Merge pull request #440 from databasus/develop

FIX (local storage): Add fallback for file movement via renaming to s…

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,44 @@
+---
+name: Bug Report
+about: Report a bug or unexpected behavior in Databasus
+labels: bug
+---
+
+## Databasus version (screenshot)
+
+It is displayed in the bottom left corner of the Databasus UI. Please attach screenshot, not just version text
+
+<!-- e.g. 1.4.2 -->
+
+## Operating system and architecture
+
+<!-- e.g. Ubuntu 22.04 x64, macOS 14 ARM, Windows 11 x64 -->
+
+## Database type and version (optional, for DB-related bugs)
+
+<!-- e.g. PostgreSQL 16 in Docker, MySQL 8.0 installed on server, MariaDB 11.4 in AWS Cloud -->
+
+## Describe the bug (please write manually, do not ask AI to summarize)
+
+**What happened:**
+
+**What I expected:**
+
+## Steps to reproduce
+
+1.
+2.
+3.
+
+## Have you asked AI how to solve the issue?
+
+<!-- Using AI to diagnose issues before filing a bug report helps narrow down root causes. -->
+
+- [ ] Claude Sonnet 4.6 or newer
+- [ ] ChatGPT 5.2 or newer
+- [ ] No
+
+
+## Additional context / logs
+
+<!-- Screenshots, error messages, relevant log output, etc. -->

.github/workflows/ci-release.yml

@@ -11,7 +11,7 @@ jobs:
   lint-backend:
     runs-on: self-hosted
     container:
-      image: golang:1.24.9
+      image: golang:1.26.1
       volumes:
         - /runner-cache/go-pkg:/go/pkg/mod
         - /runner-cache/go-build:/root/.cache/go-build
@@ -32,7 +32,7 @@ jobs:
 
       - name: Install golangci-lint
         run: |
-          curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/HEAD/install.sh | sh -s -- -b $(go env GOPATH)/bin v2.7.2
+          curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/HEAD/install.sh | sh -s -- -b $(go env GOPATH)/bin v2.11.3
           echo "$(go env GOPATH)/bin" >> $GITHUB_PATH
 
       - name: Install swag for swagger generation
@@ -86,6 +86,39 @@ jobs:
           cd frontend
           npm run build
 
+  lint-agent:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: "1.26.1"
+          cache-dependency-path: agent/go.sum
+
+      - name: Download Go modules
+        run: |
+          cd agent
+          go mod download
+
+      - name: Install golangci-lint
+        run: |
+          curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/HEAD/install.sh | sh -s -- -b $(go env GOPATH)/bin v2.11.3
+          echo "$(go env GOPATH)/bin" >> $GITHUB_PATH
+
+      - name: Run golangci-lint
+        run: |
+          cd agent
+          golangci-lint run
+
+      - name: Verify go mod tidy
+        run: |
+          cd agent
+          go mod tidy
+          git diff --exit-code go.mod go.sum || (echo "go mod tidy made changes, please run 'go mod tidy' and commit the changes" && exit 1)
+
   test-frontend:
     runs-on: ubuntu-latest
     needs: [lint-frontend]
@@ -108,11 +141,55 @@ jobs:
           cd frontend
           npm run test
 
+  test-agent:
+    runs-on: ubuntu-latest
+    needs: [lint-agent]
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: "1.26.1"
+          cache-dependency-path: agent/go.sum
+
+      - name: Download Go modules
+        run: |
+          cd agent
+          go mod download
+
+      - name: Run Go tests
+        run: |
+          cd agent
+          go test -count=1 -failfast ./internal/...
+
+  e2e-agent:
+    runs-on: ubuntu-latest
+    needs: [lint-agent]
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+
+      - name: Run e2e tests
+        run: |
+          cd agent
+          make e2e
+
+      - name: Cleanup
+        if: always()
+        run: |
+          cd agent/e2e
+          docker compose down -v --rmi local || true
+          rm -rf artifacts || true
+
+  # Self-hosted: performant high-frequency CPU is used to start many containers and run tests fast. Tests
+  # step is bottle-neck, because we need a lot of containers and cannot parallelize tests due to shared resources
   test-backend:
     runs-on: self-hosted
     needs: [lint-backend]
     container:
-      image: golang:1.24.9
+      image: golang:1.26.1
       options: --privileged -v /var/run/docker.sock:/var/run/docker.sock --add-host=host.docker.internal:host-gateway
       volumes:
         - /runner-cache/go-pkg:/go/pkg/mod
@@ -407,7 +484,7 @@ jobs:
       - name: Run database migrations
         run: |
           cd backend
-          go install github.com/pressly/goose/v3/cmd/goose@latest
+          go install github.com/pressly/goose/v3/cmd/goose@v3.24.3
           goose up
 
       - name: Run Go tests
@@ -441,7 +518,7 @@ jobs:
     runs-on: self-hosted
     container:
       image: node:20
-    needs: [test-backend, test-frontend]
+    needs: [test-backend, test-frontend, test-agent, e2e-agent]
     if: ${{ github.ref == 'refs/heads/main' && !contains(github.event.head_commit.message, '[skip-release]') }}
     outputs:
       should_release: ${{ steps.version_bump.outputs.should_release }}
@@ -534,7 +611,7 @@ jobs:
 
   build-only:
     runs-on: self-hosted
-    needs: [test-backend, test-frontend]
+    needs: [test-backend, test-frontend, test-agent, e2e-agent]
     if: ${{ github.ref == 'refs/heads/main' && contains(github.event.head_commit.message, '[skip-release]') }}
     steps:
       - name: Clean workspace

.gitignore

@@ -5,6 +5,7 @@ databasus-data/
 .env
 pgdata/
 docker-compose.yml
+!agent/e2e/docker-compose.yml
 node_modules/
 .idea
 /articles
@@ -12,3 +13,4 @@ node_modules/
 .DS_Store
 /scripts
 .vscode/settings.json
+.claude

.pre-commit-config.yaml

@@ -41,3 +41,20 @@ repos:
         language: system
         files: ^backend/.*\.go$
         pass_filenames: false
+
+  # Agent checks
+  - repo: local
+    hooks:
+      - id: agent-format-and-lint
+        name: Agent Format & Lint (golangci-lint)
+        entry: bash -c "cd agent && golangci-lint fmt ./internal/... ./cmd/... && golangci-lint run ./internal/... ./cmd/..."
+        language: system
+        files: ^agent/.*\.go$
+        pass_filenames: false
+
+      - id: agent-go-mod-tidy
+        name: Agent Go Mod Tidy
+        entry: bash -c "cd agent && go mod tidy"
+        language: system
+        files: ^agent/.*\.go$
+        pass_filenames: false

CLAUDE.md

@@ -0,0 +1 @@
+Look at @AGENTS.md

Dockerfile

@@ -22,7 +22,7 @@ RUN npm run build
 
 # ========= BUILD BACKEND =========
 # Backend build stage
-FROM --platform=$BUILDPLATFORM golang:1.24.9 AS backend-build
+FROM --platform=$BUILDPLATFORM golang:1.26.1 AS backend-build
 
 # Make TARGET args available early so tools built here match the final image arch
 ARG TARGETOS
@@ -66,13 +66,52 @@ RUN CGO_ENABLED=0 \
   go build -o /app/main ./cmd/main.go
 
 
+# ========= BUILD AGENT =========
+# Builds the databasus-agent CLI binary for BOTH x86_64 and ARM64.
+# Both architectures are always built because:
+# - Databasus server runs on one arch (e.g. amd64)
+# - The agent runs on remote PostgreSQL servers that may be on a
+#   different arch (e.g. arm64)
+# - The backend serves the correct binary based on the agent's
+#   ?arch= query parameter
+#
+# We cross-compile from the build platform (no QEMU needed) because the
+# agent is pure Go with zero C dependencies.
+# CGO_ENABLED=0 produces fully static binaries — no glibc/musl dependency,
+# so the agent runs on any Linux distro (Alpine, Debian, Ubuntu, RHEL, etc.).
+# APP_VERSION is baked into the binary via -ldflags so the agent can
+# compare its version against the server and auto-update when needed.
+FROM --platform=$BUILDPLATFORM golang:1.26.1 AS agent-build
+
+ARG APP_VERSION=dev
+
+WORKDIR /agent
+
+COPY agent/go.mod ./
+RUN go mod download
+
+COPY agent/ ./
+
+# Build for x86_64 (amd64) — static binary, no glibc dependency
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 \
+    go build -ldflags "-X main.Version=${APP_VERSION}" \
+    -o /agent-binaries/databasus-agent-linux-amd64 ./cmd/main.go
+
+# Build for ARM64 (arm64) — static binary, no glibc dependency
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=arm64 \
+    go build -ldflags "-X main.Version=${APP_VERSION}" \
+    -o /agent-binaries/databasus-agent-linux-arm64 ./cmd/main.go
+
+
 # ========= RUNTIME =========
 FROM debian:bookworm-slim
 
 # Add version metadata to runtime image
 ARG APP_VERSION=dev
+ARG TARGETARCH
 LABEL org.opencontainers.image.version=$APP_VERSION
 ENV APP_VERSION=$APP_VERSION
+ENV CONTAINER_ARCH=$TARGETARCH
 
 # Set production mode for Docker containers
 ENV ENV_MODE=production
@@ -218,6 +257,10 @@ COPY backend/migrations ./migrations
 # Copy UI files
 COPY --from=backend-build /app/ui/build ./ui/build
 
+# Copy agent binaries (both architectures) — served by the backend
+# at GET /api/v1/system/agent?arch=amd64|arm64
+COPY --from=agent-build /agent-binaries ./agent-binaries
+
 # Copy .env file (with fallback to .env.production.example)
 COPY backend/.env* /app/
 RUN if [ ! -f /app/.env ]; then \
@@ -269,7 +312,8 @@ window.__RUNTIME_CONFIG__ = {
   GITHUB_CLIENT_ID: '\${GITHUB_CLIENT_ID:-}',
   GOOGLE_CLIENT_ID: '\${GOOGLE_CLIENT_ID:-}',
   IS_EMAIL_CONFIGURED: '\$IS_EMAIL_CONFIGURED',
-  CLOUDFLARE_TURNSTILE_SITE_KEY: '\${CLOUDFLARE_TURNSTILE_SITE_KEY:-}'
+  CLOUDFLARE_TURNSTILE_SITE_KEY: '\${CLOUDFLARE_TURNSTILE_SITE_KEY:-}',
+  CONTAINER_ARCH: '\${CONTAINER_ARCH:-unknown}'
 };
 JSEOF
 
@@ -394,6 +438,8 @@ fi
 # Create database and set password for postgres user
 echo "Setting up database and user..."
 gosu postgres \$PG_BIN/psql -p 5437 -h localhost -d postgres << 'SQL'
+
+# We use stub password, because internal DB is not exposed outside container
 ALTER USER postgres WITH PASSWORD 'Q1234567';
 SELECT 'CREATE DATABASE databasus OWNER postgres'
 WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = 'databasus')

README.md

@@ -2,7 +2,7 @@
   <img src="assets/logo.svg" alt="Databasus Logo" width="250"/>
 
   <h3>Backup tool for PostgreSQL, MySQL and MongoDB</h3>
-  <p>Databasus is a free, open source and self-hosted tool to backup databases (with focus on PostgreSQL). Make backups with different storages (S3, Google Drive, FTP, etc.) and notifications about progress (Slack, Discord, Telegram, etc.). Previously known as Postgresus (see migration guide).</p>
+  <p>Databasus is a free, open source and self-hosted tool to backup databases (with focus on PostgreSQL). Make backups with different storages (S3, Google Drive, FTP, etc.) and notifications about progress (Slack, Discord, Telegram, etc.)</p>
   
   <!-- Badges -->
    [![PostgreSQL](https://img.shields.io/badge/PostgreSQL-336791?logo=postgresql&logoColor=white)](https://www.postgresql.org/)
@@ -41,7 +41,7 @@
 
 - **PostgreSQL**: 12, 13, 14, 15, 16, 17 and 18
 - **MySQL**: 5.7, 8 and 9
-- **MariaDB**: 10 and 11
+- **MariaDB**: 10, 11 and 12
 - **MongoDB**: 4, 5, 6, 7 and 8
 
 ### 🔄 **Scheduled backups**
@@ -55,7 +55,7 @@
 - **Time period**: Keep backups for a fixed duration (e.g., 7 days, 3 months, 1 year)
 - **Count**: Keep a fixed number of the most recent backups (e.g., last 30)
 - **GFS (Grandfather-Father-Son)**: Layered retention — keep hourly, daily, weekly, monthly and yearly backups independently for fine-grained long-term history (enterprises requirement)
-- **Size limits**: Set per-backup and total storage size caps to control storage гыфпу
+- **Size limits**: Set per-backup and total storage size caps to control storage usage
 
 ### 🗄️ **Multiple storage destinations** <a href="https://databasus.com/storages">(view supported)</a>
 
@@ -261,12 +261,17 @@ Also you can join our large community of developers, DBAs and DevOps engineers o
 
 There have been questions about AI usage in project development in issues and discussions. As the project focuses on security, reliability and production usage, it's important to explain how AI is used in the development process.
 
+First of all, we are proud to say that Databasus has been accepted into both [Claude for Open Source](https://claude.com/contact-sales/claude-for-oss) by Anthropic and [Codex for Open Source](https://developers.openai.com/codex/community/codex-for-oss/) by OpenAI in March 2026. For us it is one more signal that the project was recognized as important open-source software and was as critical infrastructure worth supporting independently by two of the world's leading AI companies. Read more at [databasus.com/faq](https://databasus.com/faq#oss-programs).
+
+Despite of this, we have the following rules how AI is used in the development process:
+
 AI is used as a helper for:
 
 - verification of code quality and searching for vulnerabilities
 - cleaning up and improving documentation, comments and code
 - assistance during development
 - double-checking PRs and commits after human review
+- additional security analysis of PRs via Codex Security
 
