v0.15.0

ProxSave v0.15.0

🧪 Installer UX upgrades, optional post install audit, and major testability expansion across restore paths

This release focuses on making installation and upgrades easier to operate while greatly expanding unit test coverage for critical restore workflows. It adds a guided post install audit that can disable unused collectors, improves the TUI wizard when editing existing configs, removes obsolete legacy compatibility layers, and introduces extensive dependency injection hooks so mount guards, firewall, access control, NIC mapping, and PBS staged apply can be tested thoroughly without touching the real system.

• Installer and wizard improvements

  • TUI install wizard can now prefill fields from an existing env template when editing, with tighter validation and preserved delivery preferences for Telegram and Email
  • Clearer behavior when a config file already exists, with refined prompts and updated docs for both CLI and TUI flows
  • Documentation updates to clarify prompts, cloud guidance, and installer flow details

• Optional post install audit using dry run

  • Added an optional post install audit that runs a proxsave dry run to detect unused BACKUP collectors and offers to disable them
  • CLI flow supports per key decisions and writes changes atomically only after explicit confirmation
  • TUI flow provides an interactive review UI, with improved logging, result summaries, and error surfacing
  • Installer session logs are documented, including where to find them under /tmp

• Removal of obsolete legacy compatibility

  • Removed the ENABLE_GO_BACKUP flag and related dead code and wrappers
  • Removed the prefilter manual command and cleaned up associated docs and tests
  • Consolidated bundle creation by routing callers to Orchestrator.createBundle and simplified legacy identity and orchestrator helpers

• Major restore testability and coverage expansion

  • Mount guards are now mockable via injectable function variables, enabling extensive unit tests for guard creation, mount detection, bind and remount behavior, unmount flows, fstab fallbacks, and timeout handling
  • PBS API apply root privilege checks are now injectable to enable full test coverage of service checks, error paths, and API apply behavior
  • Firewall restore flow is now fully mockable with broad new tests covering rollback arming and disarming, markers, prompts, file operations, fallbacks, and error branches
  • Access control apply and rollback flows are now mockable, with comprehensive tests for scripts, mounting checks, prompt timeouts, commit and abort paths, and failure handling
  • NIC mapping logic now supports a configurable sys class net path for tests, with a large new test suite covering inventory parsing, mapping computation, and repair planning and apply
  • PBS staged apply adds hookable functions for all key operations, with two new comprehensive test suites covering parsing, validation, fallbacks, deferral logic, atomic write errors, job and tape apply paths, permission checks, and edge cases

• Dependencies

  • Bumped filippo.io/edwards25519 from 1.1.0 to 1.1.1

Behavior changes to note

• ENABLE_GO_BACKUP support has been removed along with its legacy wrappers
• The prefilter manual command has been removed

Overall: a much smoother install experience, an optional guided audit to keep configs lean, and significantly stronger regression protection for the riskiest restore paths through deep testability improvements.

Changelog

• b55fa52 Sync dev to main (#162)

v0.14.1

ProxSave v0.14.1

🧷 Rootless-friendly collection: privilege-sensitive failures become SKIPs (with clearer hints)

• Rootless/LXC detection + safer reporting: Detect unprivileged/shifted user-namespace environments (rootless, LXC) and downgrade known privilege-sensitive command failures to non-critical SKIP instead of warnings.
• Targeted command handling: Collector now treats failures from dmidecode, blkid, sensors, and smartctl as SKIPs when matching expected permission patterns, reducing false-positive noise in constrained environments.
• Better diagnostics and testability: Added environment detection via /proc/self/{uid_map,gid_map} and /run/systemd/container, plus a deps hook for overrides; expanded unit tests for detection and failure matching.
• Clearer operator guidance: Logging now includes SKIP lines with concise hints (e.g. “fstab remap may be limited”), and docs were updated to explain the behavior and restore implications.
• Message cleanup: Standardized and shortened blkid/unprivileged skip wording, centralized the reason text, simplified Skip logging, and updated tests/docs accordingly.

Overall: cleaner logs and more predictable behavior when running ProxSave in rootless or user-namespace environments, without masking genuinely actionable issues.

