v5.7.7: DR Drill MariaDB fixes, SMTP notifications, verify paths

### Fixed (5.7.3 - 5.7.7) - MariaDB binlog position bug (4 vs 5 columns) - Notify test command ENV variable reading - SMTP 250 Ok response treated as error - Verify command absolute path handling - DR Drill for modern MariaDB containers: - Use mariadb-admin/mariadb client - TCP instead of socket connections - DROP DATABASE before restore ### Improved - Better --password flag error message - PostgreSQL peer auth fallback logging - Binlog warnings at DEBUG level
2026-02-03 13:42:02 +01:00
26 changed files with 722 additions and 150 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -5,6 +5,83 @@ All notable changes to dbbackup will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

+## [5.7.7] - 2026-02-03
+
+### Fixed
+- **DR Drill MariaDB**: Complete fixes for modern MariaDB containers
+  - Use TCP (127.0.0.1) instead of socket for health checks and restore
+  - Use `mariadb-admin` and `mariadb` client (not `mysqladmin`/`mysql`)
+  - Drop existing database before restore (backup contains CREATE DATABASE)
+  - Tested with MariaDB 12.1.2 image
+
+## [5.7.6] - 2026-02-03
+
+### Fixed
+- **Verify Command**: Fixed absolute path handling
+  - `dbbackup verify /full/path/to/backup.dump` now works correctly
+  - Previously always prefixed with `--backup-dir`, breaking absolute paths
+
+## [5.7.5] - 2026-02-03
+
+### Fixed
+- **SMTP Notifications**: Fixed false error on successful email delivery
+  - `client.Quit()` response "250 Ok: queued" was incorrectly treated as error
+  - Now properly closes data writer and ignores successful quit response
+
+## [5.7.4] - 2026-02-03
+
+### Fixed
+- **Notify Test Command** - Fixed `dbbackup notify test` to properly read NOTIFY_* environment variables
+  - Previously only checked `cfg.NotifyEnabled` which wasn't set from ENV
+  - Now uses `notify.ConfigFromEnv()` like the rest of the application
+  - Clear error messages showing exactly which ENV variables to set
+
+### Technical Details
+- `cmd/notify.go`: Refactored to use `notify.ConfigFromEnv()` instead of `cfg.*` fields
+
+## [5.7.3] - 2026-02-03
+
+### Fixed
+- **MariaDB Binlog Position Bug** - Fixed `getBinlogPosition()` to handle dynamic column count
+  - MariaDB `SHOW MASTER STATUS` returns 4 columns
+  - MySQL 5.6+ returns 5 columns (with `Executed_Gtid_Set`)
+  - Now tries 5 columns first, falls back to 4 columns for MariaDB compatibility
+
+### Improved
+- **Better `--password` Flag Error Message**
+  - Using `--password` now shows helpful error with instructions for `MYSQL_PWD`/`PGPASSWORD` environment variables
+  - Flag is hidden but accepted for better error handling
+
+- **Improved Fallback Logging for PostgreSQL Peer Authentication**
+  - Changed from `WARN: Native engine failed, falling back...` 
+  - Now shows `INFO: Native engine requires password auth, using pg_dump with peer authentication`
+  - Clearer indication that this is expected behavior, not an error
+
+- **Reduced Noise from Binlog Position Warnings**
+  - "Binary logging not enabled" now logged at DEBUG level (was WARN)
+  - "Insufficient privileges for binlog" now logged at DEBUG level (was WARN)
+  - Only unexpected errors still logged as WARN
+
+### Technical Details
+- `internal/engine/native/mysql.go`: Dynamic column detection in `getBinlogPosition()`
+- `cmd/root.go`: Added hidden `--password` flag with helpful error message
+- `cmd/backup_impl.go`: Improved fallback logging for peer auth scenarios
+
+## [5.7.2] - 2026-02-02
+
+### Added
+- Native engine improvements for production stability
+
+## [5.7.1] - 2026-02-02
+
+### Fixed
+- Minor stability fixes
+
+## [5.7.0] - 2026-02-02
+
+### Added
+- Enhanced native engine support for MariaDB
+
 ## [5.6.0] - 2026-02-02

 ### Performance Optimizations 🚀
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -17,9 +17,9 @@ Be respectful, constructive, and professional in all interactions. We're buildin

 **Bug Report Template:**
 ```
-**Version:** dbbackup v3.42.1
+**Version:** dbbackup v5.7.7
 **OS:** Linux/macOS/BSD
-**Database:** PostgreSQL 14 / MySQL 8.0 / MariaDB 10.6
+**Database:** PostgreSQL 14+ / MySQL 8.0+ / MariaDB 10.6+
 **Command:** The exact command that failed
 **Error:** Full error message and stack trace
 **Expected:** What you expected to happen
--- a/README.md
+++ b/README.md
@ -4,7 +4,7 @@ Database backup and restore utility for PostgreSQL, MySQL, and MariaDB.

 [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
 [![Go Version](https://img.shields.io/badge/Go-1.21+-00ADD8?logo=go)](https://golang.org/)
-[![Release](https://img.shields.io/badge/Release-v5.1.15-green.svg)](https://github.com/PlusOne/dbbackup/releases/latest)
+[![Release](https://img.shields.io/badge/Release-v5.7.7-green.svg)](https://git.uuxo.net/UUXO/dbbackup/releases/latest)

 **Repository:** https://git.uuxo.net/UUXO/dbbackup  
 **Mirror:** https://github.com/PlusOne/dbbackup
@ -92,7 +92,7 @@ Download from [releases](https://git.uuxo.net/UUXO/dbbackup/releases):

 ```bash
 # Linux x86_64
-wget https://git.uuxo.net/UUXO/dbbackup/releases/download/v3.42.74/dbbackup-linux-amd64
+wget https://git.uuxo.net/UUXO/dbbackup/releases/download/v5.7.7/dbbackup-linux-amd64
 chmod +x dbbackup-linux-amd64
 sudo mv dbbackup-linux-amd64 /usr/local/bin/dbbackup
 ```
@ -115,8 +115,9 @@ go build
 # PostgreSQL with peer authentication
 sudo -u postgres dbbackup interactive

-# MySQL/MariaDB
-dbbackup interactive --db-type mysql --user root --password secret
+# MySQL/MariaDB (use MYSQL_PWD env var for password)
+export MYSQL_PWD='secret'
+dbbackup interactive --db-type mysql --user root
 ```

 **Main Menu:**
@ -401,7 +402,7 @@ dbbackup backup single mydb --dry-run
 | `--host` | Database host | localhost |
 | `--port` | Database port | 5432/3306 |
 | `--user` | Database user | current user |
-| `--password` | Database password | - |
+| `MYSQL_PWD` / `PGPASSWORD` | Database password (env var) | - |
 | `--backup-dir` | Backup directory | ~/db_backups |
 | `--compression` | Compression level (0-9) | 6 |
 | `--jobs` | Parallel jobs | 8 |
@ -673,6 +674,22 @@ dbbackup backup single mydb
 - `dr_drill_passed`, `dr_drill_failed`
 - `gap_detected`, `rpo_violation`

+### Testing Notifications
+
+```bash
+# Test notification configuration
+export NOTIFY_SMTP_HOST="localhost"
+export NOTIFY_SMTP_PORT="25"
+export NOTIFY_SMTP_FROM="dbbackup@myserver.local"
+export NOTIFY_SMTP_TO="admin@example.com"
+
+dbbackup notify test --verbose
+# [OK] Notification sent successfully
+
+# For servers using STARTTLS with self-signed certs
+export NOTIFY_SMTP_STARTTLS="false"
+```
+
 ## Backup Catalog