 AI is not used for:
 

agent/.env.example

@@ -0,0 +1 @@
+ENV_MODE=development

agent/.gitignore

@@ -0,0 +1,24 @@
+main
+.env
+docker-compose.yml
+!e2e/docker-compose.yml
+pgdata
+pgdata_test/
+mysqldata/
+mariadbdata/
+main.exe
+swagger/
+swagger/*
+swagger/docs.go
+swagger/swagger.json
+swagger/swagger.yaml
+postgresus-backend.exe
+databasus-backend.exe
+ui/build/*
+pgdata-for-restore/
+temp/
+cmd.exe
+temp/
+valkey-data/
+victoria-logs-data/
+databasus.json

agent/.golangci.yml

@@ -0,0 +1,41 @@
+version: "2"
+
+run:
+  timeout: 5m
+  tests: false
+  concurrency: 4
+
+linters:
+  default: standard
+  enable:
+    - funcorder
+    - bodyclose
+    - errorlint
+    - gocritic
+    - unconvert
+    - misspell
+    - errname
+    - noctx
+    - modernize
+
+  settings:
+    errcheck:
+      check-type-assertions: true
+
+formatters:
+  enable:
+    - gofumpt
+    - golines
+    - gci
+
+  settings:
+    golines:
+      max-len: 120
+    gofumpt:
+      module-path: databasus-agent
+      extra-rules: true
+    gci:
+      sections:
+        - standard
+        - default
+        - localmodule

agent/Makefile

@@ -0,0 +1,26 @@
+.PHONY: run build test lint e2e e2e-clean
+
+# Usage: make run ARGS="start --pg-host localhost"
+run:
+	go run cmd/main.go $(ARGS)
+
+build:
+	CGO_ENABLED=0 go build -ldflags "-X main.Version=$(VERSION)" -o databasus-agent ./cmd/main.go
+
+test:
+	go test -count=1 -failfast ./internal/...
+
+lint:
+	golangci-lint fmt ./cmd/... ./internal/... ./e2e/... && golangci-lint run ./cmd/... ./internal/... ./e2e/...
+
+e2e:
+	cd e2e && docker compose build
+	cd e2e && docker compose run --rm e2e-agent-builder
+	cd e2e && docker compose up -d e2e-postgres e2e-mock-server
+	cd e2e && docker compose run --rm e2e-agent-runner
+	cd e2e && docker compose run --rm e2e-agent-docker
+	cd e2e && docker compose down -v
+
+e2e-clean:
+	cd e2e && docker compose down -v --rmi local
+	rm -rf e2e/artifacts

agent/cmd/main.go

@@ -0,0 +1,170 @@
+package main
+
+import (
+	"flag"
+	"fmt"
+	"log/slog"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"databasus-agent/internal/config"
+	"databasus-agent/internal/features/start"
+	"databasus-agent/internal/features/upgrade"
+	"databasus-agent/internal/logger"
+)
+
+var Version = "dev"
+
+func main() {
+	if len(os.Args) < 2 {
+		printUsage()
+		os.Exit(1)
+	}
+
+	switch os.Args[1] {
+	case "start":
+		runStart(os.Args[2:])
+	case "stop":
+		runStop()
+	case "status":
+		runStatus()
+	case "restore":
+		runRestore(os.Args[2:])
+	case "version":
+		fmt.Println(Version)
+	default:
+		fmt.Fprintf(os.Stderr, "unknown command: %s\n", os.Args[1])
+		printUsage()
+		os.Exit(1)
+	}
+}
+
+func runStart(args []string) {
+	fs := flag.NewFlagSet("start", flag.ExitOnError)
+
+	isDebug := fs.Bool("debug", false, "Enable debug logging")
+	isSkipUpdate := fs.Bool("skip-update", false, "Skip auto-update check")
+
+	cfg := &config.Config{}
+	cfg.LoadFromJSONAndArgs(fs, args)
+
+	if err := cfg.SaveToJSON(); err != nil {
+		fmt.Fprintf(os.Stderr, "Failed to save config: %v\n", err)
+	}
+
+	logger.Init(*isDebug)
+	log := logger.GetLogger()
+
+	isDev := checkIsDevelopment()
+	runUpdateCheck(cfg.DatabasusHost, *isSkipUpdate, isDev, log)
+
+	if err := start.Run(cfg, log); err != nil {
+		fmt.Fprintf(os.Stderr, "Error: %v\n", err)
+		os.Exit(1)
+	}
+}
+
+func runStop() {
+	logger.Init(false)
+	logger.GetLogger().Info("stop: stub — not yet implemented")
+}
+
+func runStatus() {
+	logger.Init(false)
+	logger.GetLogger().Info("status: stub — not yet implemented")
+}
+
+func runRestore(args []string) {
+	fs := flag.NewFlagSet("restore", flag.ExitOnError)
+
+	targetDir := fs.String("target-dir", "", "Target pgdata directory")
+	backupID := fs.String("backup-id", "", "Full backup UUID (optional)")
+	targetTime := fs.String("target-time", "", "PITR target time in RFC3339 (optional)")
+	isYes := fs.Bool("yes", false, "Skip confirmation prompt")
+	isDebug := fs.Bool("debug", false, "Enable debug logging")
+	isSkipUpdate := fs.Bool("skip-update", false, "Skip auto-update check")
+
+	cfg := &config.Config{}
+	cfg.LoadFromJSONAndArgs(fs, args)
+
+	if err := cfg.SaveToJSON(); err != nil {
+		fmt.Fprintf(os.Stderr, "Failed to save config: %v\n", err)
+	}
+
+	logger.Init(*isDebug)
+	log := logger.GetLogger()
+
+	isDev := checkIsDevelopment()
+	runUpdateCheck(cfg.DatabasusHost, *isSkipUpdate, isDev, log)
+
+	log.Info("restore: stub — not yet implemented",
+		"targetDir", *targetDir,
+		"backupId", *backupID,
+		"targetTime", *targetTime,
+		"yes", *isYes,
+	)
+}
+
+func printUsage() {
+	fmt.Fprintln(os.Stderr, "Usage: databasus-agent <command> [flags]")
+	fmt.Fprintln(os.Stderr, "")
+	fmt.Fprintln(os.Stderr, "Commands:")
+	fmt.Fprintln(os.Stderr, "  start    Start the agent (WAL archiving + basebackups)")
+	fmt.Fprintln(os.Stderr, "  stop     Stop a running agent")
+	fmt.Fprintln(os.Stderr, "  status   Show agent status")
+	fmt.Fprintln(os.Stderr, "  restore  Restore a database from backup")
+	fmt.Fprintln(os.Stderr, "  version  Print agent version")
+}
+
+func runUpdateCheck(host string, isSkipUpdate, isDev bool, log *slog.Logger) {
+	if isSkipUpdate {
+		return
+	}
+
+	if host == "" {
+		return
+	}
+
+	if err := upgrade.CheckAndUpdate(host, Version, isDev, log); err != nil {
+		log.Error("Auto-update failed", "error", err)
+		os.Exit(1)
+	}
+}
+
+func checkIsDevelopment() bool {
+	dir, err := os.Getwd()
+	if err != nil {
+		return false
+	}
+
+	for range 3 {
+		if data, err := os.ReadFile(filepath.Join(dir, ".env")); err == nil {
+			return parseEnvMode(data)
+		}
+
+		if _, err := os.Stat(filepath.Join(dir, "go.mod")); err == nil {
+			return false
+		}
+
+		dir = filepath.Dir(dir)
+	}
+
+	return false
+}
+
+func parseEnvMode(data []byte) bool {
+	for line := range strings.SplitSeq(string(data), "\n") {
+		line = strings.TrimSpace(line)
+		if line == "" || strings.HasPrefix(line, "#") {
+			continue
+		}
+
+		parts := strings.SplitN(line, "=", 2)
+		if len(parts) == 2 && strings.TrimSpace(parts[0]) == "ENV_MODE" {
+			return strings.TrimSpace(parts[1]) == "development"
+		}
+	}
+
+	return false
+}

agent/e2e/.gitignore

@@ -0,0 +1 @@
+artifacts/

agent/e2e/Dockerfile.agent-builder

@@ -0,0 +1,13 @@
+# Builds agent binaries with different versions so
+# we can test upgrade behavior (v1 -> v2)
+FROM golang:1.26.1-alpine AS build
+WORKDIR /src
+COPY go.mod go.sum ./
+RUN go mod download
+COPY . .
+RUN CGO_ENABLED=0 go build -ldflags "-X main.Version=v1.0.0" -o /out/agent-v1 ./cmd/main.go
+RUN CGO_ENABLED=0 go build -ldflags "-X main.Version=v2.0.0" -o /out/agent-v2 ./cmd/main.go
+
+FROM alpine:3.21
+COPY --from=build /out/ /out/
+CMD ["cp", "-v", "/out/agent-v1", "/out/agent-v2", "/artifacts/"]

agent/e2e/Dockerfile.agent-docker

@@ -0,0 +1,8 @@
+# Runs pg_basebackup-via-docker-exec test (test 5) which tests
+# that the agent can connect to Postgres inside Docker container
+FROM docker:27-cli
+
+RUN apk add --no-cache bash curl
+
+WORKDIR /tmp
+ENTRYPOINT []

agent/e2e/Dockerfile.agent-runner

@@ -0,0 +1,14 @@
+# Runs upgrade and host-mode pg_basebackup tests (tests 1-4). Needs
+# Postgres client tools to be installed inside the system
+FROM debian:bookworm-slim
+
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends \
+      ca-certificates curl gnupg2 postgresql-common && \
+    /usr/share/postgresql-common/pgdg/apt.postgresql.org.sh -y && \
+    apt-get install -y --no-install-recommends \
+      postgresql-client-17 && \
+    rm -rf /var/lib/apt/lists/*
+
+WORKDIR /tmp
+ENTRYPOINT []

agent/e2e/Dockerfile.mock-server

@@ -0,0 +1,10 @@
+# Mock databasus API server for version checks and binary downloads. Just
+# serves static responses and files from the `artifacts` directory.
+FROM golang:1.26.1-alpine AS build
+WORKDIR /app
+COPY mock-server/main.go .
+RUN CGO_ENABLED=0 go build -o mock-server main.go
+
+FROM alpine:3.21
+COPY --from=build /app/mock-server /usr/local/bin/mock-server
+ENTRYPOINT ["mock-server"]

agent/e2e/docker-compose.yml

@@ -0,0 +1,64 @@
+services:
+  e2e-agent-builder:
+    build:
+      context: ..
+      dockerfile: e2e/Dockerfile.agent-builder
+    volumes:
+      - ./artifacts:/artifacts
+    container_name: e2e-agent-builder
+
+  e2e-postgres:
+    image: postgres:17
+    environment:
+      POSTGRES_DB: testdb
+      POSTGRES_USER: testuser
+      POSTGRES_PASSWORD: testpassword
+    container_name: e2e-agent-postgres
+    command: postgres -c wal_level=replica -c max_wal_senders=3
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U testuser -d testdb"]
+      interval: 2s
+      timeout: 5s
+      retries: 30
+
+  e2e-mock-server:
+    build:
+      context: .
+      dockerfile: Dockerfile.mock-server
+    volumes:
+      - ./artifacts:/artifacts:ro
+    container_name: e2e-mock-server
+    healthcheck:
+      test: ["CMD", "wget", "-q", "--spider", "http://localhost:4050/health"]
+      interval: 2s
+      timeout: 5s
+      retries: 10
+
+  e2e-agent-runner:
+    build:
+      context: .
+      dockerfile: Dockerfile.agent-runner
+    volumes:
+      - ./artifacts:/opt/agent/artifacts:ro
+      - ./scripts:/opt/agent/scripts:ro
+    depends_on:
+      e2e-postgres:
+        condition: service_healthy
+      e2e-mock-server:
+        condition: service_healthy
+    container_name: e2e-agent-runner
+    command: ["bash", "/opt/agent/scripts/run-all.sh", "host"]
+
+  e2e-agent-docker:
+    build:
+      context: .
+      dockerfile: Dockerfile.agent-docker
+    volumes:
+      - ./artifacts:/opt/agent/artifacts:ro
+      - ./scripts:/opt/agent/scripts:ro
+      - /var/run/docker.sock:/var/run/docker.sock
+    depends_on:
+      e2e-postgres:
+        condition: service_healthy
+    container_name: e2e-agent-docker
+    command: ["bash", "/opt/agent/scripts/run-all.sh", "docker"]

agent/e2e/mock-server/main.go

@@ -0,0 +1,84 @@
+package main
+
+import (
+	"encoding/json"
+	"fmt"
+	"log"
+	"net/http"
+	"sync"
+)
+
+type server struct {
+	mu         sync.RWMutex
+	version    string
+	binaryPath string
+}
+
+func main() {
+	version := "v2.0.0"
+	binaryPath := "/artifacts/agent-v2"
+	port := "4050"
+
+	s := &server{version: version, binaryPath: binaryPath}
+
+	http.HandleFunc("/api/v1/system/version", s.handleVersion)
+	http.HandleFunc("/api/v1/system/agent", s.handleAgentDownload)
+	http.HandleFunc("/mock/set-version", s.handleSetVersion)
+	http.HandleFunc("/health", s.handleHealth)
+
+	addr := ":" + port
+	log.Printf("Mock server starting on %s (version=%s, binary=%s)", addr, version, binaryPath)
+
+	if err := http.ListenAndServe(addr, nil); err != nil {
+		log.Fatalf("Server failed: %v", err)
+	}
+}
+
+func (s *server) handleVersion(w http.ResponseWriter, r *http.Request) {
+	s.mu.RLock()
+	v := s.version
+	s.mu.RUnlock()
+
+	log.Printf("GET /api/v1/system/version -> %s", v)
+
+	w.Header().Set("Content-Type", "application/json")
+	_ = json.NewEncoder(w).Encode(map[string]string{"version": v})
+}
+
+func (s *server) handleAgentDownload(w http.ResponseWriter, r *http.Request) {
+	s.mu.RLock()
+	path := s.binaryPath
+	s.mu.RUnlock()
+
+	log.Printf("GET /api/v1/system/agent (arch=%s) -> serving %s", r.URL.Query().Get("arch"), path)
+
+	http.ServeFile(w, r, path)
+}
+
+func (s *server) handleSetVersion(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodPost {
+		http.Error(w, "POST only", http.StatusMethodNotAllowed)
+		return
+	}
+
+	var body struct {
+		Version string `json:"version"`
+	}
+	if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+
+	s.mu.Lock()
+	s.version = body.Version
+	s.mu.Unlock()
+
+	log.Printf("POST /mock/set-version -> %s", body.Version)
+
+	_, _ = fmt.Fprintf(w, "version set to %s", body.Version)
+}
+
+func (s *server) handleHealth(w http.ResponseWriter, _ *http.Request) {
+	w.WriteHeader(http.StatusOK)
+	_, _ = w.Write([]byte("ok"))
+}

agent/e2e/scripts/run-all.sh

@@ -0,0 +1,48 @@
+#!/bin/bash
+set -euo pipefail
+
+MODE="${1:-host}"
+SCRIPT_DIR="$(dirname "$0")"
+PASSED=0
+FAILED=0
+
+run_test() {
+  local name="$1"
+  local script="$2"
+
+  echo ""
+  echo "========================================"
+  echo "  $name"
+  echo "========================================"
+
+  if bash "$script"; then
+    echo "  PASSED: $name"
+    PASSED=$((PASSED + 1))
+  else
+    echo "  FAILED: $name"
+    FAILED=$((FAILED + 1))
+  fi
+}
+
+if [ "$MODE" = "host" ]; then
+  run_test "Test 1: Upgrade success (v1 -> v2)" "$SCRIPT_DIR/test-upgrade-success.sh"
+  run_test "Test 2: Upgrade skip (version matches)" "$SCRIPT_DIR/test-upgrade-skip.sh"
+  run_test "Test 3: pg_basebackup in PATH" "$SCRIPT_DIR/test-pg-host-path.sh"
+  run_test "Test 4: pg_basebackup via bindir" "$SCRIPT_DIR/test-pg-host-bindir.sh"
+
+elif [ "$MODE" = "docker" ]; then
+  run_test "Test 5: pg_basebackup via docker exec" "$SCRIPT_DIR/test-pg-docker-exec.sh"
+
+else
+  echo "Unknown mode: $MODE (expected 'host' or 'docker')"
+  exit 1
+fi
+
+echo ""
+echo "========================================"
+echo "  Results: $PASSED passed, $FAILED failed"
+echo "========================================"
+
+if [ "$FAILED" -gt 0 ]; then
+  exit 1
+fi