Changelog

• 99d227c Sync dev to main (#159)

v0.14.0

ProxSave v0.14.0

🧭 PBS API-first restores, chunked artifacts, safer staging, and bounded IO across backups/restores

This release is a major step forward in restore safety, scalability, and operator control. It introduces an API-first, UI-driven PBS staged restore flow (with explicit Merge vs Clean behavior), adds chunking + reassembly to handle large artifacts and improve selective restores, hardens restore staging directory lifecycle and permissions, and makes several key operations cancellable and bounded (streaming category analysis, PVESH timeouts, filesystem IO timeouts). It also improves compatibility diagnostics, rollback handling, and test robustness.

• PBS staged restore: API-first + UI-driven reconciliation (Merge vs Clean 1:1):

  • Added PBS notifications backup/restore, including notifications.cfg / notifications-priv.cfg and a generated notifications_summary.json.
  • Implemented API-based PBS apply (proxmox-backup-manager) with strict 1:1 reconciliation support and controlled fallbacks.
  • Moved PBS restore reconciliation out of backup.env and into an interactive restore-time choice:
    • Merge: non-destructive behavior; skips destructive/API-unavailable actions.
    • Clean (1:1): strict reconcile allowed; file-based fallbacks are permitted when needed.
  • Introduced a dedicated final staged phase for PBS API-backed applies (node, datastores, remotes, jobs, notifications):
    • File-based config apply runs while PBS services remain stopped.
    • The final API phase may temporarily start services, applies API-backed categories, and then attempts to stop services again.
  • Improved PBS API/UI error reporting: capture and surface API availability errors, and return a descriptive error when Merge mode skips API-applied categories.
  • Hardened PBS list parsing (sanitized keys, stricter rows, descriptive errors with row indexes and available keys).
  • Improved deterministic cleanup ordering for notifications in strict mode (matchers cleaned before endpoints to avoid reference-blocked cleanup).

• Chunking + reassembly for large artifacts (and better selective restore matching):

  • Implemented smart file chunking with metadata (SHA256, .chunked markers) and robust chunk write logic.
  • Added ReassembleChunkedFiles after extract:
    • Discovers chunks (numeric sort), concatenates, validates integrity, reapplies chmod/chown/mtime, and restores metadata.
  • Improved selective restore path matching and mapping of chunk artifacts back to original paths (originalPathFromChunk) to reduce missed matches.
  • Added extensive unit test coverage for chunking, discovery, validation, and reassembly behavior.

• Backup prefiltering + structured-config safety (less damage, better stats):

  • Enhanced backup prefiltering with detailed stats, symlink skipping, and safer normalization rules.
  • Avoids normalization of known structured config roots:
    • /etc/proxmox-backup, /etc/pve, /etc/ssh, /etc/pam.d, /etc/systemd/system.
  • Normalization helpers now return (changed bool) and normalization is limited to safe text normalization (no sorting).
  • Added recovery for malformed/flattened PBS datastore.cfg:
    • Detect duplicate keys and attempt to restore content from pbs_datastore_inventory.json using a lightweight inventory parser.
  • Added a new prefilter-manual CLI command to run the prefilter standalone (custom root/max-size/log-level).

• Restore staging dirs: secure lifecycle, cleanup, and safer defaults:

  • Added secure staging directory creation under /tmp/proxsave/restore-stage-*:
    • 0700 permissions, PID-aware naming, unique creation via MkdirTemp with timestamp/pid pattern.
  • Added cleanupOldRestoreStageDirs() and wired it into orchestrator startup/UI paths to remove aged staging dirs.
  • Added PROXSAVE_PRESERVE_RESTORE_STAGING and preserve-on-warnings behavior (including staged installs/network), plus auto-removal after successful clean restores.
  • Improved logs around staging creation/cleanup and documented the behavior.

• Streamed + cancellable category analysis with safe fallback:

  • AnalyzeBackupCategories now accepts a context and scans archives streaming (O(1) memory), enabling cancellation and better error handling.
  • Avoids double-closing underlying files from decompression readers.
  • Detects category availability on-the-fly and exposes an injectable analysis function for testing.
  • Falls back to a safe full restore with a user-facing message when analysis fails; added tests (including truncated-tar error handling).

