Add --debug flag and per-command timeouts for restic

Author: chiefMarlin

internal/backup/backup.go

@@ -29,6 +29,10 @@ func NewOrchestrator(cfg *config.Config, log *logger.Logger) *Orchestrator {
 	}
 }
 
+func (o *Orchestrator) SetDebug(debug bool) {
+	o.runner.Debug = debug
+}
+
 // Run executes the full backup pipeline:
 // preflight -> unlock -> init -> backup (with retry) -> check -> forget -> notify
 func (o *Orchestrator) Run(ctx context.Context) error {

internal/restic/restic.go

@@ -21,8 +21,9 @@ const (
 )
 
 type Runner struct {
-	cfg *config.Config
-	log *logger.Logger
+	cfg   *config.Config
+	log   *logger.Logger
+	Debug bool
 }
 
 type Result struct {
@@ -36,10 +37,10 @@ func NewRunner(cfg *config.Config, log *logger.Logger) *Runner {
 	return &Runner{cfg: cfg, log: log}
 }
 
-// redactedEnv returns the restic env vars with secrets masked, formatted as
-// a copy-pasteable command prefix.
-func (r *Runner) redactedEnv() string {
-	redact := map[string]bool{
+// formatEnv returns the restic env vars formatted as a copy-pasteable command prefix.
+// If redact is true, secrets are masked with ***.
+func (r *Runner) formatEnv(redact bool) string {
+	secretKeys := map[string]bool{
 		"RESTIC_PASSWORD":       true,
 		"AWS_ACCESS_KEY_ID":     true,
 		"AWS_SECRET_ACCESS_KEY": true,
@@ -58,7 +59,7 @@ func (r *Runner) redactedEnv() string {
 		default:
 			continue
 		}
-		if redact[key] {
+		if redact && secretKeys[key] {
 			parts = append(parts, fmt.Sprintf("%s=***", key))
 		} else {
 			parts = append(parts, pair)
@@ -67,18 +68,35 @@ func (r *Runner) redactedEnv() string {
 	return strings.Join(parts, " ")
 }
 
+// commandTimeout returns a reasonable timeout based on the restic subcommand.
+// Short commands (unlock, version, snapshots, stats, init) get 2 minutes.
+// Long commands (backup, check, forget) get 4 hours.
+func commandTimeout(args []string) time.Duration {
+	if len(args) > 0 {
+		switch args[0] {
+		case "backup", "check", "forget":
+			return 4 * time.Hour
+		}
+	}
+	return 2 * time.Minute
+}
+
 // run executes a restic command with the configured environment.
 func (r *Runner) run(ctx context.Context, args ...string) (*Result, error) {
 	start := time.Now()
 
+	timeout := commandTimeout(args)
+	ctx, cancel := context.WithTimeout(ctx, timeout)
+	defer cancel()
+
 	cmd := exec.CommandContext(ctx, r.cfg.ResticBinary, args...)
 	cmd.Env = r.cfg.ResticEnv()
 
 	var stdout, stderr bytes.Buffer
 	cmd.Stdout = &stdout
 	cmd.Stderr = &stderr
 
-	fullCmd := fmt.Sprintf("%s %s %s", r.redactedEnv(), r.cfg.ResticBinary, strings.Join(args, " "))
+	fullCmd := fmt.Sprintf("%s %s %s", r.formatEnv(!r.Debug), r.cfg.ResticBinary, strings.Join(args, " "))
 	r.log.Info("running restic", map[string]any{
 		"cmd": fullCmd,
 	})

main.go

@@ -64,6 +64,7 @@ func main() {
 	// All other commands need a config file
 	fs := flag.NewFlagSet(cmd, flag.ExitOnError)
 	configPath := fs.String("config", config.DefaultConfigPath(), "path to config file")
+	debug := fs.Bool("debug", false, "print full commands with credentials (for manual testing)")
 	fs.Parse(os.Args[2:])
 
 	cfg, err := config.Load(*configPath)
@@ -79,11 +80,11 @@ func main() {
 
 	switch cmd {
 	case "backup":
-		runBackup(ctx, cfg, log)
+		runBackup(ctx, cfg, log, *debug)
 	case "check":
-		runCheck(ctx, cfg, log)
+		runCheck(ctx, cfg, log, *debug)
 	case "status":
-		runStatus(ctx, cfg, log)
+		runStatus(ctx, cfg, log, *debug)
 	case "install":
 		runInstall(cfg, log, *configPath)
 	case "uninstall":
@@ -95,7 +96,13 @@ func main() {
 	}
 }
 
-func runBackup(ctx context.Context, cfg *config.Config, log *logger.Logger) {
+func newRunner(cfg *config.Config, log *logger.Logger, debug bool) *restic.Runner {
+	r := restic.NewRunner(cfg, log)
+	r.Debug = debug
+	return r
+}
+
+func runBackup(ctx context.Context, cfg *config.Config, log *logger.Logger, debug bool) {
 	// Acquire process lock — auto-clears stale locks from dead processes
 	lock, err := lockfile.New(0)
 	if err != nil {
@@ -109,14 +116,15 @@ func runBackup(ctx context.Context, cfg *config.Config, log *logger.Logger) {
 	defer lock.Release()
 
 	orch := backup.NewOrchestrator(cfg, log)
+	orch.SetDebug(debug)
 	if err := orch.Run(ctx); err != nil {
 		log.Error("backup failed", map[string]any{"error": err.Error()})
 		os.Exit(1)
 	}
 }
 
-func runCheck(ctx context.Context, cfg *config.Config, log *logger.Logger) {
-	runner := restic.NewRunner(cfg, log)
+func runCheck(ctx context.Context, cfg *config.Config, log *logger.Logger, debug bool) {
+	runner := newRunner(cfg, log, debug)
 
 	log.Info("running full integrity check with data read")
 	result, err := runner.Check(ctx, 100) // full read
@@ -138,8 +146,8 @@ func runCheck(ctx context.Context, cfg *config.Config, log *logger.Logger) {
 	log.Info("integrity check passed — all data verified")
 }
 
-func runStatus(ctx context.Context, cfg *config.Config, log *logger.Logger) {
-	runner := restic.NewRunner(cfg, log)
+func runStatus(ctx context.Context, cfg *config.Config, log *logger.Logger, debug bool) {
+	runner := newRunner(cfg, log, debug)
 
 	fmt.Println("=== Repository Snapshots ===")
 	result, err := runner.Snapshots(ctx)
@@ -202,6 +210,7 @@ Commands:
 
 Flags:
   --config     Path to config JSON file (default: restic-sentry.json next to binary)
+  --debug      Print full restic commands with credentials visible (for manual testing)
 
 Examples:
   restic-sentry install-restic                     # download restic