agent/e2e/scripts/test-pg-docker-exec.sh

@@ -0,0 +1,51 @@
+#!/bin/bash
+set -euo pipefail
+
+ARTIFACTS="/opt/agent/artifacts"
+AGENT="/tmp/test-agent"
+PG_CONTAINER="e2e-agent-postgres"
+
+# Copy agent binary
+cp "$ARTIFACTS/agent-v1" "$AGENT"
+chmod +x "$AGENT"
+
+# Verify docker CLI works and PG container is accessible
+if ! docker exec "$PG_CONTAINER" pg_basebackup --version > /dev/null 2>&1; then
+  echo "FAIL: Cannot reach pg_basebackup inside container $PG_CONTAINER (test setup issue)"
+  exit 1
+fi
+
+# Run start with --skip-update and pg-type=docker
+echo "Running agent start (pg_basebackup via docker exec)..."
+OUTPUT=$("$AGENT" start \
+  --skip-update \
+  --databasus-host http://e2e-mock-server:4050 \
+  --db-id test-db-id \
+  --token test-token \
+  --pg-host e2e-postgres \
+  --pg-port 5432 \
+  --pg-user testuser \
+  --pg-password testpassword \
+  --wal-dir /tmp/wal \
+  --pg-type docker \
+  --pg-docker-container-name "$PG_CONTAINER" 2>&1)
+
+EXIT_CODE=$?
+echo "$OUTPUT"
+
+if [ "$EXIT_CODE" -ne 0 ]; then
+  echo "FAIL: Agent exited with code $EXIT_CODE"
+  exit 1
+fi
+
+if ! echo "$OUTPUT" | grep -q "pg_basebackup verified (docker)"; then
+  echo "FAIL: Expected output to contain 'pg_basebackup verified (docker)'"
+  exit 1
+fi
+
+if ! echo "$OUTPUT" | grep -q "PostgreSQL connection verified"; then
+  echo "FAIL: Expected output to contain 'PostgreSQL connection verified'"
+  exit 1
+fi
+
+echo "pg_basebackup found via docker exec and DB connection verified"

agent/e2e/scripts/test-pg-host-bindir.sh

@@ -0,0 +1,57 @@
+#!/bin/bash
+set -euo pipefail
+
+ARTIFACTS="/opt/agent/artifacts"
+AGENT="/tmp/test-agent"
+CUSTOM_BIN_DIR="/opt/pg/bin"
+
+# Copy agent binary
+cp "$ARTIFACTS/agent-v1" "$AGENT"
+chmod +x "$AGENT"
+
+# Move pg_basebackup out of PATH into custom directory
+mkdir -p "$CUSTOM_BIN_DIR"
+cp "$(which pg_basebackup)" "$CUSTOM_BIN_DIR/pg_basebackup"
+
+# Hide the system one by prepending an empty dir to PATH
+export PATH="/opt/empty-path:$PATH"
+mkdir -p /opt/empty-path
+
+# Verify pg_basebackup is NOT directly callable from default location
+# (we copied it, but the original is still there in debian — so we test
+# that the agent uses the custom dir, not PATH, by checking the output)
+
+# Run start with --skip-update and custom bin dir
+echo "Running agent start (pg_basebackup via --pg-host-bin-dir)..."
+OUTPUT=$("$AGENT" start \
+  --skip-update \
+  --databasus-host http://e2e-mock-server:4050 \
+  --db-id test-db-id \
+  --token test-token \
+  --pg-host e2e-postgres \
+  --pg-port 5432 \
+  --pg-user testuser \
+  --pg-password testpassword \
+  --wal-dir /tmp/wal \
+  --pg-type host \
+  --pg-host-bin-dir "$CUSTOM_BIN_DIR" 2>&1)
+
+EXIT_CODE=$?
+echo "$OUTPUT"
+
+if [ "$EXIT_CODE" -ne 0 ]; then
+  echo "FAIL: Agent exited with code $EXIT_CODE"
+  exit 1
+fi
+
+if ! echo "$OUTPUT" | grep -q "pg_basebackup verified"; then
+  echo "FAIL: Expected output to contain 'pg_basebackup verified'"
+  exit 1
+fi
+
+if ! echo "$OUTPUT" | grep -q "PostgreSQL connection verified"; then
+  echo "FAIL: Expected output to contain 'PostgreSQL connection verified'"
+  exit 1
+fi
+
+echo "pg_basebackup found via custom bin dir and DB connection verified"

agent/e2e/scripts/test-pg-host-path.sh

@@ -0,0 +1,49 @@
+#!/bin/bash
+set -euo pipefail
+
+ARTIFACTS="/opt/agent/artifacts"
+AGENT="/tmp/test-agent"
+
+# Copy agent binary
+cp "$ARTIFACTS/agent-v1" "$AGENT"
+chmod +x "$AGENT"
+
+# Verify pg_basebackup is in PATH
+if ! which pg_basebackup > /dev/null 2>&1; then
+  echo "FAIL: pg_basebackup not found in PATH (test setup issue)"
+  exit 1
+fi
+
+# Run start with --skip-update and pg-type=host
+echo "Running agent start (pg_basebackup in PATH)..."
+OUTPUT=$("$AGENT" start \
+  --skip-update \
+  --databasus-host http://e2e-mock-server:4050 \
+  --db-id test-db-id \
+  --token test-token \
+  --pg-host e2e-postgres \
+  --pg-port 5432 \
+  --pg-user testuser \
+  --pg-password testpassword \
+  --wal-dir /tmp/wal \
+  --pg-type host 2>&1)
+
+EXIT_CODE=$?
+echo "$OUTPUT"
+
+if [ "$EXIT_CODE" -ne 0 ]; then
+  echo "FAIL: Agent exited with code $EXIT_CODE"
+  exit 1
+fi
+
+if ! echo "$OUTPUT" | grep -q "pg_basebackup verified"; then
+  echo "FAIL: Expected output to contain 'pg_basebackup verified'"
+  exit 1
+fi
+
+if ! echo "$OUTPUT" | grep -q "PostgreSQL connection verified"; then
+  echo "FAIL: Expected output to contain 'PostgreSQL connection verified'"
+  exit 1
+fi
+
+echo "pg_basebackup found in PATH and DB connection verified"

agent/e2e/scripts/test-upgrade-skip.sh

@@ -0,0 +1,51 @@
+#!/bin/bash
+set -euo pipefail
+
+ARTIFACTS="/opt/agent/artifacts"
+AGENT="/tmp/test-agent"
+
+# Set mock server to return v1.0.0 (same as agent)
+curl -sf -X POST http://e2e-mock-server:4050/mock/set-version \
+  -H "Content-Type: application/json" \
+  -d '{"version":"v1.0.0"}'
+
+# Copy v1 binary to writable location
+cp "$ARTIFACTS/agent-v1" "$AGENT"
+chmod +x "$AGENT"
+
+# Verify initial version
+VERSION=$("$AGENT" version)
+if [ "$VERSION" != "v1.0.0" ]; then
+  echo "FAIL: Expected initial version v1.0.0, got $VERSION"
+  exit 1
+fi
+
+# Run start — agent should see version matches and skip upgrade
+echo "Running agent start (expecting upgrade skip)..."
+OUTPUT=$("$AGENT" start \
+  --databasus-host http://e2e-mock-server:4050 \
+  --db-id test-db-id \
+  --token test-token \
+  --pg-host e2e-postgres \
+  --pg-port 5432 \
+  --pg-user testuser \
+  --pg-password testpassword \
+  --wal-dir /tmp/wal \
+  --pg-type host 2>&1) || true
+
+echo "$OUTPUT"
+
+# Verify output contains "up to date"
+if ! echo "$OUTPUT" | grep -qi "up to date"; then
+  echo "FAIL: Expected output to contain 'up to date'"
+  exit 1
+fi
+
+# Verify binary is still v1
+VERSION=$("$AGENT" version)
+if [ "$VERSION" != "v1.0.0" ]; then
+  echo "FAIL: Expected version v1.0.0 (unchanged), got $VERSION"
+  exit 1
+fi
+
+echo "Upgrade correctly skipped, version still $VERSION"

agent/e2e/scripts/test-upgrade-success.sh

@@ -0,0 +1,52 @@
+#!/bin/bash
+set -euo pipefail
+
+ARTIFACTS="/opt/agent/artifacts"
+AGENT="/tmp/test-agent"
+
+# Ensure mock server returns v2.0.0
+curl -sf -X POST http://e2e-mock-server:4050/mock/set-version \
+  -H "Content-Type: application/json" \
+  -d '{"version":"v2.0.0"}'
+
+# Copy v1 binary to writable location
+cp "$ARTIFACTS/agent-v1" "$AGENT"
+chmod +x "$AGENT"
+
+# Verify initial version
+VERSION=$("$AGENT" version)
+if [ "$VERSION" != "v1.0.0" ]; then
+  echo "FAIL: Expected initial version v1.0.0, got $VERSION"
+  exit 1
+fi
+echo "Initial version: $VERSION"
+
+# Run start — agent will:
+# 1. Fetch version from mock (v2.0.0 != v1.0.0)
+# 2. Download v2 binary from mock
+# 3. Replace itself on disk
+# 4. Re-exec with same args
+# 5. Re-exec'd v2 fetches version (v2.0.0 == v2.0.0) → skips update
+# 6. Proceeds to start → verifies pg_basebackup + DB → exits 0 (stub)
+echo "Running agent start (expecting upgrade v1 -> v2)..."
+OUTPUT=$("$AGENT" start \
+  --databasus-host http://e2e-mock-server:4050 \
+  --db-id test-db-id \
+  --token test-token \
+  --pg-host e2e-postgres \
+  --pg-port 5432 \
+  --pg-user testuser \
+  --pg-password testpassword \
+  --wal-dir /tmp/wal \
+  --pg-type host 2>&1) || true
+
+echo "$OUTPUT"
+
+# Verify binary on disk is now v2
+VERSION=$("$AGENT" version)
+if [ "$VERSION" != "v2.0.0" ]; then
+  echo "FAIL: Expected upgraded version v2.0.0, got $VERSION"
+  exit 1
+fi
+
+echo "Binary upgraded successfully to $VERSION"

agent/go.mod

@@ -0,0 +1,19 @@
+module databasus-agent
+
+go 1.26.1
+
+require (
+	github.com/jackc/pgx/v5 v5.8.0
+	github.com/stretchr/testify v1.11.1
+)
+
+require (
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/jackc/pgpassfile v1.0.0 // indirect
+	github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
+	github.com/kr/text v0.2.0 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/rogpeppe/go-internal v1.14.1 // indirect
+	golang.org/x/text v0.29.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+)

agent/go.sum

@@ -0,0 +1,35 @@
+github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM=
+github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=
+github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo=
+github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
+github.com/jackc/pgx/v5 v5.8.0 h1:TYPDoleBBme0xGSAX3/+NujXXtpZn9HBONkQC7IEZSo=
+github.com/jackc/pgx/v5 v5.8.0/go.mod h1:QVeDInX2m9VyzvNeiCJVjCkNFqzsNb43204HshNSZKw=
+github.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo=
+github.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
+github.com/kr/pretty v0.3.0 h1:WgNl7dwNpEZ6jJ9k1snq4pZsg7DOEN8hP9Xw0Tsjwk0=
+github.com/kr/pretty v0.3.0/go.mod h1:640gp4NfQd8pI5XOwp5fnNeVWj67G7CFk/SaSQn7NBk=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
+github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
+golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug=
+golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk=
+golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

agent/internal/config/config.go

@@ -0,0 +1,267 @@
+package config
+
+import (
+	"encoding/json"
+	"flag"
+	"fmt"
+	"os"
+
+	"databasus-agent/internal/logger"
+)
+
+var log = logger.GetLogger()
+
+const configFileName = "databasus.json"
+
+type Config struct {
+	DatabasusHost          string `json:"databasusHost"`
+	DbID                   string `json:"dbId"`
+	Token                  string `json:"token"`
+	PgHost                 string `json:"pgHost"`
+	PgPort                 int    `json:"pgPort"`
+	PgUser                 string `json:"pgUser"`
+	PgPassword             string `json:"pgPassword"`
+	PgType                 string `json:"pgType"`
+	PgHostBinDir           string `json:"pgHostBinDir"`
+	PgDockerContainerName  string `json:"pgDockerContainerName"`
+	WalDir                 string `json:"walDir"`
+	IsDeleteWalAfterUpload *bool  `json:"deleteWalAfterUpload"`
+
+	flags parsedFlags
+}
+
+// LoadFromJSONAndArgs reads databasus.json into the struct
+// and overrides JSON values with any explicitly provided CLI flags.
+func (c *Config) LoadFromJSONAndArgs(fs *flag.FlagSet, args []string) {
+	c.loadFromJSON()
+	c.applyDefaults()
+	c.initSources()
+
+	c.flags.databasusHost = fs.String(
+		"databasus-host",
+		"",
+		"Databasus server URL (e.g. http://your-server:4005)",
+	)
+	c.flags.dbID = fs.String("db-id", "", "Database ID")
+	c.flags.token = fs.String("token", "", "Agent token")
+	c.flags.pgHost = fs.String("pg-host", "", "PostgreSQL host")
+	c.flags.pgPort = fs.Int("pg-port", 0, "PostgreSQL port")
+	c.flags.pgUser = fs.String("pg-user", "", "PostgreSQL user")
+	c.flags.pgPassword = fs.String("pg-password", "", "PostgreSQL password")
+	c.flags.pgType = fs.String("pg-type", "", "PostgreSQL type: host or docker")
+	c.flags.pgHostBinDir = fs.String("pg-host-bin-dir", "", "Path to PG bin directory (host mode)")
+	c.flags.pgDockerContainerName = fs.String("pg-docker-container-name", "", "Docker container name (docker mode)")
+	c.flags.walDir = fs.String("wal-dir", "", "Path to WAL queue directory")
+
+	if err := fs.Parse(args); err != nil {
+		os.Exit(1)
+	}
+
+	c.applyFlags()
+	log.Info("========= Loading config ============")
+	c.logConfigSources()
+	log.Info("========= Config has been loaded ====")
+}
+
+// SaveToJSON writes the current struct to databasus.json.
+func (c *Config) SaveToJSON() error {
+	data, err := json.MarshalIndent(c, "", "  ")
+	if err != nil {
+		return err
+	}
+
+	return os.WriteFile(configFileName, data, 0o644)
+}
+
+func (c *Config) loadFromJSON() {
+	data, err := os.ReadFile(configFileName)
+	if err != nil {
+		if os.IsNotExist(err) {
+			log.Info("No databasus.json found, will create on save")
+			return
+		}
+
+		log.Warn("Failed to read databasus.json", "error", err)
+
+		return
+	}
+
+	if err := json.Unmarshal(data, c); err != nil {
+		log.Warn("Failed to parse databasus.json", "error", err)
+
+		return
+	}
+
+	log.Info("Configuration loaded from " + configFileName)
+}
+
+func (c *Config) applyDefaults() {
+	if c.PgPort == 0 {
+		c.PgPort = 5432
+	}
+
+	if c.PgType == "" {
+		c.PgType = "host"
+	}
+
+	if c.IsDeleteWalAfterUpload == nil {
+		v := true
+		c.IsDeleteWalAfterUpload = &v
+	}
+}
+
+func (c *Config) initSources() {
+	c.flags.sources = map[string]string{
+		"databasus-host":           "not configured",
+		"db-id":                    "not configured",
+		"token":                    "not configured",
+		"pg-host":                  "not configured",
+		"pg-port":                  "not configured",
+		"pg-user":                  "not configured",
+		"pg-password":              "not configured",
+		"pg-type":                  "not configured",
+		"pg-host-bin-dir":          "not configured",
+		"pg-docker-container-name": "not configured",
+		"wal-dir":                  "not configured",
+		"delete-wal-after-upload":  "not configured",
+	}
+
+	if c.DatabasusHost != "" {
+		c.flags.sources["databasus-host"] = configFileName
+	}
+
+	if c.DbID != "" {
+		c.flags.sources["db-id"] = configFileName
+	}
+
+	if c.Token != "" {
+		c.flags.sources["token"] = configFileName
+	}
+
+	if c.PgHost != "" {
+		c.flags.sources["pg-host"] = configFileName
+	}
+
+	// PgPort always has a value after applyDefaults
+	c.flags.sources["pg-port"] = configFileName
+
+	if c.PgUser != "" {
+		c.flags.sources["pg-user"] = configFileName
+	}
+
+	if c.PgPassword != "" {
+		c.flags.sources["pg-password"] = configFileName
+	}
+
+	// PgType always has a value after applyDefaults
+	c.flags.sources["pg-type"] = configFileName
+
+	if c.PgHostBinDir != "" {
+		c.flags.sources["pg-host-bin-dir"] = configFileName
+	}
+
+	if c.PgDockerContainerName != "" {
+		c.flags.sources["pg-docker-container-name"] = configFileName
+	}
+
+	if c.WalDir != "" {
+		c.flags.sources["wal-dir"] = configFileName
+	}
+
+	// IsDeleteWalAfterUpload always has a value after applyDefaults
+	c.flags.sources["delete-wal-after-upload"] = configFileName
+}
+
+func (c *Config) applyFlags() {
+	if c.flags.databasusHost != nil && *c.flags.databasusHost != "" {
+		c.DatabasusHost = *c.flags.databasusHost
+		c.flags.sources["databasus-host"] = "command line args"
+	}
+
+	if c.flags.dbID != nil && *c.flags.dbID != "" {
+		c.DbID = *c.flags.dbID
+		c.flags.sources["db-id"] = "command line args"
+	}
+
+	if c.flags.token != nil && *c.flags.token != "" {
+		c.Token = *c.flags.token
+		c.flags.sources["token"] = "command line args"
+	}
+
+	if c.flags.pgHost != nil && *c.flags.pgHost != "" {
+		c.PgHost = *c.flags.pgHost
+		c.flags.sources["pg-host"] = "command line args"
+	}
+
+	if c.flags.pgPort != nil && *c.flags.pgPort != 0 {
+		c.PgPort = *c.flags.pgPort
+		c.flags.sources["pg-port"] = "command line args"
+	}
+
+	if c.flags.pgUser != nil && *c.flags.pgUser != "" {
+		c.PgUser = *c.flags.pgUser
+		c.flags.sources["pg-user"] = "command line args"
+	}
+
+	if c.flags.pgPassword != nil && *c.flags.pgPassword != "" {
+		c.PgPassword = *c.flags.pgPassword
+		c.flags.sources["pg-password"] = "command line args"
+	}
+
+	if c.flags.pgType != nil && *c.flags.pgType != "" {
+		c.PgType = *c.flags.pgType
+		c.flags.sources["pg-type"] = "command line args"
+	}
+
+	if c.flags.pgHostBinDir != nil && *c.flags.pgHostBinDir != "" {
+		c.PgHostBinDir = *c.flags.pgHostBinDir
+		c.flags.sources["pg-host-bin-dir"] = "command line args"
+	}
+
+	if c.flags.pgDockerContainerName != nil && *c.flags.pgDockerContainerName != "" {
+		c.PgDockerContainerName = *c.flags.pgDockerContainerName
+		c.flags.sources["pg-docker-container-name"] = "command line args"
+	}
+
+	if c.flags.walDir != nil && *c.flags.walDir != "" {
+		c.WalDir = *c.flags.walDir
+		c.flags.sources["wal-dir"] = "command line args"
+	}
+}
+
+func (c *Config) logConfigSources() {
+	log.Info("databasus-host", "value", c.DatabasusHost, "source", c.flags.sources["databasus-host"])
+	log.Info("db-id", "value", c.DbID, "source", c.flags.sources["db-id"])
+	log.Info("token", "value", maskSensitive(c.Token), "source", c.flags.sources["token"])
+	log.Info("pg-host", "value", c.PgHost, "source", c.flags.sources["pg-host"])
+	log.Info("pg-port", "value", c.PgPort, "source", c.flags.sources["pg-port"])
+	log.Info("pg-user", "value", c.PgUser, "source", c.flags.sources["pg-user"])
+	log.Info("pg-password", "value", maskSensitive(c.PgPassword), "source", c.flags.sources["pg-password"])
+	log.Info("pg-type", "value", c.PgType, "source", c.flags.sources["pg-type"])
+	log.Info("pg-host-bin-dir", "value", c.PgHostBinDir, "source", c.flags.sources["pg-host-bin-dir"])
+	log.Info(
+		"pg-docker-container-name",
+		"value",
+		c.PgDockerContainerName,
+		"source",
+		c.flags.sources["pg-docker-container-name"],
+	)
+	log.Info("wal-dir", "value", c.WalDir, "source", c.flags.sources["wal-dir"])
+	log.Info(
+		"delete-wal-after-upload",
+		"value",
+		fmt.Sprintf("%v", *c.IsDeleteWalAfterUpload),
+		"source",
+		c.flags.sources["delete-wal-after-upload"],
+	)
+}
+
+func maskSensitive(value string) string {
+	if value == "" {
+		return "(not set)"
+	}
+
+	visibleLen := max(len(value)/4, 1)
+
+	return value[:visibleLen] + "***"
+}