• Broader context cancellation support and restore code hardening:

  • Added ctx.Err() checks in long-running loops (backup history/replication aggregation) for early cancellation.
  • Ensured restore apply paths handle nil contexts safely (createBundle, decrypt TUI, guardMountPoint, access control applies).
  • Introduced a context-aware reader (contextReader) so large io.Copy operations can be cancelled cleanly.
  • Refactored many restore internals: tighter error checks, reduced unused parameters, improved confirm/preview messaging, and clearer restore destination warnings.

• PVE service management and restore ordering correctness:

  • Centralized PVE cluster service management into a single ordered list.
  • Stop order is now correct and tested (reverse order: pvestatd → pveproxy → pvedaemon → pve-cluster), start uses forward order.
  • Updated docs/diagrams to reflect the corrected stop sequence.

• Security hardening and rollback artifact robustness:

  • Hardened permissions for rollback artifacts and markers to 0600 (archive, scripts, marker/location files).
  • Ensured rollback log files are created before writing markers/scripts.
  • Removed redundant shebang lines from generated rollback scripts.
  • Ensured firewall rollback disarm cleans up scripts, logging failures without failing the flow; added tests.

• Compatibility messaging, warnings, and UX improvements:

  • ValidateCompatibility now produces clearer warnings/errors when backup/system type cannot be detected (includes type info where available).
  • Final restore summary now reflects logged warnings (logger.HasWarnings()), with unit test coverage.
  • Fixed category toggle/deselection logic so deselecting truly removes entries from the selection map; selection counts now reflect len(selected).
  • Improved logStep messages to include step index for clearer progress tracing.

• Bounded execution to avoid hangs: PVESH and filesystem IO timeouts:

  • Added PVESH_TIMEOUT and applied per-call timeouts to pvesh operations.
  • Extended PVE storage parsing to capture runtime fields (active, enabled, status) with tolerant parsing of bool/int/string forms:
    • Includes runtime info in logs and can skip storages that appear unavailable to reduce hangs.
  • Added FS_IO_TIMEOUT and a new internal/safefs bounded probe layer (stat, readdir, statfs) to avoid blocking on unreachable mounts.
  • Propagated IO timeouts through datastore/storage sampling, directory/file sampling, PXAR metadata collection, and report generation; timeouts are handled gracefully with warnings/skips.
  • Fixed pvesh context cancellation handling and tightened deps signatures for command/run/lookpath to accept contexts/timeouts.

• Collector refactor: bounded filesystem sampler replaces legacy PXAR sampling:

  • Replaced the complex fanout-based PXAR sampling implementation with a simpler bounded sampler (fs_sampling_bounded).
  • Removed deprecated PXAR tuning options and related code paths/fields from CollectorConfig.
  • Updated docs/templates:
    • Cleaned up legacy env mappings for PXAR knobs.
    • Simplified public config examples and clarified sampling semantics.
    • Noted include/exclude pattern reuse for PVE datastore sampling.

• Lock-file correctness and CI hygiene:

  • Lock checks now parse pid/host/time metadata, perform same-host PID liveness checks (injectable killFunc), and remove stale locks when appropriate.
  • Prevented tests from creating a --progress artifact; removed stale artifacts before runs.
  • Hardened rclone-copy stubs to reject empty or flag-like destinations (starting with --) to avoid accidental writes.
  • General test cleanup and refactors to accommodate new context/timeouts and API behavior.

• Build/versioning improvements:

  • Makefile VERSION derivation now produces stable dev-style version strings (tag + dev count + sha + .dirty handling) for both build and build-release.

• Dependencies:

  • Bumped golang.org/x/term to 0.40.0.
  • Bumped golang.org/x/crypto to 0.48.0.

Breaking/behavior changes to note:

• PBS restore reconciliation is now selected interactively (Merge vs Clean 1:1). The previous env-driven RESTORE_PBS_APPLY_MODE / RESTORE_PBS_STRICT settings were removed.
• Several legacy PXAR tuning knobs were removed as the collector moved to a bounded sampling implementation.

