CodeMonkeyCybersecurity
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 7 additions & 0 deletions b/‎.github/workflows/ci.yml‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎cmd/backup/list.go‎
Lines changed: 4 additions & 10 deletions b/‎cmd/backup/list.go‎
Lines changed: 4 additions & 10 deletions
diff --git a/‎cmd/backup/quick.go‎
Lines changed: 6 additions & 6 deletions b/‎cmd/backup/quick.go‎
Lines changed: 6 additions & 6 deletions
diff --git a/‎cmd/backup/restore.go‎
Lines changed: 5 additions & 11 deletions b/‎cmd/backup/restore.go‎
Lines changed: 5 additions & 11 deletions
diff --git a/‎cmd/backup/update.go‎
Lines changed: 4 additions & 7 deletions b/‎cmd/backup/update.go‎
Lines changed: 4 additions & 7 deletions
diff --git a/‎cmd/backup/verify.go‎
Lines changed: 8 additions & 20 deletions b/‎cmd/backup/verify.go‎
Lines changed: 8 additions & 20 deletions
diff --git a/‎cmd/list/backups.go‎
Lines changed: 4 additions & 11 deletions b/‎cmd/list/backups.go‎
Lines changed: 4 additions & 11 deletions
diff --git a/‎pkg/backup/client.go‎
Lines changed: 2 additions & 2 deletions b/‎pkg/backup/client.go‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎pkg/backup/client_integration_test.go‎
Lines changed: 15 additions & 5 deletions b/‎pkg/backup/client_integration_test.go‎
Lines changed: 15 additions & 5 deletions
@@ -134,6 +134,8 @@ jobs:
           POSTGRES_URL: postgres://postgres:testpass@localhost:5432/testdb?sslmode=disable
         run: |
           go test -v -timeout=15m ./test/integration_test.go ./test/integration_scenarios_test.go
+          # Backup integration layer (20% test pyramid allocation for backup workflow)
+          go test -v -timeout=15m -run Integration ./pkg/backup/...
           go test -v -timeout=15m -tags=integration ./pkg/vault/...
 
   ci-e2e-smoke:
@@ -156,6 +158,11 @@ jobs:
       - name: Run smoke e2e tests
         run: go test -v -tags=e2e_smoke -timeout=10m ./test/e2e/smoke/...
 
+      - name: Run backup e2e smoke tests
+        run: |
+          # Backup e2e layer (10% test pyramid allocation for backup workflow)
+          go test -v -tags=e2e_smoke -timeout=10m -run Backup ./test/e2e/smoke/...
+
   ci-e2e-full:
     name: ci-e2e-full
     if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
 
@@ -166,17 +166,11 @@ Examples:
 		filterHost, _ := cmd.Flags().GetString("host")
 		filterPath, _ := cmd.Flags().GetString("path")
 
-		// Use default repository if not specified
-		if repoName == "" {
-			config, err := backup.LoadConfig(rc)
-			if err != nil {
-				return fmt.Errorf("loading configuration: %w", err)
-			}
-			repoName = config.DefaultRepository
-			if repoName == "" {
-				return fmt.Errorf("no repository specified and no default configured")
-			}
+		resolvedRepoName, err := backup.ResolveRepositoryName(rc, repoName)
+		if err != nil {
+			return err
 		}
+		repoName = resolvedRepoName
 
 		logger.Info("Listing snapshots",
 			zap.String("repository", repoName),
 
@@ -25,10 +25,10 @@ import (
 var quickBackupCmd = &cobra.Command{
 	Use:   ". [directory]",
 	Short: "Quick backup of current (or specified) directory",
-	Long: `Instantly backup the current directory or specified path with timestamp.
+	Long: fmt.Sprintf(`Instantly backup the current directory or specified path with timestamp.
 
 This command reuses your existing backup configuration:
-- Uses the default repository defined in /etc/eos/backup.yaml
+- Uses the default repository defined in %s
 - Honors repository credentials and password files you already manage
 - Timestamps each backup automatically
 - Recursive by default
@@ -41,7 +41,7 @@ Examples:
 
 Restore:
   eos restore . [snapshot-id]                # Restore latest or specific snapshot
-  eos restore . --target /tmp/restored       # Restore to different location`,
+  eos restore . --target /tmp/restored       # Restore to different location`, backup.ConfigFile),
 
