorp/go-multierror v1.1.1 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
 	github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
 	github.com/jackc/puddle/v2 v2.2.2 // indirect
 	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
+	github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect
+	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-localereader v0.0.1 // indirect
 	github.com/mattn/go-runewidth v0.0.16 // indirect
+	github.com/mitchellh/colorstring v0.0.0-20190213212951-d06e56a500db // indirect
 	github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6 // indirect
 	github.com/muesli/cancelreader v0.2.2 // indirect
 	github.com/muesli/termenv v0.16.0 // indirect
 	github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
+	github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
+	github.com/schollz/progressbar/v3 v3.19.0 // indirect
+	github.com/spf13/afero v1.15.0 // indirect
 	github.com/spiffe/go-spiffe/v2 v2.5.0 // indirect
+	github.com/tklauser/go-sysconf v0.3.12 // indirect
+	github.com/tklauser/numcpus v0.6.1 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
+	github.com/yusufpapurcu/wmi v1.2.4 // indirect
 	github.com/zeebo/errs v1.4.0 // indirect
 	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
 	go.opentelemetry.io/contrib/detectors/gcp v1.36.0 // indirect
@@ -96,14 +113,13 @@ require (
 	go.opentelemetry.io/otel/sdk v1.37.0 // indirect
 	go.opentelemetry.io/otel/sdk/metric v1.37.0 // indirect
 	go.opentelemetry.io/otel/trace v1.37.0 // indirect
-	golang.org/x/crypto v0.43.0 // indirect
 	golang.org/x/net v0.46.0 // indirect
 	golang.org/x/oauth2 v0.33.0 // indirect
 	golang.org/x/sync v0.18.0 // indirect
-	golang.org/x/sys v0.37.0 // indirect
+	golang.org/x/sys v0.38.0 // indirect
+	golang.org/x/term v0.36.0 // indirect
 	golang.org/x/text v0.30.0 // indirect
 	golang.org/x/time v0.14.0 // indirect
-	google.golang.org/api v0.256.0 // indirect
 	google.golang.org/genproto v0.0.0-20250603155806-513f23925822 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20250818200422-3122310a409c // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20251103181224-f26f9409b101 // indirect
--- a/go.sum
+++ b/go.sum
@@ -10,36 +10,44 @@ cloud.google.com/go/compute/metadata v0.9.0 h1:pDUj4QMoPejqq20dK0Pg2N4yG9zIkYGdB
 cloud.google.com/go/compute/metadata v0.9.0/go.mod h1:E0bWwX5wTnLPedCKqk3pJmVgCBSM6qQI1yTBdEb3C10=
 cloud.google.com/go/iam v1.5.2 h1:qgFRAGEmd8z6dJ/qyEchAuL9jpswyODjA2lS+w234g8=
 cloud.google.com/go/iam v1.5.2/go.mod h1:SE1vg0N81zQqLzQEwxL2WI6yhetBdbNQuTvIKCSkUHE=
+cloud.google.com/go/logging v1.13.0 h1:7j0HgAp0B94o1YRDqiqm26w4q1rDMH7XNRU34lJXHYc=
+cloud.google.com/go/logging v1.13.0/go.mod h1:36CoKh6KA/M0PbhPKMq6/qety2DCAErbhXT62TuXALA=
+cloud.google.com/go/longrunning v0.7.0 h1:FV0+SYF1RIj59gyoWDRi45GiYUMM3K1qO51qoboQT1E=
+cloud.google.com/go/longrunning v0.7.0/go.mod h1:ySn2yXmjbK9Ba0zsQqunhDkYi0+9rlXIwnoAf+h+TPY=
 cloud.google.com/go/monitoring v1.24.2 h1:5OTsoJ1dXYIiMiuL+sYscLc9BumrL3CarVLL7dd7lHM=
 cloud.google.com/go/monitoring v1.24.2/go.mod h1:x7yzPWcgDRnPEv3sI+jJGBkwl5qINf+6qY4eq0I9B4U=
 cloud.google.com/go/storage v1.57.2 h1:sVlym3cHGYhrp6XZKkKb+92I1V42ks2qKKpB0CF5Mb4=
 cloud.google.com/go/storage v1.57.2/go.mod h1:n5ijg4yiRXXpCu0sJTD6k+eMf7GRrJmPyr9YxLXGHOk=
+cloud.google.com/go/trace v1.11.6 h1:2O2zjPzqPYAHrn3OKl029qlqG6W8ZdYaOWRyr8NgMT4=
+cloud.google.com/go/trace v1.11.6/go.mod h1:GA855OeDEBiBMzcckLPE2kDunIpC72N+Pq8WFieFjnI=
 filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
 filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.20.0 h1:JXg2dwJUmPB9JmtVmdEB16APJ7jurfbY5jnfXpJoRMc=
 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.20.0/go.mod h1:YD5h/ldMsG0XiIw7PdyNhLxaM317eFh5yNLccNfGdyw=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.0 h1:KpMC6LFL7mqpExyMC9jVOYRiVhLmamjeZfRsUpB7l4s=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.0/go.mod h1:J7MUC/wtRpfGVbQ5sIItY5/FuVWmvzlY21WAOfQnq/I=
 github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 h1:9iefClla7iYpfYWdzPCRDozdmndjTm8DXdpCzPajMgA=
 github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2/go.mod h1:XtLgD3ZD34DAaVIIAyG3objl5DynM3CQ/vMcbBNJZGI=
+github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage v1.8.1 h1:/Zt+cDPnpC3OVDm/JKLOs7M2DKmLRIIp3XIx9pHHiig=
+github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage v1.8.1/go.mod h1:Ng3urmn6dYe8gnbCMoHHVl5APYz2txho3koEkV2o2HA=
 github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.6.3 h1:ZJJNFaQ86GVKQ9ehwqyAFE6pIfyicpuJ8IkVaPBc6/4=
 github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.6.3/go.mod h1:URuDvhmATVKqHBH9/0nOiNKk0+YcwfQ3WkK5PqHKxc8=
+github.com/AzureAD/microsoft-authentication-library-for-go v1.5.0 h1:XkkQbfMyuH2jTSjQjSoihryI8GINRcs4xp8lNawg0FI=
+github.com/AzureAD/microsoft-authentication-library-for-go v1.5.0/go.mod h1:HKpQxkWaGLJ+D/5H8QRpyQXA1eKjxkFlOMwck5+33Jk=
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.29.0 h1:UQUsRi8WTzhZntp5313l+CHIAT95ojUI2lpP/ExlZa4=
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.29.0/go.mod h1:Cz6ft6Dkn3Et6l2v2a9/RpN7epQ1GtDlO6lj8bEcOvw=
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.53.0 h1:owcC2UnmsZycprQ5RfRgjydWhuoxg71LUfyiQdijZuM=
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.53.0/go.mod h1:ZPpqegjbE99EPKsu3iUWV22A04wzGPcAY/ziSIQEEgs=
+github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/cloudmock v0.53.0 h1:4LP6hvB4I5ouTbGgWtixJhgED6xdf67twf9PoY96Tbg=
+github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/cloudmock v0.53.0/go.mod h1:jUZ5LYlw40WMd07qxcQJD5M40aUxrfwqQX1g7zxYnrQ=
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.53.0 h1:Ron4zCA/yk6U7WOBXhTJcDpsUBG9npumK6xw2auFltQ=
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.53.0/go.mod h1:cSgYe11MCNYunTnRXrKiR/tHc0eoKjICUuWpNZoVCOo=
-github.com/Netflix/go-expect v0.0.0-20220104043353-73e0943537d2 h1:+vx7roKuyA63nhn5WAunQHLTznkw5W8b1Xc0dNjp83s=
-github.com/Netflix/go-expect v0.0.0-20220104043353-73e0943537d2/go.mod h1:HBCaDeC1lPdgDeDbhX8XFpy1jqjK0IBG8W5K+xYqA0w=
 github.com/aws/aws-sdk-go-v2 v1.40.0 h1:/WMUA0kjhZExjOQN2z3oLALDREea1A7TobfuiBrKlwc=
 github.com/aws/aws-sdk-go-v2 v1.40.0/go.mod h1:c9pm7VwuW0UPxAEYGyTmyurVcNrbF6Rt/wixFqDhcjE=
 github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.3 h1:DHctwEM8P8iTXFxC/QK0MRjwEpWQeM9yzidCRjldUz0=
 github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.3/go.mod h1:xdCzcZEtnSTKVDOmUZs4l/j3pSV6rpo1WXl5ugNsL8Y=
-github.com/aws/aws-sdk-go-v2/config v1.32.1 h1:iODUDLgk3q8/flEC7ymhmxjfoAnBDwEEYEVyKZ9mzjU=
-github.com/aws/aws-sdk-go-v2/config v1.32.1/go.mod h1:xoAgo17AGrPpJBSLg81W+ikM0cpOZG8ad04T2r+d5P0=
 github.com/aws/aws-sdk-go-v2/config v1.32.2 h1:4liUsdEpUUPZs5WVapsJLx5NPmQhQdez7nYFcovrytk=
 github.com/aws/aws-sdk-go-v2/config v1.32.2/go.mod h1:l0hs06IFz1eCT+jTacU/qZtC33nvcnLADAPL/XyrkZI=
-github.com/aws/aws-sdk-go-v2/credentials v1.19.1 h1:JeW+EwmtTE0yXFK8SmklrFh/cGTTXsQJumgMZNlbxfM=
-github.com/aws/aws-sdk-go-v2/credentials v1.19.1/go.mod h1:BOoXiStwTF+fT2XufhO0Efssbi1CNIO/ZXpZu87N0pw=
 github.com/aws/aws-sdk-go-v2/credentials v1.19.2 h1:qZry8VUyTK4VIo5aEdUcBjPZHL2v4FyQ3QEOaWcFLu4=
 github.com/aws/aws-sdk-go-v2/credentials v1.19.2/go.mod h1:YUqm5a1/kBnoK+/NY5WEiMocZihKSo15/tJdmdXnM5g=
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.14 h1:WZVR5DbDgxzA0BJeudId89Kmgy6DIU4ORpxwsVHz0qA=
@@ -62,30 +70,22 @@ github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.14 h1:FIouAnCE
 github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.14/go.mod h1:UTwDc5COa5+guonQU8qBikJo1ZJ4ln2r1MkF7Dqag1E=
 github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.14 h1:FzQE21lNtUor0Fb7QNgnEyiRCBlolLTX/Z1j65S7teM=
 github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.14/go.mod h1:s1ydyWG9pm3ZwmmYN21HKyG9WzAZhYVW85wMHs5FV6w=
-github.com/aws/aws-sdk-go-v2/service/s3 v1.92.0 h1:8FshVvnV2sr9kOSAbOnc/vwVmmAwMjOedKH6JW2ddPM=
-github.com/aws/aws-sdk-go-v2/service/s3 v1.92.0/go.mod h1:wYNqY3L02Z3IgRYxOBPH9I1zD9Cjh9hI5QOy/eOjQvw=
 github.com/aws/aws-sdk-go-v2/service/s3 v1.92.1 h1:OgQy/+0+Kc3khtqiEOk23xQAglXi3Tj0y5doOxbi5tg=
 github.com/aws/aws-sdk-go-v2/service/s3 v1.92.1/go.mod h1:wYNqY3L02Z3IgRYxOBPH9I1zD9Cjh9hI5QOy/eOjQvw=
-github.com/aws/aws-sdk-go-v2/service/signin v1.0.1 h1:BDgIUYGEo5TkayOWv/oBLPphWwNm/A91AebUjAu5L5g=
-github.com/aws/aws-sdk-go-v2/service/signin v1.0.1/go.mod h1:iS6EPmNeqCsGo+xQmXv0jIMjyYtQfnwg36zl2FwEouk=
 github.com/aws/aws-sdk-go-v2/service/signin v1.0.2 h1:MxMBdKTYBjPQChlJhi4qlEueqB1p1KcbTEa7tD5aqPs=
 github.com/aws/aws-sdk-go-v2/service/signin v1.0.2/go.mod h1:iS6EPmNeqCsGo+xQmXv0jIMjyYtQfnwg36zl2FwEouk=
-github.com/aws/aws-sdk-go-v2/service/sso v1.30.4 h1:U//SlnkE1wOQiIImxzdY5PXat4Wq+8rlfVEw4Y7J8as=
-github.com/aws/aws-sdk-go-v2/service/sso v1.30.4/go.mod h1:av+ArJpoYf3pgyrj6tcehSFW+y9/QvAY8kMooR9bZCw=
 github.com/aws/aws-sdk-go-v2/service/sso v1.30.5 h1:ksUT5KtgpZd3SAiFJNJ0AFEJVva3gjBmN7eXUZjzUwQ=
 github.com/aws/aws-sdk-go-v2/service/sso v1.30.5/go.mod h1:av+ArJpoYf3pgyrj6tcehSFW+y9/QvAY8kMooR9bZCw=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.9 h1:LU8S9W/mPDAU9q0FjCLi0TrCheLMGwzbRpvUMwYspcA=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.9/go.mod h1:/j67Z5XBVDx8nZVp9EuFM9/BS5dvBznbqILGuu73hug=
 github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.10 h1:GtsxyiF3Nd3JahRBJbxLCCdYW9ltGQYrFWg8XdkGDd8=
 github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.10/go.mod h1:/j67Z5XBVDx8nZVp9EuFM9/BS5dvBznbqILGuu73hug=
-github.com/aws/aws-sdk-go-v2/service/sts v1.41.1 h1:GdGmKtG+/Krag7VfyOXV17xjTCz0i9NT+JnqLTOI5nA=
-github.com/aws/aws-sdk-go-v2/service/sts v1.41.1/go.mod h1:6TxbXoDSgBQ225Qd8Q+MbxUxUh6TtNKwbRt/EPS9xso=
 github.com/aws/aws-sdk-go-v2/service/sts v1.41.2 h1:a5UTtD4mHBU3t0o6aHQZFJTNKVfxFWfPX7J0Lr7G+uY=
 github.com/aws/aws-sdk-go-v2/service/sts v1.41.2/go.mod h1:6TxbXoDSgBQ225Qd8Q+MbxUxUh6TtNKwbRt/EPS9xso=
 github.com/aws/smithy-go v1.23.2 h1:Crv0eatJUQhaManss33hS5r40CG3ZFH+21XSkqMrIUM=
 github.com/aws/smithy-go v1.23.2/go.mod h1:LEj2LM3rBRQJxPZTB4KuzZkaZYnZPnvgIhb4pu07mx0=
 github.com/aymanbagabas/go-osc52/v2 v2.0.1 h1:HwpRHbFMcZLEVr42D4p7XBqjyuxQH5SMiErDT4WkJ2k=
 github.com/aymanbagabas/go-osc52/v2 v2.0.1/go.mod h1:uYgXzlJ7ZpABp8OJ+exZzJJhRNQ2ASbcXHWsFqH8hp8=
+github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
+github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/charmbracelet/bubbles v0.21.0 h1:9TdC97SdRVg/1aaXNVWfFH3nnLAwOXr8Fn6u6mfQdFs=
@@ -105,17 +105,24 @@ github.com/charmbracelet/x/term v0.2.1/go.mod h1:oQ4enTYFV7QN4m0i9mzHrViD7TQKvNE
 github.com/cncf/xds/go v0.0.0-20250501225837-2ac532fd4443 h1:aQ3y1lwWyqYPiWZThqv1aFbZMiM9vblcSArJRf2Irls=
 github.com/cncf/xds/go v0.0.0-20250501225837-2ac532fd4443/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
-github.com/creack/pty v1.1.17 h1:QeVUsEDNrLBW4tMgZHvxy18sKtr6VI492kBhUfhDJNI=
-github.com/creack/pty v1.1.17/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
+github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
+github.com/envoyproxy/go-control-plane v0.13.4 h1:zEqyPVyku6IvWCFwux4x9RxkLOMUL+1vC9xUFv5l2/M=
+github.com/envoyproxy/go-control-plane v0.13.4/go.mod h1:kDfuBlDVsSj2MjrLEtRWtHlsWIFcGyB2RMO44Dc5GZA=
 github.com/envoyproxy/go-control-plane/envoy v1.32.4 h1:jb83lalDRZSpPWW2Z7Mck/8kXZ5CQAFYVjQcdVIr83A=
 github.com/envoyproxy/go-control-plane/envoy v1.32.4/go.mod h1:Gzjc5k8JcJswLjAx1Zm+wSYE20UrLtt7JZMWiWQXQEw=
+github.com/envoyproxy/go-control-plane/ratelimit v0.1.0 h1:/G9QYbddjL25KvtKTv3an9lx6VBE2cnb8wp1vEGNYGI=
+github.com/envoyproxy/go-control-plane/ratelimit v0.1.0/go.mod h1:Wk+tMFAFbCXaJPzVVHnPgRKdUdwW/KdbRt94AzgRee4=
 github.com/envoyproxy/protoc-gen-validate v1.2.1 h1:DEo3O99U8j4hBFwbJfrz9VtgcDfUKS7KJ7spH3d86P8=
 github.com/envoyproxy/protoc-gen-validate v1.2.1/go.mod h1:d/C80l/jxXLdfEIhX1W2TmLfsJ31lvEjwamM4DxlWXU=
 github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f h1:Y/CXytFA4m6baUTXGLOoWe4PQhGxaX0KpnayAqC48p4=
 github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f/go.mod h1:vw97MGsxSvLiUE2X8qFplwetxpGLQrlU1Q9AUEIzCaM=
+github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM=
+github.com/fatih/color v1.18.0/go.mod h1:4FelSpRwEGDpQ12mAdzqdOukCy4u8WUtOY6lkT/6HfU=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/go-jose/go-jose/v4 v4.1.2 h1:TK/7NqRQZfgAh+Td8AlsrvtPoUyiHh0LqVvokh+1vHI=
@@ -125,8 +132,19 @@ github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
 github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
+github.com/go-ole/go-ole v1.2.6 h1:/Fpf6oFPoeFik9ty7siob0G6Ke8QvQEuVcuChpwXzpY=
+github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0=
 github.com/go-sql-driver/mysql v1.9.3 h1:U/N249h2WzJ3Ukj8SowVFjdtZKfu9vlLZxjPXV1aweo=
 github.com/go-sql-driver/mysql v1.9.3/go.mod h1:qn46aNg1333BRMNU69Lq93t8du/dwxI64Gl8i5p1WMU=
+github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo=
+github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
+github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
+github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
+github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
+github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
+github.com/google/martian/v3 v3.3.3 h1:DIhPTQrbPkgs2yJYdXU/eNACCG5DVQjySNRNlflZ9Fc=
+github.com/google/martian/v3 v3.3.3/go.mod h1:iEPrYcgCF7jA9OtScMFQyAlZZ4YXTKEtJ1E6RWzmBA0=
 github.com/google/s2a-go v0.1.9 h1:LGD7gtMgezd8a/Xak7mEWL0PjoTQFvpRudN895yqKW0=
 github.com/google/s2a-go v0.1.9/go.mod h1:YA0Ei2ZQL3acow2O62kdp9UlnvMmU7kA6Eutn0dXayM=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
@@ -135,6 +153,10 @@ github.com/googleapis/enterprise-certificate-proxy v0.3.7 h1:zrn2Ee/nWmHulBx5sAV
 github.com/googleapis/enterprise-certificate-proxy v0.3.7/go.mod h1:MkHOF77EYAE7qfSuSS9PU6g4Nt4e11cnsDUowfwewLA=
 github.com/googleapis/gax-go/v2 v2.15.0 h1:SyjDc1mGgZU5LncH8gimWo9lW1DtIfPibOG81vgd/bo=
 github.com/googleapis/gax-go/v2 v2.15.0/go.mod h1:zVVkkxAQHa1RQpg9z2AUCMnKhi0Qld9rcmyfL1OZhoc=
+github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/UYA=
+github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
+github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
+github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM=
@@ -145,30 +167,52 @@ github.com/jackc/pgx/v5 v5.7.6 h1:rWQc5FwZSPX58r1OQmkuaNicxdmExaEz5A2DO2hUuTk=
 github.com/jackc/pgx/v5 v5.7.6/go.mod h1:aruU7o91Tc2q2cFp5h4uP3f6ztExVpyVv88Xl/8Vl8M=
 github.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo=
 github.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
+github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
+github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/lucasb-eyer/go-colorful v1.2.0 h1:1nnpGOrhyZZuNyfu1QjKiUICQ74+3FNCN69Aj6K7nkY=
 github.com/lucasb-eyer/go-colorful v1.2.0/go.mod h1:R4dSotOR9KMtayYi1e77YzuveK+i7ruzyGqttikkLy0=
+github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 h1:6E+4a0GO5zZEnZ81pIr0yLvtUWk2if982qA3F3QD6H4=
+github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0/go.mod h1:zJYVVT2jmtg6P3p1VtQj7WsuWi/y4VnjVBn7F8KPB3I=
+github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
+github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
+github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mattn/go-localereader v0.0.1 h1:ygSAOl7ZXTx4RdPYinUpg6W99U8jWvWi9Ye2JC/oIi4=
 github.com/mattn/go-localereader v0.0.1/go.mod h1:8fBrzywKY7BI3czFoHkuzRoWE9C+EiG4R1k4Cjx5p88=
 github.com/mattn/go-runewidth v0.0.16 h1:E5ScNMtiwvlvB5paMFdw9p4kSQzbXFikJ5SQO6TULQc=
 github.com/mattn/go-runewidth v0.0.16/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
+github.com/mattn/go-sqlite3 v1.14.32 h1:JD12Ag3oLy1zQA+BNn74xRgaBbdhbNIDYvQUEuuErjs=
+github.com/mattn/go-sqlite3 v1.14.32/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
+github.com/mitchellh/colorstring v0.0.0-20190213212951-d06e56a500db h1:62I3jR2EmQ4l5rM/4FEfDWcRD+abF5XlKShorW5LRoQ=
+github.com/mitchellh/colorstring v0.0.0-20190213212951-d06e56a500db/go.mod h1:l0dey0ia/Uv7NcFFVbCLtqEBQbrT4OCwCSKTEv6enCw=
 github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6 h1:ZK8zHtRHOkbHy6Mmr5D264iyp3TiX5OmNcI5cIARiQI=
 github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6/go.mod h1:CJlz5H+gyd6CUWT45Oy4q24RdLyn7Md9Vj2/ldJBSIo=
 github.com/muesli/cancelreader v0.2.2 h1:3I4Kt4BQjOR54NavqnDogx/MIoWBFa0StPA8ELUXHmA=
 github.com/muesli/cancelreader v0.2.2/go.mod h1:3XuTXfFS2VjM+HTLZY9Ak0l6eUKfijIfMUZ4EgX0QYo=
 github.com/muesli/termenv v0.16.0 h1:S5AlUN9dENB57rsbnkPyfdGuWIlkmzJjbFf0Tf5FWUc=
 github.com/muesli/termenv v0.16.0/go.mod h1:ZRfOIKPFDYQoDFF4Olj7/QJbW60Ol/kL1pU3VfY/Cnk=
+github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ=
+github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c/go.mod h1:7rwL4CYBLnjLxUqIJNnCWiEdr3bn6IUYi15bNlnbCCU=
 github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 h1:GFCKgmp0tecUJ0sJuv4pzYCqS9+RGSn52M3FUwPs+uo=
 github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8=
-github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
+github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c h1:ncq/mPwQF4JjgDlrVEn3C11VoGHZN7m8qihwgMEtzYw=
+github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
 github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/schollz/progressbar/v3 v3.19.0 h1:Ea18xuIRQXLAUidVDox3AbwfUhD0/1IvohyTutOIFoc=
+github.com/schollz/progressbar/v3 v3.19.0/go.mod h1:IsO3lpbaGuzh8zIMzgY3+J8l4C8GjO0Y9S69eFvNsec=
+github.com/shirou/gopsutil/v3 v3.24.5 h1:i0t8kL+kQTvpAYToeuiVk3TgDeKOFioZO3Ztz/iZ9pI=
+github.com/shirou/gopsutil/v3 v3.24.5/go.mod h1:bsoOS1aStSs9ErQ1WWfxllSeS1K5D+U30r2NfcubMVk=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
+github.com/spf13/afero v1.15.0 h1:b/YBCLWAJdFWJTN9cLhiXXcD7mzKn9Dm86dNnfyQw1I=
+github.com/spf13/afero v1.15.0/go.mod h1:NC2ByUVxtQs4b3sIUphxK0NioZnmxgyCrfzeuq8lxMg=
 github.com/spf13/cobra v1.10.1 h1:lJeBwCfmrnXthfAupyUTzJ/J4Nc1RsHC/mSRU2dll/s=
 github.com/spf13/cobra v1.10.1/go.mod h1:7SmJGaTHFVBY0jW4NXGluQoLvhqFQM+6XSKD+P4XaB0=
 github.com/spf13/pflag v1.0.9 h1:9exaQaMOCwffKiiiYk6/BndUBv+iRViNW+4lEMi0PvY=
@@ -177,13 +221,17 @@ github.com/spiffe/go-spiffe/v2 v2.5.0 h1:N2I01KCUkv1FAjZXJMwh95KK1ZIQLYbPfhaxw8W
 github.com/spiffe/go-spiffe/v2 v2.5.0/go.mod h1:P+NxobPc6wXhVtINNtFjNWGBTreew1GBUCwT2wPmb7g=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
-github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk=
-github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
+github.com/tklauser/go-sysconf v0.3.12 h1:0QaGUFOdQaIVdPgfITYzaTegZvdCjmYO52cSFAEVmqU=
+github.com/tklauser/go-sysconf v0.3.12/go.mod h1:Ho14jnntGE1fpdOqQEEaiKRpvIavV0hSfmBq8nJbHYI=
+github.com/tklauser/numcpus v0.6.1 h1:ng9scYS7az0Bk4OZLvrNXNSAO2Pxr1XXRAPyjhIx+Fk=
+github.com/tklauser/numcpus v0.6.1/go.mod h1:1XfjsgE2zo8GVw7POkMbHENHzVg3GzmoZ9fESEdAacY=
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e h1:JVG44RsyaB9T2KIHavMF/ppJZNG9ZpyihvCd0w101no=
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e/go.mod h1:RbqR21r5mrJuqunuUZ/Dhy/avygyECGrLceyNeo4LiM=
+github.com/yusufpapurcu/wmi v1.2.4 h1:zFUKzehAFReQwLys1b/iSMl+JQGSCSjtVqQn9bBrPo0=
+github.com/yusufpapurcu/wmi v1.2.4/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0=
 github.com/zeebo/errs v1.4.0 h1:XNdoD/RRMKP7HD0UhJnIzUy74ISdGGxURlYG8HSWSfM=
 github.com/zeebo/errs v1.4.0/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4=
 go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
@@ -196,6 +244,8 @@ go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 h1:F7Jx+6h
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0/go.mod h1:UHB22Z8QsdRDrnAtX4PntOl36ajSxcdUMt1sF7Y6E7Q=
 go.opentelemetry.io/otel v1.37.0 h1:9zhNfelUvx0KBfu/gb+ZgeAfAgtWrfHJZcAqFC228wQ=
 go.opentelemetry.io/otel v1.37.0/go.mod h1:ehE/umFRLnuLa/vSccNq9oS1ErUlkkK71gMcN34UG8I=
+go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.36.0 h1:rixTyDGXFxRy1xzhKrotaHy3/KXdPhlWARrCgK+eqUY=
+go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.36.0/go.mod h1:dowW6UsM9MKbJq5JTz2AMVp3/5iW5I/TStsk8S+CfHw=
 go.opentelemetry.io/otel/metric v1.37.0 h1:mvwbQS5m0tbmqML4NqK+e3aDiO02vsf/WgbsdpcPoZE=
 go.opentelemetry.io/otel/metric v1.37.0/go.mod h1:04wGrZurHYKOc+RKeye86GwKiTb9FKm1WHtO+4EVr2E=
 go.opentelemetry.io/otel/sdk v1.37.0 h1:ItB0QUqnjesGRvNcmAcU0LyvkVyGJ2xftD29bWdDvKI=
@@ -204,41 +254,35 @@ go.opentelemetry.io/otel/sdk/metric v1.37.0 h1:90lI228XrB9jCMuSdA0673aubgRobVZFh
 go.opentelemetry.io/otel/sdk/metric v1.37.0/go.mod h1:cNen4ZWfiD37l5NhS+Keb5RXVWZWpRE+9WyVCpbo5ps=
 go.opentelemetry.io/otel/trace v1.37.0 h1:HLdcFNbRQBE2imdSEgm/kwqmQj1Or1l/7bW6mxVK7z4=
 go.opentelemetry.io/otel/trace v1.37.0/go.mod h1:TlgrlQ+PtQO5XFerSPUYG0JSgGyryXewPGyayAWSBS0=
-golang.org/x/crypto v0.37.0 h1:kJNSjF/Xp7kU0iB2Z+9viTPMW4EqqsrywMXLJOOsXSE=
-golang.org/x/crypto v0.37.0/go.mod h1:vg+k43peMZ0pUMhYmVAWysMK35e6ioLh3wB8ZCAfbVc=
-golang.org/x/crypto v0.41.0 h1:WKYxWedPGCTVVl5+WHSSrOBT0O8lx32+zxmHxijgXp4=
-golang.org/x/crypto v0.41.0/go.mod h1:pO5AFd7FA68rFak7rOAGVuygIISepHftHnr8dr6+sUc=
 golang.org/x/crypto v0.43.0 h1:dduJYIi3A3KOfdGOHX8AVZ/jGiyPa3IbBozJ5kNuE04=
 golang.org/x/crypto v0.43.0/go.mod h1:BFbav4mRNlXJL4wNeejLpWxB7wMbc79PdRGhWKncxR0=
 golang.org/x/exp v0.0.0-20220909182711-5c715a9e8561 h1:MDc5xs78ZrZr3HMQugiXOAkSZtfTpbJLDr/lwfgO53E=
 golang.org/x/exp v0.0.0-20220909182711-5c715a9e8561/go.mod h1:cyybsKvd6eL0RnXn6p/Grxp8F5bW7iYuBgsNCOHpMYE=
-golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE=
-golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg=
 golang.org/x/net v0.46.0 h1:giFlY12I07fugqwPuWJi68oOnpfqFnJIJzaIIm2JVV4=
 golang.org/x/net v0.46.0/go.mod h1:Q9BGdFy1y4nkUwiLvT5qtyhAnEHgnQ/zd8PfU6nc210=
 golang.org/x/oauth2 v0.33.0 h1:4Q+qn+E5z8gPRJfmRy7C2gGG3T4jIprK6aSYgTXGRpo=
 golang.org/x/oauth2 v0.33.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
-golang.org/x/sync v0.13.0 h1:AauUjRAJ9OSnvULf/ARrrVywoJDy0YS2AwQ98I37610=
-golang.org/x/sync v0.13.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
-golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw=
-golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
 golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201204225414-ed752295db88/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
-golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/sys v0.37.0 h1:fdNQudmxPjkdUTPnLn5mdQv7Zwvbvpaxqs831goi9kQ=
-golang.org/x/sys v0.37.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/text v0.24.0 h1:dd5Bzh4yt5KYA8f9CJHCP4FB4D51c2c6JvN37xJJkJ0=
-golang.org/x/text v0.24.0/go.mod h1:L8rBsPeo2pSS+xqN0d5u2ikmjtmoJbDBT1b7nHvFCdU=
-golang.org/x/text v0.28.0 h1:rhazDwis8INMIwQ4tpjLDzUhx6RlXqZNPEM0huQojng=
-golang.org/x/text v0.28.0/go.mod h1:U8nCwOR8jO/marOQ0QbDiOngZVEBB7MAiitBuMjXiNU=
+golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
+golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/term v0.36.0 h1:zMPR+aF8gfksFprF/Nc/rd1wRS1EI6nDBGyWAvDzx2Q=
+golang.org/x/term v0.36.0/go.mod h1:Qu394IJq6V6dCBRgwqshf3mPF85AqzYEzofzRdZkWss=
 golang.org/x/text v0.30.0 h1:yznKA/E9zq54KzlzBEAWn1NXSQ8DIp/NYMy88xJjl4k=
 golang.org/x/text v0.30.0/go.mod h1:yDdHFIX9t+tORqspjENWgzaCVXgk0yYnYuSZ8UzzBVM=
 golang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI=
 golang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
+gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
 google.golang.org/api v0.256.0 h1:u6Khm8+F9sxbCTYNoBHg6/Hwv0N/i+V94MvkOSor6oI=
 google.golang.org/api v0.256.0/go.mod h1:KIgPhksXADEKJlnEoRa9qAII4rXcy40vfI8HRqcU964=
 google.golang.org/genproto v0.0.0-20250603155806-513f23925822 h1:rHWScKit0gvAPuOnu87KpaYtjK5zBMLcULh7gxkCXu4=
--- a/grafana/dbbackup-dashboard.json
+++ b/grafana/dbbackup-dashboard.json
@@ -0,0 +1,1303 @@
+{
+  "annotations": {
+    "list": [
+      {
+        "builtIn": 1,
+        "datasource": {
+          "type": "grafana",
+          "uid": "-- Grafana --"
+        },
+        "enable": true,
+        "hide": true,
+        "iconColor": "rgba(0, 211, 255, 1)",
+        "name": "Annotations & Alerts",
+        "type": "dashboard"
+      }
+    ]
+  },
+  "editable": true,
+  "fiscalYearStartMonth": 0,
+  "graphTooltip": 0,
+  "id": null,
+  "links": [],
+  "liveNow": false,
+  "panels": [
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "thresholds"
+          },
+          "mappings": [
+            {
+              "options": {
+                "0": {
+                  "color": "red",
+                  "index": 1,
+                  "text": "FAILED"
+                },
+                "1": {
+                  "color": "green",
+                  "index": 0,
+                  "text": "SUCCESS"
+                }
+              },
+              "type": "value"
+            }
+          ],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "red",
+                "value": null
+              },
+              {
+                "color": "green",
+                "value": 1
+              }
+            ]
+          }
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 4,
+        "w": 6,
+        "x": 0,
+        "y": 0
+      },
+      "id": 1,
+      "options": {
+        "colorMode": "background",
+        "graphMode": "none",
+        "justifyMode": "auto",
+        "orientation": "auto",
+        "reduceOptions": {
+          "calcs": [
+            "lastNotNull"
+          ],
+          "fields": "",
+          "values": false
+        },
+        "textMode": "auto"
+      },
+      "pluginVersion": "10.2.0",
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "editorMode": "code",
+          "expr": "dbbackup_rpo_seconds{instance=~\"$instance\"} < 86400",
+          "legendFormat": "{{database}}",
+          "range": true,
+          "refId": "A"
+        }
+      ],
+      "title": "Last Backup Status",
+      "type": "stat"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "thresholds"
+          },
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green",
+                "value": null
+              },
+              {
+                "color": "yellow",
+                "value": 43200
+              },
+              {
+                "color": "red",
+                "value": 86400
+              }
+            ]
+          },
+          "unit": "s"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 4,
+        "w": 6,
+        "x": 6,
+        "y": 0
+      },
+      "id": 2,
+      "options": {
+        "colorMode": "value",
+        "graphMode": "area",
+        "justifyMode": "auto",
+        "orientation": "auto",
+        "reduceOptions": {
+          "calcs": [
+            "lastNotNull"
+          ],
+          "fields": "",
+          "values": false
+        },
+        "textMode": "auto"
+      },
+      "pluginVersion": "10.2.0",
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "editorMode": "code",
+          "expr": "dbbackup_rpo_seconds{instance=~\"$instance\"}",
+          "legendFormat": "{{database}}",
+          "range": true,
+          "refId": "A"
+        }
+      ],
+      "title": "Time Since Last Backup",
+      "type": "stat"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "thresholds"
+          },
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green",
+                "value": null
+              }
+            ]
+          }
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 4,
+        "w": 6,
+        "x": 12,
+        "y": 0
+      },
+      "id": 3,
+      "options": {
+        "colorMode": "value",
+        "graphMode": "none",
+        "justifyMode": "auto",
+        "orientation": "auto",
+        "reduceOptions": {
+          "calcs": [
+            "lastNotNull"
+          ],
+          "fields": "",
+          "values": false
+        },
+        "textMode": "auto"
+      },
+      "pluginVersion": "10.2.0",
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "editorMode": "code",
+          "expr": "dbbackup_backup_total{instance=~\"$instance\", status=\"success\"}",
+          "legendFormat": "{{database}}",
+          "range": true,
+          "refId": "A"
+        }
+      ],
+      "title": "Total Successful Backups",
+      "type": "stat"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "thresholds"
+          },
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green",
+                "value": null
+              },
+              {
+                "color": "red",
+                "value": 1
+              }
+            ]
+          }
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 4,
+        "w": 6,
+        "x": 18,
+        "y": 0
+      },
+      "id": 4,
+      "options": {
+        "colorMode": "value",
+        "graphMode": "none",
+        "justifyMode": "auto",
+        "orientation": "auto",
+        "reduceOptions": {
+          "calcs": [
+            "lastNotNull"
+          ],
+          "fields": "",
+          "values": false
+        },
+        "textMode": "auto"
+      },
+      "pluginVersion": "10.2.0",
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "editorMode": "code",
+          "expr": "dbbackup_backup_total{instance=~\"$instance\", status=\"failure\"}",
+          "legendFormat": "{{database}}",
+          "range": true,
+          "refId": "A"
+        }
+      ],
+      "title": "Total Failed Backups",
+      "type": "stat"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "palette-classic"
+          },
+          "custom": {
+            "axisCenteredZero": false,
+            "axisColorMode": "text",
+            "axisLabel": "",
+            "axisPlacement": "auto",
+            "barAlignment": 0,
+            "drawStyle": "line",
+            "fillOpacity": 10,
+            "gradientMode": "none",
+            "hideFrom": {
+              "legend": false,
+              "tooltip": false,
+              "viz": false
+            },
+            "insertNulls": false,
+            "lineInterpolation": "linear",
+            "lineWidth": 1,
+            "pointSize": 5,
+            "scaleDistribution": {
+              "type": "linear"
+            },
+            "showPoints": "auto",
+            "spanNulls": false,
+            "stacking": {
+              "group": "A",
+              "mode": "none"
+            },
+            "thresholdsStyle": {
+              "mode": "line"
+            }
+          },
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green",
+                "value": null
+              },
+              {
+                "color": "red",
+                "value": 86400
+              }
+            ]
+          },
+          "unit": "s"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 8,
+        "w": 12,
+        "x": 0,
+        "y": 4
+      },
+      "id": 5,
+      "options": {
+        "legend": {
+          "calcs": [],
+          "displayMode": "list",
+          "placement": "bottom",
+          "showLegend": true
+        },
+        "tooltip": {
+          "mode": "single",
+          "sort": "none"
+        }
+      },
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "editorMode": "code",
+          "expr": "dbbackup_rpo_seconds{instance=~\"$instance\"}",
+          "legendFormat": "{{instance}} - {{database}}",
+          "range": true,
+          "refId": "A"
+        }
+      ],
+      "title": "RPO Over Time",
+      "type": "timeseries"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "palette-classic"
+          },
+          "custom": {
+            "axisCenteredZero": false,
+            "axisColorMode": "text",
+            "axisLabel": "",
+            "axisPlacement": "auto",
+            "barAlignment": 0,
+            "drawStyle": "bars",
+            "fillOpacity": 100,
+            "gradientMode": "none",
+            "hideFrom": {
+              "legend": false,
+              "tooltip": false,
+              "viz": false
+            },
+            "insertNulls": false,
+            "lineInterpolation": "linear",
+            "lineWidth": 1,
+            "pointSize": 5,
+            "scaleDistribution": {
+              "type": "linear"
+            },
+            "showPoints": "never",
+            "spanNulls": false,
+            "stacking": {
+              "group": "A",
+              "mode": "none"
+            },
+            "thresholdsStyle": {
+              "mode": "off"
+            }
+          },
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green",
+                "value": null
+              }
+            ]
+          },
+          "unit": "bytes"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 8,
+        "w": 12,
+        "x": 12,
+        "y": 4
+      },
+      "id": 6,
+      "options": {
+        "legend": {
+          "calcs": [],
+          "displayMode": "list",
+          "placement": "bottom",
+          "showLegend": true
+        },
+        "tooltip": {
+          "mode": "single",
+          "sort": "none"
+        }
+      },
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "editorMode": "code",
+          "expr": "dbbackup_last_backup_size_bytes{instance=~\"$instance\"}",
+          "legendFormat": "{{instance}} - {{database}}",
+          "range": true,
+          "refId": "A"
+        }
+      ],
+      "title": "Backup Size",
+      "type": "timeseries"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "palette-classic"
+          },
+          "custom": {
+            "axisCenteredZero": false,
+            "axisColorMode": "text",
+            "axisLabel": "",
+            "axisPlacement": "auto",
+            "barAlignment": 0,
+            "drawStyle": "line",
+            "fillOpacity": 10,
+            "gradientMode": "none",
+            "hideFrom": {
+              "legend": false,
+              "tooltip": false,
+              "viz": false
+            },
+            "insertNulls": false,
+            "lineInterpolation": "linear",
+            "lineWidth": 1,
+            "pointSize": 5,
+            "scaleDistribution": {
+              "type": "linear"
+            },
+            "showPoints": "auto",
+            "spanNulls": false,
+            "stacking": {
+              "group": "A",
+              "mode": "none"
+            },
+            "thresholdsStyle": {
+              "mode": "off"
+            }
+          },
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green",
+                "value": null
+              }
+            ]
+          },
+          "unit": "s"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 8,
+        "w": 12,
+        "x": 0,
+        "y": 12
+      },
+      "id": 7,
+      "options": {
+        "legend": {
+          "calcs": [],
+          "displayMode": "list",
+          "placement": "bottom",
+          "showLegend": true
+        },
+        "tooltip": {
+          "mode": "single",
+          "sort": "none"
+        }
+      },
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "editorMode": "code",
+          "expr": "dbbackup_last_backup_duration_seconds{instance=~\"$instance\"}",
+          "legendFormat": "{{instance}} - {{database}}",
+          "range": true,
+          "refId": "A"
+        }
+      ],
+      "title": "Backup Duration",
+      "type": "timeseries"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "thresholds"
+          },
+          "custom": {
+            "align": "auto",
+            "cellOptions": {
+              "type": "auto"
+            },
+            "inspect": false
+          },
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green",
+                "value": null
+              }
+            ]
+          }
+        },
+        "overrides": [
+          {
+            "matcher": {
+              "id": "byName",
+              "options": "Status"
+            },
+            "properties": [
+              {
+                "id": "mappings",
+                "value": [
+                  {
+                    "options": {
+                      "0": {
+                        "color": "red",
+                        "index": 1,
+                        "text": "FAILED"
+                      },
+                      "1": {
+                        "color": "green",
+                        "index": 0,
+                        "text": "SUCCESS"
+                      }
+                    },
+                    "type": "value"
+                  }
+                ]
+              },
+              {
+                "id": "custom.cellOptions",
+                "value": {
+                  "mode": "basic",
+                  "type": "color-background"
+                }
+              }
+            ]
+          },
+          {
+            "matcher": {
+              "id": "byName",
+              "options": "RPO"
+            },
+            "properties": [
+              {
+                "id": "unit",
+                "value": "s"
+              },
+              {
+                "id": "thresholds",
+                "value": {
+                  "mode": "absolute",
+                  "steps": [
+                    {
+                      "color": "green",
+                      "value": null
+                    },
+                    {
+                      "color": "yellow",
+                      "value": 43200
+                    },
+                    {
+                      "color": "red",
+                      "value": 86400
+                    }
+                  ]
+                }
+              },
+              {
+                "id": "custom.cellOptions",
+                "value": {
+                  "mode": "basic",
+                  "type": "color-background"
+                }
+              }
+            ]
+          },
+          {
+            "matcher": {
+              "id": "byName",
+              "options": "Size"
+            },
+            "properties": [
+              {
+                "id": "unit",
+                "value": "bytes"
+              }
+            ]
+          }
+        ]
+      },
+      "gridPos": {
+        "h": 8,
+        "w": 12,
+        "x": 12,
+        "y": 12
+      },
+      "id": 8,
+      "options": {
+        "cellHeight": "sm",
+        "footer": {
+          "countRows": false,
+          "fields": "",
+          "reducer": [
+            "sum"
+          ],
+          "show": false
+        },
+        "showHeader": true
+      },
+      "pluginVersion": "10.2.0",
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "editorMode": "code",
+          "expr": "dbbackup_rpo_seconds{instance=~\"$instance\"} < 86400",
+          "format": "table",
+          "instant": true,
+          "legendFormat": "__auto",
+          "range": false,
+          "refId": "Status"
+        },
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "editorMode": "code",
+          "expr": "dbbackup_rpo_seconds{instance=~\"$instance\"}",
+          "format": "table",
+          "hide": false,
+          "instant": true,
+          "legendFormat": "__auto",
+          "range": false,
+          "refId": "RPO"
+        },
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "editorMode": "code",
+          "expr": "dbbackup_last_backup_size_bytes{instance=~\"$instance\"}",
+          "format": "table",
+          "hide": false,
+          "instant": true,
+          "legendFormat": "__auto",
+          "range": false,
+          "refId": "Size"
+        }
+      ],
+      "title": "Backup Status Overview",
+      "transformations": [
+        {
+          "id": "joinByField",
+          "options": {
+            "byField": "database",
+            "mode": "outer"
+          }
+        },
+        {
+          "id": "organize",
+          "options": {
+            "excludeByName": {
+              "Time": true,
+              "Time 1": true,
+              "Time 2": true,
+              "Time 3": true,
+              "__name__": true,
+              "__name__ 1": true,
+              "__name__ 2": true,
+              "__name__ 3": true,
+              "instance 1": true,
+              "instance 2": true,
+              "instance 3": true,
+              "job": true,
+              "job 1": true,
+              "job 2": true,
+              "job 3": true
+            },
+            "indexByName": {},
+            "renameByName": {
+              "Value #RPO": "RPO",
+              "Value #Size": "Size",
+              "Value #Status": "Status",
+              "database": "Database",
+              "instance": "Instance"
+            }
+          }
+        }
+      ],
+      "type": "table"
+    },
+    {
+      "collapsed": false,
+      "gridPos": {
+        "h": 1,
+        "w": 24,
+        "x": 0,
+        "y": 30
+      },
+      "id": 100,
+      "panels": [],
+      "title": "Deduplication Statistics",
+      "type": "row"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "thresholds"
+          },
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "blue",
+                "value": null
+              }
+            ]
+          },
+          "unit": "percentunit"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 5,
+        "w": 6,
+        "x": 0,
+        "y": 31
+      },
+      "id": 101,
+      "options": {
+        "colorMode": "background",
+        "graphMode": "none",
+        "justifyMode": "auto",
+        "orientation": "auto",
+        "reduceOptions": {
+          "calcs": ["lastNotNull"],
+          "fields": "",
+          "values": false
+        },
+        "textMode": "auto"
+      },
+      "pluginVersion": "10.2.0",
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "editorMode": "code",
+          "expr": "dbbackup_dedup_ratio{instance=~\"$instance\"}",
+          "legendFormat": "__auto",
+          "range": true,
+          "refId": "A"
+        }
+      ],
+      "title": "Dedup Ratio",
+      "type": "stat"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "thresholds"
+          },
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green",
+                "value": null
+              }
+            ]
+          },
+          "unit": "bytes"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 5,
+        "w": 6,
+        "x": 6,
+        "y": 31
+      },
+      "id": 102,
+      "options": {
+        "colorMode": "value",
+        "graphMode": "none",
+        "justifyMode": "auto",
+        "orientation": "auto",
+        "reduceOptions": {
+          "calcs": ["lastNotNull"],
+          "fields": "",
+          "values": false
+        },
+        "textMode": "auto"
+      },
+      "pluginVersion": "10.2.0",
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "editorMode": "code",
+          "expr": "dbbackup_dedup_space_saved_bytes{instance=~\"$instance\"}",
+          "legendFormat": "__auto",
+          "range": true,
+          "refId": "A"
+        }
+      ],
+      "title": "Space Saved",
+      "type": "stat"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "thresholds"
+          },
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "yellow",
+                "value": null
+              }
+            ]
+          },
+          "unit": "bytes"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 5,
+        "w": 6,
+        "x": 12,
+        "y": 31
+      },
+      "id": 103,
+      "options": {
+        "colorMode": "value",
+        "graphMode": "none",
+        "justifyMode": "auto",
+        "orientation": "auto",
+        "reduceOptions": {
+          "calcs": ["lastNotNull"],
+          "fields": "",
+          "values": false
+        },
+        "textMode": "auto"
+      },
+      "pluginVersion": "10.2.0",
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "editorMode": "code",
+          "expr": "dbbackup_dedup_disk_usage_bytes{instance=~\"$instance\"}",
+          "legendFormat": "__auto",
+          "range": true,
+          "refId": "A"
+        }
+      ],
+      "title": "Disk Usage",
+      "type": "stat"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "thresholds"
+          },
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "purple",
+                "value": null
+              }
+            ]
+          },
+          "unit": "short"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 5,
+        "w": 6,
+        "x": 18,
+        "y": 31
+      },
+      "id": 104,
+      "options": {
+        "colorMode": "value",
+        "graphMode": "none",
+        "justifyMode": "auto",
+        "orientation": "auto",
+        "reduceOptions": {
+          "calcs": ["lastNotNull"],
+          "fields": "",
+          "values": false
+        },
+        "textMode": "auto"
+      },
+      "pluginVersion": "10.2.0",
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "editorMode": "code",
+          "expr": "dbbackup_dedup_chunks_total{instance=~\"$instance\"}",
+          "legendFormat": "__auto",
+          "range": true,
+          "refId": "A"
+        }
+      ],
+      "title": "Total Chunks",
+      "type": "stat"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "palette-classic"
+          },
+          "custom": {
+            "axisBorderShow": false,
+            "axisCenteredZero": false,
+            "axisColorMode": "text",
+            "axisLabel": "",
+            "axisPlacement": "auto",
+            "barAlignment": 0,
+            "drawStyle": "line",
+            "fillOpacity": 10,
+            "gradientMode": "none",
+            "hideFrom": {
+              "legend": false,
+              "tooltip": false,
+              "viz": false
+            },
+            "insertNulls": false,
+            "lineInterpolation": "linear",
+            "lineWidth": 1,
+            "pointSize": 5,
+            "scaleDistribution": {
+              "type": "linear"
+            },
+            "showPoints": "auto",
+            "spanNulls": false,
+            "stacking": {
+              "group": "A",
+              "mode": "none"
+            },
+            "thresholdsStyle": {
+              "mode": "off"
+            }
+          },
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green",
+                "value": null
+              }
+            ]
+          },
+          "unit": "percentunit"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 8,
+        "w": 12,
+        "x": 0,
+        "y": 36
+      },
+      "id": 105,
+      "options": {
+        "legend": {
+          "calcs": [],
+          "displayMode": "list",
+          "placement": "bottom",
+          "showLegend": true
+        },
+        "tooltip": {
+          "mode": "single",
+          "sort": "none"
+        }
+      },
+      "pluginVersion": "10.2.0",
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "editorMode": "code",
+          "expr": "dbbackup_dedup_database_ratio{instance=~\"$instance\"}",
+          "legendFormat": "{{database}}",
+          "range": true,
+          "refId": "A"
+        }
+      ],
+      "title": "Dedup Ratio by Database",
+      "type": "timeseries"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "palette-classic"
+          },
+          "custom": {
+            "axisBorderShow": false,
+            "axisCenteredZero": false,
+            "axisColorMode": "text",
+            "axisLabel": "",
+            "axisPlacement": "auto",
+            "barAlignment": 0,
+            "drawStyle": "line",
+            "fillOpacity": 10,
+            "gradientMode": "none",
+            "hideFrom": {
+              "legend": false,
+              "tooltip": false,
+              "viz": false
+            },
+            "insertNulls": false,
+            "lineInterpolation": "linear",
+            "lineWidth": 1,
+            "pointSize": 5,
+            "scaleDistribution": {
+              "type": "linear"
+            },
+            "showPoints": "auto",
+            "spanNulls": false,
+            "stacking": {
+              "group": "A",
+              "mode": "none"
+            },
+            "thresholdsStyle": {
+              "mode": "off"
+            }
+          },
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green",
+                "value": null
+              }
+            ]
+          },
+          "unit": "bytes"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 8,
+        "w": 12,
+        "x": 12,
+        "y": 36
+      },
+      "id": 106,
+      "options": {
+        "legend": {
+          "calcs": [],
+          "displayMode": "list",
+          "placement": "bottom",
+          "showLegend": true
+        },
+        "tooltip": {
+          "mode": "single",
+          "sort": "none"
+        }
+      },
+      "pluginVersion": "10.2.0",
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "editorMode": "code",
+          "expr": "dbbackup_dedup_space_saved_bytes{instance=~\"$instance\"}",
+          "legendFormat": "Space Saved",
+          "range": true,
+          "refId": "A"
+        },
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "editorMode": "code",
+          "expr": "dbbackup_dedup_disk_usage_bytes{instance=~\"$instance\"}",
+          "legendFormat": "Disk Usage",
+          "range": true,
+          "refId": "B"
+        }
+      ],
+      "title": "Dedup Storage Over Time",
+      "type": "timeseries"
+    }
+  ],
+  "refresh": "30s",
+  "schemaVersion": 38,
+  "tags": [
+    "dbbackup",
+    "backup",
+    "database",
+    "dedup"
+  ],
+  "templating": {
+    "list": [
+      {
+        "current": {
+          "selected": false,
+          "text": "All",
+          "value": "$__all"
+        },
+        "datasource": {
+          "type": "prometheus",
+          "uid": "${DS_PROMETHEUS}"
+        },
+        "definition": "label_values(dbbackup_rpo_seconds, instance)",
+        "hide": 0,
+        "includeAll": true,
+        "label": "Instance",
+        "multi": true,
+        "name": "instance",
+        "options": [],
+        "query": {
+          "query": "label_values(dbbackup_rpo_seconds, instance)",
+          "refId": "StandardVariableQuery"
+        },
+        "refresh": 1,
+        "regex": "",
+        "skipUrlSync": false,
+        "sort": 1,
+        "type": "query"
+      },
+      {
+        "hide": 2,
+        "name": "DS_PROMETHEUS",
+        "query": "prometheus",
+        "skipUrlSync": false,
+        "type": "datasource"
+      }
+    ]
+  },
+  "time": {
+    "from": "now-24h",
+    "to": "now"
+  },
+  "timepicker": {},
+  "timezone": "",
+  "title": "DBBackup Overview",
+  "uid": "dbbackup-overview",
+  "version": 1,
+  "weekStart": ""
+}
--- a/internal/auth/helper.go
+++ b/internal/auth/helper.go
@@ -2,12 +2,14 @@ package auth

 import (
 	"bufio"
+	"context"
 	"fmt"
 	"os"
 	"os/exec"
 	"path/filepath"
 	"strconv"
 	"strings"
+	"time"

