feat: add Vault password integration, hook policy controls, and comprehensive backup test coverage

- Add Vault-managed password support as preferred authentication method (vault.ReadFromVault)
- Add HooksPolicy to Settings with enabled flag and allowed_commands allowlist
- Add RunHookWithSettings() to enforce hook policy and replace direct exec calls
- Add ResolveRepositoryNameFromConfig() helper to centralize repository resolution logic
- Add recordPasswordSource() and recordRepositoryResolution() metrics

Author: CodeMonkeyCybersecurity

.github/workflows/ci.yml

@@ -33,6 +33,9 @@ jobs:
       - name: Run unit tests with race and coverage
         run: go test -short -race -coverprofile=unit.coverage.out -covermode=atomic ./pkg/...
 
+      - name: Run backup-focused unit tests with coverage
+        run: go test -short -race -coverprofile=backup.unit.coverage.out -covermode=atomic ./pkg/backup/...
+
       - name: Enforce unit coverage >= 70%
         run: |
           COVERAGE=$(go tool cover -func=unit.coverage.out | awk '/^total:/ {gsub("%","",$3); print $3}')
@@ -74,6 +77,7 @@ jobs:
           name: ci-unit-artifacts
           path: |
             unit.coverage.out
+            backup.unit.coverage.out
             flaky-summary.txt
 
   ci-integration:

cmd/backup/quick.go

@@ -154,31 +154,34 @@ func resolveQuickBackupRepository(rc *eos_io.RuntimeContext) (string, backup.Rep
 		return "", backup.Repository{}, fmt.Errorf("loading backup configuration: %w", err)
 	}
 
-	repoName := strings.TrimSpace(config.DefaultRepository)
-	if repoName != "" {
-		if _, ok := config.Repositories[repoName]; !ok {
-			return "", backup.Repository{}, fmt.Errorf("default repository %q not found in configuration", repoName)
-		}
+	if repoName, err := backup.ResolveRepositoryNameFromConfig(config, ""); err == nil {
 		repo := config.Repositories[repoName]
+		backup.RecordRepositoryResolution("quick_default", true)
 		logger.Info("Using default repository for quick backup",
 			zap.String("repository", repoName))
 		return repoName, repo, nil
+	} else if config.DefaultRepository != "" {
+		backup.RecordRepositoryResolution("quick_default", false)
+		return "", backup.Repository{}, err
 	}
 
-	if _, ok := config.Repositories[backup.QuickBackupRepositoryName]; ok {
-		repo := config.Repositories[backup.QuickBackupRepositoryName]
+	if repoName, err := backup.ResolveRepositoryNameFromConfig(config, backup.QuickBackupRepositoryName); err == nil {
+		repo := config.Repositories[repoName]
+		backup.RecordRepositoryResolution("quick_named", true)
 		logger.Info("Using quick backup repository from configuration",
 			zap.String("repository", backup.QuickBackupRepositoryName))
-		return backup.QuickBackupRepositoryName, repo, nil
+		return repoName, repo, nil
 	}
 
 	if len(config.Repositories) == 0 {
+		backup.RecordRepositoryResolution("quick_default", false)
 		return "", backup.Repository{}, fmt.Errorf("no repositories configured; add at least one in %s", backup.ConfigFile)
 	}
 
 	if len(config.Repositories) == 1 {
 		for name := range config.Repositories {
 			repo := config.Repositories[name]
+			backup.RecordRepositoryResolution("quick_single_repo", true)
 			logger.Info("Using sole configured repository for quick backup",
 				zap.String("repository", name))
 			return name, repo, nil
@@ -191,6 +194,7 @@ func resolveQuickBackupRepository(rc *eos_io.RuntimeContext) (string, backup.Rep
 	}
 	sort.Strings(repoNames)
 
+	backup.RecordRepositoryResolution("quick_single_repo", false)
 	return "", backup.Repository{}, eos_err.NewExpectedError(rc.Ctx, fmt.Errorf(
 		"multiple repositories configured (%s) but no default_repository set; update %s to select one",
 		strings.Join(repoNames, ", "), backup.ConfigFile))