 	Args: cobra.MaximumNArgs(1),
 	RunE: eos.Wrap(func(rc *eos_io.RuntimeContext, cmd *cobra.Command, args []string) error {
@@ -173,7 +173,7 @@ func resolveQuickBackupRepository(rc *eos_io.RuntimeContext) (string, backup.Rep
 	}
 
 	if len(config.Repositories) == 0 {
-		return "", backup.Repository{}, fmt.Errorf("no repositories configured; add at least one in /etc/eos/backup.yaml")
+		return "", backup.Repository{}, fmt.Errorf("no repositories configured; add at least one in %s", backup.ConfigFile)
 	}
 
 	if len(config.Repositories) == 1 {
@@ -192,8 +192,8 @@ func resolveQuickBackupRepository(rc *eos_io.RuntimeContext) (string, backup.Rep
 	sort.Strings(repoNames)
 
 	return "", backup.Repository{}, eos_err.NewExpectedError(rc.Ctx, fmt.Errorf(
-		"multiple repositories configured (%s) but no default_repository set; update /etc/eos/backup.yaml to select one",
-		strings.Join(repoNames, ", ")))
+		"multiple repositories configured (%s) but no default_repository set; update %s to select one",
+		strings.Join(repoNames, ", "), backup.ConfigFile))
 }
 
 func init() {
 
@@ -3,9 +3,9 @@
 package backup
 
 import (
-	"github.com/CodeMonkeyCybersecurity/eos/pkg/shared"
 	"encoding/json"
 	"fmt"
+	"github.com/CodeMonkeyCybersecurity/eos/pkg/shared"
 	"os"
 	"path/filepath"
 
@@ -55,17 +55,11 @@ Examples:
 		verify, _ := cmd.Flags().GetBool("verify")
 		force, _ := cmd.Flags().GetBool("force")
 
-		// Use default repository if not specified
-		if repoName == "" {
-			config, err := backup.LoadConfig(rc)
-			if err != nil {
-				return fmt.Errorf("loading configuration: %w", err)
-			}
-			repoName = config.DefaultRepository
-			if repoName == "" {
-				return fmt.Errorf("no repository specified and no default configured")
-			}
+		resolvedRepoName, err := backup.ResolveRepositoryName(rc, repoName)
+		if err != nil {
+			return err
 		}
+		repoName = resolvedRepoName
 
 		logger.Info("Starting restore operation",
 			zap.String("snapshot", snapshotID),
 
@@ -8,8 +8,8 @@ import (
 	"github.com/CodeMonkeyCybersecurity/eos/pkg/backup"
 	eos "github.com/CodeMonkeyCybersecurity/eos/pkg/eos_cli"
 	"github.com/CodeMonkeyCybersecurity/eos/pkg/eos_io"
-	"github.com/CodeMonkeyCybersecurity/eos/pkg/verify"
 	"github.com/CodeMonkeyCybersecurity/eos/pkg/patterns"
+	"github.com/CodeMonkeyCybersecurity/eos/pkg/verify"
 	"github.com/spf13/cobra"
 	"github.com/uptrace/opentelemetry-go-extra/otelzap"
 	"go.uber.org/zap"
@@ -73,12 +73,9 @@ Examples:
 		}
 
 		// Determine repository
-		repoName := profile.Repository
-		if repoName == "" {
-			repoName = config.DefaultRepository
-			if repoName == "" {
-				return fmt.Errorf("no repository specified and no default configured")
-			}
+		repoName, err := backup.ResolveRepositoryNameFromConfig(config, profile.Repository)
+		if err != nil {
+			return err
 		}
 
 		logger.Info("Using repository",
 
@@ -45,17 +45,11 @@ var verifyRepoCmd = &cobra.Command{
 		readData, _ := cmd.Flags().GetBool("read-data")
 		readDataSubset, _ := cmd.Flags().GetString("read-data-subset")
 
-		// Use default repository if not specified
-		if repoName == "" {
-			config, err := backup.LoadConfig(rc)
-			if err != nil {
-				return fmt.Errorf("loading configuration: %w", err)
-			}
-			repoName = config.DefaultRepository
-			if repoName == "" {
-				return fmt.Errorf("no repository specified and no default configured")
-			}
+		resolvedRepoName, err := backup.ResolveRepositoryName(rc, repoName)
+		if err != nil {
+			return err
 		}
+		repoName = resolvedRepoName
 
 		logger.Info("Verifying repository integrity",
 			zap.String("repository", repoName),
@@ -110,17 +104,11 @@ var verifySnapshotCmd = &cobra.Command{
 		repoName, _ := cmd.Flags().GetString("repo")
 		readData, _ := cmd.Flags().GetBool("read-data")
 