Overall: more reliable PBS restores (API-first with explicit operator intent), better handling of large artifacts via chunking, safer staging with stronger permissions and cleanup, and fewer hangs thanks to bounded IO and cancellable workflows.

Changelog

• 9469d02 Sync dev to main (#158)
• 5d571a2 Verify/repair PBS notifications after restore

v0.13.6

ProxSave v0.13.6

🧱 Quieter PVE ACL logging, atomic staged restores, and more reliable tests

• PVE ACL clarity + less log noise: Expanded docs around BACKUP_PVE_ACL (users/roles/groups/ACL; domains/realms optional) and made domains.cfg optional so it’s not warned/counted as missing on default standalone PVE installs.
• Atomic writes for staged restores: Introduced a centralized atomic write + inherited metadata utility (fs_atomic) and switched staged-apply paths (network, PBS, PVE, firewall, HA, notifications) to write atomically while enforcing final ownership/permissions (avoids umask-related issues). Removed duplicate atomic write implementation.
• Ownership/permissions inheritance improvements: Staged restores now inherit uid/gid/mode from the nearest existing parent (including repairing common root:root group regressions) with additional unit tests and updated docs.
• Durability hardening: writeFileAtomic now fsyncs file data and fsyncs the parent directory (treating unsupported dir fsync as non-fatal). Added a safe default case in rclone discovery to skip unsupported switch branches.
• Test reliability: Orchestrator tests now use isolated temp dirs via a fully populated CheckerConfig, avoid repo lock-file reliance, and include better cleanup. Added FS operation hooks to make atomic-write tests hermetic without requiring root.
• Docs/README updates: Updated RESTORE/TROUBLESHOOTING guidance for atomic/staged behavior and PBS permission recovery; refreshed README and credits; updated .backup.lock metadata.

Overall: cleaner PVE ACL reporting, safer staged restores via durable atomic writes with correct ownership, and a sturdier, less flaky test suite.

Changelog

• ed09735 Sync dev to main (#147)

v0.13.5

ProxSave v0.13.5

🧩 Config var expansion, clearer docs, and correct PVE ACL collection

• Config var expansion: Added ${VAR} / $VAR expansion for scalar config values (config keys first, then environment) with caching + cycle protection; preserves historical BASE_DIR behavior. Includes unit tests.
• Docs/templates updated: Documented expansion behavior and clarified backup.env values are resolved by ProxSave without requiring export.
• PVE ACL correctness: Aligned collection and docs with Proxmox behavior (ACLs live in user.cfg), updated collector logic and tests accordingly.

Overall: more flexible configuration, clearer guidance, and more accurate PVE ACL handling.

Changelog

• 7ebae93 Sync dev to main (#143)

v0.13.4

ProxSave v0.13.4

🧰 More granular collectors, clearer end-of-run summaries, and safer restore UX refinements

This release tightens operational clarity and configurability across backup and restore workflows. It adds issue capture with end-of-run summaries, introduces finer PBS collection toggles with clearer logging, improves PVE manifest/cluster handling, prunes deprecated env keys during upgrades, and refines restore interaction and network rollback UX for more reliable operation on constrained terminals (IPMI/serial). It also improves notifier ergonomics with automatic email recipient detection and bumps the Go toolchain.

