Sync dev to main (#171)

* test(orchestrator): maximize coverage for network_apply

- Add network_apply_additional_test.go with extensive tests for rollback (arm/disarm), NIC repair CLI (overrides/conflicts), snapshot IP parsing, command selection, and error paths.
- Use FakeFS/FakeCommandRunner plus PATH stubs to deterministically exercise both success and failure branches.
- Bring network_apply.go coverage to ~99% with no production code changes.

* ci: bump the actions-updates group across 1 directory with 2 updates (#164)

Bumps the actions-updates group with 2 updates in the / directory: [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) and [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance).


Updates `goreleaser/goreleaser-action` from 6 to 7
- [Release notes](https://github.com/goreleaser/goreleaser-action/releases)
- [Commits](goreleaser/goreleaser-action@v6...v7)

Updates `actions/attest-build-provenance` from 3 to 4
- [Release notes](https://github.com/actions/attest-build-provenance/releases)
- [Changelog](https://github.com/actions/attest-build-provenance/blob/main/RELEASE.md)
- [Commits](actions/attest-build-provenance@v3...v4)

---
updated-dependencies:
- dependency-name: goreleaser/goreleaser-action
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions-updates
- dependency-name: actions/attest-build-provenance
  dependency-version: '4'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions-updates
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* backup/pve: clarify datastore skip logs

Make PVE datastore skip messages user-friendly: log disabled storages as SKIP,
offline storages as actionable WARNING, and always emit DEBUG skip details with
active/enabled/status and an explicit reason.
Fix detected datastores report header to match output column order.
Extend unit tests to cover runtime flag parsing and the new skip logging, and
make Makefile coverage targets honor the go.mod toolchain via GOTOOLCHAIN.

* feat(webhook): optional Discord content fallback for embed-only messages

Adds per-endpoint opt-in Discord content text (WEBHOOK_<ENDPOINT>_DISCORD_CONTENT_ENABLED/..._DISCORD_CONTENT) to avoid “empty” messages when embeds aren’t rendered. Default remains unchanged (embed-only). Includes 2000-char truncation, docs/template updates, and tests.

* Revert "feat(webhook): optional Discord content fallback for embed-only messages"

This reverts commit fc0aed4.

* Update go.mod

* Harden restore decisions against untrusted backup metadata

Derive restore compatibility, cluster gating, and hostname warnings from archive-backed facts instead of candidate manifest metadata. Add restore archive analysis for internal backup metadata and category-based fallback, update restore planning and compatibility checks to consume trusted decision inputs, and add regression tests covering manifest spoofing for backup type and cluster mode.

* Enforce staged backup checksum verification in restore/decrypt flows

Require checksum verification for staged backup archives before any restore or decrypt operation proceeds. Add strict SHA256 parsing and normalization, enforce checksum source agreement between sidecar and manifest metadata, reject raw backup candidates with no verifiable integrity source, centralize shared prepare-path verification for bundle and raw inputs, preserve source artifact checksum separately from the prepared plain archive checksum, and update regression tests to cover missing, mismatched, and legacy checksum scenarios.

* fix(orchestrator): preserve staged network symlinks

Use Lstat in network staged apply so symlink entries are handled as symlinks instead of being dereferenced and copied as regular file contents. Reject symlinked staged network directories, extend the FS abstraction with Lstat, and add regression tests covering preserved symlinks and invalid symlinked stage roots.

* fix(orchestrator): harden restore path validation against broken symlink escapes

Replace the restore path safety checks with a shared FS-aware resolver that walks paths component by component using Lstat and Readlink, correctly handling missing tails and rejecting intermediate symlink escapes. Apply the new validation to regular restore, safety restore, symlink and hardlink handling, and add regression tests for broken escaping symlinks, symlink loops, and symlinked restore roots.

* fix(backup): sanitize datastore and storage path segments

Introduce a shared path-safe key for PBS datastore names and PVE storage names when building collector output paths, preventing path traversal and filename collisions from raw config values. Keep raw names unchanged in metadata and command invocations, update all affected PBS/PVE collector call sites, and add regression tests covering unsafe names while preserving the existing layout for already-safe names.