 	"dbbackup/internal/config"
 )
@@ -69,7 +71,10 @@ func checkPgHbaConf(user string) AuthMethod {

 // findHbaFileViaPostgres asks PostgreSQL for the hba_file location
 func findHbaFileViaPostgres() string {
-	cmd := exec.Command("psql", "-U", "postgres", "-t", "-c", "SHOW hba_file;")
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	defer cancel()
+
+	cmd := exec.CommandContext(ctx, "psql", "-U", "postgres", "-t", "-c", "SHOW hba_file;")
 	output, err := cmd.Output()
 	if err != nil {
 		return ""
@@ -82,8 +87,11 @@ func parsePgHbaConf(path string, user string) AuthMethod {
 	// Try with sudo if we can't read directly
 	file, err := os.Open(path)
 	if err != nil {
-		// Try with sudo
-		cmd := exec.Command("sudo", "cat", path)
+		// Try with sudo (with timeout)
+		ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+		defer cancel()
+
+		cmd := exec.CommandContext(ctx, "sudo", "cat", path)
 		output, err := cmd.Output()
 		if err != nil {
 			return AuthUnknown
@@ -196,13 +204,13 @@ func CheckAuthenticationMismatch(cfg *config.Config) (bool, string) {
 func buildAuthMismatchMessage(osUser, dbUser string, method AuthMethod) string {
 	var msg strings.Builder

-	msg.WriteString("\n⚠️  Authentication Mismatch Detected\n")
+	msg.WriteString("\n[WARN]  Authentication Mismatch Detected\n")
 	msg.WriteString(strings.Repeat("=", 60) + "\n\n")

 	msg.WriteString(fmt.Sprintf("   PostgreSQL is using '%s' authentication\n", method))
 	msg.WriteString(fmt.Sprintf("   OS user '%s' cannot authenticate as DB user '%s'\n\n", osUser, dbUser))

-	msg.WriteString("💡 Solutions (choose one):\n\n")
+	msg.WriteString("[TIP] Solutions (choose one):\n\n")

 	msg.WriteString(fmt.Sprintf("   1. Run as matching user:\n"))
 	msg.WriteString(fmt.Sprintf("      sudo -u %s %s\n\n", dbUser, getCommandLine()))
@@ -218,7 +226,7 @@ func buildAuthMismatchMessage(osUser, dbUser string, method AuthMethod) string {
 	msg.WriteString("   4. Provide password via flag:\n")
 	msg.WriteString(fmt.Sprintf("      %s --password your_password\n\n", getCommandLine()))

-	msg.WriteString("📝 Note: For production use, ~/.pgpass or PGPASSWORD are recommended\n")
+	msg.WriteString("[NOTE] Note: For production use, ~/.pgpass or PGPASSWORD are recommended\n")
 	msg.WriteString("         to avoid exposing passwords in command history.\n\n")

 	msg.WriteString(strings.Repeat("=", 60) + "\n")
--- a/internal/backup/encryption.go
+++ b/internal/backup/encryption.go
@@ -0,0 +1,152 @@
+package backup
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+
+	"dbbackup/internal/crypto"
+	"dbbackup/internal/logger"
+	"dbbackup/internal/metadata"
+)
+
+// EncryptBackupFile encrypts a backup file in-place
+// The original file is replaced with the encrypted version
+func EncryptBackupFile(backupPath string, key []byte, log logger.Logger) error {
+	log.Info("Encrypting backup file", "file", filepath.Base(backupPath))
+
+	// Validate key
+	if err := crypto.ValidateKey(key); err != nil {
+		return fmt.Errorf("invalid encryption key: %w", err)
+	}
+
+	// Create encryptor
+	encryptor := crypto.NewAESEncryptor()
+
+	// Generate encrypted file path
+	encryptedPath := backupPath + ".encrypted.tmp"
+
+	// Encrypt file
+	if err := encryptor.EncryptFile(backupPath, encryptedPath, key); err != nil {
+		// Clean up temp file on failure
+		os.Remove(encryptedPath)
+		return fmt.Errorf("encryption failed: %w", err)
+	}
+
+	// Update metadata to indicate encryption
+	metaPath := backupPath + ".meta.json"
+	if _, err := os.Stat(metaPath); err == nil {
+		// Load existing metadata
+		meta, err := metadata.Load(metaPath)
+		if err != nil {
+			log.Warn("Failed to load metadata for encryption update", "error", err)
+		} else {
+			// Mark as encrypted
+			meta.Encrypted = true
+			meta.EncryptionAlgorithm = string(crypto.AlgorithmAES256GCM)
+
+			// Save updated metadata
+			if err := metadata.Save(metaPath, meta); err != nil {
+				log.Warn("Failed to update metadata with encryption info", "error", err)
+			}
+		}
+	}
+
+	// Remove original unencrypted file
+	if err := os.Remove(backupPath); err != nil {
+		log.Warn("Failed to remove original unencrypted file", "error", err)
+		// Don't fail - encrypted file exists
+	}
+
+	// Rename encrypted file to original name
+	if err := os.Rename(encryptedPath, backupPath); err != nil {
+		return fmt.Errorf("failed to rename encrypted file: %w", err)
+	}
+
+	log.Info("Backup encrypted successfully", "file", filepath.Base(backupPath))
+	return nil
+}
+
+// IsBackupEncrypted checks if a backup file is encrypted
+func IsBackupEncrypted(backupPath string) bool {
+	// Check metadata first - try cluster metadata (for cluster backups)
+	// Try cluster metadata first
+	if clusterMeta, err := metadata.LoadCluster(backupPath); err == nil {
+		// For cluster backups, check if ANY database is encrypted
+		for _, db := range clusterMeta.Databases {
+			if db.Encrypted {
+				return true
+			}
+		}
+		// All databases are unencrypted
+		return false
+	}
+
+	// Try single database metadata
+	if meta, err := metadata.Load(backupPath); err == nil {
+		return meta.Encrypted
+	}
+
+	// No metadata found - check file format to determine if encrypted
+	// Known unencrypted formats have specific magic bytes:
+	// - Gzip: 1f 8b
+	// - PGDMP (PostgreSQL custom): 50 47 44 4d 50 (PGDMP)
+	// - Plain SQL: starts with text (-- or SET or CREATE)
+	// - Tar: 75 73 74 61 72 (ustar) at offset 257
+	//
+	// If file doesn't match any known format, it MIGHT be encrypted,
+	// but we return false to avoid false positives. User must provide
+	// metadata file or use --encrypt flag explicitly.
+	file, err := os.Open(backupPath)
+	if err != nil {
+		return false
+	}
+	defer file.Close()
+
+	header := make([]byte, 6)
+	if n, err := file.Read(header); err != nil || n < 2 {
+		return false
+	}
+
+	// Check for known unencrypted formats
+	// Gzip magic: 1f 8b
+	if header[0] == 0x1f && header[1] == 0x8b {
+		return false // Gzip compressed - not encrypted
+	}
+
+	// PGDMP magic (PostgreSQL custom format)
+	if len(header) >= 5 && string(header[:5]) == "PGDMP" {
+		return false // PostgreSQL custom dump - not encrypted
+	}
+
+	// Plain text SQL (starts with --, SET, CREATE, etc.)
+	if header[0] == '-' || header[0] == 'S' || header[0] == 'C' || header[0] == '/' {
+		return false // Plain text SQL - not encrypted
+	}
+
+	// Without metadata, we cannot reliably determine encryption status
+	// Return false to avoid blocking restores with false positives
+	return false
+}
+
+// DecryptBackupFile decrypts an encrypted backup file
+// Creates a new decrypted file
+func DecryptBackupFile(encryptedPath, outputPath string, key []byte, log logger.Logger) error {
+	log.Info("Decrypting backup file", "file", filepath.Base(encryptedPath))
+
+	// Validate key
+	if err := crypto.ValidateKey(key); err != nil {
+		return fmt.Errorf("invalid decryption key: %w", err)
+	}
+
+	// Create encryptor
+	encryptor := crypto.NewAESEncryptor()
+
+	// Decrypt file
+	if err := encryptor.DecryptFile(encryptedPath, outputPath, key); err != nil {
+		return fmt.Errorf("decryption failed (wrong key?): %w", err)
+	}
+
+	log.Info("Backup decrypted successfully", "output", filepath.Base(outputPath))
+	return nil
+}
--- a/internal/backup/engine.go
+++ b/internal/backup/engine.go
@@ -20,11 +20,11 @@ import (
 	"dbbackup/internal/cloud"
 	"dbbackup/internal/config"
 	"dbbackup/internal/database"
-	"dbbackup/internal/security"
 	"dbbackup/internal/logger"
 	"dbbackup/internal/metadata"
 	"dbbackup/internal/metrics"
 	"dbbackup/internal/progress"
+	"dbbackup/internal/security"
 	"dbbackup/internal/swap"
 )

@@ -146,9 +146,10 @@ func (e *Engine) BackupSingle(ctx context.Context, databaseName string) error {
 	e.cfg.BackupDir = validBackupDir

 	if err := os.MkdirAll(e.cfg.BackupDir, 0755); err != nil {
-		prepStep.Fail(fmt.Errorf("failed to create backup directory: %w", err))
-		tracker.Fail(fmt.Errorf("failed to create backup directory: %w", err))
-		return fmt.Errorf("failed to create backup directory: %w", err)
+		err = fmt.Errorf("failed to create backup directory %s. Check write permissions or use --backup-dir to specify writable location: %w", e.cfg.BackupDir, err)
+		prepStep.Fail(err)
+		tracker.Fail(err)
+		return err
 	}
 	prepStep.Complete("Backup directory prepared")
 	tracker.UpdateProgress(10, "Backup directory prepared")
@@ -186,9 +187,10 @@ func (e *Engine) BackupSingle(ctx context.Context, databaseName string) error {
 	tracker.UpdateProgress(40, "Starting database backup...")

 	if err := e.executeCommandWithProgress(ctx, cmd, outputFile, tracker); err != nil {
-		execStep.Fail(fmt.Errorf("backup execution failed: %w", err))
-		tracker.Fail(fmt.Errorf("backup failed: %w", err))
-		return fmt.Errorf("backup failed: %w", err)
+		err = fmt.Errorf("backup failed for %s: %w. Check database connectivity and disk space", databaseName, err)
+		execStep.Fail(err)
+		tracker.Fail(err)
+		return err
 	}
 	execStep.Complete("Database backup completed")
 	tracker.UpdateProgress(80, "Database backup completed")
@@ -196,9 +198,10 @@ func (e *Engine) BackupSingle(ctx context.Context, databaseName string) error {
 	// Verify backup file
 	verifyStep := tracker.AddStep("verify", "Verifying backup file")
 	if info, err := os.Stat(outputFile); err != nil {
-		verifyStep.Fail(fmt.Errorf("backup file not created: %w", err))
-		tracker.Fail(fmt.Errorf("backup file not created: %w", err))
-		return fmt.Errorf("backup file not created: %w", err)
+		err = fmt.Errorf("backup file not created at %s. Backup command may have failed silently: %w", outputFile, err)
+		verifyStep.Fail(err)
+		tracker.Fail(err)
+		return err
 	} else {
 		size := formatBytes(info.Size())
 		tracker.SetDetails("file_size", size)
@@ -440,6 +443,14 @@ func (e *Engine) BackupCluster(ctx context.Context) error {
 			defer wg.Done()
 			defer func() { <-semaphore }() // Release

+			// Panic recovery - prevent one database failure from crashing entire cluster backup
+			defer func() {
+				if r := recover(); r != nil {
+					e.log.Error("Panic in database backup goroutine", "database", name, "panic", r)
+					atomic.AddInt32(&failCount, 1)
+				}
+			}()
+
 			// Check for cancellation at start of goroutine
 			select {
 			case <-ctx.Done():
@@ -462,7 +473,7 @@ func (e *Engine) BackupCluster(ctx context.Context) error {
 				mu.Lock()
 				e.printf("       Database size: %s\n", sizeStr)
 				if size > 10*1024*1024*1024 { // > 10GB
-					e.printf("       ⚠️  Large database detected - this may take a while\n")
+					e.printf("       [WARN]  Large database detected - this may take a while\n")
 				}
 				mu.Unlock()
 			}
@@ -499,24 +510,24 @@ func (e *Engine) BackupCluster(ctx context.Context) error {

 			cmd := e.db.BuildBackupCommand(name, dumpFile, options)

-			dbCtx, cancel := context.WithTimeout(ctx, 2*time.Hour)
-			defer cancel()
-			err := e.executeCommand(dbCtx, cmd, dumpFile)
-			cancel()
+			// NO TIMEOUT for individual database backups
+			// Large databases with large objects can take many hours
+			// The parent context handles cancellation if needed
+			err := e.executeCommand(ctx, cmd, dumpFile)

 			if err != nil {
 				e.log.Warn("Failed to backup database", "database", name, "error", err)
 				mu.Lock()
-				e.printf("   ⚠️  WARNING: Failed to backup %s: %v\n", name, err)
+				e.printf("   [WARN]  WARNING: Failed to backup %s: %v\n", name, err)
 				mu.Unlock()
 				atomic.AddInt32(&failCount, 1)
 			} else {
 				compressedCandidate := strings.TrimSuffix(dumpFile, ".dump") + ".sql.gz"
 				mu.Lock()
 				if info, err := os.Stat(compressedCandidate); err == nil {
-					e.printf("   ✅ Completed %s (%s)\n", name, formatBytes(info.Size()))
+					e.printf("   [OK] Completed %s (%s)\n", name, formatBytes(info.Size()))
 				} else if info, err := os.Stat(dumpFile); err == nil {
-					e.printf("   ✅ Completed %s (%s)\n", name, formatBytes(info.Size()))
+					e.printf("   [OK] Completed %s (%s)\n", name, formatBytes(info.Size()))
 				}
 				mu.Unlock()
 				atomic.AddInt32(&successCount, 1)
@@ -595,12 +606,36 @@ func (e *Engine) executeCommandWithProgress(ctx context.Context, cmdArgs []strin
 		return fmt.Errorf("failed to start command: %w", err)
 	}

-	// Monitor progress via stderr
-	go e.monitorCommandProgress(stderr, tracker)
+	// Monitor progress via stderr in goroutine
+	stderrDone := make(chan struct{})
+	go func() {
+		defer close(stderrDone)
+		e.monitorCommandProgress(stderr, tracker)
+	}()

-	// Wait for command to complete
-	if err := cmd.Wait(); err != nil {
-		return fmt.Errorf("backup command failed: %w", err)
+	// Wait for command to complete with proper context handling
+	cmdDone := make(chan error, 1)
+	go func() {
+		cmdDone <- cmd.Wait()
+	}()
+
+	var cmdErr error
+	select {
+	case cmdErr = <-cmdDone:
+		// Command completed (success or failure)
+	case <-ctx.Done():
+		// Context cancelled - kill process to unblock
+		e.log.Warn("Backup cancelled - killing process")
+		cmd.Process.Kill()
+		<-cmdDone // Wait for goroutine to finish
+		cmdErr = ctx.Err()
+	}
+
+	// Wait for stderr reader to finish
+	<-stderrDone
+
+	if cmdErr != nil {
+		return fmt.Errorf("backup command failed: %w", cmdErr)
 	}

 	return nil
@@ -611,6 +646,7 @@ func (e *Engine) monitorCommandProgress(stderr io.ReadCloser, tracker *progress.
 	defer stderr.Close()

 	scanner := bufio.NewScanner(stderr)
+	scanner.Buffer(make([]byte, 64*1024), 1024*1024) // 64KB initial, 1MB max for performance
 	progressBase := 40                               // Start from 40% since command preparation is done
 	progressIncrement := 0

@@ -676,8 +712,12 @@ func (e *Engine) executeMySQLWithProgressAndCompression(ctx context.Context, cmd
 		return fmt.Errorf("failed to get stderr pipe: %w", err)
 	}

-	// Start monitoring progress
-	go e.monitorCommandProgress(stderr, tracker)
+	// Start monitoring progress in goroutine
+	stderrDone := make(chan struct{})
+	go func() {
+		defer close(stderrDone)
+		e.monitorCommandProgress(stderr, tracker)
+	}()

 	// Start both commands
 	if err := gzipCmd.Start(); err != nil {
@@ -685,20 +725,41 @@ func (e *Engine) executeMySQLWithProgressAndCompression(ctx context.Context, cmd
 	}

 	if err := dumpCmd.Start(); err != nil {
+		gzipCmd.Process.Kill()
 		return fmt.Errorf("failed to start mysqldump: %w", err)
 	}

-	// Wait for mysqldump to complete
-	if err := dumpCmd.Wait(); err != nil {
-		return fmt.Errorf("mysqldump failed: %w", err)
+	// Wait for mysqldump with context handling
+	dumpDone := make(chan error, 1)
+	go func() {
+		dumpDone <- dumpCmd.Wait()
+	}()
+
+	var dumpErr error
+	select {
+	case dumpErr = <-dumpDone:
+		// mysqldump completed
+	case <-ctx.Done():
+		e.log.Warn("Backup cancelled - killing mysqldump")
+		dumpCmd.Process.Kill()
+		gzipCmd.Process.Kill()
+		<-dumpDone
+		return ctx.Err()
 	}

+	// Wait for stderr reader
+	<-stderrDone
+
 	// Close pipe and wait for gzip
 	pipe.Close()
 	if err := gzipCmd.Wait(); err != nil {
 		return fmt.Errorf("gzip failed: %w", err)
 	}

+	if dumpErr != nil {
+		return fmt.Errorf("mysqldump failed: %w", dumpErr)
+	}
+
 	return nil
 }

@@ -729,19 +790,45 @@ func (e *Engine) executeMySQLWithCompression(ctx context.Context, cmdArgs []stri
 	gzipCmd.Stdin = stdin
 	gzipCmd.Stdout = outFile

-	// Start both commands
+	// Start gzip first
 	if err := gzipCmd.Start(); err != nil {
 		return fmt.Errorf("failed to start gzip: %w", err)
 	}

-	if err := dumpCmd.Run(); err != nil {
-		return fmt.Errorf("mysqldump failed: %w", err)
+	// Start mysqldump
+	if err := dumpCmd.Start(); err != nil {
+		gzipCmd.Process.Kill()
+		return fmt.Errorf("failed to start mysqldump: %w", err)
 	}

+	// Wait for mysqldump with context handling
+	dumpDone := make(chan error, 1)
+	go func() {
+		dumpDone <- dumpCmd.Wait()
+	}()
+
+	var dumpErr error
+	select {
+	case dumpErr = <-dumpDone:
+		// mysqldump completed
+	case <-ctx.Done():
+		e.log.Warn("Backup cancelled - killing mysqldump")
+		dumpCmd.Process.Kill()
+		gzipCmd.Process.Kill()
+		<-dumpDone
+		return ctx.Err()
+	}
+
+	// Close pipe and wait for gzip
+	stdin.Close()
 	if err := gzipCmd.Wait(); err != nil {
 		return fmt.Errorf("gzip failed: %w", err)
 	}

+	if dumpErr != nil {
+		return fmt.Errorf("mysqldump failed: %w", dumpErr)
+	}
+
 	return nil
 }

@@ -878,15 +965,46 @@ func (e *Engine) createArchive(ctx context.Context, sourceDir, outputFile string
 			goto regularTar
 		}

-		// Wait for tar to finish
-		if err := cmd.Wait(); err != nil {
+		// Wait for tar with proper context handling
+		tarDone := make(chan error, 1)
+		go func() {
+			tarDone <- cmd.Wait()
+		}()
+
+		var tarErr error
+		select {
+		case tarErr = <-tarDone:
+			// tar completed
+		case <-ctx.Done():
+			e.log.Warn("Archive creation cancelled - killing processes")
+			cmd.Process.Kill()
 			pigzCmd.Process.Kill()
-			return fmt.Errorf("tar failed: %w", err)
+			<-tarDone
+			return ctx.Err()
 		}

-		// Wait for pigz to finish
-		if err := pigzCmd.Wait(); err != nil {
-			return fmt.Errorf("pigz compression failed: %w", err)
+		if tarErr != nil {
+			pigzCmd.Process.Kill()
+			return fmt.Errorf("tar failed: %w", tarErr)
+		}
+
+		// Wait for pigz with proper context handling
+		pigzDone := make(chan error, 1)
+		go func() {
+			pigzDone <- pigzCmd.Wait()
+		}()
+
+		var pigzErr error
+		select {
+		case pigzErr = <-pigzDone:
+		case <-ctx.Done():
+			pigzCmd.Process.Kill()
+			<-pigzDone
+			return ctx.Err()
+		}
+
+		if pigzErr != nil {
+			return fmt.Errorf("pigz compression failed: %w", pigzErr)
 		}
 		return nil
 	}
@@ -1124,23 +1242,29 @@ func (e *Engine) uploadToCloud(ctx context.Context, backupFile string, tracker *
 	filename := filepath.Base(backupFile)
 	e.log.Info("Uploading backup to cloud", "file", filename, "size", cloud.FormatSize(info.Size()))

-	// Progress callback
-	var lastPercent int
+	// Create schollz progressbar for visual upload progress
+	bar := progress.NewSchollzBar(info.Size(), fmt.Sprintf("Uploading %s", filename))
+
+	// Progress callback with schollz progressbar
+	var lastBytes int64
 	progressCallback := func(transferred, total int64) {
-		percent := int(float64(transferred) / float64(total) * 100)
-		if percent != lastPercent && percent%10 == 0 {
-			e.log.Debug("Upload progress", "percent", percent, "transferred", cloud.FormatSize(transferred), "total", cloud.FormatSize(total))
-			lastPercent = percent
+		delta := transferred - lastBytes
+		if delta > 0 {
+			_ = bar.Add64(delta)
 		}
+		lastBytes = transferred
 	}

 	// Upload to cloud
 	err = backend.Upload(ctx, backupFile, filename, progressCallback)
 	if err != nil {
+		bar.Fail("Upload failed")
 		uploadStep.Fail(fmt.Errorf("cloud upload failed: %w", err))
 		return err
 	}

+	_ = bar.Finish()
+
 	// Also upload metadata file
 	metaFile := backupFile + ".meta.json"
 	if _, err := os.Stat(metaFile); err == nil {
@@ -1231,8 +1355,10 @@ func (e *Engine) executeCommand(ctx context.Context, cmdArgs []string, outputFil
 		return fmt.Errorf("failed to start backup command: %w", err)
 	}

-	// Stream stderr output (don't buffer it all in memory)
+	// Stream stderr output in goroutine (don't buffer it all in memory)
+	stderrDone := make(chan struct{})
 	go func() {
+		defer close(stderrDone)
 		scanner := bufio.NewScanner(stderr)
 		scanner.Buffer(make([]byte, 64*1024), 1024*1024) // 1MB max line size
 		for scanner.Scan() {
@@ -1243,10 +1369,30 @@ func (e *Engine) executeCommand(ctx context.Context, cmdArgs []string, outputFil
 		}
 	}()

-	// Wait for command to complete
-	if err := cmd.Wait(); err != nil {
-		e.log.Error("Backup command failed", "error", err, "database", filepath.Base(outputFile))
-		return fmt.Errorf("backup command failed: %w", err)
+	// Wait for command to complete with proper context handling
+	cmdDone := make(chan error, 1)
+	go func() {
+		cmdDone <- cmd.Wait()
+	}()
+
+	var cmdErr error
+	select {
+	case cmdErr = <-cmdDone:
+		// Command completed (success or failure)
+	case <-ctx.Done():
+		// Context cancelled - kill process to unblock
+		e.log.Warn("Backup cancelled - killing pg_dump process")
+		cmd.Process.Kill()
+		<-cmdDone // Wait for goroutine to finish
+		cmdErr = ctx.Err()
+	}
+
+	// Wait for stderr reader to finish
+	<-stderrDone
+
+	if cmdErr != nil {
+		e.log.Error("Backup command failed", "error", cmdErr, "database", filepath.Base(outputFile))
+		return fmt.Errorf("backup command failed: %w", cmdErr)
 	}

 	return nil
@@ -1348,20 +1494,53 @@ func (e *Engine) executeWithStreamingCompression(ctx context.Context, cmdArgs []

 	// Then start pg_dump
 	if err := dumpCmd.Start(); err != nil {
+		compressCmd.Process.Kill()
 		return fmt.Errorf("failed to start pg_dump: %w", err)
 	}

-	// Wait for pg_dump to complete
-	if err := dumpCmd.Wait(); err != nil {
-		return fmt.Errorf("pg_dump failed: %w", err)
+	// Wait for pg_dump in a goroutine to handle context timeout properly
+	// This prevents deadlock if pipe buffer fills and pg_dump blocks
+	dumpDone := make(chan error, 1)
+	go func() {
+		dumpDone <- dumpCmd.Wait()
+	}()
+
+	var dumpErr error
+	select {
+	case dumpErr = <-dumpDone:
+		// pg_dump completed (success or failure)
+	case <-ctx.Done():
+		// Context cancelled/timeout - kill pg_dump to unblock
+		e.log.Warn("Backup timeout - killing pg_dump process")
+		dumpCmd.Process.Kill()
+		<-dumpDone // Wait for goroutine to finish
+		dumpErr = ctx.Err()
 	}

 	// Close stdout pipe to signal compressor we're done
+	// This MUST happen after pg_dump exits to avoid broken pipe
 	dumpStdout.Close()

 	// Wait for compression to complete
-	if err := compressCmd.Wait(); err != nil {
-		return fmt.Errorf("compression failed: %w", err)
+	compressErr := compressCmd.Wait()
+
+	// Check errors - compressor failure first (it's usually the root cause)
+	if compressErr != nil {
+		e.log.Error("Compressor failed", "error", compressErr)
+		return fmt.Errorf("compression failed (check disk space): %w", compressErr)
+	}
+	if dumpErr != nil {
+		// Check for SIGPIPE (exit code 141) - indicates compressor died first
+		if exitErr, ok := dumpErr.(*exec.ExitError); ok && exitErr.ExitCode() == 141 {
+			e.log.Error("pg_dump received SIGPIPE - compressor may have failed")
+			return fmt.Errorf("pg_dump broken pipe - check disk space and compressor")
+		}
+		return fmt.Errorf("pg_dump failed: %w", dumpErr)
+	}
+
+	// Sync file to disk to ensure durability (prevents truncation on power loss)
+	if err := outFile.Sync(); err != nil {
+		e.log.Warn("Failed to sync output file", "error", err)
 	}