cmd/backup/update.go

@@ -93,13 +93,13 @@ Examples:
 		if profile.Hooks != nil && len(profile.Hooks.PreBackup) > 0 {
 			logger.Info("Running pre-backup hooks")
 			for _, hook := range profile.Hooks.PreBackup {
-				if err := backup.RunHook(rc.Ctx, logger, hook); err != nil {
+				if err := backup.RunHookWithSettings(rc.Ctx, logger, hook, config.Settings); err != nil {
 					logger.Error("Pre-backup hook failed",
 						zap.String("hook", hook),
 						zap.Error(err))
 					if profile.Hooks.OnError != nil {
 						for _, errorHook := range profile.Hooks.OnError {
-							_ = backup.RunHook(rc.Ctx, logger, errorHook)
+							_ = backup.RunHookWithSettings(rc.Ctx, logger, errorHook, config.Settings)
 						}
 					}
 					return fmt.Errorf("pre-backup hook failed: %w", err)
@@ -122,7 +122,7 @@ Examples:
 			// Run error hooks
 			if profile.Hooks != nil && profile.Hooks.OnError != nil {
 				for _, hook := range profile.Hooks.OnError {
-					_ = backup.RunHook(rc.Ctx, logger, hook)
+					_ = backup.RunHookWithSettings(rc.Ctx, logger, hook, config.Settings)
 				}
 			}
 			return err
@@ -132,7 +132,7 @@ Examples:
 		if profile.Hooks != nil && len(profile.Hooks.PostBackup) > 0 {
 			logger.Info("Running post-backup hooks")
 			for _, hook := range profile.Hooks.PostBackup {
-				if err := backup.RunHook(rc.Ctx, logger, hook); err != nil {
+				if err := backup.RunHookWithSettings(rc.Ctx, logger, hook, config.Settings); err != nil {
 					logger.Warn("Post-backup hook failed",
 						zap.String("hook", hook),
 						zap.Error(err))

docs/backup-observability-runbook.md

@@ -0,0 +1,46 @@
+# Backup Observability Runbook
+
+## Metrics Endpoint
+
+Backup telemetry is exported via Go `expvar` at `/debug/vars`.
+
+Key maps:
+
+- `backup_repository_resolution_total`
+- `backup_config_load_total`
+- `backup_config_source_total`
+- `backup_password_source_total`
+- `backup_hook_decision_total`
+
+## High-Signal Keys
+
+Config and path drift:
+
+- `backup_config_load_total.permission_denied_failure`
+- `backup_config_source_total.canonical_success`
+- `backup_config_source_total.legacy_success`
+- `backup_config_source_total.defaults_success`
+
+Credential source health:
+
+- `backup_password_source_total.vault_success`
+- `backup_password_source_total.vault_failure`
+- `backup_password_source_total.repo_env_success`
+- `backup_password_source_total.secrets_env_success`
+
+Hook policy enforcement:
+
+- `backup_hook_decision_total.allowlist_execute_success`
+- `backup_hook_decision_total.deny_not_allowlisted_failure`
+- `backup_hook_decision_total.deny_bad_arguments_failure`
+- `backup_hook_decision_total.disabled_failure`
+
+## Recommended Alerts
+
+- Config access regression:
+  Trigger if `permission_denied_failure` increases over a 5-minute window.
+- Secret hygiene regression:
+  Trigger if `repo_env_success` or `secrets_env_success` grows faster than `vault_success`.
+- Hook policy pressure:
+  Trigger if `deny_not_allowlisted_failure` spikes and `allowlist_execute_success` drops.
+

pkg/backup/client.go

@@ -18,6 +18,7 @@ import (
 	"github.com/CodeMonkeyCybersecurity/eos/pkg/eos_io"
 	"github.com/CodeMonkeyCybersecurity/eos/pkg/interaction"
 	"github.com/CodeMonkeyCybersecurity/eos/pkg/shared"
+	"github.com/CodeMonkeyCybersecurity/eos/pkg/vault"
 	"github.com/uptrace/opentelemetry-go-extra/otelzap"
 	"go.uber.org/zap"
 )
@@ -270,83 +271,137 @@ func (c *Client) handleRepositoryNotInitialized(resticOutput string) error {
 func (c *Client) getRepositoryPassword() (string, error) {
 	logger := otelzap.Ctx(c.rc.Ctx)
 
-	// 1. Repository-local password file (created by quick backup generator)
+	// 1. Vault-managed secret (preferred when Vault is configured)
+	if isVaultConfigured() {
+		if password, err := c.readPasswordFromVault(); err == nil {
+			recordPasswordSource("vault", true)
+			return password, nil
+		} else {
+			recordPasswordSource("vault", false)
+			logger.Warn("Failed to read repository password from Vault",
+				zap.String("repository", c.repository.Name),
+				zap.Error(err))
+		}
+	}
+
+	// 2. Repository-local password file (created by quick backup generator)
 	localPasswordPath := filepath.Join(c.repository.URL, ".password")
 	if password, err := readPasswordFile(localPasswordPath); err == nil {
+		recordPasswordSource("repo_password_file", true)
 		logger.Debug("Using repository-local password file",
 			zap.String("path", localPasswordPath))
 		return password, nil
 	} else if err != nil && !errors.Is(err, os.ErrNotExist) {
+		recordPasswordSource("repo_password_file", false)
 		logger.Warn("Failed to read repository-local password file",
 			zap.String("path", localPasswordPath),
 			zap.Error(err))
 	}
 