* fix(io): bound timed fs and input goroutine buildup

Prevent unbounded goroutine accumulation in timeout/cancel wrappers by limiting in-flight safefs operations and reusing a single in-flight read per reader/file descriptor in the input package. Keep public APIs unchanged, preserve current timeout semantics, and add regression coverage for limiter saturation, repeated timeouts, and race-safe cleanup of timed operations.

* fix(orchestrator): preserve operational restore errors during path validation

Teach the restore path resolver to distinguish security violations from local operational failures, so only real root-escape conditions are reported as illegal paths. Keep broken-symlink and traversal hardening intact, allow in-root permission and ENOTDIR failures to surface through the normal restore flow, and add regression tests covering the new security vs operational error classification.

* Separate PBS override scan roots from real datastore identities.

- add explicit PBS datastore metadata for source, CLI identity and output key
- derive stable path-based output keys for PBS_DATASTORE_PATH overrides
- keep existing output names for real CLI-discovered PBS datastores
- skip datastore show/status CLI calls for override-only entries
- use filesystem-only namespace discovery for override paths
- keep PXAR outputs isolated for colliding override basenames
- preserve distinct override entries in PBS datastore inventory
- exclude override-only inventory entries from datastore.cfg fallback restore
- add regression coverage for basename collisions and restore safety
- update PBS_DATASTORE_PATH documentation to reflect scan-root semantics

* fix(orchestrator): resolve symlinked base dirs before validating relative links

resolvePathRelativeToBaseWithinRootFS now canonicalizes baseDir by resolving existing symlinks before validating relative link targets. This closes the bypass where an archive could create an apparently harmless parent symlink and then install a relative symlink that escapes destRoot once materialized by the kernel.

* fix(safefs): harden timeout test cleanup and limiter capture

Make safefs timeout tests failure-safe by draining blocked workers from cleanup and separating worker cleanup from global state restore. Also capture limiter and fs operation hooks locally in runLimited/Stat/ReadDir/Statfs to avoid races with global resets while async work is still in flight.

* fix(input): preserve completed inflight reads across retries

Keep completed in-flight line and password reads attached to their state until
a caller consumes the buffered result, instead of clearing the inflight state
from the producer goroutine.

This fixes the race where a read could complete after a timeout, be cleaned up
before the next retry started, and leave the completed input unreachable.
Add deterministic tests for both retry-while-pending and completion-before-retry
cases to lock the behavior down.

* fix(pbs): disambiguate datastore output keys across CLI and overrides

Add a PBS-specific output-key resolver to guarantee stable, unique datastore filenames and directories across auto-detected datastores and PBS_DATASTORE_PATH overrides. This fixes real collisions between CLI datastore names and path-derived override keys, makes pbsDatastore.pathKey() source-aware when OutputKey is unset, and keeps inventory output_key values aligned with the actual files written by PBS collectors. Includes regression tests for CLI-vs-override collisions, override fallback behavior, and inventory consistency.

* test(input): assert inflight cleanup after completed retry consumption

The new tests verify that line and password inflight reads remain attached
after timeout until the completed result is reused, and that state.inflight
is cleared immediately after that consumer receives the result.

* fix(safefs): return TimeoutError when deadline expires before run

update runLimited to re-check ctx.Err() after effectiveTimeout()
avoid calling run() when effectiveTimeout() returns 0 because the context deadline already elapsed
preserve the no-timeout path only for genuinely disabled timeouts
add a regression test for the expired-deadline edge case in internal/safefs

* fix(restore): validate compatibility before full restore fallback

When restore archive analysis fails in the UI workflow, do not jump
immediately to full restore.
Build a best-effort RestoreDecisionInfo from the manifest, run the
existing compatibility check first, and only then fall back to
runFullRestoreWithUI.
Also add a regression test covering the analysis-error path to ensure
the compatibility warning is still shown before the full restore
fallback executes.