-		// Use default repository if not specified
-		if repoName == "" {
-			config, err := backup.LoadConfig(rc)
-			if err != nil {
-				return fmt.Errorf("loading configuration: %w", err)
-			}
-			repoName = config.DefaultRepository
-			if repoName == "" {
-				return fmt.Errorf("no repository specified and no default configured")
-			}
+		resolvedRepoName, err := backup.ResolveRepositoryName(rc, repoName)
+		if err != nil {
+			return err
 		}
+		repoName = resolvedRepoName
 
 		logger.Info("Verifying snapshot integrity",
 			zap.String("snapshot", snapshotID),
 
@@ -100,7 +100,6 @@ func listBackups(rc *eos_io.RuntimeContext, cmd *cobra.Command, args []string) e
 		return err
 	}
 
-
 	// Get flags
 	repoName, _ := cmd.Flags().GetString("repo")
 	filterTags, _ := cmd.Flags().GetStringSlice("tags")
@@ -123,17 +122,11 @@ func listBackups(rc *eos_io.RuntimeContext, cmd *cobra.Command, args []string) e
 		}
 	}
 
-	// Use default repository if not specified
-	if repoName == "" {
-		config, err := backup.LoadConfig(rc)
-		if err != nil {
-			return fmt.Errorf("loading configuration: %w", err)
-		}
-		repoName = config.DefaultRepository
-		if repoName == "" {
-			return fmt.Errorf("no repository specified and no default configured")
-		}
+	resolvedRepoName, err := backup.ResolveRepositoryName(rc, repoName)
+	if err != nil {
+		return err
 	}
+	repoName = resolvedRepoName
 
 	logger.Info("Listing backup snapshots",
 		zap.String("repository", repoName),
 
@@ -283,7 +283,7 @@ func (c *Client) getRepositoryPassword() (string, error) {
 	}
 
 	// 2. Global secrets directory fallback (used by managed repositories)
-	secretsPasswordPath := filepath.Join(SecretsDir, fmt.Sprintf("%s.password", c.repository.Name))
+	secretsPasswordPath := filepath.Join(secretsDirPath, fmt.Sprintf("%s.password", c.repository.Name))
 	if password, err := readPasswordFile(secretsPasswordPath); err == nil {
 		logger.Debug("Using secrets directory password file",
 			zap.String("path", secretsPasswordPath))
@@ -307,7 +307,7 @@ func (c *Client) getRepositoryPassword() (string, error) {
 	}
 
 	// 4a. Secrets directory .env file (fallback for non-local repositories)
-	secretsEnvPath := filepath.Join(SecretsDir, fmt.Sprintf("%s.env", c.repository.Name))
+	secretsEnvPath := filepath.Join(secretsDirPath, fmt.Sprintf("%s.env", c.repository.Name))
 	if password, err := readPasswordFromEnvFile(secretsEnvPath); err == nil {
 		logger.Debug("Using secrets .env file for restic password",
 			zap.String("path", secretsEnvPath))
 
@@ -201,12 +201,17 @@ func TestPasswordRetrievalIntegration(t *testing.T) {
 	}
 
 	t.Run("vault unavailable fallback", func(t *testing.T) {
+		originalSecretsDir := secretsDirPath
+		secretsDirPath = filepath.Join(repo.TempDir, "secrets", "backup")
+		t.Cleanup(func() {
+			secretsDirPath = originalSecretsDir
+		})
+
 		// Create local password file
-		secretsDir := filepath.Join(repo.TempDir, "secrets", "backup")
-		err := os.MkdirAll(secretsDir, 0700)
+		err := os.MkdirAll(secretsDirPath, 0700)
 		require.NoError(t, err)
 
-		passwordFile := filepath.Join(secretsDir, fmt.Sprintf("%s.password", repo.Name))
+		passwordFile := filepath.Join(secretsDirPath, fmt.Sprintf("%s.password", repo.Name))
 		err = os.WriteFile(passwordFile, []byte(repo.Password), 0600)
 		require.NoError(t, err)
 
@@ -223,13 +228,18 @@ func TestPasswordRetrievalIntegration(t *testing.T) {
 	})
 
 	t.Run("no password available", func(t *testing.T) {
+		originalSecretsDir := secretsDirPath
+		secretsDirPath = t.TempDir()
+		t.Cleanup(func() {
+			secretsDirPath = originalSecretsDir
+		})
+
 		// Test case where neither Vault nor local file is available
 		client.repository.Name = "nonexistent-repo"
 
 		// This should result in an error when getRepositoryPassword is called
 		// Since we can't easily mock Vault here, we test the error conditions
-		secretsDir := "/var/lib/eos/secrets/backup"
-		passwordFile := filepath.Join(secretsDir, "nonexistent-repo.password")
+		passwordFile := filepath.Join(secretsDirPath, "nonexistent-repo.password")
 
 		// Verify file doesn't exist
 		_, err := os.Stat(passwordFile)