 	e.log.Debug("Streaming compression completed", "output", compressedFile)
--- a/internal/backup/incremental.go
+++ b/internal/backup/incremental.go
@@ -0,0 +1,108 @@
+package backup
+
+import (
+	"context"
+	"time"
+)
+
+// BackupType represents the type of backup
+type BackupType string
+
+const (
+	BackupTypeFull        BackupType = "full"        // Complete backup of all data
+	BackupTypeIncremental BackupType = "incremental" // Only changed files since base backup
+)
+
+// IncrementalMetadata contains metadata for incremental backups
+type IncrementalMetadata struct {
+	// BaseBackupID is the SHA-256 checksum of the base backup this incremental depends on
+	BaseBackupID string `json:"base_backup_id"`
+
+	// BaseBackupPath is the filename of the base backup (e.g., "mydb_20250126_120000.tar.gz")
+	BaseBackupPath string `json:"base_backup_path"`
+
+	// BaseBackupTimestamp is when the base backup was created
+	BaseBackupTimestamp time.Time `json:"base_backup_timestamp"`
+
+	// IncrementalFiles is the number of changed files included in this backup
+	IncrementalFiles int `json:"incremental_files"`
+
+	// TotalSize is the total size of changed files (bytes)
+	TotalSize int64 `json:"total_size"`
+
+	// BackupChain is the list of all backups needed for restore (base + incrementals)
+	// Ordered from oldest to newest: [base, incr1, incr2, ...]
+	BackupChain []string `json:"backup_chain"`
+}
+
+// ChangedFile represents a file that changed since the base backup
+type ChangedFile struct {
+	// RelativePath is the path relative to PostgreSQL data directory
+	RelativePath string
+
+	// AbsolutePath is the full filesystem path
+	AbsolutePath string
+
+	// Size is the file size in bytes
+	Size int64
+
+	// ModTime is the last modification time
+	ModTime time.Time
+
+	// Checksum is the SHA-256 hash of the file content (optional)
+	Checksum string
+}
+
+// IncrementalBackupConfig holds configuration for incremental backups
+type IncrementalBackupConfig struct {
+	// BaseBackupPath is the path to the base backup archive
+	BaseBackupPath string
+
+	// DataDirectory is the PostgreSQL data directory to scan
+	DataDirectory string
+
+	// IncludeWAL determines if WAL files should be included
+	IncludeWAL bool
+
+	// CompressionLevel for the incremental archive (0-9)
+	CompressionLevel int
+}
+
+// BackupChainResolver resolves the chain of backups needed for restore
+type BackupChainResolver interface {
+	// FindBaseBackup locates the base backup for an incremental backup
+	FindBaseBackup(ctx context.Context, incrementalBackupID string) (*BackupInfo, error)
+
+	// ResolveChain returns the complete chain of backups needed for restore
+	// Returned in order: [base, incr1, incr2, ..., target]
+	ResolveChain(ctx context.Context, targetBackupID string) ([]*BackupInfo, error)
+
+	// ValidateChain verifies all backups in the chain exist and are valid
+	ValidateChain(ctx context.Context, chain []*BackupInfo) error
+}
+
+// IncrementalBackupEngine handles incremental backup operations
+type IncrementalBackupEngine interface {
+	// FindChangedFiles identifies files changed since the base backup
+	FindChangedFiles(ctx context.Context, config *IncrementalBackupConfig) ([]ChangedFile, error)
+
+	// CreateIncrementalBackup creates a new incremental backup
+	CreateIncrementalBackup(ctx context.Context, config *IncrementalBackupConfig, changedFiles []ChangedFile) error
+
+	// RestoreIncremental restores an incremental backup on top of a base backup
+	RestoreIncremental(ctx context.Context, baseBackupPath, incrementalPath, targetDir string) error
+}
+
+// BackupInfo extends the existing Info struct with incremental metadata
+// This will be integrated into the existing backup.Info struct
+type BackupInfo struct {
+	// Existing fields from backup.Info...
+	Database  string    `json:"database"`
+	Timestamp time.Time `json:"timestamp"`
+	Size      int64     `json:"size"`
+	Checksum  string    `json:"checksum"`
+
+	// New fields for incremental support
+	BackupType  BackupType           `json:"backup_type"`           // "full" or "incremental"
+	Incremental *IncrementalMetadata `json:"incremental,omitempty"` // Only present for incremental backups
+}
--- a/internal/backup/incremental_extract.go
+++ b/internal/backup/incremental_extract.go
@@ -0,0 +1,103 @@
+package backup
+
+import (
+	"archive/tar"
+	"compress/gzip"
+	"context"
+	"fmt"
+	"io"
+	"os"
+	"path/filepath"
+)
+
+// extractTarGz extracts a tar.gz archive to the specified directory
+// Files are extracted with their original permissions and timestamps
+func (e *PostgresIncrementalEngine) extractTarGz(ctx context.Context, archivePath, targetDir string) error {
+	// Open archive file
+	archiveFile, err := os.Open(archivePath)
+	if err != nil {
+		return fmt.Errorf("failed to open archive: %w", err)
+	}
+	defer archiveFile.Close()
+
+	// Create gzip reader
+	gzReader, err := gzip.NewReader(archiveFile)
+	if err != nil {
+		return fmt.Errorf("failed to create gzip reader: %w", err)
+	}
+	defer gzReader.Close()
+
+	// Create tar reader
+	tarReader := tar.NewReader(gzReader)
+
+	// Extract each file
+	fileCount := 0
+	for {
+		// Check context cancellation
+		select {
+		case <-ctx.Done():
+			return ctx.Err()
+		default:
+		}
+
+		header, err := tarReader.Next()
+		if err == io.EOF {
+			break // End of archive
+		}
+		if err != nil {
+			return fmt.Errorf("failed to read tar header: %w", err)
+		}
+
+		// Build target path
+		targetPath := filepath.Join(targetDir, header.Name)
+
+		// Ensure parent directory exists
+		if err := os.MkdirAll(filepath.Dir(targetPath), 0755); err != nil {
+			return fmt.Errorf("failed to create directory for %s: %w", header.Name, err)
+		}
+
+		switch header.Typeflag {
+		case tar.TypeDir:
+			// Create directory
+			if err := os.MkdirAll(targetPath, os.FileMode(header.Mode)); err != nil {
+				return fmt.Errorf("failed to create directory %s: %w", header.Name, err)
+			}
+
+		case tar.TypeReg:
+			// Extract regular file
+			outFile, err := os.OpenFile(targetPath, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, os.FileMode(header.Mode))
+			if err != nil {
+				return fmt.Errorf("failed to create file %s: %w", header.Name, err)
+			}
+
+			if _, err := io.Copy(outFile, tarReader); err != nil {
+				outFile.Close()
+				return fmt.Errorf("failed to write file %s: %w", header.Name, err)
+			}
+			outFile.Close()
+
+			// Preserve modification time
+			if err := os.Chtimes(targetPath, header.ModTime, header.ModTime); err != nil {
+				e.log.Warn("Failed to set file modification time", "file", header.Name, "error", err)
+			}
+
+			fileCount++
+			if fileCount%100 == 0 {
+				e.log.Debug("Extraction progress", "files", fileCount)
+			}
+
+		case tar.TypeSymlink:
+			// Create symlink
+			if err := os.Symlink(header.Linkname, targetPath); err != nil {
+				// Don't fail on symlink errors - just warn
+				e.log.Warn("Failed to create symlink", "source", header.Name, "target", header.Linkname, "error", err)
+			}
+
+		default:
+			e.log.Warn("Unsupported tar entry type", "type", header.Typeflag, "name", header.Name)
+		}
+	}
+
+	e.log.Info("Archive extracted", "files", fileCount, "archive", filepath.Base(archivePath))
+	return nil
+}
--- a/internal/backup/incremental_mysql.go
+++ b/internal/backup/incremental_mysql.go
@@ -0,0 +1,543 @@
+package backup
+
+import (
+	"archive/tar"
+	"compress/gzip"
+	"context"
+	"crypto/sha256"
+	"encoding/hex"
+	"fmt"
+	"io"
+	"os"
+	"path/filepath"
+	"strings"
+	"time"
+
+	"dbbackup/internal/logger"
+	"dbbackup/internal/metadata"
+)
+
+// MySQLIncrementalEngine implements incremental backups for MySQL/MariaDB
+type MySQLIncrementalEngine struct {
+	log logger.Logger
+}
+
+// NewMySQLIncrementalEngine creates a new MySQL incremental backup engine
+func NewMySQLIncrementalEngine(log logger.Logger) *MySQLIncrementalEngine {
+	return &MySQLIncrementalEngine{
+		log: log,
+	}
+}
+
+// FindChangedFiles identifies files that changed since the base backup
+// Uses mtime-based detection. Production could integrate with MySQL binary logs for more precision.
+func (e *MySQLIncrementalEngine) FindChangedFiles(ctx context.Context, config *IncrementalBackupConfig) ([]ChangedFile, error) {
+	e.log.Info("Finding changed files for incremental backup (MySQL)",
+		"base_backup", config.BaseBackupPath,
+		"data_dir", config.DataDirectory)
+
+	// Load base backup metadata to get timestamp
+	baseInfo, err := e.loadBackupInfo(config.BaseBackupPath)
+	if err != nil {
+		return nil, fmt.Errorf("failed to load base backup info: %w", err)
+	}
+
+	// Validate base backup is full backup
+	if baseInfo.BackupType != "" && baseInfo.BackupType != "full" {
+		return nil, fmt.Errorf("base backup must be a full backup, got: %s", baseInfo.BackupType)
+	}
+
+	baseTimestamp := baseInfo.Timestamp
+	e.log.Info("Base backup timestamp", "timestamp", baseTimestamp)
+
+	// Scan data directory for changed files
+	var changedFiles []ChangedFile
+
+	err = filepath.Walk(config.DataDirectory, func(path string, info os.FileInfo, err error) error {
+		if err != nil {
+			return err
+		}
+
+		// Skip directories
+		if info.IsDir() {
+			return nil
+		}
+
+		// Skip temporary files, relay logs, and other MySQL-specific files
+		if e.shouldSkipFile(path, info) {
+			return nil
+		}
+
+		// Check if file was modified after base backup
+		if info.ModTime().After(baseTimestamp) {
+			relPath, err := filepath.Rel(config.DataDirectory, path)
+			if err != nil {
+				e.log.Warn("Failed to get relative path", "path", path, "error", err)
+				return nil
+			}
+
+			changedFiles = append(changedFiles, ChangedFile{
+				RelativePath: relPath,
+				AbsolutePath: path,
+				Size:         info.Size(),
+				ModTime:      info.ModTime(),
+			})
+		}
+
+		return nil
+	})
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to scan data directory: %w", err)
+	}
+
+	e.log.Info("Found changed files", "count", len(changedFiles))
+	return changedFiles, nil
+}
+
+// shouldSkipFile determines if a file should be excluded from incremental backup (MySQL-specific)
+func (e *MySQLIncrementalEngine) shouldSkipFile(path string, info os.FileInfo) bool {
+	name := info.Name()
+	lowerPath := strings.ToLower(path)
+
+	// Skip temporary files
+	if strings.HasSuffix(name, ".tmp") || strings.HasPrefix(name, "#sql") {
+		return true
+	}
+
+	// Skip MySQL lock files
+	if strings.HasSuffix(name, ".lock") || name == "auto.cnf.lock" {
+		return true
+	}
+
+	// Skip MySQL pid file
+	if strings.HasSuffix(name, ".pid") || name == "mysqld.pid" {
+		return true
+	}
+
+	// Skip sockets
+	if info.Mode()&os.ModeSocket != 0 || strings.HasSuffix(name, ".sock") {
+		return true
+	}
+
+	// Skip MySQL relay logs (replication)
+	if strings.Contains(lowerPath, "relay-log") || strings.Contains(name, "relay-bin") {
+		return true
+	}
+
+	// Skip MySQL binary logs (handled separately if needed)
+	// Note: For production incremental backups, binary logs should be backed up separately
+	if strings.Contains(name, "mysql-bin") || strings.Contains(name, "binlog") {
+		return true
+	}
+
+	// Skip InnoDB redo logs (ib_logfile*)
+	if strings.HasPrefix(name, "ib_logfile") {
+		return true
+	}
+
+	// Skip InnoDB undo logs (undo_*)
+	if strings.HasPrefix(name, "undo_") {
+		return true
+	}
+
+	// Skip MySQL error logs
+	if strings.HasSuffix(name, ".err") || name == "error.log" {
+		return true
+	}
+
+	// Skip MySQL slow query logs
+	if strings.Contains(name, "slow") && strings.HasSuffix(name, ".log") {
+		return true
+	}
+
+	// Skip general query logs
+	if name == "general.log" || name == "query.log" {
+		return true
+	}
+
+	// Skip performance schema (in-memory only)
+	if strings.Contains(lowerPath, "performance_schema") {
+		return true
+	}
+
+	// Skip MySQL Cluster temporary files
+	if strings.HasPrefix(name, "ndb_") {
+		return true
+	}
+
+	return false
+}
+
+// loadBackupInfo loads backup metadata from .meta.json file
+func (e *MySQLIncrementalEngine) loadBackupInfo(backupPath string) (*metadata.BackupMetadata, error) {
+	// Load using metadata package
+	meta, err := metadata.Load(backupPath)
+	if err != nil {
+		return nil, fmt.Errorf("failed to load backup metadata: %w", err)
+	}
+
+	return meta, nil
+}
+
+// CreateIncrementalBackup creates a new incremental backup archive for MySQL
+func (e *MySQLIncrementalEngine) CreateIncrementalBackup(ctx context.Context, config *IncrementalBackupConfig, changedFiles []ChangedFile) error {
+	e.log.Info("Creating incremental backup (MySQL)",
+		"changed_files", len(changedFiles),
+		"base_backup", config.BaseBackupPath)
+
+	if len(changedFiles) == 0 {
+		e.log.Info("No changed files detected - skipping incremental backup")
+		return fmt.Errorf("no changed files since base backup")
+	}
+
+	// Load base backup metadata
+	baseInfo, err := e.loadBackupInfo(config.BaseBackupPath)
+	if err != nil {
+		return fmt.Errorf("failed to load base backup info: %w", err)
+	}
+
+	// Generate output filename: dbname_incr_TIMESTAMP.tar.gz
+	timestamp := time.Now().Format("20060102_150405")
+	outputFile := filepath.Join(filepath.Dir(config.BaseBackupPath),
+		fmt.Sprintf("%s_incr_%s.tar.gz", baseInfo.Database, timestamp))
+
+	e.log.Info("Creating incremental archive", "output", outputFile)
+
+	// Create tar.gz archive with changed files
+	if err := e.createTarGz(ctx, outputFile, changedFiles, config); err != nil {
+		return fmt.Errorf("failed to create archive: %w", err)
+	}
+
+	// Calculate checksum
+	checksum, err := e.CalculateFileChecksum(outputFile)
+	if err != nil {
+		return fmt.Errorf("failed to calculate checksum: %w", err)
+	}
+
+	// Get archive size
+	stat, err := os.Stat(outputFile)
+	if err != nil {
+		return fmt.Errorf("failed to stat archive: %w", err)
+	}
+
+	// Calculate total size of changed files
+	var totalSize int64
+	for _, f := range changedFiles {
+		totalSize += f.Size
+	}
+
+	// Create incremental metadata
+	metadata := &metadata.BackupMetadata{
+		Version:      "2.3.0",
+		Timestamp:    time.Now(),
+		Database:     baseInfo.Database,
+		DatabaseType: baseInfo.DatabaseType,
+		Host:         baseInfo.Host,
+		Port:         baseInfo.Port,
+		User:         baseInfo.User,
+		BackupFile:   outputFile,
+		SizeBytes:    stat.Size(),
+		SHA256:       checksum,
+		Compression:  "gzip",
+		BackupType:   "incremental",
+		BaseBackup:   filepath.Base(config.BaseBackupPath),
+		Incremental: &metadata.IncrementalMetadata{
+			BaseBackupID:        baseInfo.SHA256,
+			BaseBackupPath:      filepath.Base(config.BaseBackupPath),
+			BaseBackupTimestamp: baseInfo.Timestamp,
+			IncrementalFiles:    len(changedFiles),
+			TotalSize:           totalSize,
+			BackupChain:         buildBackupChain(baseInfo, filepath.Base(outputFile)),
+		},
+	}
+
+	// Save metadata
+	if err := metadata.Save(); err != nil {
+		return fmt.Errorf("failed to save metadata: %w", err)
+	}
+
+	e.log.Info("Incremental backup created successfully (MySQL)",
+		"output", outputFile,
+		"size", stat.Size(),
+		"changed_files", len(changedFiles),
+		"checksum", checksum[:16]+"...")
+
+	return nil
+}
+
+// RestoreIncremental restores a MySQL incremental backup on top of a base
+func (e *MySQLIncrementalEngine) RestoreIncremental(ctx context.Context, baseBackupPath, incrementalPath, targetDir string) error {
+	e.log.Info("Restoring incremental backup (MySQL)",
+		"base", baseBackupPath,
+		"incremental", incrementalPath,
+		"target", targetDir)
+
+	// Load incremental metadata to verify it's an incremental backup
+	incrInfo, err := e.loadBackupInfo(incrementalPath)
+	if err != nil {
+		return fmt.Errorf("failed to load incremental backup metadata: %w", err)
+	}
+
+	if incrInfo.BackupType != "incremental" {
+		return fmt.Errorf("backup is not incremental (type: %s)", incrInfo.BackupType)
+	}
+
+	if incrInfo.Incremental == nil {
+		return fmt.Errorf("incremental metadata missing")
+	}
+
+	// Verify base backup path matches metadata
+	expectedBase := filepath.Join(filepath.Dir(incrementalPath), incrInfo.Incremental.BaseBackupPath)
+	if !strings.EqualFold(filepath.Clean(baseBackupPath), filepath.Clean(expectedBase)) {
+		e.log.Warn("Base backup path mismatch",
+			"provided", baseBackupPath,
+			"expected", expectedBase)
+		// Continue anyway - user might have moved files
+	}
+
+	// Verify base backup exists
+	if _, err := os.Stat(baseBackupPath); err != nil {
+		return fmt.Errorf("base backup not found: %w", err)
+	}
+
+	// Load base backup metadata to verify it's a full backup
+	baseInfo, err := e.loadBackupInfo(baseBackupPath)
+	if err != nil {
+		return fmt.Errorf("failed to load base backup metadata: %w", err)
+	}
+
+	if baseInfo.BackupType != "full" && baseInfo.BackupType != "" {
+		return fmt.Errorf("base backup is not a full backup (type: %s)", baseInfo.BackupType)
+	}
+
+	// Verify checksums match
+	if incrInfo.Incremental.BaseBackupID != "" && baseInfo.SHA256 != "" {
+		if incrInfo.Incremental.BaseBackupID != baseInfo.SHA256 {
+			return fmt.Errorf("base backup checksum mismatch: expected %s, got %s",
+				incrInfo.Incremental.BaseBackupID, baseInfo.SHA256)
+		}
+		e.log.Info("Base backup checksum verified", "checksum", baseInfo.SHA256)
+	}
+
+	// Create target directory if it doesn't exist
+	if err := os.MkdirAll(targetDir, 0755); err != nil {
+		return fmt.Errorf("failed to create target directory: %w", err)
+	}
+
+	// Step 1: Extract base backup to target directory
+	e.log.Info("Extracting base backup (MySQL)", "output", targetDir)
+	if err := e.extractTarGz(ctx, baseBackupPath, targetDir); err != nil {
+		return fmt.Errorf("failed to extract base backup: %w", err)
+	}
+	e.log.Info("Base backup extracted successfully")
+
+	// Step 2: Extract incremental backup, overwriting changed files
+	e.log.Info("Applying incremental backup (MySQL)", "changed_files", incrInfo.Incremental.IncrementalFiles)
+	if err := e.extractTarGz(ctx, incrementalPath, targetDir); err != nil {
+		return fmt.Errorf("failed to extract incremental backup: %w", err)
+	}
+	e.log.Info("Incremental backup applied successfully")
+
+	// Step 3: Verify restoration
+	e.log.Info("Restore complete (MySQL)",
+		"base_backup", filepath.Base(baseBackupPath),
+		"incremental_backup", filepath.Base(incrementalPath),
+		"target_directory", targetDir,
+		"total_files_updated", incrInfo.Incremental.IncrementalFiles)
+
+	return nil
+}
+
+// CalculateFileChecksum computes SHA-256 hash of a file
+func (e *MySQLIncrementalEngine) CalculateFileChecksum(path string) (string, error) {
+	file, err := os.Open(path)
+	if err != nil {
+		return "", err
+	}
+	defer file.Close()
+
+	hash := sha256.New()
+	if _, err := io.Copy(hash, file); err != nil {
+		return "", err
+	}
+
+	return hex.EncodeToString(hash.Sum(nil)), nil
+}
+
+// createTarGz creates a tar.gz archive with the specified changed files
+func (e *MySQLIncrementalEngine) createTarGz(ctx context.Context, outputFile string, changedFiles []ChangedFile, config *IncrementalBackupConfig) error {
+	// Import needed for tar/gzip
+	outFile, err := os.Create(outputFile)
+	if err != nil {
+		return fmt.Errorf("failed to create output file: %w", err)
+	}
+	defer outFile.Close()
+
+	// Create gzip writer
+	gzWriter, err := gzip.NewWriterLevel(outFile, config.CompressionLevel)
+	if err != nil {
+		return fmt.Errorf("failed to create gzip writer: %w", err)
+	}
+	defer gzWriter.Close()
+
+	// Create tar writer
+	tarWriter := tar.NewWriter(gzWriter)
+	defer tarWriter.Close()
+
+	// Add each changed file to archive
+	for i, changedFile := range changedFiles {
+		// Check context cancellation
+		select {
+		case <-ctx.Done():
+			return ctx.Err()
+		default:
+		}
+
+		e.log.Debug("Adding file to archive (MySQL)",
+			"file", changedFile.RelativePath,
+			"progress", fmt.Sprintf("%d/%d", i+1, len(changedFiles)))
+
+		if err := e.addFileToTar(tarWriter, changedFile); err != nil {
+			return fmt.Errorf("failed to add file %s: %w", changedFile.RelativePath, err)
+		}
+	}
+
+	return nil
+}
+
+// addFileToTar adds a single file to the tar archive
+func (e *MySQLIncrementalEngine) addFileToTar(tarWriter *tar.Writer, changedFile ChangedFile) error {
+	// Open the file
+	file, err := os.Open(changedFile.AbsolutePath)
+	if err != nil {
+		return fmt.Errorf("failed to open file: %w", err)
+	}
+	defer file.Close()
+
+	// Get file info
+	info, err := file.Stat()
+	if err != nil {
+		return fmt.Errorf("failed to stat file: %w", err)
+	}
+
+	// Skip if file has been deleted/changed since scan
+	if info.Size() != changedFile.Size {
+		e.log.Warn("File size changed since scan, using current size",
+			"file", changedFile.RelativePath,
+			"old_size", changedFile.Size,
+			"new_size", info.Size())
+	}
+
+	// Create tar header
+	header := &tar.Header{
+		Name:    changedFile.RelativePath,
+		Size:    info.Size(),
+		Mode:    int64(info.Mode()),
+		ModTime: info.ModTime(),
+	}
+
+	// Write header
+	if err := tarWriter.WriteHeader(header); err != nil {
+		return fmt.Errorf("failed to write tar header: %w", err)
+	}
+
+	// Copy file content
+	if _, err := io.Copy(tarWriter, file); err != nil {
+		return fmt.Errorf("failed to copy file content: %w", err)
+	}
+
+	return nil
+}
+
+// extractTarGz extracts a tar.gz archive to the specified directory
+// Files are extracted with their original permissions and timestamps
+func (e *MySQLIncrementalEngine) extractTarGz(ctx context.Context, archivePath, targetDir string) error {
+	// Open archive file
+	archiveFile, err := os.Open(archivePath)
+	if err != nil {
+		return fmt.Errorf("failed to open archive: %w", err)
+	}
+	defer archiveFile.Close()
+
+	// Create gzip reader
+	gzReader, err := gzip.NewReader(archiveFile)
+	if err != nil {
+		return fmt.Errorf("failed to create gzip reader: %w", err)
+	}
+	defer gzReader.Close()
+
+	// Create tar reader
+	tarReader := tar.NewReader(gzReader)
+
+	// Extract each file
+	fileCount := 0
+	for {
+		// Check context cancellation
+		select {
+		case <-ctx.Done():
+			return ctx.Err()
+		default:
+		}
+
+		header, err := tarReader.Next()
+		if err == io.EOF {
+			break // End of archive
+		}
+		if err != nil {
+			return fmt.Errorf("failed to read tar header: %w", err)
+		}
+
+		// Build target path
+		targetPath := filepath.Join(targetDir, header.Name)
+
+		// Ensure parent directory exists
+		if err := os.MkdirAll(filepath.Dir(targetPath), 0755); err != nil {
+			return fmt.Errorf("failed to create directory for %s: %w", header.Name, err)
+		}
+
+		switch header.Typeflag {
+		case tar.TypeDir:
+			// Create directory
+			if err := os.MkdirAll(targetPath, os.FileMode(header.Mode)); err != nil {
+				return fmt.Errorf("failed to create directory %s: %w", header.Name, err)
+			}
+
+		case tar.TypeReg:
+			// Extract regular file
+			outFile, err := os.OpenFile(targetPath, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, os.FileMode(header.Mode))
+			if err != nil {
+				return fmt.Errorf("failed to create file %s: %w", header.Name, err)
+			}
+
+			if _, err := io.Copy(outFile, tarReader); err != nil {
+				outFile.Close()
+				return fmt.Errorf("failed to write file %s: %w", header.Name, err)
+			}
+			outFile.Close()
+
+			// Preserve modification time
+			if err := os.Chtimes(targetPath, header.ModTime, header.ModTime); err != nil {
+				e.log.Warn("Failed to set file modification time", "file", header.Name, "error", err)
+			}
+
+			fileCount++
+			if fileCount%100 == 0 {
+				e.log.Debug("Extraction progress (MySQL)", "files", fileCount)
+			}
+
+		case tar.TypeSymlink:
+			// Create symlink
+			if err := os.Symlink(header.Linkname, targetPath); err != nil {
+				// Don't fail on symlink errors - just warn
+				e.log.Warn("Failed to create symlink", "source", header.Name, "target", header.Linkname, "error", err)
+			}
+
+		default:
+			e.log.Warn("Unsupported tar entry type", "type", header.Typeflag, "name", header.Name)
+		}
+	}
+
+	e.log.Info("Archive extracted (MySQL)", "files", fileCount, "archive", filepath.Base(archivePath))
+	return nil
+}
--- a/internal/backup/incremental_postgres.go
+++ b/internal/backup/incremental_postgres.go
@@ -0,0 +1,345 @@
+package backup
+
+import (
+	"context"
+	"crypto/sha256"
+	"encoding/hex"
+	"fmt"
+	"io"
+	"os"
+	"path/filepath"
+	"strings"
+	"time"
+
+	"dbbackup/internal/logger"
+	"dbbackup/internal/metadata"
+)
+
+// PostgresIncrementalEngine implements incremental backups for PostgreSQL
+type PostgresIncrementalEngine struct {
+	log logger.Logger
+}
+
+// NewPostgresIncrementalEngine creates a new PostgreSQL incremental backup engine
+func NewPostgresIncrementalEngine(log logger.Logger) *PostgresIncrementalEngine {
+	return &PostgresIncrementalEngine{
+		log: log,
+	}
+}
+
+// FindChangedFiles identifies files that changed since the base backup
+// This is a simple mtime-based implementation. Production should use pg_basebackup with incremental support.
+func (e *PostgresIncrementalEngine) FindChangedFiles(ctx context.Context, config *IncrementalBackupConfig) ([]ChangedFile, error) {
+	e.log.Info("Finding changed files for incremental backup",
+		"base_backup", config.BaseBackupPath,
+		"data_dir", config.DataDirectory)
+
+	// Load base backup metadata to get timestamp
+	baseInfo, err := e.loadBackupInfo(config.BaseBackupPath)
+	if err != nil {
+		return nil, fmt.Errorf("failed to load base backup info: %w", err)
+	}
+
+	// Validate base backup is full backup
+	if baseInfo.BackupType != "" && baseInfo.BackupType != "full" {
+		return nil, fmt.Errorf("base backup must be a full backup, got: %s", baseInfo.BackupType)
+	}
+
+	baseTimestamp := baseInfo.Timestamp
+	e.log.Info("Base backup timestamp", "timestamp", baseTimestamp)
+
+	// Scan data directory for changed files
+	var changedFiles []ChangedFile
+
+	err = filepath.Walk(config.DataDirectory, func(path string, info os.FileInfo, err error) error {
+		if err != nil {
+			return err
+		}
+
+		// Skip directories
+		if info.IsDir() {
+			return nil
+		}
+
+		// Skip temporary files, lock files, and sockets
+		if e.shouldSkipFile(path, info) {
+			return nil
+		}
+
+		// Check if file was modified after base backup
+		if info.ModTime().After(baseTimestamp) {
+			relPath, err := filepath.Rel(config.DataDirectory, path)
+			if err != nil {
+				e.log.Warn("Failed to get relative path", "path", path, "error", err)
+				return nil
+			}
+
+			changedFiles = append(changedFiles, ChangedFile{
+				RelativePath: relPath,
+				AbsolutePath: path,
+				Size:         info.Size(),
+				ModTime:      info.ModTime(),
+			})
+		}
+
+		return nil
+	})
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to scan data directory: %w", err)
+	}
+
+	e.log.Info("Found changed files", "count", len(changedFiles))
+	return changedFiles, nil
+}
+
+// shouldSkipFile determines if a file should be excluded from incremental backup
+func (e *PostgresIncrementalEngine) shouldSkipFile(path string, info os.FileInfo) bool {
+	name := info.Name()
+
+	// Skip temporary files
+	if strings.HasSuffix(name, ".tmp") {
+		return true
+	}
+
+	// Skip lock files
+	if strings.HasSuffix(name, ".lock") || name == "postmaster.pid" {
+		return true
+	}
+
+	// Skip sockets
+	if info.Mode()&os.ModeSocket != 0 {
+		return true
+	}
+
+	// Skip pg_wal symlink target (WAL handled separately if needed)
+	if strings.Contains(path, "pg_wal") || strings.Contains(path, "pg_xlog") {
+		return true
+	}
+
+	// Skip pg_replslot (replication slots)
+	if strings.Contains(path, "pg_replslot") {
+		return true
+	}
+
+	// Skip postmaster.opts (runtime config, regenerated on startup)
+	if name == "postmaster.opts" {
+		return true
+	}
+
+	return false
+}
+
+// loadBackupInfo loads backup metadata from .meta.json file
+func (e *PostgresIncrementalEngine) loadBackupInfo(backupPath string) (*metadata.BackupMetadata, error) {
+	// Load using metadata package
+	meta, err := metadata.Load(backupPath)
+	if err != nil {
+		return nil, fmt.Errorf("failed to load backup metadata: %w", err)
+	}
+
+	return meta, nil
+}
+
+// CreateIncrementalBackup creates a new incremental backup archive
+func (e *PostgresIncrementalEngine) CreateIncrementalBackup(ctx context.Context, config *IncrementalBackupConfig, changedFiles []ChangedFile) error {
+	e.log.Info("Creating incremental backup",
+		"changed_files", len(changedFiles),
+		"base_backup", config.BaseBackupPath)
+
+	if len(changedFiles) == 0 {
+		e.log.Info("No changed files detected - skipping incremental backup")
+		return fmt.Errorf("no changed files since base backup")
+	}
+
+	// Load base backup metadata
+	baseInfo, err := e.loadBackupInfo(config.BaseBackupPath)
+	if err != nil {
+		return fmt.Errorf("failed to load base backup info: %w", err)
+	}
+
+	// Generate output filename: dbname_incr_TIMESTAMP.tar.gz
+	timestamp := time.Now().Format("20060102_150405")
+	outputFile := filepath.Join(filepath.Dir(config.BaseBackupPath),
+		fmt.Sprintf("%s_incr_%s.tar.gz", baseInfo.Database, timestamp))
+
+	e.log.Info("Creating incremental archive", "output", outputFile)
+
+	// Create tar.gz archive with changed files
+	if err := e.createTarGz(ctx, outputFile, changedFiles, config); err != nil {
+		return fmt.Errorf("failed to create archive: %w", err)
+	}
+
+	// Calculate checksum
+	checksum, err := e.CalculateFileChecksum(outputFile)
+	if err != nil {
+		return fmt.Errorf("failed to calculate checksum: %w", err)
+	}
+
+	// Get archive size
+	stat, err := os.Stat(outputFile)
+	if err != nil {
+		return fmt.Errorf("failed to stat archive: %w", err)
+	}
+
+	// Calculate total size of changed files
+	var totalSize int64
+	for _, f := range changedFiles {
+		totalSize += f.Size
+	}
+
+	// Create incremental metadata
+	metadata := &metadata.BackupMetadata{
+		Version:      "2.2.0",
+		Timestamp:    time.Now(),
+		Database:     baseInfo.Database,
+		DatabaseType: baseInfo.DatabaseType,
+		Host:         baseInfo.Host,
+		Port:         baseInfo.Port,
+		User:         baseInfo.User,
+		BackupFile:   outputFile,
+		SizeBytes:    stat.Size(),
+		SHA256:       checksum,
+		Compression:  "gzip",
+		BackupType:   "incremental",
+		BaseBackup:   filepath.Base(config.BaseBackupPath),
+		Incremental: &metadata.IncrementalMetadata{
+			BaseBackupID:        baseInfo.SHA256,
+			BaseBackupPath:      filepath.Base(config.BaseBackupPath),
+			BaseBackupTimestamp: baseInfo.Timestamp,
+			IncrementalFiles:    len(changedFiles),
+			TotalSize:           totalSize,
+			BackupChain:         buildBackupChain(baseInfo, filepath.Base(outputFile)),
+		},
+	}
+
+	// Save metadata
+	if err := metadata.Save(); err != nil {
+		return fmt.Errorf("failed to save metadata: %w", err)
+	}
+
+	e.log.Info("Incremental backup created successfully",
+		"output", outputFile,
+		"size", stat.Size(),
+		"changed_files", len(changedFiles),
+		"checksum", checksum[:16]+"...")
+
+	return nil
+}
+
+// RestoreIncremental restores an incremental backup on top of a base
+func (e *PostgresIncrementalEngine) RestoreIncremental(ctx context.Context, baseBackupPath, incrementalPath, targetDir string) error {
+	e.log.Info("Restoring incremental backup",
+		"base", baseBackupPath,
+		"incremental", incrementalPath,
+		"target", targetDir)
+
+	// Load incremental metadata to verify it's an incremental backup
+	incrInfo, err := e.loadBackupInfo(incrementalPath)
+	if err != nil {
+		return fmt.Errorf("failed to load incremental backup metadata: %w", err)
+	}
+
+	if incrInfo.BackupType != "incremental" {
+		return fmt.Errorf("backup is not incremental (type: %s)", incrInfo.BackupType)
+	}
+
+	if incrInfo.Incremental == nil {
+		return fmt.Errorf("incremental metadata missing")
+	}
+
+	// Verify base backup path matches metadata
+	expectedBase := filepath.Join(filepath.Dir(incrementalPath), incrInfo.Incremental.BaseBackupPath)
+	if !strings.EqualFold(filepath.Clean(baseBackupPath), filepath.Clean(expectedBase)) {
+		e.log.Warn("Base backup path mismatch",
+			"provided", baseBackupPath,
+			"expected", expectedBase)
+		// Continue anyway - user might have moved files
+	}
+
+	// Verify base backup exists
+	if _, err := os.Stat(baseBackupPath); err != nil {
+		return fmt.Errorf("base backup not found: %w", err)
+	}
+
+	// Load base backup metadata to verify it's a full backup
+	baseInfo, err := e.loadBackupInfo(baseBackupPath)
+	if err != nil {
+		return fmt.Errorf("failed to load base backup metadata: %w", err)
+	}
+
+	if baseInfo.BackupType != "full" && baseInfo.BackupType != "" {
+		return fmt.Errorf("base backup is not a full backup (type: %s)", baseInfo.BackupType)
+	}
+
+	// Verify checksums match
+	if incrInfo.Incremental.BaseBackupID != "" && baseInfo.SHA256 != "" {
+		if incrInfo.Incremental.BaseBackupID != baseInfo.SHA256 {
+			return fmt.Errorf("base backup checksum mismatch: expected %s, got %s",
+				incrInfo.Incremental.BaseBackupID, baseInfo.SHA256)
+		}
+		e.log.Info("Base backup checksum verified", "checksum", baseInfo.SHA256)
+	}
+
+	// Create target directory if it doesn't exist
+	if err := os.MkdirAll(targetDir, 0755); err != nil {
+		return fmt.Errorf("failed to create target directory: %w", err)
+	}
+
+	// Step 1: Extract base backup to target directory
+	e.log.Info("Extracting base backup", "output", targetDir)
+	if err := e.extractTarGz(ctx, baseBackupPath, targetDir); err != nil {
+		return fmt.Errorf("failed to extract base backup: %w", err)
+	}
+	e.log.Info("Base backup extracted successfully")
+
+	// Step 2: Extract incremental backup, overwriting changed files
+	e.log.Info("Applying incremental backup", "changed_files", incrInfo.Incremental.IncrementalFiles)
+	if err := e.extractTarGz(ctx, incrementalPath, targetDir); err != nil {
+		return fmt.Errorf("failed to extract incremental backup: %w", err)
+	}
+	e.log.Info("Incremental backup applied successfully")
+
+	// Step 3: Verify restoration
+	e.log.Info("Restore complete",
+		"base_backup", filepath.Base(baseBackupPath),
+		"incremental_backup", filepath.Base(incrementalPath),
+		"target_directory", targetDir,
+		"total_files_updated", incrInfo.Incremental.IncrementalFiles)
+
+	return nil
+}
+
+// CalculateFileChecksum computes SHA-256 hash of a file
+func (e *PostgresIncrementalEngine) CalculateFileChecksum(path string) (string, error) {
+	file, err := os.Open(path)
+	if err != nil {
+		return "", err
+	}
+	defer file.Close()
+
+	hash := sha256.New()
+	if _, err := io.Copy(hash, file); err != nil {
+		return "", err
+	}
+
+	return hex.EncodeToString(hash.Sum(nil)), nil
+}
+
+// buildBackupChain constructs the backup chain from base backup to current incremental
+func buildBackupChain(baseInfo *metadata.BackupMetadata, currentBackup string) []string {
+	chain := []string{}
+
+	// If base backup has a chain (is itself incremental), use that
+	if baseInfo.Incremental != nil && len(baseInfo.Incremental.BackupChain) > 0 {
+		chain = append(chain, baseInfo.Incremental.BackupChain...)
+	} else {
+		// Base is a full backup, start chain with it
+		chain = append(chain, filepath.Base(baseInfo.BackupFile))
+	}
+
+	// Add current incremental to chain
+	chain = append(chain, currentBackup)
+
+	return chain
+}
--- a/internal/backup/incremental_tar.go
+++ b/internal/backup/incremental_tar.go
@@ -0,0 +1,95 @@
+package backup
+
+import (
+	"archive/tar"
+	"compress/gzip"
+	"context"
+	"fmt"
+	"io"
+	"os"
+)
+
+// createTarGz creates a tar.gz archive with the specified changed files
+func (e *PostgresIncrementalEngine) createTarGz(ctx context.Context, outputFile string, changedFiles []ChangedFile, config *IncrementalBackupConfig) error {
+	// Create output file
+	outFile, err := os.Create(outputFile)
+	if err != nil {
+		return fmt.Errorf("failed to create output file: %w", err)
+	}
+	defer outFile.Close()
+
+	// Create gzip writer
+	gzWriter, err := gzip.NewWriterLevel(outFile, config.CompressionLevel)
+	if err != nil {
+		return fmt.Errorf("failed to create gzip writer: %w", err)
+	}
+	defer gzWriter.Close()
+
+	// Create tar writer
+	tarWriter := tar.NewWriter(gzWriter)
+	defer tarWriter.Close()
+
+	// Add each changed file to archive
+	for i, changedFile := range changedFiles {
+		// Check context cancellation
+		select {
+		case <-ctx.Done():
+			return ctx.Err()
+		default:
+		}
+
+		e.log.Debug("Adding file to archive",
+			"file", changedFile.RelativePath,
+			"progress", fmt.Sprintf("%d/%d", i+1, len(changedFiles)))
+
+		if err := e.addFileToTar(tarWriter, changedFile); err != nil {
+			return fmt.Errorf("failed to add file %s: %w", changedFile.RelativePath, err)
+		}
+	}
+
+	return nil
+}
+
+// addFileToTar adds a single file to the tar archive
+func (e *PostgresIncrementalEngine) addFileToTar(tarWriter *tar.Writer, changedFile ChangedFile) error {
+	// Open the file
+	file, err := os.Open(changedFile.AbsolutePath)
+	if err != nil {
+		return fmt.Errorf("failed to open file: %w", err)
+	}
+	defer file.Close()
+
+	// Get file info
+	info, err := file.Stat()
+	if err != nil {
+		return fmt.Errorf("failed to stat file: %w", err)
+	}
+
+	// Skip if file has been deleted/changed since scan
+	if info.Size() != changedFile.Size {
+		e.log.Warn("File size changed since scan, using current size",
+			"file", changedFile.RelativePath,
+			"old_size", changedFile.Size,
+			"new_size", info.Size())
+	}
+
+	// Create tar header
+	header := &tar.Header{
+		Name:    changedFile.RelativePath,
+		Size:    info.Size(),
+		Mode:    int64(info.Mode()),
+		ModTime: info.ModTime(),
+	}
+
+	// Write header
+	if err := tarWriter.WriteHeader(header); err != nil {
+		return fmt.Errorf("failed to write tar header: %w", err)
+	}
+
+	// Copy file content
+	if _, err := io.Copy(tarWriter, file); err != nil {
+		return fmt.Errorf("failed to copy file content: %w", err)
+	}
+
+	return nil
+}
--- a/internal/backup/incremental_test.go
+++ b/internal/backup/incremental_test.go
@@ -0,0 +1,339 @@
+package backup
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"path/filepath"
+	"testing"
+	"time"
+
+	"dbbackup/internal/logger"
+)
+
+// TestIncrementalBackupRestore tests the full incremental backup workflow
+func TestIncrementalBackupRestore(t *testing.T) {
+	// Create test directories
+	tempDir, err := os.MkdirTemp("", "incremental_test_*")
+	if err != nil {
+		t.Fatalf("Failed to create temp directory: %v", err)
+	}
+	defer os.RemoveAll(tempDir)
+
+	dataDir := filepath.Join(tempDir, "pgdata")
+	backupDir := filepath.Join(tempDir, "backups")
+	restoreDir := filepath.Join(tempDir, "restore")
+
+	// Create directories
+	for _, dir := range []string{dataDir, backupDir, restoreDir} {
+		if err := os.MkdirAll(dir, 0755); err != nil {
+			t.Fatalf("Failed to create directory %s: %v", dir, err)
+		}
+	}
+
+	// Initialize logger
+	log := logger.New("info", "text")
+
+	// Create incremental engine
+	engine := &PostgresIncrementalEngine{
+		log: log,
+	}
+
+	ctx := context.Background()
+
+	// Step 1: Create test data files (simulate PostgreSQL data directory)
+	t.Log("Step 1: Creating test data files...")
+	testFiles := map[string]string{
+		"base/12345/1234":     "Original table data file",
+		"base/12345/1235":     "Another table file",
+		"base/12345/1236":     "Third table file",
+		"global/pg_control":   "PostgreSQL control file",
+		"pg_wal/000000010000": "WAL file (should be excluded)",
+	}
+
+	for relPath, content := range testFiles {
+		fullPath := filepath.Join(dataDir, relPath)
+		if err := os.MkdirAll(filepath.Dir(fullPath), 0755); err != nil {
+			t.Fatalf("Failed to create directory for %s: %v", relPath, err)
+		}
+		if err := os.WriteFile(fullPath, []byte(content), 0644); err != nil {
+			t.Fatalf("Failed to write test file %s: %v", relPath, err)
+		}
+	}
+
+	// Wait a moment to ensure timestamps differ
+	time.Sleep(100 * time.Millisecond)
+
+	// Step 2: Create base (full) backup
+	t.Log("Step 2: Creating base backup...")
+	baseBackupPath := filepath.Join(backupDir, "testdb_base.tar.gz")
+
+	// Manually create base backup for testing
+	baseConfig := &IncrementalBackupConfig{
+		DataDirectory:    dataDir,
+		CompressionLevel: 6,
+	}
+
+	// Create a simple tar.gz of the data directory (simulating full backup)
+	changedFiles := []ChangedFile{}
+	err = filepath.Walk(dataDir, func(path string, info os.FileInfo, err error) error {
+		if err != nil {
+			return err
+		}
+		if info.IsDir() {
+			return nil
+		}
+		relPath, err := filepath.Rel(dataDir, path)
+		if err != nil {
+			return err
+		}
+		changedFiles = append(changedFiles, ChangedFile{
+			RelativePath: relPath,
+			AbsolutePath: path,
+			Size:         info.Size(),
+			ModTime:      info.ModTime(),
+		})
+		return nil
+	})
+	if err != nil {
+		t.Fatalf("Failed to walk data directory: %v", err)
+	}
+
+	// Create base backup using tar
+	if err := engine.createTarGz(ctx, baseBackupPath, changedFiles, baseConfig); err != nil {
+		t.Fatalf("Failed to create base backup: %v", err)
+	}
+
+	// Calculate checksum for base backup
+	baseChecksum, err := engine.CalculateFileChecksum(baseBackupPath)
+	if err != nil {
+		t.Fatalf("Failed to calculate base backup checksum: %v", err)
+	}
+	t.Logf("Base backup created: %s (checksum: %s)", baseBackupPath, baseChecksum[:16])
+
+	// Create base backup metadata
+	baseStat, _ := os.Stat(baseBackupPath)
+	baseMetadata := createTestMetadata("testdb", baseBackupPath, baseStat.Size(), baseChecksum, "full", nil)
+	if err := saveTestMetadata(baseBackupPath, baseMetadata); err != nil {
+		t.Fatalf("Failed to save base metadata: %v", err)
+	}
+
+	// Wait to ensure different timestamps
+	time.Sleep(200 * time.Millisecond)
+
+	// Step 3: Modify data files (simulate database changes)
+	t.Log("Step 3: Modifying data files...")
+	modifiedFiles := map[string]string{
+		"base/12345/1234": "MODIFIED table data - incremental will capture this",
+		"base/12345/1237": "NEW table file added after base backup",
+	}
+
+	for relPath, content := range modifiedFiles {
+		fullPath := filepath.Join(dataDir, relPath)
+		if err := os.MkdirAll(filepath.Dir(fullPath), 0755); err != nil {
+			t.Fatalf("Failed to create directory for %s: %v", relPath, err)
+		}
+		if err := os.WriteFile(fullPath, []byte(content), 0644); err != nil {
+			t.Fatalf("Failed to write modified file %s: %v", relPath, err)
+		}
+	}
+
+	// Wait to ensure different timestamps
+	time.Sleep(100 * time.Millisecond)
+
+	// Step 4: Find changed files
+	t.Log("Step 4: Finding changed files...")
+	incrConfig := &IncrementalBackupConfig{
+		BaseBackupPath:   baseBackupPath,
+		DataDirectory:    dataDir,
+		CompressionLevel: 6,
+	}
+
+	changedFilesList, err := engine.FindChangedFiles(ctx, incrConfig)
+	if err != nil {
+		t.Fatalf("Failed to find changed files: %v", err)
+	}
+
+	t.Logf("Found %d changed files", len(changedFilesList))
+	if len(changedFilesList) == 0 {
+		t.Fatal("Expected changed files but found none")
+	}
+
+	// Verify we found the modified files
+	foundModified := false
+	foundNew := false
+	for _, cf := range changedFilesList {
+		if cf.RelativePath == "base/12345/1234" {
+			foundModified = true
+		}
+		if cf.RelativePath == "base/12345/1237" {
+			foundNew = true
+		}
+	}
+
+	if !foundModified {
+		t.Error("Did not find modified file base/12345/1234")
+	}
+	if !foundNew {
+		t.Error("Did not find new file base/12345/1237")
+	}
+
+	// Step 5: Create incremental backup
+	t.Log("Step 5: Creating incremental backup...")
+	if err := engine.CreateIncrementalBackup(ctx, incrConfig, changedFilesList); err != nil {
+		t.Fatalf("Failed to create incremental backup: %v", err)
+	}
+
+	// Find the incremental backup (has _incr_ in filename)
+	entries, err := os.ReadDir(backupDir)
+	if err != nil {
+		t.Fatalf("Failed to read backup directory: %v", err)
+	}
+
+	var incrementalBackupPath string
+	for _, entry := range entries {
+		if !entry.IsDir() && filepath.Ext(entry.Name()) == ".gz" &&
+			entry.Name() != filepath.Base(baseBackupPath) {
+			incrementalBackupPath = filepath.Join(backupDir, entry.Name())
+			break
+		}
+	}
+
+	if incrementalBackupPath == "" {
+		t.Fatal("Incremental backup file not found")
+	}
+
+	t.Logf("Incremental backup created: %s", incrementalBackupPath)
+
+	// Verify incremental backup was created
+	incrStat, _ := os.Stat(incrementalBackupPath)
+	t.Logf("Base backup size: %d bytes", baseStat.Size())
+	t.Logf("Incremental backup size: %d bytes", incrStat.Size())
+
+	// Note: For tiny test files, incremental might be larger due to tar.gz overhead
+	// In real-world scenarios with larger files, incremental would be much smaller
+	t.Logf("Incremental contains %d changed files out of %d total",
+		len(changedFilesList), len(testFiles))
+
+	// Step 6: Restore incremental backup
+	t.Log("Step 6: Restoring incremental backup...")
+	if err := engine.RestoreIncremental(ctx, baseBackupPath, incrementalBackupPath, restoreDir); err != nil {
+		t.Fatalf("Failed to restore incremental backup: %v", err)
+	}
+
+	// Step 7: Verify restored files
+	t.Log("Step 7: Verifying restored files...")
+	for relPath, expectedContent := range modifiedFiles {
+		restoredPath := filepath.Join(restoreDir, relPath)
+		content, err := os.ReadFile(restoredPath)
+		if err != nil {
+			t.Errorf("Failed to read restored file %s: %v", relPath, err)
+			continue
+		}
+		if string(content) != expectedContent {
+			t.Errorf("File %s content mismatch:\nExpected: %s\nGot: %s",
+				relPath, expectedContent, string(content))
+		}
+	}
+
+	// Verify unchanged files still exist
+	unchangedFile := filepath.Join(restoreDir, "base/12345/1235")
+	if _, err := os.Stat(unchangedFile); err != nil {
+		t.Errorf("Unchanged file base/12345/1235 not found in restore: %v", err)
+	}
+
+	t.Log("[OK] Incremental backup and restore test completed successfully")
+}
+
+// TestIncrementalBackupErrors tests error handling
+func TestIncrementalBackupErrors(t *testing.T) {
+	log := logger.New("info", "text")
+	engine := &PostgresIncrementalEngine{log: log}
+	ctx := context.Background()
+
+	tempDir, err := os.MkdirTemp("", "incremental_error_test_*")
+	if err != nil {
+		t.Fatalf("Failed to create temp directory: %v", err)
+	}
+	defer os.RemoveAll(tempDir)
+
+	t.Run("Missing base backup", func(t *testing.T) {
+		config := &IncrementalBackupConfig{
+			BaseBackupPath:   filepath.Join(tempDir, "nonexistent.tar.gz"),
+			DataDirectory:    tempDir,
+			CompressionLevel: 6,
+		}
+		_, err := engine.FindChangedFiles(ctx, config)
+		if err == nil {
+			t.Error("Expected error for missing base backup, got nil")
+		}
+	})
+
+	t.Run("No changed files", func(t *testing.T) {
+		// Create a dummy base backup
+		baseBackupPath := filepath.Join(tempDir, "base.tar.gz")
+		os.WriteFile(baseBackupPath, []byte("dummy"), 0644)
+
+		// Create metadata with current timestamp
+		baseMetadata := createTestMetadata("testdb", baseBackupPath, 100, "dummychecksum", "full", nil)
+		saveTestMetadata(baseBackupPath, baseMetadata)
+
+		config := &IncrementalBackupConfig{
+			BaseBackupPath:   baseBackupPath,
+			DataDirectory:    tempDir,
+			CompressionLevel: 6,
+		}
+
+		// This should find no changed files (empty directory)
+		err := engine.CreateIncrementalBackup(ctx, config, []ChangedFile{})
+		if err == nil {
+			t.Error("Expected error for no changed files, got nil")
+		}
+	})
+}
+
+// Helper function to create test metadata
+func createTestMetadata(database, backupFile string, size int64, checksum, backupType string, incremental *IncrementalMetadata) map[string]interface{} {
+	metadata := map[string]interface{}{
+		"database":    database,
+		"backup_file": backupFile,
+		"size":        size,
+		"sha256":      checksum,
+		"timestamp":   time.Now().Format(time.RFC3339),
+		"backup_type": backupType,
+	}
+	if incremental != nil {
+		metadata["incremental"] = incremental
+	}
+	return metadata
+}
+
+// Helper function to save test metadata
+func saveTestMetadata(backupPath string, metadata map[string]interface{}) error {
+	metaPath := backupPath + ".meta.json"
+	file, err := os.Create(metaPath)
+	if err != nil {
+		return err
+	}
+	defer file.Close()
+
+	// Simple JSON encoding
+	content := fmt.Sprintf(`{
+		"database": "%s",
+		"backup_file": "%s",
+		"size": %d,
+		"sha256": "%s",
+		"timestamp": "%s",
+		"backup_type": "%s"
+	}`,
+		metadata["database"],
+		metadata["backup_file"],
+		metadata["size"],
+		metadata["sha256"],
+		metadata["timestamp"],
+		metadata["backup_type"],
+	)
+
+	_, err = file.WriteString(content)
+	return err
+}
--- a/internal/catalog/catalog.go
+++ b/internal/catalog/catalog.go
@@ -0,0 +1,188 @@
+// Package catalog provides backup catalog management with SQLite storage
+package catalog
+
+import (
+	"context"
+	"fmt"
+	"time"
+)
+
+// Entry represents a single backup in the catalog
+type Entry struct {
+	ID              int64             `json:"id"`
+	Database        string            `json:"database"`
+	DatabaseType    string            `json:"database_type"` // postgresql, mysql, mariadb
+	Host            string            `json:"host"`
+	Port            int               `json:"port"`
+	BackupPath      string            `json:"backup_path"`
+	BackupType      string            `json:"backup_type"` // full, incremental
+	SizeBytes       int64             `json:"size_bytes"`
+	SHA256          string            `json:"sha256"`
+	Compression     string            `json:"compression"`
+	Encrypted       bool              `json:"encrypted"`
+	CreatedAt       time.Time         `json:"created_at"`
+	Duration        float64           `json:"duration_seconds"`
+	Status          BackupStatus      `json:"status"`
+	VerifiedAt      *time.Time        `json:"verified_at,omitempty"`
+	VerifyValid     *bool             `json:"verify_valid,omitempty"`
+	DrillTestedAt   *time.Time        `json:"drill_tested_at,omitempty"`
+	DrillSuccess    *bool             `json:"drill_success,omitempty"`
+	CloudLocation   string            `json:"cloud_location,omitempty"`
+	RetentionPolicy string            `json:"retention_policy,omitempty"` // daily, weekly, monthly, yearly
+	Tags            map[string]string `json:"tags,omitempty"`
+	Metadata        map[string]string `json:"metadata,omitempty"`
+}
+
+// BackupStatus represents the state of a backup
+type BackupStatus string
+
+const (
+	StatusCompleted BackupStatus = "completed"
+	StatusFailed    BackupStatus = "failed"
+	StatusVerified  BackupStatus = "verified"
+	StatusCorrupted BackupStatus = "corrupted"
+	StatusDeleted   BackupStatus = "deleted"
+	StatusArchived  BackupStatus = "archived"
+)
+
+// Gap represents a detected backup gap
+type Gap struct {
+	Database    string        `json:"database"`
+	GapStart    time.Time     `json:"gap_start"`
+	GapEnd      time.Time     `json:"gap_end"`
+	Duration    time.Duration `json:"duration"`
+	ExpectedAt  time.Time     `json:"expected_at"`
+	Description string        `json:"description"`
+	Severity    GapSeverity   `json:"severity"`
+}
+
+// GapSeverity indicates how serious a backup gap is
+type GapSeverity string
+
+const (
+	SeverityInfo     GapSeverity = "info"     // Gap within tolerance
+	SeverityWarning  GapSeverity = "warning"  // Gap exceeds expected interval
+	SeverityCritical GapSeverity = "critical" // Gap exceeds RPO
+)
+
+// Stats contains backup statistics
+type Stats struct {
+	TotalBackups     int64            `json:"total_backups"`
+	TotalSize        int64            `json:"total_size_bytes"`
+	TotalSizeHuman   string           `json:"total_size_human"`
+	OldestBackup     *time.Time       `json:"oldest_backup,omitempty"`
+	NewestBackup     *time.Time       `json:"newest_backup,omitempty"`
+	ByDatabase       map[string]int64 `json:"by_database"`
+	ByType           map[string]int64 `json:"by_type"`
+	ByStatus         map[string]int64 `json:"by_status"`
+	VerifiedCount    int64            `json:"verified_count"`
+	DrillTestedCount int64            `json:"drill_tested_count"`
+	AvgDuration      float64          `json:"avg_duration_seconds"`
+	AvgSize          int64            `json:"avg_size_bytes"`
+	GapsDetected     int              `json:"gaps_detected"`
+}
+
+// SearchQuery represents search criteria for catalog entries
+type SearchQuery struct {
+	Database     string     // Filter by database name (supports wildcards)
+	DatabaseType string     // Filter by database type
+	Host         string     // Filter by host
+	Status       string     // Filter by status
+	StartDate    *time.Time // Backups after this date
+	EndDate      *time.Time // Backups before this date
+	MinSize      int64      // Minimum size in bytes
+	MaxSize      int64      // Maximum size in bytes
+	BackupType   string     // full, incremental
+	Encrypted    *bool      // Filter by encryption status
+	Verified     *bool      // Filter by verification status
+	DrillTested  *bool      // Filter by drill test status
+	Limit        int        // Max results (0 = no limit)
+	Offset       int        // Offset for pagination
+	OrderBy      string     // Field to order by
+	OrderDesc    bool       // Order descending
+}
+
+// GapDetectionConfig configures gap detection
+type GapDetectionConfig struct {
+	ExpectedInterval time.Duration // Expected backup interval (e.g., 24h)
+	Tolerance        time.Duration // Allowed variance (e.g., 1h)
+	RPOThreshold     time.Duration // Critical threshold (RPO)
+	StartDate        *time.Time    // Start of analysis window
+	EndDate          *time.Time    // End of analysis window
+}
+
+// Catalog defines the interface for backup catalog operations
+type Catalog interface {
+	// Entry management
+	Add(ctx context.Context, entry *Entry) error
+	Update(ctx context.Context, entry *Entry) error
+	Delete(ctx context.Context, id int64) error
+	Get(ctx context.Context, id int64) (*Entry, error)
+	GetByPath(ctx context.Context, path string) (*Entry, error)
+
+	// Search and listing
+	Search(ctx context.Context, query *SearchQuery) ([]*Entry, error)
+	List(ctx context.Context, database string, limit int) ([]*Entry, error)
+	ListDatabases(ctx context.Context) ([]string, error)
+	Count(ctx context.Context, query *SearchQuery) (int64, error)
+
+	// Statistics
+	Stats(ctx context.Context) (*Stats, error)
+	StatsByDatabase(ctx context.Context, database string) (*Stats, error)
+
+	// Gap detection
+	DetectGaps(ctx context.Context, database string, config *GapDetectionConfig) ([]*Gap, error)
+	DetectAllGaps(ctx context.Context, config *GapDetectionConfig) (map[string][]*Gap, error)
+
+	// Verification tracking
+	MarkVerified(ctx context.Context, id int64, valid bool) error
+	MarkDrillTested(ctx context.Context, id int64, success bool) error
+
+	// Sync with filesystem
+	SyncFromDirectory(ctx context.Context, dir string) (*SyncResult, error)
+	SyncFromCloud(ctx context.Context, provider, bucket, prefix string) (*SyncResult, error)
+
+	// Maintenance
+	Prune(ctx context.Context, before time.Time) (int, error)
+	Vacuum(ctx context.Context) error
+	Close() error
+}
+
+// SyncResult contains results from a catalog sync operation
+type SyncResult struct {
+	Added    int      `json:"added"`
+	Updated  int      `json:"updated"`
+	Removed  int      `json:"removed"`
+	Errors   int      `json:"errors"`
+	Duration float64  `json:"duration_seconds"`
+	Details  []string `json:"details,omitempty"`
+}
+
+// FormatSize formats bytes as human-readable string
+func FormatSize(bytes int64) string {
+	const unit = 1024
+	if bytes < unit {
+		return fmt.Sprintf("%d B", bytes)
+	}
+	div, exp := int64(unit), 0
+	for n := bytes / unit; n >= unit; n /= unit {
+		div *= unit
+		exp++
+	}
+	return fmt.Sprintf("%.1f %cB", float64(bytes)/float64(div), "KMGTPE"[exp])
+}
+
+// FormatDuration formats duration as human-readable string
+func FormatDuration(d time.Duration) string {
+	if d < time.Minute {
+		return fmt.Sprintf("%.0fs", d.Seconds())
+	}
+	if d < time.Hour {
+		mins := int(d.Minutes())
+		secs := int(d.Seconds()) - mins*60
+		return fmt.Sprintf("%dm %ds", mins, secs)
+	}
+	hours := int(d.Hours())
+	mins := int(d.Minutes()) - hours*60
+	return fmt.Sprintf("%dh %dm", hours, mins)
+}
--- a/internal/catalog/catalog_test.go
+++ b/internal/catalog/catalog_test.go
@@ -0,0 +1,308 @@
+package catalog
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"path/filepath"
+	"testing"
+	"time"
+)
+
+func TestSQLiteCatalog(t *testing.T) {
+	// Create temp directory for test database
+	tmpDir, err := os.MkdirTemp("", "catalog_test")
+	if err != nil {
+		t.Fatalf("Failed to create temp dir: %v", err)
+	}
+	defer os.RemoveAll(tmpDir)
+
+	dbPath := filepath.Join(tmpDir, "test_catalog.db")
+
+	// Test creation
+	cat, err := NewSQLiteCatalog(dbPath)
+	if err != nil {
+		t.Fatalf("Failed to create catalog: %v", err)
+	}
+	defer cat.Close()
+
+	ctx := context.Background()
+
+	// Test Add
+	entry := &Entry{
+		Database:     "testdb",
+		DatabaseType: "postgresql",
+		Host:         "localhost",
+		Port:         5432,
+		BackupPath:   "/backups/testdb_20240115.dump.gz",
+		BackupType:   "full",
+		SizeBytes:    1024 * 1024 * 100, // 100 MB
+		SHA256:       "abc123def456",
+		Compression:  "gzip",
+		Encrypted:    false,
+		CreatedAt:    time.Now().Add(-24 * time.Hour),
+		Duration:     45.5,
+		Status:       StatusCompleted,
+	}
+
+	err = cat.Add(ctx, entry)
+	if err != nil {
+		t.Fatalf("Failed to add entry: %v", err)
+	}
+
+	if entry.ID == 0 {
+		t.Error("Expected entry ID to be set after Add")
+	}
+
+	// Test Get
+	retrieved, err := cat.Get(ctx, entry.ID)
+	if err != nil {
+		t.Fatalf("Failed to get entry: %v", err)
+	}
+
+	if retrieved == nil {
+		t.Fatal("Expected to retrieve entry, got nil")
+	}
+
+	if retrieved.Database != "testdb" {
+		t.Errorf("Expected database 'testdb', got '%s'", retrieved.Database)
+	}
+
+	if retrieved.SizeBytes != entry.SizeBytes {
+		t.Errorf("Expected size %d, got %d", entry.SizeBytes, retrieved.SizeBytes)
+	}
+
+	// Test GetByPath
+	byPath, err := cat.GetByPath(ctx, entry.BackupPath)
+	if err != nil {
+		t.Fatalf("Failed to get by path: %v", err)
+	}
+
+	if byPath == nil || byPath.ID != entry.ID {
+		t.Error("GetByPath returned wrong entry")
+	}
+
+	// Test List
+	entries, err := cat.List(ctx, "testdb", 10)
+	if err != nil {
+		t.Fatalf("Failed to list entries: %v", err)
+	}
+
+	if len(entries) != 1 {
+		t.Errorf("Expected 1 entry, got %d", len(entries))
+	}
+
+	// Test ListDatabases
+	databases, err := cat.ListDatabases(ctx)
+	if err != nil {
+		t.Fatalf("Failed to list databases: %v", err)
+	}
+
+	if len(databases) != 1 || databases[0] != "testdb" {
+		t.Errorf("Expected ['testdb'], got %v", databases)
+	}
+
+	// Test Stats
+	stats, err := cat.Stats(ctx)
+	if err != nil {
+		t.Fatalf("Failed to get stats: %v", err)
+	}
+
+	if stats.TotalBackups != 1 {
+		t.Errorf("Expected 1 total backup, got %d", stats.TotalBackups)
+	}
+
+	if stats.TotalSize != entry.SizeBytes {
+		t.Errorf("Expected size %d, got %d", entry.SizeBytes, stats.TotalSize)
+	}
+
+	// Test MarkVerified
+	err = cat.MarkVerified(ctx, entry.ID, true)
+	if err != nil {
+		t.Fatalf("Failed to mark verified: %v", err)
+	}
+
+	verified, _ := cat.Get(ctx, entry.ID)
+	if verified.VerifiedAt == nil {
+		t.Error("Expected VerifiedAt to be set")
+	}
+	if verified.VerifyValid == nil || !*verified.VerifyValid {
+		t.Error("Expected VerifyValid to be true")
+	}
+
+	// Test Update
+	entry.SizeBytes = 200 * 1024 * 1024 // 200 MB
+	err = cat.Update(ctx, entry)
+	if err != nil {
+		t.Fatalf("Failed to update entry: %v", err)
+	}
+
+	updated, _ := cat.Get(ctx, entry.ID)
+	if updated.SizeBytes != entry.SizeBytes {
+		t.Errorf("Update failed: expected size %d, got %d", entry.SizeBytes, updated.SizeBytes)
+	}
+
+	// Test Search with filters
+	query := &SearchQuery{
+		Database:  "testdb",
+		Limit:     10,
+		OrderBy:   "created_at",
+		OrderDesc: true,
+	}
+
+	results, err := cat.Search(ctx, query)
+	if err != nil {
+		t.Fatalf("Search failed: %v", err)
+	}
+
+	if len(results) != 1 {
+		t.Errorf("Expected 1 result, got %d", len(results))
+	}
+
+	// Test Search with wildcards
+	query.Database = "test*"
+	results, err = cat.Search(ctx, query)
+	if err != nil {
+		t.Fatalf("Wildcard search failed: %v", err)
+	}
+
+	if len(results) != 1 {
+		t.Errorf("Expected 1 result from wildcard search, got %d", len(results))
+	}
+
+	// Test Count
+	count, err := cat.Count(ctx, &SearchQuery{Database: "testdb"})
+	if err != nil {
+		t.Fatalf("Count failed: %v", err)
+	}
+
+	if count != 1 {
+		t.Errorf("Expected count 1, got %d", count)
+	}
+
+	// Test Delete
+	err = cat.Delete(ctx, entry.ID)
+	if err != nil {
+		t.Fatalf("Failed to delete entry: %v", err)
+	}
+
+	deleted, _ := cat.Get(ctx, entry.ID)
+	if deleted != nil {
+		t.Error("Expected entry to be deleted")
+	}
+}
+
+func TestGapDetection(t *testing.T) {
+	tmpDir, err := os.MkdirTemp("", "catalog_gaps_test")
+	if err != nil {
+		t.Fatalf("Failed to create temp dir: %v", err)
+	}
+	defer os.RemoveAll(tmpDir)
+
+	dbPath := filepath.Join(tmpDir, "test_catalog.db")
+	cat, err := NewSQLiteCatalog(dbPath)
+	if err != nil {
+		t.Fatalf("Failed to create catalog: %v", err)
+	}
+	defer cat.Close()
+
+	ctx := context.Background()
+
+	// Add backups with varying intervals
+	now := time.Now()
+	backups := []time.Time{
+		now.Add(-7 * 24 * time.Hour), // 7 days ago
+		now.Add(-6 * 24 * time.Hour), // 6 days ago (OK)
+		now.Add(-5 * 24 * time.Hour), // 5 days ago (OK)
+		// Missing 4 days ago - GAP
+		now.Add(-3 * 24 * time.Hour), // 3 days ago
+		now.Add(-2 * 24 * time.Hour), // 2 days ago (OK)
+		// Missing 1 day ago and today - GAP to now
+	}
+
+	for i, ts := range backups {
+		entry := &Entry{
+			Database:     "gaptest",
+			DatabaseType: "postgresql",
+			BackupPath:   filepath.Join(tmpDir, fmt.Sprintf("backup_%d.dump", i)),
+			BackupType:   "full",
+			CreatedAt:    ts,
+			Status:       StatusCompleted,
+		}
+		cat.Add(ctx, entry)
+	}
+
+	// Detect gaps with 24h expected interval
+	config := &GapDetectionConfig{
+		ExpectedInterval: 24 * time.Hour,
+		Tolerance:        2 * time.Hour,
+		RPOThreshold:     48 * time.Hour,
+	}
+
+	gaps, err := cat.DetectGaps(ctx, "gaptest", config)
+	if err != nil {
+		t.Fatalf("Gap detection failed: %v", err)
+	}
+
+	// Should detect at least 2 gaps:
+	// 1. Between 5 days ago and 3 days ago (missing 4 days ago)
+	// 2. Between 2 days ago and now (missing recent backups)
+	if len(gaps) < 2 {
+		t.Errorf("Expected at least 2 gaps, got %d", len(gaps))
+	}
+
+	// Check gap severities
+	hasCritical := false
+	for _, gap := range gaps {
+		if gap.Severity == SeverityCritical {
+			hasCritical = true
+		}
+		if gap.Duration < config.ExpectedInterval {
+			t.Errorf("Gap duration %v is less than expected interval", gap.Duration)
+		}
+	}
+
+	// The gap from 2 days ago to now should be critical (>48h)
+	if !hasCritical {
+		t.Log("Note: Expected at least one critical gap")
+	}
+}
+
+func TestFormatSize(t *testing.T) {
+	tests := []struct {
+		bytes    int64
+		expected string
+	}{
+		{0, "0 B"},
+		{500, "500 B"},
+		{1024, "1.0 KB"},
+		{1024 * 1024, "1.0 MB"},
+		{1024 * 1024 * 1024, "1.0 GB"},
+		{1024 * 1024 * 1024 * 1024, "1.0 TB"},
+	}
+
+	for _, test := range tests {
+		result := FormatSize(test.bytes)
+		if result != test.expected {
+			t.Errorf("FormatSize(%d) = %s, expected %s", test.bytes, result, test.expected)
+		}
+	}
+}
+
+func TestFormatDuration(t *testing.T) {
+	tests := []struct {
+		duration time.Duration
+		expected string
+	}{
+		{30 * time.Second, "30s"},
+		{90 * time.Second, "1m 30s"},
+		{2 * time.Hour, "2h 0m"},
+	}
+
+	for _, test := range tests {
+		result := FormatDuration(test.duration)
+		if result != test.expected {
+			t.Errorf("FormatDuration(%v) = %s, expected %s", test.duration, result, test.expected)
+		}
+	}
+}
--- a/internal/catalog/gaps.go
+++ b/internal/catalog/gaps.go
@@ -0,0 +1,299 @@
+// Package catalog - Gap detection for backup schedules
+package catalog
+
+import (
+	"context"
+	"sort"
+	"time"
+)
+
+// DetectGaps analyzes backup history and finds gaps in the schedule
+func (c *SQLiteCatalog) DetectGaps(ctx context.Context, database string, config *GapDetectionConfig) ([]*Gap, error) {
+	if config == nil {
+		config = &GapDetectionConfig{
+			ExpectedInterval: 24 * time.Hour,
+			Tolerance:        time.Hour,
+			RPOThreshold:     48 * time.Hour,
+		}
+	}
+
+	// Get all backups for this database, ordered by time
+	query := &SearchQuery{
+		Database:  database,
+		Status:    string(StatusCompleted),
+		OrderBy:   "created_at",
+		OrderDesc: false,
+	}
+
+	if config.StartDate != nil {
+		query.StartDate = config.StartDate
+	}
+	if config.EndDate != nil {
+		query.EndDate = config.EndDate
+	}
+
+	entries, err := c.Search(ctx, query)
+	if err != nil {
+		return nil, err
+	}
+
+	if len(entries) < 2 {
+		return nil, nil // Not enough backups to detect gaps
+	}
+
+	var gaps []*Gap
+
+	for i := 1; i < len(entries); i++ {
+		prev := entries[i-1]
+		curr := entries[i]
+
+		actualInterval := curr.CreatedAt.Sub(prev.CreatedAt)
+		expectedWithTolerance := config.ExpectedInterval + config.Tolerance
+
+		if actualInterval > expectedWithTolerance {
+			gap := &Gap{
+				Database:   database,
+				GapStart:   prev.CreatedAt,
+				GapEnd:     curr.CreatedAt,
+				Duration:   actualInterval,
+				ExpectedAt: prev.CreatedAt.Add(config.ExpectedInterval),
+			}
+
+			// Determine severity
+			if actualInterval > config.RPOThreshold {
+				gap.Severity = SeverityCritical
+				gap.Description = "CRITICAL: Gap exceeds RPO threshold"
+			} else if actualInterval > config.ExpectedInterval*2 {
+				gap.Severity = SeverityWarning
+				gap.Description = "WARNING: Gap exceeds 2x expected interval"
+			} else {
+				gap.Severity = SeverityInfo
+				gap.Description = "INFO: Gap exceeds expected interval"
+			}
+
+			gaps = append(gaps, gap)
+		}
+	}
+
+	// Check for gap from last backup to now
+	lastBackup := entries[len(entries)-1]
+	now := time.Now()
+	if config.EndDate != nil {
+		now = *config.EndDate
+	}
+
+	sinceLastBackup := now.Sub(lastBackup.CreatedAt)
+	if sinceLastBackup > config.ExpectedInterval+config.Tolerance {
+		gap := &Gap{
+			Database:   database,
+			GapStart:   lastBackup.CreatedAt,
+			GapEnd:     now,
+			Duration:   sinceLastBackup,
+			ExpectedAt: lastBackup.CreatedAt.Add(config.ExpectedInterval),
+		}
+
+		if sinceLastBackup > config.RPOThreshold {
+			gap.Severity = SeverityCritical
+			gap.Description = "CRITICAL: No backup since " + FormatDuration(sinceLastBackup)
+		} else if sinceLastBackup > config.ExpectedInterval*2 {
+			gap.Severity = SeverityWarning
+			gap.Description = "WARNING: No backup since " + FormatDuration(sinceLastBackup)
+		} else {
+			gap.Severity = SeverityInfo
+			gap.Description = "INFO: Backup overdue by " + FormatDuration(sinceLastBackup-config.ExpectedInterval)
+		}
+
+		gaps = append(gaps, gap)
+	}
+
+	return gaps, nil
+}
+
+// DetectAllGaps analyzes all databases for backup gaps
+func (c *SQLiteCatalog) DetectAllGaps(ctx context.Context, config *GapDetectionConfig) (map[string][]*Gap, error) {
+	databases, err := c.ListDatabases(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	allGaps := make(map[string][]*Gap)
+
+	for _, db := range databases {
+		gaps, err := c.DetectGaps(ctx, db, config)
+		if err != nil {
+			continue // Skip errors for individual databases
+		}
+		if len(gaps) > 0 {
+			allGaps[db] = gaps
+		}
+	}
+
+	return allGaps, nil
+}
+
+// BackupFrequencyAnalysis provides analysis of backup frequency
+type BackupFrequencyAnalysis struct {
+	Database        string        `json:"database"`
+	TotalBackups    int           `json:"total_backups"`
+	AnalysisPeriod  time.Duration `json:"analysis_period"`
+	AverageInterval time.Duration `json:"average_interval"`
+	MinInterval     time.Duration `json:"min_interval"`
+	MaxInterval     time.Duration `json:"max_interval"`
+	StdDeviation    time.Duration `json:"std_deviation"`
+	Regularity      float64       `json:"regularity"` // 0-1, higher is more regular
+	GapsDetected    int           `json:"gaps_detected"`
+	MissedBackups   int           `json:"missed_backups"` // Estimated based on expected interval
+}
+
+// AnalyzeFrequency analyzes backup frequency for a database
+func (c *SQLiteCatalog) AnalyzeFrequency(ctx context.Context, database string, expectedInterval time.Duration) (*BackupFrequencyAnalysis, error) {
+	query := &SearchQuery{
+		Database:  database,
+		Status:    string(StatusCompleted),
+		OrderBy:   "created_at",
+		OrderDesc: false,
+	}
+
+	entries, err := c.Search(ctx, query)
+	if err != nil {
+		return nil, err
+	}
+
+	if len(entries) < 2 {
+		return &BackupFrequencyAnalysis{
+			Database:     database,
+			TotalBackups: len(entries),
+		}, nil
+	}
+
+	analysis := &BackupFrequencyAnalysis{
+		Database:     database,
+		TotalBackups: len(entries),
+	}
+
+	// Calculate intervals
+	var intervals []time.Duration
+	for i := 1; i < len(entries); i++ {
+		interval := entries[i].CreatedAt.Sub(entries[i-1].CreatedAt)
+		intervals = append(intervals, interval)
+	}
+
+	analysis.AnalysisPeriod = entries[len(entries)-1].CreatedAt.Sub(entries[0].CreatedAt)
+
+	// Calculate min, max, average
+	sort.Slice(intervals, func(i, j int) bool {
+		return intervals[i] < intervals[j]
+	})
+
+	analysis.MinInterval = intervals[0]
+	analysis.MaxInterval = intervals[len(intervals)-1]
+
+	var total time.Duration
+	for _, interval := range intervals {
+		total += interval
+	}
+	analysis.AverageInterval = total / time.Duration(len(intervals))
+
+	// Calculate standard deviation
+	var sumSquares float64
+	avgNanos := float64(analysis.AverageInterval.Nanoseconds())
+	for _, interval := range intervals {
+		diff := float64(interval.Nanoseconds()) - avgNanos
+		sumSquares += diff * diff
+	}
+	variance := sumSquares / float64(len(intervals))
+	analysis.StdDeviation = time.Duration(int64(variance)) // Simplified
+
+	// Calculate regularity score (lower deviation = higher regularity)
+	if analysis.AverageInterval > 0 {
+		deviationRatio := float64(analysis.StdDeviation) / float64(analysis.AverageInterval)
+		analysis.Regularity = 1.0 - min(deviationRatio, 1.0)
+	}
+
+	// Detect gaps and missed backups
+	config := &GapDetectionConfig{
+		ExpectedInterval: expectedInterval,
+		Tolerance:        expectedInterval / 4,
+		RPOThreshold:     expectedInterval * 2,
+	}
+
+	gaps, _ := c.DetectGaps(ctx, database, config)
+	analysis.GapsDetected = len(gaps)
+
+	// Estimate missed backups
+	if expectedInterval > 0 {
+		expectedBackups := int(analysis.AnalysisPeriod / expectedInterval)
+		if expectedBackups > analysis.TotalBackups {
+			analysis.MissedBackups = expectedBackups - analysis.TotalBackups
+		}
+	}
+
+	return analysis, nil
+}
+
+// RecoveryPointObjective calculates the current RPO status
+type RPOStatus struct {
+	Database         string        `json:"database"`
+	LastBackup       time.Time     `json:"last_backup"`
+	TimeSinceBackup  time.Duration `json:"time_since_backup"`
+	TargetRPO        time.Duration `json:"target_rpo"`
+	CurrentRPO       time.Duration `json:"current_rpo"`
+	RPOMet           bool          `json:"rpo_met"`
+	NextBackupDue    time.Time     `json:"next_backup_due"`
+	BackupsIn24Hours int           `json:"backups_in_24h"`
+	BackupsIn7Days   int           `json:"backups_in_7d"`
+}
+
+// CalculateRPOStatus calculates RPO status for a database
+func (c *SQLiteCatalog) CalculateRPOStatus(ctx context.Context, database string, targetRPO time.Duration) (*RPOStatus, error) {
+	status := &RPOStatus{
+		Database:  database,
+		TargetRPO: targetRPO,
+	}
+
+	// Get most recent backup
+	entries, err := c.List(ctx, database, 1)
+	if err != nil {
+		return nil, err
+	}
+
+	if len(entries) == 0 {
+		status.RPOMet = false
+		status.CurrentRPO = time.Duration(0)
+		return status, nil
+	}
+
+	status.LastBackup = entries[0].CreatedAt
+	status.TimeSinceBackup = time.Since(entries[0].CreatedAt)
+	status.CurrentRPO = status.TimeSinceBackup
+	status.RPOMet = status.TimeSinceBackup <= targetRPO
+	status.NextBackupDue = entries[0].CreatedAt.Add(targetRPO)
+
+	// Count backups in time windows
+	now := time.Now()
+	last24h := now.Add(-24 * time.Hour)
+	last7d := now.Add(-7 * 24 * time.Hour)
+
+	count24h, _ := c.Count(ctx, &SearchQuery{
+		Database:  database,
+		StartDate: &last24h,
+		Status:    string(StatusCompleted),
+	})
+	count7d, _ := c.Count(ctx, &SearchQuery{
+		Database:  database,
+		StartDate: &last7d,
+		Status:    string(StatusCompleted),
+	})
+
+	status.BackupsIn24Hours = int(count24h)
+	status.BackupsIn7Days = int(count7d)
+
+	return status, nil
+}
+
+func min(a, b float64) float64 {
+	if a < b {
+		return a
+	}
+	return b
+}
--- a/internal/catalog/sqlite.go
+++ b/internal/catalog/sqlite.go
@@ -0,0 +1,632 @@
+// Package catalog - SQLite storage implementation
+package catalog
+
+import (
+	"context"
+	"database/sql"
+	"encoding/json"
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+	"time"
+
+	_ "github.com/mattn/go-sqlite3"
+)
+
+// SQLiteCatalog implements Catalog interface with SQLite storage
+type SQLiteCatalog struct {
+	db   *sql.DB
+	path string
+}
+
+// NewSQLiteCatalog creates a new SQLite-backed catalog
+func NewSQLiteCatalog(dbPath string) (*SQLiteCatalog, error) {
+	// Ensure directory exists
+	dir := filepath.Dir(dbPath)
+	if err := os.MkdirAll(dir, 0755); err != nil {
+		return nil, fmt.Errorf("failed to create catalog directory: %w", err)
+	}
+
+	db, err := sql.Open("sqlite3", dbPath+"?_journal_mode=WAL&_foreign_keys=ON")
+	if err != nil {
+		return nil, fmt.Errorf("failed to open catalog database: %w", err)
+	}
+
+	catalog := &SQLiteCatalog{
+		db:   db,
+		path: dbPath,
+	}
+
+	if err := catalog.initialize(); err != nil {
+		db.Close()
+		return nil, err
+	}
+
+	return catalog, nil
+}
+
+// initialize creates the database schema
+func (c *SQLiteCatalog) initialize() error {
+	schema := `
+	CREATE TABLE IF NOT EXISTS backups (
+		id INTEGER PRIMARY KEY AUTOINCREMENT,
+		database TEXT NOT NULL,
+		database_type TEXT NOT NULL,
+		host TEXT,
+		port INTEGER,
+		backup_path TEXT NOT NULL UNIQUE,
+		backup_type TEXT DEFAULT 'full',
+		size_bytes INTEGER,
+		sha256 TEXT,
+		compression TEXT,
+		encrypted INTEGER DEFAULT 0,
+		created_at DATETIME NOT NULL,
+		duration REAL,
+		status TEXT DEFAULT 'completed',
+		verified_at DATETIME,
+		verify_valid INTEGER,
+		drill_tested_at DATETIME,
+		drill_success INTEGER,
+		cloud_location TEXT,
+		retention_policy TEXT,
+		tags TEXT,
+		metadata TEXT,
+		updated_at DATETIME DEFAULT CURRENT_TIMESTAMP
+	);
+
+	CREATE INDEX IF NOT EXISTS idx_backups_database ON backups(database);
+	CREATE INDEX IF NOT EXISTS idx_backups_created_at ON backups(created_at);
+	CREATE INDEX IF NOT EXISTS idx_backups_status ON backups(status);
+	CREATE INDEX IF NOT EXISTS idx_backups_host ON backups(host);
+	CREATE INDEX IF NOT EXISTS idx_backups_database_type ON backups(database_type);
+
+	CREATE TABLE IF NOT EXISTS catalog_meta (
+		key TEXT PRIMARY KEY,
+		value TEXT,
+		updated_at DATETIME DEFAULT CURRENT_TIMESTAMP
+	);
+
+	-- Store schema version for migrations
+	INSERT OR IGNORE INTO catalog_meta (key, value) VALUES ('schema_version', '1');
+	`
+
+	_, err := c.db.Exec(schema)
+	if err != nil {
+		return fmt.Errorf("failed to initialize schema: %w", err)
+	}
+
+	return nil
+}
+
+// Add inserts a new backup entry
+func (c *SQLiteCatalog) Add(ctx context.Context, entry *Entry) error {
+	tagsJSON, _ := json.Marshal(entry.Tags)
+	metaJSON, _ := json.Marshal(entry.Metadata)
+
+	result, err := c.db.ExecContext(ctx, `
+		INSERT INTO backups (
+			database, database_type, host, port, backup_path, backup_type,
+			size_bytes, sha256, compression, encrypted, created_at, duration,
+			status, cloud_location, retention_policy, tags, metadata
+		) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+	`,
+		entry.Database, entry.DatabaseType, entry.Host, entry.Port,
+		entry.BackupPath, entry.BackupType, entry.SizeBytes, entry.SHA256,
+		entry.Compression, entry.Encrypted, entry.CreatedAt, entry.Duration,
+		entry.Status, entry.CloudLocation, entry.RetentionPolicy,
+		string(tagsJSON), string(metaJSON),
+	)
+	if err != nil {
+		return fmt.Errorf("failed to add catalog entry: %w", err)
+	}
+
+	id, _ := result.LastInsertId()
+	entry.ID = id
+	return nil
+}
+
+// Update updates an existing backup entry
+func (c *SQLiteCatalog) Update(ctx context.Context, entry *Entry) error {
+	tagsJSON, _ := json.Marshal(entry.Tags)
+	metaJSON, _ := json.Marshal(entry.Metadata)
+
+	_, err := c.db.ExecContext(ctx, `
+		UPDATE backups SET
+			database = ?, database_type = ?, host = ?, port = ?,
+			backup_type = ?, size_bytes = ?, sha256 = ?, compression = ?,
+			encrypted = ?, duration = ?, status = ?, verified_at = ?,
+			verify_valid = ?, drill_tested_at = ?, drill_success = ?,
+			cloud_location = ?, retention_policy = ?, tags = ?, metadata = ?,
+			updated_at = CURRENT_TIMESTAMP
+		WHERE id = ?
+	`,
+		entry.Database, entry.DatabaseType, entry.Host, entry.Port,
+		entry.BackupType, entry.SizeBytes, entry.SHA256, entry.Compression,
+		entry.Encrypted, entry.Duration, entry.Status, entry.VerifiedAt,
+		entry.VerifyValid, entry.DrillTestedAt, entry.DrillSuccess,
+		entry.CloudLocation, entry.RetentionPolicy,
+		string(tagsJSON), string(metaJSON), entry.ID,
+	)
+	if err != nil {
+		return fmt.Errorf("failed to update catalog entry: %w", err)
+	}
+	return nil
+}
+
+// Delete removes a backup entry
+func (c *SQLiteCatalog) Delete(ctx context.Context, id int64) error {
+	_, err := c.db.ExecContext(ctx, "DELETE FROM backups WHERE id = ?", id)
+	if err != nil {
+		return fmt.Errorf("failed to delete catalog entry: %w", err)
+	}
+	return nil
+}
+
+// Get retrieves a backup entry by ID
+func (c *SQLiteCatalog) Get(ctx context.Context, id int64) (*Entry, error) {
+	row := c.db.QueryRowContext(ctx, `
+		SELECT id, database, database_type, host, port, backup_path, backup_type,
+			size_bytes, sha256, compression, encrypted, created_at, duration,
+			status, verified_at, verify_valid, drill_tested_at, drill_success,
+			cloud_location, retention_policy, tags, metadata
+		FROM backups WHERE id = ?
+	`, id)
+
+	return c.scanEntry(row)
+}
+
+// GetByPath retrieves a backup entry by file path
+func (c *SQLiteCatalog) GetByPath(ctx context.Context, path string) (*Entry, error) {
+	row := c.db.QueryRowContext(ctx, `
+		SELECT id, database, database_type, host, port, backup_path, backup_type,
+			size_bytes, sha256, compression, encrypted, created_at, duration,
+			status, verified_at, verify_valid, drill_tested_at, drill_success,
+			cloud_location, retention_policy, tags, metadata
+		FROM backups WHERE backup_path = ?
+	`, path)
+
+	return c.scanEntry(row)
+}
+
+// scanEntry scans a row into an Entry struct
+func (c *SQLiteCatalog) scanEntry(row *sql.Row) (*Entry, error) {
+	var entry Entry
+	var tagsJSON, metaJSON sql.NullString
+	var verifiedAt, drillTestedAt sql.NullTime
+	var verifyValid, drillSuccess sql.NullBool
+
+	err := row.Scan(
+		&entry.ID, &entry.Database, &entry.DatabaseType, &entry.Host, &entry.Port,
+		&entry.BackupPath, &entry.BackupType, &entry.SizeBytes, &entry.SHA256,
+		&entry.Compression, &entry.Encrypted, &entry.CreatedAt, &entry.Duration,
+		&entry.Status, &verifiedAt, &verifyValid, &drillTestedAt, &drillSuccess,
+		&entry.CloudLocation, &entry.RetentionPolicy, &tagsJSON, &metaJSON,
+	)
+	if err == sql.ErrNoRows {
+		return nil, nil
+	}
+	if err != nil {
+		return nil, fmt.Errorf("failed to scan entry: %w", err)
+	}
+
+	if verifiedAt.Valid {
+		entry.VerifiedAt = &verifiedAt.Time
+	}
+	if verifyValid.Valid {
+		entry.VerifyValid = &verifyValid.Bool
+	}
+	if drillTestedAt.Valid {
+		entry.DrillTestedAt = &drillTestedAt.Time
+	}
+	if drillSuccess.Valid {
+		entry.DrillSuccess = &drillSuccess.Bool
+	}
+
+	if tagsJSON.Valid && tagsJSON.String != "" {
+		json.Unmarshal([]byte(tagsJSON.String), &entry.Tags)
+	}
+	if metaJSON.Valid && metaJSON.String != "" {
+		json.Unmarshal([]byte(metaJSON.String), &entry.Metadata)
+	}
+
+	return &entry, nil
+}
+
+// Search finds backup entries matching the query
+func (c *SQLiteCatalog) Search(ctx context.Context, query *SearchQuery) ([]*Entry, error) {
+	where, args := c.buildSearchQuery(query)
+
+	orderBy := "created_at DESC"
+	if query.OrderBy != "" {
+		orderBy = query.OrderBy
+		if query.OrderDesc {
+			orderBy += " DESC"
+		}
+	}
+
+	sql := fmt.Sprintf(`
+		SELECT id, database, database_type, host, port, backup_path, backup_type,
+			size_bytes, sha256, compression, encrypted, created_at, duration,
+			status, verified_at, verify_valid, drill_tested_at, drill_success,
+			cloud_location, retention_policy, tags, metadata
+		FROM backups
+		%s
+		ORDER BY %s
+	`, where, orderBy)
+
+	if query.Limit > 0 {
+		sql += fmt.Sprintf(" LIMIT %d", query.Limit)
+		if query.Offset > 0 {
+			sql += fmt.Sprintf(" OFFSET %d", query.Offset)
+		}
+	}
+
+	rows, err := c.db.QueryContext(ctx, sql, args...)
+	if err != nil {
+		return nil, fmt.Errorf("search query failed: %w", err)
+	}
+	defer rows.Close()
+
+	return c.scanEntries(rows)
+}
+
+// scanEntries scans multiple rows into Entry slices
+func (c *SQLiteCatalog) scanEntries(rows *sql.Rows) ([]*Entry, error) {
+	var entries []*Entry
+
+	for rows.Next() {
+		var entry Entry
+		var tagsJSON, metaJSON sql.NullString
+		var verifiedAt, drillTestedAt sql.NullTime
+		var verifyValid, drillSuccess sql.NullBool
+
+		err := rows.Scan(
+			&entry.ID, &entry.Database, &entry.DatabaseType, &entry.Host, &entry.Port,
+			&entry.BackupPath, &entry.BackupType, &entry.SizeBytes, &entry.SHA256,
+			&entry.Compression, &entry.Encrypted, &entry.CreatedAt, &entry.Duration,
+			&entry.Status, &verifiedAt, &verifyValid, &drillTestedAt, &drillSuccess,
+			&entry.CloudLocation, &entry.RetentionPolicy, &tagsJSON, &metaJSON,
+		)
+		if err != nil {
+			return nil, fmt.Errorf("failed to scan row: %w", err)
+		}
+
+		if verifiedAt.Valid {
+			entry.VerifiedAt = &verifiedAt.Time
+		}
+		if verifyValid.Valid {
+			entry.VerifyValid = &verifyValid.Bool
+		}
+		if drillTestedAt.Valid {
+			entry.DrillTestedAt = &drillTestedAt.Time
+		}
+		if drillSuccess.Valid {
+			entry.DrillSuccess = &drillSuccess.Bool
+		}
+
+		if tagsJSON.Valid && tagsJSON.String != "" {
+			json.Unmarshal([]byte(tagsJSON.String), &entry.Tags)
+		}
+		if metaJSON.Valid && metaJSON.String != "" {
+			json.Unmarshal([]byte(metaJSON.String), &entry.Metadata)
+		}
+
+		entries = append(entries, &entry)
+	}
+
+	return entries, rows.Err()
+}
+
+// buildSearchQuery builds the WHERE clause from a SearchQuery
+func (c *SQLiteCatalog) buildSearchQuery(query *SearchQuery) (string, []interface{}) {
+	var conditions []string
+	var args []interface{}
+
+	if query.Database != "" {
+		if strings.Contains(query.Database, "*") {
+			conditions = append(conditions, "database LIKE ?")
+			args = append(args, strings.ReplaceAll(query.Database, "*", "%"))
+		} else {
+			conditions = append(conditions, "database = ?")
+			args = append(args, query.Database)
+		}
+	}
+
+	if query.DatabaseType != "" {
+		conditions = append(conditions, "database_type = ?")
+		args = append(args, query.DatabaseType)
+	}
+
+	if query.Host != "" {
+		conditions = append(conditions, "host = ?")
+		args = append(args, query.Host)
+	}
+
+	if query.Status != "" {
+		conditions = append(conditions, "status = ?")
+		args = append(args, query.Status)
+	}
+
+	if query.StartDate != nil {
+		conditions = append(conditions, "created_at >= ?")
+		args = append(args, *query.StartDate)
+	}
+
+	if query.EndDate != nil {
+		conditions = append(conditions, "created_at <= ?")
+		args = append(args, *query.EndDate)
+	}
+
+	if query.MinSize > 0 {
+		conditions = append(conditions, "size_bytes >= ?")
+		args = append(args, query.MinSize)
+	}
+
+	if query.MaxSize > 0 {
+		conditions = append(conditions, "size_bytes <= ?")
+		args = append(args, query.MaxSize)
+	}
+
+	if query.BackupType != "" {
+		conditions = append(conditions, "backup_type = ?")
+		args = append(args, query.BackupType)
+	}
+
+	if query.Encrypted != nil {
+		conditions = append(conditions, "encrypted = ?")
+		args = append(args, *query.Encrypted)
+	}
+
+	if query.Verified != nil {
+		if *query.Verified {
+			conditions = append(conditions, "verified_at IS NOT NULL AND verify_valid = 1")
+		} else {
+			conditions = append(conditions, "verified_at IS NULL")
+		}
+	}
+
+	if query.DrillTested != nil {
+		if *query.DrillTested {
+			conditions = append(conditions, "drill_tested_at IS NOT NULL AND drill_success = 1")
+		} else {
+			conditions = append(conditions, "drill_tested_at IS NULL")
+		}
+	}
+
+	if len(conditions) == 0 {
+		return "", nil
+	}
+
+	return "WHERE " + strings.Join(conditions, " AND "), args
+}
+
+// List returns recent backups for a database
+func (c *SQLiteCatalog) List(ctx context.Context, database string, limit int) ([]*Entry, error) {
+	query := &SearchQuery{
+		Database:  database,
+		Limit:     limit,
+		OrderBy:   "created_at",
+		OrderDesc: true,
+	}
+	return c.Search(ctx, query)
+}
+
+// ListDatabases returns all unique database names
+func (c *SQLiteCatalog) ListDatabases(ctx context.Context) ([]string, error) {
+	rows, err := c.db.QueryContext(ctx, "SELECT DISTINCT database FROM backups ORDER BY database")
+	if err != nil {
+		return nil, fmt.Errorf("failed to list databases: %w", err)
+	}
+	defer rows.Close()
+
+	var databases []string
+	for rows.Next() {
+		var db string
+		if err := rows.Scan(&db); err != nil {
+			return nil, err
+		}
+		databases = append(databases, db)
+	}
+
+	return databases, rows.Err()
+}
+
+// Count returns the number of entries matching the query
+func (c *SQLiteCatalog) Count(ctx context.Context, query *SearchQuery) (int64, error) {
+	where, args := c.buildSearchQuery(query)
+
+	sql := "SELECT COUNT(*) FROM backups " + where
+
+	var count int64
+	err := c.db.QueryRowContext(ctx, sql, args...).Scan(&count)
+	if err != nil {
+		return 0, fmt.Errorf("count query failed: %w", err)
+	}
+
+	return count, nil
+}
+
+// Stats returns overall catalog statistics
+func (c *SQLiteCatalog) Stats(ctx context.Context) (*Stats, error) {
+	stats := &Stats{
+		ByDatabase: make(map[string]int64),
+		ByType:     make(map[string]int64),
+		ByStatus:   make(map[string]int64),
+	}
+
+	// Basic stats
+	row := c.db.QueryRowContext(ctx, `
+		SELECT 
+			COUNT(*),
+			COALESCE(SUM(size_bytes), 0),
+			MIN(created_at),
+			MAX(created_at),
+			COALESCE(AVG(duration), 0),
+			CAST(COALESCE(AVG(size_bytes), 0) AS INTEGER),
+			SUM(CASE WHEN verified_at IS NOT NULL THEN 1 ELSE 0 END),
+			SUM(CASE WHEN drill_tested_at IS NOT NULL THEN 1 ELSE 0 END)
+		FROM backups WHERE status != 'deleted'
+	`)
+
+	var oldest, newest sql.NullString
+	err := row.Scan(
+		&stats.TotalBackups, &stats.TotalSize, &oldest, &newest,
+		&stats.AvgDuration, &stats.AvgSize,
+		&stats.VerifiedCount, &stats.DrillTestedCount,
+	)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get stats: %w", err)
+	}
+
+	if oldest.Valid {
+		if t, err := time.Parse(time.RFC3339Nano, oldest.String); err == nil {
+			stats.OldestBackup = &t
+		} else if t, err := time.Parse("2006-01-02 15:04:05.999999999-07:00", oldest.String); err == nil {
+			stats.OldestBackup = &t
+		} else if t, err := time.Parse("2006-01-02T15:04:05Z", oldest.String); err == nil {
+			stats.OldestBackup = &t
+		}
+	}
+	if newest.Valid {
+		if t, err := time.Parse(time.RFC3339Nano, newest.String); err == nil {
+			stats.NewestBackup = &t
+		} else if t, err := time.Parse("2006-01-02 15:04:05.999999999-07:00", newest.String); err == nil {
+			stats.NewestBackup = &t
+		} else if t, err := time.Parse("2006-01-02T15:04:05Z", newest.String); err == nil {
+			stats.NewestBackup = &t
+		}
+	}
+	stats.TotalSizeHuman = FormatSize(stats.TotalSize)
+
+	// By database
+	rows, _ := c.db.QueryContext(ctx, "SELECT database, COUNT(*) FROM backups GROUP BY database")
+	defer rows.Close()
+	for rows.Next() {
+		var db string
+		var count int64
+		rows.Scan(&db, &count)
+		stats.ByDatabase[db] = count
+	}
+
+	// By type
+	rows, _ = c.db.QueryContext(ctx, "SELECT backup_type, COUNT(*) FROM backups GROUP BY backup_type")
+	defer rows.Close()
+	for rows.Next() {
+		var t string
+		var count int64
+		rows.Scan(&t, &count)
+		stats.ByType[t] = count
+	}
+
+	// By status
+	rows, _ = c.db.QueryContext(ctx, "SELECT status, COUNT(*) FROM backups GROUP BY status")
+	defer rows.Close()
+	for rows.Next() {
+		var s string
+		var count int64
+		rows.Scan(&s, &count)
+		stats.ByStatus[s] = count
+	}
+
+	return stats, nil
+}
+
+// StatsByDatabase returns statistics for a specific database
+func (c *SQLiteCatalog) StatsByDatabase(ctx context.Context, database string) (*Stats, error) {
+	stats := &Stats{
+		ByDatabase: make(map[string]int64),
+		ByType:     make(map[string]int64),
+		ByStatus:   make(map[string]int64),
+	}
+
+	row := c.db.QueryRowContext(ctx, `
+		SELECT 
+			COUNT(*),
+			COALESCE(SUM(size_bytes), 0),
+			MIN(created_at),
+			MAX(created_at),
+			COALESCE(AVG(duration), 0),
+			COALESCE(AVG(size_bytes), 0),
+			SUM(CASE WHEN verified_at IS NOT NULL THEN 1 ELSE 0 END),
+			SUM(CASE WHEN drill_tested_at IS NOT NULL THEN 1 ELSE 0 END)
+		FROM backups WHERE database = ? AND status != 'deleted'
+	`, database)
+
+	var oldest, newest sql.NullTime
+	err := row.Scan(
+		&stats.TotalBackups, &stats.TotalSize, &oldest, &newest,
+		&stats.AvgDuration, &stats.AvgSize,
+		&stats.VerifiedCount, &stats.DrillTestedCount,
+	)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get database stats: %w", err)
+	}
+
+	if oldest.Valid {
+		stats.OldestBackup = &oldest.Time
+	}
+	if newest.Valid {
+		stats.NewestBackup = &newest.Time
+	}
+	stats.TotalSizeHuman = FormatSize(stats.TotalSize)
+
+	return stats, nil
+}
+
+// MarkVerified updates the verification status of a backup
+func (c *SQLiteCatalog) MarkVerified(ctx context.Context, id int64, valid bool) error {
+	status := StatusVerified
+	if !valid {
+		status = StatusCorrupted
+	}
+
+	_, err := c.db.ExecContext(ctx, `
+		UPDATE backups SET 
+			verified_at = CURRENT_TIMESTAMP,
+			verify_valid = ?,
+			status = ?,
+			updated_at = CURRENT_TIMESTAMP
+		WHERE id = ?
+	`, valid, status, id)
+
+	return err
+}
+
+// MarkDrillTested updates the drill test status of a backup
+func (c *SQLiteCatalog) MarkDrillTested(ctx context.Context, id int64, success bool) error {
+	_, err := c.db.ExecContext(ctx, `
+		UPDATE backups SET 
+			drill_tested_at = CURRENT_TIMESTAMP,
+			drill_success = ?,
+			updated_at = CURRENT_TIMESTAMP
+		WHERE id = ?
+	`, success, id)
+
+	return err
+}
+
+// Prune removes entries older than the given time
+func (c *SQLiteCatalog) Prune(ctx context.Context, before time.Time) (int, error) {
+	result, err := c.db.ExecContext(ctx,
+		"DELETE FROM backups WHERE created_at < ? AND status = 'deleted'",
+		before,
+	)
+	if err != nil {
+		return 0, fmt.Errorf("prune failed: %w", err)
+	}
+
+	affected, _ := result.RowsAffected()
+	return int(affected), nil
+}
+
+// Vacuum optimizes the database
+func (c *SQLiteCatalog) Vacuum(ctx context.Context) error {
+	_, err := c.db.ExecContext(ctx, "VACUUM")
+	return err
+}
+
+// Close closes the database connection
+func (c *SQLiteCatalog) Close() error {
+	return c.db.Close()
+}
--- a/internal/catalog/sync.go
+++ b/internal/catalog/sync.go
@@ -0,0 +1,234 @@
+// Package catalog - Sync functionality for importing backups into catalog
+package catalog
+
+import (
+	"context"
+	"database/sql"
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+	"time"
+
+	"dbbackup/internal/metadata"
+)
+
+// SyncFromDirectory scans a directory and imports backup metadata into the catalog
+func (c *SQLiteCatalog) SyncFromDirectory(ctx context.Context, dir string) (*SyncResult, error) {
+	start := time.Now()
+	result := &SyncResult{}
+
+	// Find all metadata files
+	pattern := filepath.Join(dir, "*.meta.json")
+	matches, err := filepath.Glob(pattern)
+	if err != nil {
+		return nil, fmt.Errorf("failed to scan directory: %w", err)
+	}
+
+	// Also check subdirectories
+	subPattern := filepath.Join(dir, "*", "*.meta.json")
+	subMatches, _ := filepath.Glob(subPattern)
+	matches = append(matches, subMatches...)
+
+	for _, metaPath := range matches {
+		// Derive backup file path from metadata path
+		backupPath := strings.TrimSuffix(metaPath, ".meta.json")
+
+		// Check if backup file exists
+		if _, err := os.Stat(backupPath); os.IsNotExist(err) {
+			result.Details = append(result.Details,
+				fmt.Sprintf("SKIP: %s (backup file missing)", filepath.Base(backupPath)))
+			continue
+		}
+
+		// Load metadata
+		meta, err := metadata.Load(backupPath)
+		if err != nil {
+			result.Errors++
+			result.Details = append(result.Details,
+				fmt.Sprintf("ERROR: %s - %v", filepath.Base(backupPath), err))
+			continue
+		}
+
+		// Check if already in catalog
+		existing, _ := c.GetByPath(ctx, backupPath)
+		if existing != nil {
+			// Update if metadata changed
+			if existing.SHA256 != meta.SHA256 || existing.SizeBytes != meta.SizeBytes {
+				entry := metadataToEntry(meta, backupPath)
+				entry.ID = existing.ID
+				if err := c.Update(ctx, entry); err != nil {
+					result.Errors++
+					result.Details = append(result.Details,
+						fmt.Sprintf("ERROR updating: %s - %v", filepath.Base(backupPath), err))
+				} else {
+					result.Updated++
+				}
+			}
+			continue
+		}
+
+		// Add new entry
+		entry := metadataToEntry(meta, backupPath)
+		if err := c.Add(ctx, entry); err != nil {
+			result.Errors++
+			result.Details = append(result.Details,
+				fmt.Sprintf("ERROR adding: %s - %v", filepath.Base(backupPath), err))
+		} else {
+			result.Added++
+			result.Details = append(result.Details,
+				fmt.Sprintf("ADDED: %s (%s)", filepath.Base(backupPath), FormatSize(meta.SizeBytes)))
+		}
+	}
+
+	// Check for removed backups (backups in catalog but not on disk)
+	entries, _ := c.Search(ctx, &SearchQuery{})
+	for _, entry := range entries {
+		if !strings.HasPrefix(entry.BackupPath, dir) {
+			continue
+		}
+		if _, err := os.Stat(entry.BackupPath); os.IsNotExist(err) {
+			// Mark as deleted
+			entry.Status = StatusDeleted
+			c.Update(ctx, entry)
+			result.Removed++
+			result.Details = append(result.Details,
+				fmt.Sprintf("REMOVED: %s (file not found)", filepath.Base(entry.BackupPath)))
+		}
+	}
+
+	result.Duration = time.Since(start).Seconds()
+	return result, nil
+}
+
+// SyncFromCloud imports backups from cloud storage
+func (c *SQLiteCatalog) SyncFromCloud(ctx context.Context, provider, bucket, prefix string) (*SyncResult, error) {
+	// This will be implemented when integrating with cloud package
+	// For now, return a placeholder
+	return &SyncResult{
+		Details: []string{"Cloud sync not yet implemented - use directory sync instead"},
+	}, nil
+}
+
+// metadataToEntry converts backup metadata to a catalog entry
+func metadataToEntry(meta *metadata.BackupMetadata, backupPath string) *Entry {
+	entry := &Entry{
+		Database:     meta.Database,
+		DatabaseType: meta.DatabaseType,
+		Host:         meta.Host,
+		Port:         meta.Port,
+		BackupPath:   backupPath,
+		BackupType:   meta.BackupType,
+		SizeBytes:    meta.SizeBytes,
+		SHA256:       meta.SHA256,
+		Compression:  meta.Compression,
+		Encrypted:    meta.Encrypted,
+		CreatedAt:    meta.Timestamp,
+		Duration:     meta.Duration,
+		Status:       StatusCompleted,
+		Metadata:     meta.ExtraInfo,
+	}
+
+	if entry.BackupType == "" {
+		entry.BackupType = "full"
+	}
+
+	return entry
+}
+
+// ImportEntry creates a catalog entry directly from backup file info
+func (c *SQLiteCatalog) ImportEntry(ctx context.Context, backupPath string, info os.FileInfo, dbName, dbType string) error {
+	entry := &Entry{
+		Database:     dbName,
+		DatabaseType: dbType,
+		BackupPath:   backupPath,
+		BackupType:   "full",
+		SizeBytes:    info.Size(),
+		CreatedAt:    info.ModTime(),
+		Status:       StatusCompleted,
+	}
+
+	// Detect compression from extension
+	switch {
+	case strings.HasSuffix(backupPath, ".gz"):
+		entry.Compression = "gzip"
+	case strings.HasSuffix(backupPath, ".lz4"):
+		entry.Compression = "lz4"
+	case strings.HasSuffix(backupPath, ".zst"):
+		entry.Compression = "zstd"
+	}
+
+	// Check if encrypted
+	if strings.Contains(backupPath, ".enc") {
+		entry.Encrypted = true
+	}
+
+	// Try to load metadata if exists
+	if meta, err := metadata.Load(backupPath); err == nil {
+		entry.SHA256 = meta.SHA256
+		entry.Duration = meta.Duration
+		entry.Host = meta.Host
+		entry.Port = meta.Port
+		entry.Metadata = meta.ExtraInfo
+	}
+
+	return c.Add(ctx, entry)
+}
+
+// SyncStatus returns the sync status summary
+type SyncStatus struct {
+	LastSync       *time.Time `json:"last_sync,omitempty"`
+	TotalEntries   int64      `json:"total_entries"`
+	ActiveEntries  int64      `json:"active_entries"`
+	DeletedEntries int64      `json:"deleted_entries"`
+	Directories    []string   `json:"directories"`
+}
+
+// GetSyncStatus returns the current sync status
+func (c *SQLiteCatalog) GetSyncStatus(ctx context.Context) (*SyncStatus, error) {
+	status := &SyncStatus{}
+
+	// Get last sync time
+	var lastSync sql.NullString
+	c.db.QueryRowContext(ctx, "SELECT value FROM catalog_meta WHERE key = 'last_sync'").Scan(&lastSync)
+	if lastSync.Valid {
+		if t, err := time.Parse(time.RFC3339, lastSync.String); err == nil {
+			status.LastSync = &t
+		}
+	}
+
+	// Count entries
+	c.db.QueryRowContext(ctx, "SELECT COUNT(*) FROM backups").Scan(&status.TotalEntries)
+	c.db.QueryRowContext(ctx, "SELECT COUNT(*) FROM backups WHERE status != 'deleted'").Scan(&status.ActiveEntries)
+	c.db.QueryRowContext(ctx, "SELECT COUNT(*) FROM backups WHERE status = 'deleted'").Scan(&status.DeletedEntries)
+
+	// Get unique directories
+	rows, _ := c.db.QueryContext(ctx, `
+		SELECT DISTINCT 
+			CASE 
+				WHEN instr(backup_path, '/') > 0 
+				THEN substr(backup_path, 1, length(backup_path) - length(replace(backup_path, '/', '')) - length(substr(backup_path, length(backup_path) - length(replace(backup_path, '/', '')) + 2)))
+				ELSE backup_path 
+			END as dir
+		FROM backups WHERE status != 'deleted'
+	`)
+	if rows != nil {
+		defer rows.Close()
+		for rows.Next() {
+			var dir string
+			rows.Scan(&dir)
+			status.Directories = append(status.Directories, dir)
+		}
+	}
+
+	return status, nil
+}
+
+// SetLastSync updates the last sync timestamp
+func (c *SQLiteCatalog) SetLastSync(ctx context.Context) error {
+	_, err := c.db.ExecContext(ctx, `
+		INSERT OR REPLACE INTO catalog_meta (key, value, updated_at) 
+		VALUES ('last_sync', ?, CURRENT_TIMESTAMP)
+	`, time.Now().Format(time.RFC3339))
+	return err
+}
--- a/internal/checks/disk_check.go
+++ b/internal/checks/disk_check.go
@@ -75,16 +75,16 @@ func FormatDiskSpaceMessage(check *DiskSpaceCheck) string {