* fix(orchestrator): bound restore metadata reads

Reject oversized backup_metadata.txt entries during restore archive inspection by reading through a fixed limit before parsing. This prevents unbounded memory allocation from crafted archives and ensures truncated metadata caused by limit overflow is treated as invalid rather than partially trusted. Add regression tests covering oversized metadata rejection and the public restore analysis path.

* fix(orchestrator): validate staged network symlink targets

Validate symlink targets during staged network apply before recreating them
under the destination tree. Reuse the existing path-security resolver to
ensure targets stay within the allowed destination root, rewrite safe
absolute targets to relative links, and reject absolute or relative targets
that escape the subtree. Add regression tests for safe rewrites and escaping
symlink targets.

* fix(orchestrator): validate symlink targets in firewall staged sync

Validate symlink targets in syncDirExact before recreating them under the
destination subtree. Reuse the existing path-security resolver to ensure
firewall and SDN staged symlinks stay within the allowed destination root,
rewrite safe absolute targets to relative links, and reject absolute or
relative targets that escape the subtree. Add regression tests for safe
rewrites and escaping symlink targets.

* fix(orchestrator): recognize full Proxmox system names

Verify and fix parseSystemTypeString in compatibility.go.

The parser now recognizes space-separated and full-name variants such as
"Proxmox VE", "Proxmox Backup", and "Proxmox Backup Server", in addition
to the existing acronym and hyphenated forms.

Add regression tests to ensure these values map correctly to
SystemTypePVE and SystemTypePBS.

* fix(orchestrator): validate raw backup checksums during discovery

Validate and normalize manifest and sidecar SHA256 values before
accepting local or rclone raw backup candidates.

Reject candidates when the manifest checksum is malformed, the .sha256
sidecar cannot be parsed, or both checksum sources disagree. Persist the
normalized checksum and its source on the candidate so downstream staged
integrity verification only works with pre-validated values.

Add coverage for local and rclone discovery, malformed and conflicting
checksums, and reuse of the candidate integrity expectation during
staged verification.

* test: add PBS datastore status filename collision regression coverage

Adds a regression test for collectPBSCommands() covering colliding PBS datastore output keys. The test verifies that assignUniquePBSDatastoreOutputKeys() disambiguates colliding datastore status filenames and that two distinct datastore_*_status.json files are written with the correct datastore-specific content.

* fix(pbs): always apply datastore path overrides without CLI discovery

Make PBS datastore enumeration best-effort in getDatastoreList so configured PBSDatastorePaths overrides are still appended when proxmox-backup-manager is missing, the datastore list command fails, or its JSON output is invalid. Preserve context cancellation as a fatal error, keep unique output key assignment, and add regression tests for missing CLI, command failure, and parse failure fallback cases.

* Normalize safefs deadline handling

Add focused safefs tests for expired-deadline paths and make deadline-driven context cancellations consistently map to ErrTimeout/TimeoutError in runLimited and operationLimiter.acquire. This fixes inconsistent timeout classification where some context deadline expirations returned context.DeadlineExceeded instead of the safefs timeout sentinel, while preserving context.Canceled behavior.

* Surface decompressor close errors during restore archive inspection

Make restore archive inspection fail when the decompression reader reports an error on Close, instead of silently accepting the archive as valid. This updates inspectRestoreArchiveContents to preserve existing inspect errors while surfacing deferred decompressor failures, and adds targeted tests covering both close-error propagation and error-precedence behavior.

* Fix symlink target rewriting for resolved destination parents

Update overlay symlink validation to rewrite absolute targets relative to the resolved destination parent instead of the lexical parent path. This fixes incorrect rewritten targets when the destination's parent directory is itself a symlink, and adds a regression test covering the symlinked-parent case.

* Revalidate created overlay symlinks within restore root

Add post-creation symlink verification for network overlay and firewall sync paths, mirroring the existing restore symlink safety model. The new check reads back each created symlink, ensures its effective target still resolves within the destination root, removes the link on validation failure, and adds regression tests covering readback failures and post-create escape scenarios.