agent/internal/config/config_test.go

@@ -0,0 +1,301 @@
+package config
+
+import (
+	"encoding/json"
+	"flag"
+	"os"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func Test_LoadFromJSONAndArgs_ValuesLoadedFromJSON(t *testing.T) {
+	dir := setupTempDir(t)
+	writeConfigJSON(t, dir, Config{
+		DatabasusHost: "http://json-host:4005",
+		DbID:          "json-db-id",
+		Token:         "json-token",
+	})
+
+	cfg := &Config{}
+	fs := flag.NewFlagSet("test", flag.ContinueOnError)
+	cfg.LoadFromJSONAndArgs(fs, []string{})
+
+	assert.Equal(t, "http://json-host:4005", cfg.DatabasusHost)
+	assert.Equal(t, "json-db-id", cfg.DbID)
+	assert.Equal(t, "json-token", cfg.Token)
+}
+
+func Test_LoadFromJSONAndArgs_ValuesLoadedFromArgs_WhenNoJSON(t *testing.T) {
+	setupTempDir(t)
+
+	cfg := &Config{}
+	fs := flag.NewFlagSet("test", flag.ContinueOnError)
+	cfg.LoadFromJSONAndArgs(fs, []string{
+		"--databasus-host", "http://arg-host:4005",
+		"--db-id", "arg-db-id",
+		"--token", "arg-token",
+	})
+
+	assert.Equal(t, "http://arg-host:4005", cfg.DatabasusHost)
+	assert.Equal(t, "arg-db-id", cfg.DbID)
+	assert.Equal(t, "arg-token", cfg.Token)
+}
+
+func Test_LoadFromJSONAndArgs_ArgsOverrideJSON(t *testing.T) {
+	dir := setupTempDir(t)
+	writeConfigJSON(t, dir, Config{
+		DatabasusHost: "http://json-host:4005",
+		DbID:          "json-db-id",
+		Token:         "json-token",
+	})
+
+	cfg := &Config{}
+	fs := flag.NewFlagSet("test", flag.ContinueOnError)
+	cfg.LoadFromJSONAndArgs(fs, []string{
+		"--databasus-host", "http://arg-host:9999",
+		"--db-id", "arg-db-id-override",
+		"--token", "arg-token-override",
+	})
+
+	assert.Equal(t, "http://arg-host:9999", cfg.DatabasusHost)
+	assert.Equal(t, "arg-db-id-override", cfg.DbID)
+	assert.Equal(t, "arg-token-override", cfg.Token)
+}
+
+func Test_LoadFromJSONAndArgs_PartialArgsOverrideJSON(t *testing.T) {
+	dir := setupTempDir(t)
+	writeConfigJSON(t, dir, Config{
+		DatabasusHost: "http://json-host:4005",
+		DbID:          "json-db-id",
+		Token:         "json-token",
+	})
+
+	cfg := &Config{}
+	fs := flag.NewFlagSet("test", flag.ContinueOnError)
+	cfg.LoadFromJSONAndArgs(fs, []string{
+		"--databasus-host", "http://arg-host-only:4005",
+	})
+
+	assert.Equal(t, "http://arg-host-only:4005", cfg.DatabasusHost)
+	assert.Equal(t, "json-db-id", cfg.DbID)
+	assert.Equal(t, "json-token", cfg.Token)
+}
+
+func Test_SaveToJSON_ConfigSavedCorrectly(t *testing.T) {
+	setupTempDir(t)
+
+	deleteWal := true
+	cfg := &Config{
+		DatabasusHost:          "http://save-host:4005",
+		DbID:                   "save-db-id",
+		Token:                  "save-token",
+		IsDeleteWalAfterUpload: &deleteWal,
+	}
+
+	err := cfg.SaveToJSON()
+	require.NoError(t, err)
+
+	saved := readConfigJSON(t)
+
+	assert.Equal(t, "http://save-host:4005", saved.DatabasusHost)
+	assert.Equal(t, "save-db-id", saved.DbID)
+	assert.Equal(t, "save-token", saved.Token)
+}
+
+func Test_SaveToJSON_AfterArgsOverrideJSON_SavedFileContainsMergedValues(t *testing.T) {
+	dir := setupTempDir(t)
+	writeConfigJSON(t, dir, Config{
+		DatabasusHost: "http://json-host:4005",
+		DbID:          "json-db-id",
+		Token:         "json-token",
+	})
+
+	cfg := &Config{}
+	fs := flag.NewFlagSet("test", flag.ContinueOnError)
+	cfg.LoadFromJSONAndArgs(fs, []string{
+		"--databasus-host", "http://override-host:9999",
+	})
+
+	err := cfg.SaveToJSON()
+	require.NoError(t, err)
+
+	saved := readConfigJSON(t)
+
+	assert.Equal(t, "http://override-host:9999", saved.DatabasusHost)
+	assert.Equal(t, "json-db-id", saved.DbID)
+	assert.Equal(t, "json-token", saved.Token)
+}
+
+func Test_LoadFromJSONAndArgs_PgFieldsLoadedFromJSON(t *testing.T) {
+	dir := setupTempDir(t)
+	deleteWal := false
+	writeConfigJSON(t, dir, Config{
+		DatabasusHost:          "http://json-host:4005",
+		DbID:                   "json-db-id",
+		Token:                  "json-token",
+		PgHost:                 "pg-json-host",
+		PgPort:                 5433,
+		PgUser:                 "pg-json-user",
+		PgPassword:             "pg-json-pass",
+		PgType:                 "docker",
+		PgHostBinDir:           "/usr/bin",
+		PgDockerContainerName:  "pg-container",
+		WalDir:                 "/opt/wal",
+		IsDeleteWalAfterUpload: &deleteWal,
+	})
+
+	cfg := &Config{}
+	fs := flag.NewFlagSet("test", flag.ContinueOnError)
+	cfg.LoadFromJSONAndArgs(fs, []string{})
+
+	assert.Equal(t, "pg-json-host", cfg.PgHost)
+	assert.Equal(t, 5433, cfg.PgPort)
+	assert.Equal(t, "pg-json-user", cfg.PgUser)
+	assert.Equal(t, "pg-json-pass", cfg.PgPassword)
+	assert.Equal(t, "docker", cfg.PgType)
+	assert.Equal(t, "/usr/bin", cfg.PgHostBinDir)
+	assert.Equal(t, "pg-container", cfg.PgDockerContainerName)
+	assert.Equal(t, "/opt/wal", cfg.WalDir)
+	assert.Equal(t, false, *cfg.IsDeleteWalAfterUpload)
+}
+
+func Test_LoadFromJSONAndArgs_PgFieldsLoadedFromArgs(t *testing.T) {
+	setupTempDir(t)
+
+	cfg := &Config{}
+	fs := flag.NewFlagSet("test", flag.ContinueOnError)
+	cfg.LoadFromJSONAndArgs(fs, []string{
+		"--pg-host", "arg-pg-host",
+		"--pg-port", "5433",
+		"--pg-user", "arg-pg-user",
+		"--pg-password", "arg-pg-pass",
+		"--pg-type", "docker",
+		"--pg-host-bin-dir", "/custom/bin",
+		"--pg-docker-container-name", "my-pg",
+		"--wal-dir", "/var/wal",
+	})
+
+	assert.Equal(t, "arg-pg-host", cfg.PgHost)
+	assert.Equal(t, 5433, cfg.PgPort)
+	assert.Equal(t, "arg-pg-user", cfg.PgUser)
+	assert.Equal(t, "arg-pg-pass", cfg.PgPassword)
+	assert.Equal(t, "docker", cfg.PgType)
+	assert.Equal(t, "/custom/bin", cfg.PgHostBinDir)
+	assert.Equal(t, "my-pg", cfg.PgDockerContainerName)
+	assert.Equal(t, "/var/wal", cfg.WalDir)
+}
+
+func Test_LoadFromJSONAndArgs_PgArgsOverrideJSON(t *testing.T) {
+	dir := setupTempDir(t)
+	writeConfigJSON(t, dir, Config{
+		PgHost: "json-host",
+		PgPort: 5432,
+		PgUser: "json-user",
+		PgType: "host",
+		WalDir: "/json/wal",
+	})
+
+	cfg := &Config{}
+	fs := flag.NewFlagSet("test", flag.ContinueOnError)
+	cfg.LoadFromJSONAndArgs(fs, []string{
+		"--pg-host", "arg-host",
+		"--pg-port", "5433",
+		"--pg-user", "arg-user",
+		"--pg-type", "docker",
+		"--pg-docker-container-name", "my-container",
+		"--wal-dir", "/arg/wal",
+	})
+
+	assert.Equal(t, "arg-host", cfg.PgHost)
+	assert.Equal(t, 5433, cfg.PgPort)
+	assert.Equal(t, "arg-user", cfg.PgUser)
+	assert.Equal(t, "docker", cfg.PgType)
+	assert.Equal(t, "my-container", cfg.PgDockerContainerName)
+	assert.Equal(t, "/arg/wal", cfg.WalDir)
+}
+
+func Test_LoadFromJSONAndArgs_DefaultsApplied_WhenNoJSONAndNoArgs(t *testing.T) {
+	setupTempDir(t)
+
+	cfg := &Config{}
+	fs := flag.NewFlagSet("test", flag.ContinueOnError)
+	cfg.LoadFromJSONAndArgs(fs, []string{})
+
+	assert.Equal(t, 5432, cfg.PgPort)
+	assert.Equal(t, "host", cfg.PgType)
+	require.NotNil(t, cfg.IsDeleteWalAfterUpload)
+	assert.Equal(t, true, *cfg.IsDeleteWalAfterUpload)
+}
+
+func Test_SaveToJSON_PgFieldsSavedCorrectly(t *testing.T) {
+	setupTempDir(t)
+
+	deleteWal := false
+	cfg := &Config{
+		DatabasusHost:          "http://host:4005",
+		DbID:                   "db-id",
+		Token:                  "token",
+		PgHost:                 "pg-host",
+		PgPort:                 5433,
+		PgUser:                 "pg-user",
+		PgPassword:             "pg-pass",
+		PgType:                 "docker",
+		PgHostBinDir:           "/usr/bin",
+		PgDockerContainerName:  "pg-container",
+		WalDir:                 "/opt/wal",
+		IsDeleteWalAfterUpload: &deleteWal,
+	}
+
+	err := cfg.SaveToJSON()
+	require.NoError(t, err)
+
+	saved := readConfigJSON(t)
+
+	assert.Equal(t, "pg-host", saved.PgHost)
+	assert.Equal(t, 5433, saved.PgPort)
+	assert.Equal(t, "pg-user", saved.PgUser)
+	assert.Equal(t, "pg-pass", saved.PgPassword)
+	assert.Equal(t, "docker", saved.PgType)
+	assert.Equal(t, "/usr/bin", saved.PgHostBinDir)
+	assert.Equal(t, "pg-container", saved.PgDockerContainerName)
+	assert.Equal(t, "/opt/wal", saved.WalDir)
+	require.NotNil(t, saved.IsDeleteWalAfterUpload)
+	assert.Equal(t, false, *saved.IsDeleteWalAfterUpload)
+}
+
+func setupTempDir(t *testing.T) string {
+	t.Helper()
+
+	origDir, err := os.Getwd()
+	require.NoError(t, err)
+
+	dir := t.TempDir()
+	require.NoError(t, os.Chdir(dir))
+
+	t.Cleanup(func() { os.Chdir(origDir) })
+
+	return dir
+}
+
+func writeConfigJSON(t *testing.T, dir string, cfg Config) {
+	t.Helper()
+
+	data, err := json.MarshalIndent(cfg, "", "  ")
+	require.NoError(t, err)
+
+	require.NoError(t, os.WriteFile(dir+"/"+configFileName, data, 0o644))
+}
+
+func readConfigJSON(t *testing.T) Config {
+	t.Helper()
+
+	data, err := os.ReadFile(configFileName)
+	require.NoError(t, err)
+
+	var cfg Config
+	require.NoError(t, json.Unmarshal(data, &cfg))
+
+	return cfg
+}