• End-of-run issue capture and summary reporting:
  • Logger now captures WARNING/ERROR/CRITICAL lines as sanitized single-line “issue entries” for later reporting.
  • Added thread-safe accessors for warning/error counts and collected issue lines.
  • Final-run summaries can now print the captured issue lines to surface root causes quickly.
• Granular PBS collection toggles + clearer logs:
  • Added fine-grained PBS flags to independently enable/disable subcomponents (S3 endpoints, node config, ACME accounts/plugins, metric servers, traffic control, PBS network config).
  • Collector/orchestrator logic now respects these flags (exclude files, skip commands/snapshots when disabled), with clearer per-file status messages via disable hints.
  • Updated docs, tests, and env templates to reflect the new options.
• Improved PVE manifest logging and cluster handling:
  • populatePVEManifest now always initializes the manifest and uses structured logging options for consistent, descriptive output.
  • Better “not found” accounting and richer record descriptions (including disable hints) for PVE config items.
  • Refined cluster logic to separate BACKUP_CLUSTER_CONFIG gating from node/cluster-specific actions; improved copy/skip logging and tuned log levels for firewall, VZDump, and Ceph detection.
  • Added a template note explaining that enabled-but-unconfigured features may emit warnings and can be disabled via BACKUP_* flags.
• Config/upgrade cleanup: prune deprecated keys and fully populate results:
  • Removed BASE_DIR and CRON_* from generated backup.env (BASE_DIR is auto-detected; cron is managed via crontab).
  • Config upgrade now prunes deprecated keys (BASE_DIR, CRON_SCHEDULE, CRON_HOUR, CRON_MINUTE), emits a warning, and avoids rewriting unless missing keys were added or deprecated lines were removed.
  • Even when no content changes occur, UpgradeResult is now fully populated (MissingKeys, ExtraKeys, CaseConflictKeys, PreservedValues, Warnings) for consistent caller behavior.
• Network parsing and rollback UI improvements:
  • Network snapshot IP extraction now robustly returns the primary address with CIDR, handles whitespace/tokenization safely, and prefers IPv4 when available (with unit tests for IPv4/IPv6/CIDR and missing snapshots).
  • Added suppressPVEChecks for cluster restores to skip PVE-specific health checks and adjust network health options.
  • Restore UI messaging improved with observed/original IP context and reconnect-host guidance.
  • applyNetworkWithRollbackWithUI now returns a constructed NetworkApplyNotCommittedError for richer downstream reporting.
• Prompt UX reliability on constrained terminals:
  • Removed live-updating countdown prompts in CLI/TUI and replaced them with a single-line deadline display (HH:MM:SS + total seconds).
  • Simplified input handling to use ReadLineWithContext directly, avoiding carriage-return update issues on IPMI/serial consoles while preserving timeout/cancel behavior.
• Email notifier: recipient auto-detection:
  • Implemented automatic recipient discovery for root@pam across Proxmox platforms:
    • Try pvesh first, fall back to pveum / proxmox-backup-manager, and finally parse user.cfg from PVE/PBS locations.
  • Added helpers for redaction and truncated diagnostics, improved debug logging, expanded tests, and updated CONFIGURATION/TROUBLESHOOTING docs with quick verification steps.
• Maintenance and tooling:
  • Cleaned up duplicated parse comments above Config.parse.
  • Bumped Go toolchain to 1.25.7.

Overall: more configurable backups (especially PBS), clearer and more actionable run summaries, cleaner env upgrades with deprecated-key pruning, and a more robust restore/operator experience—especially on real-world consoles and clustered restores.

Changelog

• dbd5b7c Sync dev to main (#138)

v0.13.3

ProxSave v0.13.3

🧩 Cleaner config upgrade diffs, smarter key insertion, and clearer upgrade reporting

This maintenance release improves the configuration upgrade experience by making upgrades more readable and less disruptive: missing template keys are inserted in a way that respects the user’s existing ordering, unanchored keys are grouped into a dedicated upgrade section, and upgrade results expose clearer summaries (including case-only conflicts). It also improves operator visibility by logging exactly which keys were added, and completes additional Italian → English comment/template text translations.

• Better visibility after upgrades: When an upgrade adds missing keys, ProxSave now logs an Info message showing the count and a comma-separated list of newly introduced keys (cfgUpgradeResult.MissingKeys).
• Insert missing template keys without reshuffling user config:
  • Config upgrade logic now preserves user key positions and inserts missing template entries near related “anchor” keys to avoid unnecessary rewrites.
  • parseEnvValues records per-key source ranges and computeConfigUpgrade builds ordered insert operations (sorted) to merge template lines into the original file with minimal diffs.
  • Improved handling for block (multi-line) values while preserving extra keys and casing-related warnings.
• Dedicated upgrade section for unanchored keys:
  • Missing entries that have no nearby anchor are collected and appended under a single # Added by upgrade section (with appropriate spacing) instead of being inserted arbitrarily.
  • Template order is tracked via an index field to keep appended entries stable and predictable.
• Clearer casing conflict behavior and reporting:
  • Improved warning wording for case-only differences (“preserved with original casing”).
  • Added CaseConflictKeys to the upgrade result and preserved case-conflict keys in place instead of treating them as extra keys.
  • Updated CLI output to print case-conflict summaries for dry-run and upgrade flows.
• Consistent upgrade result state: MissingKeys is now always populated (empty slice when none are missing) to avoid inconsistent result handling by callers.
• Documentation and comment language consistency: Translated remaining Italian comments and user-facing template/docs text to English (including backup.env template comments), with no functional behavior changes.