* Normalize trimmed age encryption mode during bundle preparation

Trim manifest EncryptionMode before lowercasing in preparePlainBundleCommon so values like " age " still trigger decryption. This aligns decryption behavior with statusFromManifest and adds a regression test proving whitespace-padded age mode is decrypted instead of being misclassified as plain.

* Use a fresh timeout for rclone checksum inspection

Stop reusing the raw-item metadata context for checksum probing in discoverRcloneBackups. The checksum fetch now gets its own per-command timeout budget, matching the documented RCLONE_TIMEOUT_CONNECTION behavior, and a regression test covers the case where a slow metadata read previously left too little time for the checksum fetch.

* fix(orchestrator): fail safety restore on operational symlink validation errors

Distinguish path-security errors from operational failures during safety-backup symlink restore. Keep the existing warning-and-skip behavior for symlink targets that escape the restore root, but propagate non-security errors from resolvePathRelativeToBaseWithinRootFS so restore failures are reported instead of silently dropping symlinks. Add tests covering operational failures before and after symlink creation.

* Avoid holding the input state mutex across blocking waits on ctx.Done() and inflight completion.

- lock only to create/read the current inflight operation
- release the mutex before waiting on cancellation or read completion
- re-acquire the mutex only to clear state.inflight if it still matches
  the captured inflight
- store completed line/password results on the inflight state and use done
  as a broadcast completion signal for concurrent waiters
- add regression tests for concurrent cancelled callers and preserve
  existing retry/inflight reuse behavior

* backup: skip relative PBS datastore overrides

Reject relative PBS_DATASTORE_PATH values when building the datastore list.
normalizePBSDatastorePath only cleans input, so relative paths could previously
be accepted as overrides.

Keep the existing override naming, output key, and deduplication logic for valid
absolute paths, and log a warning when skipping an invalid relative override.

Add a regression test covering relative PBS_DATASTORE_PATH entries.

* backup: prefer CLI datastore path when merging inventory

Fix PBS datastore inventory merge so the runtime CLI path overrides datastore.cfg for the same datastore identity. Add a regression test covering config-vs-CLI path precedence during merge.

* fix(orchestrator): bound .sha256 reads during backup discovery

Replace unbounded checksum sidecar reads in backup discovery with bounded
streaming reads for both local files and rclone sources.

- cap checksum input to 4 KiB before parsing
- remove full-file ReadFile / CombinedOutput usage on .sha256 paths
- return clear errors for oversized or empty checksum files
- preserve compatibility with valid bounded checksum files without trailing newline
- add coverage for local and rclone oversized / bounded-input cases

* fix(orchestrator): surface rclone checksum failures after early close

Only ignore `rclone cat` wait errors when stdout was closed early after
reading a valid first checksum line and stderr is empty.

This prevents genuine rclone failures from being masked when the checksum
is read successfully but the command still exits non-zero with an error
message. Add a regression test for a fake rclone that prints a valid
checksum line and then exits with code 1.

* fix(orchestrator): validate prepared archive paths before decrypt/copy

Validate the staged archive path against the manifest encryption mode in
preparePlainBundleCommon before deriving the plain archive output path.

This rejects inconsistent inputs where `EncryptionMode=age` does not have
a `.age` archive suffix, or where a non-age archive still ends with
`.age`. It also ensures decryption never runs with identical input and
output paths by generating a unique output name when needed.

Add regression coverage for both mode/suffix mismatch cases and the
unique-path fallback for age archives.

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Author: tis24dev

.github/workflows/release.yml

@@ -70,7 +70,7 @@ jobs:
       # GORELEASER
       ########################################
       - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v6
+        uses: goreleaser/goreleaser-action@v7
         with:
           version: latest
           workdir: ${{ github.workspace }}
@@ -82,6 +82,6 @@ jobs:
       # ATTESTAZIONE PROVENIENZA BUILD
       ########################################
       - name: Attest Build Provenance
-        uses: actions/attest-build-provenance@v3
+        uses: actions/attest-build-provenance@v4
         with:
           subject-path: build/proxsave_*