-	// 2. Global secrets directory fallback (used by managed repositories)
+	// 3. Global secrets directory fallback (used by managed repositories)
 	secretsPasswordPath := filepath.Join(secretsDirPath, fmt.Sprintf("%s.password", c.repository.Name))
 	if password, err := readPasswordFile(secretsPasswordPath); err == nil {
+		recordPasswordSource("secrets_password_file", true)
 		logger.Debug("Using secrets directory password file",
 			zap.String("path", secretsPasswordPath))
 		return password, nil
 	} else if err != nil && !errors.Is(err, os.ErrNotExist) {
+		recordPasswordSource("secrets_password_file", false)
 		logger.Warn("Failed to read secrets directory password file",
 			zap.String("path", secretsPasswordPath),
 			zap.Error(err))
 	}
 
-	// 3. Repository `.env` file (temporary secret storage during Vault testing)
+	// 4. Repository `.env` file (compatibility fallback)
 	envPath := filepath.Join(c.repository.URL, ".env")
 	if password, err := readPasswordFromEnvFile(envPath); err == nil {
+		recordPasswordSource("repo_env", true)
 		logger.Debug("Using repository .env file for restic password",
 			zap.String("path", envPath))
 		return password, nil
 	} else if err != nil && !errors.Is(err, os.ErrNotExist) {
+		recordPasswordSource("repo_env", false)
 		logger.Warn("Failed to read repository .env file",
 			zap.String("path", envPath),
 			zap.Error(err))
 	}
 
-	// 4a. Secrets directory .env file (fallback for non-local repositories)
+	// 5. Secrets directory .env file (fallback for non-local repositories)
 	secretsEnvPath := filepath.Join(secretsDirPath, fmt.Sprintf("%s.env", c.repository.Name))
 	if password, err := readPasswordFromEnvFile(secretsEnvPath); err == nil {
+		recordPasswordSource("secrets_env", true)
 		logger.Debug("Using secrets .env file for restic password",
 			zap.String("path", secretsEnvPath))
 		return password, nil
 	} else if err != nil && !errors.Is(err, os.ErrNotExist) {
+		recordPasswordSource("secrets_env", false)
 		logger.Warn("Failed to read secrets .env file",
 			zap.String("path", secretsEnvPath),
 			zap.Error(err))
 	}
 
-	// 4. Environment variable overrides (least preferred, but supported for manual ops)
-	if password := strings.TrimSpace(os.Getenv("RESTIC_PASSWORD")); password != "" {
-		logger.Warn("Using RESTIC_PASSWORD environment variable; prefer password files for security")
-		return password, nil
-	}
-
+	// 6. Environment variable overrides (least preferred)
 	if passwordFile := strings.TrimSpace(os.Getenv("RESTIC_PASSWORD_FILE")); passwordFile != "" {
 		if password, err := readPasswordFile(passwordFile); err == nil {
+			recordPasswordSource("env_var", true)
 			logger.Warn("Using RESTIC_PASSWORD_FILE override; prefer managed password files",
 				zap.String("path", passwordFile))
 			return password, nil
 		}
+		recordPasswordSource("env_var", false)
+	}
+
+	// 7. Raw environment variable override
+	if password := strings.TrimSpace(os.Getenv("RESTIC_PASSWORD")); password != "" {
+		recordPasswordSource("env_var", true)
+		logger.Warn("Using RESTIC_PASSWORD environment variable; prefer password files for security")
+		return password, nil
 	}
 
 	missingErr := fmt.Errorf("restic repository password not found; expected password file at %s, secrets fallback at %s, or RESTIC_PASSWORD in %s",
 		localPasswordPath, secretsPasswordPath, envPath)
 