agent/internal/config/dto.go

@@ -0,0 +1,17 @@
+package config
+
+type parsedFlags struct {
+	databasusHost         *string
+	dbID                  *string
+	token                 *string
+	pgHost                *string
+	pgPort                *int
+	pgUser                *string
+	pgPassword            *string
+	pgType                *string
+	pgHostBinDir          *string
+	pgDockerContainerName *string
+	walDir                *string
+
+	sources map[string]string
+}

agent/internal/features/start/start.go

@@ -0,0 +1,179 @@
+package start
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"log/slog"
+	"os/exec"
+	"path/filepath"
+	"strings"
+	"time"
+
+	"github.com/jackc/pgx/v5"
+
+	"databasus-agent/internal/config"
+)
+
+const (
+	pgBasebackupVerifyTimeout = 10 * time.Second
+	dbVerifyTimeout           = 10 * time.Second
+)
+
+func Run(cfg *config.Config, log *slog.Logger) error {
+	if err := validateConfig(cfg); err != nil {
+		return err
+	}
+
+	if err := verifyPgBasebackup(cfg, log); err != nil {
+		return err
+	}
+
+	if err := verifyDatabase(cfg, log); err != nil {
+		return err
+	}
+
+	log.Info("start: stub — not yet implemented",
+		"dbId", cfg.DbID,
+		"hasToken", cfg.Token != "",
+	)
+
+	return nil
+}
+
+func validateConfig(cfg *config.Config) error {
+	if cfg.DatabasusHost == "" {
+		return errors.New("argument databasus-host is required")
+	}
+
+	if cfg.DbID == "" {
+		return errors.New("argument db-id is required")
+	}
+
+	if cfg.Token == "" {
+		return errors.New("argument token is required")
+	}
+
+	if cfg.PgHost == "" {
+		return errors.New("argument pg-host is required")
+	}
+
+	if cfg.PgPort <= 0 {
+		return errors.New("argument pg-port must be a positive number")
+	}
+
+	if cfg.PgUser == "" {
+		return errors.New("argument pg-user is required")
+	}
+
+	if cfg.PgType != "host" && cfg.PgType != "docker" {
+		return fmt.Errorf("argument pg-type must be 'host' or 'docker', got '%s'", cfg.PgType)
+	}
+
+	if cfg.WalDir == "" {
+		return errors.New("argument wal-dir is required")
+	}
+
+	if cfg.PgType == "docker" && cfg.PgDockerContainerName == "" {
+		return errors.New("argument pg-docker-container-name is required when pg-type is 'docker'")
+	}
+
+	return nil
+}
+
+func verifyPgBasebackup(cfg *config.Config, log *slog.Logger) error {
+	switch cfg.PgType {
+	case "host":
+		return verifyPgBasebackupHost(cfg, log)
+	case "docker":
+		return verifyPgBasebackupDocker(cfg, log)
+	default:
+		return fmt.Errorf("unexpected pg-type: %s", cfg.PgType)
+	}
+}
+
+func verifyPgBasebackupHost(cfg *config.Config, log *slog.Logger) error {
+	binary := "pg_basebackup"
+	if cfg.PgHostBinDir != "" {
+		binary = filepath.Join(cfg.PgHostBinDir, "pg_basebackup")
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), pgBasebackupVerifyTimeout)
+	defer cancel()
+
+	output, err := exec.CommandContext(ctx, binary, "--version").CombinedOutput()
+	if err != nil {
+		if cfg.PgHostBinDir != "" {
+			return fmt.Errorf(
+				"pg_basebackup not found at '%s': %w. Verify pg-host-bin-dir is correct",
+				binary, err,
+			)
+		}
+
+		return fmt.Errorf(
+			"pg_basebackup not found in PATH: %w. Install PostgreSQL client tools or set pg-host-bin-dir",
+			err,
+		)
+	}
+
+	log.Info("pg_basebackup verified", "version", strings.TrimSpace(string(output)))
+
+	return nil
+}
+
+func verifyPgBasebackupDocker(cfg *config.Config, log *slog.Logger) error {
+	ctx, cancel := context.WithTimeout(context.Background(), pgBasebackupVerifyTimeout)
+	defer cancel()
+
+	output, err := exec.CommandContext(ctx,
+		"docker", "exec", cfg.PgDockerContainerName,
+		"pg_basebackup", "--version",
+	).CombinedOutput()
+	if err != nil {
+		return fmt.Errorf(
+			"pg_basebackup not available in container '%s': %w. "+
+				"Check that the container is running and pg_basebackup is installed inside it",
+			cfg.PgDockerContainerName, err,
+		)
+	}
+
+	log.Info("pg_basebackup verified (docker)",
+		"container", cfg.PgDockerContainerName,
+		"version", strings.TrimSpace(string(output)),
+	)
+
+	return nil
+}
+
+func verifyDatabase(cfg *config.Config, log *slog.Logger) error {
+	connStr := fmt.Sprintf(
+		"host=%s port=%d user=%s password=%s dbname=postgres sslmode=disable",
+		cfg.PgHost, cfg.PgPort, cfg.PgUser, cfg.PgPassword,
+	)
+
+	ctx, cancel := context.WithTimeout(context.Background(), dbVerifyTimeout)
+	defer cancel()
+
+	conn, err := pgx.Connect(ctx, connStr)
+	if err != nil {
+		return fmt.Errorf(
+			"failed to connect to PostgreSQL at %s:%d as user '%s': %w",
+			cfg.PgHost, cfg.PgPort, cfg.PgUser, err,
+		)
+	}
+	defer func() { _ = conn.Close(ctx) }()
+
+	if err := conn.Ping(ctx); err != nil {
+		return fmt.Errorf("PostgreSQL ping failed at %s:%d: %w",
+			cfg.PgHost, cfg.PgPort, err,
+		)
+	}
+
+	log.Info("PostgreSQL connection verified",
+		"host", cfg.PgHost,
+		"port", cfg.PgPort,
+		"user", cfg.PgUser,
+	)
+
+	return nil
+}

agent/internal/features/upgrade/dto.go

@@ -0,0 +1,5 @@
+package upgrade
+
+type versionResponse struct {
+	Version string `json:"version"`
+}

agent/internal/features/upgrade/upgrader.go

@@ -0,0 +1,154 @@
+package upgrade
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"log/slog"
+	"net/http"
+	"os"
+	"os/exec"
+	"runtime"
+	"strings"
+	"syscall"
+	"time"
+)
+
+func CheckAndUpdate(databasusHost, currentVersion string, isDev bool, log *slog.Logger) error {
+	if isDev {
+		log.Info("Skipping update check (development mode)")
+		return nil
+	}
+
+	serverVersion, err := fetchServerVersion(databasusHost, log)
+	if err != nil {
+		return fmt.Errorf(
+			"unable to check version, please verify Databasus server is available at %s: %w",
+			databasusHost,
+			err,
+		)
+	}
+
+	if serverVersion == currentVersion {
+		log.Info("Agent version is up to date", "version", currentVersion)
+		return nil
+	}
+
+	log.Info("Updating agent...", "current", currentVersion, "target", serverVersion)
+
+	selfPath, err := os.Executable()
+	if err != nil {
+		return fmt.Errorf("failed to determine executable path: %w", err)
+	}
+
+	tempPath := selfPath + ".update"
+
+	defer func() {
+		_ = os.Remove(tempPath)
+	}()
+
+	if err := downloadBinary(databasusHost, tempPath); err != nil {
+		return fmt.Errorf("failed to download update: %w", err)
+	}
+
+	if err := os.Chmod(tempPath, 0o755); err != nil {
+		return fmt.Errorf("failed to set permissions on update: %w", err)
+	}
+
+	if err := verifyBinary(tempPath, serverVersion); err != nil {
+		return fmt.Errorf("update verification failed: %w", err)
+	}
+
+	if err := os.Rename(tempPath, selfPath); err != nil {
+		return fmt.Errorf("failed to replace binary (try --skip-update if this persists): %w", err)
+	}
+
+	log.Info("Update complete, re-executing...")
+
+	return syscall.Exec(selfPath, os.Args, os.Environ())
+}
+
+func fetchServerVersion(host string, log *slog.Logger) (string, error) {
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	defer cancel()
+
+	client := &http.Client{Timeout: 10 * time.Second}
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, host+"/api/v1/system/version", nil)
+	if err != nil {
+		return "", err
+	}
+
+	resp, err := client.Do(req)
+	if err != nil {
+		log.Warn("Could not reach server for update check, continuing", "error", err)
+		return "", err
+	}
+	defer func() { _ = resp.Body.Close() }()
+
+	if resp.StatusCode != http.StatusOK {
+		log.Warn(
+			"Server returned non-OK status for version check, continuing",
+			"status",
+			resp.StatusCode,
+		)
+		return "", fmt.Errorf("status %d", resp.StatusCode)
+	}
+
+	var ver versionResponse
+	if err := json.NewDecoder(resp.Body).Decode(&ver); err != nil {
+		log.Warn("Failed to parse server version response, continuing", "error", err)
+		return "", err
+	}
+
+	return ver.Version, nil
+}
+
+func downloadBinary(host, destPath string) error {
+	url := fmt.Sprintf("%s/api/v1/system/agent?arch=%s", host, runtime.GOARCH)
+
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute)
+	defer cancel()
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
+	if err != nil {
+		return err
+	}
+
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		return err
+	}
+	defer func() { _ = resp.Body.Close() }()
+
+	if resp.StatusCode != http.StatusOK {
+		return fmt.Errorf("server returned %d for agent download", resp.StatusCode)
+	}
+
+	f, err := os.Create(destPath)
+	if err != nil {
+		return err
+	}
+	defer func() { _ = f.Close() }()
+
+	_, err = io.Copy(f, resp.Body)
+
+	return err
+}
+
+func verifyBinary(binaryPath, expectedVersion string) error {
+	cmd := exec.CommandContext(context.Background(), binaryPath, "version")
+
+	output, err := cmd.Output()
+	if err != nil {
+		return fmt.Errorf("binary failed to execute: %w", err)
+	}
+
+	got := strings.TrimSpace(string(output))
+	if got != expectedVersion {
+		return fmt.Errorf("version mismatch: expected %q, got %q", expectedVersion, got)
+	}
+
+	return nil
+}

agent/internal/logger/logger.go

@@ -0,0 +1,45 @@
+package logger
+
+import (
+	"log/slog"
+	"os"
+	"sync"
+	"time"
+)
+
+var (
+	loggerInstance *slog.Logger
+	once           sync.Once
+)
+
+func Init(isDebug bool) {
+	level := slog.LevelInfo
+	if isDebug {
+		level = slog.LevelDebug
+	}
+
+	once.Do(func() {
+		loggerInstance = slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{
+			Level: level,
+			ReplaceAttr: func(groups []string, a slog.Attr) slog.Attr {
+				if a.Key == slog.TimeKey {
+					a.Value = slog.StringValue(time.Now().Format("2006/01/02 15:04:05"))
+				}
+				if a.Key == slog.LevelKey {
+					return slog.Attr{}
+				}
+
+				return a
+			},
+		}))
+	})
+}
+
+// GetLogger returns a singleton slog.Logger that logs to the console
+func GetLogger() *slog.Logger {
+	if loggerInstance == nil {
+		Init(false)
+	}
+
+	return loggerInstance
+}

backend/.golangci.yml

@@ -7,6 +7,16 @@ run:
 
 linters:
   default: standard
+  enable:
+    - funcorder
+    - bodyclose
+    - errorlint
+    - gocritic
+    - unconvert
+    - misspell
+    - errname
+    - noctx
+    - modernize
 
   settings:
     errcheck:
@@ -14,6 +24,18 @@ linters:
 
 formatters:
   enable:
-    - gofmt
+    - gofumpt
     - golines
-    - goimports
+    - gci
+
+  settings:
+    golines:
+      max-len: 120
+    gofumpt:
+      module-path: databasus-backend
+      extra-rules: true
+    gci:
+      sections:
+        - standard
+        - default
+        - localmodule

backend/cmd/main.go

@@ -12,11 +12,18 @@ import (
 	"syscall"
 	"time"
 
+	"github.com/gin-contrib/cors"
+	"github.com/gin-contrib/gzip"
+	"github.com/gin-gonic/gin"
+	swaggerFiles "github.com/swaggo/files"
+	ginSwagger "github.com/swaggo/gin-swagger"
+
 	"databasus-backend/internal/config"
 	"databasus-backend/internal/features/audit_logs"
-	"databasus-backend/internal/features/backups/backups"
 	"databasus-backend/internal/features/backups/backups/backuping"
+	backups_controllers "databasus-backend/internal/features/backups/backups/controllers"
 	backups_download "databasus-backend/internal/features/backups/backups/download"
+	backups_services "databasus-backend/internal/features/backups/backups/services"
 	backups_config "databasus-backend/internal/features/backups/config"
 	"databasus-backend/internal/features/databases"
 	"databasus-backend/internal/features/disk"
@@ -27,7 +34,9 @@ import (
 	"databasus-backend/internal/features/restores"
 	"databasus-backend/internal/features/restores/restoring"
 	"databasus-backend/internal/features/storages"
+	system_agent "databasus-backend/internal/features/system/agent"
 	system_healthcheck "databasus-backend/internal/features/system/healthcheck"
+	system_version "databasus-backend/internal/features/system/version"
 	task_cancellation "databasus-backend/internal/features/tasks/cancellation"
 	users_controllers "databasus-backend/internal/features/users/controllers"
 	users_middleware "databasus-backend/internal/features/users/middleware"
@@ -38,12 +47,6 @@ import (
 	files_utils "databasus-backend/internal/util/files"
 	"databasus-backend/internal/util/logger"
 	_ "databasus-backend/swagger" // swagger docs
-
-	"github.com/gin-contrib/cors"
-	"github.com/gin-contrib/gzip"
-	"github.com/gin-gonic/gin"
-	swaggerFiles "github.com/swaggo/files"
-	ginSwagger "github.com/swaggo/gin-swagger"
 )
 
 // @title Databasus Backend API
@@ -80,7 +83,6 @@ func main() {
 		config.GetEnv().TempFolder,
 		config.GetEnv().DataFolder,
 	})
-
 	if err != nil {
 		log.Error("Failed to ensure directories", "error", err)
 		os.Exit(1)
@@ -147,7 +149,7 @@ func handlePasswordReset(log *slog.Logger) {
 	resetPassword(*email, *newPassword, log)
 }
 