Makefile

@@ -1,6 +1,8 @@
 .PHONY: build test clean run build-release test-coverage lint fmt deps help coverage coverage-check
 
 COVERAGE_THRESHOLD ?= 50.0
+TOOLCHAIN_FROM_MOD := $(shell awk '/^toolchain /{print $$2}' go.mod 2>/dev/null)
+COVER_GOTOOLCHAIN := $(if $(TOOLCHAIN_FROM_MOD),$(TOOLCHAIN_FROM_MOD)+auto,auto)
 
 # Build del progetto
 build:
@@ -60,20 +62,20 @@ test:
 
 # Test con coverage
 test-coverage:
-	go test -coverprofile=coverage.out ./...
-	go tool cover -html=coverage.out
+	GOTOOLCHAIN=$(COVER_GOTOOLCHAIN) go test -coverprofile=coverage.out ./...
+	GOTOOLCHAIN=$(COVER_GOTOOLCHAIN) go tool cover -html=coverage.out
 
 # Full coverage report (all packages)
 coverage:
 	@echo "Running coverage across all packages..."
-	@go test -coverpkg=./... -coverprofile=coverage.out ./...
-	@go tool cover -func=coverage.out | tail -n 1
+	@GOTOOLCHAIN=$(COVER_GOTOOLCHAIN) go test -coverpkg=./... -coverprofile=coverage.out ./...
+	@GOTOOLCHAIN=$(COVER_GOTOOLCHAIN) go tool cover -func=coverage.out | tail -n 1
 
 # Enforce minimum coverage threshold
 coverage-check:
 	@echo "Running coverage check (threshold $(COVERAGE_THRESHOLD)% )..."
-	@go test -coverpkg=./... -coverprofile=coverage.out ./...
-	@total=$$(go tool cover -func=coverage.out | grep total: | awk '{print $$3}' | sed 's/%//'); \
+	@GOTOOLCHAIN=$(COVER_GOTOOLCHAIN) go test -coverpkg=./... -coverprofile=coverage.out ./...
+	@total=$$(GOTOOLCHAIN=$(COVER_GOTOOLCHAIN) go tool cover -func=coverage.out | grep total: | awk '{print $$3}' | sed 's/%//'); \
 		echo "Total coverage: $$total%"; \
 		if awk -v total="$$total" -v threshold="$(COVERAGE_THRESHOLD)" 'BEGIN { exit !(total+0 >= threshold+0) }'; then \
 			echo "Coverage check passed."; \

docs/CONFIGURATION.md

@@ -1053,6 +1053,8 @@ VZDUMP_CONFIG_PATH=/etc/vzdump.conf
 
 # PBS datastore paths (comma/space separated)
 PBS_DATASTORE_PATH=                # e.g., "/mnt/pbs1,/mnt/pbs2"
+# Extra filesystem scan roots for datastore/PXAR discovery; these do not create
+# real PBS datastore definitions and may use path-derived output keys.
 
 # System root override (testing/chroot)
 SYSTEM_ROOT_PREFIX=                # Optional alternate root for system collection. Empty or "/" = real root.