 Track all backups in a SQLite catalog with gap detection and search:
@ -970,8 +987,12 @@ export PGPASSWORD=password
 ### MySQL/MariaDB Authentication

 ```bash
-# Command line
-dbbackup backup single mydb --db-type mysql --user root --password secret
+# Environment variable (recommended)
+export MYSQL_PWD='secret'
+dbbackup backup single mydb --db-type mysql --user root
+
+# Socket authentication (no password needed)
+dbbackup backup single mydb --db-type mysql --socket /var/run/mysqld/mysqld.sock

 # Configuration file
 cat > ~/.my.cnf << EOF
@ -982,6 +1003,9 @@ EOF
 chmod 0600 ~/.my.cnf
 ```

+> **Note:** The `--password` command-line flag is not supported for security reasons
+> (passwords would be visible in `ps aux` output). Use environment variables or config files.
+
 ### Configuration Persistence

 Settings are saved to `.dbbackup.conf` in the current directory:
--- a/SECURITY.md
+++ b/SECURITY.md
@ -6,9 +6,10 @@ We release security updates for the following versions:

 | Version | Supported          |
 | ------- | ------------------ |
-| 3.1.x   | :white_check_mark: |
-| 3.0.x   | :white_check_mark: |
-| < 3.0   | :x:                |
+| 5.7.x   | :white_check_mark: |
+| 5.6.x   | :white_check_mark: |
+| 5.5.x   | :white_check_mark: |
+| < 5.5   | :x:                |

 ## Reporting a Vulnerability

--- a/cmd/backup_impl.go
+++ b/cmd/backup_impl.go
@ -286,7 +286,13 @@ func runSingleBackup(ctx context.Context, databaseName string) error {
 		err = runNativeBackup(ctx, db, databaseName, backupType, baseBackup, backupStartTime, user)

 		if err != nil && cfg.FallbackToTools {
-			log.Warn("Native engine failed, falling back to external tools", "error", err)
+			// Check if this is an expected authentication failure (peer auth doesn't provide password to native engine)
+			errStr := err.Error()
+			if strings.Contains(errStr, "password authentication failed") || strings.Contains(errStr, "SASL auth") {
+				log.Info("Native engine requires password auth, using pg_dump with peer authentication")
+			} else {
+				log.Warn("Native engine failed, falling back to external tools", "error", err)
+			}
 			// Continue with tool-based backup below
 		} else {
 			// Native engine succeeded or no fallback configured
--- a/cmd/native_backup.go
+++ b/cmd/native_backup.go
@ -6,6 +6,7 @@ import (
 	"io"
 	"os"
 	"path/filepath"
+	"strings"
 	"time"

 	"dbbackup/internal/database"
@ -188,7 +189,7 @@ func detectDatabaseTypeFromConfig() string {
 	return "unknown"
 }

-// buildNativeDSN builds a PostgreSQL DSN from the global configuration
+// buildNativeDSN builds a DSN from the global configuration for the appropriate database type
 func buildNativeDSN(databaseName string) string {
 	if cfg == nil {
 		return ""
@ -199,9 +200,39 @@ func buildNativeDSN(databaseName string) string {
 		host = "localhost"
 	}

+	dbName := databaseName
+	if dbName == "" {
+		dbName = cfg.Database
+	}
+
+	// Build MySQL DSN for MySQL/MariaDB
+	if cfg.IsMySQL() {
+		port := cfg.Port
+		if port == 0 {
+			port = 3306 // MySQL default port
+		}
+
+		user := cfg.User
+		if user == "" {
+			user = "root"
+		}
+
+		// MySQL DSN format: user:password@tcp(host:port)/dbname
+		dsn := user
+		if cfg.Password != "" {
+			dsn += ":" + cfg.Password
+		}
+		dsn += fmt.Sprintf("@tcp(%s:%d)/", host, port)
+		if dbName != "" {
+			dsn += dbName
+		}
+		return dsn
+	}
+
+	// Build PostgreSQL DSN (default)
 	port := cfg.Port
 	if port == 0 {
-		port = 5432
+		port = 5432 // PostgreSQL default port
 	}

 	user := cfg.User
@ -209,25 +240,38 @@ func buildNativeDSN(databaseName string) string {
 		user = "postgres"
 	}

-	dbName := databaseName
-	if dbName == "" {
-		dbName = cfg.Database
-	}
 	if dbName == "" {
 		dbName = "postgres"
 	}

+	// Check if host is a Unix socket path (starts with /)
+	isSocketPath := strings.HasPrefix(host, "/")
+
 	dsn := fmt.Sprintf("postgres://%s", user)
 	if cfg.Password != "" {
 		dsn += ":" + cfg.Password
 	}
-	dsn += fmt.Sprintf("@%s:%d/%s", host, port, dbName)
+
+	if isSocketPath {
+		// Unix socket: use host parameter in query string
+		// pgx format: postgres://user@/dbname?host=/var/run/postgresql
+		dsn += fmt.Sprintf("@/%s", dbName)
+	} else {
+		// TCP connection: use host:port in authority
+		dsn += fmt.Sprintf("@%s:%d/%s", host, port, dbName)
+	}

 	sslMode := cfg.SSLMode
 	if sslMode == "" {
 		sslMode = "prefer"
 	}
-	dsn += "?sslmode=" + sslMode
+
+	if isSocketPath {
+		// For Unix sockets, add host parameter and disable SSL
+		dsn += fmt.Sprintf("?host=%s&sslmode=disable", host)
+	} else {
+		dsn += "?sslmode=" + sslMode
+	}

 	return dsn
 }
--- a/cmd/notify.go
+++ b/cmd/notify.go
@ -54,19 +54,29 @@ func init() {
 }

 func runNotifyTest(cmd *cobra.Command, args []string) error {
-	if !cfg.NotifyEnabled {
-		fmt.Println("[WARN] Notifications are disabled")
-		fmt.Println("Enable with: --notify-enabled")
+	// Load notification config from environment variables (same as root.go)
+	notifyCfg := notify.ConfigFromEnv()
+
+	// Check if any notification method is configured
+	if !notifyCfg.SMTPEnabled && !notifyCfg.WebhookEnabled {
+		fmt.Println("[WARN] No notification endpoints configured")
 		fmt.Println()
-		fmt.Println("Example configuration:")
-		fmt.Println("  notify_enabled = true")
-		fmt.Println("  notify_on_success = true")
-		fmt.Println("  notify_on_failure = true")
-		fmt.Println("  notify_webhook_url = \"https://your-webhook-url\"")
-		fmt.Println("  # or")
-		fmt.Println("  notify_smtp_host = \"smtp.example.com\"")
-		fmt.Println("  notify_smtp_from = \"backups@example.com\"")
-		fmt.Println("  notify_smtp_to = \"admin@example.com\"")
+		fmt.Println("Configure via environment variables:")
+		fmt.Println()
+		fmt.Println("  SMTP Email:")
+		fmt.Println("    NOTIFY_SMTP_HOST=smtp.example.com")
+		fmt.Println("    NOTIFY_SMTP_PORT=587")
+		fmt.Println("    NOTIFY_SMTP_FROM=backups@example.com")
+		fmt.Println("    NOTIFY_SMTP_TO=admin@example.com")
+		fmt.Println()
+		fmt.Println("  Webhook:")
+		fmt.Println("    NOTIFY_WEBHOOK_URL=https://your-webhook-url")
+		fmt.Println()
+		fmt.Println("  Optional:")
+		fmt.Println("    NOTIFY_SMTP_USER=username")
+		fmt.Println("    NOTIFY_SMTP_PASSWORD=password")
+		fmt.Println("    NOTIFY_SMTP_STARTTLS=true")
+		fmt.Println("    NOTIFY_WEBHOOK_SECRET=hmac-secret")
 		return nil
 	}