Overall: config upgrades are now more predictable and operator-friendly—minimal diffs, stable ordering, clearer summaries (including case conflicts), and better post-upgrade visibility of what changed.

Changelog

• e3d9e70 Sync dev to main (#135)

v0.13.2

ProxSave v0.13.2

🧾 Config upgrade fidelity, comment/case preservation, and actionable upgrade warnings

This fix release hardens the backup.env parsing and upgrade pipeline to be much more faithful to real-world configs. It improves handling of comments (inline and block), key casing, legacy export prefixes (with arbitrary whitespace), and multiline values, while adding non-fatal warnings that surface potential issues during plan/upgrade runs. The result is safer upgrades with fewer surprises and clearer operator feedback.

• More faithful env rewriting (SetEnvValue):
  • Skips commented lines and preserves indentation and inline comments when replacing values.
  • Detects and preserves an optional leading export token, normalizing whitespace (e.g. export FOO=...) instead of dropping it.
• Stronger parsing for real-world env files:
  • parseEnvFile/parseEnvValues now ignores comment-only lines inside multiline block values, and stores comment text alongside parsed values.
  • splitKeyValueRaw handles legacy export prefixes, extracts quoted/unquoted values more robustly, and returns parsed inline comments.
  • Normalizes env keys to uppercase for consistent lookups while remaining compatible with legacy/lowercase configs (including multiline and multi-value keys).
• Upgrade logic correctness and no-op detection:
  • computeConfigUpgrade uses case-insensitive lookups, tracks processed user keys, preserves original user casing for extra keys, and counts preserved values correctly.
  • Detects no-op upgrades by comparing rendered content to the original file content.
  • Ensures case-insensitive handling of block-value keys in the upgrade logic.
• Non-fatal upgrade warnings (surfaced in CLI):
  • Added Warnings []string to the upgrade result and propagated warnings end-to-end so they print during plan/upgrade operations.
  • Warns about duplicate template keys that differ only by case, case-collisions between user keys and template keys, and ignored non-KEY=VALUE lines (multiline behavior preserved).
• New shared parsing utilities + unified behavior:
  • Introduced string helpers (FindInlineCommentIndex, FindClosingQuoteIndex, SetEnvValue) to centralize handling of inline comments, escaped #, and quoted values.
  • Replaced local setEnvValue implementations to use the unified utility function across the codebase.
• Legacy export whitespace edge cases fixed:
  • Export detection now uses a Fields-based parse so export\t\tKEY=... works correctly and keys like exporter=... are not misidentified.
  • Added coverage for tabbed whitespace and multiple spacing variants.
• Preservation tests and regression coverage:
  • Added tests verifying inline comments are preserved through upgrades (including quoted # cases).
  • Added tests verifying block-style comment lines inside multiline variables are preserved.
  • Added tests for lowercase-key normalization across multiline and multi-value accumulation.
• Minor housekeeping:
  • Updated internal/orchestrator/.backup.lock (pid/time) as part of the changeset.

Overall: config upgrades are now safer and more predictable—comments and formatting are preserved, casing and legacy export syntax are handled correctly, and potential pitfalls are reported as clear, non-fatal warnings.

Changelog

• a2bd350 Sync dev to main (#132)

v0.13.1

ProxSave v0.13.1

🛠️ Smarter config upgrades, machine-readable upgrade output, and clearer upgrade UX

This patch release focuses on upgrade-time correctness and operator clarity, improving how backup.env is upgraded during binary upgrades. It adds a machine-readable JSON mode for config upgrades, wires automatic template-key merging into the upgrade flow, hardens multi-line env parsing/rendering, and refines prompts, previews, and error reporting for easier troubleshooting.