 	if check.Critical {
 		status = "CRITICAL"
-		icon = "❌"
+		icon = "[X]"
 	} else if check.Warning {
 		status = "WARNING"
-		icon = "⚠️ "
+		icon = "[!]"
 	} else {
 		status = "OK"
-		icon = "✓"
+		icon = "[+]"
 	}

-	msg := fmt.Sprintf(`📊 Disk Space Check (%s):
+	msg := fmt.Sprintf(`[DISK] Disk Space Check (%s):
   Path: %s
   Total: %s
   Available: %s (%.1f%% used)
@@ -98,43 +98,14 @@ func FormatDiskSpaceMessage(check *DiskSpaceCheck) string {
 		status)

 	if check.Critical {
-		msg += "\n   \n   ⚠️  CRITICAL: Insufficient disk space!"
+		msg += "\n   \n   [!!] CRITICAL: Insufficient disk space!"
 		msg += "\n   Operation blocked. Free up space before continuing."
 	} else if check.Warning {
-		msg += "\n   \n   ⚠️  WARNING: Low disk space!"
+		msg += "\n   \n   [!] WARNING: Low disk space!"
 		msg += "\n   Backup may fail if database is larger than estimated."
 	} else {
-		msg += "\n   \n   ✓ Sufficient space available"
+		msg += "\n   \n   [+] Sufficient space available"
 	}

 	return msg
 }
-
-// EstimateBackupSize estimates backup size based on database size
-func EstimateBackupSize(databaseSize uint64, compressionLevel int) uint64 {
-	// Typical compression ratios:
-	// Level 0 (no compression): 1.0x
-	// Level 1-3 (fast): 0.4-0.6x
-	// Level 4-6 (balanced): 0.3-0.4x
-	// Level 7-9 (best): 0.2-0.3x
-
-	var compressionRatio float64
-	if compressionLevel == 0 {
-		compressionRatio = 1.0
-	} else if compressionLevel <= 3 {
-		compressionRatio = 0.5
-	} else if compressionLevel <= 6 {
-		compressionRatio = 0.35
-	} else {
-		compressionRatio = 0.25
-	}
-
-	estimated := uint64(float64(databaseSize) * compressionRatio)
-
-	// Add 10% buffer for metadata, indexes, etc.
-	return uint64(float64(estimated) * 1.1)
-}
-
-
-
-
--- a/internal/checks/disk_check_bsd.go
+++ b/internal/checks/disk_check_bsd.go
@@ -75,16 +75,16 @@ func FormatDiskSpaceMessage(check *DiskSpaceCheck) string {

 	if check.Critical {
 		status = "CRITICAL"
-		icon = "❌"
+		icon = "[X]"
 	} else if check.Warning {
 		status = "WARNING"
-		icon = "⚠️ "
+		icon = "[!]"
 	} else {
 		status = "OK"
-		icon = "✓"
+		icon = "[+]"
 	}

-	msg := fmt.Sprintf(`📊 Disk Space Check (%s):
+	msg := fmt.Sprintf(`[DISK] Disk Space Check (%s):
   Path: %s
   Total: %s
   Available: %s (%.1f%% used)
@@ -98,13 +98,13 @@ func FormatDiskSpaceMessage(check *DiskSpaceCheck) string {
 		status)

 	if check.Critical {
-		msg += "\n   \n   ⚠️  CRITICAL: Insufficient disk space!"
+		msg += "\n   \n   [!!] CRITICAL: Insufficient disk space!"
 		msg += "\n   Operation blocked. Free up space before continuing."
 	} else if check.Warning {
-		msg += "\n   \n   ⚠️  WARNING: Low disk space!"
+		msg += "\n   \n   [!] WARNING: Low disk space!"
 		msg += "\n   Backup may fail if database is larger than estimated."
 	} else {
-		msg += "\n   \n   ✓ Sufficient space available"
+		msg += "\n   \n   [+] Sufficient space available"
 	}

 	return msg
--- a/internal/checks/disk_check_netbsd.go
+++ b/internal/checks/disk_check_netbsd.go
@@ -58,16 +58,16 @@ func FormatDiskSpaceMessage(check *DiskSpaceCheck) string {

 	if check.Critical {
 		status = "CRITICAL"
-		icon = "❌"
+		icon = "[X]"
 	} else if check.Warning {
 		status = "WARNING"
-		icon = "⚠️ "
+		icon = "[!]"
 	} else {
 		status = "OK"
-		icon = "✓"
+		icon = "[+]"
 	}

-	msg := fmt.Sprintf(`📊 Disk Space Check (%s):
+	msg := fmt.Sprintf(`[DISK] Disk Space Check (%s):
   Path: %s
   Total: %s
   Available: %s (%.1f%% used)
@@ -81,13 +81,13 @@ func FormatDiskSpaceMessage(check *DiskSpaceCheck) string {
 		status)

 	if check.Critical {
-		msg += "\n   \n   ⚠️  CRITICAL: Insufficient disk space!"
+		msg += "\n   \n   [!!] CRITICAL: Insufficient disk space!"
 		msg += "\n   Operation blocked. Free up space before continuing."
 	} else if check.Warning {
-		msg += "\n   \n   ⚠️  WARNING: Low disk space!"
+		msg += "\n   \n   [!] WARNING: Low disk space!"
 		msg += "\n   Backup may fail if database is larger than estimated."
 	} else {
-		msg += "\n   \n   ✓ Sufficient space available"
+		msg += "\n   \n   [+] Sufficient space available"
 	}

 	return msg
--- a/internal/checks/disk_check_windows.go
+++ b/internal/checks/disk_check_windows.go
@@ -94,16 +94,16 @@ func FormatDiskSpaceMessage(check *DiskSpaceCheck) string {

 	if check.Critical {
 		status = "CRITICAL"
-		icon = "❌"
+		icon = "[X]"
 	} else if check.Warning {
 		status = "WARNING"
-		icon = "⚠️ "
+		icon = "[!]"
 	} else {
 		status = "OK"
-		icon = "✓"
+		icon = "[+]"
 	}

-	msg := fmt.Sprintf(`📊 Disk Space Check (%s):
+	msg := fmt.Sprintf(`[DISK] Disk Space Check (%s):
   Path: %s
   Total: %s
   Available: %s (%.1f%% used)
@@ -117,15 +117,14 @@ func FormatDiskSpaceMessage(check *DiskSpaceCheck) string {
 		status)

 	if check.Critical {
-		msg += "\n   \n   ⚠️  CRITICAL: Insufficient disk space!"
+		msg += "\n   \n   [!!] CRITICAL: Insufficient disk space!"
 		msg += "\n   Operation blocked. Free up space before continuing."
 	} else if check.Warning {
-		msg += "\n   \n   ⚠️  WARNING: Low disk space!"
+		msg += "\n   \n   [!] WARNING: Low disk space!"
 		msg += "\n   Backup may fail if database is larger than estimated."
 	} else {
-		msg += "\n   \n   ✓ Sufficient space available"
+		msg += "\n   \n   [+] Sufficient space available"
 	}

 	return msg
 }
-
--- a/internal/checks/error_hints.go
+++ b/internal/checks/error_hints.go
@@ -68,8 +68,8 @@ func ClassifyError(errorMsg string) *ErrorClassification {
 			Type:     "critical",
 			Category: "locks",
 			Message:  errorMsg,
-			Hint:     "Lock table exhausted - typically caused by large objects in parallel restore",
-			Action:   "Increase max_locks_per_transaction in postgresql.conf to 512 or higher",
+			Hint:     "Lock table exhausted - typically caused by large objects (BLOBs) during restore",
+			Action:   "Option 1: Increase max_locks_per_transaction to 1024+ in postgresql.conf (requires restart). Option 2: Update dbbackup and retry - phased restore now auto-enabled for BLOB databases",
 			Severity: 2,
 		}
 	case "permission_denied":
@@ -142,8 +142,8 @@ func ClassifyError(errorMsg string) *ErrorClassification {
 			Type:     "critical",
 			Category: "locks",
 			Message:  errorMsg,
-			Hint:     "Lock table exhausted - typically caused by large objects in parallel restore",
-			Action:   "Increase max_locks_per_transaction in postgresql.conf to 512 or higher",
+			Hint:     "Lock table exhausted - typically caused by large objects (BLOBs) during restore",
+			Action:   "Option 1: Increase max_locks_per_transaction to 1024+ in postgresql.conf (requires restart). Option 2: Update dbbackup and retry - phased restore now auto-enabled for BLOB databases",
 			Severity: 2,
 		}
 	}
@@ -234,22 +234,22 @@ func FormatErrorWithHint(errorMsg string) string {
 	var icon string
 	switch classification.Type {
 	case "ignorable":
-		icon = "ℹ️ "
+		icon = "[i]"
 	case "warning":
-		icon = "⚠️ "
+		icon = "[!]"
 	case "critical":
-		icon = "❌"
+		icon = "[X]"
 	case "fatal":
-		icon = "🛑"
+		icon = "[!!]"
 	default:
-		icon = "⚠️ "
+		icon = "[!]"
 	}

 	output := fmt.Sprintf("%s %s Error\n\n", icon, strings.ToUpper(classification.Type))
 	output += fmt.Sprintf("Category: %s\n", classification.Category)
 	output += fmt.Sprintf("Message: %s\n\n", classification.Message)
-	output += fmt.Sprintf("💡 Hint: %s\n\n", classification.Hint)
-	output += fmt.Sprintf("🔧 Action: %s\n", classification.Action)
+	output += fmt.Sprintf("[HINT] Hint: %s\n\n", classification.Hint)
+	output += fmt.Sprintf("[ACTION] Action: %s\n", classification.Action)

 	return output
 }
@@ -257,7 +257,7 @@ func FormatErrorWithHint(errorMsg string) string {
 // FormatMultipleErrors formats multiple errors with classification
 func FormatMultipleErrors(errors []string) string {
 	if len(errors) == 0 {
-		return "✓ No errors"
+		return "[+] No errors"
 	}

 	ignorable := 0
@@ -285,22 +285,22 @@ func FormatMultipleErrors(errors []string) string {
 		}
 	}

-	output := "📊 Error Summary:\n\n"
+	output := "[SUMMARY] Error Summary:\n\n"
 	if ignorable > 0 {
-		output += fmt.Sprintf("   ℹ️  %d ignorable (objects already exist)\n", ignorable)
+		output += fmt.Sprintf("   [i] %d ignorable (objects already exist)\n", ignorable)
 	}
 	if warnings > 0 {
-		output += fmt.Sprintf("   ⚠️  %d warnings\n", warnings)
+		output += fmt.Sprintf("   [!] %d warnings\n", warnings)
 	}
 	if critical > 0 {
-		output += fmt.Sprintf("   ❌ %d critical errors\n", critical)
+		output += fmt.Sprintf("   [X] %d critical errors\n", critical)
 	}
 	if fatal > 0 {
-		output += fmt.Sprintf("   🛑 %d fatal errors\n", fatal)
+		output += fmt.Sprintf("   [!!] %d fatal errors\n", fatal)
 	}