@ -79,52 +89,19 @@ func runNotifyTest(cmd *cobra.Command, args []string) error {
 	fmt.Println("[TEST] Testing notification configuration...")
 	fmt.Println()

-	// Check what's configured
-	hasWebhook := cfg.NotifyWebhookURL != ""
-	hasSMTP := cfg.NotifySMTPHost != ""
-
-	if !hasWebhook && !hasSMTP {
-		fmt.Println("[WARN] No notification endpoints configured")
-		fmt.Println()
-		fmt.Println("Configure at least one:")
-		fmt.Println("  --notify-webhook-url URL         # Generic webhook")
-		fmt.Println("  --notify-smtp-host HOST          # Email (requires SMTP settings)")
-		return nil
-	}
-
 	// Show what will be tested
-	if hasWebhook {
-		fmt.Printf("[INFO] Webhook configured: %s\n", cfg.NotifyWebhookURL)
+	if notifyCfg.WebhookEnabled {
+		fmt.Printf("[INFO] Webhook configured: %s\n", notifyCfg.WebhookURL)
 	}
-	if hasSMTP {
-		fmt.Printf("[INFO] SMTP configured: %s:%d\n", cfg.NotifySMTPHost, cfg.NotifySMTPPort)
-		fmt.Printf("       From: %s\n", cfg.NotifySMTPFrom)
-		if len(cfg.NotifySMTPTo) > 0 {
-			fmt.Printf("       To:   %v\n", cfg.NotifySMTPTo)
+	if notifyCfg.SMTPEnabled {
+		fmt.Printf("[INFO] SMTP configured: %s:%d\n", notifyCfg.SMTPHost, notifyCfg.SMTPPort)
+		fmt.Printf("       From: %s\n", notifyCfg.SMTPFrom)
+		if len(notifyCfg.SMTPTo) > 0 {
+			fmt.Printf("       To:   %v\n", notifyCfg.SMTPTo)
 		}
 	}
 	fmt.Println()

-	// Create notification config
-	notifyCfg := notify.Config{
-		SMTPEnabled:  hasSMTP,
-		SMTPHost:     cfg.NotifySMTPHost,
-		SMTPPort:     cfg.NotifySMTPPort,
-		SMTPUser:     cfg.NotifySMTPUser,
-		SMTPPassword: cfg.NotifySMTPPassword,
-		SMTPFrom:     cfg.NotifySMTPFrom,
-		SMTPTo:       cfg.NotifySMTPTo,
-		SMTPTLS:      cfg.NotifySMTPTLS,
-		SMTPStartTLS: cfg.NotifySMTPStartTLS,
-
-		WebhookEnabled: hasWebhook,
-		WebhookURL:     cfg.NotifyWebhookURL,
-		WebhookMethod:  "POST",
-
-		OnSuccess: true,
-		OnFailure: true,
-	}
-
 	// Create manager
 	manager := notify.NewManager(notifyCfg)

--- a/cmd/placeholder.go
+++ b/cmd/placeholder.go
@ -423,8 +423,13 @@ func runVerify(ctx context.Context, archiveName string) error {
 	fmt.Println(" Backup Archive Verification")
 	fmt.Println("==============================================================")

-	// Construct full path to archive
-	archivePath := filepath.Join(cfg.BackupDir, archiveName)
+	// Construct full path to archive - use as-is if already absolute
+	var archivePath string
+	if filepath.IsAbs(archiveName) {
+		archivePath = archiveName
+	} else {
+		archivePath = filepath.Join(cfg.BackupDir, archiveName)
+	}

 	// Check if archive exists
 	if _, err := os.Stat(archivePath); os.IsNotExist(err) {
--- a/cmd/root.go
+++ b/cmd/root.go
@ -125,9 +125,15 @@ For help with specific commands, use: dbbackup [command] --help`,
 		}

 		// Auto-detect socket from --host path (if host starts with /)
+		// For MySQL/MariaDB: set Socket and reset Host to localhost
+		// For PostgreSQL: keep Host as socket path (pgx/libpq handle it correctly)
 		if strings.HasPrefix(cfg.Host, "/") && cfg.Socket == "" {
-			cfg.Socket = cfg.Host
-			cfg.Host = "localhost" // Reset host for socket connections
+			if cfg.IsMySQL() {
+				// MySQL uses separate Socket field, Host should be localhost
+				cfg.Socket = cfg.Host
+				cfg.Host = "localhost"
+			}
+			// For PostgreSQL, keep cfg.Host as the socket path - pgx handles this correctly
 		}