-func resetPassword(email string, newPassword string, log *slog.Logger) {
+func resetPassword(email, newPassword string, log *slog.Logger) {
 	log.Info("Resetting password...")
 
 	userService := users_services.GetUserService()
@@ -209,7 +211,11 @@ func setUpRoutes(r *gin.Engine) {
 	userController := users_controllers.GetUserController()
 	userController.RegisterRoutes(v1)
 	system_healthcheck.GetHealthcheckController().RegisterRoutes(v1)
-	backups.GetBackupController().RegisterPublicRoutes(v1)
+	system_version.GetVersionController().RegisterRoutes(v1)
+	system_agent.GetAgentController().RegisterRoutes(v1)
+	backups_controllers.GetBackupController().RegisterPublicRoutes(v1)
+	backups_controllers.GetPostgresWalBackupController().RegisterRoutes(v1)
+	databases.GetDatabaseController().RegisterPublicRoutes(v1)
 
 	// Setup auth middleware
 	userService := users_services.GetUserService()
@@ -226,7 +232,7 @@ func setUpRoutes(r *gin.Engine) {
 	notifiers.GetNotifierController().RegisterRoutes(protected)
 	storages.GetStorageController().RegisterRoutes(protected)
 	databases.GetDatabaseController().RegisterRoutes(protected)
-	backups.GetBackupController().RegisterRoutes(protected)
+	backups_controllers.GetBackupController().RegisterRoutes(protected)
 	restores.GetRestoreController().RegisterRoutes(protected)
 	healthcheck_config.GetHealthcheckConfigController().RegisterRoutes(protected)
 	healthcheck_attempt.GetHealthcheckAttemptController().RegisterRoutes(protected)
@@ -238,7 +244,7 @@ func setUpRoutes(r *gin.Engine) {
 
 func setUpDependencies() {
 	databases.SetupDependencies()
-	backups.SetupDependencies()
+	backups_services.SetupDependencies()
 	restores.SetupDependencies()
 	healthcheck_config.SetupDependencies()
 	audit_logs.SetupDependencies()
@@ -347,7 +353,9 @@ func generateSwaggerDocs(log *slog.Logger) {
 		return
 	}
 
-	cmd := exec.Command("swag", "init", "-d", currentDir, "-g", "cmd/main.go", "-o", "swagger")
+	cmd := exec.CommandContext(
+		context.Background(), "swag", "init", "-d", currentDir, "-g", "cmd/main.go", "-o", "swagger",
+	)
 
 	output, err := cmd.CombinedOutput()
 	if err != nil {
@@ -361,7 +369,7 @@ func generateSwaggerDocs(log *slog.Logger) {
 func runMigrations(log *slog.Logger) {
 	log.Info("Running database migrations...")
 
-	cmd := exec.Command("goose", "-dir", "./migrations", "up")
+	cmd := exec.CommandContext(context.Background(), "goose", "-dir", "./migrations", "up")
 	cmd.Env = append(
 		os.Environ(),
 		"GOOSE_DRIVER=postgres",

backend/go.mod

@@ -1,6 +1,6 @@
 module databasus-backend
 
-go 1.24.9
+go 1.26.1
 
 require (
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.20.0

backend/internal/config/config.go

@@ -1,9 +1,6 @@
 package config
 
 import (
-	env_utils "databasus-backend/internal/util/env"
-	"databasus-backend/internal/util/logger"
-	"databasus-backend/internal/util/tools"
 	"os"
 	"path/filepath"
 	"strings"
@@ -11,6 +8,10 @@ import (
 
 	"github.com/ilyakaznacheev/cleanenv"
 	"github.com/joho/godotenv"
+
+	env_utils "databasus-backend/internal/util/env"
+	"databasus-backend/internal/util/logger"
+	"databasus-backend/internal/util/tools"
 )
 
 var log = logger.GetLogger()
@@ -29,7 +30,7 @@ type EnvVariables struct {
 	MongodbInstallDir    string            `env:"MONGODB_INSTALL_DIR"`
 
 	// Internal database
-	DatabaseDsn string `env:"DATABASE_DSN"    required:"true"`
+	DatabaseDsn string `env:"DATABASE_DSN" required:"true"`
 	// Internal Valkey
 	ValkeyHost     string `env:"VALKEY_HOST"     required:"true"`
 	ValkeyPort     string `env:"VALKEY_PORT"     required:"true"`
@@ -124,6 +125,7 @@ type EnvVariables struct {
 	SMTPPort     int    `env:"SMTP_PORT"`
 	SMTPUser     string `env:"SMTP_USER"`
 	SMTPPassword string `env:"SMTP_PASSWORD"`
+	SMTPFrom     string `env:"SMTP_FROM"`
 
 	// Application URL (optional) - used for email links
 	DatabasusURL string `env:"DATABASUS_URL"`

backend/internal/features/audit_logs/background_service_test.go

@@ -1,17 +1,17 @@
 package audit_logs
 
 import (
-	"databasus-backend/internal/storage"
 	"fmt"
 	"testing"
 	"time"
 
-	user_enums "databasus-backend/internal/features/users/enums"
-	users_testing "databasus-backend/internal/features/users/testing"
-
 	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
 	"gorm.io/gorm"
+
+	user_enums "databasus-backend/internal/features/users/enums"
+	users_testing "databasus-backend/internal/features/users/testing"
+	"databasus-backend/internal/storage"
 )
 
 func Test_CleanOldAuditLogs_DeletesLogsOlderThanOneYear(t *testing.T) {

backend/internal/features/audit_logs/controller.go

@@ -4,10 +4,10 @@ import (
 	"errors"
 	"net/http"
 
-	user_models "databasus-backend/internal/features/users/models"
-
 	"github.com/gin-gonic/gin"
 	"github.com/google/uuid"
+
+	user_models "databasus-backend/internal/features/users/models"
 )
 
 type AuditLogController struct {

backend/internal/features/audit_logs/controller_test.go

@@ -6,15 +6,15 @@ import (
 	"testing"
 	"time"
 
+	"github.com/gin-gonic/gin"
+	"github.com/google/uuid"
+	"github.com/stretchr/testify/assert"
+
 	user_enums "databasus-backend/internal/features/users/enums"
 	users_middleware "databasus-backend/internal/features/users/middleware"
 	users_services "databasus-backend/internal/features/users/services"
 	users_testing "databasus-backend/internal/features/users/testing"
 	test_utils "databasus-backend/internal/util/testing"
-
-	"github.com/gin-gonic/gin"
-	"github.com/google/uuid"
-	"github.com/stretchr/testify/assert"
 )
 
 func Test_GetGlobalAuditLogs_WithDifferentUserRoles_EnforcesPermissionsCorrectly(t *testing.T) {

backend/internal/features/audit_logs/di.go

@@ -8,14 +8,18 @@ import (
 	"databasus-backend/internal/util/logger"
 )
 
-var auditLogRepository = &AuditLogRepository{}
-var auditLogService = &AuditLogService{
-	auditLogRepository,
-	logger.GetLogger(),
-}
+var (
+	auditLogRepository = &AuditLogRepository{}
+	auditLogService    = &AuditLogService{
+		auditLogRepository,
+		logger.GetLogger(),
+	}
+)
+
 var auditLogController = &AuditLogController{
 	auditLogService,
 }
+
 var auditLogBackgroundService = &AuditLogBackgroundService{
 	auditLogService: auditLogService,
 	logger:          logger.GetLogger(),

backend/internal/features/audit_logs/repository.go

@@ -1,10 +1,11 @@
 package audit_logs
 
 import (
-	"databasus-backend/internal/storage"
 	"time"
 
 	"github.com/google/uuid"
+
+	"databasus-backend/internal/storage"
 )
 
 type AuditLogRepository struct{}
@@ -21,7 +22,7 @@ func (r *AuditLogRepository) GetGlobal(
 	limit, offset int,
 	beforeDate *time.Time,
 ) ([]*AuditLogDTO, error) {
-	var auditLogs = make([]*AuditLogDTO, 0)
+	auditLogs := make([]*AuditLogDTO, 0)
 
 	sql := `
 		SELECT 
@@ -37,7 +38,7 @@ func (r *AuditLogRepository) GetGlobal(
 		LEFT JOIN users u ON al.user_id = u.id
 		LEFT JOIN workspaces w ON al.workspace_id = w.id`
 
-	args := []interface{}{}
+	args := []any{}
 
 	if beforeDate != nil {
 		sql += " WHERE al.created_at < ?"
@@ -57,7 +58,7 @@ func (r *AuditLogRepository) GetByUser(
 	limit, offset int,
 	beforeDate *time.Time,
 ) ([]*AuditLogDTO, error) {
-	var auditLogs = make([]*AuditLogDTO, 0)
+	auditLogs := make([]*AuditLogDTO, 0)
 
 	sql := `
 		SELECT 
@@ -74,7 +75,7 @@ func (r *AuditLogRepository) GetByUser(
 		LEFT JOIN workspaces w ON al.workspace_id = w.id
 		WHERE al.user_id = ?`
 
-	args := []interface{}{userID}
+	args := []any{userID}
 
 	if beforeDate != nil {
 		sql += " AND al.created_at < ?"
@@ -94,7 +95,7 @@ func (r *AuditLogRepository) GetByWorkspace(
 	limit, offset int,
 	beforeDate *time.Time,
 ) ([]*AuditLogDTO, error) {
-	var auditLogs = make([]*AuditLogDTO, 0)
+	auditLogs := make([]*AuditLogDTO, 0)
 
 	sql := `
 		SELECT 
@@ -111,7 +112,7 @@ func (r *AuditLogRepository) GetByWorkspace(
 		LEFT JOIN workspaces w ON al.workspace_id = w.id
 		WHERE al.workspace_id = ?`
 
-	args := []interface{}{workspaceID}
+	args := []any{workspaceID}
 
 	if beforeDate != nil {
 		sql += " AND al.created_at < ?"

backend/internal/features/audit_logs/service.go

@@ -4,10 +4,10 @@ import (
 	"log/slog"
 	"time"
 
+	"github.com/google/uuid"
+
 	user_enums "databasus-backend/internal/features/users/enums"
 	user_models "databasus-backend/internal/features/users/models"
-
-	"github.com/google/uuid"
 )
 
 type AuditLogService struct {

backend/internal/features/audit_logs/service_test.go

@@ -4,11 +4,11 @@ import (
 	"testing"
 	"time"
 
-	user_enums "databasus-backend/internal/features/users/enums"
-	users_testing "databasus-backend/internal/features/users/testing"
-
 	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
+
+	user_enums "databasus-backend/internal/features/users/enums"
+	users_testing "databasus-backend/internal/features/users/testing"
 )
 
 func Test_AuditLogs_WorkspaceSpecificLogs(t *testing.T) {

backend/internal/features/backups/backups/backuping/backuper_test.go

@@ -5,6 +5,9 @@ import (
 	"testing"
 	"time"
 
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/mock"
+
 	backups_core "databasus-backend/internal/features/backups/backups/core"
 	backups_config "databasus-backend/internal/features/backups/config"
 	"databasus-backend/internal/features/databases"
@@ -14,9 +17,6 @@ import (
 	users_testing "databasus-backend/internal/features/users/testing"
 	workspaces_testing "databasus-backend/internal/features/workspaces/testing"
 	cache_utils "databasus-backend/internal/util/cache"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/mock"
 )
 
 func Test_BackupExecuted_NotificationSent(t *testing.T) {

backend/internal/features/backups/backups/backuping/cleaner.go

@@ -80,8 +80,7 @@ func (c *BackupCleaner) DeleteBackup(backup *backups_core.Backup) error {
 		return err
 	}
 
-	err = storage.DeleteFile(c.fieldEncryptor, backup.FileName)
-	if err != nil {
+	if err := storage.DeleteFile(c.fieldEncryptor, backup.FileName); err != nil {
 		// we do not return error here, because sometimes clean up performed
 		// before unavailable storage removal or change - therefore we should
 		// proceed even in case of error. It's possible that some S3 or
@@ -408,6 +407,10 @@ func buildGFSKeepSet(
 ) map[uuid.UUID]bool {
 	keep := make(map[uuid.UUID]bool)
 
+	if len(backups) == 0 {
+		return keep
+	}
+
 	hoursSeen := make(map[string]bool)
 	daysSeen := make(map[string]bool)
 	weeksSeen := make(map[string]bool)
@@ -416,6 +419,54 @@ func buildGFSKeepSet(
 
 	hoursKept, daysKept, weeksKept, monthsKept, yearsKept := 0, 0, 0, 0, 0
 
+	// Compute per-level time-window cutoffs so higher-frequency slots
+	// cannot absorb backups that belong to lower-frequency levels.
+	ref := backups[0].CreatedAt
+
+	rawHourlyCutoff := ref.Add(-time.Duration(hours) * time.Hour)
+	rawDailyCutoff := ref.Add(-time.Duration(days) * 24 * time.Hour)
+	rawWeeklyCutoff := ref.Add(-time.Duration(weeks) * 7 * 24 * time.Hour)
+	rawMonthlyCutoff := ref.AddDate(0, -months, 0)
+	rawYearlyCutoff := ref.AddDate(-years, 0, 0)
+
+	// Hierarchical capping: each level's window cannot extend further back
+	// than the nearest active lower-frequency level's window.
+	yearlyCutoff := rawYearlyCutoff
+
+	monthlyCutoff := rawMonthlyCutoff
+	if years > 0 {
+		monthlyCutoff = laterOf(monthlyCutoff, yearlyCutoff)
+	}
+
+	weeklyCutoff := rawWeeklyCutoff
+	if months > 0 {
+		weeklyCutoff = laterOf(weeklyCutoff, monthlyCutoff)
+	} else if years > 0 {
+		weeklyCutoff = laterOf(weeklyCutoff, yearlyCutoff)
+	}
+
+	dailyCutoff := rawDailyCutoff
+	switch {
+	case weeks > 0:
+		dailyCutoff = laterOf(dailyCutoff, weeklyCutoff)
+	case months > 0:
+		dailyCutoff = laterOf(dailyCutoff, monthlyCutoff)
+	case years > 0:
+		dailyCutoff = laterOf(dailyCutoff, yearlyCutoff)
+	}
+
+	hourlyCutoff := rawHourlyCutoff
+	switch {
+	case days > 0:
+		hourlyCutoff = laterOf(hourlyCutoff, dailyCutoff)
+	case weeks > 0:
+		hourlyCutoff = laterOf(hourlyCutoff, weeklyCutoff)
+	case months > 0:
+		hourlyCutoff = laterOf(hourlyCutoff, monthlyCutoff)
+	case years > 0:
+		hourlyCutoff = laterOf(hourlyCutoff, yearlyCutoff)
+	}
+
 	for _, backup := range backups {
 		t := backup.CreatedAt
 
@@ -426,31 +477,31 @@ func buildGFSKeepSet(
 		monthKey := t.Format("2006-01")
 		yearKey := t.Format("2006")
 
-		if hours > 0 && hoursKept < hours && !hoursSeen[hourKey] {
+		if hours > 0 && hoursKept < hours && !hoursSeen[hourKey] && t.After(hourlyCutoff) {
 			keep[backup.ID] = true
 			hoursSeen[hourKey] = true
 			hoursKept++
 		}
 
-		if days > 0 && daysKept < days && !daysSeen[dayKey] {
+		if days > 0 && daysKept < days && !daysSeen[dayKey] && t.After(dailyCutoff) {
 			keep[backup.ID] = true
 			daysSeen[dayKey] = true
 			daysKept++
 		}
 
-		if weeks > 0 && weeksKept < weeks && !weeksSeen[weekKey] {
+		if weeks > 0 && weeksKept < weeks && !weeksSeen[weekKey] && t.After(weeklyCutoff) {
 			keep[backup.ID] = true
 			weeksSeen[weekKey] = true
 			weeksKept++
 		}
 
