fix: address P0/P1 security and reliability issues in restic session backups

Security (P0):
- Remove password from structured logs to prevent credential leakage to
  centralized log systems (Splunk, Datadog, etc.)

Reliability (P1):
- Add dependency checks for jq and flock before installing backup scripts
- Add flock to prune script using same lock file as backup script to
  prevent concurrent runs and restic lock contention
- Add ValidateResticDuration() to validate --keep-within input before
  script generation, preventing runtime prune failures
- Deprecate --use-restic flag (restic is now mandatory) with clear warning
  message when user explicitly sets --use-restic=false

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: CodeMonkeyCybersecurity

cmd/create/code.go

@@ -89,6 +89,14 @@ func init() {
 	CreateCodeCmd.Flags().Bool("skip-session-backups", false, "Skip setting up automatic session backups")
 	CreateCodeCmd.Flags().String("backup-interval", "hourly", "Session backup frequency: 30min, hourly, 6hours, daily")
 
+	// Restic backup flags
+	CreateCodeCmd.Flags().Bool("use-restic", true, "[DEPRECATED] Restic is now mandatory; this flag is ignored")
+	CreateCodeCmd.Flags().String("keep-within", "48h", "Keep all snapshots within this duration")
+	CreateCodeCmd.Flags().Int("keep-hourly", 24, "Number of hourly snapshots to keep after keep-within")
+	CreateCodeCmd.Flags().Int("keep-daily", 7, "Number of daily snapshots to keep")
+	CreateCodeCmd.Flags().Int("keep-weekly", 4, "Number of weekly snapshots to keep")
+	CreateCodeCmd.Flags().Int("keep-monthly", 12, "Number of monthly snapshots to keep")
+
 	// Network flags
 	CreateCodeCmd.Flags().StringSlice("allowed-networks", []string{},
 		"Additional CIDR ranges to allow SSH from (e.g., 203.0.113.0/24)")
@@ -171,6 +179,31 @@ func runCreateCode(rc *eos_io.RuntimeContext, cmd *cobra.Command, args []string)
 		config.SessionBackupInterval = parseBackupInterval(backupInterval)
 	}
 
+	// Restic backup flags
+	if useRestic, err := cmd.Flags().GetBool("use-restic"); err == nil {
+		config.UseRestic = useRestic
+	}
+
+	if keepWithin, err := cmd.Flags().GetString("keep-within"); err == nil {
+		config.ResticKeepWithin = keepWithin
+	}
+
+	if keepHourly, err := cmd.Flags().GetInt("keep-hourly"); err == nil {
+		config.ResticKeepHourly = keepHourly
+	}
+
+	if keepDaily, err := cmd.Flags().GetInt("keep-daily"); err == nil {
+		config.ResticKeepDaily = keepDaily
+	}
+
+	if keepWeekly, err := cmd.Flags().GetInt("keep-weekly"); err == nil {
+		config.ResticKeepWeekly = keepWeekly
+	}
+
+	if keepMonthly, err := cmd.Flags().GetInt("keep-monthly"); err == nil {
+		config.ResticKeepMonthly = keepMonthly
+	}
+
 	// Windsurf-specific flags
 	if skipConnCheck, err := cmd.Flags().GetBool("skip-connectivity-check"); err == nil {
 		config.SkipConnectivityCheck = skipConnCheck

pkg/remotecode/install.go

@@ -89,13 +89,21 @@ func Install(rc *eos_io.RuntimeContext, config *Config) (*InstallResult, error)
 		}
 	}
 
-	// INTERVENE - Set up session backups
+	// INTERVENE - Set up session backups (restic-based with deduplication)
 	if config.SetupSessionBackups && !config.SkipSessionBackups {
-		logger.Info("Setting up coding session backups")
+		logger.Info("Setting up coding session backups (restic)")
 		backupConfig := &SessionBackupConfig{
 			User:         config.User,
 			CronInterval: config.SessionBackupInterval,
 			DryRun:       config.DryRun,
+			UseRestic:    config.UseRestic,
+			RetentionPolicy: &ResticRetentionPolicy{
+				KeepWithin:  config.ResticKeepWithin,
+				KeepHourly:  config.ResticKeepHourly,
+				KeepDaily:   config.ResticKeepDaily,
+				KeepWeekly:  config.ResticKeepWeekly,
+				KeepMonthly: config.ResticKeepMonthly,
+			},
 		}
 		backupResult, err := SetupSessionBackups(rc, backupConfig)
 		if err != nil {