 		return cfg.SetDatabaseType(cfg.DatabaseType)
@ -164,7 +170,16 @@ func Execute(ctx context.Context, config *config.Config, logger logger.Logger) e
 	rootCmd.PersistentFlags().StringVar(&cfg.User, "user", cfg.User, "Database user")
 	rootCmd.PersistentFlags().StringVar(&cfg.Database, "database", cfg.Database, "Database name")
 	// SECURITY: Password flag removed - use PGPASSWORD/MYSQL_PWD environment variable or .pgpass file
-	// rootCmd.PersistentFlags().StringVar(&cfg.Password, "password", cfg.Password, "Database password")
+	// Provide helpful error message for users expecting --password flag
+	var deprecatedPassword string
+	rootCmd.PersistentFlags().StringVar(&deprecatedPassword, "password", "", "DEPRECATED: Use MYSQL_PWD or PGPASSWORD environment variable instead")
+	rootCmd.PersistentFlags().MarkHidden("password")
+	rootCmd.PersistentPreRunE = func(cmd *cobra.Command, args []string) error {
+		if deprecatedPassword != "" {
+			return fmt.Errorf("--password flag is not supported for security reasons. Use environment variables instead:\n  - MySQL/MariaDB: export MYSQL_PWD='your_password'\n  - PostgreSQL: export PGPASSWORD='your_password' or use .pgpass file")
+		}
+		return nil
+	}
 	rootCmd.PersistentFlags().StringVarP(&cfg.DatabaseType, "db-type", "d", cfg.DatabaseType, "Database type (postgres|mysql|mariadb)")
 	rootCmd.PersistentFlags().StringVar(&cfg.BackupDir, "backup-dir", cfg.BackupDir, "Backup directory")
 	rootCmd.PersistentFlags().BoolVar(&cfg.NoColor, "no-color", cfg.NoColor, "Disable colored output")
--- a/deploy/ansible/deploy-production.yml
+++ b/deploy/ansible/deploy-production.yml
@ -0,0 +1,104 @@
+---
+# dbbackup Production Deployment Playbook
+# Deploys dbbackup binary and verifies backup jobs
+#
+# Usage (from dev.uuxo.net):
+#   ansible-playbook -i inventory.yml deploy-production.yml
+#   ansible-playbook -i inventory.yml deploy-production.yml --limit mysql01.uuxoi.local
+#   ansible-playbook -i inventory.yml deploy-production.yml --tags binary  # Only deploy binary
+
+- name: Deploy dbbackup to production DB hosts
+  hosts: db_servers
+  become: yes
+  
+  vars:
+    # Binary source: /tmp/dbbackup_linux_amd64 on Ansible controller (dev.uuxo.net)
+    local_binary: "{{ dbbackup_binary_src | default('/tmp/dbbackup_linux_amd64') }}"
+    install_path: /usr/local/bin/dbbackup
+  
+  tasks:
+    - name: Deploy dbbackup binary
+      tags: [binary, deploy]
+      block:
+        - name: Copy dbbackup binary
+          copy:
+            src: "{{ local_binary }}"
+            dest: "{{ install_path }}"
+            mode: "0755"
+            owner: root
+            group: root
+          register: binary_deployed
+
+        - name: Verify dbbackup version
+          command: "{{ install_path }} --version"
+          register: version_check
+          changed_when: false
+
+        - name: Display installed version
+          debug:
+            msg: "{{ inventory_hostname }}: {{ version_check.stdout }}"
+
+    - name: Check backup configuration
+      tags: [verify, check]
+      block:
+        - name: Check backup script exists
+          stat:
+            path: "/opt/dbbackup/bin/{{ dbbackup_backup_script | default('backup.sh') }}"
+          register: backup_script
+
+        - name: Display backup script status
+          debug:
+            msg: "Backup script: {{ 'EXISTS' if backup_script.stat.exists else 'MISSING' }}"
+
+        - name: Check systemd timer status
+          shell: systemctl list-timers --no-pager | grep dbbackup || echo "No timer found"
+          register: timer_status
+          changed_when: false
+
+        - name: Display timer status
+          debug:
+            msg: "{{ timer_status.stdout_lines }}"
+
+        - name: Check exporter service
+          shell: systemctl is-active dbbackup-exporter 2>/dev/null || echo "not running"
+          register: exporter_status
+          changed_when: false
+
+        - name: Display exporter status
+          debug:
+            msg: "Exporter: {{ exporter_status.stdout }}"
+
+    - name: Run test backup (dry-run)
+      tags: [test, never]
+      block:
+        - name: Execute dry-run backup
+          command: >
+            {{ install_path }} backup single {{ dbbackup_databases[0] }}
+            --db-type {{ dbbackup_db_type }}
+            {% if dbbackup_socket is defined %}--socket {{ dbbackup_socket }}{% endif %}
+            {% if dbbackup_host is defined %}--host {{ dbbackup_host }}{% endif %}
+            {% if dbbackup_port is defined %}--port {{ dbbackup_port }}{% endif %}
+            --user root
+            --allow-root
+            --dry-run
+          environment:
+            MYSQL_PWD: "{{ dbbackup_password | default('') }}"
+          register: dryrun_result
+          changed_when: false
+          ignore_errors: yes
+
+        - name: Display dry-run result
+          debug:
+            msg: "{{ dryrun_result.stdout_lines[-5:] }}"
+
+  post_tasks:
+    - name: Deployment summary
+      debug:
+        msg: |
+          === {{ inventory_hostname }} ===
+          Version: {{ version_check.stdout | default('unknown') }}
+          DB Type: {{ dbbackup_db_type }}
+          Databases: {{ dbbackup_databases | join(', ') }}
+          Backup Dir: {{ dbbackup_backup_dir }}
+          Timer: {{ 'active' if 'dbbackup' in timer_status.stdout else 'not configured' }}
+          Exporter: {{ exporter_status.stdout }}
--- a/deploy/ansible/inventory.yml
+++ b/deploy/ansible/inventory.yml
@ -0,0 +1,56 @@
+# dbbackup Production Inventory
+# Ansible läuft auf dev.uuxo.net - direkter SSH-Zugang zu allen Hosts
+
+all:
+  vars:
+    ansible_user: root
+    ansible_ssh_common_args: '-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'
+    dbbackup_version: "5.7.2"
+    # Binary wird von dev.uuxo.net aus deployed (dort liegt es in /tmp nach scp)
+    dbbackup_binary_src: "/tmp/dbbackup_linux_amd64"
+
+  children:
+    db_servers:
+      hosts:
+        mysql01.uuxoi.local:
+          dbbackup_db_type: mariadb
+          dbbackup_databases: 
+            - ejabberd
+          dbbackup_backup_dir: /mnt/smb-mysql01/backups/databases
+          dbbackup_socket: /var/run/mysqld/mysqld.sock
+          dbbackup_pitr_enabled: true
+          dbbackup_backup_script: backup-mysql01.sh
+
+        alternate.uuxoi.local:
+          dbbackup_db_type: mariadb
+          dbbackup_databases:
+            - dbispconfig
+            - c1aps1
+            - c2marianskronkorken
+            - matomo
+            - phpmyadmin
+            - roundcube
+            - roundcubemail
+          dbbackup_backup_dir: /mnt/smb-alternate/backups/databases
+          dbbackup_host: 127.0.0.1
+          dbbackup_port: 3306
+          dbbackup_password: "xt3kci28"
+          dbbackup_backup_script: backup-alternate.sh
+
+        cloud.uuxoi.local:
+          dbbackup_db_type: mariadb
+          dbbackup_databases:
+            - nextcloud_db
+          dbbackup_backup_dir: /mnt/smb-cloud/backups/dedup
+          dbbackup_socket: /var/run/mysqld/mysqld.sock
+          dbbackup_dedup_enabled: true
+          dbbackup_backup_script: backup-cloud.sh
+
+    # Hosts mit speziellen Anforderungen
+    special_hosts:
+      hosts:
+        git.uuxoi.local:
+          dbbackup_db_type: mariadb
+          dbbackup_databases:
+            - gitea
+          dbbackup_note: "Docker-based MariaDB - needs SSH key setup"
--- a/docs/ENGINES.md
+++ b/docs/ENGINES.md
@ -370,6 +370,39 @@ SET GLOBAL gtid_mode = ON;
 4. **Monitoring**: Check progress with `dbbackup status`
 5. **Testing**: Verify restores regularly with `dbbackup verify`

+## Authentication
+
+### Password Handling (Security)
+
+For security reasons, dbbackup does **not** support `--password` as a command-line flag. Passwords should be passed via environment variables:
+
+```bash
+# MySQL/MariaDB
+export MYSQL_PWD='your_password'
+dbbackup backup single mydb --db-type mysql
+
+# PostgreSQL  
+export PGPASSWORD='your_password'
+dbbackup backup single mydb --db-type postgres
+```
+
+Alternative methods:
+- **MySQL/MariaDB**: Use socket authentication with `--socket /var/run/mysqld/mysqld.sock`
+- **PostgreSQL**: Use peer authentication by running as the postgres user
+
+### PostgreSQL Peer Authentication
+
+When using PostgreSQL with peer authentication (running as the `postgres` user), the native engine will automatically fall back to `pg_dump` since peer auth doesn't provide a password for the native protocol:
+
+```bash
+# This works - dbbackup detects peer auth and uses pg_dump
+sudo -u postgres dbbackup backup single mydb -d postgres
+```
+
+You'll see: `INFO: Native engine requires password auth, using pg_dump with peer authentication`
+
+This is expected behavior, not an error.
+
 ## See Also