docs/RESTORE_GUIDE.md

@@ -117,7 +117,7 @@ API apply is automatic for supported PBS staged categories; ProxSave may fall ba
 |----------|------|-------------|-------|
 | `pbs_config` | PBS Config Export | **Export-only** copy of /etc/proxmox-backup (never written to system) | `./etc/proxmox-backup/` |
 | `pbs_host` | PBS Host & Integrations | **Staged** node settings, ACME, proxy, metric servers and traffic control (API/file apply) | `./etc/proxmox-backup/node.cfg`<br>`./etc/proxmox-backup/proxy.cfg`<br>`./etc/proxmox-backup/acme/accounts.cfg`<br>`./etc/proxmox-backup/acme/plugins.cfg`<br>`./etc/proxmox-backup/metricserver.cfg`<br>`./etc/proxmox-backup/traffic-control.cfg`<br>`./var/lib/proxsave-info/commands/pbs/node_config.json`<br>`./var/lib/proxsave-info/commands/pbs/acme_accounts.json`<br>`./var/lib/proxsave-info/commands/pbs/acme_plugins.json`<br>`./var/lib/proxsave-info/commands/pbs/acme_account_*_info.json`<br>`./var/lib/proxsave-info/commands/pbs/acme_plugin_*_config.json`<br>`./var/lib/proxsave-info/commands/pbs/traffic_control.json` |
-| `datastore_pbs` | PBS Datastore Configuration | **Staged** datastore definitions (incl. S3 endpoints) (API/file apply) | `./etc/proxmox-backup/datastore.cfg`<br>`./etc/proxmox-backup/s3.cfg`<br>`./var/lib/proxsave-info/commands/pbs/datastore_list.json`<br>`./var/lib/proxsave-info/commands/pbs/datastore_*_status.json`<br>`./var/lib/proxsave-info/commands/pbs/s3_endpoints.json`<br>`./var/lib/proxsave-info/commands/pbs/s3_endpoint_*_buckets.json`<br>`./var/lib/proxsave-info/commands/pbs/pbs_datastore_inventory.json` |
+| `datastore_pbs` | PBS Datastore Configuration | **Staged** datastore definitions (incl. S3 endpoints) (API/file apply) | `./etc/proxmox-backup/datastore.cfg`<br>`./etc/proxmox-backup/s3.cfg`<br>`./var/lib/proxsave-info/commands/pbs/datastore_list.json`<br>`./var/lib/proxsave-info/commands/pbs/datastore_*_status.json`<br>`./var/lib/proxsave-info/commands/pbs/s3_endpoints.json`<br>`./var/lib/proxsave-info/commands/pbs/s3_endpoint_*_buckets.json`<br>`./var/lib/proxsave-info/commands/pbs/pbs_datastore_inventory.json`<br>Note: `PBS_DATASTORE_PATH` override scan roots are inventory context only and are not recreated as datastore definitions during restore. |
 | `maintenance_pbs` | PBS Maintenance | Maintenance settings | `./etc/proxmox-backup/maintenance.cfg` |
 | `pbs_jobs` | PBS Jobs | **Staged** sync/verify/prune jobs (API/file apply) | `./etc/proxmox-backup/sync.cfg`<br>`./etc/proxmox-backup/verification.cfg`<br>`./etc/proxmox-backup/prune.cfg`<br>`./var/lib/proxsave-info/commands/pbs/sync_jobs.json`<br>`./var/lib/proxsave-info/commands/pbs/verification_jobs.json`<br>`./var/lib/proxsave-info/commands/pbs/prune_jobs.json`<br>`./var/lib/proxsave-info/commands/pbs/gc_jobs.json` |
 | `pbs_remotes` | PBS Remotes | **Staged** remotes for sync/verify (may include credentials) (API/file apply) | `./etc/proxmox-backup/remote.cfg`<br>`./var/lib/proxsave-info/commands/pbs/remote_list.json` |
@@ -2384,6 +2384,7 @@ systemctl restart proxmox-backup proxmox-backup-proxy
 **Restore behavior**:
 - ProxSave detects this condition during staged apply.
 - If `var/lib/proxsave-info/commands/pbs/pbs_datastore_inventory.json` is available in the backup, ProxSave will use its embedded snapshot of the original `datastore.cfg` to recover a valid configuration.
+- Inventory entries that came only from `PBS_DATASTORE_PATH` scan roots are treated as diagnostic context and are excluded from regenerated `datastore.cfg`.
 - If recovery is not possible, ProxSave will **leave the existing** `/etc/proxmox-backup/datastore.cfg` unchanged to avoid breaking PBS.
 