+	// 8. Interactive wizard fallback
 	password, wizardErr := c.runPasswordWizard(localPasswordPath, secretsPasswordPath, []string{envPath, secretsEnvPath})
 	if wizardErr == nil {
+		recordPasswordSource("wizard", true)
 		return password, nil
 	}
 	if wizardErr != nil && !errors.Is(wizardErr, errPasswordWizardSkipped) {
+		recordPasswordSource("wizard", false)
 		logger.Warn("Password setup wizard failed",
 			zap.Error(wizardErr))
 	}
 
 	return "", missingErr
 }
 
+func (c *Client) readPasswordFromVault() (string, error) {
+	var secret map[string]interface{}
+	vaultPath := fmt.Sprintf("%s/%s", VaultPasswordPathPrefix, c.repository.Name)
+	if err := vault.ReadFromVault(c.rc, vaultPath, &secret); err != nil {
+		return "", err
+	}
+
+	raw, ok := secret[VaultPasswordKey]
+	if !ok {
+		return "", fmt.Errorf("vault secret %q missing key %q", vaultPath, VaultPasswordKey)
+	}
+	password, ok := raw.(string)
+	if !ok {
+		return "", fmt.Errorf("vault secret %q contains non-string password", vaultPath)
+	}
+	password = strings.TrimSpace(password)
+	if password == "" {
+		return "", fmt.Errorf("vault secret %q contains empty password", vaultPath)
+	}
+	return password, nil
+}
+
+func isVaultConfigured() bool {
+	return strings.TrimSpace(os.Getenv("VAULT_ADDR")) != ""
+}
+
 // InitRepository initializes a new restic repository
 func (c *Client) InitRepository() error {
 	logger := otelzap.Ctx(c.rc.Ctx)
@@ -839,16 +894,9 @@ func (c *Client) executeHooks(hooks []string, hookType string) error {
 		ctx, cancel := context.WithTimeout(c.rc.Ctx, HookTimeout)
 		defer cancel()
 
-		cmd := exec.CommandContext(ctx, "sh", "-c", hookCmd)
-
-		// Capture output
-		var stdout, stderr bytes.Buffer
-		cmd.Stdout = &stdout
-		cmd.Stderr = &stderr
-
 		// Execute hook
 		start := time.Now()
-		err := cmd.Run()
+		err := RunHookWithSettings(ctx, logger, hookCmd, c.config.Settings)
 		duration := time.Since(start)
 
 		// Check for timeout
@@ -866,27 +914,14 @@ func (c *Client) executeHooks(hooks []string, hookType string) error {
 				zap.String("type", hookType),
 				zap.String("command", hookCmd),
 				zap.Duration("duration", duration),
-				zap.String("stdout", stdout.String()),
-				zap.String("stderr", stderr.String()),
 				zap.Error(err))
-			return fmt.Errorf("hook failed: %w\nstdout: %s\nstderr: %s",
-				err, stdout.String(), stderr.String())
+			return fmt.Errorf("hook failed: %w", err)
 		}
 
 		logger.Info("Hook completed successfully",
 			zap.String("type", hookType),
 			zap.String("command", hookCmd),
-			zap.Duration("duration", duration),
-			zap.Int("stdout_bytes", stdout.Len()),
-			zap.Int("stderr_bytes", stderr.Len()))
-
-		// Log output if present (for debugging)
-		if stdout.Len() > 0 {
-			logger.Debug("Hook stdout", zap.String("output", stdout.String()))
-		}
-		if stderr.Len() > 0 {
-			logger.Debug("Hook stderr", zap.String("output", stderr.String()))
-		}
+			zap.Duration("duration", duration))
 	}
 
 	logger.Info("All hooks completed successfully",

pkg/backup/client_test.go

@@ -3,6 +3,7 @@ package backup
 import (
 	"context"
 	"encoding/json"
+	"path/filepath"
 	"strings"
 	"testing"
 
@@ -17,6 +18,33 @@ func TestNewClient(t *testing.T) {
 		Log: logger,
 	}
 
+	tmpDir := t.TempDir()
+	configPath := filepath.Join(tmpDir, "backup.yaml")
+	origRead := configReadCandidates
+	origWritePath := configWritePath
+	origWriteDir := configWriteDir
+	t.Cleanup(func() {
+		configReadCandidates = origRead
+		configWritePath = origWritePath
+		configWriteDir = origWriteDir
+	})
+	configReadCandidates = []string{configPath}
+	configWritePath = configPath
+	configWriteDir = tmpDir
+
+	cfg := &Config{
+		DefaultRepository: "local",
+		Repositories: map[string]Repository{
+			"local": {Name: "local", Backend: "local", URL: filepath.Join(tmpDir, "repo")},
+		},
+		Profiles: map[string]Profile{
+			"system": {Name: "system", Repository: "local", Paths: []string{tmpDir}},
+		},
+	}
+	if err := SaveConfig(rc, cfg); err != nil {
+		t.Fatalf("SaveConfig() error = %v", err)
+	}
+
 	t.Run("create client with default config", func(t *testing.T) {
 		// This will use the default config since no config file exists
 		client, err := NewClient(rc, "local")