 - [PITR.md](PITR.md) - Point-in-Time Recovery guide
--- a/internal/config/config.go
+++ b/internal/config/config.go
@ -319,7 +319,8 @@ func (c *Config) UpdateFromEnvironment() {
 	if password := os.Getenv("PGPASSWORD"); password != "" {
 		c.Password = password
 	}
-	if password := os.Getenv("MYSQL_PWD"); password != "" && c.DatabaseType == "mysql" {
+	// MYSQL_PWD works for both mysql and mariadb
+	if password := os.Getenv("MYSQL_PWD"); password != "" && (c.DatabaseType == "mysql" || c.DatabaseType == "mariadb") {
 		c.Password = password
 	}
 }
--- a/internal/database/postgresql.go
+++ b/internal/database/postgresql.go
@ -324,12 +324,21 @@ func (p *PostgreSQL) BuildBackupCommand(database, outputFile string, options Bac
 	cmd := []string{"pg_dump"}

 	// Connection parameters
-	// CRITICAL: Always pass port even for localhost - user may have non-standard port
-	if p.cfg.Host != "localhost" && p.cfg.Host != "127.0.0.1" && p.cfg.Host != "" {
+	// CRITICAL: For Unix socket paths (starting with /), use -h with socket dir but NO port
+	// This enables peer authentication via socket. Port would force TCP connection.
+	isSocketPath := strings.HasPrefix(p.cfg.Host, "/")
+	if isSocketPath {
+		// Unix socket: use -h with socket directory, no port needed
+		cmd = append(cmd, "-h", p.cfg.Host)
+	} else if p.cfg.Host != "localhost" && p.cfg.Host != "127.0.0.1" && p.cfg.Host != "" {
+		// Remote host: use -h and port
 		cmd = append(cmd, "-h", p.cfg.Host)
 		cmd = append(cmd, "--no-password")
+		cmd = append(cmd, "-p", strconv.Itoa(p.cfg.Port))
+	} else {
+		// localhost: always pass port for non-standard port configs
+		cmd = append(cmd, "-p", strconv.Itoa(p.cfg.Port))
 	}
-	cmd = append(cmd, "-p", strconv.Itoa(p.cfg.Port))
 	cmd = append(cmd, "-U", p.cfg.User)

 	// Format and compression
@ -347,9 +356,10 @@ func (p *PostgreSQL) BuildBackupCommand(database, outputFile string, options Bac
 		cmd = append(cmd, "--compress="+strconv.Itoa(options.Compression))
 	}

-	// Parallel jobs (supported for directory and custom formats since PostgreSQL 9.3)
+	// Parallel jobs (ONLY supported for directory format in pg_dump)
+	// NOTE: custom format does NOT support --jobs despite PostgreSQL docs being unclear
 	// NOTE: plain format does NOT support --jobs (it's single-threaded by design)
-	if options.Parallel > 1 && (options.Format == "directory" || options.Format == "custom") {
+	if options.Parallel > 1 && options.Format == "directory" {
 		cmd = append(cmd, "--jobs="+strconv.Itoa(options.Parallel))
 	}

@ -390,12 +400,21 @@ func (p *PostgreSQL) BuildRestoreCommand(database, inputFile string, options Res
 	cmd := []string{"pg_restore"}

 	// Connection parameters
-	// CRITICAL: Always pass port even for localhost - user may have non-standard port
-	if p.cfg.Host != "localhost" && p.cfg.Host != "127.0.0.1" && p.cfg.Host != "" {
+	// CRITICAL: For Unix socket paths (starting with /), use -h with socket dir but NO port
+	// This enables peer authentication via socket. Port would force TCP connection.
+	isSocketPath := strings.HasPrefix(p.cfg.Host, "/")
+	if isSocketPath {
+		// Unix socket: use -h with socket directory, no port needed
+		cmd = append(cmd, "-h", p.cfg.Host)
+	} else if p.cfg.Host != "localhost" && p.cfg.Host != "127.0.0.1" && p.cfg.Host != "" {
+		// Remote host: use -h and port
 		cmd = append(cmd, "-h", p.cfg.Host)
 		cmd = append(cmd, "--no-password")
+		cmd = append(cmd, "-p", strconv.Itoa(p.cfg.Port))
+	} else {
+		// localhost: always pass port for non-standard port configs
+		cmd = append(cmd, "-p", strconv.Itoa(p.cfg.Port))
 	}
-	cmd = append(cmd, "-p", strconv.Itoa(p.cfg.Port))
 	cmd = append(cmd, "-U", p.cfg.User)

 	// Parallel jobs (incompatible with --single-transaction per PostgreSQL docs)
@ -486,6 +505,15 @@ func (p *PostgreSQL) buildPgxDSN() string {
 	// pgx supports both URL and keyword=value formats
 	// Use keyword format for Unix sockets, URL for TCP

+	// Check if host is an explicit Unix socket path (starts with /)
+	if strings.HasPrefix(p.cfg.Host, "/") {
+		// User provided explicit socket directory path
+		dsn := fmt.Sprintf("user=%s dbname=%s host=%s sslmode=disable",
+			p.cfg.User, p.cfg.Database, p.cfg.Host)
+		p.log.Debug("Using explicit PostgreSQL socket path", "path", p.cfg.Host)
+		return dsn
+	}
+
 	// Try Unix socket first for localhost without password
 	if p.cfg.Host == "localhost" && p.cfg.Password == "" {
 		socketDirs := []string{
--- a/internal/drill/docker.go
+++ b/internal/drill/docker.go
@ -147,9 +147,10 @@ func (dm *DockerManager) healthCheckCommand(dbType string) []string {
 	case "postgresql", "postgres":
 		return []string{"pg_isready", "-U", "postgres"}
 	case "mysql":
-		return []string{"mysqladmin", "ping", "-h", "localhost", "-u", "root", "--password=root"}
+		return []string{"mysqladmin", "ping", "-h", "127.0.0.1", "-u", "root", "--password=root"}
 	case "mariadb":
-		return []string{"mariadb-admin", "ping", "-h", "localhost", "-u", "root", "--password=root"}
+		// Use mariadb-admin with TCP connection
+		return []string{"mariadb-admin", "ping", "-h", "127.0.0.1", "-u", "root", "--password=root"}
 	default:
 		return []string{"echo", "ok"}
 	}
--- a/internal/drill/engine.go
+++ b/internal/drill/engine.go
@ -340,10 +340,21 @@ func (e *Engine) executeRestore(ctx context.Context, config *DrillConfig, contai
 		}

 	case "mysql":
-		cmd = []string{"sh", "-c", fmt.Sprintf("mysql -u root --password=root %s < %s", config.DatabaseName, backupPath)}
+		// Drop database if exists (backup contains CREATE DATABASE)
+		_, _ = e.docker.ExecCommand(ctx, containerID, []string{
+			"mysql", "-h", "127.0.0.1", "-u", "root", "--password=root", "-e",
+			fmt.Sprintf("DROP DATABASE IF EXISTS %s", config.DatabaseName),
+		})
+		cmd = []string{"sh", "-c", fmt.Sprintf("mysql -h 127.0.0.1 -u root --password=root < %s", backupPath)}

 	case "mariadb":
-		cmd = []string{"sh", "-c", fmt.Sprintf("mariadb -u root --password=root %s < %s", config.DatabaseName, backupPath)}
+		// Drop database if exists (backup contains CREATE DATABASE)
+		_, _ = e.docker.ExecCommand(ctx, containerID, []string{
+			"mariadb", "-h", "127.0.0.1", "-u", "root", "--password=root", "-e",
+			fmt.Sprintf("DROP DATABASE IF EXISTS %s", config.DatabaseName),
+		})
+		// Use mariadb client (mysql symlink may not exist in newer images)
+		cmd = []string{"sh", "-c", fmt.Sprintf("mariadb -h 127.0.0.1 -u root --password=root < %s", backupPath)}

 	default:
 		return fmt.Errorf("unsupported database type: %s", config.DatabaseType)
--- a/internal/engine/native/mysql.go
+++ b/internal/engine/native/mysql.go
@ -138,7 +138,15 @@ func (e *MySQLNativeEngine) Backup(ctx context.Context, outputWriter io.Writer)
 	// Get binlog position for PITR
 	binlogPos, err := e.getBinlogPosition(ctx)
 	if err != nil {
-		e.log.Warn("Failed to get binlog position", "error", err)
+		// Only warn about binlog errors if it's not "no rows" (binlog disabled) or permission errors
+		errStr := err.Error()
+		if strings.Contains(errStr, "no rows in result set") {
+			e.log.Debug("Binary logging not enabled on this server, skipping binlog position capture")
+		} else if strings.Contains(errStr, "Access denied") || strings.Contains(errStr, "BINLOG MONITOR") {
+			e.log.Debug("Insufficient privileges for binlog position (PITR requires BINLOG MONITOR or SUPER privilege)")
+		} else {
+			e.log.Warn("Failed to get binlog position", "error", err)
+		}
 	}