-		if months > 0 && monthsKept < months && !monthsSeen[monthKey] {
+		if months > 0 && monthsKept < months && !monthsSeen[monthKey] && t.After(monthlyCutoff) {
 			keep[backup.ID] = true
 			monthsSeen[monthKey] = true
 			monthsKept++
 		}
 
-		if years > 0 && yearsKept < years && !yearsSeen[yearKey] {
+		if years > 0 && yearsKept < years && !yearsSeen[yearKey] && t.After(yearlyCutoff) {
 			keep[backup.ID] = true
 			yearsSeen[yearKey] = true
 			yearsKept++
@@ -459,3 +510,11 @@ func buildGFSKeepSet(
 
 	return keep
 }
+
+func laterOf(a, b time.Time) time.Time {
+	if a.After(b) {
+		return a
+	}
+
+	return b
+}

backend/internal/features/backups/backups/backuping/cleaner_test.go

@@ -4,6 +4,9 @@ import (
 	"testing"
 	"time"
 
+	"github.com/google/uuid"
+	"github.com/stretchr/testify/assert"
+
 	backups_core "databasus-backend/internal/features/backups/backups/core"
 	backups_config "databasus-backend/internal/features/backups/config"
 	"databasus-backend/internal/features/databases"
@@ -15,9 +18,6 @@ import (
 	workspaces_testing "databasus-backend/internal/features/workspaces/testing"
 	"databasus-backend/internal/storage"
 	"databasus-backend/internal/util/period"
-
-	"github.com/google/uuid"
-	"github.com/stretchr/testify/assert"
 )
 
 func Test_CleanOldBackups_DeletesBackupsOlderThanRetentionTimePeriod(t *testing.T) {
@@ -697,160 +697,6 @@ func Test_CleanByCount_DoesNotDeleteInProgressBackups(t *testing.T) {
 	assert.True(t, inProgressFound, "In-progress backup should not be deleted by count policy")
 }
 
-func Test_CleanByGFS_KeepsCorrectBackupsPerSlot(t *testing.T) {
-	router := CreateTestRouter()
-	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
-	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
-	storage := storages.CreateTestStorage(workspace.ID)
-	notifier := notifiers.CreateTestNotifier(workspace.ID)
-	database := databases.CreateTestDatabase(workspace.ID, storage, notifier)
-
-	defer func() {
-		backups, _ := backupRepository.FindByDatabaseID(database.ID)
-		for _, backup := range backups {
-			backupRepository.DeleteByID(backup.ID)
-		}
-
-		databases.RemoveTestDatabase(database)
-		time.Sleep(50 * time.Millisecond)
-		notifiers.RemoveTestNotifier(notifier)
-		storages.RemoveTestStorage(storage.ID)
-		workspaces_testing.RemoveTestWorkspace(workspace, router)
-	}()
-
-	interval := createTestInterval()
-
-	backupConfig := &backups_config.BackupConfig{
-		DatabaseID:          database.ID,
-		IsBackupsEnabled:    true,
-		RetentionPolicyType: backups_config.RetentionPolicyTypeGFS,
-		RetentionGfsDays:    3,
-		RetentionGfsWeeks:   0,
-		RetentionGfsMonths:  0,
-		RetentionGfsYears:   0,
-		StorageID:           &storage.ID,
-		BackupIntervalID:    interval.ID,
-		BackupInterval:      interval,
-	}
-	_, err := backups_config.GetBackupConfigService().SaveBackupConfig(backupConfig)
-	assert.NoError(t, err)
-
-	now := time.Now().UTC()
-
-	// Create 5 backups on 5 different days; only the 3 newest days should be kept
-	var backupIDs []uuid.UUID
-	for i := 0; i < 5; i++ {
-		backup := &backups_core.Backup{
-			ID:           uuid.New(),
-			DatabaseID:   database.ID,
-			StorageID:    storage.ID,
-			Status:       backups_core.BackupStatusCompleted,
-			BackupSizeMb: 10,
-			CreatedAt:    now.Add(-time.Duration(4-i) * 24 * time.Hour).Truncate(24 * time.Hour),
-		}
-		err = backupRepository.Save(backup)
-		assert.NoError(t, err)
-		backupIDs = append(backupIDs, backup.ID)
-	}
-
-	cleaner := GetBackupCleaner()
-	err = cleaner.cleanByRetentionPolicy()
-	assert.NoError(t, err)
-
-	remainingBackups, err := backupRepository.FindByDatabaseID(database.ID)
-	assert.NoError(t, err)
-	assert.Equal(t, 3, len(remainingBackups))
-
-	remainingIDs := make(map[uuid.UUID]bool)
-	for _, backup := range remainingBackups {
-		remainingIDs[backup.ID] = true
-	}
-	assert.False(t, remainingIDs[backupIDs[0]], "Oldest daily backup should be deleted")
-	assert.False(t, remainingIDs[backupIDs[1]], "2nd oldest daily backup should be deleted")
-	assert.True(t, remainingIDs[backupIDs[2]], "3rd backup should remain")
-	assert.True(t, remainingIDs[backupIDs[3]], "4th backup should remain")
-	assert.True(t, remainingIDs[backupIDs[4]], "Newest backup should remain")
-}
-
-func Test_CleanByGFS_WithWeeklyAndMonthlySlots_KeepsWiderSpread(t *testing.T) {
-	router := CreateTestRouter()
-	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
-	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
-	storage := storages.CreateTestStorage(workspace.ID)
-	notifier := notifiers.CreateTestNotifier(workspace.ID)
-	database := databases.CreateTestDatabase(workspace.ID, storage, notifier)
-
-	defer func() {
-		backups, _ := backupRepository.FindByDatabaseID(database.ID)
-		for _, backup := range backups {
-			backupRepository.DeleteByID(backup.ID)
-		}
-
-		databases.RemoveTestDatabase(database)
-		time.Sleep(50 * time.Millisecond)
-		notifiers.RemoveTestNotifier(notifier)
-		storages.RemoveTestStorage(storage.ID)
-		workspaces_testing.RemoveTestWorkspace(workspace, router)
-	}()
-
-	interval := createTestInterval()
-
-	backupConfig := &backups_config.BackupConfig{
-		DatabaseID:          database.ID,
-		IsBackupsEnabled:    true,
-		RetentionPolicyType: backups_config.RetentionPolicyTypeGFS,
-		RetentionGfsDays:    2,
-		RetentionGfsWeeks:   2,
-		RetentionGfsMonths:  1,
-		RetentionGfsYears:   0,
-		StorageID:           &storage.ID,
-		BackupIntervalID:    interval.ID,
-		BackupInterval:      interval,
-	}
-	_, err := backups_config.GetBackupConfigService().SaveBackupConfig(backupConfig)
-	assert.NoError(t, err)
-
-	now := time.Now().UTC()
-
-	// Create one backup per week for 6 weeks (each on Monday of that week)
-	// GFS should keep: 2 daily (most recent 2 unique days) + 2 weekly + 1 monthly = up to 5 unique
-	var createdIDs []uuid.UUID
-	for i := 0; i < 6; i++ {
-		weekOffset := time.Duration(5-i) * 7 * 24 * time.Hour
-		backup := &backups_core.Backup{
-			ID:           uuid.New(),
-			DatabaseID:   database.ID,
-			StorageID:    storage.ID,
-			Status:       backups_core.BackupStatusCompleted,
-			BackupSizeMb: 10,
-			CreatedAt:    now.Add(-weekOffset).Truncate(24 * time.Hour),
-		}
-		err = backupRepository.Save(backup)
-		assert.NoError(t, err)
-		createdIDs = append(createdIDs, backup.ID)
-	}
-
-	cleaner := GetBackupCleaner()
-	err = cleaner.cleanByRetentionPolicy()
-	assert.NoError(t, err)
-
-	remainingBackups, err := backupRepository.FindByDatabaseID(database.ID)
-	assert.NoError(t, err)
-
-	// We should have at most 5 backups kept (2 daily + 2 weekly + 1 monthly, but with overlap possible)
-	// The exact count depends on how many unique periods are covered
-	assert.LessOrEqual(t, len(remainingBackups), 5)
-	assert.GreaterOrEqual(t, len(remainingBackups), 1)
-
-	// The two most recent backups should always be retained (daily slots)
-	remainingIDs := make(map[uuid.UUID]bool)
-	for _, backup := range remainingBackups {
-		remainingIDs[backup.ID] = true
-	}
-	assert.True(t, remainingIDs[createdIDs[4]], "Second newest backup should be retained (daily)")
-	assert.True(t, remainingIDs[createdIDs[5]], "Newest backup should be retained (daily)")
-}
-
 // Test_DeleteBackup_WhenStorageDeleteFails_BackupStillRemovedFromDatabase verifies resilience
 // when storage becomes unavailable. Even if storage.DeleteFile fails (e.g., storage is offline,
 // credentials changed, or storage was deleted), the backup record should still be removed from
@@ -897,292 +743,6 @@ func Test_DeleteBackup_WhenStorageDeleteFails_BackupStillRemovedFromDatabase(t *
 	assert.Nil(t, deletedBackup)
 }
 
-func Test_CleanByGFS_WithHourlySlots_KeepsCorrectBackups(t *testing.T) {
-	router := CreateTestRouter()
-	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
-	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
-	testStorage := storages.CreateTestStorage(workspace.ID)
-	notifier := notifiers.CreateTestNotifier(workspace.ID)
-	database := databases.CreateTestDatabase(workspace.ID, testStorage, notifier)
-
-	defer func() {
-		backups, _ := backupRepository.FindByDatabaseID(database.ID)
-		for _, backup := range backups {
-			backupRepository.DeleteByID(backup.ID)
-		}
-
-		databases.RemoveTestDatabase(database)
-		time.Sleep(50 * time.Millisecond)
-		notifiers.RemoveTestNotifier(notifier)
-		storages.RemoveTestStorage(testStorage.ID)
-		workspaces_testing.RemoveTestWorkspace(workspace, router)
-	}()
-
-	interval := createTestInterval()
-
-	backupConfig := &backups_config.BackupConfig{
-		DatabaseID:          database.ID,
-		IsBackupsEnabled:    true,
-		RetentionPolicyType: backups_config.RetentionPolicyTypeGFS,
-		RetentionGfsHours:   3,
-		StorageID:           &testStorage.ID,
-		BackupIntervalID:    interval.ID,
-		BackupInterval:      interval,
-	}
-	_, err := backups_config.GetBackupConfigService().SaveBackupConfig(backupConfig)
-	assert.NoError(t, err)
-
-	now := time.Now().UTC()
-
-	// Create 5 backups spaced 1 hour apart; only the 3 newest hours should be kept
-	var backupIDs []uuid.UUID
-	for i := 0; i < 5; i++ {
-		backup := &backups_core.Backup{
-			ID:           uuid.New(),
-			DatabaseID:   database.ID,
-			StorageID:    testStorage.ID,
-			Status:       backups_core.BackupStatusCompleted,
-			BackupSizeMb: 10,
-			CreatedAt:    now.Add(-time.Duration(4-i) * time.Hour).Truncate(time.Hour),
-		}
-		err = backupRepository.Save(backup)
-		assert.NoError(t, err)
-		backupIDs = append(backupIDs, backup.ID)
-	}
-
-	cleaner := GetBackupCleaner()
-	err = cleaner.cleanByRetentionPolicy()
-	assert.NoError(t, err)
-
-	remainingBackups, err := backupRepository.FindByDatabaseID(database.ID)
-	assert.NoError(t, err)
-	assert.Equal(t, 3, len(remainingBackups))
-
-	remainingIDs := make(map[uuid.UUID]bool)
-	for _, backup := range remainingBackups {
-		remainingIDs[backup.ID] = true
-	}
-	assert.False(t, remainingIDs[backupIDs[0]], "Oldest hourly backup should be deleted")
-	assert.False(t, remainingIDs[backupIDs[1]], "2nd oldest hourly backup should be deleted")
-	assert.True(t, remainingIDs[backupIDs[2]], "3rd backup should remain")
-	assert.True(t, remainingIDs[backupIDs[3]], "4th backup should remain")
-	assert.True(t, remainingIDs[backupIDs[4]], "Newest backup should remain")
-}
-
-func Test_BuildGFSKeepSet(t *testing.T) {
-	// Fixed reference time: a Wednesday mid-month to avoid boundary edge cases in the default tests.
-	// Use time.Date for determinism across test runs.
-	ref := time.Date(2025, 6, 18, 12, 0, 0, 0, time.UTC) // Wednesday, 2025-06-18
-
-	day := 24 * time.Hour
-	week := 7 * day
-
-	newBackup := func(createdAt time.Time) *backups_core.Backup {
-		return &backups_core.Backup{ID: uuid.New(), CreatedAt: createdAt}
-	}
-
-	// backupsEveryDay returns n backups, newest-first, each 1 day apart.
-	backupsEveryDay := func(n int) []*backups_core.Backup {
-		bs := make([]*backups_core.Backup, n)
-		for i := 0; i < n; i++ {
-			bs[i] = newBackup(ref.Add(-time.Duration(i) * day))
-		}
-		return bs
-	}
-
-	// backupsEveryWeek returns n backups, newest-first, each 7 days apart.
-	backupsEveryWeek := func(n int) []*backups_core.Backup {
-		bs := make([]*backups_core.Backup, n)
-		for i := 0; i < n; i++ {
-			bs[i] = newBackup(ref.Add(-time.Duration(i) * week))
-		}
-		return bs
-	}
-
-	hour := time.Hour
-
-	// backupsEveryHour returns n backups, newest-first, each 1 hour apart.
-	backupsEveryHour := func(n int) []*backups_core.Backup {
-		bs := make([]*backups_core.Backup, n)
-		for i := 0; i < n; i++ {
-			bs[i] = newBackup(ref.Add(-time.Duration(i) * hour))
-		}
-		return bs
-	}
-
-	tests := []struct {
-		name         string
-		backups      []*backups_core.Backup
-		hours        int
-		days         int
-		weeks        int
-		months       int
-		years        int
-		keptIndices  []int   // which indices in backups should be kept
-		deletedRange *[2]int // optional: all indices in [from, to) must be deleted
-	}{
-		{
-			name:        "OnlyHourlySlots_KeepsNewest3Of5",
-			backups:     backupsEveryHour(5),
-			hours:       3,
-			keptIndices: []int{0, 1, 2},
-		},
-		{
-			name: "SameHourDedup_OnlyNewestKeptForHourlySlot",
-			backups: []*backups_core.Backup{
-				newBackup(ref.Truncate(hour).Add(45 * time.Minute)),
-				newBackup(ref.Truncate(hour).Add(10 * time.Minute)),
-			},
-			hours:       1,
-			keptIndices: []int{0},
-		},
-		{
-			name:        "OnlyDailySlots_KeepsNewest3Of5",
-			backups:     backupsEveryDay(5),
-			days:        3,
-			keptIndices: []int{0, 1, 2},
-		},
-		{
-			name:        "OnlyDailySlots_FewerBackupsThanSlots_KeepsAll",
-			backups:     backupsEveryDay(2),
-			days:        5,
-			keptIndices: []int{0, 1},
-		},
-		{
-			name:        "OnlyWeeklySlots_KeepsNewest2Weeks",
-			backups:     backupsEveryWeek(4),
-			weeks:       2,
-			keptIndices: []int{0, 1},
-		},
-		{
-			name: "OnlyMonthlySlots_KeepsNewest2Months",
-			backups: []*backups_core.Backup{
-				newBackup(time.Date(2025, 6, 1, 12, 0, 0, 0, time.UTC)),
-				newBackup(time.Date(2025, 5, 1, 12, 0, 0, 0, time.UTC)),
-				newBackup(time.Date(2025, 4, 1, 12, 0, 0, 0, time.UTC)),
-			},
-			months:      2,
-			keptIndices: []int{0, 1},
-		},
-		{
-			name: "OnlyYearlySlots_KeepsNewest2Years",
-			backups: []*backups_core.Backup{
-				newBackup(time.Date(2025, 6, 1, 12, 0, 0, 0, time.UTC)),
-				newBackup(time.Date(2024, 6, 1, 12, 0, 0, 0, time.UTC)),
-				newBackup(time.Date(2023, 6, 1, 12, 0, 0, 0, time.UTC)),
-			},
-			years:       2,
-			keptIndices: []int{0, 1},
-		},
-		{
-			name: "SameDayDedup_OnlyNewestKeptForDailySlot",
-			backups: []*backups_core.Backup{
-				// Two backups on the same day; newest-first order
-				newBackup(ref.Truncate(day).Add(10 * time.Hour)),
-				newBackup(ref.Truncate(day).Add(2 * time.Hour)),
-			},
-			days:        1,
-			keptIndices: []int{0},
-		},
-		{
-			name: "SameWeekDedup_OnlyNewestKeptForWeeklySlot",
-			backups: []*backups_core.Backup{
-				// ref is Wednesday; add Thursday of same week
-				newBackup(ref.Add(1 * day)), // Thursday same week
-				newBackup(ref),              // Wednesday same week
-			},
-			weeks:       1,
-			keptIndices: []int{0},
-		},
-		{
-			name: "AdditiveSlots_NewestFillsDailyAndWeeklyAndMonthly",
-			// Newest backup fills daily + weekly + monthly simultaneously
-			backups: []*backups_core.Backup{
-				newBackup(time.Date(2025, 6, 18, 12, 0, 0, 0, time.UTC)), // newest
-				newBackup(time.Date(2025, 6, 11, 12, 0, 0, 0, time.UTC)), // 1 week ago
-				newBackup(time.Date(2025, 5, 18, 12, 0, 0, 0, time.UTC)), // 1 month ago
-				newBackup(time.Date(2025, 4, 18, 12, 0, 0, 0, time.UTC)), // 2 months ago
-			},
-			days:        1,
-			weeks:       2,
-			months:      2,
-			keptIndices: []int{0, 1, 2},
-		},
-		{
-			name: "YearBoundary_CorrectlySplitsAcrossYears",
-			backups: []*backups_core.Backup{
-				newBackup(time.Date(2025, 1, 1, 12, 0, 0, 0, time.UTC)),
-				newBackup(time.Date(2024, 12, 31, 12, 0, 0, 0, time.UTC)),
-				newBackup(time.Date(2024, 6, 1, 12, 0, 0, 0, time.UTC)),
-				newBackup(time.Date(2023, 6, 1, 12, 0, 0, 0, time.UTC)),
-			},
-			years:       2,
-			keptIndices: []int{0, 1}, // 2025 and 2024 kept; 2024-06 and 2023 deleted
-		},
-		{
-			name: "ISOWeekBoundary_Jan1UsesCorrectISOWeek",
-			// 2025-01-01 is ISO week 1 of 2025; 2024-12-28 is ISO week 52 of 2024
-			backups: []*backups_core.Backup{
-				newBackup(time.Date(2025, 1, 1, 12, 0, 0, 0, time.UTC)),   // ISO week 2025-W01
-				newBackup(time.Date(2024, 12, 28, 12, 0, 0, 0, time.UTC)), // ISO week 2024-W52
-			},
-			weeks:       2,
-			keptIndices: []int{0, 1}, // different ISO weeks → both kept
-		},
-		{
-			name:        "EmptyBackups_ReturnsEmptyKeepSet",
-			backups:     []*backups_core.Backup{},
-			hours:       3,
-			days:        3,
-			weeks:       2,
-			months:      1,
-			years:       1,
-			keptIndices: []int{},
-		},
-		{
-			name:        "AllZeroSlots_KeepsNothing",
-			backups:     backupsEveryDay(5),
-			hours:       0,
-			days:        0,
-			weeks:       0,
-			months:      0,
-			years:       0,
-			keptIndices: []int{},
-		},
-		{
-			name:    "AllSlotsActive_FullCombination",
-			backups: backupsEveryWeek(12),
-			days:    2,
-			weeks:   3,
-			months:  2,
-			years:   1,
-			// 2 daily (indices 0,1) + 3rd weekly slot (index 2) + 2nd monthly slot (index 3 or later).
-			// Additive slots: newest fills daily+weekly+monthly+yearly; each subsequent week fills another weekly,
-			// and a backup ~4 weeks later fills the 2nd monthly slot.
-			keptIndices: []int{0, 1, 2, 3},
-		},
-	}
-
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			keepSet := buildGFSKeepSet(tc.backups, tc.hours, tc.days, tc.weeks, tc.months, tc.years)
-
-			keptIndexSet := make(map[int]bool, len(tc.keptIndices))
-			for _, idx := range tc.keptIndices {
-				keptIndexSet[idx] = true
-			}
-
-			for i, backup := range tc.backups {
-				if keptIndexSet[i] {
-					assert.True(t, keepSet[backup.ID], "backup at index %d should be kept", i)
-				} else {
-					assert.False(t, keepSet[backup.ID], "backup at index %d should be deleted", i)
-				}
-			}
-		})
-	}
-}
-
 func Test_CleanByTimePeriod_SkipsRecentBackup_EvenIfOlderThanRetention(t *testing.T) {
 	router := CreateTestRouter()
 	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
@@ -1354,114 +914,6 @@ func Test_CleanByCount_SkipsRecentBackup_EvenIfOverLimit(t *testing.T) {
 	assert.True(t, remainingIDs[newestBackup.ID], "Newest backup should be preserved")
 }
 