 	if len(criticalErrors) > 0 {
-		output += "\n📝 Critical Issues:\n\n"
+		output += "\n[CRITICAL] Critical Issues:\n\n"
 		for i, err := range criticalErrors {
 			class := ClassifyError(err)
 			output += fmt.Sprintf("%d. %s\n", i+1, class.Hint)
--- a/internal/checks/estimate.go
+++ b/internal/checks/estimate.go
@@ -0,0 +1,26 @@
+package checks
+
+// EstimateBackupSize estimates backup size based on database size
+func EstimateBackupSize(databaseSize uint64, compressionLevel int) uint64 {
+	// Typical compression ratios:
+	// Level 0 (no compression): 1.0x
+	// Level 1-3 (fast): 0.4-0.6x
+	// Level 4-6 (balanced): 0.3-0.4x
+	// Level 7-9 (best): 0.2-0.3x
+
+	var compressionRatio float64
+	if compressionLevel == 0 {
+		compressionRatio = 1.0
+	} else if compressionLevel <= 3 {
+		compressionRatio = 0.5
+	} else if compressionLevel <= 6 {
+		compressionRatio = 0.35
+	} else {
+		compressionRatio = 0.25
+	}
+
+	estimated := uint64(float64(databaseSize) * compressionRatio)
+
+	// Add 10% buffer for metadata, indexes, etc.
+	return uint64(float64(estimated) * 1.1)
+}
--- a/internal/checks/preflight.go
+++ b/internal/checks/preflight.go
@@ -0,0 +1,545 @@
+package checks
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strings"
+
+	"dbbackup/internal/config"
+	"dbbackup/internal/database"
+	"dbbackup/internal/logger"
+)
+
+// PreflightCheck represents a single preflight check result
+type PreflightCheck struct {
+	Name    string
+	Status  CheckStatus
+	Message string
+	Details string
+}
+
+// CheckStatus represents the status of a preflight check
+type CheckStatus int
+
+const (
+	StatusPassed CheckStatus = iota
+	StatusWarning
+	StatusFailed
+	StatusSkipped
+)
+
+func (s CheckStatus) String() string {
+	switch s {
+	case StatusPassed:
+		return "PASSED"
+	case StatusWarning:
+		return "WARNING"
+	case StatusFailed:
+		return "FAILED"
+	case StatusSkipped:
+		return "SKIPPED"
+	default:
+		return "UNKNOWN"
+	}
+}
+
+func (s CheckStatus) Icon() string {
+	switch s {
+	case StatusPassed:
+		return "[+]"
+	case StatusWarning:
+		return "[!]"
+	case StatusFailed:
+		return "[-]"
+	case StatusSkipped:
+		return "[ ]"
+	default:
+		return "[?]"
+	}
+}
+
+// PreflightResult contains all preflight check results
+type PreflightResult struct {
+	Checks        []PreflightCheck
+	AllPassed     bool
+	HasWarnings   bool
+	FailureCount  int
+	WarningCount  int
+	DatabaseInfo  *DatabaseInfo
+	StorageInfo   *StorageInfo
+	EstimatedSize uint64
+}
+
+// DatabaseInfo contains database connection details
+type DatabaseInfo struct {
+	Type    string
+	Version string
+	Host    string
+	Port    int
+	User    string
+}
+
+// StorageInfo contains storage target details
+type StorageInfo struct {
+	Type           string // "local" or "cloud"
+	Path           string
+	AvailableBytes uint64
+	TotalBytes     uint64
+}
+
+// PreflightChecker performs preflight checks before backup operations
+type PreflightChecker struct {
+	cfg *config.Config
+	log logger.Logger
+	db  database.Database
+}
+
+// NewPreflightChecker creates a new preflight checker
+func NewPreflightChecker(cfg *config.Config, log logger.Logger) *PreflightChecker {
+	return &PreflightChecker{
+		cfg: cfg,
+		log: log,
+	}
+}
+
+// RunAllChecks runs all preflight checks for a backup operation
+func (p *PreflightChecker) RunAllChecks(ctx context.Context, dbName string) (*PreflightResult, error) {
+	result := &PreflightResult{
+		Checks:    make([]PreflightCheck, 0),
+		AllPassed: true,
+	}
+
+	// 1. Database connectivity check
+	dbCheck := p.checkDatabaseConnectivity(ctx)
+	result.Checks = append(result.Checks, dbCheck)
+	if dbCheck.Status == StatusFailed {
+		result.AllPassed = false
+		result.FailureCount++
+	}
+
+	// Extract database info if connection succeeded
+	if dbCheck.Status == StatusPassed && p.db != nil {
+		version, _ := p.db.GetVersion(ctx)
+		result.DatabaseInfo = &DatabaseInfo{
+			Type:    p.cfg.DisplayDatabaseType(),
+			Version: version,
+			Host:    p.cfg.Host,
+			Port:    p.cfg.Port,
+			User:    p.cfg.User,
+		}
+	}
+
+	// 2. Required tools check
+	toolsCheck := p.checkRequiredTools()
+	result.Checks = append(result.Checks, toolsCheck)
+	if toolsCheck.Status == StatusFailed {
+		result.AllPassed = false
+		result.FailureCount++
+	}
+
+	// 3. Storage target check
+	storageCheck := p.checkStorageTarget()
+	result.Checks = append(result.Checks, storageCheck)
+	if storageCheck.Status == StatusFailed {
+		result.AllPassed = false
+		result.FailureCount++
+	} else if storageCheck.Status == StatusWarning {
+		result.HasWarnings = true
+		result.WarningCount++
+	}
+
+	// Extract storage info
+	diskCheck := CheckDiskSpace(p.cfg.BackupDir)
+	result.StorageInfo = &StorageInfo{
+		Type:           "local",
+		Path:           p.cfg.BackupDir,
+		AvailableBytes: diskCheck.AvailableBytes,
+		TotalBytes:     diskCheck.TotalBytes,
+	}
+
+	// 4. Backup size estimation
+	sizeCheck := p.estimateBackupSize(ctx, dbName)
+	result.Checks = append(result.Checks, sizeCheck)
+	if sizeCheck.Status == StatusFailed {
+		result.AllPassed = false
+		result.FailureCount++
+	} else if sizeCheck.Status == StatusWarning {
+		result.HasWarnings = true
+		result.WarningCount++
+	}
+
+	// 5. Encryption configuration check (if enabled)
+	if p.cfg.CloudEnabled || os.Getenv("DBBACKUP_ENCRYPTION_KEY") != "" {
+		encCheck := p.checkEncryptionConfig()
+		result.Checks = append(result.Checks, encCheck)
+		if encCheck.Status == StatusFailed {
+			result.AllPassed = false
+			result.FailureCount++
+		}
+	}
+
+	// 6. Cloud storage check (if enabled)
+	if p.cfg.CloudEnabled {
+		cloudCheck := p.checkCloudStorage(ctx)
+		result.Checks = append(result.Checks, cloudCheck)
+		if cloudCheck.Status == StatusFailed {
+			result.AllPassed = false
+			result.FailureCount++
+		}
+
+		// Update storage info
+		result.StorageInfo.Type = "cloud"
+		result.StorageInfo.Path = fmt.Sprintf("%s://%s/%s", p.cfg.CloudProvider, p.cfg.CloudBucket, p.cfg.CloudPrefix)
+	}
+
+	// 7. Permissions check
+	permCheck := p.checkPermissions()
+	result.Checks = append(result.Checks, permCheck)
+	if permCheck.Status == StatusFailed {
+		result.AllPassed = false
+		result.FailureCount++
+	}
+
+	return result, nil
+}
+
+// checkDatabaseConnectivity verifies database connection
+func (p *PreflightChecker) checkDatabaseConnectivity(ctx context.Context) PreflightCheck {
+	check := PreflightCheck{
+		Name: "Database Connection",
+	}
+
+	// Create database connection
+	db, err := database.New(p.cfg, p.log)
+	if err != nil {
+		check.Status = StatusFailed
+		check.Message = "Failed to create database instance"
+		check.Details = err.Error()
+		return check
+	}
+
+	// Connect
+	if err := db.Connect(ctx); err != nil {
+		check.Status = StatusFailed
+		check.Message = "Connection failed"
+		check.Details = fmt.Sprintf("Cannot connect to %s@%s:%d - %s",
+			p.cfg.User, p.cfg.Host, p.cfg.Port, err.Error())
+		return check
+	}
+
+	// Ping
+	if err := db.Ping(ctx); err != nil {
+		check.Status = StatusFailed
+		check.Message = "Ping failed"
+		check.Details = err.Error()
+		db.Close()
+		return check
+	}
+
+	// Get version
+	version, err := db.GetVersion(ctx)
+	if err != nil {
+		version = "unknown"
+	}
+
+	p.db = db
+	check.Status = StatusPassed
+	check.Message = fmt.Sprintf("OK (%s %s)", p.cfg.DisplayDatabaseType(), version)
+	check.Details = fmt.Sprintf("Connected to %s@%s:%d", p.cfg.User, p.cfg.Host, p.cfg.Port)
+
+	return check
+}
+
+// checkRequiredTools verifies backup tools are available
+func (p *PreflightChecker) checkRequiredTools() PreflightCheck {
+	check := PreflightCheck{
+		Name: "Required Tools",
+	}
+
+	var requiredTools []string
+	if p.cfg.IsPostgreSQL() {
+		requiredTools = []string{"pg_dump", "pg_dumpall"}
+	} else if p.cfg.IsMySQL() {
+		requiredTools = []string{"mysqldump"}
+	}
+
+	var found []string
+	var missing []string
+	var versions []string
+
+	for _, tool := range requiredTools {
+		path, err := exec.LookPath(tool)
+		if err != nil {
+			missing = append(missing, tool)
+		} else {
+			found = append(found, tool)
+			// Try to get version
+			version := getToolVersion(tool)
+			if version != "" {
+				versions = append(versions, fmt.Sprintf("%s %s", tool, version))
+			}
+		}
+		_ = path // silence unused
+	}
+
+	if len(missing) > 0 {
+		check.Status = StatusFailed
+		check.Message = fmt.Sprintf("Missing tools: %s", strings.Join(missing, ", "))
+		check.Details = "Install required database tools and ensure they're in PATH"
+		return check
+	}
+
+	check.Status = StatusPassed
+	check.Message = fmt.Sprintf("%s found", strings.Join(found, ", "))
+	if len(versions) > 0 {
+		check.Details = strings.Join(versions, "; ")
+	}
+
+	return check
+}
+
+// checkStorageTarget verifies backup directory is writable
+func (p *PreflightChecker) checkStorageTarget() PreflightCheck {
+	check := PreflightCheck{
+		Name: "Storage Target",
+	}
+
+	backupDir := p.cfg.BackupDir
+
+	// Check if directory exists
+	info, err := os.Stat(backupDir)
+	if os.IsNotExist(err) {
+		// Try to create it
+		if err := os.MkdirAll(backupDir, 0755); err != nil {
+			check.Status = StatusFailed
+			check.Message = "Cannot create backup directory"
+			check.Details = err.Error()
+			return check
+		}
+	} else if err != nil {
+		check.Status = StatusFailed
+		check.Message = "Cannot access backup directory"
+		check.Details = err.Error()
+		return check
+	} else if !info.IsDir() {
+		check.Status = StatusFailed
+		check.Message = "Backup path is not a directory"
+		check.Details = backupDir
+		return check
+	}
+
+	// Check disk space
+	diskCheck := CheckDiskSpace(backupDir)
+
+	if diskCheck.Critical {
+		check.Status = StatusFailed
+		check.Message = "Insufficient disk space"
+		check.Details = fmt.Sprintf("%s available (%.1f%% used)",
+			formatBytes(diskCheck.AvailableBytes), diskCheck.UsedPercent)
+		return check
+	}
+
+	if diskCheck.Warning {
+		check.Status = StatusWarning
+		check.Message = fmt.Sprintf("%s (%s available, low space warning)",
+			backupDir, formatBytes(diskCheck.AvailableBytes))
+		check.Details = fmt.Sprintf("%.1f%% disk usage", diskCheck.UsedPercent)
+		return check
+	}
+
+	check.Status = StatusPassed
+	check.Message = fmt.Sprintf("%s (%s available)", backupDir, formatBytes(diskCheck.AvailableBytes))
+	check.Details = fmt.Sprintf("%.1f%% used", diskCheck.UsedPercent)
+
+	return check
+}
+
+// estimateBackupSize estimates the backup size
+func (p *PreflightChecker) estimateBackupSize(ctx context.Context, dbName string) PreflightCheck {
+	check := PreflightCheck{
+		Name: "Estimated Backup Size",
+	}
+
+	if p.db == nil {
+		check.Status = StatusSkipped
+		check.Message = "Skipped (no database connection)"
+		return check
+	}
+
+	// Get database size
+	var dbSize int64
+	var err error
+
+	if dbName != "" {
+		dbSize, err = p.db.GetDatabaseSize(ctx, dbName)
+	} else {
+		// For cluster backup, we'd need to sum all databases
+		// For now, just use the default database
+		dbSize, err = p.db.GetDatabaseSize(ctx, p.cfg.Database)
+	}
+
+	if err != nil {
+		check.Status = StatusSkipped
+		check.Message = "Could not estimate size"
+		check.Details = err.Error()
+		return check
+	}
+
+	// Estimate compressed size
+	estimatedSize := EstimateBackupSize(uint64(dbSize), p.cfg.CompressionLevel)
+
+	// Check if we have enough space
+	diskCheck := CheckDiskSpace(p.cfg.BackupDir)
+	if diskCheck.AvailableBytes < estimatedSize*2 { // 2x buffer
+		check.Status = StatusWarning
+		check.Message = fmt.Sprintf("~%s (may not fit)", formatBytes(estimatedSize))
+		check.Details = fmt.Sprintf("Only %s available, need ~%s with safety margin",
+			formatBytes(diskCheck.AvailableBytes), formatBytes(estimatedSize*2))
+		return check
+	}
+
+	check.Status = StatusPassed
+	check.Message = fmt.Sprintf("~%s (from %s database)",
+		formatBytes(estimatedSize), formatBytes(uint64(dbSize)))
+	check.Details = fmt.Sprintf("Compression level %d", p.cfg.CompressionLevel)
+
+	return check
+}
+
+// checkEncryptionConfig verifies encryption setup
+func (p *PreflightChecker) checkEncryptionConfig() PreflightCheck {
+	check := PreflightCheck{
+		Name: "Encryption",
+	}
+
+	// Check for encryption key
+	key := os.Getenv("DBBACKUP_ENCRYPTION_KEY")
+	if key == "" {
+		check.Status = StatusSkipped
+		check.Message = "Not configured"
+		check.Details = "Set DBBACKUP_ENCRYPTION_KEY to enable encryption"
+		return check
+	}
+
+	// Validate key length (should be at least 16 characters for AES)
+	if len(key) < 16 {
+		check.Status = StatusFailed
+		check.Message = "Encryption key too short"
+		check.Details = "Key must be at least 16 characters (32 recommended for AES-256)"
+		return check
+	}
+
+	check.Status = StatusPassed
+	check.Message = "AES-256 configured"
+	check.Details = fmt.Sprintf("Key length: %d characters", len(key))
+
+	return check
+}
+
+// checkCloudStorage verifies cloud storage access
+func (p *PreflightChecker) checkCloudStorage(ctx context.Context) PreflightCheck {
+	check := PreflightCheck{
+		Name: "Cloud Storage",
+	}
+
+	if !p.cfg.CloudEnabled {
+		check.Status = StatusSkipped
+		check.Message = "Not configured"
+		return check
+	}
+
+	// Check required cloud configuration
+	if p.cfg.CloudBucket == "" {
+		check.Status = StatusFailed
+		check.Message = "No bucket configured"
+		check.Details = "Set --cloud-bucket or use --cloud URI"
+		return check
+	}
+
+	if p.cfg.CloudProvider == "" {
+		check.Status = StatusFailed
+		check.Message = "No provider configured"
+		check.Details = "Set --cloud-provider (s3, minio, azure, gcs)"
+		return check
+	}
+
+	// Note: Actually testing cloud connectivity would require initializing the cloud backend
+	// For now, just validate configuration is present
+	check.Status = StatusPassed
+	check.Message = fmt.Sprintf("%s://%s configured", p.cfg.CloudProvider, p.cfg.CloudBucket)
+	if p.cfg.CloudPrefix != "" {
+		check.Details = fmt.Sprintf("Prefix: %s", p.cfg.CloudPrefix)
+	}
+
+	return check
+}
+
+// checkPermissions verifies write permissions
+func (p *PreflightChecker) checkPermissions() PreflightCheck {
+	check := PreflightCheck{
+		Name: "Write Permissions",
+	}
+
+	// Try to create a test file
+	testFile := filepath.Join(p.cfg.BackupDir, ".dbbackup_preflight_test")
+	f, err := os.Create(testFile)
+	if err != nil {
+		check.Status = StatusFailed
+		check.Message = "Cannot write to backup directory"
+		check.Details = err.Error()
+		return check
+	}
+	f.Close()
+	os.Remove(testFile)
+
+	check.Status = StatusPassed
+	check.Message = "OK"
+	check.Details = fmt.Sprintf("Can write to %s", p.cfg.BackupDir)
+
+	return check
+}
+
+// Close closes any resources (like database connection)
+func (p *PreflightChecker) Close() error {
+	if p.db != nil {
+		return p.db.Close()
+	}
+	return nil
+}
+
+// getToolVersion tries to get the version of a command-line tool
+func getToolVersion(tool string) string {
+	var cmd *exec.Cmd
+
+	switch tool {
+	case "pg_dump", "pg_dumpall", "pg_restore", "psql":
+		cmd = exec.Command(tool, "--version")
+	case "mysqldump", "mysql":
+		cmd = exec.Command(tool, "--version")
+	default:
+		return ""
+	}
+
+	output, err := cmd.Output()
+	if err != nil {
+		return ""
+	}
+
+	// Extract version from output
+	line := strings.TrimSpace(string(output))
+	// Usually format is "tool (PostgreSQL) X.Y.Z" or "tool Ver X.Y.Z"
+	parts := strings.Fields(line)
+	if len(parts) >= 3 {
+		// Try to find version number
+		for _, part := range parts {
+			if len(part) > 0 && (part[0] >= '0' && part[0] <= '9') {
+				return part
+			}
+		}
+	}
+
+	return ""
+}
--- a/internal/checks/preflight_test.go
+++ b/internal/checks/preflight_test.go
@@ -0,0 +1,134 @@
+package checks
+
+import (
+	"testing"
+)
+
+func TestPreflightResult(t *testing.T) {
+	result := &PreflightResult{
+		Checks:    []PreflightCheck{},
+		AllPassed: true,
+		DatabaseInfo: &DatabaseInfo{
+			Type:    "postgres",
+			Version: "PostgreSQL 15.0",
+			Host:    "localhost",
+			Port:    5432,
+			User:    "postgres",
+		},
+		StorageInfo: &StorageInfo{
+			Type:           "local",
+			Path:           "/backups",
+			AvailableBytes: 10 * 1024 * 1024 * 1024,
+			TotalBytes:     100 * 1024 * 1024 * 1024,
+		},
+		EstimatedSize: 1 * 1024 * 1024 * 1024,
+	}
+
+	if !result.AllPassed {
+		t.Error("Result should be AllPassed")
+	}
+
+	if result.DatabaseInfo.Type != "postgres" {
+		t.Errorf("DatabaseInfo.Type = %q, expected postgres", result.DatabaseInfo.Type)
+	}
+
+	if result.StorageInfo.Path != "/backups" {
+		t.Errorf("StorageInfo.Path = %q, expected /backups", result.StorageInfo.Path)
+	}
+}
+
+func TestPreflightCheck(t *testing.T) {
+	check := PreflightCheck{
+		Name:    "Database Connectivity",
+		Status:  StatusPassed,
+		Message: "Connected successfully",
+		Details: "PostgreSQL 15.0",
+	}
+
+	if check.Status != StatusPassed {
+		t.Error("Check status should be passed")
+	}
+
+	if check.Name != "Database Connectivity" {
+		t.Errorf("Check name = %q", check.Name)
+	}
+}
+
+func TestCheckStatusString(t *testing.T) {
+	tests := []struct {
+		status   CheckStatus
+		expected string
+	}{
+		{StatusPassed, "PASSED"},
+		{StatusFailed, "FAILED"},
+		{StatusWarning, "WARNING"},
+		{StatusSkipped, "SKIPPED"},
+	}
+
+	for _, tc := range tests {
+		result := tc.status.String()
+		if result != tc.expected {
+			t.Errorf("Status.String() = %q, expected %q", result, tc.expected)
+		}
+	}
+}
+
+func TestFormatPreflightReport(t *testing.T) {
+	result := &PreflightResult{
+		Checks: []PreflightCheck{
+			{Name: "Test Check", Status: StatusPassed, Message: "OK"},
+		},
+		AllPassed: true,
+		DatabaseInfo: &DatabaseInfo{
+			Type:    "postgres",
+			Version: "PostgreSQL 15.0",
+			Host:    "localhost",
+			Port:    5432,
+		},
+		StorageInfo: &StorageInfo{
+			Type:           "local",
+			Path:           "/backups",
+			AvailableBytes: 10 * 1024 * 1024 * 1024,
+		},
+	}
+
+	report := FormatPreflightReport(result, "testdb", false)
+	if report == "" {
+		t.Error("Report should not be empty")
+	}
+}
+
+func TestFormatPreflightReportPlain(t *testing.T) {
+	result := &PreflightResult{
+		Checks: []PreflightCheck{
+			{Name: "Test Check", Status: StatusFailed, Message: "Connection failed"},
+		},
+		AllPassed:    false,
+		FailureCount: 1,
+	}
+
+	report := FormatPreflightReportPlain(result, "testdb")
+	if report == "" {
+		t.Error("Report should not be empty")
+	}
+}
+
+func TestFormatPreflightReportJSON(t *testing.T) {
+	result := &PreflightResult{
+		Checks:    []PreflightCheck{},
+		AllPassed: true,
+	}
+
+	report, err := FormatPreflightReportJSON(result, "testdb")
+	if err != nil {
+		t.Errorf("FormatPreflightReportJSON() error = %v", err)
+	}
+
+	if len(report) == 0 {
+		t.Error("Report should not be empty")
+	}
+
+	if report[0] != '{' {
+		t.Error("Report should start with '{'")
+	}
+}
--- a/internal/checks/report.go
+++ b/internal/checks/report.go
@@ -0,0 +1,184 @@
+package checks
+
+import (
+	"encoding/json"
+	"fmt"
+	"strings"
+)
+
+// FormatPreflightReport formats preflight results for display
+func FormatPreflightReport(result *PreflightResult, dbName string, verbose bool) string {
+	var sb strings.Builder
+
+	sb.WriteString("\n")
+	sb.WriteString("+==============================================================+\n")
+	sb.WriteString("|             [DRY RUN] Preflight Check Results                |\n")
+	sb.WriteString("+==============================================================+\n")
+	sb.WriteString("\n")
+
+	// Database info
+	if result.DatabaseInfo != nil {
+		sb.WriteString(fmt.Sprintf("  Database: %s %s\n", result.DatabaseInfo.Type, result.DatabaseInfo.Version))
+		sb.WriteString(fmt.Sprintf("  Target:   %s@%s:%d",
+			result.DatabaseInfo.User, result.DatabaseInfo.Host, result.DatabaseInfo.Port))
+		if dbName != "" {
+			sb.WriteString(fmt.Sprintf("/%s", dbName))
+		}
+		sb.WriteString("\n\n")
+	}
+
+	// Check results
+	sb.WriteString("  Checks:\n")
+	sb.WriteString("  --------------------------------------------------------------\n")
+
+	for _, check := range result.Checks {
+		icon := check.Status.Icon()
+		color := getStatusColor(check.Status)
+		reset := "\033[0m"
+
+		sb.WriteString(fmt.Sprintf("  %s%s%s %-25s %s\n",
+			color, icon, reset, check.Name+":", check.Message))
+
+		if verbose && check.Details != "" {
+			sb.WriteString(fmt.Sprintf("      +- %s\n", check.Details))
+		}
+	}
+
+	sb.WriteString("  --------------------------------------------------------------\n")
+	sb.WriteString("\n")
+
+	// Summary
+	if result.AllPassed {
+		if result.HasWarnings {
+			sb.WriteString("  [!] All checks passed with warnings\n")
+			sb.WriteString("\n")
+			sb.WriteString("  Ready to backup. Remove --dry-run to execute.\n")
+		} else {
+			sb.WriteString("  [OK] All checks passed\n")
+			sb.WriteString("\n")
+			sb.WriteString("  Ready to backup. Remove --dry-run to execute.\n")
+		}
+	} else {
+		sb.WriteString(fmt.Sprintf("  [FAIL] %d check(s) failed\n", result.FailureCount))
+		sb.WriteString("\n")
+		sb.WriteString("  Fix the issues above before running backup.\n")
+	}
+
+	sb.WriteString("\n")
+
+	return sb.String()
+}
+
+// FormatPreflightReportPlain formats preflight results without colors
+func FormatPreflightReportPlain(result *PreflightResult, dbName string) string {
+	var sb strings.Builder
+
+	sb.WriteString("\n")
+	sb.WriteString("[DRY RUN] Preflight Check Results\n")
+	sb.WriteString("==================================\n")
+	sb.WriteString("\n")
+
+	// Database info
+	if result.DatabaseInfo != nil {
+		sb.WriteString(fmt.Sprintf("Database: %s %s\n", result.DatabaseInfo.Type, result.DatabaseInfo.Version))
+		sb.WriteString(fmt.Sprintf("Target:   %s@%s:%d",
+			result.DatabaseInfo.User, result.DatabaseInfo.Host, result.DatabaseInfo.Port))
+		if dbName != "" {
+			sb.WriteString(fmt.Sprintf("/%s", dbName))
+		}
+		sb.WriteString("\n\n")
+	}
+
+	// Check results
+	sb.WriteString("Checks:\n")
+
+	for _, check := range result.Checks {
+		status := fmt.Sprintf("[%s]", check.Status.String())
+		sb.WriteString(fmt.Sprintf("  %-10s %-25s %s\n", status, check.Name+":", check.Message))
+		if check.Details != "" {
+			sb.WriteString(fmt.Sprintf("             +- %s\n", check.Details))
+		}
+	}
+
+	sb.WriteString("\n")
+
+	// Summary
+	if result.AllPassed {
+		sb.WriteString("Result: READY\n")
+		sb.WriteString("Remove --dry-run to execute backup.\n")
+	} else {
+		sb.WriteString(fmt.Sprintf("Result: FAILED (%d issues)\n", result.FailureCount))
+		sb.WriteString("Fix the issues above before running backup.\n")
+	}
+
+	sb.WriteString("\n")
+
+	return sb.String()
+}
+
+// FormatPreflightReportJSON formats preflight results as JSON
+func FormatPreflightReportJSON(result *PreflightResult, dbName string) ([]byte, error) {
+	type CheckJSON struct {
+		Name    string `json:"name"`
+		Status  string `json:"status"`
+		Message string `json:"message"`
+		Details string `json:"details,omitempty"`
+	}
+
+	type ReportJSON struct {
+		DryRun       bool          `json:"dry_run"`
+		AllPassed    bool          `json:"all_passed"`
+		HasWarnings  bool          `json:"has_warnings"`
+		FailureCount int           `json:"failure_count"`
+		WarningCount int           `json:"warning_count"`
+		Database     *DatabaseInfo `json:"database,omitempty"`
+		Storage      *StorageInfo  `json:"storage,omitempty"`
+		TargetDB     string        `json:"target_database,omitempty"`
+		Checks       []CheckJSON   `json:"checks"`
+	}
+
+	report := ReportJSON{
+		DryRun:       true,
+		AllPassed:    result.AllPassed,
+		HasWarnings:  result.HasWarnings,
+		FailureCount: result.FailureCount,
+		WarningCount: result.WarningCount,
+		Database:     result.DatabaseInfo,
+		Storage:      result.StorageInfo,
+		TargetDB:     dbName,
+		Checks:       make([]CheckJSON, len(result.Checks)),
+	}
+
+	for i, check := range result.Checks {
+		report.Checks[i] = CheckJSON{
+			Name:    check.Name,
+			Status:  check.Status.String(),
+			Message: check.Message,
+			Details: check.Details,
+		}
+	}
+
+	// Use standard library json encoding
+	return marshalJSON(report)
+}
+
+// marshalJSON is a simple JSON marshaler
+func marshalJSON(v interface{}) ([]byte, error) {
+	return json.MarshalIndent(v, "", "  ")
+}
+
+// getStatusColor returns ANSI color code for status
+func getStatusColor(status CheckStatus) string {
+	switch status {
+	case StatusPassed:
+		return "\033[32m" // Green
+	case StatusWarning:
+		return "\033[33m" // Yellow
+	case StatusFailed:
+		return "\033[31m" // Red
+	case StatusSkipped:
+		return "\033[90m" // Gray
+	default:
+		return ""
+	}
+}
--- a/internal/cleanup/processes.go
+++ b/internal/cleanup/processes.go
@@ -12,6 +12,7 @@ import (
 	"strings"
 	"sync"
 	"syscall"
+	"time"

 	"dbbackup/internal/logger"
 )
@@ -116,8 +117,11 @@ func KillOrphanedProcesses(log logger.Logger) error {

 // findProcessesByName returns PIDs of processes matching the given name
 func findProcessesByName(name string, excludePID int) ([]int, error) {
-	// Use pgrep for efficient process searching
-	cmd := exec.Command("pgrep", "-x", name)
+	// Use pgrep for efficient process searching with timeout
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	defer cancel()
+
+	cmd := exec.CommandContext(ctx, "pgrep", "-x", name)
 	output, err := cmd.Output()
 	if err != nil {
 		// Exit code 1 means no processes found (not an error)
--- a/internal/cloud/azure.go
+++ b/internal/cloud/azure.go
@@ -90,7 +90,7 @@ func NewAzureBackend(cfg *Config) (*AzureBackend, error) {
 			}
 		} else {
 			// Use default Azure credential (managed identity, environment variables, etc.)
-			return nil, fmt.Errorf("Azure authentication requires account name and key, or use AZURE_STORAGE_CONNECTION_STRING environment variable")
+			return nil, fmt.Errorf("azure authentication requires account name and key, or use AZURE_STORAGE_CONNECTION_STRING environment variable")
 		}
 	}

@@ -151,8 +151,14 @@ func (a *AzureBackend) Upload(ctx context.Context, localPath, remotePath string,
 	return a.uploadSimple(ctx, file, blobName, fileSize, progress)
 }

-// uploadSimple uploads a file using simple upload (single request)
+// uploadSimple uploads a file using simple upload (single request) with retry
 func (a *AzureBackend) uploadSimple(ctx context.Context, file *os.File, blobName string, fileSize int64, progress ProgressCallback) error {
+	return RetryOperationWithNotify(ctx, DefaultRetryConfig(), func() error {
+		// Reset file position for retry
+		if _, err := file.Seek(0, 0); err != nil {
+			return fmt.Errorf("failed to reset file position: %w", err)
+		}
+
 		blockBlobClient := a.client.ServiceClient().NewContainerClient(a.containerName).NewBlockBlobClient(blobName)

 		// Wrap reader with progress tracking
@@ -182,6 +188,9 @@ func (a *AzureBackend) uploadSimple(ctx context.Context, file *os.File, blobName
 		}

 		return nil
+	}, func(err error, duration time.Duration) {
+		fmt.Printf("[Azure] Upload retry in %v: %v\n", duration, err)
+	})
 }

 // uploadBlocks uploads a file using block blob staging (for large files)
@@ -251,7 +260,7 @@ func (a *AzureBackend) uploadBlocks(ctx context.Context, file *os.File, blobName
 	return nil
 }

-// Download downloads a file from Azure Blob Storage
+// Download downloads a file from Azure Blob Storage with retry
 func (a *AzureBackend) Download(ctx context.Context, remotePath, localPath string, progress ProgressCallback) error {
 	blobName := strings.TrimPrefix(remotePath, "/")
 	blockBlobClient := a.client.ServiceClient().NewContainerClient(a.containerName).NewBlockBlobClient(blobName)
@@ -264,6 +273,7 @@ func (a *AzureBackend) Download(ctx context.Context, remotePath, localPath strin

 	fileSize := *props.ContentLength

+	return RetryOperationWithNotify(ctx, DefaultRetryConfig(), func() error {
 		// Download blob
 		resp, err := blockBlobClient.DownloadStream(ctx, nil)
 		if err != nil {
@@ -271,7 +281,7 @@ func (a *AzureBackend) Download(ctx context.Context, remotePath, localPath strin
 		}
 		defer resp.Body.Close()

-	// Create local file
+		// Create/truncate local file
 		file, err := os.Create(localPath)
 		if err != nil {
 			return fmt.Errorf("failed to create file: %w", err)
@@ -288,6 +298,9 @@ func (a *AzureBackend) Download(ctx context.Context, remotePath, localPath strin
 		}

 		return nil
+	}, func(err error, duration time.Duration) {
+		fmt.Printf("[Azure] Download retry in %v: %v\n", duration, err)
+	})
 }

 // Delete deletes a file from Azure Blob Storage
--- a/internal/cloud/gcs.go
+++ b/internal/cloud/gcs.go
@@ -89,7 +89,7 @@ func (g *GCSBackend) Name() string {
 	return "gcs"
 }

-// Upload uploads a file to Google Cloud Storage
+// Upload uploads a file to Google Cloud Storage with retry
 func (g *GCSBackend) Upload(ctx context.Context, localPath, remotePath string, progress ProgressCallback) error {
 	file, err := os.Open(localPath)
 	if err != nil {
@@ -106,6 +106,12 @@ func (g *GCSBackend) Upload(ctx context.Context, localPath, remotePath string, p
 	// Remove leading slash from remote path
 	objectName := strings.TrimPrefix(remotePath, "/")

+	return RetryOperationWithNotify(ctx, DefaultRetryConfig(), func() error {
+		// Reset file position for retry
+		if _, err := file.Seek(0, 0); err != nil {
+			return fmt.Errorf("failed to reset file position: %w", err)
+		}
+
 		bucket := g.client.Bucket(g.bucketName)
 		object := bucket.Object(objectName)

@@ -142,9 +148,12 @@ func (g *GCSBackend) Upload(ctx context.Context, localPath, remotePath string, p
 		}

 		return nil
+	}, func(err error, duration time.Duration) {
+		fmt.Printf("[GCS] Upload retry in %v: %v\n", duration, err)
+	})
 }

-// Download downloads a file from Google Cloud Storage
+// Download downloads a file from Google Cloud Storage with retry
 func (g *GCSBackend) Download(ctx context.Context, remotePath, localPath string, progress ProgressCallback) error {
 	objectName := strings.TrimPrefix(remotePath, "/")

@@ -159,6 +168,7 @@ func (g *GCSBackend) Download(ctx context.Context, remotePath, localPath string,

 	fileSize := attrs.Size

+	return RetryOperationWithNotify(ctx, DefaultRetryConfig(), func() error {
 		// Create reader
 		reader, err := object.NewReader(ctx)
 		if err != nil {
@@ -166,7 +176,7 @@ func (g *GCSBackend) Download(ctx context.Context, remotePath, localPath string,
 		}
 		defer reader.Close()

-	// Create local file
+		// Create/truncate local file
 		file, err := os.Create(localPath)
 		if err != nil {
 			return fmt.Errorf("failed to create file: %w", err)
@@ -183,6 +193,9 @@ func (g *GCSBackend) Download(ctx context.Context, remotePath, localPath string,
 		}

 		return nil
+	}, func(err error, duration time.Duration) {
+		fmt.Printf("[GCS] Download retry in %v: %v\n", duration, err)
+	})
 }

 // Delete deletes a file from Google Cloud Storage
--- a/internal/cloud/retry.go
+++ b/internal/cloud/retry.go
@@ -0,0 +1,257 @@
+package cloud
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"strings"
+	"time"
+
+	"github.com/cenkalti/backoff/v4"
+)
+
+// RetryConfig configures retry behavior
+type RetryConfig struct {
+	MaxRetries      int           // Maximum number of retries (0 = unlimited)
+	InitialInterval time.Duration // Initial backoff interval
+	MaxInterval     time.Duration // Maximum backoff interval
+	MaxElapsedTime  time.Duration // Maximum total time for retries
+	Multiplier      float64       // Backoff multiplier
+}
+
+// DefaultRetryConfig returns sensible defaults for cloud operations
+func DefaultRetryConfig() *RetryConfig {
+	return &RetryConfig{
+		MaxRetries:      5,
+		InitialInterval: 500 * time.Millisecond,
+		MaxInterval:     30 * time.Second,
+		MaxElapsedTime:  5 * time.Minute,
+		Multiplier:      2.0,
+	}
+}
+
+// AggressiveRetryConfig returns config for critical operations that need more retries
+func AggressiveRetryConfig() *RetryConfig {
+	return &RetryConfig{
+		MaxRetries:      10,
+		InitialInterval: 1 * time.Second,
+		MaxInterval:     60 * time.Second,
+		MaxElapsedTime:  15 * time.Minute,
+		Multiplier:      1.5,
+	}
+}
+
+// QuickRetryConfig returns config for operations that should fail fast
+func QuickRetryConfig() *RetryConfig {
+	return &RetryConfig{
+		MaxRetries:      3,
+		InitialInterval: 100 * time.Millisecond,
+		MaxInterval:     5 * time.Second,
+		MaxElapsedTime:  30 * time.Second,
+		Multiplier:      2.0,
+	}
+}
+
+// RetryOperation executes an operation with exponential backoff retry
+func RetryOperation(ctx context.Context, cfg *RetryConfig, operation func() error) error {
+	if cfg == nil {
+		cfg = DefaultRetryConfig()
+	}
+
+	// Create exponential backoff
+	expBackoff := backoff.NewExponentialBackOff()
+	expBackoff.InitialInterval = cfg.InitialInterval
+	expBackoff.MaxInterval = cfg.MaxInterval
+	expBackoff.MaxElapsedTime = cfg.MaxElapsedTime
+	expBackoff.Multiplier = cfg.Multiplier
+	expBackoff.Reset()
+
+	// Wrap with max retries if specified
+	var b backoff.BackOff = expBackoff
+	if cfg.MaxRetries > 0 {
+		b = backoff.WithMaxRetries(expBackoff, uint64(cfg.MaxRetries))
+	}
+
+	// Add context support
+	b = backoff.WithContext(b, ctx)
+
+	// Track attempts for logging
+	attempt := 0
+
+	// Wrap operation to handle permanent vs retryable errors
+	wrappedOp := func() error {
+		attempt++
+		err := operation()
+		if err == nil {
+			return nil
+		}
+
+		// Check if error is permanent (should not retry)
+		if IsPermanentError(err) {
+			return backoff.Permanent(err)
+		}
+
+		return err
+	}
+
+	return backoff.Retry(wrappedOp, b)
+}
+
+// RetryOperationWithNotify executes an operation with retry and calls notify on each retry
+func RetryOperationWithNotify(ctx context.Context, cfg *RetryConfig, operation func() error, notify func(err error, duration time.Duration)) error {
+	if cfg == nil {
+		cfg = DefaultRetryConfig()
+	}
+
+	// Create exponential backoff
+	expBackoff := backoff.NewExponentialBackOff()
+	expBackoff.InitialInterval = cfg.InitialInterval
+	expBackoff.MaxInterval = cfg.MaxInterval
+	expBackoff.MaxElapsedTime = cfg.MaxElapsedTime
+	expBackoff.Multiplier = cfg.Multiplier
+	expBackoff.Reset()
+
+	// Wrap with max retries if specified
+	var b backoff.BackOff = expBackoff
+	if cfg.MaxRetries > 0 {
+		b = backoff.WithMaxRetries(expBackoff, uint64(cfg.MaxRetries))
+	}
+
+	// Add context support
+	b = backoff.WithContext(b, ctx)
+
+	// Wrap operation to handle permanent vs retryable errors
+	wrappedOp := func() error {
+		err := operation()
+		if err == nil {
+			return nil
+		}
+
+		// Check if error is permanent (should not retry)
+		if IsPermanentError(err) {
+			return backoff.Permanent(err)
+		}
+
+		return err
+	}
+
+	return backoff.RetryNotify(wrappedOp, b, notify)
+}
+
+// IsPermanentError returns true if the error should not be retried
+func IsPermanentError(err error) bool {
+	if err == nil {
+		return false
+	}
+
+	errStr := strings.ToLower(err.Error())
+
+	// Authentication/authorization errors - don't retry
+	permanentPatterns := []string{
+		"access denied",
+		"forbidden",
+		"unauthorized",
+		"invalid credentials",
+		"invalid access key",
+		"invalid secret",
+		"no such bucket",
+		"bucket not found",
+		"container not found",
+		"nosuchbucket",
+		"nosuchkey",
+		"invalid argument",
+		"malformed",
+		"invalid request",
+		"permission denied",
+		"access control",
+		"policy",
+	}
+
+	for _, pattern := range permanentPatterns {
+		if strings.Contains(errStr, pattern) {
+			return true
+		}
+	}
+
+	return false
+}
+
+// IsRetryableError returns true if the error is transient and should be retried
+func IsRetryableError(err error) bool {
+	if err == nil {
+		return false
+	}
+
+	// Network errors are typically retryable
+	var netErr net.Error
+	if ok := isNetError(err, &netErr); ok {
+		return netErr.Timeout() || netErr.Temporary()
+	}
+
+	errStr := strings.ToLower(err.Error())
+
+	// Transient errors - should retry
+	retryablePatterns := []string{
+		"timeout",
+		"connection reset",
+		"connection refused",
+		"connection closed",
+		"eof",
+		"broken pipe",
+		"temporary failure",
+		"service unavailable",
+		"internal server error",
+		"bad gateway",
+		"gateway timeout",
+		"too many requests",
+		"rate limit",
+		"throttl",
+		"slowdown",
+		"try again",
+		"retry",
+	}
+
+	for _, pattern := range retryablePatterns {
+		if strings.Contains(errStr, pattern) {
+			return true
+		}
+	}
+
+	return false
+}
+
+// isNetError checks if err wraps a net.Error
+func isNetError(err error, target *net.Error) bool {
+	for err != nil {
+		if ne, ok := err.(net.Error); ok {
+			*target = ne
+			return true
+		}
+		// Try to unwrap
+		if unwrapper, ok := err.(interface{ Unwrap() error }); ok {
+			err = unwrapper.Unwrap()
+		} else {
+			break
+		}
+	}
+	return false
+}
+
+// WithRetry is a helper that wraps a function with default retry logic
+func WithRetry(ctx context.Context, operationName string, fn func() error) error {
+	notify := func(err error, duration time.Duration) {
+		// Log retry attempts (caller can provide their own logger if needed)
+		fmt.Printf("[RETRY] %s failed, retrying in %v: %v\n", operationName, duration, err)
+	}
+
+	return RetryOperationWithNotify(ctx, DefaultRetryConfig(), fn, notify)
+}
+
+// WithRetryConfig is a helper that wraps a function with custom retry config
+func WithRetryConfig(ctx context.Context, cfg *RetryConfig, operationName string, fn func() error) error {
+	notify := func(err error, duration time.Duration) {
+		fmt.Printf("[RETRY] %s failed, retrying in %v: %v\n", operationName, duration, err)
+	}
+
+	return RetryOperationWithNotify(ctx, cfg, fn, notify)
+}
--- a/internal/cloud/s3.go
+++ b/internal/cloud/s3.go
@@ -7,6 +7,7 @@ import (
 	"os"
 	"path/filepath"
 	"strings"
+	"time"

 	"github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/aws/aws-sdk-go-v2/config"
@@ -123,8 +124,14 @@ func (s *S3Backend) Upload(ctx context.Context, localPath, remotePath string, pr
 	return s.uploadSimple(ctx, file, key, fileSize, progress)
 }

-// uploadSimple performs a simple single-part upload
+// uploadSimple performs a simple single-part upload with retry
 func (s *S3Backend) uploadSimple(ctx context.Context, file *os.File, key string, fileSize int64, progress ProgressCallback) error {
+	return RetryOperationWithNotify(ctx, DefaultRetryConfig(), func() error {
+		// Reset file position for retry
+		if _, err := file.Seek(0, 0); err != nil {
+			return fmt.Errorf("failed to reset file position: %w", err)
+		}
+
 		// Create progress reader
 		var reader io.Reader = file
 		if progress != nil {
@@ -143,10 +150,19 @@ func (s *S3Backend) uploadSimple(ctx context.Context, file *os.File, key string,
 		}

 		return nil
+	}, func(err error, duration time.Duration) {
+		fmt.Printf("[S3] Upload retry in %v: %v\n", duration, err)
+	})
 }

-// uploadMultipart performs a multipart upload for large files
+// uploadMultipart performs a multipart upload for large files with retry
 func (s *S3Backend) uploadMultipart(ctx context.Context, file *os.File, key string, fileSize int64, progress ProgressCallback) error {
+	return RetryOperationWithNotify(ctx, AggressiveRetryConfig(), func() error {
+		// Reset file position for retry
+		if _, err := file.Seek(0, 0); err != nil {
+			return fmt.Errorf("failed to reset file position: %w", err)
+		}
+
 		// Create uploader with custom options
 		uploader := manager.NewUploader(s.client, func(u *manager.Uploader) {
 			// Part size: 10MB
@@ -177,9 +193,12 @@ func (s *S3Backend) uploadMultipart(ctx context.Context, file *os.File, key stri
 		}

 		return nil
+	}, func(err error, duration time.Duration) {
+		fmt.Printf("[S3] Multipart upload retry in %v: %v\n", duration, err)
+	})
 }

-// Download downloads a file from S3
+// Download downloads a file from S3 with retry
 func (s *S3Backend) Download(ctx context.Context, remotePath, localPath string, progress ProgressCallback) error {
 	// Build S3 key
 	key := s.buildKey(remotePath)
@@ -190,6 +209,12 @@ func (s *S3Backend) Download(ctx context.Context, remotePath, localPath string,
 		return fmt.Errorf("failed to get object size: %w", err)
 	}

+	// Create directory for local file
+	if err := os.MkdirAll(filepath.Dir(localPath), 0755); err != nil {
+		return fmt.Errorf("failed to create directory: %w", err)
+	}
+
+	return RetryOperationWithNotify(ctx, DefaultRetryConfig(), func() error {
 		// Download from S3
 		result, err := s.client.GetObject(ctx, &s3.GetObjectInput{
 			Bucket: aws.String(s.bucket),
@@ -200,11 +225,7 @@ func (s *S3Backend) Download(ctx context.Context, remotePath, localPath string,
 		}
 		defer result.Body.Close()

-	// Create local file
-	if err := os.MkdirAll(filepath.Dir(localPath), 0755); err != nil {
-		return fmt.Errorf("failed to create directory: %w", err)
-	}
-
+		// Create/truncate local file
 		outFile, err := os.Create(localPath)
 		if err != nil {
 			return fmt.Errorf("failed to create local file: %w", err)
@@ -223,6 +244,9 @@ func (s *S3Backend) Download(ctx context.Context, remotePath, localPath string,
 		}

 		return nil
+	}, func(err error, duration time.Duration) {
+		fmt.Printf("[S3] Download retry in %v: %v\n", duration, err)
+	})
 }

 // List lists all backup files in S3
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -64,6 +64,9 @@ type Config struct {
 	// Cluster parallelism
 	ClusterParallelism int // Number of concurrent databases during cluster operations (0 = sequential)

+	// Working directory for large operations (extraction, diagnosis)
+	WorkDir string // Alternative temp directory for large operations (default: system temp)
+
 	// Swap file management (for large backups)
 	SwapFilePath   string // Path to temporary swap file
 	SwapFileSizeGB int    // Size in GB (0 = disabled)
@@ -76,6 +79,28 @@ type Config struct {
 	AllowRoot      bool // Allow running as root/Administrator
 	CheckResources bool // Check resource limits before operations

+	// GFS (Grandfather-Father-Son) retention options
+	GFSEnabled    bool   // Enable GFS retention policy
+	GFSDaily      int    // Number of daily backups to keep
+	GFSWeekly     int    // Number of weekly backups to keep
+	GFSMonthly    int    // Number of monthly backups to keep
+	GFSYearly     int    // Number of yearly backups to keep
+	GFSWeeklyDay  string // Day for weekly backup (e.g., "Sunday")
+	GFSMonthlyDay int    // Day of month for monthly backup (1-28)
+
+	// PITR (Point-in-Time Recovery) options
+	PITREnabled    bool   // Enable WAL archiving for PITR
+	WALArchiveDir  string // Directory to store WAL archives
+	WALCompression bool   // Compress WAL files
+	WALEncryption  bool   // Encrypt WAL files
+
+	// MySQL PITR options
+	BinlogDir             string // MySQL binary log directory
+	BinlogArchiveDir      string // Directory to archive binlogs
+	BinlogArchiveInterval string // Interval for binlog archiving (e.g., "30s")
+	RequireRowFormat      bool   // Require ROW format for binlog
+	RequireGTID           bool   // Require GTID mode enabled
+
 	// TUI automation options (for testing)
 	TUIAutoSelect   int    // Auto-select menu option (-1 = disabled)
 	TUIAutoDatabase string // Pre-fill database name
@@ -96,6 +121,22 @@ type Config struct {
 	CloudSecretKey  string // Secret key / Account key (Azure)
 	CloudPrefix     string // Key/object prefix
 	CloudAutoUpload bool   // Automatically upload after backup
+
+	// Notification options
+	NotifyEnabled       bool     // Enable notifications
+	NotifyOnSuccess     bool     // Send notifications on successful operations
+	NotifyOnFailure     bool     // Send notifications on failed operations
+	NotifySMTPHost      string   // SMTP server host
+	NotifySMTPPort      int      // SMTP server port
+	NotifySMTPUser      string   // SMTP username
+	NotifySMTPPassword  string   // SMTP password
+	NotifySMTPFrom      string   // From address for emails
+	NotifySMTPTo        []string // To addresses for emails
+	NotifySMTPTLS       bool     // Use direct TLS (port 465)
+	NotifySMTPStartTLS  bool     // Use STARTTLS (port 587)
+	NotifyWebhookURL    string   // Webhook URL
+	NotifyWebhookMethod string   // Webhook HTTP method (POST/GET)
+	NotifyWebhookSecret string   // Webhook signing secret
 }

 // New creates a new configuration with default values
@@ -176,14 +217,17 @@ func New() *Config {
 		SingleDBName:  getEnvString("SINGLE_DB_NAME", ""),
 		RestoreDBName: getEnvString("RESTORE_DB_NAME", ""),

-		// Timeouts
-		ClusterTimeoutMinutes: getEnvInt("CLUSTER_TIMEOUT_MIN", 240),
+		// Timeouts - default 24 hours (1440 min) to handle very large databases with large objects
+		ClusterTimeoutMinutes: getEnvInt("CLUSTER_TIMEOUT_MIN", 1440),

 		// Cluster parallelism (default: 2 concurrent operations for faster cluster backup/restore)
 		ClusterParallelism: getEnvInt("CLUSTER_PARALLELISM", 2),

+		// Working directory for large operations (default: system temp)
+		WorkDir: getEnvString("WORK_DIR", ""),
+
 		// Swap file management
-		SwapFilePath:   getEnvString("SWAP_FILE_PATH", "/tmp/dbbackup_swap"),
+		SwapFilePath:   "",                                // Will be set after WorkDir is initialized
 		SwapFileSizeGB: getEnvInt("SWAP_FILE_SIZE_GB", 0), // 0 = disabled by default
 		AutoSwap:       getEnvBool("AUTO_SWAP", false),

@@ -223,6 +267,13 @@ func New() *Config {
 		cfg.SSLMode = "prefer"
 	}

+	// Set SwapFilePath using WorkDir if not explicitly set via env var
+	if envSwap := os.Getenv("SWAP_FILE_PATH"); envSwap != "" {
+		cfg.SwapFilePath = envSwap
+	} else {
+		cfg.SwapFilePath = filepath.Join(cfg.GetEffectiveWorkDir(), "dbbackup_swap")
+	}
+
 	return cfg
 }

@@ -458,6 +509,14 @@ func GetCurrentOSUser() string {
 	return getCurrentUser()
 }

+// GetEffectiveWorkDir returns the configured WorkDir or system temp as fallback
+func (c *Config) GetEffectiveWorkDir() string {
+	if c.WorkDir != "" {
+		return c.WorkDir
+	}
+	return os.TempDir()
+}
+
 func getDefaultBackupDir() string {
 	// Try to create a sensible default backup directory
 	homeDir, _ := os.UserHomeDir()
@@ -475,7 +534,7 @@ func getDefaultBackupDir() string {
 		return "/var/lib/pgsql/pg_backups"
 	}

-	return "/tmp/db_backups"
+	return filepath.Join(os.TempDir(), "db_backups")
 }

 // CPU-related helper functions
--- a/internal/config/persist.go
+++ b/internal/config/persist.go
@@ -22,6 +22,7 @@ type LocalConfig struct {

 	// Backup settings
 	BackupDir   string
+	WorkDir     string // Working directory for large operations
 	Compression int
 	Jobs        int
 	DumpJobs    int
@@ -29,6 +30,7 @@ type LocalConfig struct {
 	// Performance settings
 	CPUWorkload    string
 	MaxCores       int
+	ClusterTimeout int // Cluster operation timeout in minutes (default: 1440 = 24 hours)

 	// Security settings
 	RetentionDays int
@@ -97,6 +99,8 @@ func LoadLocalConfig() (*LocalConfig, error) {
 			switch key {
 			case "backup_dir":
 				cfg.BackupDir = value
+			case "work_dir":
+				cfg.WorkDir = value
 			case "compression":
 				if c, err := strconv.Atoi(value); err == nil {
 					cfg.Compression = c
@@ -118,6 +122,10 @@ func LoadLocalConfig() (*LocalConfig, error) {
 				if mc, err := strconv.Atoi(value); err == nil {
 					cfg.MaxCores = mc
 				}
+			case "cluster_timeout":
+				if ct, err := strconv.Atoi(value); err == nil {
+					cfg.ClusterTimeout = ct
+				}
 			}
 		case "security":
 			switch key {
@@ -174,6 +182,9 @@ func SaveLocalConfig(cfg *LocalConfig) error {
 	if cfg.BackupDir != "" {
 		sb.WriteString(fmt.Sprintf("backup_dir = %s\n", cfg.BackupDir))
 	}
+	if cfg.WorkDir != "" {
+		sb.WriteString(fmt.Sprintf("work_dir = %s\n", cfg.WorkDir))
+	}
 	if cfg.Compression != 0 {
 		sb.WriteString(fmt.Sprintf("compression = %d\n", cfg.Compression))
 	}
@@ -193,6 +204,9 @@ func SaveLocalConfig(cfg *LocalConfig) error {
 	if cfg.MaxCores != 0 {
 		sb.WriteString(fmt.Sprintf("max_cores = %d\n", cfg.MaxCores))
 	}
+	if cfg.ClusterTimeout != 0 {
+		sb.WriteString(fmt.Sprintf("cluster_timeout = %d\n", cfg.ClusterTimeout))
+	}
 	sb.WriteString("\n")

 	// Security section
@@ -244,6 +258,9 @@ func ApplyLocalConfig(cfg *Config, local *LocalConfig) {
 	if local.BackupDir != "" {
 		cfg.BackupDir = local.BackupDir
 	}
+	if local.WorkDir != "" {
+		cfg.WorkDir = local.WorkDir
+	}
 	if cfg.CompressionLevel == 6 && local.Compression != 0 {
 		cfg.CompressionLevel = local.Compression
 	}
@@ -259,6 +276,10 @@ func ApplyLocalConfig(cfg *Config, local *LocalConfig) {
 	if local.MaxCores != 0 {
 		cfg.MaxCores = local.MaxCores
 	}
+	// Apply cluster timeout from config file (overrides default)
+	if local.ClusterTimeout != 0 {
+		cfg.ClusterTimeoutMinutes = local.ClusterTimeout
+	}
 	if cfg.RetentionDays == 30 && local.RetentionDays != 0 {
 		cfg.RetentionDays = local.RetentionDays
 	}
@@ -280,11 +301,13 @@ func ConfigFromConfig(cfg *Config) *LocalConfig {
 		Database:       cfg.Database,
 		SSLMode:        cfg.SSLMode,
 		BackupDir:      cfg.BackupDir,
+		WorkDir:        cfg.WorkDir,
 		Compression:    cfg.CompressionLevel,
 		Jobs:           cfg.Jobs,
 		DumpJobs:       cfg.DumpJobs,
 		CPUWorkload:    cfg.CPUWorkloadType,
 		MaxCores:       cfg.MaxCores,
+		ClusterTimeout: cfg.ClusterTimeoutMinutes,
 		RetentionDays:  cfg.RetentionDays,
 		MinBackups:     cfg.MinBackups,
 		MaxRetries:     cfg.MaxRetries,
--- a/internal/cpu/detection.go
+++ b/internal/cpu/detection.go
@@ -1,13 +1,13 @@
 package cpu

 import (
+	"bufio"
 	"fmt"
+	"os"
+	"os/exec"
 	"runtime"
 	"strconv"
 	"strings"
-	"os"
-	"os/exec"
-	"bufio"
 )