 	// Start transaction for consistent backup
@ -386,6 +394,10 @@ func (e *MySQLNativeEngine) buildDSN() string {
 		ReadTimeout:  30 * time.Second,
 		WriteTimeout: 30 * time.Second,

+		// Auth settings - required for MariaDB unix_socket auth
+		AllowNativePasswords: true,
+		AllowOldPasswords:    true,
+
 		// Character set
 		Params: map[string]string{
 			"charset":   "utf8mb4",
@ -418,21 +430,34 @@ func (e *MySQLNativeEngine) buildDSN() string {
 func (e *MySQLNativeEngine) getBinlogPosition(ctx context.Context) (*BinlogPosition, error) {
 	var file string
 	var position int64
+	var binlogDoDB, binlogIgnoreDB sql.NullString
+	var executedGtidSet sql.NullString // MySQL 5.6+ has 5th column

 	// Try MySQL 8.0.22+ syntax first, then fall back to legacy
+	// Note: MySQL 8.0.22+ uses SHOW BINARY LOG STATUS
+	// MySQL 5.6+ has 5 columns: File, Position, Binlog_Do_DB, Binlog_Ignore_DB, Executed_Gtid_Set
+	// MariaDB has 4 columns: File, Position, Binlog_Do_DB, Binlog_Ignore_DB
 	row := e.db.QueryRowContext(ctx, "SHOW BINARY LOG STATUS")
-	err := row.Scan(&file, &position, nil, nil, nil)
+	err := row.Scan(&file, &position, &binlogDoDB, &binlogIgnoreDB, &executedGtidSet)
 	if err != nil {
-		// Fall back to legacy syntax for older MySQL versions
+		// Fall back to legacy syntax for older MySQL/MariaDB versions
 		row = e.db.QueryRowContext(ctx, "SHOW MASTER STATUS")
-		if err = row.Scan(&file, &position, nil, nil, nil); err != nil {
-			return nil, fmt.Errorf("failed to get binlog status: %w", err)
+		// Try 5 columns first (MySQL 5.6+)
+		err = row.Scan(&file, &position, &binlogDoDB, &binlogIgnoreDB, &executedGtidSet)
+		if err != nil {
+			// MariaDB only has 4 columns
+			row = e.db.QueryRowContext(ctx, "SHOW MASTER STATUS")
+			if err = row.Scan(&file, &position, &binlogDoDB, &binlogIgnoreDB); err != nil {
+				return nil, fmt.Errorf("failed to get binlog status: %w", err)
+			}
 		}
 	}

-	// Try to get GTID set (MySQL 5.6+)
+	// Try to get GTID set (MySQL 5.6+ / MariaDB 10.0+)
 	var gtidSet string
-	if row := e.db.QueryRowContext(ctx, "SELECT @@global.gtid_executed"); row != nil {
+	if executedGtidSet.Valid && executedGtidSet.String != "" {
+		gtidSet = executedGtidSet.String
+	} else if row := e.db.QueryRowContext(ctx, "SELECT @@global.gtid_executed"); row != nil {
 		row.Scan(&gtidSet)
 	}

@ -689,7 +714,8 @@ func (e *MySQLNativeEngine) getTableInfo(ctx context.Context, database, table st
 	row := e.db.QueryRowContext(ctx, query, database, table)

 	var info MySQLTableInfo
-	var autoInc, createTime, updateTime sql.NullInt64
+	var autoInc sql.NullInt64
+	var createTime, updateTime sql.NullTime
 	var collation sql.NullString

 	err := row.Scan(&info.Name, &info.Engine, &collation, &info.RowCount,
@ -705,13 +731,11 @@ func (e *MySQLNativeEngine) getTableInfo(ctx context.Context, database, table st
 	}

 	if createTime.Valid {
-		createTimeVal := time.Unix(createTime.Int64, 0)
-		info.CreateTime = &createTimeVal
+		info.CreateTime = &createTime.Time
 	}

 	if updateTime.Valid {
-		updateTimeVal := time.Unix(updateTime.Int64, 0)
-		info.UpdateTime = &updateTimeVal
+		info.UpdateTime = &updateTime.Time
 	}

 	return &info, nil
--- a/internal/engine/native/postgresql.go
+++ b/internal/engine/native/postgresql.go
@ -592,18 +592,29 @@ func (e *PostgreSQLNativeEngine) formatDataType(dataType, udtName string, maxLen

 // Helper methods
 func (e *PostgreSQLNativeEngine) buildConnectionString() string {
+	// Check if host is a Unix socket path (starts with /)
+	isSocketPath := strings.HasPrefix(e.cfg.Host, "/")
+
 	parts := []string{
 		fmt.Sprintf("host=%s", e.cfg.Host),
-		fmt.Sprintf("port=%d", e.cfg.Port),
-		fmt.Sprintf("user=%s", e.cfg.User),
-		fmt.Sprintf("dbname=%s", e.cfg.Database),
 	}

+	// Only add port for TCP connections, not for Unix sockets
+	if !isSocketPath {
+		parts = append(parts, fmt.Sprintf("port=%d", e.cfg.Port))
+	}
+
+	parts = append(parts, fmt.Sprintf("user=%s", e.cfg.User))
+	parts = append(parts, fmt.Sprintf("dbname=%s", e.cfg.Database))
+
 	if e.cfg.Password != "" {
 		parts = append(parts, fmt.Sprintf("password=%s", e.cfg.Password))
 	}

-	if e.cfg.SSLMode != "" {
+	if isSocketPath {
+		// Unix socket connections don't use SSL
+		parts = append(parts, "sslmode=disable")
+	} else if e.cfg.SSLMode != "" {
 		parts = append(parts, fmt.Sprintf("sslmode=%s", e.cfg.SSLMode))
 	} else {
 		parts = append(parts, "sslmode=prefer")
--- a/internal/engine/native/profile.go
+++ b/internal/engine/native/profile.go
@ -2,12 +2,14 @@ package native

 import (
 	"context"
+	"database/sql"
 	"fmt"
 	"os"
 	"runtime"
 	"strings"
 	"time"

+	_ "github.com/go-sql-driver/mysql"
 	"github.com/jackc/pgx/v5/pgxpool"
 	"github.com/shirou/gopsutil/v3/cpu"
 	"github.com/shirou/gopsutil/v3/disk"
@ -355,6 +357,19 @@ func detectDiskProfile(ctx context.Context) (*DiskProfile, error) {