• Automatic config upgrade during binary upgrades: The upgrade flow now runs the newly installed binary to merge template changes into backup.env, adding missing keys while preserving existing values.
• Machine-readable upgrade mode: Added --upgrade-config-json to emit structured config-upgrade results suitable for automation and tooling, with robust error handling and diagnostics.
• Multi-line env value correctness: Implemented resilient parsing/rendering for block (multi-line) env values, preserving block entries and supporting multiple values per key.
• Refactored env parsing utilities: Introduced helpers (parseEnvValues, splitKeyValueRaw, renderEnvValue, findClosingQuoteLine) and updated computeConfigUpgrade to maintain fidelity of complex env structures.
• Clearer prompts and operator messaging: Upgrade prompts now explicitly mention that a backup will be created and backup.env may be updated; printUpgradeFooter reports detailed upgrade outcomes or errors.
• Improved previews and error reporting: Added a maximum JSON preview length for invalid JSON, improved parse errors to include the config path, and reported the starting line number for unterminated multi-line values.
• Test robustness across platforms: Normalized CRLF vs LF handling in tests to keep assertions deterministic on different environments.

Overall: safer and more transparent upgrades, better automation support via JSON output, and correct handling of complex backup.env values.

Changelog

• 9505c08 Sync dev to main (#129)

v0.13.0

ProxSave v0.13.0

🧭 Major restore/category overhaul, staged SAFE-apply expansion, and storage/mount-guard hardening

This is a major release that significantly evolves both backup layout and restore capabilities. It introduces a broader staged-apply model (especially for access control and notifications), adds new transactional and rollback-protected restore paths (firewall/HA), hardens storage safety with mount guards and smarter /etc/fstab handling (including stable device remapping), and makes backup collection more configurable via feature-based and pattern-based exclusions. Diagnostics are also centralized and the overall UX/logging is clearer and safer.