 **Manual diagnosis**:

go.mod

@@ -2,7 +2,7 @@ module github.com/tis24dev/proxsave
 
 go 1.25
 
-toolchain go1.25.7
+toolchain go1.25.8
 
 require (
 	filippo.io/age v1.3.1

internal/backup/checksum.go

@@ -35,6 +35,30 @@ type Manifest struct {
 	ClusterMode      string    `json:"cluster_mode,omitempty"`
 }
 
+// NormalizeChecksum validates and normalizes a SHA256 checksum string.
+func NormalizeChecksum(value string) (string, error) {
+	checksum := strings.ToLower(strings.TrimSpace(value))
+	if checksum == "" {
+		return "", fmt.Errorf("checksum is empty")
+	}
+	if len(checksum) != sha256.Size*2 {
+		return "", fmt.Errorf("checksum must be %d hex characters, got %d", sha256.Size*2, len(checksum))
+	}
+	if _, err := hex.DecodeString(checksum); err != nil {
+		return "", fmt.Errorf("checksum is not valid hex: %w", err)
+	}
+	return checksum, nil
+}
+
+// ParseChecksumData extracts a SHA256 checksum from checksum file contents.
+func ParseChecksumData(data []byte) (string, error) {
+	fields := strings.Fields(string(data))
+	if len(fields) == 0 {
+		return "", fmt.Errorf("checksum file is empty")
+	}
+	return NormalizeChecksum(fields[0])
+}
+
 // GenerateChecksum calculates SHA256 checksum of a file
 func GenerateChecksum(ctx context.Context, logger *logging.Logger, filePath string) (string, error) {
 	logger.Debug("Generating SHA256 checksum for: %s", filePath)
@@ -105,16 +129,21 @@ func CreateManifest(ctx context.Context, logger *logging.Logger, manifest *Manif
 func VerifyChecksum(ctx context.Context, logger *logging.Logger, filePath, expectedChecksum string) (bool, error) {
 	logger.Debug("Verifying checksum for: %s", filePath)
 
+	normalizedExpected, err := NormalizeChecksum(expectedChecksum)
+	if err != nil {
+		return false, fmt.Errorf("invalid expected checksum: %w", err)
+	}
+
 	actualChecksum, err := GenerateChecksum(ctx, logger, filePath)
 	if err != nil {
 		return false, fmt.Errorf("failed to generate checksum: %w", err)
 	}
 
-	matches := actualChecksum == expectedChecksum
+	matches := actualChecksum == normalizedExpected
 	if matches {
 		logger.Debug("Checksum verification passed")
 	} else {
-		logger.Warning("Checksum mismatch! Expected: %s, Got: %s", expectedChecksum, actualChecksum)
+		logger.Warning("Checksum mismatch! Expected: %s, Got: %s", normalizedExpected, actualChecksum)
 	}
 
 	return matches, nil
@@ -205,9 +234,8 @@ func parseLegacyMetadata(scanner *bufio.Scanner, legacy *Manifest) {
 func loadLegacyChecksum(archivePath string, legacy *Manifest) {
 	// Attempt to load checksum from legacy .sha256 file
 	if shaData, err := os.ReadFile(archivePath + ".sha256"); err == nil {
-		fields := strings.Fields(string(shaData))
-		if len(fields) > 0 {
-			legacy.SHA256 = fields[0]
+		if checksum, parseErr := ParseChecksumData(shaData); parseErr == nil {
+			legacy.SHA256 = checksum
 		}
 	}
 }

internal/backup/checksum_legacy_test.go

@@ -28,7 +28,8 @@ func TestLoadLegacyManifestWithShaAndFallbackEncryption(t *testing.T) {
 		t.Fatalf("write metadata: %v", err)
 	}
 
-	shaLine := "deadbeef  " + filepath.Base(archive) + "\n"
+	expectedSHA := strings.Repeat("a", 64)
+	shaLine := expectedSHA + "  " + filepath.Base(archive) + "\n"
 	if err := os.WriteFile(archive+".sha256", []byte(shaLine), 0o640); err != nil {
 		t.Fatalf("write sha256: %v", err)
 	}
@@ -50,8 +51,8 @@ func TestLoadLegacyManifestWithShaAndFallbackEncryption(t *testing.T) {
 	if m.EncryptionMode != "plain" {
 		t.Fatalf("expected fallback encryption mode plain, got %s", m.EncryptionMode)
 	}
-	if m.SHA256 != "deadbeef" {
-		t.Fatalf("expected sha256 deadbeef, got %s", m.SHA256)
+	if m.SHA256 != expectedSHA {
+		t.Fatalf("expected sha256 %s, got %s", expectedSHA, m.SHA256)
 	}
 	if time.Since(m.CreatedAt) > time.Minute {
 		t.Fatalf("unexpected CreatedAt too old: %v", m.CreatedAt)