 // detectDatabaseProfile queries database for capabilities
 func detectDatabaseProfile(ctx context.Context, dsn string) (*DatabaseProfile, error) {
+	// Detect DSN type by format
+	if strings.HasPrefix(dsn, "postgres://") || strings.HasPrefix(dsn, "postgresql://") {
+		return detectPostgresDatabaseProfile(ctx, dsn)
+	}
+	// MySQL DSN format: user:password@tcp(host:port)/dbname
+	if strings.Contains(dsn, "@tcp(") || strings.Contains(dsn, "@unix(") {
+		return detectMySQLDatabaseProfile(ctx, dsn)
+	}
+	return nil, fmt.Errorf("unsupported DSN format for database profiling")
+}
+
+// detectPostgresDatabaseProfile profiles PostgreSQL database
+func detectPostgresDatabaseProfile(ctx context.Context, dsn string) (*DatabaseProfile, error) {
 	// Create temporary pool with minimal connections
 	poolConfig, err := pgxpool.ParseConfig(dsn)
 	if err != nil {
@ -449,6 +464,104 @@ func detectDatabaseProfile(ctx context.Context, dsn string) (*DatabaseProfile, e
 	return profile, nil
 }

+// detectMySQLDatabaseProfile profiles MySQL/MariaDB database
+func detectMySQLDatabaseProfile(ctx context.Context, dsn string) (*DatabaseProfile, error) {
+	db, err := sql.Open("mysql", dsn)
+	if err != nil {
+		return nil, err
+	}
+	defer db.Close()
+
+	// Configure connection pool
+	db.SetMaxOpenConns(2)
+	db.SetMaxIdleConns(1)
+	db.SetConnMaxLifetime(30 * time.Second)
+
+	if err := db.PingContext(ctx); err != nil {
+		return nil, fmt.Errorf("failed to connect to MySQL: %w", err)
+	}
+
+	profile := &DatabaseProfile{}
+
+	// Get MySQL version
+	err = db.QueryRowContext(ctx, "SELECT version()").Scan(&profile.Version)
+	if err != nil {
+		return nil, err
+	}
+
+	// Get max_connections
+	var maxConns int
+	row := db.QueryRowContext(ctx, "SELECT @@max_connections")
+	if err := row.Scan(&maxConns); err == nil {
+		profile.MaxConnections = maxConns
+	}
+
+	// Get innodb_buffer_pool_size (equivalent to shared_buffers)
+	var bufferPoolSize uint64
+	row = db.QueryRowContext(ctx, "SELECT @@innodb_buffer_pool_size")
+	if err := row.Scan(&bufferPoolSize); err == nil {
+		profile.SharedBuffers = bufferPoolSize
+	}
+
+	// Get sort_buffer_size (somewhat equivalent to work_mem)
+	var sortBuffer uint64
+	row = db.QueryRowContext(ctx, "SELECT @@sort_buffer_size")
+	if err := row.Scan(&sortBuffer); err == nil {
+		profile.WorkMem = sortBuffer
+	}
+
+	// Estimate database size
+	var dbSize sql.NullInt64
+	row = db.QueryRowContext(ctx, `
+		SELECT SUM(data_length + index_length) 
+		FROM information_schema.tables 
+		WHERE table_schema = DATABASE()`)
+	if err := row.Scan(&dbSize); err == nil && dbSize.Valid {
+		profile.EstimatedSize = uint64(dbSize.Int64)
+	}
+
+	// Check for BLOB columns
+	var blobCount int
+	row = db.QueryRowContext(ctx, `
+		SELECT COUNT(*) 
+		FROM information_schema.columns 
+		WHERE table_schema = DATABASE() 
+		AND data_type IN ('blob', 'mediumblob', 'longblob', 'text', 'mediumtext', 'longtext')`)
+	if err := row.Scan(&blobCount); err == nil {
+		profile.HasBLOBs = blobCount > 0
+	}
+
+	// Check for indexes
+	var indexCount int
+	row = db.QueryRowContext(ctx, `
+		SELECT COUNT(*) 
+		FROM information_schema.statistics 
+		WHERE table_schema = DATABASE()`)
+	if err := row.Scan(&indexCount); err == nil {
+		profile.HasIndexes = indexCount > 0
+	}
+
+	// Count tables
+	row = db.QueryRowContext(ctx, `
+		SELECT COUNT(*) 
+		FROM information_schema.tables 
+		WHERE table_schema = DATABASE() 
+		AND table_type = 'BASE TABLE'`)
+	row.Scan(&profile.TableCount)
+
+	// Estimate row count
+	var rowCount sql.NullInt64
+	row = db.QueryRowContext(ctx, `
+		SELECT SUM(table_rows) 
+		FROM information_schema.tables 
+		WHERE table_schema = DATABASE()`)
+	if err := row.Scan(&rowCount); err == nil && rowCount.Valid {
+		profile.EstimatedRowCount = rowCount.Int64
+	}
+
+	return profile, nil
+}
+
 // parsePostgresSize parses PostgreSQL size strings like "128MB", "8GB"
 func parsePostgresSize(s string) uint64 {
 	s = strings.TrimSpace(s)
--- a/internal/notify/smtp.go
+++ b/internal/notify/smtp.go
@ -154,14 +154,21 @@ func (s *SMTPNotifier) sendMail(ctx context.Context, message string) error {
 	if err != nil {
 		return fmt.Errorf("data command failed: %w", err)
 	}
-	defer w.Close()

 	_, err = w.Write([]byte(message))
 	if err != nil {
 		return fmt.Errorf("write failed: %w", err)
 	}

-	return client.Quit()
+	// Close the data writer to finalize the message
+	if err = w.Close(); err != nil {
+		return fmt.Errorf("data close failed: %w", err)
+	}
+
+	// Quit gracefully - ignore the response as long as it's a 2xx code
+	// Some servers return "250 2.0.0 Ok: queued as..." which isn't an error
+	_ = client.Quit()
+	return nil
 }

 // getPriority returns X-Priority header value based on severity
--- a/internal/progress/unified.go
+++ b/internal/progress/unified.go
@ -30,24 +30,25 @@ var PhaseWeights = map[Phase]int{

 // ProgressSnapshot is a mutex-free copy of progress state for safe reading
 type ProgressSnapshot struct {
-	Operation      string
-	ArchiveFile    string
-	Phase          Phase
-	ExtractBytes   int64
-	ExtractTotal   int64
-	DatabasesDone  int
-	DatabasesTotal int
-	CurrentDB      string
-	CurrentDBBytes int64
-	CurrentDBTotal int64
-	DatabaseSizes  map[string]int64
-	VerifyDone     int
-	VerifyTotal    int
-	StartTime      time.Time
-	PhaseStartTime time.Time
-	LastUpdateTime time.Time
-	DatabaseTimes  []time.Duration
-	Errors         []string
+	Operation       string
+	ArchiveFile     string
+	Phase           Phase
+	ExtractBytes    int64
+	ExtractTotal    int64
+	DatabasesDone   int
+	DatabasesTotal  int
+	CurrentDB       string
+	CurrentDBBytes  int64
+	CurrentDBTotal  int64
+	DatabaseSizes   map[string]int64
+	VerifyDone      int
+	VerifyTotal     int
+	StartTime       time.Time
+	PhaseStartTime  time.Time
+	LastUpdateTime  time.Time
+	DatabaseTimes   []time.Duration
+	Errors          []string
+	UseNativeEngine bool // True if using pure Go native engine (no pg_restore)
 }