 // CPUInfo holds information about the system CPU
--- a/internal/crypto/aes.go
+++ b/internal/crypto/aes.go
@@ -0,0 +1,294 @@
+package crypto
+
+import (
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/rand"
+	"crypto/sha256"
+	"fmt"
+	"io"
+	"os"
+
+	"golang.org/x/crypto/pbkdf2"
+)
+
+const (
+	// AES-256 requires 32-byte keys
+	KeySize = 32
+
+	// GCM standard nonce size
+	NonceSize = 12
+
+	// Salt size for PBKDF2
+	SaltSize = 32
+
+	// PBKDF2 iterations (OWASP recommended minimum)
+	PBKDF2Iterations = 600000
+
+	// Buffer size for streaming encryption
+	BufferSize = 64 * 1024 // 64KB chunks
+)
+
+// AESEncryptor implements AES-256-GCM encryption
+type AESEncryptor struct{}
+
+// NewAESEncryptor creates a new AES-256-GCM encryptor
+func NewAESEncryptor() *AESEncryptor {
+	return &AESEncryptor{}
+}
+
+// Algorithm returns the algorithm name
+func (e *AESEncryptor) Algorithm() EncryptionAlgorithm {
+	return AlgorithmAES256GCM
+}
+
+// DeriveKey derives a 32-byte key from a password using PBKDF2-SHA256
+func DeriveKey(password []byte, salt []byte) []byte {
+	return pbkdf2.Key(password, salt, PBKDF2Iterations, KeySize, sha256.New)
+}
+
+// GenerateSalt generates a random salt
+func GenerateSalt() ([]byte, error) {
+	salt := make([]byte, SaltSize)
+	if _, err := io.ReadFull(rand.Reader, salt); err != nil {
+		return nil, fmt.Errorf("failed to generate salt: %w", err)
+	}
+	return salt, nil
+}
+
+// GenerateNonce generates a random nonce for GCM
+func GenerateNonce() ([]byte, error) {
+	nonce := make([]byte, NonceSize)
+	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
+		return nil, fmt.Errorf("failed to generate nonce: %w", err)
+	}
+	return nonce, nil
+}
+
+// ValidateKey checks if a key is the correct length
+func ValidateKey(key []byte) error {
+	if len(key) != KeySize {
+		return fmt.Errorf("invalid key length: expected %d bytes, got %d bytes", KeySize, len(key))
+	}
+	return nil
+}
+
+// Encrypt encrypts data from reader and returns an encrypted reader
+func (e *AESEncryptor) Encrypt(reader io.Reader, key []byte) (io.Reader, error) {
+	if err := ValidateKey(key); err != nil {
+		return nil, err
+	}
+
+	// Create AES cipher
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create cipher: %w", err)
+	}
+
+	// Create GCM mode
+	gcm, err := cipher.NewGCM(block)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create GCM: %w", err)
+	}
+
+	// Generate nonce
+	nonce, err := GenerateNonce()
+	if err != nil {
+		return nil, err
+	}
+
+	// Create pipe for streaming
+	pr, pw := io.Pipe()
+
+	go func() {
+		defer pw.Close()
+
+		// Write nonce first (needed for decryption)
+		if _, err := pw.Write(nonce); err != nil {
+			pw.CloseWithError(fmt.Errorf("failed to write nonce: %w", err))
+			return
+		}
+
+		// Read plaintext in chunks and encrypt
+		buf := make([]byte, BufferSize)
+		for {
+			n, err := reader.Read(buf)
+			if n > 0 {
+				// Encrypt chunk
+				ciphertext := gcm.Seal(nil, nonce, buf[:n], nil)
+
+				// Write encrypted chunk length (4 bytes) + encrypted data
+				lengthBuf := []byte{
+					byte(len(ciphertext) >> 24),
+					byte(len(ciphertext) >> 16),
+					byte(len(ciphertext) >> 8),
+					byte(len(ciphertext)),
+				}
+				if _, err := pw.Write(lengthBuf); err != nil {
+					pw.CloseWithError(fmt.Errorf("failed to write chunk length: %w", err))
+					return
+				}
+				if _, err := pw.Write(ciphertext); err != nil {
+					pw.CloseWithError(fmt.Errorf("failed to write ciphertext: %w", err))
+					return
+				}
+
+				// Increment nonce for next chunk (simple counter mode)
+				for i := len(nonce) - 1; i >= 0; i-- {
+					nonce[i]++
+					if nonce[i] != 0 {
+						break
+					}
+				}
+			}
+			if err == io.EOF {
+				break
+			}
+			if err != nil {
+				pw.CloseWithError(fmt.Errorf("read error: %w", err))
+				return
+			}
+		}
+	}()
+
+	return pr, nil
+}
+
+// Decrypt decrypts data from reader and returns a decrypted reader
+func (e *AESEncryptor) Decrypt(reader io.Reader, key []byte) (io.Reader, error) {
+	if err := ValidateKey(key); err != nil {
+		return nil, err
+	}
+
+	// Create AES cipher
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create cipher: %w", err)
+	}
+
+	// Create GCM mode
+	gcm, err := cipher.NewGCM(block)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create GCM: %w", err)
+	}
+
+	// Create pipe for streaming
+	pr, pw := io.Pipe()
+
+	go func() {
+		defer pw.Close()
+
+		// Read initial nonce
+		nonce := make([]byte, NonceSize)
+		if _, err := io.ReadFull(reader, nonce); err != nil {
+			pw.CloseWithError(fmt.Errorf("failed to read nonce: %w", err))
+			return
+		}
+
+		// Read and decrypt chunks
+		lengthBuf := make([]byte, 4)
+		for {
+			// Read chunk length
+			if _, err := io.ReadFull(reader, lengthBuf); err != nil {
+				if err == io.EOF {
+					break
+				}
+				pw.CloseWithError(fmt.Errorf("failed to read chunk length: %w", err))
+				return
+			}
+
+			chunkLen := int(lengthBuf[0])<<24 | int(lengthBuf[1])<<16 |
+				int(lengthBuf[2])<<8 | int(lengthBuf[3])
+
+			// Read encrypted chunk
+			ciphertext := make([]byte, chunkLen)
+			if _, err := io.ReadFull(reader, ciphertext); err != nil {
+				pw.CloseWithError(fmt.Errorf("failed to read ciphertext: %w", err))
+				return
+			}
+
+			// Decrypt chunk
+			plaintext, err := gcm.Open(nil, nonce, ciphertext, nil)
+			if err != nil {
+				pw.CloseWithError(fmt.Errorf("decryption failed (wrong key?): %w", err))
+				return
+			}
+
+			// Write plaintext
+			if _, err := pw.Write(plaintext); err != nil {
+				pw.CloseWithError(fmt.Errorf("failed to write plaintext: %w", err))
+				return
+			}
+
+			// Increment nonce for next chunk
+			for i := len(nonce) - 1; i >= 0; i-- {
+				nonce[i]++
+				if nonce[i] != 0 {
+					break
+				}
+			}
+		}
+	}()
+
+	return pr, nil
+}
+
+// EncryptFile encrypts a file
+func (e *AESEncryptor) EncryptFile(inputPath, outputPath string, key []byte) error {
+	// Open input file
+	inFile, err := os.Open(inputPath)
+	if err != nil {
+		return fmt.Errorf("failed to open input file: %w", err)
+	}
+	defer inFile.Close()
+
+	// Create output file
+	outFile, err := os.Create(outputPath)
+	if err != nil {
+		return fmt.Errorf("failed to create output file: %w", err)
+	}
+	defer outFile.Close()
+
+	// Encrypt
+	encReader, err := e.Encrypt(inFile, key)
+	if err != nil {
+		return err
+	}
+
+	// Copy encrypted data to output file
+	if _, err := io.Copy(outFile, encReader); err != nil {
+		return fmt.Errorf("failed to write encrypted data: %w", err)
+	}
+
+	return nil
+}
+
+// DecryptFile decrypts a file
+func (e *AESEncryptor) DecryptFile(inputPath, outputPath string, key []byte) error {
+	// Open input file
+	inFile, err := os.Open(inputPath)
+	if err != nil {
+		return fmt.Errorf("failed to open input file: %w", err)
+	}
+	defer inFile.Close()
+
+	// Create output file
+	outFile, err := os.Create(outputPath)
+	if err != nil {
+		return fmt.Errorf("failed to create output file: %w", err)
+	}
+	defer outFile.Close()
+
+	// Decrypt
+	decReader, err := e.Decrypt(inFile, key)
+	if err != nil {
+		return err
+	}
+
+	// Copy decrypted data to output file
+	if _, err := io.Copy(outFile, decReader); err != nil {
+		return fmt.Errorf("failed to write decrypted data: %w", err)
+	}
+
+	return nil
+}
--- a/internal/crypto/aes_test.go
+++ b/internal/crypto/aes_test.go
@@ -0,0 +1,232 @@
+package crypto
+
+import (
+	"bytes"
+	"crypto/rand"
+	"io"
+	"os"
+	"path/filepath"
+	"testing"
+)
+
+func TestAESEncryptionDecryption(t *testing.T) {
+	encryptor := NewAESEncryptor()
+
+	// Generate a random key
+	key := make([]byte, KeySize)
+	if _, err := io.ReadFull(rand.Reader, key); err != nil {
+		t.Fatalf("Failed to generate key: %v", err)
+	}
+
+	testData := []byte("This is test data for encryption and decryption. It contains multiple bytes to ensure proper streaming.")
+
+	// Test streaming encryption/decryption
+	t.Run("StreamingEncryptDecrypt", func(t *testing.T) {
+		// Encrypt
+		reader := bytes.NewReader(testData)
+		encReader, err := encryptor.Encrypt(reader, key)
+		if err != nil {
+			t.Fatalf("Encryption failed: %v", err)
+		}
+
+		// Read all encrypted data
+		encryptedData, err := io.ReadAll(encReader)
+		if err != nil {
+			t.Fatalf("Failed to read encrypted data: %v", err)
+		}
+
+		// Verify encrypted data is different from original
+		if bytes.Equal(encryptedData, testData) {
+			t.Error("Encrypted data should not equal plaintext")
+		}
+
+		// Decrypt
+		decReader, err := encryptor.Decrypt(bytes.NewReader(encryptedData), key)
+		if err != nil {
+			t.Fatalf("Decryption failed: %v", err)
+		}
+
+		// Read decrypted data
+		decryptedData, err := io.ReadAll(decReader)
+		if err != nil {
+			t.Fatalf("Failed to read decrypted data: %v", err)
+		}
+
+		// Verify decrypted data matches original
+		if !bytes.Equal(decryptedData, testData) {
+			t.Errorf("Decrypted data does not match original.\nExpected: %s\nGot: %s",
+				string(testData), string(decryptedData))
+		}
+	})
+
+	// Test file encryption/decryption
+	t.Run("FileEncryptDecrypt", func(t *testing.T) {
+		tempDir, err := os.MkdirTemp("", "crypto_test_*")
+		if err != nil {
+			t.Fatalf("Failed to create temp dir: %v", err)
+		}
+		defer os.RemoveAll(tempDir)
+
+		// Create test file
+		testFile := filepath.Join(tempDir, "test.txt")
+		if err := os.WriteFile(testFile, testData, 0644); err != nil {
+			t.Fatalf("Failed to write test file: %v", err)
+		}
+
+		// Encrypt file
+		encryptedFile := filepath.Join(tempDir, "test.txt.enc")
+		if err := encryptor.EncryptFile(testFile, encryptedFile, key); err != nil {
+			t.Fatalf("File encryption failed: %v", err)
+		}
+
+		// Verify encrypted file exists and is different
+		encData, err := os.ReadFile(encryptedFile)
+		if err != nil {
+			t.Fatalf("Failed to read encrypted file: %v", err)
+		}
+		if bytes.Equal(encData, testData) {
+			t.Error("Encrypted file should not equal plaintext")
+		}
+
+		// Decrypt file
+		decryptedFile := filepath.Join(tempDir, "test.txt.dec")
+		if err := encryptor.DecryptFile(encryptedFile, decryptedFile, key); err != nil {
+			t.Fatalf("File decryption failed: %v", err)
+		}
+
+		// Verify decrypted file matches original
+		decData, err := os.ReadFile(decryptedFile)
+		if err != nil {
+			t.Fatalf("Failed to read decrypted file: %v", err)
+		}
+		if !bytes.Equal(decData, testData) {
+			t.Errorf("Decrypted file does not match original")
+		}
+	})
+
+	// Test wrong key
+	t.Run("WrongKey", func(t *testing.T) {
+		wrongKey := make([]byte, KeySize)
+		if _, err := io.ReadFull(rand.Reader, wrongKey); err != nil {
+			t.Fatalf("Failed to generate wrong key: %v", err)
+		}
+
+		// Encrypt with correct key
+		reader := bytes.NewReader(testData)
+		encReader, err := encryptor.Encrypt(reader, key)
+		if err != nil {
+			t.Fatalf("Encryption failed: %v", err)
+		}
+
+		encryptedData, err := io.ReadAll(encReader)
+		if err != nil {
+			t.Fatalf("Failed to read encrypted data: %v", err)
+		}
+
+		// Try to decrypt with wrong key
+		decReader, err := encryptor.Decrypt(bytes.NewReader(encryptedData), wrongKey)
+		if err != nil {
+			// Error during decrypt setup is OK
+			return
+		}
+
+		// Try to read - should fail
+		_, err = io.ReadAll(decReader)
+		if err == nil {
+			t.Error("Expected decryption to fail with wrong key")
+		}
+	})
+}
+
+func TestKeyDerivation(t *testing.T) {
+	password := []byte("test-password-12345")
+
+	// Generate salt
+	salt, err := GenerateSalt()
+	if err != nil {
+		t.Fatalf("Failed to generate salt: %v", err)
+	}
+
+	if len(salt) != SaltSize {
+		t.Errorf("Expected salt size %d, got %d", SaltSize, len(salt))
+	}
+
+	// Derive key
+	key := DeriveKey(password, salt)
+	if len(key) != KeySize {
+		t.Errorf("Expected key size %d, got %d", KeySize, len(key))
+	}
+
+	// Verify same password+salt produces same key
+	key2 := DeriveKey(password, salt)
+	if !bytes.Equal(key, key2) {
+		t.Error("Same password and salt should produce same key")
+	}
+
+	// Verify different salt produces different key
+	salt2, _ := GenerateSalt()
+	key3 := DeriveKey(password, salt2)
+	if bytes.Equal(key, key3) {
+		t.Error("Different salt should produce different key")
+	}
+}
+
+func TestKeyValidation(t *testing.T) {
+	validKey := make([]byte, KeySize)
+	if err := ValidateKey(validKey); err != nil {
+		t.Errorf("Valid key should pass validation: %v", err)
+	}
+
+	shortKey := make([]byte, 16)
+	if err := ValidateKey(shortKey); err == nil {
+		t.Error("Short key should fail validation")
+	}
+
+	longKey := make([]byte, 64)
+	if err := ValidateKey(longKey); err == nil {
+		t.Error("Long key should fail validation")
+	}
+}
+
+func TestLargeData(t *testing.T) {
+	encryptor := NewAESEncryptor()
+
+	// Generate key
+	key := make([]byte, KeySize)
+	if _, err := io.ReadFull(rand.Reader, key); err != nil {
+		t.Fatalf("Failed to generate key: %v", err)
+	}
+
+	// Create large test data (1MB)
+	largeData := make([]byte, 1024*1024)
+	if _, err := io.ReadFull(rand.Reader, largeData); err != nil {
+		t.Fatalf("Failed to generate large data: %v", err)
+	}
+
+	// Encrypt
+	encReader, err := encryptor.Encrypt(bytes.NewReader(largeData), key)
+	if err != nil {
+		t.Fatalf("Encryption failed: %v", err)
+	}
+
+	encryptedData, err := io.ReadAll(encReader)
+	if err != nil {
+		t.Fatalf("Failed to read encrypted data: %v", err)
+	}
+
+	// Decrypt
+	decReader, err := encryptor.Decrypt(bytes.NewReader(encryptedData), key)
+	if err != nil {
+		t.Fatalf("Decryption failed: %v", err)
+	}
+
+	decryptedData, err := io.ReadAll(decReader)
+	if err != nil {
+		t.Fatalf("Failed to read decrypted data: %v", err)
+	}
+
+	// Verify
+	if !bytes.Equal(decryptedData, largeData) {
+		t.Error("Decrypted large data does not match original")
+	}
+}
--- a/internal/crypto/interface.go
+++ b/internal/crypto/interface.go
@@ -0,0 +1,86 @@
+package crypto
+
+import (
+	"io"
+)
+
+// EncryptionAlgorithm represents the encryption algorithm used
+type EncryptionAlgorithm string
+
+const (
+	AlgorithmAES256GCM EncryptionAlgorithm = "aes-256-gcm"
+)
+
+// EncryptionConfig holds encryption configuration
+type EncryptionConfig struct {
+	// Enabled indicates whether encryption is enabled
+	Enabled bool
+
+	// KeyFile is the path to a file containing the encryption key
+	KeyFile string
+
+	// KeyEnvVar is the name of an environment variable containing the key
+	KeyEnvVar string
+
+	// Algorithm specifies the encryption algorithm to use
+	Algorithm EncryptionAlgorithm
+
+	// Key is the actual encryption key (derived from KeyFile or KeyEnvVar)
+	Key []byte
+}
+
+// Encryptor provides encryption and decryption capabilities
+type Encryptor interface {
+	// Encrypt encrypts data from reader and returns an encrypted reader
+	// The returned reader streams encrypted data without loading everything into memory
+	Encrypt(reader io.Reader, key []byte) (io.Reader, error)
+
+	// Decrypt decrypts data from reader and returns a decrypted reader
+	// The returned reader streams decrypted data without loading everything into memory
+	Decrypt(reader io.Reader, key []byte) (io.Reader, error)
+
+	// EncryptFile encrypts a file in-place or to a new file
+	EncryptFile(inputPath, outputPath string, key []byte) error
+
+	// DecryptFile decrypts a file in-place or to a new file
+	DecryptFile(inputPath, outputPath string, key []byte) error
+
+	// Algorithm returns the encryption algorithm used by this encryptor
+	Algorithm() EncryptionAlgorithm
+}
+
+// KeyDeriver derives encryption keys from passwords/passphrases
+type KeyDeriver interface {
+	// DeriveKey derives a key from a password using PBKDF2 or similar
+	DeriveKey(password []byte, salt []byte, keyLength int) ([]byte, error)
+
+	// GenerateSalt generates a random salt for key derivation
+	GenerateSalt() ([]byte, error)
+}
+
+// EncryptionMetadata contains metadata about encrypted backups
+type EncryptionMetadata struct {
+	// Algorithm used for encryption
+	Algorithm string `json:"algorithm"`
+
+	// KeyDerivation method used (e.g., "pbkdf2-sha256")
+	KeyDerivation string `json:"key_derivation,omitempty"`
+
+	// Salt used for key derivation (base64 encoded)
+	Salt string `json:"salt,omitempty"`
+
+	// Nonce/IV used for encryption (base64 encoded)
+	Nonce string `json:"nonce,omitempty"`
+
+	// Version of encryption format
+	Version int `json:"version"`
+}
+
+// DefaultConfig returns a default encryption configuration
+func DefaultConfig() *EncryptionConfig {
+	return &EncryptionConfig{
+		Enabled:   false,
+		Algorithm: AlgorithmAES256GCM,
+		KeyEnvVar: "DBBACKUP_ENCRYPTION_KEY",
+	}
+}
--- a/internal/database/interface.go
+++ b/internal/database/interface.go
@@ -9,8 +9,8 @@ import (
 	"dbbackup/internal/config"
 	"dbbackup/internal/logger"

-	_ "github.com/jackc/pgx/v5/stdlib"     // PostgreSQL driver (pgx - high performance)
 	_ "github.com/go-sql-driver/mysql" // MySQL driver
+	_ "github.com/jackc/pgx/v5/stdlib" // PostgreSQL driver (pgx - high performance)
 )

 // Database represents a database connection and operations
--- a/internal/database/mysql.go
+++ b/internal/database/mysql.go
@@ -126,13 +126,46 @@ func (m *MySQL) ListTables(ctx context.Context, database string) ([]string, erro
 	return tables, rows.Err()
 }

+// validateMySQLIdentifier checks if a database/table name is safe for use in SQL
+// Prevents SQL injection by only allowing alphanumeric names with underscores
+func validateMySQLIdentifier(name string) error {
+	if len(name) == 0 {
+		return fmt.Errorf("identifier cannot be empty")
+	}
+	if len(name) > 64 {
+		return fmt.Errorf("identifier too long (max 64 chars): %s", name)
+	}
+	// Only allow alphanumeric, underscores, and must start with letter or underscore
+	for i, c := range name {
+		if i == 0 && !((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || c == '_') {
+			return fmt.Errorf("identifier must start with letter or underscore: %s", name)
+		}
+		if !((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9') || c == '_') {
+			return fmt.Errorf("identifier contains invalid character %q: %s", c, name)
+		}
+	}
+	return nil
+}
+
+// quoteMySQLIdentifier safely quotes a MySQL identifier
+func quoteMySQLIdentifier(name string) string {
+	// Escape any backticks by doubling them and wrap in backticks
+	return "`" + strings.ReplaceAll(name, "`", "``") + "`"
+}
+
 // CreateDatabase creates a new database
 func (m *MySQL) CreateDatabase(ctx context.Context, name string) error {
 	if m.db == nil {
 		return fmt.Errorf("not connected to database")
 	}

-	query := fmt.Sprintf("CREATE DATABASE IF NOT EXISTS `%s`", name)
+	// Validate identifier to prevent SQL injection
+	if err := validateMySQLIdentifier(name); err != nil {
+		return fmt.Errorf("invalid database name: %w", err)
+	}
+
+	// Use safe quoting for identifier
+	query := fmt.Sprintf("CREATE DATABASE IF NOT EXISTS %s", quoteMySQLIdentifier(name))
 	_, err := m.db.ExecContext(ctx, query)
 	if err != nil {
 		return fmt.Errorf("failed to create database %s: %w", name, err)
@@ -148,7 +181,13 @@ func (m *MySQL) DropDatabase(ctx context.Context, name string) error {
 		return fmt.Errorf("not connected to database")
 	}

-	query := fmt.Sprintf("DROP DATABASE IF EXISTS `%s`", name)
+	// Validate identifier to prevent SQL injection
+	if err := validateMySQLIdentifier(name); err != nil {
+		return fmt.Errorf("invalid database name: %w", err)
+	}
+
+	// Use safe quoting for identifier
+	query := fmt.Sprintf("DROP DATABASE IF EXISTS %s", quoteMySQLIdentifier(name))
 	_, err := m.db.ExecContext(ctx, query)
 	if err != nil {
 		return fmt.Errorf("failed to drop database %s: %w", name, err)
--- a/internal/database/postgresql.go
+++ b/internal/database/postgresql.go
@@ -15,7 +15,6 @@ import (

 	"github.com/jackc/pgx/v5/pgxpool"
 	"github.com/jackc/pgx/v5/stdlib"
-	_ "github.com/jackc/pgx/v5/stdlib" // PostgreSQL driver (pgx)
 )

 // PostgreSQL implements Database interface for PostgreSQL
@@ -163,14 +162,47 @@ func (p *PostgreSQL) ListTables(ctx context.Context, database string) ([]string,
 	return tables, rows.Err()
 }

+// validateIdentifier checks if a database/table name is safe for use in SQL
+// Prevents SQL injection by only allowing alphanumeric names with underscores
+func validateIdentifier(name string) error {
+	if len(name) == 0 {
+		return fmt.Errorf("identifier cannot be empty")
+	}
+	if len(name) > 63 {
+		return fmt.Errorf("identifier too long (max 63 chars): %s", name)
+	}
+	// Only allow alphanumeric, underscores, and must start with letter or underscore
+	for i, c := range name {
+		if i == 0 && !((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || c == '_') {
+			return fmt.Errorf("identifier must start with letter or underscore: %s", name)
+		}
+		if !((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9') || c == '_') {
+			return fmt.Errorf("identifier contains invalid character %q: %s", c, name)
+		}
+	}
+	return nil
+}
+
+// quoteIdentifier safely quotes a PostgreSQL identifier
+func quoteIdentifier(name string) string {
+	// Double any existing double quotes and wrap in double quotes
+	return `"` + strings.ReplaceAll(name, `"`, `""`) + `"`
+}
+
 // CreateDatabase creates a new database
 func (p *PostgreSQL) CreateDatabase(ctx context.Context, name string) error {
 	if p.db == nil {
 		return fmt.Errorf("not connected to database")
 	}

+	// Validate identifier to prevent SQL injection
+	if err := validateIdentifier(name); err != nil {
+		return fmt.Errorf("invalid database name: %w", err)
+	}
+
 	// PostgreSQL doesn't support CREATE DATABASE in transactions or prepared statements
-	query := fmt.Sprintf("CREATE DATABASE %s", name)
+	// Use quoted identifier for safety
+	query := fmt.Sprintf("CREATE DATABASE %s", quoteIdentifier(name))
 	_, err := p.db.ExecContext(ctx, query)
 	if err != nil {
 		return fmt.Errorf("failed to create database %s: %w", name, err)
@@ -186,8 +218,14 @@ func (p *PostgreSQL) DropDatabase(ctx context.Context, name string) error {
 		return fmt.Errorf("not connected to database")
 	}