• Restore categories expanded + staged apply model upgraded:
  • Added new staged categories for PVE/PBS access control and notifications with dedicated restore UI hooks.
  • Added pbs_remotes, maintenance_pbs, and updated pbs_config to export-only (explicitly never writing full /etc/proxmox-backup back to the system; subsets are applied via staged categories).
  • Extended docs to explain handling types (Normal / Staged / Export-only) and introduced a “Pass 3” staged-apply phase in restore documentation.
• Access control restore reworked with safer semantics:
  • PVE access control now supports 1:1 file apply to pmxcfs for standalone restores, preserving root@pam safety rails and ensuring root@pam keeps Admin on /.
  • PBS access control restored 1:1, while preserving root@pam and its tokens/TFA from the fresh install for safety.
  • Added an access-control rollback workflow (timed rollback + dedicated rollback backup) to reduce risk when applying sensitive identity/ACL changes.
• Transactional restore additions (rollback-protected):
  • PVE firewall restore with transactional rollback timer, dedicated firewall rollback backup, and glob support for safety backup logic.
  • PVE HA restore via new pve_ha category with staged logic, rollback timer, confirmation workflow, and HA rollback backup integration.
  • Added PVE SDN staged restore handling (pve_sdn) with apply functions wired into the restore workflow.
• Storage safety: mount guards + cleanup mode + improved ordering:
  • Introduced mount guard logic for PBS and PVE to protect mountpoints when storage is offline during restore (avoid accidental writes).
  • Added --cleanup-guards mode (with validation against conflicting flags) and a testable cleanup implementation that safely handles hidden/overmounted guards.
  • Reordered restore workflow to run fstab merge before PBS datastore config, and added guard application hooks earlier in staging.
• Smarter /etc/fstab restore with stable device remapping:
  • Enhanced fstab restore to remap unstable /dev/* references to UUID/PARTUUID/LABEL using collected inventory (blkid/lsblk JSON/PBS inventory).
  • Improved SmartMergeFstab logic, user feedback, and added targeted tests for remapping and mount-guard interaction.
• Backup category/layout reorganization + centralized diagnostics:
  • Centralized all ProxSave-generated diagnostics under var/lib/proxsave-info/ and removed legacy scattered output directories.
  • Fixed home restore mapping by storing /home/* under ./home/<user> (avoids restoring into legacy /users/... paths).
  • Expanded/reshaped category set (e.g. network/ssl/services, storage_stack, user_data, proxsave_info export-only) and added glob support for category path matching (e.g. auto.*).
  • Kept backward compatibility for legacy backups (resolv.conf repair + NIC inventory fallbacks).
• Config snapshot collection now feature-aware (less noise, more intent):
  • Implemented selective feature-based exclusions for directory snapshots (without affecting other collectors).
  • PBS snapshot now excludes disabled-feature files (e.g. datastore.cfg, user.cfg, remote.cfg, sync.cfg, etc.) and logs per-file collection status.
  • PVE snapshot now respects feature flags for VM configs, firewall, ACL, jobs, cluster DB capture, corosync handling, and SSH key collection.
• Exclusion patterns applied across archive packing + metadata/report generation:
  • Added exclusion support to tar packing (match against host and archive paths; works with or without leading slashes).
  • Skips excluded files/dirs consistently across copy helpers, command output reports, manifest writing, and backup metadata generation.
  • Added collection outcome tracking via FilesNotFound / FilesSkipped counters and richer status reporting for skipped config paths.
• PBS coverage expansion (host/integrations, tape, S3, proxy/SSL):
  • Added staged PBS categories like pbs_host and pbs_tape, expanded datastore_pbs to include s3.cfg, and aligned categories/docs.
  • Enabled restore of PBS proxy configuration (proxy.cfg) and SSL assets (proxy.pem, proxy.key, ssl/) with updated tests/docs.
• Improved restore UX and safety guidance (TFA/WebAuthn and TTY issues):
  • Better guidance and UI logic for restoring TFA/WebAuthn, including recommendations for network + ssl and warnings about hostname/origin changes.
  • Enhanced restore workflow UI to handle unexpected EOF on input, warning about possible TTY loss and suggesting re-running interactively.
• Cloud backup discovery: clearer failures and timeout clarity:
  • Improved error handling/logging for manifest/metadata read errors during rclone-based discovery, with guidance for slow remotes and rclone failures.
  • Clarified RCLONE_TIMEOUT_CONNECTION as per-command during scanning (timer resets per rclone lsf/cat).
• Observability and logging improvements:
  • Improved update-check logging in main.go (more visible Info-level messages).
  • Refined log line classification and filtering to ignore DEBUG lines even if they contain error keywords; expanded tests.
• Collector refactors + storage inventory:
  • Split PBS datastore logic into dedicated modules and added a datastore inventory collector for advanced storage configs (LVM/ZFS/Multipath/iSCSI), critical files (including /etc/crypttab), and referenced keys.
  • Improved test hygiene and resource cleanup to prevent temp-directory leaks.
• Installer robustness and portability:
  • Added centralized HTTP helpers (fetch/download) using curl/wget and made GitHub release tag fetch more robust (prefer jq with regex fallback).
• Security and dependency updates:
  • Bumped dependencies including github.com/gdamore/tcell/v2 to 2.13.8, golang.org/x/term to 0.39.0, golang.org/x/crypto to 0.47.0, and golang.org/x/text to 0.33.0.
• Additional hardening and correctness fixes:
  • Input deadline handling now returns context.DeadlineExceeded (with tests) instead of mapping deadlines to abort errors.
  • Improved /proc/self/mountinfo path unescaping with manual octal decoding, out-of-range preservation, and thorough unit tests.
  • PVE pool apply now handles “already exists” gracefully and ensures comments are set; includes new tests.
  • Notification restore now redacts sensitive fields to prevent secret leakage in command errors; includes tests.

Overall: a big step forward in restore safety and capability—new staged/transactional workflows, safer access control handling, mount-guarded storage restores, smarter fstab recovery, a cleaner backup/category layout, and stronger exclusions, diagnostics, and test coverage.

Changelog

• fbd01e9 Sync dev to main (#127)