 // UnifiedClusterProgress combines all progress states into one cohesive structure
@ -56,8 +57,9 @@ type UnifiedClusterProgress struct {
 	mu sync.RWMutex

 	// Operation info
-	Operation   string // "backup" or "restore"
-	ArchiveFile string
+	Operation       string // "backup" or "restore"
+	ArchiveFile     string
+	UseNativeEngine bool // True if using pure Go native engine (no pg_restore)

 	// Current phase
 	Phase Phase
@ -177,6 +179,13 @@ func (p *UnifiedClusterProgress) SetVerifyProgress(done, total int) {
 	p.LastUpdateTime = time.Now()
 }

+// SetUseNativeEngine sets whether native Go engine is used (no external tools)
+func (p *UnifiedClusterProgress) SetUseNativeEngine(native bool) {
+	p.mu.Lock()
+	defer p.mu.Unlock()
+	p.UseNativeEngine = native
+}
+
 // AddError adds an error message
 func (p *UnifiedClusterProgress) AddError(err string) {
 	p.mu.Lock()
@ -320,24 +329,25 @@ func (p *UnifiedClusterProgress) GetSnapshot() ProgressSnapshot {
 	copy(errors, p.Errors)

 	return ProgressSnapshot{
-		Operation:      p.Operation,
-		ArchiveFile:    p.ArchiveFile,
-		Phase:          p.Phase,
-		ExtractBytes:   p.ExtractBytes,
-		ExtractTotal:   p.ExtractTotal,
-		DatabasesDone:  p.DatabasesDone,
-		DatabasesTotal: p.DatabasesTotal,
-		CurrentDB:      p.CurrentDB,
-		CurrentDBBytes: p.CurrentDBBytes,
-		CurrentDBTotal: p.CurrentDBTotal,
-		DatabaseSizes:  dbSizes,
-		VerifyDone:     p.VerifyDone,
-		VerifyTotal:    p.VerifyTotal,
-		StartTime:      p.StartTime,
-		PhaseStartTime: p.PhaseStartTime,
-		LastUpdateTime: p.LastUpdateTime,
-		DatabaseTimes:  dbTimes,
-		Errors:         errors,
+		Operation:       p.Operation,
+		ArchiveFile:     p.ArchiveFile,
+		Phase:           p.Phase,
+		ExtractBytes:    p.ExtractBytes,
+		ExtractTotal:    p.ExtractTotal,
+		DatabasesDone:   p.DatabasesDone,
+		DatabasesTotal:  p.DatabasesTotal,
+		CurrentDB:       p.CurrentDB,
+		CurrentDBBytes:  p.CurrentDBBytes,
+		CurrentDBTotal:  p.CurrentDBTotal,
+		DatabaseSizes:   dbSizes,
+		VerifyDone:      p.VerifyDone,
+		VerifyTotal:     p.VerifyTotal,
+		StartTime:       p.StartTime,
+		PhaseStartTime:  p.PhaseStartTime,
+		LastUpdateTime:  p.LastUpdateTime,
+		DatabaseTimes:   dbTimes,
+		Errors:          errors,
+		UseNativeEngine: p.UseNativeEngine,
 	}
 }

--- a/internal/restore/engine.go
+++ b/internal/restore/engine.go
@ -1848,7 +1848,11 @@ func (e *Engine) RestoreCluster(ctx context.Context, archivePath string, preExtr
 			var restoreErr error
 			if isCompressedSQL {
 				mu.Lock()
-				e.log.Info("Detected compressed SQL format, using psql + pgzip", "file", dumpFile, "database", dbName)
+				if e.cfg.UseNativeEngine {
+					e.log.Info("Detected compressed SQL format, using native Go engine", "file", dumpFile, "database", dbName)
+				} else {
+					e.log.Info("Detected compressed SQL format, using psql + pgzip", "file", dumpFile, "database", dbName)
+				}
 				mu.Unlock()
 				restoreErr = e.restorePostgreSQLSQL(ctx, dumpFile, dbName, true)
 			} else {
--- a/internal/tui/restore_exec.go
+++ b/internal/tui/restore_exec.go
@ -395,6 +395,8 @@ func executeRestoreWithTUIProgress(parentCtx context.Context, cfg *config.Config
 		// Initialize unified progress tracker for cluster restores
 		if restoreType == "restore-cluster" {
 			progressState.unifiedProgress = progress.NewUnifiedClusterProgress("restore", archive.Path)
+			// Set engine type for correct TUI display
+			progressState.unifiedProgress.SetUseNativeEngine(cfg.UseNativeEngine)
 		}
 		engine.SetProgressCallback(func(current, total int64, description string) {
 			// CRITICAL: Panic recovery to prevent nil pointer crashes
--- a/internal/tui/restore_preview.go
+++ b/internal/tui/restore_preview.go
@ -441,6 +441,13 @@ func (m RestorePreviewModel) View() string {
 		s.WriteString(fmt.Sprintf("  Database: %s\n", m.targetDB))
 		s.WriteString(fmt.Sprintf("  Host: %s:%d\n", m.config.Host, m.config.Port))

+		// Show Engine Mode for single restore too
+		if m.config.UseNativeEngine {
+			s.WriteString(CheckPassedStyle.Render("  Engine Mode: Native Go (pure Go, no external tools)") + "\n")
+		} else {
+			s.WriteString(fmt.Sprintf("  Engine Mode: External Tools (psql)\n"))
+		}
+
 		cleanIcon := "[N]"
 		if m.cleanFirst {
 			cleanIcon = "[Y]"
@ -473,6 +480,13 @@ func (m RestorePreviewModel) View() string {
 		s.WriteString(fmt.Sprintf("  CPU Workload: %s\n", m.config.CPUWorkloadType))
 		s.WriteString(fmt.Sprintf("  Cluster Parallelism: %d databases\n", m.config.ClusterParallelism))

+		// Show Engine Mode - critical for understanding restore behavior
+		if m.config.UseNativeEngine {
+			s.WriteString(CheckPassedStyle.Render("  Engine Mode: Native Go (pure Go, no external tools)") + "\n")
+		} else {
+			s.WriteString(fmt.Sprintf("  Engine Mode: External Tools (pg_restore, psql)\n"))
+		}
+
 		if m.existingDBError != "" {
 			// Show warning when database listing failed - but still allow cleanup toggle
 			s.WriteString(CheckWarningStyle.Render("  Existing Databases: Detection failed\n"))
--- a/internal/tui/rich_cluster_progress.go
+++ b/internal/tui/rich_cluster_progress.go
@ -236,7 +236,11 @@ func (v *RichClusterProgressView) renderPhaseDetails(snapshot *progress.Progress
 				b.WriteString(fmt.Sprintf("     %s %-20s [restoring...] running %s\n",
 					spinner, truncateString(snapshot.CurrentDB, 20),
 					formatDuration(phaseElapsed)))
-				b.WriteString(fmt.Sprintf("        └─ pg_restore in progress (progress updates every 5s)\n"))
+				if snapshot.UseNativeEngine {
+					b.WriteString(fmt.Sprintf("        └─ native Go engine in progress (pure Go, no external tools)\n"))
+				} else {
+					b.WriteString(fmt.Sprintf("        └─ pg_restore in progress (progress updates every 5s)\n"))
+				}
 			}
 		}

--- a/main.go
+++ b/main.go
@ -16,7 +16,7 @@ import (

 // Build information (set by ldflags)
 var (
-	version   = "5.7.2"
+	version   = "5.7.7"
 	buildTime = "unknown"
 	gitCommit = "unknown"
 )