internal/backup/checksum_test.go

@@ -145,8 +145,9 @@ ENCRYPTION_MODE=age
 	if err := os.WriteFile(metadataPath, []byte(metadata), 0644); err != nil {
 		t.Fatalf("failed to write metadata: %v", err)
 	}
+	expectedSHA := "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
 	shaPath := archivePath + ".sha256"
-	if err := os.WriteFile(shaPath, []byte("deadbeef "+filepath.Base(archivePath)), 0644); err != nil {
+	if err := os.WriteFile(shaPath, []byte(expectedSHA+" "+filepath.Base(archivePath)), 0644); err != nil {
 		t.Fatalf("failed to write sha file: %v", err)
 	}
 
@@ -163,7 +164,7 @@ ENCRYPTION_MODE=age
 	if manifest.Hostname != "legacy-host" || manifest.ScriptVersion != "legacy-1.0" {
 		t.Fatalf("legacy metadata not parsed correctly: %+v", manifest)
 	}
-	if manifest.SHA256 != "deadbeef" {
+	if manifest.SHA256 != expectedSHA {
 		t.Fatalf("expected SHA256 from sidecar, got %q", manifest.SHA256)
 	}
 	if manifest.EncryptionMode != "age" {

internal/backup/collector.go

@@ -3,6 +3,8 @@ package backup
 import (
 	"bytes"
 	"context"
+	"crypto/sha256"
+	"encoding/hex"
 	"errors"
 	"fmt"
 	"io"
@@ -1180,6 +1182,21 @@ func sanitizeFilename(name string) string {
 	return clean
 }
 
+func collectorPathKey(name string) string {
+	trimmed := strings.TrimSpace(name)
+	if trimmed == "" {
+		return "entry"
+	}
+
+	safe := sanitizeFilename(trimmed)
+	if safe == trimmed {
+		return safe
+	}
+
+	sum := sha256.Sum256([]byte(trimmed))
+	return fmt.Sprintf("%s_%s", safe, hex.EncodeToString(sum[:4]))
+}
+
 // GetStats returns current collection statistics
 func (c *Collector) GetStats() *CollectionStats {
 	c.statsMu.Lock()

internal/backup/collector_helpers_extra_test.go

@@ -1,6 +1,9 @@
 package backup
 
-import "testing"
+import (
+	"strings"
+	"testing"
+)
 
 func TestSummarizeCommandOutputText(t *testing.T) {
 	if got := summarizeCommandOutputText(""); got != "(no stdout/stderr)" {
@@ -38,3 +41,25 @@ func TestSanitizeFilenameExtra(t *testing.T) {
 		}
 	}
 }
+
+func TestCollectorPathKey(t *testing.T) {
+	if got := collectorPathKey("store1"); got != "store1" {
+		t.Fatalf("collectorPathKey(store1)=%q want %q", got, "store1")
+	}
+
+	unsafe := "../evil"
+	got := collectorPathKey(unsafe)
+	if got == unsafe {
+		t.Fatalf("collectorPathKey(%q) should not keep unsafe value", unsafe)
+	}
+	if got == sanitizeFilename(unsafe) {
+		t.Fatalf("collectorPathKey(%q) should add a disambiguating suffix", unsafe)
+	}
+	if !strings.HasPrefix(got, "__evil") {
+		t.Fatalf("collectorPathKey(%q)=%q should start with sanitized prefix", unsafe, got)
+	}
+
+	if a, b := collectorPathKey("a/b"), collectorPathKey("a_b"); a == b {
+		t.Fatalf("collectorPathKey should avoid collisions: %q == %q", a, b)
+	}
+}