+	// Validate identifier to prevent SQL injection
+	if err := validateIdentifier(name); err != nil {
+		return fmt.Errorf("invalid database name: %w", err)
+	}
+
 	// Force drop connections and drop database
-	query := fmt.Sprintf("DROP DATABASE IF EXISTS %s", name)
+	// Use quoted identifier for safety
+	query := fmt.Sprintf("DROP DATABASE IF EXISTS %s", quoteIdentifier(name))
 	_, err := p.db.ExecContext(ctx, query)
 	if err != nil {
 		return fmt.Errorf("failed to drop database %s: %w", name, err)
--- a/internal/dedup/chunker.go
+++ b/internal/dedup/chunker.go
@@ -0,0 +1,228 @@
+// Package dedup provides content-defined chunking and deduplication
+// for database backups, similar to restic/borgbackup but with native
+// database dump support.
+package dedup
+
+import (
+	"crypto/sha256"
+	"encoding/hex"
+	"io"
+)
+
+// Chunker constants for content-defined chunking
+const (
+	// DefaultMinChunkSize is the minimum chunk size (4KB)
+	DefaultMinChunkSize = 4 * 1024
+
+	// DefaultAvgChunkSize is the target average chunk size (8KB)
+	DefaultAvgChunkSize = 8 * 1024
+
+	// DefaultMaxChunkSize is the maximum chunk size (32KB)
+	DefaultMaxChunkSize = 32 * 1024
+
+	// WindowSize for the rolling hash
+	WindowSize = 48
+
+	// ChunkMask determines average chunk size
+	// For 8KB average: we look for hash % 8192 == 0
+	ChunkMask = DefaultAvgChunkSize - 1
+)
+
+// Gear hash table - random values for each byte
+// This is used for the Gear rolling hash which is simpler and faster than Buzhash
+var gearTable = [256]uint64{
+	0x5c95c078, 0x22408989, 0x2d48a214, 0x12842087, 0x530f8afb, 0x474536b9, 0x2963b4f1, 0x44cb738b,
+	0x4ea7403d, 0x4d606b6e, 0x074ec5d3, 0x3f7e82f4, 0x4e3d26e7, 0x5cb4e82f, 0x7b0a1ef5, 0x3d4e7c92,
+	0x2a81ed69, 0x7f853df8, 0x452c8cf7, 0x0f4f3c9d, 0x3a5e81b7, 0x6cb2d819, 0x2e4c5f93, 0x7e8a1c57,
+	0x1f9d3e8c, 0x4b7c2a5d, 0x3c8f1d6e, 0x5d2a7b4f, 0x6e9c3f8a, 0x7a4d1e5c, 0x2b8c4f7d, 0x4f7d2c9e,
+	0x5a1e3d7c, 0x6b4f8a2d, 0x3e7c9d5a, 0x7d2a4f8b, 0x4c9e7d3a, 0x5b8a1c6e, 0x2d5f4a9c, 0x7a3c8d6b,
+	0x6e2a7b4d, 0x3f8c5d9a, 0x4a7d3e5b, 0x5c9a2d7e, 0x7b4e8f3c, 0x2a6d9c5b, 0x3e4a7d8c, 0x5d7b2e9a,
+	0x4c8a3d7b, 0x6e9d5c8a, 0x7a3e4d9c, 0x2b5c8a7d, 0x4d7e3a9c, 0x5a9c7d3e, 0x3c8b5a7d, 0x7d4e9c2a,
+	0x6a3d8c5b, 0x4e7a9d3c, 0x5c2a7b9e, 0x3a9d4e7c, 0x7b8c5a2d, 0x2d7e4a9c, 0x4a3c9d7b, 0x5e9a7c3d,
+	0x6c4d8a5b, 0x3b7e9c4a, 0x7a5c2d8b, 0x4d9a3e7c, 0x5b7c4a9e, 0x2e8a5d3c, 0x3c9e7a4d, 0x7d4a8c5b,
+	0x6b2d9a7c, 0x4a8c3e5d, 0x5d7a9c2e, 0x3e4c7b9a, 0x7c9d5a4b, 0x2a7e8c3d, 0x4c5a9d7e, 0x5a3e7c4b,
+	0x6d8a2c9e, 0x3c7b4a8d, 0x7e2d9c5a, 0x4b9a7e3c, 0x5c4d8a7b, 0x2d9e3c5a, 0x3a7c9d4e, 0x7b5a4c8d,
+	0x6a9c2e7b, 0x4d3e8a9c, 0x5e7b4d2a, 0x3b9a7c5d, 0x7c4e8a3b, 0x2e7d9c4a, 0x4a8b3e7d, 0x5d2c9a7e,
+	0x6c7a5d3e, 0x3e9c4a7b, 0x7a8d2c5e, 0x4c3e9a7d, 0x5b9c7e2a, 0x2a4d7c9e, 0x3d8a5c4b, 0x7e7b9a3c,
+	0x6b4a8d9e, 0x4e9c3b7a, 0x5a7d4e9c, 0x3c2a8b7d, 0x7d9e5c4a, 0x2b8a7d3e, 0x4d5c9a2b, 0x5e3a7c8d,
+	0x6a9d4b7c, 0x3b7a9c5e, 0x7c4b8a2d, 0x4a9e7c3b, 0x5d2b9a4e, 0x2e7c4d9a, 0x3a9b7e4c, 0x7e5a3c8b,
+	0x6c8a9d4e, 0x4b7c2a5e, 0x5a3e9c7d, 0x3d9a4b7c, 0x7a2d5e9c, 0x2c8b7a3d, 0x4e9c5a2b, 0x5b4d7e9a,
+	0x6d7a3c8b, 0x3e2b9a5d, 0x7c9d4a7e, 0x4a5e3c9b, 0x5e7a9d2c, 0x2b3c7e9a, 0x3a9e4b7d, 0x7d8a5c3e,
+	0x6b9c2d4a, 0x4c7e9a3b, 0x5a2c8b7e, 0x3b4d9a5c, 0x7e9b3a4d, 0x2d5a7c9e, 0x4b8d3e7a, 0x5c9a4b2d,
+	0x6a7c8d9e, 0x3c9e5a7b, 0x7b4a2c9d, 0x4d3b7e9a, 0x5e9c4a3b, 0x2a7b9d4e, 0x3e5c8a7b, 0x7a9d3e5c,
+	0x6c2a7b8d, 0x4e9a5c3b, 0x5b7d2a9e, 0x3a4e9c7b, 0x7d8b3a5c, 0x2c9e7a4b, 0x4a3d5e9c, 0x5d7b8a2e,
+	0x6b9a4c7d, 0x3d5a9e4b, 0x7e2c7b9a, 0x4b9d3a5e, 0x5c4e7a9d, 0x2e8a3c7b, 0x3b7c9e5a, 0x7a4d8b3e,
+	0x6d9c5a2b, 0x4a7e3d9c, 0x5e2a9b7d, 0x3c9a7e4b, 0x7b3e5c9a, 0x2a4b8d7e, 0x4d9c2a5b, 0x5a7d9e3c,
+	0x6c3b8a7d, 0x3e9d4a5c, 0x7d5c2b9e, 0x4c8a7d3b, 0x5b9e3c7a, 0x2d7a9c4e, 0x3a5e7b9d, 0x7e8b4a3c,
+	0x6a2d9e7b, 0x4b3e5a9d, 0x5d9c7b2a, 0x3b7d4e9c, 0x7c9a3b5e, 0x2e5c8a7d, 0x4a7b9d3e, 0x5c3a7e9b,
+	0x6d9e5c4a, 0x3c4a7b9e, 0x7a9d2e5c, 0x4e7c9a3d, 0x5a8b4e7c, 0x2b9a3d7e, 0x3d5b8a9c, 0x7b4e9a2d,
+	0x6c7d3a9e, 0x4a9c5e3b, 0x5e2b7d9a, 0x3a8d4c7b, 0x7d3e9a5c, 0x2c7a8b9e, 0x4b5d3a7c, 0x5c9a7e2b,
+	0x6a4b9d3e, 0x3e7c2a9d, 0x7c8a5b4e, 0x4d9e3c7a, 0x5b3a9e7c, 0x2e9c7b4a, 0x3b4e8a9d, 0x7a9c4e3b,
+	0x6d2a7c9e, 0x4c8b9a5d, 0x5a9e2b7c, 0x3c3d7a9e, 0x7e5a9c4b, 0x2a8d3e7c, 0x4e7a5c9b, 0x5d9b8a2e,
+	0x6b4c9e7a, 0x3a9d5b4e, 0x7b2e8a9c, 0x4a5c3e9b, 0x5c9a4d7e, 0x2d7e9a3c, 0x3e8b7c5a, 0x7c9e2a4d,
+	0x6a3b7d9c, 0x4d9a8b3e, 0x5e5c2a7b, 0x3b4a9d7c, 0x7a7c5e9b, 0x2c9b4a8d, 0x4b3e7c9a, 0x5a9d3b7e,
+	0x6c8a4e9d, 0x3d7b9c5a, 0x7e2a4b9c, 0x4c9e5d3a, 0x5b7a9c4e, 0x2e4d8a7b, 0x3a9c7e5d, 0x7b8d3a9e,
+	0x6d5c9a4b, 0x4a2e7b9d, 0x5d9b4c8a, 0x3c7a9e2b, 0x7d4b8c9e, 0x2b9a5c4d, 0x4e7d3a9c, 0x5c8a9e7b,
+}
+
+// Chunk represents a single deduplicated chunk
+type Chunk struct {
+	// Hash is the SHA-256 hash of the chunk data (content-addressed)
+	Hash string
+
+	// Data is the raw chunk bytes
+	Data []byte
+
+	// Offset is the byte offset in the original file
+	Offset int64
+
+	// Length is the size of this chunk
+	Length int
+}
+
+// ChunkerConfig holds configuration for the chunker
+type ChunkerConfig struct {
+	MinSize int // Minimum chunk size
+	AvgSize int // Target average chunk size
+	MaxSize int // Maximum chunk size
+}
+
+// DefaultChunkerConfig returns sensible defaults
+func DefaultChunkerConfig() ChunkerConfig {
+	return ChunkerConfig{
+		MinSize: DefaultMinChunkSize,
+		AvgSize: DefaultAvgChunkSize,
+		MaxSize: DefaultMaxChunkSize,
+	}
+}
+
+// Chunker performs content-defined chunking using Gear hash
+type Chunker struct {
+	reader io.Reader
+	config ChunkerConfig
+
+	// Rolling hash state
+	hash uint64
+
+	// Current chunk state
+	buf    []byte
+	offset int64
+	mask   uint64
+}
+
+// NewChunker creates a new chunker for the given reader
+func NewChunker(r io.Reader, config ChunkerConfig) *Chunker {
+	// Calculate mask for target average size
+	// We want: avg_size = 1 / P(boundary)
+	// With mask, P(boundary) = 1 / (mask + 1)
+	// So mask = avg_size - 1
+	mask := uint64(config.AvgSize - 1)
+
+	return &Chunker{
+		reader: r,
+		config: config,
+		buf:    make([]byte, 0, config.MaxSize),
+		mask:   mask,
+	}
+}
+
+// Next returns the next chunk from the input stream
+// Returns io.EOF when no more data is available
+func (c *Chunker) Next() (*Chunk, error) {
+	c.buf = c.buf[:0]
+	c.hash = 0
+
+	// Read bytes until we find a chunk boundary or hit max size
+	singleByte := make([]byte, 1)
+
+	for {
+		n, err := c.reader.Read(singleByte)
+		if n == 0 {
+			if err == io.EOF {
+				// Return remaining data as final chunk
+				if len(c.buf) > 0 {
+					return c.makeChunk(), nil
+				}
+				return nil, io.EOF
+			}
+			if err != nil {
+				return nil, err
+			}
+			continue
+		}
+
+		b := singleByte[0]
+		c.buf = append(c.buf, b)
+
+		// Update Gear rolling hash
+		// Gear hash: hash = (hash << 1) + gear_table[byte]
+		c.hash = (c.hash << 1) + gearTable[b]
+
+		// Check for chunk boundary after minimum size
+		if len(c.buf) >= c.config.MinSize {
+			// Check if we hit a boundary (hash matches mask pattern)
+			if (c.hash & c.mask) == 0 {
+				return c.makeChunk(), nil
+			}
+		}
+
+		// Force boundary at max size
+		if len(c.buf) >= c.config.MaxSize {
+			return c.makeChunk(), nil
+		}
+	}
+}
+
+// makeChunk creates a Chunk from the current buffer
+func (c *Chunker) makeChunk() *Chunk {
+	// Compute SHA-256 hash
+	h := sha256.Sum256(c.buf)
+	hash := hex.EncodeToString(h[:])
+
+	// Copy data
+	data := make([]byte, len(c.buf))
+	copy(data, c.buf)
+
+	chunk := &Chunk{
+		Hash:   hash,
+		Data:   data,
+		Offset: c.offset,
+		Length: len(data),
+	}
+
+	c.offset += int64(len(data))
+	return chunk
+}
+
+// ChunkReader splits a reader into content-defined chunks
+// and returns them via a channel for concurrent processing
+func ChunkReader(r io.Reader, config ChunkerConfig) (<-chan *Chunk, <-chan error) {
+	chunks := make(chan *Chunk, 100)
+	errs := make(chan error, 1)
+
+	go func() {
+		defer close(chunks)
+		defer close(errs)
+
+		chunker := NewChunker(r, config)
+		for {
+			chunk, err := chunker.Next()
+			if err == io.EOF {
+				return
+			}
+			if err != nil {
+				errs <- err
+				return
+			}
+			chunks <- chunk
+		}
+	}()
+
+	return chunks, errs
+}
+
+// HashData computes SHA-256 hash of data
+func HashData(data []byte) string {
+	h := sha256.Sum256(data)
+	return hex.EncodeToString(h[:])
+}
--- a/internal/dedup/chunker_test.go
+++ b/internal/dedup/chunker_test.go
@@ -0,0 +1,217 @@
+package dedup
+
+import (
+	"bytes"
+	"crypto/rand"
+	"io"
+	"testing"
+)
+
+func TestChunker_Basic(t *testing.T) {
+	// Create test data
+	data := make([]byte, 100*1024) // 100KB
+	rand.Read(data)
+
+	chunker := NewChunker(bytes.NewReader(data), DefaultChunkerConfig())
+
+	var chunks []*Chunk
+	var totalBytes int
+
+	for {
+		chunk, err := chunker.Next()
+		if err == io.EOF {
+			break
+		}
+		if err != nil {
+			t.Fatalf("Chunker.Next() error: %v", err)
+		}
+
+		chunks = append(chunks, chunk)
+		totalBytes += chunk.Length
+
+		// Verify chunk properties
+		if chunk.Length < DefaultMinChunkSize && len(chunks) < 10 {
+			// Only the last chunk can be smaller than min
+			// (unless file is smaller than min)
+		}
+		if chunk.Length > DefaultMaxChunkSize {
+			t.Errorf("Chunk %d exceeds max size: %d > %d", len(chunks), chunk.Length, DefaultMaxChunkSize)
+		}
+		if chunk.Hash == "" {
+			t.Errorf("Chunk %d has empty hash", len(chunks))
+		}
+		if len(chunk.Hash) != 64 { // SHA-256 hex length
+			t.Errorf("Chunk %d has invalid hash length: %d", len(chunks), len(chunk.Hash))
+		}
+	}
+
+	if totalBytes != len(data) {
+		t.Errorf("Total bytes mismatch: got %d, want %d", totalBytes, len(data))
+	}
+
+	t.Logf("Chunked %d bytes into %d chunks", totalBytes, len(chunks))
+	t.Logf("Average chunk size: %d bytes", totalBytes/len(chunks))
+}
+
+func TestChunker_Deterministic(t *testing.T) {
+	// Same data should produce same chunks
+	data := make([]byte, 50*1024)
+	rand.Read(data)
+
+	// First pass
+	chunker1 := NewChunker(bytes.NewReader(data), DefaultChunkerConfig())
+	var hashes1 []string
+	for {
+		chunk, err := chunker1.Next()
+		if err == io.EOF {
+			break
+		}
+		if err != nil {
+			t.Fatal(err)
+		}
+		hashes1 = append(hashes1, chunk.Hash)
+	}
+
+	// Second pass
+	chunker2 := NewChunker(bytes.NewReader(data), DefaultChunkerConfig())
+	var hashes2 []string
+	for {
+		chunk, err := chunker2.Next()
+		if err == io.EOF {
+			break
+		}
+		if err != nil {
+			t.Fatal(err)
+		}
+		hashes2 = append(hashes2, chunk.Hash)
+	}
+
+	// Compare
+	if len(hashes1) != len(hashes2) {
+		t.Fatalf("Different chunk counts: %d vs %d", len(hashes1), len(hashes2))
+	}
+
+	for i := range hashes1 {
+		if hashes1[i] != hashes2[i] {
+			t.Errorf("Hash mismatch at chunk %d: %s vs %s", i, hashes1[i], hashes2[i])
+		}
+	}
+}
+
+func TestChunker_ShiftedData(t *testing.T) {
+	// Test that shifted data still shares chunks (the key CDC benefit)
+	original := make([]byte, 100*1024)
+	rand.Read(original)
+
+	// Create shifted version (prepend some bytes)
+	prefix := make([]byte, 1000)
+	rand.Read(prefix)
+	shifted := append(prefix, original...)
+
+	// Chunk both
+	config := DefaultChunkerConfig()
+
+	chunker1 := NewChunker(bytes.NewReader(original), config)
+	hashes1 := make(map[string]bool)
+	for {
+		chunk, err := chunker1.Next()
+		if err == io.EOF {
+			break
+		}
+		if err != nil {
+			t.Fatal(err)
+		}
+		hashes1[chunk.Hash] = true
+	}
+
+	chunker2 := NewChunker(bytes.NewReader(shifted), config)
+	var matched, total int
+	for {
+		chunk, err := chunker2.Next()
+		if err == io.EOF {
+			break
+		}
+		if err != nil {
+			t.Fatal(err)
+		}
+		total++
+		if hashes1[chunk.Hash] {
+			matched++
+		}
+	}
+
+	// Should have significant overlap despite the shift
+	overlapRatio := float64(matched) / float64(total)
+	t.Logf("Chunk overlap after %d-byte shift: %.1f%% (%d/%d chunks)",
+		len(prefix), overlapRatio*100, matched, total)
+
+	// We expect at least 50% overlap for content-defined chunking
+	if overlapRatio < 0.5 {
+		t.Errorf("Low chunk overlap: %.1f%% (expected >50%%)", overlapRatio*100)
+	}
+}
+
+func TestChunker_SmallFile(t *testing.T) {
+	// File smaller than min chunk size
+	data := []byte("hello world")
+	chunker := NewChunker(bytes.NewReader(data), DefaultChunkerConfig())
+
+	chunk, err := chunker.Next()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if chunk.Length != len(data) {
+		t.Errorf("Expected chunk length %d, got %d", len(data), chunk.Length)
+	}
+
+	// Should be EOF after
+	_, err = chunker.Next()
+	if err != io.EOF {
+		t.Errorf("Expected EOF, got %v", err)
+	}
+}
+
+func TestChunker_EmptyFile(t *testing.T) {
+	chunker := NewChunker(bytes.NewReader(nil), DefaultChunkerConfig())
+
+	_, err := chunker.Next()
+	if err != io.EOF {
+		t.Errorf("Expected EOF for empty file, got %v", err)
+	}
+}
+
+func TestHashData(t *testing.T) {
+	hash := HashData([]byte("test"))
+	if len(hash) != 64 {
+		t.Errorf("Expected 64-char hash, got %d", len(hash))
+	}
+
+	// Known SHA-256 of "test"
+	expected := "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
+	if hash != expected {
+		t.Errorf("Hash mismatch: got %s, want %s", hash, expected)
+	}
+}
+
+func BenchmarkChunker(b *testing.B) {
+	// 1MB of random data
+	data := make([]byte, 1024*1024)
+	rand.Read(data)
+
+	b.ResetTimer()
+	b.SetBytes(int64(len(data)))
+
+	for i := 0; i < b.N; i++ {
+		chunker := NewChunker(bytes.NewReader(data), DefaultChunkerConfig())
+		for {
+			_, err := chunker.Next()
+			if err == io.EOF {
+				break
+			}
+			if err != nil {
+				b.Fatal(err)
+			}
+		}
+	}
+}
--- a/internal/dedup/index.go
+++ b/internal/dedup/index.go
@@ -0,0 +1,306 @@
+package dedup
+
+import (
+	"database/sql"
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+	"time"
+
+	_ "github.com/mattn/go-sqlite3" // SQLite driver
+)
+
+// ChunkIndex provides fast chunk lookups using SQLite
+type ChunkIndex struct {
+	db     *sql.DB
+	dbPath string
+}
+
+// NewChunkIndex opens or creates a chunk index database at the default location
+func NewChunkIndex(basePath string) (*ChunkIndex, error) {
+	dbPath := filepath.Join(basePath, "chunks.db")
+	return NewChunkIndexAt(dbPath)
+}
+
+// NewChunkIndexAt opens or creates a chunk index database at a specific path
+// Use this to put the SQLite index on local storage when chunks are on NFS/CIFS
+func NewChunkIndexAt(dbPath string) (*ChunkIndex, error) {
+	// Ensure parent directory exists
+	if err := os.MkdirAll(filepath.Dir(dbPath), 0700); err != nil {
+		return nil, fmt.Errorf("failed to create index directory: %w", err)
+	}
+
+	// Add busy_timeout to handle lock contention gracefully
+	db, err := sql.Open("sqlite3", dbPath+"?_journal_mode=WAL&_synchronous=NORMAL&_busy_timeout=5000")
+	if err != nil {
+		return nil, fmt.Errorf("failed to open chunk index: %w", err)
+	}
+
+	// Test the connection and check for locking issues
+	if err := db.Ping(); err != nil {
+		db.Close()
+		if isNFSLockingError(err) {
+			return nil, fmt.Errorf("database locked (common on NFS/CIFS): %w\n\n"+
+				"HINT: Use --index-db to put the SQLite index on local storage:\n"+
+				"  dbbackup dedup ... --index-db /var/lib/dbbackup/dedup-index.db", err)
+		}
+		return nil, fmt.Errorf("failed to connect to chunk index: %w", err)
+	}
+
+	idx := &ChunkIndex{db: db, dbPath: dbPath}
+	if err := idx.migrate(); err != nil {
+		db.Close()
+		if isNFSLockingError(err) {
+			return nil, fmt.Errorf("database locked during migration (common on NFS/CIFS): %w\n\n"+
+				"HINT: Use --index-db to put the SQLite index on local storage:\n"+
+				"  dbbackup dedup ... --index-db /var/lib/dbbackup/dedup-index.db", err)
+		}
+		return nil, err
+	}
+
+	return idx, nil
+}
+
+// isNFSLockingError checks if an error is likely due to NFS/CIFS locking issues
+func isNFSLockingError(err error) bool {
+	if err == nil {
+		return false
+	}
+	errStr := err.Error()
+	return strings.Contains(errStr, "database is locked") ||
+		strings.Contains(errStr, "SQLITE_BUSY") ||
+		strings.Contains(errStr, "cannot lock") ||
+		strings.Contains(errStr, "lock protocol")
+}
+
+// migrate creates the schema if needed
+func (idx *ChunkIndex) migrate() error {
+	schema := `
+		CREATE TABLE IF NOT EXISTS chunks (
+			hash TEXT PRIMARY KEY,
+			size_raw INTEGER NOT NULL,
+			size_stored INTEGER NOT NULL,
+			created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
+			last_accessed DATETIME,
+			ref_count INTEGER DEFAULT 1
+		);
+
+		CREATE TABLE IF NOT EXISTS manifests (
+			id TEXT PRIMARY KEY,
+			database_type TEXT,
+			database_name TEXT,
+			database_host TEXT,
+			created_at DATETIME,
+			original_size INTEGER,
+			stored_size INTEGER,
+			chunk_count INTEGER,
+			new_chunks INTEGER,
+			dedup_ratio REAL,
+			sha256 TEXT,
+			verified_at DATETIME
+		);
+
+		CREATE INDEX IF NOT EXISTS idx_chunks_created ON chunks(created_at);
+		CREATE INDEX IF NOT EXISTS idx_chunks_accessed ON chunks(last_accessed);
+		CREATE INDEX IF NOT EXISTS idx_manifests_created ON manifests(created_at);
+		CREATE INDEX IF NOT EXISTS idx_manifests_database ON manifests(database_name);
+	`
+
+	_, err := idx.db.Exec(schema)
+	return err
+}
+
+// Close closes the database
+func (idx *ChunkIndex) Close() error {
+	return idx.db.Close()
+}
+
+// AddChunk records a chunk in the index
+func (idx *ChunkIndex) AddChunk(hash string, sizeRaw, sizeStored int) error {
+	_, err := idx.db.Exec(`
+		INSERT INTO chunks (hash, size_raw, size_stored, created_at, last_accessed, ref_count)
+		VALUES (?, ?, ?, ?, ?, 1)
+		ON CONFLICT(hash) DO UPDATE SET
+			ref_count = ref_count + 1,
+			last_accessed = ?
+	`, hash, sizeRaw, sizeStored, time.Now(), time.Now(), time.Now())
+	return err
+}
+
+// HasChunk checks if a chunk exists in the index
+func (idx *ChunkIndex) HasChunk(hash string) (bool, error) {
+	var count int
+	err := idx.db.QueryRow("SELECT COUNT(*) FROM chunks WHERE hash = ?", hash).Scan(&count)
+	return count > 0, err
+}
+
+// GetChunk retrieves chunk metadata
+func (idx *ChunkIndex) GetChunk(hash string) (*ChunkMeta, error) {
+	var m ChunkMeta
+	err := idx.db.QueryRow(`
+		SELECT hash, size_raw, size_stored, created_at, ref_count
+		FROM chunks WHERE hash = ?
+	`, hash).Scan(&m.Hash, &m.SizeRaw, &m.SizeStored, &m.CreatedAt, &m.RefCount)
+	if err == sql.ErrNoRows {
+		return nil, nil
+	}
+	if err != nil {
+		return nil, err
+	}
+	return &m, nil
+}
+
+// ChunkMeta holds metadata about a chunk
+type ChunkMeta struct {
+	Hash       string
+	SizeRaw    int64
+	SizeStored int64
+	CreatedAt  time.Time
+	RefCount   int
+}
+
+// DecrementRef decreases the reference count for a chunk
+// Returns true if the chunk should be deleted (ref_count <= 0)
+func (idx *ChunkIndex) DecrementRef(hash string) (shouldDelete bool, err error) {
+	result, err := idx.db.Exec(`
+		UPDATE chunks SET ref_count = ref_count - 1 WHERE hash = ?
+	`, hash)
+	if err != nil {
+		return false, err
+	}
+
+	affected, _ := result.RowsAffected()
+	if affected == 0 {
+		return false, nil
+	}
+
+	var refCount int
+	err = idx.db.QueryRow("SELECT ref_count FROM chunks WHERE hash = ?", hash).Scan(&refCount)
+	if err != nil {
+		return false, err
+	}
+
+	return refCount <= 0, nil
+}
+
+// RemoveChunk removes a chunk from the index
+func (idx *ChunkIndex) RemoveChunk(hash string) error {
+	_, err := idx.db.Exec("DELETE FROM chunks WHERE hash = ?", hash)
+	return err
+}
+
+// AddManifest records a manifest in the index
+func (idx *ChunkIndex) AddManifest(m *Manifest) error {
+	_, err := idx.db.Exec(`
+		INSERT OR REPLACE INTO manifests
+		(id, database_type, database_name, database_host, created_at, 
+		 original_size, stored_size, chunk_count, new_chunks, dedup_ratio, sha256)
+		VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+	`, m.ID, m.DatabaseType, m.DatabaseName, m.DatabaseHost, m.CreatedAt,
+		m.OriginalSize, m.StoredSize, m.ChunkCount, m.NewChunks, m.DedupRatio, m.SHA256)
+	return err
+}
+
+// RemoveManifest removes a manifest from the index
+func (idx *ChunkIndex) RemoveManifest(id string) error {
+	_, err := idx.db.Exec("DELETE FROM manifests WHERE id = ?", id)
+	return err
+}
+
+// UpdateManifestVerified updates the verified timestamp for a manifest
+func (idx *ChunkIndex) UpdateManifestVerified(id string, verifiedAt time.Time) error {
+	_, err := idx.db.Exec("UPDATE manifests SET verified_at = ? WHERE id = ?", verifiedAt, id)
+	return err
+}
+
+// IndexStats holds statistics about the dedup index
+type IndexStats struct {
+	TotalChunks     int64
+	TotalManifests  int64
+	TotalSizeRaw    int64   // Uncompressed, undeduplicated (per-chunk)
+	TotalSizeStored int64   // On-disk after dedup+compression (per-chunk)
+	DedupRatio      float64 // Based on manifests (real dedup ratio)
+	OldestChunk     time.Time
+	NewestChunk     time.Time
+
+	// Manifest-based stats (accurate dedup calculation)
+	TotalBackupSize int64 // Sum of all backup original sizes
+	TotalNewData    int64 // Sum of all new chunks stored
+	SpaceSaved      int64 // Difference = what dedup saved
+}
+
+// Stats returns statistics about the index
+func (idx *ChunkIndex) Stats() (*IndexStats, error) {
+	stats := &IndexStats{}
+
+	var oldestStr, newestStr string
+	err := idx.db.QueryRow(`
+		SELECT 
+			COUNT(*),
+			COALESCE(SUM(size_raw), 0),
+			COALESCE(SUM(size_stored), 0),
+			COALESCE(MIN(created_at), ''),
+			COALESCE(MAX(created_at), '')
+		FROM chunks
+	`).Scan(&stats.TotalChunks, &stats.TotalSizeRaw, &stats.TotalSizeStored,
+		&oldestStr, &newestStr)
+	if err != nil {
+		return nil, err
+	}
+
+	// Parse time strings
+	if oldestStr != "" {
+		stats.OldestChunk, _ = time.Parse("2006-01-02 15:04:05", oldestStr)
+	}
+	if newestStr != "" {
+		stats.NewestChunk, _ = time.Parse("2006-01-02 15:04:05", newestStr)
+	}
+
+	idx.db.QueryRow("SELECT COUNT(*) FROM manifests").Scan(&stats.TotalManifests)
+
+	// Calculate accurate dedup ratio from manifests
+	// Sum all backup original sizes and all new data stored
+	err = idx.db.QueryRow(`
+		SELECT 
+			COALESCE(SUM(original_size), 0),
+			COALESCE(SUM(stored_size), 0)
+		FROM manifests
+	`).Scan(&stats.TotalBackupSize, &stats.TotalNewData)
+	if err != nil {
+		return nil, err
+	}
+
+	// Calculate real dedup ratio: how much data was deduplicated across all backups
+	if stats.TotalBackupSize > 0 {
+		stats.DedupRatio = 1.0 - float64(stats.TotalNewData)/float64(stats.TotalBackupSize)
+		stats.SpaceSaved = stats.TotalBackupSize - stats.TotalNewData
+	}
+
+	return stats, nil
+}
+
+// ListOrphanedChunks returns chunks that have ref_count <= 0
+func (idx *ChunkIndex) ListOrphanedChunks() ([]string, error) {
+	rows, err := idx.db.Query("SELECT hash FROM chunks WHERE ref_count <= 0")
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+
+	var hashes []string
+	for rows.Next() {
+		var hash string
+		if err := rows.Scan(&hash); err != nil {
+			continue
+		}
+		hashes = append(hashes, hash)
+	}
+	return hashes, rows.Err()
+}
+
+// Vacuum cleans up the database
+func (idx *ChunkIndex) Vacuum() error {
+	_, err := idx.db.Exec("VACUUM")
+	return err
+}
--- a/internal/dedup/manifest.go
+++ b/internal/dedup/manifest.go
@@ -0,0 +1,189 @@
+package dedup
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+	"path/filepath"
+	"time"
+)
+
+// Manifest describes a single backup as a list of chunks
+type Manifest struct {
+	// ID is the unique identifier (typically timestamp-based)
+	ID string `json:"id"`
+
+	// Name is an optional human-readable name
+	Name string `json:"name,omitempty"`
+
+	// CreatedAt is when this backup was created
+	CreatedAt time.Time `json:"created_at"`
+
+	// Database information
+	DatabaseType string `json:"database_type"` // postgres, mysql
+	DatabaseName string `json:"database_name"`
+	DatabaseHost string `json:"database_host"`
+
+	// Chunks is the ordered list of chunk hashes
+	// The file is reconstructed by concatenating chunks in order
+	Chunks []ChunkRef `json:"chunks"`
+
+	// Stats about the backup
+	OriginalSize int64 `json:"original_size"`  // Size before deduplication
+	StoredSize   int64 `json:"stored_size"`    // Size after dedup (new chunks only)
+	ChunkCount   int   `json:"chunk_count"`    // Total chunks
+	NewChunks    int   `json:"new_chunks"`     // Chunks that weren't deduplicated
+	DedupRatio   float64 `json:"dedup_ratio"` // 1.0 = no dedup, 0.0 = 100% dedup
+
+	// Encryption and compression settings used
+	Encrypted    bool `json:"encrypted"`
+	Compressed   bool `json:"compressed"`
+	Decompressed bool `json:"decompressed,omitempty"` // Input was auto-decompressed before chunking
+
+	// Verification
+	SHA256     string    `json:"sha256"`              // Hash of reconstructed file
+	VerifiedAt time.Time `json:"verified_at,omitempty"`
+}
+
+// ChunkRef references a chunk in the manifest
+type ChunkRef struct {
+	Hash   string `json:"h"`           // SHA-256 hash (64 chars)
+	Offset int64  `json:"o"`           // Offset in original file
+	Length int    `json:"l"`           // Chunk length
+}
+
+// ManifestStore manages backup manifests
+type ManifestStore struct {
+	basePath string
+}
+
+// NewManifestStore creates a new manifest store
+func NewManifestStore(basePath string) (*ManifestStore, error) {
+	manifestDir := filepath.Join(basePath, "manifests")
+	if err := os.MkdirAll(manifestDir, 0700); err != nil {
+		return nil, fmt.Errorf("failed to create manifest directory: %w", err)
+	}
+	return &ManifestStore{basePath: basePath}, nil
+}
+
+// manifestPath returns the path for a manifest ID
+func (s *ManifestStore) manifestPath(id string) string {
+	return filepath.Join(s.basePath, "manifests", id+".manifest.json")
+}
+
+// Save writes a manifest to disk
+func (s *ManifestStore) Save(m *Manifest) error {
+	path := s.manifestPath(m.ID)
+
+	data, err := json.MarshalIndent(m, "", "  ")
+	if err != nil {
+		return fmt.Errorf("failed to marshal manifest: %w", err)
+	}
+
+	// Atomic write
+	tmpPath := path + ".tmp"
+	if err := os.WriteFile(tmpPath, data, 0600); err != nil {
+		return fmt.Errorf("failed to write manifest: %w", err)
+	}
+
+	if err := os.Rename(tmpPath, path); err != nil {
+		os.Remove(tmpPath)
+		return fmt.Errorf("failed to commit manifest: %w", err)
+	}
+
+	return nil
+}
+
+// Load reads a manifest from disk
+func (s *ManifestStore) Load(id string) (*Manifest, error) {
+	path := s.manifestPath(id)
+
+	data, err := os.ReadFile(path)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read manifest %s: %w", id, err)
+	}
+
+	var m Manifest
+	if err := json.Unmarshal(data, &m); err != nil {
+		return nil, fmt.Errorf("failed to parse manifest %s: %w", id, err)
+	}
+
+	return &m, nil
+}
+
+// Delete removes a manifest
+func (s *ManifestStore) Delete(id string) error {
+	path := s.manifestPath(id)
+	if err := os.Remove(path); err != nil && !os.IsNotExist(err) {
+		return fmt.Errorf("failed to delete manifest %s: %w", id, err)
+	}
+	return nil
+}
+
+// List returns all manifest IDs
+func (s *ManifestStore) List() ([]string, error) {
+	manifestDir := filepath.Join(s.basePath, "manifests")
+	entries, err := os.ReadDir(manifestDir)
+	if err != nil {
+		return nil, fmt.Errorf("failed to list manifests: %w", err)
+	}
+
+	var ids []string
+	for _, e := range entries {
+		if e.IsDir() {
+			continue
+		}
+		name := e.Name()
+		if len(name) > 14 && name[len(name)-14:] == ".manifest.json" {
+			ids = append(ids, name[:len(name)-14])
+		}
+	}
+
+	return ids, nil
+}
+
+// ListAll returns all manifests sorted by creation time (newest first)
+func (s *ManifestStore) ListAll() ([]*Manifest, error) {
+	ids, err := s.List()
+	if err != nil {
+		return nil, err
+	}
+
+	var manifests []*Manifest
+	for _, id := range ids {
+		m, err := s.Load(id)
+		if err != nil {
+			continue // Skip corrupted manifests
+		}
+		manifests = append(manifests, m)
+	}
+
+	// Sort by creation time (newest first)
+	for i := 0; i < len(manifests)-1; i++ {
+		for j := i + 1; j < len(manifests); j++ {
+			if manifests[j].CreatedAt.After(manifests[i].CreatedAt) {
+				manifests[i], manifests[j] = manifests[j], manifests[i]
+			}
+		}
+	}
+
+	return manifests, nil
+}
+
+// GetChunkHashes returns all unique chunk hashes referenced by manifests
+func (s *ManifestStore) GetChunkHashes() (map[string]int, error) {
+	manifests, err := s.ListAll()
+	if err != nil {
+		return nil, err
+	}
+
+	// Map hash -> reference count
+	refs := make(map[string]int)
+	for _, m := range manifests {
+		for _, c := range m.Chunks {
+			refs[c.Hash]++
+		}
+	}
+
+	return refs, nil
+}
--- a/internal/dedup/metrics.go
+++ b/internal/dedup/metrics.go
@@ -0,0 +1,235 @@
+package dedup
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+	"time"
+)
+
+// DedupMetrics holds deduplication statistics for Prometheus
+type DedupMetrics struct {
+	// Global stats
+	TotalChunks     int64
+	TotalManifests  int64
+	TotalBackupSize int64   // Sum of all backup original sizes
+	TotalNewData    int64   // Sum of all new chunks stored
+	SpaceSaved      int64   // Bytes saved by deduplication
+	DedupRatio      float64 // Overall dedup ratio (0-1)
+	DiskUsage       int64   // Actual bytes on disk
+
+	// Per-database stats
+	ByDatabase map[string]*DatabaseDedupMetrics
+}
+
+// DatabaseDedupMetrics holds per-database dedup stats
+type DatabaseDedupMetrics struct {
+	Database       string
+	BackupCount    int
+	TotalSize      int64
+	StoredSize     int64
+	DedupRatio     float64
+	LastBackupTime time.Time
+	LastVerified   time.Time
+}
+
+// CollectMetrics gathers dedup statistics from the index and store
+func CollectMetrics(basePath string, indexPath string) (*DedupMetrics, error) {
+	var idx *ChunkIndex
+	var err error
+
+	if indexPath != "" {
+		idx, err = NewChunkIndexAt(indexPath)
+	} else {
+		idx, err = NewChunkIndex(basePath)
+	}
+	if err != nil {
+		return nil, fmt.Errorf("failed to open chunk index: %w", err)
+	}
+	defer idx.Close()
+
+	store, err := NewChunkStore(StoreConfig{BasePath: basePath})
+	if err != nil {
+		return nil, fmt.Errorf("failed to open chunk store: %w", err)
+	}
+
+	// Get index stats
+	stats, err := idx.Stats()
+	if err != nil {
+		return nil, fmt.Errorf("failed to get index stats: %w", err)
+	}
+
+	// Get store stats
+	storeStats, err := store.Stats()
+	if err != nil {
+		return nil, fmt.Errorf("failed to get store stats: %w", err)
+	}
+
+	metrics := &DedupMetrics{
+		TotalChunks:     stats.TotalChunks,
+		TotalManifests:  stats.TotalManifests,
+		TotalBackupSize: stats.TotalBackupSize,
+		TotalNewData:    stats.TotalNewData,
+		SpaceSaved:      stats.SpaceSaved,
+		DedupRatio:      stats.DedupRatio,
+		DiskUsage:       storeStats.TotalSize,
+		ByDatabase:      make(map[string]*DatabaseDedupMetrics),
+	}
+
+	// Collect per-database metrics from manifest store
+	manifestStore, err := NewManifestStore(basePath)
+	if err != nil {
+		return metrics, nil // Return partial metrics
+	}
+
+	manifests, err := manifestStore.ListAll()
+	if err != nil {
+		return metrics, nil // Return partial metrics
+	}
+
+	for _, m := range manifests {
+		dbKey := m.DatabaseName
+		if dbKey == "" {
+			dbKey = "_default"
+		}
+
+		dbMetrics, ok := metrics.ByDatabase[dbKey]
+		if !ok {
+			dbMetrics = &DatabaseDedupMetrics{
+				Database: dbKey,
+			}
+			metrics.ByDatabase[dbKey] = dbMetrics
+		}
+
+		dbMetrics.BackupCount++
+		dbMetrics.TotalSize += m.OriginalSize
+		dbMetrics.StoredSize += m.StoredSize
+
+		if m.CreatedAt.After(dbMetrics.LastBackupTime) {
+			dbMetrics.LastBackupTime = m.CreatedAt
+		}
+		if !m.VerifiedAt.IsZero() && m.VerifiedAt.After(dbMetrics.LastVerified) {
+			dbMetrics.LastVerified = m.VerifiedAt
+		}
+	}
+
+	// Calculate per-database dedup ratios
+	for _, dbMetrics := range metrics.ByDatabase {
+		if dbMetrics.TotalSize > 0 {
+			dbMetrics.DedupRatio = 1.0 - float64(dbMetrics.StoredSize)/float64(dbMetrics.TotalSize)
+		}
+	}
+
+	return metrics, nil
+}
+
+// WritePrometheusTextfile writes dedup metrics in Prometheus format
+func WritePrometheusTextfile(path string, instance string, basePath string, indexPath string) error {
+	metrics, err := CollectMetrics(basePath, indexPath)
+	if err != nil {
+		return err
+	}
+
+	output := FormatPrometheusMetrics(metrics, instance)
+
+	// Atomic write
+	dir := filepath.Dir(path)
+	if err := os.MkdirAll(dir, 0755); err != nil {
+		return fmt.Errorf("failed to create directory: %w", err)
+	}
+
+	tmpPath := path + ".tmp"
+	if err := os.WriteFile(tmpPath, []byte(output), 0644); err != nil {
+		return fmt.Errorf("failed to write temp file: %w", err)
+	}
+
+	if err := os.Rename(tmpPath, path); err != nil {
+		os.Remove(tmpPath)
+		return fmt.Errorf("failed to rename temp file: %w", err)
+	}
+
+	return nil
+}
+
+// FormatPrometheusMetrics formats dedup metrics in Prometheus exposition format
+func FormatPrometheusMetrics(m *DedupMetrics, instance string) string {
+	var b strings.Builder
+	now := time.Now().Unix()
+
+	b.WriteString("# DBBackup Deduplication Prometheus Metrics\n")
+	b.WriteString(fmt.Sprintf("# Generated at: %s\n", time.Now().Format(time.RFC3339)))
+	b.WriteString(fmt.Sprintf("# Instance: %s\n", instance))
+	b.WriteString("\n")
+
+	// Global dedup metrics
+	b.WriteString("# HELP dbbackup_dedup_chunks_total Total number of unique chunks stored\n")
+	b.WriteString("# TYPE dbbackup_dedup_chunks_total gauge\n")
+	b.WriteString(fmt.Sprintf("dbbackup_dedup_chunks_total{instance=%q} %d\n", instance, m.TotalChunks))
+	b.WriteString("\n")
+
+	b.WriteString("# HELP dbbackup_dedup_manifests_total Total number of deduplicated backups\n")
+	b.WriteString("# TYPE dbbackup_dedup_manifests_total gauge\n")
+	b.WriteString(fmt.Sprintf("dbbackup_dedup_manifests_total{instance=%q} %d\n", instance, m.TotalManifests))
+	b.WriteString("\n")
+
+	b.WriteString("# HELP dbbackup_dedup_backup_bytes_total Total logical size of all backups in bytes\n")
+	b.WriteString("# TYPE dbbackup_dedup_backup_bytes_total gauge\n")
+	b.WriteString(fmt.Sprintf("dbbackup_dedup_backup_bytes_total{instance=%q} %d\n", instance, m.TotalBackupSize))
+	b.WriteString("\n")
+
+	b.WriteString("# HELP dbbackup_dedup_stored_bytes_total Total unique data stored in bytes (after dedup)\n")
+	b.WriteString("# TYPE dbbackup_dedup_stored_bytes_total gauge\n")
+	b.WriteString(fmt.Sprintf("dbbackup_dedup_stored_bytes_total{instance=%q} %d\n", instance, m.TotalNewData))
+	b.WriteString("\n")
+
+	b.WriteString("# HELP dbbackup_dedup_space_saved_bytes Bytes saved by deduplication\n")
+	b.WriteString("# TYPE dbbackup_dedup_space_saved_bytes gauge\n")
+	b.WriteString(fmt.Sprintf("dbbackup_dedup_space_saved_bytes{instance=%q} %d\n", instance, m.SpaceSaved))
+	b.WriteString("\n")
+
+	b.WriteString("# HELP dbbackup_dedup_ratio Deduplication ratio (0-1, higher is better)\n")
+	b.WriteString("# TYPE dbbackup_dedup_ratio gauge\n")
+	b.WriteString(fmt.Sprintf("dbbackup_dedup_ratio{instance=%q} %.4f\n", instance, m.DedupRatio))
+	b.WriteString("\n")
+
+	b.WriteString("# HELP dbbackup_dedup_disk_usage_bytes Actual disk usage of chunk store\n")
+	b.WriteString("# TYPE dbbackup_dedup_disk_usage_bytes gauge\n")
+	b.WriteString(fmt.Sprintf("dbbackup_dedup_disk_usage_bytes{instance=%q} %d\n", instance, m.DiskUsage))
+	b.WriteString("\n")
+
+	// Per-database metrics
+	if len(m.ByDatabase) > 0 {
+		b.WriteString("# HELP dbbackup_dedup_database_backup_count Number of deduplicated backups per database\n")
+		b.WriteString("# TYPE dbbackup_dedup_database_backup_count gauge\n")
+		for _, db := range m.ByDatabase {
+			b.WriteString(fmt.Sprintf("dbbackup_dedup_database_backup_count{instance=%q,database=%q} %d\n",
+				instance, db.Database, db.BackupCount))
+		}
+		b.WriteString("\n")
+
+		b.WriteString("# HELP dbbackup_dedup_database_ratio Deduplication ratio per database (0-1)\n")
+		b.WriteString("# TYPE dbbackup_dedup_database_ratio gauge\n")
+		for _, db := range m.ByDatabase {
+			b.WriteString(fmt.Sprintf("dbbackup_dedup_database_ratio{instance=%q,database=%q} %.4f\n",
+				instance, db.Database, db.DedupRatio))
+		}
+		b.WriteString("\n")
+
+		b.WriteString("# HELP dbbackup_dedup_database_last_backup_timestamp Last backup timestamp per database\n")
+		b.WriteString("# TYPE dbbackup_dedup_database_last_backup_timestamp gauge\n")
+		for _, db := range m.ByDatabase {
+			if !db.LastBackupTime.IsZero() {
+				b.WriteString(fmt.Sprintf("dbbackup_dedup_database_last_backup_timestamp{instance=%q,database=%q} %d\n",
+					instance, db.Database, db.LastBackupTime.Unix()))
+			}
+		}
+		b.WriteString("\n")
+	}
+
+	b.WriteString("# HELP dbbackup_dedup_scrape_timestamp Unix timestamp when dedup metrics were collected\n")
+	b.WriteString("# TYPE dbbackup_dedup_scrape_timestamp gauge\n")
+	b.WriteString(fmt.Sprintf("dbbackup_dedup_scrape_timestamp{instance=%q} %d\n", instance, now))
+
+	return b.String()
+}
--- a/internal/dedup/store.go
+++ b/internal/dedup/store.go
@@ -0,0 +1,367 @@
+package dedup
+
+import (
+	"compress/gzip"
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/rand"
+	"crypto/sha256"
+	"encoding/hex"
+	"fmt"
+	"io"
+	"os"
+	"path/filepath"
+	"sync"
+)
+
+// ChunkStore manages content-addressed chunk storage
+// Chunks are stored as: <base>/<prefix>/<hash>.chunk[.gz][.enc]
+type ChunkStore struct {
+	basePath       string
+	compress       bool
+	encryptionKey  []byte // 32 bytes for AES-256
+	mu             sync.RWMutex
+	existingChunks map[string]bool // Cache of known chunks
+}
+
+// StoreConfig holds configuration for the chunk store
+type StoreConfig struct {
+	BasePath      string
+	Compress      bool   // Enable gzip compression
+	EncryptionKey string // Optional: hex-encoded 32-byte key for AES-256-GCM
+}
+
+// NewChunkStore creates a new chunk store
+func NewChunkStore(config StoreConfig) (*ChunkStore, error) {
+	store := &ChunkStore{
+		basePath:       config.BasePath,
+		compress:       config.Compress,
+		existingChunks: make(map[string]bool),
+	}
+
+	// Parse encryption key if provided
+	if config.EncryptionKey != "" {
+		key, err := hex.DecodeString(config.EncryptionKey)
+		if err != nil {
+			return nil, fmt.Errorf("invalid encryption key: %w", err)
+		}
+		if len(key) != 32 {
+			return nil, fmt.Errorf("encryption key must be 32 bytes (got %d)", len(key))
+		}
+		store.encryptionKey = key
+	}
+
+	// Create base directory structure
+	if err := os.MkdirAll(config.BasePath, 0700); err != nil {
+		return nil, fmt.Errorf("failed to create chunk store: %w", err)
+	}
+
+	// Create chunks and manifests directories
+	for _, dir := range []string{"chunks", "manifests"} {
+		if err := os.MkdirAll(filepath.Join(config.BasePath, dir), 0700); err != nil {
+			return nil, fmt.Errorf("failed to create %s directory: %w", dir, err)
+		}
+	}
+
+	return store, nil
+}
+
+// chunkPath returns the filesystem path for a chunk hash
+// Uses 2-character prefix for directory sharding (256 subdirs)
+func (s *ChunkStore) chunkPath(hash string) string {
+	if len(hash) < 2 {
+		return filepath.Join(s.basePath, "chunks", "xx", hash+s.chunkExt())
+	}
+	prefix := hash[:2]
+	return filepath.Join(s.basePath, "chunks", prefix, hash+s.chunkExt())
+}
+
+// chunkExt returns the file extension based on compression/encryption settings
+func (s *ChunkStore) chunkExt() string {
+	ext := ".chunk"
+	if s.compress {
+		ext += ".gz"
+	}
+	if s.encryptionKey != nil {
+		ext += ".enc"
+	}
+	return ext
+}
+
+// Has checks if a chunk exists in the store
+func (s *ChunkStore) Has(hash string) bool {
+	s.mu.RLock()
+	if exists, ok := s.existingChunks[hash]; ok {
+		s.mu.RUnlock()
+		return exists
+	}
+	s.mu.RUnlock()
+
+	// Check filesystem
+	path := s.chunkPath(hash)
+	_, err := os.Stat(path)
+	exists := err == nil
+
+	s.mu.Lock()
+	s.existingChunks[hash] = exists
+	s.mu.Unlock()
+
+	return exists
+}
+
+// Put stores a chunk, returning true if it was new (not deduplicated)
+func (s *ChunkStore) Put(chunk *Chunk) (isNew bool, err error) {
+	// Check if already exists (deduplication!)
+	if s.Has(chunk.Hash) {
+		return false, nil
+	}
+
+	path := s.chunkPath(chunk.Hash)
+
+	// Create prefix directory
+	if err := os.MkdirAll(filepath.Dir(path), 0700); err != nil {
+		return false, fmt.Errorf("failed to create chunk directory: %w", err)
+	}
+
+	// Prepare data
+	data := chunk.Data
+
+	// Compress if enabled
+	if s.compress {
+		data, err = s.compressData(data)
+		if err != nil {
+			return false, fmt.Errorf("compression failed: %w", err)
+		}
+	}
+
+	// Encrypt if enabled
+	if s.encryptionKey != nil {
+		data, err = s.encryptData(data)
+		if err != nil {
+			return false, fmt.Errorf("encryption failed: %w", err)
+		}
+	}
+
+	// Write atomically (write to temp, then rename)
+	tmpPath := path + ".tmp"
+	if err := os.WriteFile(tmpPath, data, 0600); err != nil {
+		return false, fmt.Errorf("failed to write chunk: %w", err)
+	}
+
+	if err := os.Rename(tmpPath, path); err != nil {
+		os.Remove(tmpPath)
+		return false, fmt.Errorf("failed to commit chunk: %w", err)
+	}
+
+	// Update cache
+	s.mu.Lock()
+	s.existingChunks[chunk.Hash] = true
+	s.mu.Unlock()
+
+	return true, nil
+}
+
+// Get retrieves a chunk by hash
+func (s *ChunkStore) Get(hash string) (*Chunk, error) {
+	path := s.chunkPath(hash)
+
+	data, err := os.ReadFile(path)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read chunk %s: %w", hash, err)
+	}
+
+	// Decrypt if encrypted
+	if s.encryptionKey != nil {
+		data, err = s.decryptData(data)
+		if err != nil {
+			return nil, fmt.Errorf("decryption failed: %w", err)
+		}
+	}
+
+	// Decompress if compressed
+	if s.compress {
+		data, err = s.decompressData(data)
+		if err != nil {
+			return nil, fmt.Errorf("decompression failed: %w", err)
+		}
+	}
+
+	// Verify hash
+	h := sha256.Sum256(data)
+	actualHash := hex.EncodeToString(h[:])
+	if actualHash != hash {
+		return nil, fmt.Errorf("chunk hash mismatch: expected %s, got %s", hash, actualHash)
+	}
+
+	return &Chunk{
+		Hash:   hash,
+		Data:   data,
+		Length: len(data),
+	}, nil
+}
+
+// Delete removes a chunk from the store
+func (s *ChunkStore) Delete(hash string) error {
+	path := s.chunkPath(hash)
+
+	if err := os.Remove(path); err != nil && !os.IsNotExist(err) {
+		return fmt.Errorf("failed to delete chunk %s: %w", hash, err)
+	}
+
+	s.mu.Lock()
+	delete(s.existingChunks, hash)
+	s.mu.Unlock()
+
+	return nil
+}
+
+// Stats returns storage statistics
+type StoreStats struct {
+	TotalChunks   int64
+	TotalSize     int64 // Bytes on disk (after compression/encryption)
+	UniqueSize    int64 // Bytes of unique data
+	Directories   int
+}
+
+// Stats returns statistics about the chunk store
+func (s *ChunkStore) Stats() (*StoreStats, error) {
+	stats := &StoreStats{}
+
+	chunksDir := filepath.Join(s.basePath, "chunks")
+	err := filepath.Walk(chunksDir, func(path string, info os.FileInfo, err error) error {
+		if err != nil {
+			return err
+		}
+		if info.IsDir() {
+			stats.Directories++
+			return nil
+		}
+		stats.TotalChunks++
+		stats.TotalSize += info.Size()
+		return nil
+	})
+
+	return stats, err
+}
+
+// LoadIndex loads the existing chunk hashes into memory
+func (s *ChunkStore) LoadIndex() error {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	s.existingChunks = make(map[string]bool)
+
+	chunksDir := filepath.Join(s.basePath, "chunks")
+	return filepath.Walk(chunksDir, func(path string, info os.FileInfo, err error) error {
+		if err != nil || info.IsDir() {
+			return err
+		}
+
+		// Extract hash from filename
+		base := filepath.Base(path)
+		hash := base
+		// Remove extensions
+		for _, ext := range []string{".enc", ".gz", ".chunk"} {
+			if len(hash) > len(ext) && hash[len(hash)-len(ext):] == ext {
+				hash = hash[:len(hash)-len(ext)]
+			}
+		}
+		if len(hash) == 64 { // SHA-256 hex length
+			s.existingChunks[hash] = true
+		}
+
+		return nil
+	})
+}
+
+// compressData compresses data using gzip
+func (s *ChunkStore) compressData(data []byte) ([]byte, error) {
+	var buf []byte
+	w, err := gzip.NewWriterLevel((*bytesBuffer)(&buf), gzip.BestCompression)
+	if err != nil {
+		return nil, err
+	}
+	if _, err := w.Write(data); err != nil {
+		return nil, err
+	}
+	if err := w.Close(); err != nil {
+		return nil, err
+	}
+	return buf, nil
+}
+
+// bytesBuffer is a simple io.Writer that appends to a byte slice
+type bytesBuffer []byte
+
+func (b *bytesBuffer) Write(p []byte) (int, error) {
+	*b = append(*b, p...)
+	return len(p), nil
+}
+
+// decompressData decompresses gzip data
+func (s *ChunkStore) decompressData(data []byte) ([]byte, error) {
+	r, err := gzip.NewReader(&bytesReader{data: data})
+	if err != nil {
+		return nil, err
+	}
+	defer r.Close()
+	return io.ReadAll(r)
+}
+
+// bytesReader is a simple io.Reader from a byte slice
+type bytesReader struct {
+	data []byte
+	pos  int
+}
+
+func (r *bytesReader) Read(p []byte) (int, error) {
+	if r.pos >= len(r.data) {
+		return 0, io.EOF
+	}
+	n := copy(p, r.data[r.pos:])
+	r.pos += n
+	return n, nil
+}
+
+// encryptData encrypts data using AES-256-GCM
+func (s *ChunkStore) encryptData(plaintext []byte) ([]byte, error) {
+	block, err := aes.NewCipher(s.encryptionKey)
+	if err != nil {
+		return nil, err
+	}
+
+	gcm, err := cipher.NewGCM(block)
+	if err != nil {
+		return nil, err
+	}
+
+	nonce := make([]byte, gcm.NonceSize())
+	if _, err := rand.Read(nonce); err != nil {
+		return nil, err
+	}
+
+	// Prepend nonce to ciphertext
+	return gcm.Seal(nonce, nonce, plaintext, nil), nil
+}
+
+// decryptData decrypts AES-256-GCM encrypted data
+func (s *ChunkStore) decryptData(ciphertext []byte) ([]byte, error) {
+	block, err := aes.NewCipher(s.encryptionKey)
+	if err != nil {
+		return nil, err
+	}
+
+	gcm, err := cipher.NewGCM(block)
+	if err != nil {
+		return nil, err
+	}
+
+	if len(ciphertext) < gcm.NonceSize() {
+		return nil, fmt.Errorf("ciphertext too short")
+	}
+
+	nonce := ciphertext[:gcm.NonceSize()]
+	ciphertext = ciphertext[gcm.NonceSize():]
+
+	return gcm.Open(nil, nonce, ciphertext, nil)
+}
--- a/internal/drill/docker.go
+++ b/internal/drill/docker.go
@@ -0,0 +1,298 @@
+// Package drill - Docker container management for DR drills
+package drill
+
+import (
+	"context"
+	"fmt"
+	"os/exec"
+	"strings"
+	"time"
+)
+
+// DockerManager handles Docker container operations for DR drills
+type DockerManager struct {
+	verbose bool
+}
+
+// NewDockerManager creates a new Docker manager
+func NewDockerManager(verbose bool) *DockerManager {
+	return &DockerManager{verbose: verbose}
+}
+
+// ContainerConfig holds Docker container configuration
+type ContainerConfig struct {
+	Image         string            // Docker image (e.g., "postgres:15")
+	Name          string            // Container name
+	Port          int               // Host port to map
+	ContainerPort int               // Container port
+	Environment   map[string]string // Environment variables
+	Volumes       []string          // Volume mounts
+	Network       string            // Docker network
+	Timeout       int               // Startup timeout in seconds
+}
+
+// ContainerInfo holds information about a running container
+type ContainerInfo struct {
+	ID      string
+	Name    string
+	Image   string
+	Port    int
+	Status  string
+	Started time.Time
+	Healthy bool
+}
+
+// CheckDockerAvailable verifies Docker is installed and running
+func (dm *DockerManager) CheckDockerAvailable(ctx context.Context) error {
+	cmd := exec.CommandContext(ctx, "docker", "version")
+	output, err := cmd.CombinedOutput()
+	if err != nil {
+		return fmt.Errorf("docker not available: %w (output: %s)", err, string(output))
+	}
+	return nil
+}
+
+// PullImage pulls a Docker image if not present
+func (dm *DockerManager) PullImage(ctx context.Context, image string) error {
+	// Check if image exists locally
+	checkCmd := exec.CommandContext(ctx, "docker", "image", "inspect", image)
+	if err := checkCmd.Run(); err == nil {
+		// Image exists
+		return nil
+	}
+
+	// Pull the image
+	pullCmd := exec.CommandContext(ctx, "docker", "pull", image)
+	output, err := pullCmd.CombinedOutput()
+	if err != nil {
+		return fmt.Errorf("failed to pull image %s: %w (output: %s)", image, err, string(output))
+	}
+
+	return nil
+}
+
+// CreateContainer creates and starts a database container
+func (dm *DockerManager) CreateContainer(ctx context.Context, config *ContainerConfig) (*ContainerInfo, error) {
+	args := []string{
+		"run", "-d",
+		"--name", config.Name,
+		"-p", fmt.Sprintf("%d:%d", config.Port, config.ContainerPort),
+	}
+
+	// Add environment variables
+	for k, v := range config.Environment {
+		args = append(args, "-e", fmt.Sprintf("%s=%s", k, v))
+	}
+
+	// Add volumes
+	for _, v := range config.Volumes {
+		args = append(args, "-v", v)
+	}
+
+	// Add network if specified
+	if config.Network != "" {
+		args = append(args, "--network", config.Network)
+	}
+
+	// Add image
+	args = append(args, config.Image)
+
+	cmd := exec.CommandContext(ctx, "docker", args...)
+	output, err := cmd.CombinedOutput()
+	if err != nil {
+		return nil, fmt.Errorf("failed to create container: %w (output: %s)", err, string(output))
+	}
+
+	containerID := strings.TrimSpace(string(output))
+
+	return &ContainerInfo{
+		ID:      containerID,
+		Name:    config.Name,
+		Image:   config.Image,
+		Port:    config.Port,
+		Status:  "created",
+		Started: time.Now(),
+	}, nil
+}
+
+// WaitForHealth waits for container to be healthy
+func (dm *DockerManager) WaitForHealth(ctx context.Context, containerID string, dbType string, timeout int) error {
+	deadline := time.Now().Add(time.Duration(timeout) * time.Second)
+	ticker := time.NewTicker(time.Second)
+	defer ticker.Stop()
+
+	for {
+		select {
+		case <-ctx.Done():
+			return ctx.Err()
+		case <-ticker.C:
+			if time.Now().After(deadline) {
+				return fmt.Errorf("timeout waiting for container to be healthy")
+			}
+
+			// Check container health
+			healthCmd := dm.healthCheckCommand(dbType)
+			args := append([]string{"exec", containerID}, healthCmd...)
+			cmd := exec.CommandContext(ctx, "docker", args...)
+			if err := cmd.Run(); err == nil {
+				return nil // Container is healthy
+			}
+		}
+	}
+}
+
+// healthCheckCommand returns the health check command for a database type
+func (dm *DockerManager) healthCheckCommand(dbType string) []string {
+	switch dbType {
+	case "postgresql", "postgres":
+		return []string{"pg_isready", "-U", "postgres"}
+	case "mysql":
+		return []string{"mysqladmin", "ping", "-h", "localhost", "-u", "root", "--password=root"}
+	case "mariadb":
+		return []string{"mariadb-admin", "ping", "-h", "localhost", "-u", "root", "--password=root"}
+	default:
+		return []string{"echo", "ok"}
+	}
+}
+
+// ExecCommand executes a command inside the container
+func (dm *DockerManager) ExecCommand(ctx context.Context, containerID string, command []string) (string, error) {
+	args := append([]string{"exec", containerID}, command...)
+	cmd := exec.CommandContext(ctx, "docker", args...)
+	output, err := cmd.CombinedOutput()
+	if err != nil {
+		return string(output), fmt.Errorf("exec failed: %w", err)
+	}
+	return string(output), nil
+}
+
+// CopyToContainer copies a file to the container
+func (dm *DockerManager) CopyToContainer(ctx context.Context, containerID, src, dest string) error {
+	cmd := exec.CommandContext(ctx, "docker", "cp", src, fmt.Sprintf("%s:%s", containerID, dest))
+	output, err := cmd.CombinedOutput()
+	if err != nil {
+		return fmt.Errorf("copy failed: %w (output: %s)", err, string(output))
+	}
+	return nil
+}
+
+// StopContainer stops a running container
+func (dm *DockerManager) StopContainer(ctx context.Context, containerID string) error {
+	cmd := exec.CommandContext(ctx, "docker", "stop", containerID)
+	output, err := cmd.CombinedOutput()
+	if err != nil {
+		return fmt.Errorf("failed to stop container: %w (output: %s)", err, string(output))
+	}
+	return nil
+}
+
+// RemoveContainer removes a container
+func (dm *DockerManager) RemoveContainer(ctx context.Context, containerID string) error {
+	cmd := exec.CommandContext(ctx, "docker", "rm", "-f", containerID)
+	output, err := cmd.CombinedOutput()
+	if err != nil {
+		return fmt.Errorf("failed to remove container: %w (output: %s)", err, string(output))
+	}
+	return nil
+}
+
+// GetContainerLogs retrieves container logs
+func (dm *DockerManager) GetContainerLogs(ctx context.Context, containerID string, tail int) (string, error) {
+	args := []string{"logs"}
+	if tail > 0 {
+		args = append(args, "--tail", fmt.Sprintf("%d", tail))
+	}
+	args = append(args, containerID)
+
+	cmd := exec.CommandContext(ctx, "docker", args...)
+	output, err := cmd.CombinedOutput()
+	if err != nil {
+		return "", fmt.Errorf("failed to get logs: %w", err)
+	}
+	return string(output), nil
+}
+
+// ListDrillContainers lists all containers created by drill operations
+func (dm *DockerManager) ListDrillContainers(ctx context.Context) ([]*ContainerInfo, error) {
+	cmd := exec.CommandContext(ctx, "docker", "ps", "-a",
+		"--filter", "name=drill_",
+		"--format", "{{.ID}}\t{{.Names}}\t{{.Image}}\t{{.Status}}")
+
+	output, err := cmd.CombinedOutput()
+	if err != nil {
+		return nil, fmt.Errorf("failed to list containers: %w", err)
+	}
+
+	var containers []*ContainerInfo
+	lines := strings.Split(strings.TrimSpace(string(output)), "\n")
+	for _, line := range lines {
+		if line == "" {
+			continue
+		}
+		parts := strings.Split(line, "\t")
+		if len(parts) >= 4 {
+			containers = append(containers, &ContainerInfo{
+				ID:     parts[0],
+				Name:   parts[1],
+				Image:  parts[2],
+				Status: parts[3],
+			})
+		}
+	}
+
+	return containers, nil
+}
+
+// GetDefaultImage returns the default Docker image for a database type
+func GetDefaultImage(dbType, version string) string {
+	if version == "" {
+		version = "latest"
+	}
+
+	switch dbType {
+	case "postgresql", "postgres":
+		return fmt.Sprintf("postgres:%s", version)
+	case "mysql":
+		return fmt.Sprintf("mysql:%s", version)
+	case "mariadb":
+		return fmt.Sprintf("mariadb:%s", version)
+	default:
+		return ""
+	}
+}
+
+// GetDefaultPort returns the default port for a database type
+func GetDefaultPort(dbType string) int {
+	switch dbType {
+	case "postgresql", "postgres":
+		return 5432
+	case "mysql", "mariadb":
+		return 3306
+	default:
+		return 0
+	}
+}
+
+// GetDefaultEnvironment returns default environment variables for a database container
+func GetDefaultEnvironment(dbType string) map[string]string {
+	switch dbType {
+	case "postgresql", "postgres":
+		return map[string]string{
+			"POSTGRES_PASSWORD": "drill_test_password",
+			"POSTGRES_USER":     "postgres",
+			"POSTGRES_DB":       "postgres",
+		}
+	case "mysql":
+		return map[string]string{
+			"MYSQL_ROOT_PASSWORD": "root",
+			"MYSQL_DATABASE":      "test",
+		}
+	case "mariadb":
+		return map[string]string{
+			"MARIADB_ROOT_PASSWORD": "root",
+			"MARIADB_DATABASE":      "test",
+		}
+	default:
+		return map[string]string{}
+	}
+}
--- a/internal/drill/drill.go
+++ b/internal/drill/drill.go
@@ -0,0 +1,247 @@
+// Package drill provides Disaster Recovery drill functionality
+// for testing backup restorability in isolated environments
+package drill
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"os"
+	"path/filepath"
+	"time"
+)
+
+// DrillConfig holds configuration for a DR drill
+type DrillConfig struct {
+	// Backup configuration
+	BackupPath   string `json:"backup_path"`
+	DatabaseName string `json:"database_name"`
+	DatabaseType string `json:"database_type"` // postgresql, mysql, mariadb
+
+	// Docker configuration
+	ContainerImage   string `json:"container_image"`   // e.g., "postgres:15"
+	ContainerName    string `json:"container_name"`    // Generated if empty
+	ContainerPort    int    `json:"container_port"`    // Host port mapping
+	ContainerTimeout int    `json:"container_timeout"` // Startup timeout in seconds
+	CleanupOnExit    bool   `json:"cleanup_on_exit"`   // Remove container after drill
+	KeepOnFailure    bool   `json:"keep_on_failure"`   // Keep container if drill fails
+
+	// Validation configuration
+	ValidationQueries []ValidationQuery `json:"validation_queries"`
+	MinRowCount       int64             `json:"min_row_count"`   // Minimum rows expected
+	ExpectedTables    []string          `json:"expected_tables"` // Tables that must exist
+	CustomChecks      []CustomCheck     `json:"custom_checks"`
+
+	// Encryption (if backup is encrypted)
+	EncryptionKeyFile string `json:"encryption_key_file,omitempty"`
+	EncryptionKeyEnv  string `json:"encryption_key_env,omitempty"`
+
+	// Performance thresholds
+	MaxRestoreSeconds int `json:"max_restore_seconds"` // RTO threshold
+	MaxQuerySeconds   int `json:"max_query_seconds"`   // Query timeout
+
+	// Output
+	OutputDir    string `json:"output_dir"`    // Directory for drill reports
+	ReportFormat string `json:"report_format"` // json, markdown, html
+	Verbose      bool   `json:"verbose"`
+}
+
+// ValidationQuery represents a SQL query to validate restored data
+type ValidationQuery struct {
+	Name          string `json:"name"`           // Human-readable name
+	Query         string `json:"query"`          // SQL query
+	ExpectedValue string `json:"expected_value"` // Expected result (optional)
+	MinValue      int64  `json:"min_value"`      // Minimum expected value
+	MaxValue      int64  `json:"max_value"`      // Maximum expected value
+	MustSucceed   bool   `json:"must_succeed"`   // Fail drill if query fails
+}
+
+// CustomCheck represents a custom validation check
+type CustomCheck struct {
+	Name        string `json:"name"`
+	Type        string `json:"type"` // row_count, table_exists, column_check
+	Table       string `json:"table"`
+	Column      string `json:"column,omitempty"`
+	Condition   string `json:"condition,omitempty"` // SQL condition
+	MinValue    int64  `json:"min_value,omitempty"`
+	MustSucceed bool   `json:"must_succeed"`
+}
+
+// DrillResult contains the complete result of a DR drill
+type DrillResult struct {
+	// Identification
+	DrillID   string    `json:"drill_id"`
+	StartTime time.Time `json:"start_time"`
+	EndTime   time.Time `json:"end_time"`
+	Duration  float64   `json:"duration_seconds"`
+
+	// Configuration
+	BackupPath   string `json:"backup_path"`
+	DatabaseName string `json:"database_name"`
+	DatabaseType string `json:"database_type"`
+
+	// Overall status
+	Success bool        `json:"success"`
+	Status  DrillStatus `json:"status"`
+	Message string      `json:"message"`
+
+	// Phase timings
+	Phases []DrillPhase `json:"phases"`
+
+	// Validation results
+	ValidationResults []ValidationResult `json:"validation_results"`
+	CheckResults      []CheckResult      `json:"check_results"`
+
+	// Database metrics
+	TableCount   int   `json:"table_count"`
+	TotalRows    int64 `json:"total_rows"`
+	DatabaseSize int64 `json:"database_size_bytes"`
+
+	// Performance metrics
+	RestoreTime    float64 `json:"restore_time_seconds"`
+	ValidationTime float64 `json:"validation_time_seconds"`
+	QueryTimeAvg   float64 `json:"query_time_avg_ms"`
+
+	// RTO/RPO metrics
+	ActualRTO float64 `json:"actual_rto_seconds"` // Total time to usable database
+	TargetRTO float64 `json:"target_rto_seconds"`
+	RTOMet    bool    `json:"rto_met"`
+
+	// Container info
+	ContainerID   string `json:"container_id,omitempty"`
+	ContainerKept bool   `json:"container_kept"`
+
+	// Errors and warnings
+	Errors   []string `json:"errors,omitempty"`
+	Warnings []string `json:"warnings,omitempty"`
+}
+
+// DrillStatus represents the current status of a drill
+type DrillStatus string
+
+const (
+	StatusPending   DrillStatus = "pending"
+	StatusRunning   DrillStatus = "running"
+	StatusCompleted DrillStatus = "completed"
+	StatusFailed    DrillStatus = "failed"
+	StatusAborted   DrillStatus = "aborted"
+	StatusPartial   DrillStatus = "partial" // Some validations failed
+)
+
+// DrillPhase represents a phase in the drill process
+type DrillPhase struct {
+	Name      string    `json:"name"`
+	Status    string    `json:"status"` // pending, running, completed, failed, skipped
+	StartTime time.Time `json:"start_time"`
+	EndTime   time.Time `json:"end_time"`
+	Duration  float64   `json:"duration_seconds"`
+	Message   string    `json:"message,omitempty"`
+}
+
+// ValidationResult holds the result of a validation query
+type ValidationResult struct {
+	Name     string  `json:"name"`
+	Query    string  `json:"query"`
+	Success  bool    `json:"success"`
+	Result   string  `json:"result,omitempty"`
+	Expected string  `json:"expected,omitempty"`
+	Duration float64 `json:"duration_ms"`
+	Error    string  `json:"error,omitempty"`
+}
+
+// CheckResult holds the result of a custom check
+type CheckResult struct {
+	Name     string `json:"name"`
+	Type     string `json:"type"`
+	Success  bool   `json:"success"`
+	Actual   int64  `json:"actual,omitempty"`
+	Expected int64  `json:"expected,omitempty"`
+	Message  string `json:"message"`
+}
+
+// DefaultConfig returns a DrillConfig with sensible defaults
+func DefaultConfig() *DrillConfig {
+	return &DrillConfig{
+		ContainerTimeout:  60,
+		CleanupOnExit:     true,
+		KeepOnFailure:     true,
+		MaxRestoreSeconds: 300, // 5 minutes
+		MaxQuerySeconds:   30,
+		ReportFormat:      "json",
+		Verbose:           false,
+		ValidationQueries: []ValidationQuery{},
+		ExpectedTables:    []string{},
+		CustomChecks:      []CustomCheck{},
+	}
+}
+
+// NewDrillID generates a unique drill ID
+func NewDrillID() string {
+	return fmt.Sprintf("drill_%s", time.Now().Format("20060102_150405"))
+}
+
+// SaveResult saves the drill result to a file
+func (r *DrillResult) SaveResult(outputDir string) error {
+	if err := os.MkdirAll(outputDir, 0755); err != nil {
+		return fmt.Errorf("failed to create output directory: %w", err)
+	}
+
+	filename := fmt.Sprintf("%s_report.json", r.DrillID)
+	filepath := filepath.Join(outputDir, filename)
+
+	data, err := json.MarshalIndent(r, "", "  ")
+	if err != nil {
+		return fmt.Errorf("failed to marshal result: %w", err)
+	}
+
+	if err := os.WriteFile(filepath, data, 0644); err != nil {
+		return fmt.Errorf("failed to write result file: %w", err)
+	}
+
+	return nil
+}
+
+// LoadResult loads a drill result from a file
+func LoadResult(filepath string) (*DrillResult, error) {
+	data, err := os.ReadFile(filepath)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read result file: %w", err)
+	}
+
+	var result DrillResult
+	if err := json.Unmarshal(data, &result); err != nil {
+		return nil, fmt.Errorf("failed to parse result: %w", err)
+	}
+
+	return &result, nil
+}
+
+// IsSuccess returns true if the drill was successful
+func (r *DrillResult) IsSuccess() bool {
+	return r.Success && r.Status == StatusCompleted
+}
+
+// Summary returns a human-readable summary of the drill
+func (r *DrillResult) Summary() string {
+	status := "[OK] PASSED"
+	if !r.Success {
+		status = "[FAIL] FAILED"
+	} else if r.Status == StatusPartial {
+		status = "[WARN] PARTIAL"
+	}
+
+	return fmt.Sprintf("%s - %s (%.2fs) - %d tables, %d rows",
+		status, r.DatabaseName, r.Duration, r.TableCount, r.TotalRows)
+}
+
+// Drill is the interface for DR drill operations
+type Drill interface {
+	// Run executes the full DR drill
+	Run(ctx context.Context, config *DrillConfig) (*DrillResult, error)
+
+	// Validate runs validation queries against an existing database
+	Validate(ctx context.Context, config *DrillConfig) ([]ValidationResult, error)
+
+	// Cleanup removes drill resources (containers, temp files)
+	Cleanup(ctx context.Context, drillID string) error
+}
--- a/internal/drill/engine.go
+++ b/internal/drill/engine.go
@@ -0,0 +1,532 @@
+// Package drill - Main drill execution engine
+package drill
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+	"time"
+
+	"dbbackup/internal/logger"
+)
+
+// Engine executes DR drills
+type Engine struct {
+	docker  *DockerManager
+	log     logger.Logger
+	verbose bool
+}
+
+// NewEngine creates a new drill engine
+func NewEngine(log logger.Logger, verbose bool) *Engine {
+	return &Engine{
+		docker:  NewDockerManager(verbose),
+		log:     log,
+		verbose: verbose,
+	}
+}
+
+// Run executes a complete DR drill
+func (e *Engine) Run(ctx context.Context, config *DrillConfig) (*DrillResult, error) {
+	result := &DrillResult{
+		DrillID:      NewDrillID(),
+		StartTime:    time.Now(),
+		BackupPath:   config.BackupPath,
+		DatabaseName: config.DatabaseName,
+		DatabaseType: config.DatabaseType,
+		Status:       StatusRunning,
+		Phases:       make([]DrillPhase, 0),
+		TargetRTO:    float64(config.MaxRestoreSeconds),
+	}
+
+	e.log.Info("=====================================================")
+	e.log.Info("  [TEST] DR Drill: " + result.DrillID)
+	e.log.Info("=====================================================")
+	e.log.Info("")
+
+	// Cleanup function for error cases
+	var containerID string
+	cleanup := func() {
+		if containerID != "" && config.CleanupOnExit && (result.Success || !config.KeepOnFailure) {
+			e.log.Info("[DEL]  Cleaning up container...")
+			e.docker.RemoveContainer(context.Background(), containerID)
+		} else if containerID != "" {
+			result.ContainerKept = true
+			e.log.Info("[PKG] Container kept for debugging: " + containerID)
+		}
+	}
+	defer cleanup()
+
+	// Phase 1: Preflight checks
+	phase := e.startPhase("Preflight Checks")
+	if err := e.preflightChecks(ctx, config); err != nil {
+		e.failPhase(&phase, err.Error())
+		result.Phases = append(result.Phases, phase)
+		result.Status = StatusFailed
+		result.Message = "Preflight checks failed: " + err.Error()
+		result.Errors = append(result.Errors, err.Error())
+		e.finalize(result)
+		return result, nil
+	}
+	e.completePhase(&phase, "All checks passed")
+	result.Phases = append(result.Phases, phase)
+
+	// Phase 2: Start container
+	phase = e.startPhase("Start Container")
+	containerConfig := e.buildContainerConfig(config)
+	container, err := e.docker.CreateContainer(ctx, containerConfig)
+	if err != nil {
+		e.failPhase(&phase, err.Error())
+		result.Phases = append(result.Phases, phase)
+		result.Status = StatusFailed
+		result.Message = "Failed to start container: " + err.Error()
+		result.Errors = append(result.Errors, err.Error())
+		e.finalize(result)
+		return result, nil
+	}
+	containerID = container.ID
+	result.ContainerID = containerID
+	e.log.Info("[PKG] Container started: " + containerID[:12])
+
+	// Wait for container to be healthy
+	if err := e.docker.WaitForHealth(ctx, containerID, config.DatabaseType, config.ContainerTimeout); err != nil {
+		e.failPhase(&phase, "Container health check failed: "+err.Error())
+		result.Phases = append(result.Phases, phase)
+		result.Status = StatusFailed
+		result.Message = "Container failed to start"
+		result.Errors = append(result.Errors, err.Error())
+		e.finalize(result)
+		return result, nil
+	}
+	e.completePhase(&phase, "Container healthy")
+	result.Phases = append(result.Phases, phase)
+
+	// Phase 3: Restore backup
+	phase = e.startPhase("Restore Backup")
+	restoreStart := time.Now()
+	if err := e.restoreBackup(ctx, config, containerID, containerConfig); err != nil {
+		e.failPhase(&phase, err.Error())
+		result.Phases = append(result.Phases, phase)
+		result.Status = StatusFailed
+		result.Message = "Restore failed: " + err.Error()
+		result.Errors = append(result.Errors, err.Error())
+		e.finalize(result)
+		return result, nil
+	}
+	result.RestoreTime = time.Since(restoreStart).Seconds()
+	e.completePhase(&phase, fmt.Sprintf("Restored in %.2fs", result.RestoreTime))
+	result.Phases = append(result.Phases, phase)
+	e.log.Info(fmt.Sprintf("[OK] Backup restored in %.2fs", result.RestoreTime))
+
+	// Phase 4: Validate
+	phase = e.startPhase("Validate Database")
+	validateStart := time.Now()
+	validationErrors := e.validateDatabase(ctx, config, result, containerConfig)
+	result.ValidationTime = time.Since(validateStart).Seconds()
+	if validationErrors > 0 {
+		e.completePhase(&phase, fmt.Sprintf("Completed with %d errors", validationErrors))
+	} else {
+		e.completePhase(&phase, "All validations passed")
+	}
+	result.Phases = append(result.Phases, phase)
+
+	// Determine overall status
+	result.ActualRTO = result.RestoreTime + result.ValidationTime
+	result.RTOMet = result.ActualRTO <= result.TargetRTO
+
+	criticalFailures := 0
+	for _, vr := range result.ValidationResults {
+		if !vr.Success {
+			criticalFailures++
+		}
+	}
+	for _, cr := range result.CheckResults {
+		if !cr.Success {
+			criticalFailures++
+		}
+	}
+
+	if criticalFailures == 0 {
+		result.Success = true
+		result.Status = StatusCompleted
+		result.Message = "DR drill completed successfully"
+	} else if criticalFailures < len(result.ValidationResults)+len(result.CheckResults) {
+		result.Success = false
+		result.Status = StatusPartial
+		result.Message = fmt.Sprintf("DR drill completed with %d validation failures", criticalFailures)
+	} else {
+		result.Success = false
+		result.Status = StatusFailed
+		result.Message = "All validations failed"
+	}
+
+	e.finalize(result)
+
+	// Save result if output dir specified
+	if config.OutputDir != "" {
+		if err := result.SaveResult(config.OutputDir); err != nil {
+			e.log.Warn("Failed to save drill result", "error", err)
+		} else {
+			e.log.Info("📄 Report saved to: " + filepath.Join(config.OutputDir, result.DrillID+"_report.json"))
+		}
+	}
+
+	return result, nil
+}
+
+// preflightChecks runs preflight checks before the drill
+func (e *Engine) preflightChecks(ctx context.Context, config *DrillConfig) error {
+	// Check Docker is available
+	if err := e.docker.CheckDockerAvailable(ctx); err != nil {
+		return fmt.Errorf("docker not available: %w", err)
+	}
+	e.log.Info("[OK] Docker is available")
+
+	// Check backup file exists
+	if _, err := os.Stat(config.BackupPath); err != nil {
+		return fmt.Errorf("backup file not found: %s", config.BackupPath)
+	}
+	e.log.Info("[OK] Backup file exists: " + filepath.Base(config.BackupPath))
+
+	// Pull Docker image
+	image := config.ContainerImage
+	if image == "" {
+		image = GetDefaultImage(config.DatabaseType, "")
+	}
+	e.log.Info("[DOWN]  Pulling image: " + image)
+	if err := e.docker.PullImage(ctx, image); err != nil {
+		return fmt.Errorf("failed to pull image: %w", err)
+	}
+	e.log.Info("[OK] Image ready: " + image)
+
+	return nil
+}
+
+// buildContainerConfig creates container configuration
+func (e *Engine) buildContainerConfig(config *DrillConfig) *ContainerConfig {
+	containerName := config.ContainerName
+	if containerName == "" {
+		containerName = fmt.Sprintf("drill_%s_%s", config.DatabaseName, time.Now().Format("20060102_150405"))
+	}
+
+	image := config.ContainerImage
+	if image == "" {
+		image = GetDefaultImage(config.DatabaseType, "")
+	}
+
+	port := config.ContainerPort
+	if port == 0 {
+		port = 15432 // Default drill port (different from production)
+		if config.DatabaseType == "mysql" || config.DatabaseType == "mariadb" {
+			port = 13306
+		}
+	}
+
+	containerPort := GetDefaultPort(config.DatabaseType)
+	env := GetDefaultEnvironment(config.DatabaseType)
+
+	return &ContainerConfig{
+		Image:         image,
+		Name:          containerName,
+		Port:          port,
+		ContainerPort: containerPort,
+		Environment:   env,
+		Timeout:       config.ContainerTimeout,
+	}
+}
+
+// restoreBackup restores the backup into the container
+func (e *Engine) restoreBackup(ctx context.Context, config *DrillConfig, containerID string, containerConfig *ContainerConfig) error {
+	// Copy backup to container
+	backupName := filepath.Base(config.BackupPath)
+	containerBackupPath := "/tmp/" + backupName
+
+	e.log.Info("[DIR] Copying backup to container...")
+	if err := e.docker.CopyToContainer(ctx, containerID, config.BackupPath, containerBackupPath); err != nil {
+		return fmt.Errorf("failed to copy backup: %w", err)
+	}
+
+	// Handle encrypted backups
+	if config.EncryptionKeyFile != "" {
+		// For encrypted backups, we'd need to decrypt first
+		// This is a simplified implementation
+		e.log.Warn("Encrypted backup handling not fully implemented in drill mode")
+	}
+
+	// Restore based on database type and format
+	e.log.Info("[EXEC] Restoring backup...")
+	return e.executeRestore(ctx, config, containerID, containerBackupPath, containerConfig)
+}
+
+// executeRestore runs the actual restore command
+func (e *Engine) executeRestore(ctx context.Context, config *DrillConfig, containerID, backupPath string, containerConfig *ContainerConfig) error {
+	var cmd []string
+
+	switch config.DatabaseType {
+	case "postgresql", "postgres":
+		// Decompress if needed
+		if strings.HasSuffix(backupPath, ".gz") {
+			decompressedPath := strings.TrimSuffix(backupPath, ".gz")
+			_, err := e.docker.ExecCommand(ctx, containerID, []string{
+				"sh", "-c", fmt.Sprintf("gunzip -c %s > %s", backupPath, decompressedPath),
+			})
+			if err != nil {
+				return fmt.Errorf("decompression failed: %w", err)
+			}
+			backupPath = decompressedPath
+		}
+
+		// Create database
+		_, err := e.docker.ExecCommand(ctx, containerID, []string{
+			"psql", "-U", "postgres", "-c", fmt.Sprintf("CREATE DATABASE %s", config.DatabaseName),
+		})
+		if err != nil {
+			// Database might already exist
+			e.log.Debug("Create database returned (may already exist)")
+		}
+
+		// Detect restore method based on file content
+		isCustomFormat := strings.Contains(backupPath, ".dump") || strings.Contains(backupPath, ".custom")
+		if isCustomFormat {
+			cmd = []string{"pg_restore", "-U", "postgres", "-d", config.DatabaseName, "-v", backupPath}
+		} else {
+			cmd = []string{"sh", "-c", fmt.Sprintf("psql -U postgres -d %s < %s", config.DatabaseName, backupPath)}
+		}
+
+	case "mysql":
+		// Decompress if needed
+		if strings.HasSuffix(backupPath, ".gz") {
+			decompressedPath := strings.TrimSuffix(backupPath, ".gz")
+			_, err := e.docker.ExecCommand(ctx, containerID, []string{
+				"sh", "-c", fmt.Sprintf("gunzip -c %s > %s", backupPath, decompressedPath),
+			})
+			if err != nil {
+				return fmt.Errorf("decompression failed: %w", err)
+			}
+			backupPath = decompressedPath
+		}
+
+		cmd = []string{"sh", "-c", fmt.Sprintf("mysql -u root --password=root %s < %s", config.DatabaseName, backupPath)}
+
+	case "mariadb":
+		if strings.HasSuffix(backupPath, ".gz") {
+			decompressedPath := strings.TrimSuffix(backupPath, ".gz")
+			_, err := e.docker.ExecCommand(ctx, containerID, []string{
+				"sh", "-c", fmt.Sprintf("gunzip -c %s > %s", backupPath, decompressedPath),
+			})
+			if err != nil {
+				return fmt.Errorf("decompression failed: %w", err)
+			}
+			backupPath = decompressedPath
+		}
+
+		cmd = []string{"sh", "-c", fmt.Sprintf("mariadb -u root --password=root %s < %s", config.DatabaseName, backupPath)}
+
+	default:
+		return fmt.Errorf("unsupported database type: %s", config.DatabaseType)
+	}
+
+	output, err := e.docker.ExecCommand(ctx, containerID, cmd)
+	if err != nil {
+		return fmt.Errorf("restore failed: %w (output: %s)", err, output)
+	}
+
+	return nil
+}
+
+// validateDatabase runs validation against the restored database
+func (e *Engine) validateDatabase(ctx context.Context, config *DrillConfig, result *DrillResult, containerConfig *ContainerConfig) int {
+	errorCount := 0
+
+	// Connect to database
+	var user, password string
+	switch config.DatabaseType {
+	case "postgresql", "postgres":
+		user = "postgres"
+		password = containerConfig.Environment["POSTGRES_PASSWORD"]
+	case "mysql":
+		user = "root"
+		password = "root"
+	case "mariadb":
+		user = "root"
+		password = "root"
+	}
+
+	validator, err := NewValidator(config.DatabaseType, "localhost", containerConfig.Port, user, password, config.DatabaseName, e.verbose)
+	if err != nil {
+		e.log.Error("Failed to connect for validation", "error", err)
+		result.Errors = append(result.Errors, "Validation connection failed: "+err.Error())
+		return 1
+	}
+	defer validator.Close()
+
+	// Get database metrics
+	tables, err := validator.GetTableList(ctx)
+	if err == nil {
+		result.TableCount = len(tables)
+		e.log.Info(fmt.Sprintf("[STATS] Tables found: %d", result.TableCount))
+	}
+
+	totalRows, err := validator.GetTotalRowCount(ctx)
+	if err == nil {
+		result.TotalRows = totalRows
+		e.log.Info(fmt.Sprintf("[STATS] Total rows: %d", result.TotalRows))
+	}
+
+	dbSize, err := validator.GetDatabaseSize(ctx, config.DatabaseName)
+	if err == nil {
+		result.DatabaseSize = dbSize
+	}
+
+	// Run expected tables check
+	if len(config.ExpectedTables) > 0 {
+		tableResults := validator.ValidateExpectedTables(ctx, config.ExpectedTables)
+		for _, tr := range tableResults {
+			result.CheckResults = append(result.CheckResults, tr)
+			if !tr.Success {
+				errorCount++
+				e.log.Warn("[FAIL] " + tr.Message)
+			} else {
+				e.log.Info("[OK] " + tr.Message)
+			}
+		}
+	}
+
+	// Run validation queries
+	if len(config.ValidationQueries) > 0 {
+		queryResults := validator.RunValidationQueries(ctx, config.ValidationQueries)
+		result.ValidationResults = append(result.ValidationResults, queryResults...)
+
+		var totalQueryTime float64
+		for _, qr := range queryResults {
+			totalQueryTime += qr.Duration
+			if !qr.Success {
+				errorCount++
+				e.log.Warn(fmt.Sprintf("[FAIL] %s: %s", qr.Name, qr.Error))
+			} else {
+				e.log.Info(fmt.Sprintf("[OK] %s: %s (%.0fms)", qr.Name, qr.Result, qr.Duration))
+			}
+		}
+		if len(queryResults) > 0 {
+			result.QueryTimeAvg = totalQueryTime / float64(len(queryResults))
+		}
+	}
+
+	// Run custom checks
+	if len(config.CustomChecks) > 0 {
+		checkResults := validator.RunCustomChecks(ctx, config.CustomChecks)
+		for _, cr := range checkResults {
+			result.CheckResults = append(result.CheckResults, cr)
+			if !cr.Success {
+				errorCount++
+				e.log.Warn("[FAIL] " + cr.Message)
+			} else {
+				e.log.Info("[OK] " + cr.Message)
+			}
+		}
+	}
+
+	// Check minimum row count if specified
+	if config.MinRowCount > 0 && result.TotalRows < config.MinRowCount {
+		errorCount++
+		msg := fmt.Sprintf("Total rows (%d) below minimum (%d)", result.TotalRows, config.MinRowCount)
+		result.Warnings = append(result.Warnings, msg)
+		e.log.Warn("[WARN] " + msg)
+	}
+
+	return errorCount
+}
+
+// startPhase starts a new drill phase
+func (e *Engine) startPhase(name string) DrillPhase {
+	e.log.Info("[RUN]  " + name)
+	return DrillPhase{
+		Name:      name,
+		Status:    "running",
+		StartTime: time.Now(),
+	}
+}
+
+// completePhase marks a phase as completed
+func (e *Engine) completePhase(phase *DrillPhase, message string) {
+	phase.EndTime = time.Now()
+	phase.Duration = phase.EndTime.Sub(phase.StartTime).Seconds()
+	phase.Status = "completed"
+	phase.Message = message
+}
+
+// failPhase marks a phase as failed
+func (e *Engine) failPhase(phase *DrillPhase, message string) {
+	phase.EndTime = time.Now()
+	phase.Duration = phase.EndTime.Sub(phase.StartTime).Seconds()
+	phase.Status = "failed"
+	phase.Message = message
+	e.log.Error("[FAIL] Phase failed: " + message)
+}
+
+// finalize completes the drill result
+func (e *Engine) finalize(result *DrillResult) {
+	result.EndTime = time.Now()
+	result.Duration = result.EndTime.Sub(result.StartTime).Seconds()
+
+	e.log.Info("")
+	e.log.Info("=====================================================")
+	e.log.Info("  " + result.Summary())
+	e.log.Info("=====================================================")
+
+	if result.Success {
+		e.log.Info(fmt.Sprintf("  RTO: %.2fs (target: %.0fs) %s",
+			result.ActualRTO, result.TargetRTO, boolIcon(result.RTOMet)))
+	}
+}
+
+func boolIcon(b bool) string {
+	if b {
+		return "[OK]"
+	}
+	return "[FAIL]"
+}
+
+// Cleanup removes drill resources
+func (e *Engine) Cleanup(ctx context.Context, drillID string) error {
+	containers, err := e.docker.ListDrillContainers(ctx)
+	if err != nil {
+		return err
+	}
+
+	for _, c := range containers {
+		if strings.Contains(c.Name, drillID) || (drillID == "" && strings.HasPrefix(c.Name, "drill_")) {
+			e.log.Info("[DEL]  Removing container: " + c.Name)
+			if err := e.docker.RemoveContainer(ctx, c.ID); err != nil {
+				e.log.Warn("Failed to remove container", "id", c.ID, "error", err)
+			}
+		}
+	}
+
+	return nil
+}
+
+// QuickTest runs a quick restore test without full validation
+func (e *Engine) QuickTest(ctx context.Context, backupPath, dbType, dbName string) (*DrillResult, error) {
+	config := DefaultConfig()
+	config.BackupPath = backupPath
+	config.DatabaseType = dbType
+	config.DatabaseName = dbName
+	config.CleanupOnExit = true
+	config.MaxRestoreSeconds = 600
+
+	return e.Run(ctx, config)
+}
+
+// Validate runs validation queries against an existing database (non-Docker)
+func (e *Engine) Validate(ctx context.Context, config *DrillConfig, host string, port int, user, password string) ([]ValidationResult, error) {
+	validator, err := NewValidator(config.DatabaseType, host, port, user, password, config.DatabaseName, e.verbose)
+	if err != nil {
+		return nil, err
+	}
+	defer validator.Close()
+
+	return validator.RunValidationQueries(ctx, config.ValidationQueries), nil
+}
--- a/internal/drill/validate.go
+++ b/internal/drill/validate.go
@@ -0,0 +1,358 @@
+// Package drill - Validation logic for DR drills
+package drill
+
+import (
+	"context"
+	"database/sql"
+	"fmt"
+	"strings"
+	"time"
+
+	_ "github.com/go-sql-driver/mysql"
+	_ "github.com/jackc/pgx/v5/stdlib"
+)
+
+// Validator handles database validation during DR drills
+type Validator struct {
+	db      *sql.DB
+	dbType  string
+	verbose bool
+}
+
+// NewValidator creates a new database validator
+func NewValidator(dbType string, host string, port int, user, password, dbname string, verbose bool) (*Validator, error) {
+	var dsn string
+	var driver string
+
+	switch dbType {
+	case "postgresql", "postgres":
+		driver = "pgx"
+		dsn = fmt.Sprintf("host=%s port=%d user=%s password=%s dbname=%s sslmode=disable",
+			host, port, user, password, dbname)
+	case "mysql":
+		driver = "mysql"
+		dsn = fmt.Sprintf("%s:%s@tcp(%s:%d)/%s?parseTime=true",
+			user, password, host, port, dbname)
+	case "mariadb":
+		driver = "mysql"
+		dsn = fmt.Sprintf("%s:%s@tcp(%s:%d)/%s?parseTime=true",
+			user, password, host, port, dbname)
+	default:
+		return nil, fmt.Errorf("unsupported database type: %s", dbType)
+	}
+
+	db, err := sql.Open(driver, dsn)
+	if err != nil {
+		return nil, fmt.Errorf("failed to connect to database: %w", err)
+	}
+
+	// Test connection
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	defer cancel()
+
+	if err := db.PingContext(ctx); err != nil {
+		db.Close()
+		return nil, fmt.Errorf("failed to ping database: %w", err)
+	}
+
+	return &Validator{
+		db:      db,
+		dbType:  dbType,
+		verbose: verbose,
+	}, nil
+}
+
+// Close closes the database connection
+func (v *Validator) Close() error {
+	return v.db.Close()
+}
+
+// RunValidationQueries executes validation queries and returns results
+func (v *Validator) RunValidationQueries(ctx context.Context, queries []ValidationQuery) []ValidationResult {
+	var results []ValidationResult
+
+	for _, q := range queries {
+		result := v.runQuery(ctx, q)
+		results = append(results, result)
+	}
+
+	return results
+}
+
+// runQuery executes a single validation query
+func (v *Validator) runQuery(ctx context.Context, query ValidationQuery) ValidationResult {
+	result := ValidationResult{
+		Name:     query.Name,
+		Query:    query.Query,
+		Expected: query.ExpectedValue,
+	}
+
+	start := time.Now()
+	rows, err := v.db.QueryContext(ctx, query.Query)
+	result.Duration = float64(time.Since(start).Milliseconds())
+
+	if err != nil {
+		result.Success = false
+		result.Error = err.Error()
+		return result
+	}
+	defer rows.Close()
+
+	// Get result
+	if rows.Next() {
+		var value interface{}
+		if err := rows.Scan(&value); err != nil {
+			result.Success = false
+			result.Error = fmt.Sprintf("scan error: %v", err)
+			return result
+		}
+		result.Result = fmt.Sprintf("%v", value)
+	}
+
+	// Validate result
+	result.Success = true
+	if query.ExpectedValue != "" && result.Result != query.ExpectedValue {
+		result.Success = false
+		result.Error = fmt.Sprintf("expected %s, got %s", query.ExpectedValue, result.Result)
+	}
+
+	// Check min/max if specified
+	if query.MinValue > 0 || query.MaxValue > 0 {
+		var numValue int64
+		fmt.Sscanf(result.Result, "%d", &numValue)
+
+		if query.MinValue > 0 && numValue < query.MinValue {
+			result.Success = false
+			result.Error = fmt.Sprintf("value %d below minimum %d", numValue, query.MinValue)
+		}
+		if query.MaxValue > 0 && numValue > query.MaxValue {
+			result.Success = false
+			result.Error = fmt.Sprintf("value %d above maximum %d", numValue, query.MaxValue)
+		}
+	}
+
+	return result
+}
+
+// RunCustomChecks executes custom validation checks
+func (v *Validator) RunCustomChecks(ctx context.Context, checks []CustomCheck) []CheckResult {
+	var results []CheckResult
+
+	for _, check := range checks {
+		result := v.runCheck(ctx, check)
+		results = append(results, result)
+	}
+
+	return results
+}
+
+// runCheck executes a single custom check
+func (v *Validator) runCheck(ctx context.Context, check CustomCheck) CheckResult {
+	result := CheckResult{
+		Name:     check.Name,
+		Type:     check.Type,
+		Expected: check.MinValue,
+	}
+
+	switch check.Type {
+	case "row_count":
+		count, err := v.getRowCount(ctx, check.Table, check.Condition)
+		if err != nil {
+			result.Success = false
+			result.Message = fmt.Sprintf("failed to get row count: %v", err)
+			return result
+		}
+		result.Actual = count
+		result.Success = count >= check.MinValue
+		if result.Success {
+			result.Message = fmt.Sprintf("Table %s has %d rows (min: %d)", check.Table, count, check.MinValue)
+		} else {
+			result.Message = fmt.Sprintf("Table %s has %d rows, expected at least %d", check.Table, count, check.MinValue)
+		}
+
+	case "table_exists":
+		exists, err := v.tableExists(ctx, check.Table)
+		if err != nil {
+			result.Success = false
+			result.Message = fmt.Sprintf("failed to check table: %v", err)
+			return result
+		}
+		result.Success = exists
+		if exists {
+			result.Actual = 1
+			result.Message = fmt.Sprintf("Table %s exists", check.Table)
+		} else {
+			result.Actual = 0
+			result.Message = fmt.Sprintf("Table %s does not exist", check.Table)
+		}
+
+	case "column_check":
+		exists, err := v.columnExists(ctx, check.Table, check.Column)
+		if err != nil {
+			result.Success = false
+			result.Message = fmt.Sprintf("failed to check column: %v", err)
+			return result
+		}
+		result.Success = exists
+		if exists {
+			result.Actual = 1
+			result.Message = fmt.Sprintf("Column %s.%s exists", check.Table, check.Column)
+		} else {
+			result.Actual = 0
+			result.Message = fmt.Sprintf("Column %s.%s does not exist", check.Table, check.Column)
+		}
+
+	default:
+		result.Success = false
+		result.Message = fmt.Sprintf("unknown check type: %s", check.Type)
+	}
+
+	return result
+}
+
+// getRowCount returns the row count for a table
+func (v *Validator) getRowCount(ctx context.Context, table, condition string) (int64, error) {
+	query := fmt.Sprintf("SELECT COUNT(*) FROM %s", v.quoteIdentifier(table))
+	if condition != "" {
+		query += " WHERE " + condition
+	}
+
+	var count int64
+	err := v.db.QueryRowContext(ctx, query).Scan(&count)
+	return count, err
+}
+
+// tableExists checks if a table exists
+func (v *Validator) tableExists(ctx context.Context, table string) (bool, error) {
+	var query string
+	switch v.dbType {
+	case "postgresql", "postgres":
+		query = `SELECT EXISTS (
+			SELECT FROM information_schema.tables 
+			WHERE table_name = $1
+		)`
+	case "mysql", "mariadb":
+		query = `SELECT COUNT(*) > 0 FROM information_schema.tables 
+			WHERE table_name = ?`
+	}
+
+	var exists bool
+	err := v.db.QueryRowContext(ctx, query, table).Scan(&exists)
+	return exists, err
+}
+
+// columnExists checks if a column exists
+func (v *Validator) columnExists(ctx context.Context, table, column string) (bool, error) {
+	var query string
+	switch v.dbType {
+	case "postgresql", "postgres":
+		query = `SELECT EXISTS (
+			SELECT FROM information_schema.columns 
+			WHERE table_name = $1 AND column_name = $2
+		)`
+	case "mysql", "mariadb":
+		query = `SELECT COUNT(*) > 0 FROM information_schema.columns 
+			WHERE table_name = ? AND column_name = ?`
+	}
+
+	var exists bool
+	err := v.db.QueryRowContext(ctx, query, table, column).Scan(&exists)
+	return exists, err
+}
+
+// GetTableList returns all tables in the database
+func (v *Validator) GetTableList(ctx context.Context) ([]string, error) {
+	var query string
+	switch v.dbType {
+	case "postgresql", "postgres":
+		query = `SELECT table_name FROM information_schema.tables 
+			WHERE table_schema = 'public' AND table_type = 'BASE TABLE'`
+	case "mysql", "mariadb":
+		query = `SELECT table_name FROM information_schema.tables 
+			WHERE table_schema = DATABASE() AND table_type = 'BASE TABLE'`
+	}
+
+	rows, err := v.db.QueryContext(ctx, query)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+
+	var tables []string
+	for rows.Next() {
+		var table string
+		if err := rows.Scan(&table); err != nil {
+			return nil, err
+		}
+		tables = append(tables, table)
+	}
+
+	return tables, rows.Err()
+}
+
+// GetTotalRowCount returns total row count across all tables
+func (v *Validator) GetTotalRowCount(ctx context.Context) (int64, error) {
+	tables, err := v.GetTableList(ctx)
+	if err != nil {
+		return 0, err
+	}
+
+	var total int64
+	for _, table := range tables {
+		count, err := v.getRowCount(ctx, table, "")
+		if err != nil {
+			continue // Skip tables that can't be counted
+		}
+		total += count
+	}
+
+	return total, nil
+}
+
+// GetDatabaseSize returns the database size in bytes
+func (v *Validator) GetDatabaseSize(ctx context.Context, dbname string) (int64, error) {
+	var query string
+	switch v.dbType {
+	case "postgresql", "postgres":
+		query = fmt.Sprintf("SELECT pg_database_size('%s')", dbname)
+	case "mysql", "mariadb":
+		query = fmt.Sprintf(`SELECT SUM(data_length + index_length) 
+			FROM information_schema.tables WHERE table_schema = '%s'`, dbname)
+	}
+
+	var size sql.NullInt64
+	err := v.db.QueryRowContext(ctx, query).Scan(&size)
+	if err != nil {
+		return 0, err
+	}
+
+	return size.Int64, nil
+}
+
+// ValidateExpectedTables checks that all expected tables exist
+func (v *Validator) ValidateExpectedTables(ctx context.Context, expectedTables []string) []CheckResult {
+	var results []CheckResult
+
+	for _, table := range expectedTables {
+		check := CustomCheck{
+			Name:  fmt.Sprintf("Table '%s' exists", table),
+			Type:  "table_exists",
+			Table: table,
+		}
+		results = append(results, v.runCheck(ctx, check))
+	}
+
+	return results
+}
+
+// quoteIdentifier quotes a database identifier
+func (v *Validator) quoteIdentifier(id string) string {
+	switch v.dbType {
+	case "postgresql", "postgres":
+		return fmt.Sprintf(`"%s"`, strings.ReplaceAll(id, `"`, `""`))
+	case "mysql", "mariadb":
+		return fmt.Sprintf("`%s`", strings.ReplaceAll(id, "`", "``"))
+	default:
+		return id
+	}
+}
--- a/internal/encryption/encryption.go
+++ b/internal/encryption/encryption.go
@@ -0,0 +1,398 @@
+package encryption
+
+import (
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/rand"
+	"crypto/sha256"
+	"fmt"
+	"io"
+
+	"golang.org/x/crypto/pbkdf2"
+)
+
+const (
+	// AES-256 requires 32-byte keys
+	KeySize = 32
+
+	// Nonce size for GCM
+	NonceSize = 12
+
+	// Salt size for key derivation
+	SaltSize = 32
+
+	// PBKDF2 iterations (100,000 is recommended minimum)
+	PBKDF2Iterations = 100000
+
+	// Magic header to identify encrypted files
+	EncryptedFileMagic = "DBBACKUP_ENCRYPTED_V1"
+)
+
+// EncryptionHeader stores metadata for encrypted files
+type EncryptionHeader struct {
+	Magic     [22]byte // "DBBACKUP_ENCRYPTED_V1" (21 bytes + null)
+	Version   uint8    // Version number (1)
+	Algorithm uint8    // Algorithm ID (1 = AES-256-GCM)
+	Salt      [32]byte // Salt for key derivation
+	Nonce     [12]byte // GCM nonce
+	Reserved  [32]byte // Reserved for future use
+}
+
+// EncryptionOptions configures encryption behavior
+type EncryptionOptions struct {
+	// Key is the encryption key (32 bytes for AES-256)
+	Key []byte
+
+	// Passphrase for key derivation (alternative to direct key)
+	Passphrase string
+
+	// Salt for key derivation (if empty, will be generated)
+	Salt []byte
+}
+
+// DeriveKey derives an encryption key from a passphrase using PBKDF2
+func DeriveKey(passphrase string, salt []byte) []byte {
+	return pbkdf2.Key([]byte(passphrase), salt, PBKDF2Iterations, KeySize, sha256.New)
+}
+
+// GenerateSalt creates a cryptographically secure random salt
+func GenerateSalt() ([]byte, error) {
+	salt := make([]byte, SaltSize)
+	if _, err := rand.Read(salt); err != nil {
+		return nil, fmt.Errorf("failed to generate salt: %w", err)
+	}
+	return salt, nil
+}
+
+// GenerateKey creates a cryptographically secure random key
+func GenerateKey() ([]byte, error) {
+	key := make([]byte, KeySize)
+	if _, err := rand.Read(key); err != nil {
+		return nil, fmt.Errorf("failed to generate key: %w", err)
+	}
+	return key, nil
+}
+
+// NewEncryptionWriter creates an encrypted writer that wraps an underlying writer
+// Data written to this writer will be encrypted before being written to the underlying writer
+func NewEncryptionWriter(w io.Writer, opts EncryptionOptions) (*EncryptionWriter, error) {
+	// Derive or validate key
+	var key []byte
+	var salt []byte
+
+	if opts.Passphrase != "" {
+		// Derive key from passphrase
+		if len(opts.Salt) == 0 {
+			var err error
+			salt, err = GenerateSalt()
+			if err != nil {
+				return nil, err
+			}
+		} else {
+			salt = opts.Salt
+		}
+		key = DeriveKey(opts.Passphrase, salt)
+	} else if len(opts.Key) > 0 {
+		if len(opts.Key) != KeySize {
+			return nil, fmt.Errorf("invalid key size: expected %d bytes, got %d", KeySize, len(opts.Key))
+		}
+		key = opts.Key
+		// Generate salt even when using direct key (for header)
+		var err error
+		salt, err = GenerateSalt()
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		return nil, fmt.Errorf("either Key or Passphrase must be provided")
+	}
+
+	// Create AES cipher
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create cipher: %w", err)
+	}
+
+	// Create GCM mode
+	gcm, err := cipher.NewGCM(block)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create GCM: %w", err)
+	}
+
+	// Generate nonce
+	nonce := make([]byte, NonceSize)
+	if _, err := rand.Read(nonce); err != nil {
+		return nil, fmt.Errorf("failed to generate nonce: %w", err)
+	}
+
+	// Write header
+	header := EncryptionHeader{
+		Version:   1,
+		Algorithm: 1, // AES-256-GCM
+	}
+	copy(header.Magic[:], []byte(EncryptedFileMagic))
+	copy(header.Salt[:], salt)
+	copy(header.Nonce[:], nonce)
+
+	if err := writeHeader(w, &header); err != nil {
+		return nil, fmt.Errorf("failed to write header: %w", err)
+	}
+
+	return &EncryptionWriter{
+		writer: w,
+		gcm:    gcm,
+		nonce:  nonce,
+		buffer: make([]byte, 0, 64*1024), // 64KB buffer
+	}, nil
+}
+
+// EncryptionWriter encrypts data written to it
+type EncryptionWriter struct {
+	writer io.Writer
+	gcm    cipher.AEAD
+	nonce  []byte
+	buffer []byte
+	closed bool
+}
+
+// Write encrypts and writes data
+func (ew *EncryptionWriter) Write(p []byte) (n int, err error) {
+	if ew.closed {
+		return 0, fmt.Errorf("writer is closed")
+	}
+
+	// Accumulate data in buffer
+	ew.buffer = append(ew.buffer, p...)
+
+	// If buffer is large enough, encrypt and write
+	const chunkSize = 64 * 1024 // 64KB chunks
+	for len(ew.buffer) >= chunkSize {
+		chunk := ew.buffer[:chunkSize]
+		encrypted := ew.gcm.Seal(nil, ew.nonce, chunk, nil)
+
+		// Write encrypted chunk size (4 bytes) then chunk
+		size := uint32(len(encrypted))
+		sizeBytes := []byte{
+			byte(size >> 24),
+			byte(size >> 16),
+			byte(size >> 8),
+			byte(size),
+		}
+		if _, err := ew.writer.Write(sizeBytes); err != nil {
+			return n, err
+		}
+		if _, err := ew.writer.Write(encrypted); err != nil {
+			return n, err
+		}
+
+		// Move remaining data to start of buffer
+		ew.buffer = ew.buffer[chunkSize:]
+		n += chunkSize
+
+		// Increment nonce for next chunk
+		incrementNonce(ew.nonce)
+	}
+
+	return len(p), nil
+}
+
+// Close flushes remaining data and finalizes encryption
+func (ew *EncryptionWriter) Close() error {
+	if ew.closed {
+		return nil
+	}
+	ew.closed = true
+
+	// Encrypt and write remaining buffer
+	if len(ew.buffer) > 0 {
+		encrypted := ew.gcm.Seal(nil, ew.nonce, ew.buffer, nil)
+
+		size := uint32(len(encrypted))
+		sizeBytes := []byte{
+			byte(size >> 24),
+			byte(size >> 16),
+			byte(size >> 8),
+			byte(size),
+		}
+		if _, err := ew.writer.Write(sizeBytes); err != nil {
+			return err
+		}
+		if _, err := ew.writer.Write(encrypted); err != nil {
+			return err
+		}
+	}
+
+	// Write final zero-length chunk to signal end
+	if _, err := ew.writer.Write([]byte{0, 0, 0, 0}); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// NewDecryptionReader creates a decrypted reader from an encrypted stream
+func NewDecryptionReader(r io.Reader, opts EncryptionOptions) (*DecryptionReader, error) {
+	// Read and parse header
+	header, err := readHeader(r)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read header: %w", err)
+	}
+
+	// Verify magic
+	if string(header.Magic[:len(EncryptedFileMagic)]) != EncryptedFileMagic {
+		return nil, fmt.Errorf("not an encrypted backup file")
+	}
+
+	// Verify version
+	if header.Version != 1 {
+		return nil, fmt.Errorf("unsupported encryption version: %d", header.Version)
+	}
+
+	// Verify algorithm
+	if header.Algorithm != 1 {
+		return nil, fmt.Errorf("unsupported encryption algorithm: %d", header.Algorithm)
+	}
+
+	// Derive or validate key
+	var key []byte
+	if opts.Passphrase != "" {
+		key = DeriveKey(opts.Passphrase, header.Salt[:])
+	} else if len(opts.Key) > 0 {
+		if len(opts.Key) != KeySize {
+			return nil, fmt.Errorf("invalid key size: expected %d bytes, got %d", KeySize, len(opts.Key))
+		}
+		key = opts.Key
+	} else {
+		return nil, fmt.Errorf("either Key or Passphrase must be provided")
+	}
+
+	// Create AES cipher
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create cipher: %w", err)
+	}
+
+	// Create GCM mode
+	gcm, err := cipher.NewGCM(block)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create GCM: %w", err)
+	}
+
+	nonce := make([]byte, NonceSize)
+	copy(nonce, header.Nonce[:])
+
+	return &DecryptionReader{
+		reader: r,
+		gcm:    gcm,
+		nonce:  nonce,
+		buffer: make([]byte, 0),
+	}, nil
+}
+
+// DecryptionReader decrypts data from an encrypted stream
+type DecryptionReader struct {
+	reader io.Reader
+	gcm    cipher.AEAD
+	nonce  []byte
+	buffer []byte
+	eof    bool
+}
+
+// Read decrypts and returns data
+func (dr *DecryptionReader) Read(p []byte) (n int, err error) {
+	// If we have buffered data, return it first
+	if len(dr.buffer) > 0 {
+		n = copy(p, dr.buffer)
+		dr.buffer = dr.buffer[n:]
+		return n, nil
+	}
+
+	// If EOF reached, return EOF
+	if dr.eof {
+		return 0, io.EOF
+	}
+
+	// Read next chunk size
+	sizeBytes := make([]byte, 4)
+	if _, err := io.ReadFull(dr.reader, sizeBytes); err != nil {
+		if err == io.EOF {
+			dr.eof = true
+			return 0, io.EOF
+		}
+		return 0, err
+	}
+
+	size := uint32(sizeBytes[0])<<24 | uint32(sizeBytes[1])<<16 | uint32(sizeBytes[2])<<8 | uint32(sizeBytes[3])
+
+	// Zero-length chunk signals end of stream
+	if size == 0 {
+		dr.eof = true
+		return 0, io.EOF
+	}
+
+	// Read encrypted chunk
+	encrypted := make([]byte, size)
+	if _, err := io.ReadFull(dr.reader, encrypted); err != nil {
+		return 0, err
+	}
+
+	// Decrypt chunk
+	decrypted, err := dr.gcm.Open(nil, dr.nonce, encrypted, nil)
+	if err != nil {
+		return 0, fmt.Errorf("decryption failed (wrong key?): %w", err)
+	}
+
+	// Increment nonce for next chunk
+	incrementNonce(dr.nonce)
+
+	// Return as much as fits in p, buffer the rest
+	n = copy(p, decrypted)
+	if n < len(decrypted) {
+		dr.buffer = decrypted[n:]
+	}
+
+	return n, nil
+}
+
+// Helper functions
+
+func writeHeader(w io.Writer, h *EncryptionHeader) error {
+	data := make([]byte, 100) // Total header size
+	copy(data[0:22], h.Magic[:])
+	data[22] = h.Version
+	data[23] = h.Algorithm
+	copy(data[24:56], h.Salt[:])
+	copy(data[56:68], h.Nonce[:])
+	copy(data[68:100], h.Reserved[:])
+
+	_, err := w.Write(data)
+	return err
+}
+
+func readHeader(r io.Reader) (*EncryptionHeader, error) {
+	data := make([]byte, 100)
+	if _, err := io.ReadFull(r, data); err != nil {
+		return nil, err
+	}
+
+	header := &EncryptionHeader{
+		Version:   data[22],
+		Algorithm: data[23],
+	}
+	copy(header.Magic[:], data[0:22])
+	copy(header.Salt[:], data[24:56])
+	copy(header.Nonce[:], data[56:68])
+	copy(header.Reserved[:], data[68:100])
+
+	return header, nil
+}
+
+func incrementNonce(nonce []byte) {
+	// Increment nonce as a big-endian counter
+	for i := len(nonce) - 1; i >= 0; i-- {
+		nonce[i]++
+		if nonce[i] != 0 {
+			break
+		}
+	}
+}
--- a/internal/encryption/encryption_test.go
+++ b/internal/encryption/encryption_test.go
@@ -0,0 +1,234 @@
+package encryption
+
+import (
+	"bytes"
+	"io"
+	"testing"
+)
+
+func TestEncryptDecrypt(t *testing.T) {
+	// Test data
+	original := []byte("This is a secret database backup that needs encryption! [LOCK]")
+
+	// Test with passphrase
+	t.Run("Passphrase", func(t *testing.T) {
+		var encrypted bytes.Buffer
+
+		// Encrypt
+		writer, err := NewEncryptionWriter(&encrypted, EncryptionOptions{
+			Passphrase: "super-secret-password",
+		})
+		if err != nil {
+			t.Fatalf("Failed to create encryption writer: %v", err)
+		}
+
+		if _, err := writer.Write(original); err != nil {
+			t.Fatalf("Failed to write data: %v", err)
+		}
+
+		if err := writer.Close(); err != nil {
+			t.Fatalf("Failed to close writer: %v", err)
+		}
+
+		t.Logf("Original size: %d bytes", len(original))
+		t.Logf("Encrypted size: %d bytes", encrypted.Len())
+
+		// Verify encrypted data is different from original
+		if bytes.Contains(encrypted.Bytes(), original) {
+			t.Error("Encrypted data contains plaintext - encryption failed!")
+		}
+
+		// Decrypt
+		reader, err := NewDecryptionReader(&encrypted, EncryptionOptions{
+			Passphrase: "super-secret-password",
+		})
+		if err != nil {
+			t.Fatalf("Failed to create decryption reader: %v", err)
+		}
+
+		decrypted, err := io.ReadAll(reader)
+		if err != nil {
+			t.Fatalf("Failed to read decrypted data: %v", err)
+		}
+
+		// Verify decrypted matches original
+		if !bytes.Equal(decrypted, original) {
+			t.Errorf("Decrypted data doesn't match original\nOriginal: %s\nDecrypted: %s",
+				string(original), string(decrypted))
+		}
+
+		t.Log("[OK] Encryption/decryption successful")
+	})
+
+	// Test with direct key
+	t.Run("DirectKey", func(t *testing.T) {
+		key, err := GenerateKey()
+		if err != nil {
+			t.Fatalf("Failed to generate key: %v", err)
+		}
+
+		var encrypted bytes.Buffer
+
+		// Encrypt
+		writer, err := NewEncryptionWriter(&encrypted, EncryptionOptions{
+			Key: key,
+		})
+		if err != nil {
+			t.Fatalf("Failed to create encryption writer: %v", err)
+		}
+
+		if _, err := writer.Write(original); err != nil {
+			t.Fatalf("Failed to write data: %v", err)
+		}
+
+		if err := writer.Close(); err != nil {
+			t.Fatalf("Failed to close writer: %v", err)
+		}
+
+		// Decrypt
+		reader, err := NewDecryptionReader(&encrypted, EncryptionOptions{
+			Key: key,
+		})
+		if err != nil {
+			t.Fatalf("Failed to create decryption reader: %v", err)
+		}
+
+		decrypted, err := io.ReadAll(reader)
+		if err != nil {
+			t.Fatalf("Failed to read decrypted data: %v", err)
+		}
+
+		if !bytes.Equal(decrypted, original) {
+			t.Errorf("Decrypted data doesn't match original")
+		}
+
+		t.Log("[OK] Direct key encryption/decryption successful")
+	})
+
+	// Test wrong password
+	t.Run("WrongPassword", func(t *testing.T) {
+		var encrypted bytes.Buffer
+
+		// Encrypt
+		writer, err := NewEncryptionWriter(&encrypted, EncryptionOptions{
+			Passphrase: "correct-password",
+		})
+		if err != nil {
+			t.Fatalf("Failed to create encryption writer: %v", err)
+		}
+
+		writer.Write(original)
+		writer.Close()
+
+		// Try to decrypt with wrong password
+		reader, err := NewDecryptionReader(&encrypted, EncryptionOptions{
+			Passphrase: "wrong-password",
+		})
+		if err != nil {
+			t.Fatalf("Failed to create decryption reader: %v", err)
+		}
+
+		_, err = io.ReadAll(reader)
+		if err == nil {
+			t.Error("Expected decryption to fail with wrong password, but it succeeded")
+		}
+
+		t.Logf("[OK] Wrong password correctly rejected: %v", err)
+	})
+}
+
+func TestLargeData(t *testing.T) {
+	// Test with large data (1MB) to test chunking
+	original := make([]byte, 1024*1024)
+	for i := range original {
+		original[i] = byte(i % 256)
+	}
+
+	var encrypted bytes.Buffer
+
+	// Encrypt
+	writer, err := NewEncryptionWriter(&encrypted, EncryptionOptions{
+		Passphrase: "test-password",
+	})
+	if err != nil {
+		t.Fatalf("Failed to create encryption writer: %v", err)
+	}
+
+	if _, err := writer.Write(original); err != nil {
+		t.Fatalf("Failed to write data: %v", err)
+	}
+
+	if err := writer.Close(); err != nil {
+		t.Fatalf("Failed to close writer: %v", err)
+	}
+
+	t.Logf("Original size: %d bytes", len(original))
+	t.Logf("Encrypted size: %d bytes", encrypted.Len())
+	t.Logf("Overhead: %.2f%%", float64(encrypted.Len()-len(original))/float64(len(original))*100)
+
+	// Decrypt
+	reader, err := NewDecryptionReader(&encrypted, EncryptionOptions{
+		Passphrase: "test-password",
+	})
+	if err != nil {
+		t.Fatalf("Failed to create decryption reader: %v", err)
+	}
+
+	decrypted, err := io.ReadAll(reader)
+	if err != nil {
+		t.Fatalf("Failed to read decrypted data: %v", err)
+	}
+
+	if !bytes.Equal(decrypted, original) {
+		t.Errorf("Large data decryption failed")
+	}
+
+	t.Log("[OK] Large data encryption/decryption successful")
+}
+
+func TestKeyGeneration(t *testing.T) {
+	// Test key generation
+	key1, err := GenerateKey()
+	if err != nil {
+		t.Fatalf("Failed to generate key: %v", err)
+	}
+
+	if len(key1) != KeySize {
+		t.Errorf("Key size mismatch: expected %d, got %d", KeySize, len(key1))
+	}
+
+	// Generate another key and verify it's different
+	key2, err := GenerateKey()
+	if err != nil {
+		t.Fatalf("Failed to generate second key: %v", err)
+	}
+
+	if bytes.Equal(key1, key2) {
+		t.Error("Generated keys are identical - randomness broken!")
+	}
+
+	t.Log("[OK] Key generation successful")
+}
+
+func TestKeyDerivation(t *testing.T) {
+	passphrase := "my-secret-passphrase"
+	salt1, _ := GenerateSalt()
+
+	// Derive key twice with same salt - should be identical
+	key1 := DeriveKey(passphrase, salt1)
+	key2 := DeriveKey(passphrase, salt1)
+
+	if !bytes.Equal(key1, key2) {
+		t.Error("Key derivation not deterministic")
+	}
+
+	// Derive with different salt - should be different
+	salt2, _ := GenerateSalt()
+	key3 := DeriveKey(passphrase, salt2)
+
+	if bytes.Equal(key1, key3) {
+		t.Error("Different salts produced same key")
+	}
+
+	t.Log("[OK] Key derivation successful")
+}
--- a/internal/engine/binlog/file_target.go
+++ b/internal/engine/binlog/file_target.go
@@ -0,0 +1,327 @@
+package binlog
+
+import (
+	"compress/gzip"
+	"context"
+	"encoding/json"
+	"fmt"
+	"os"
+	"path/filepath"
+	"sync"
+	"time"
+)
+
+// FileTarget writes binlog events to local files
+type FileTarget struct {
+	basePath   string
+	rotateSize int64
+
+	mu      sync.Mutex
+	current *os.File
+	written int64
+	fileNum int
+	healthy bool
+	lastErr error
+}
+
+// NewFileTarget creates a new file target
+func NewFileTarget(basePath string, rotateSize int64) (*FileTarget, error) {
+	if rotateSize == 0 {
+		rotateSize = 100 * 1024 * 1024 // 100MB default
+	}
+
+	// Ensure directory exists
+	if err := os.MkdirAll(basePath, 0755); err != nil {
+		return nil, fmt.Errorf("failed to create directory: %w", err)
+	}
+
+	return &FileTarget{
+		basePath:   basePath,
+		rotateSize: rotateSize,
+		healthy:    true,
+	}, nil
+}
+
+// Name returns the target name
+func (f *FileTarget) Name() string {
+	return fmt.Sprintf("file:%s", f.basePath)
+}
+
+// Type returns the target type
+func (f *FileTarget) Type() string {
+	return "file"
+}
+
+// Write writes events to the current file
+func (f *FileTarget) Write(ctx context.Context, events []*Event) error {
+	f.mu.Lock()
+	defer f.mu.Unlock()
+
+	// Open file if needed
+	if f.current == nil {
+		if err := f.openNewFile(); err != nil {
+			f.healthy = false
+			f.lastErr = err
+			return err
+		}
+	}
+
+	// Write events
+	for _, ev := range events {
+		data, err := json.Marshal(ev)
+		if err != nil {
+			continue
+		}
+
+		// Add newline for line-delimited JSON
+		data = append(data, '\n')
+
+		n, err := f.current.Write(data)
+		if err != nil {
+			f.healthy = false
+			f.lastErr = err
+			return fmt.Errorf("failed to write: %w", err)
+		}
+
+		f.written += int64(n)
+	}
+
+	// Rotate if needed
+	if f.written >= f.rotateSize {
+		if err := f.rotate(); err != nil {
+			f.healthy = false
+			f.lastErr = err
+			return err
+		}
+	}
+
+	f.healthy = true
+	return nil
+}
+
+// openNewFile opens a new output file
+func (f *FileTarget) openNewFile() error {
+	f.fileNum++
+	filename := filepath.Join(f.basePath,
+		fmt.Sprintf("binlog_%s_%04d.jsonl",
+			time.Now().Format("20060102_150405"),
+			f.fileNum))
+
+	file, err := os.Create(filename)
+	if err != nil {
+		return err
+	}
+
+	f.current = file
+	f.written = 0
+	return nil
+}
+
+// rotate closes current file and opens a new one
+func (f *FileTarget) rotate() error {
+	if f.current != nil {
+		if err := f.current.Close(); err != nil {
+			return err
+		}
+		f.current = nil
+	}
+
+	return f.openNewFile()
+}
+
+// Flush syncs the current file
+func (f *FileTarget) Flush(ctx context.Context) error {
+	f.mu.Lock()
+	defer f.mu.Unlock()
+
+	if f.current != nil {
+		return f.current.Sync()
+	}
+	return nil
+}
+
+// Close closes the target
+func (f *FileTarget) Close() error {
+	f.mu.Lock()
+	defer f.mu.Unlock()
+
+	if f.current != nil {
+		err := f.current.Close()
+		f.current = nil
+		return err
+	}
+	return nil
+}
+
+// Healthy returns target health status
+func (f *FileTarget) Healthy() bool {
+	f.mu.Lock()
+	defer f.mu.Unlock()
+	return f.healthy
+}
+
+// CompressedFileTarget writes compressed binlog events
+type CompressedFileTarget struct {
+	basePath   string
+	rotateSize int64
+
+	mu       sync.Mutex
+	file     *os.File
+	gzWriter *gzip.Writer
+	written  int64
+	fileNum  int
+	healthy  bool
+	lastErr  error
+}
+
+// NewCompressedFileTarget creates a gzip-compressed file target
+func NewCompressedFileTarget(basePath string, rotateSize int64) (*CompressedFileTarget, error) {
+	if rotateSize == 0 {
+		rotateSize = 100 * 1024 * 1024 // 100MB uncompressed
+	}
+
+	if err := os.MkdirAll(basePath, 0755); err != nil {
+		return nil, fmt.Errorf("failed to create directory: %w", err)
+	}
+
+	return &CompressedFileTarget{
+		basePath:   basePath,
+		rotateSize: rotateSize,
+		healthy:    true,
+	}, nil
+}
+
+// Name returns the target name
+func (c *CompressedFileTarget) Name() string {
+	return fmt.Sprintf("file-gzip:%s", c.basePath)
+}
+
+// Type returns the target type
+func (c *CompressedFileTarget) Type() string {
+	return "file-gzip"
+}
+
+// Write writes events to compressed file
+func (c *CompressedFileTarget) Write(ctx context.Context, events []*Event) error {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+
+	// Open file if needed
+	if c.file == nil {
+		if err := c.openNewFile(); err != nil {
+			c.healthy = false
+			c.lastErr = err
+			return err
+		}
+	}
+
+	// Write events
+	for _, ev := range events {
+		data, err := json.Marshal(ev)
+		if err != nil {
+			continue
+		}
+
+		data = append(data, '\n')
+
+		n, err := c.gzWriter.Write(data)
+		if err != nil {
+			c.healthy = false
+			c.lastErr = err
+			return fmt.Errorf("failed to write: %w", err)
+		}
+
+		c.written += int64(n)
+	}
+
+	// Rotate if needed
+	if c.written >= c.rotateSize {
+		if err := c.rotate(); err != nil {
+			c.healthy = false
+			c.lastErr = err
+			return err
+		}
+	}
+
+	c.healthy = true
+	return nil
+}
+
+// openNewFile opens a new compressed file
+func (c *CompressedFileTarget) openNewFile() error {
+	c.fileNum++
+	filename := filepath.Join(c.basePath,
+		fmt.Sprintf("binlog_%s_%04d.jsonl.gz",
+			time.Now().Format("20060102_150405"),
+			c.fileNum))
+
+	file, err := os.Create(filename)
+	if err != nil {
+		return err
+	}
+
+	c.file = file
+	c.gzWriter = gzip.NewWriter(file)
+	c.written = 0
+	return nil
+}
+
+// rotate closes current file and opens a new one
+func (c *CompressedFileTarget) rotate() error {
+	if c.gzWriter != nil {
+		c.gzWriter.Close()
+	}
+	if c.file != nil {
+		c.file.Close()
+		c.file = nil
+	}
+
+	return c.openNewFile()
+}
+
+// Flush flushes the gzip writer
+func (c *CompressedFileTarget) Flush(ctx context.Context) error {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+
+	if c.gzWriter != nil {
+		if err := c.gzWriter.Flush(); err != nil {
+			return err
+		}
+	}
+	if c.file != nil {
+		return c.file.Sync()
+	}
+	return nil
+}
+
+// Close closes the target
+func (c *CompressedFileTarget) Close() error {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+
+	var errs []error
+	if c.gzWriter != nil {
+		if err := c.gzWriter.Close(); err != nil {
+			errs = append(errs, err)
+		}
+	}
+	if c.file != nil {
+		if err := c.file.Close(); err != nil {
+			errs = append(errs, err)
+		}
+		c.file = nil
+	}
+
+	if len(errs) > 0 {
+		return errs[0]
+	}
+	return nil
+}
+
+// Healthy returns target health status
+func (c *CompressedFileTarget) Healthy() bool {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	return c.healthy
+}
--- a/internal/engine/binlog/s3_target.go
+++ b/internal/engine/binlog/s3_target.go
@@ -0,0 +1,244 @@
+package binlog
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"sync"
+	"time"
+
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/config"
+	"github.com/aws/aws-sdk-go-v2/service/s3"
+	"github.com/aws/aws-sdk-go-v2/service/s3/types"
+)
+
+// S3Target writes binlog events to S3
+type S3Target struct {
+	client   *s3.Client
+	bucket   string
+	prefix   string
+	region   string
+	partSize int64
+
+	mu         sync.Mutex
+	buffer     *bytes.Buffer
+	bufferSize int
+	currentKey string
+	uploadID   string
+	parts      []types.CompletedPart
+	partNumber int32
+	fileNum    int
+	healthy    bool
+	lastErr    error
+	lastWrite  time.Time
+}
+
+// NewS3Target creates a new S3 target
+func NewS3Target(bucket, prefix, region string) (*S3Target, error) {
+	if bucket == "" {
+		return nil, fmt.Errorf("bucket required for S3 target")
+	}
+
+	// Load AWS config
+	cfg, err := config.LoadDefaultConfig(context.Background(),
+		config.WithRegion(region),
+	)
+	if err != nil {
+		return nil, fmt.Errorf("failed to load AWS config: %w", err)
+	}
+
+	client := s3.NewFromConfig(cfg)
+
+	return &S3Target{
+		client:   client,
+		bucket:   bucket,
+		prefix:   prefix,
+		region:   region,
+		partSize: 10 * 1024 * 1024, // 10MB parts
+		buffer:   bytes.NewBuffer(nil),
+		healthy:  true,
+	}, nil
+}
+
+// Name returns the target name
+func (s *S3Target) Name() string {
+	return fmt.Sprintf("s3://%s/%s", s.bucket, s.prefix)
+}
+
+// Type returns the target type
+func (s *S3Target) Type() string {
+	return "s3"
+}
+
+// Write writes events to S3 buffer
+func (s *S3Target) Write(ctx context.Context, events []*Event) error {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	// Write events to buffer
+	for _, ev := range events {
+		data, err := json.Marshal(ev)
+		if err != nil {
+			continue
+		}
+
+		data = append(data, '\n')
+		s.buffer.Write(data)
+		s.bufferSize += len(data)
+	}
+
+	// Upload part if buffer exceeds threshold
+	if int64(s.bufferSize) >= s.partSize {
+		if err := s.uploadPart(ctx); err != nil {
+			s.healthy = false
+			s.lastErr = err
+			return err
+		}
+	}
+
+	s.healthy = true
+	s.lastWrite = time.Now()
+	return nil
+}
+
+// uploadPart uploads the current buffer as a part
+func (s *S3Target) uploadPart(ctx context.Context) error {
+	if s.bufferSize == 0 {
+		return nil
+	}
+
+	// Start multipart upload if not started
+	if s.uploadID == "" {
+		s.fileNum++
+		s.currentKey = fmt.Sprintf("%sbinlog_%s_%04d.jsonl",
+			s.prefix,
+			time.Now().Format("20060102_150405"),
+			s.fileNum)
+
+		result, err := s.client.CreateMultipartUpload(ctx, &s3.CreateMultipartUploadInput{
+			Bucket: aws.String(s.bucket),
+			Key:    aws.String(s.currentKey),
+		})
+		if err != nil {
+			return fmt.Errorf("failed to create multipart upload: %w", err)
+		}
+		s.uploadID = *result.UploadId
+		s.parts = nil
+		s.partNumber = 0
+	}
+
+	// Upload part
+	s.partNumber++
+	result, err := s.client.UploadPart(ctx, &s3.UploadPartInput{
+		Bucket:     aws.String(s.bucket),
+		Key:        aws.String(s.currentKey),
+		UploadId:   aws.String(s.uploadID),
+		PartNumber: aws.Int32(s.partNumber),
+		Body:       bytes.NewReader(s.buffer.Bytes()),
+	})
+	if err != nil {
+		return fmt.Errorf("failed to upload part: %w", err)
+	}
+
+	s.parts = append(s.parts, types.CompletedPart{
+		ETag:       result.ETag,
+		PartNumber: aws.Int32(s.partNumber),
+	})
+
+	// Reset buffer
+	s.buffer.Reset()
+	s.bufferSize = 0
+
+	return nil
+}
+
+// Flush completes the current multipart upload
+func (s *S3Target) Flush(ctx context.Context) error {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	// Upload remaining buffer
+	if s.bufferSize > 0 {
+		if err := s.uploadPart(ctx); err != nil {
+			return err
+		}
+	}
+
+	// Complete multipart upload
+	if s.uploadID != "" && len(s.parts) > 0 {
+		_, err := s.client.CompleteMultipartUpload(ctx, &s3.CompleteMultipartUploadInput{
+			Bucket:   aws.String(s.bucket),
+			Key:      aws.String(s.currentKey),
+			UploadId: aws.String(s.uploadID),
+			MultipartUpload: &types.CompletedMultipartUpload{
+				Parts: s.parts,
+			},
+		})
+		if err != nil {
+			return fmt.Errorf("failed to complete upload: %w", err)
+		}
+
+		// Reset for next file
+		s.uploadID = ""
+		s.parts = nil
+		s.partNumber = 0
+	}
+
+	return nil
+}
+
+// Close closes the target
+func (s *S3Target) Close() error {
+	return s.Flush(context.Background())
+}
+
+// Healthy returns target health status
+func (s *S3Target) Healthy() bool {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	return s.healthy
+}
+
+// S3StreamingTarget supports larger files with resumable uploads
+type S3StreamingTarget struct {
+	*S3Target
+	rotateSize  int64
+	currentSize int64
+}
+
+// NewS3StreamingTarget creates an S3 target with file rotation
+func NewS3StreamingTarget(bucket, prefix, region string, rotateSize int64) (*S3StreamingTarget, error) {
+	base, err := NewS3Target(bucket, prefix, region)
+	if err != nil {
+		return nil, err
+	}
+
+	if rotateSize == 0 {
+		rotateSize = 1024 * 1024 * 1024 // 1GB default
+	}
+
+	return &S3StreamingTarget{
+		S3Target:   base,
+		rotateSize: rotateSize,
+	}, nil
+}
+
+// Write writes with rotation support
+func (s *S3StreamingTarget) Write(ctx context.Context, events []*Event) error {
+	// Check if we need to rotate
+	if s.currentSize >= s.rotateSize {
+		if err := s.Flush(ctx); err != nil {
+			return err
+		}
+		s.currentSize = 0
+	}
+
+	// Estimate size
+	for _, ev := range events {
+		s.currentSize += int64(len(ev.RawData))
+	}
+
+	return s.S3Target.Write(ctx, events)
+}
--- a/Show More
+++ b/Show More