-func Test_CleanByGFS_SkipsRecentBackup_WhenNotInKeepSet(t *testing.T) {
-	router := CreateTestRouter()
-	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
-	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
-	storage := storages.CreateTestStorage(workspace.ID)
-	notifier := notifiers.CreateTestNotifier(workspace.ID)
-	database := databases.CreateTestDatabase(workspace.ID, storage, notifier)
-
-	defer func() {
-		backups, _ := backupRepository.FindByDatabaseID(database.ID)
-		for _, backup := range backups {
-			backupRepository.DeleteByID(backup.ID)
-		}
-
-		databases.RemoveTestDatabase(database)
-		time.Sleep(50 * time.Millisecond)
-		notifiers.RemoveTestNotifier(notifier)
-		storages.RemoveTestStorage(storage.ID)
-		workspaces_testing.RemoveTestWorkspace(workspace, router)
-	}()
-
-	interval := createTestInterval()
-
-	// Keep only 1 daily slot. We create 2 old backups plus two recent backups on today.
-	// Backups are ordered newest-first, so the 15-min-old backup fills the single daily slot.
-	// The 30-min-old backup is the same day → not in the GFS keep-set, but it is still recent
-	// (within grace period) and must be preserved.
-	backupConfig := &backups_config.BackupConfig{
-		DatabaseID:          database.ID,
-		IsBackupsEnabled:    true,
-		RetentionPolicyType: backups_config.RetentionPolicyTypeGFS,
-		RetentionGfsDays:    1,
-		StorageID:           &storage.ID,
-		BackupIntervalID:    interval.ID,
-		BackupInterval:      interval,
-	}
-	_, err := backups_config.GetBackupConfigService().SaveBackupConfig(backupConfig)
-	assert.NoError(t, err)
-
-	now := time.Now().UTC()
-
-	oldBackup1 := &backups_core.Backup{
-		ID:           uuid.New(),
-		DatabaseID:   database.ID,
-		StorageID:    storage.ID,
-		Status:       backups_core.BackupStatusCompleted,
-		BackupSizeMb: 10,
-		CreatedAt:    now.Add(-3 * 24 * time.Hour).Truncate(24 * time.Hour),
-	}
-	oldBackup2 := &backups_core.Backup{
-		ID:           uuid.New(),
-		DatabaseID:   database.ID,
-		StorageID:    storage.ID,
-		Status:       backups_core.BackupStatusCompleted,
-		BackupSizeMb: 10,
-		CreatedAt:    now.Add(-2 * 24 * time.Hour).Truncate(24 * time.Hour),
-	}
-	// Newest backup today — will fill the single GFS daily slot.
-	newestTodayBackup := &backups_core.Backup{
-		ID:           uuid.New(),
-		DatabaseID:   database.ID,
-		StorageID:    storage.ID,
-		Status:       backups_core.BackupStatusCompleted,
-		BackupSizeMb: 10,
-		CreatedAt:    now.Add(-15 * time.Minute),
-	}
-	// Slightly older backup, also today — NOT in GFS keep-set (duplicate day),
-	// but within the 60-minute grace period so it must survive.
-	recentNotInKeepSet := &backups_core.Backup{
-		ID:           uuid.New(),
-		DatabaseID:   database.ID,
-		StorageID:    storage.ID,
-		Status:       backups_core.BackupStatusCompleted,
-		BackupSizeMb: 10,
-		CreatedAt:    now.Add(-30 * time.Minute),
-	}
-
-	for _, b := range []*backups_core.Backup{oldBackup1, oldBackup2, newestTodayBackup, recentNotInKeepSet} {
-		err = backupRepository.Save(b)
-		assert.NoError(t, err)
-	}
-
-	cleaner := GetBackupCleaner()
-	err = cleaner.cleanByRetentionPolicy()
-	assert.NoError(t, err)
-
-	remainingBackups, err := backupRepository.FindByDatabaseID(database.ID)
-	assert.NoError(t, err)
-
-	remainingIDs := make(map[uuid.UUID]bool)
-	for _, backup := range remainingBackups {
-		remainingIDs[backup.ID] = true
-	}
-
-	assert.False(t, remainingIDs[oldBackup1.ID], "Old backup 1 should be deleted by GFS")
-	assert.False(t, remainingIDs[oldBackup2.ID], "Old backup 2 should be deleted by GFS")
-	assert.True(
-		t,
-		remainingIDs[newestTodayBackup.ID],
-		"Newest backup fills GFS daily slot and must remain",
-	)
-	assert.True(
-		t,
-		remainingIDs[recentNotInKeepSet.ID],
-		"Recent backup not in keep-set must be preserved by grace period",
-	)
-}
-
 func Test_CleanExceededBackups_SkipsRecentBackup_WhenOverTotalSizeLimit(t *testing.T) {
 	router := CreateTestRouter()
 	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)

backend/internal/features/backups/backups/backuping/mocks.go

@@ -6,15 +6,15 @@ import (
 	"sync/atomic"
 	"time"
 
+	"github.com/google/uuid"
+	"github.com/stretchr/testify/mock"
+
 	common "databasus-backend/internal/features/backups/backups/common"
 	backups_core "databasus-backend/internal/features/backups/backups/core"
 	backups_config "databasus-backend/internal/features/backups/config"
 	"databasus-backend/internal/features/databases"
 	"databasus-backend/internal/features/notifiers"
 	"databasus-backend/internal/features/storages"
-
-	"github.com/google/uuid"
-	"github.com/stretchr/testify/mock"
 )
 
 type MockNotificationSender struct {

backend/internal/features/backups/backups/backuping/registry.go

@@ -10,10 +10,10 @@ import (
 	"sync/atomic"
 	"time"
 
-	cache_utils "databasus-backend/internal/util/cache"
-
 	"github.com/google/uuid"
 	"github.com/valkey-io/valkey-go"
+
+	cache_utils "databasus-backend/internal/util/cache"
 )
 
 const (
@@ -415,7 +415,7 @@ func (r *BackupNodesRegistry) UnsubscribeNodeForBackupsAssignments() error {
 	return nil
 }
 
-func (r *BackupNodesRegistry) PublishBackupCompletion(nodeID uuid.UUID, backupID uuid.UUID) error {
+func (r *BackupNodesRegistry) PublishBackupCompletion(nodeID, backupID uuid.UUID) error {
 	ctx := context.Background()
 
 	message := BackupCompletionMessage{
@@ -437,7 +437,7 @@ func (r *BackupNodesRegistry) PublishBackupCompletion(nodeID uuid.UUID, backupID
 }
 
 func (r *BackupNodesRegistry) SubscribeForBackupsCompletions(
-	handler func(nodeID uuid.UUID, backupID uuid.UUID),
+	handler func(nodeID, backupID uuid.UUID),
 ) error {
 	ctx := context.Background()
 

backend/internal/features/backups/backups/backuping/registry_test.go

@@ -9,11 +9,11 @@ import (
 	"testing"
 	"time"
 
-	cache_utils "databasus-backend/internal/util/cache"
-	"databasus-backend/internal/util/logger"
-
 	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
+
+	cache_utils "databasus-backend/internal/util/cache"
+	"databasus-backend/internal/util/logger"
 )
 
 func Test_HearthbeatNodeInRegistry_RegistersNodeWithTTL(t *testing.T) {
@@ -903,7 +903,7 @@ func Test_SubscribeForBackupsCompletions_ReceivesCompletedBackups(t *testing.T)
 
 	receivedBackupID := make(chan uuid.UUID, 1)
 	receivedNodeID := make(chan uuid.UUID, 1)
-	handler := func(nodeID uuid.UUID, backupID uuid.UUID) {
+	handler := func(nodeID, backupID uuid.UUID) {
 		receivedNodeID <- nodeID
 		receivedBackupID <- backupID
 	}
@@ -940,7 +940,7 @@ func Test_SubscribeForBackupsCompletions_ParsesJsonCorrectly(t *testing.T) {
 	defer registry.UnsubscribeForBackupsCompletions()
 
 	receivedBackups := make(chan uuid.UUID, 2)
-	handler := func(nodeID uuid.UUID, backupID uuid.UUID) {
+	handler := func(nodeID, backupID uuid.UUID) {
 		receivedBackups <- backupID
 	}
 
@@ -969,7 +969,7 @@ func Test_SubscribeForBackupsCompletions_HandlesInvalidJson(t *testing.T) {
 	defer registry.UnsubscribeForBackupsCompletions()
 
 	receivedBackupID := make(chan uuid.UUID, 1)
-	handler := func(nodeID uuid.UUID, backupID uuid.UUID) {
+	handler := func(nodeID, backupID uuid.UUID) {
 		receivedBackupID <- backupID
 	}
 
@@ -997,7 +997,7 @@ func Test_UnsubscribeForBackupsCompletions_StopsReceivingMessages(t *testing.T)
 	backupID2 := uuid.New()
 
 	receivedBackupID := make(chan uuid.UUID, 2)
-	handler := func(nodeID uuid.UUID, backupID uuid.UUID) {
+	handler := func(nodeID, backupID uuid.UUID) {
 		receivedBackupID <- backupID
 	}
 
@@ -1032,7 +1032,7 @@ func Test_SubscribeForBackupsCompletions_WhenAlreadySubscribed_ReturnsError(t *t
 	registry := createTestRegistry()
 	defer registry.UnsubscribeForBackupsCompletions()
 
-	handler := func(nodeID uuid.UUID, backupID uuid.UUID) {}
+	handler := func(nodeID, backupID uuid.UUID) {}
 
 	err := registry.SubscribeForBackupsCompletions(handler)
 	assert.NoError(t, err)
@@ -1064,9 +1064,9 @@ func Test_MultipleSubscribers_EachReceivesCompletionMessages(t *testing.T) {
 	receivedBackups2 := make(chan uuid.UUID, 3)
 	receivedBackups3 := make(chan uuid.UUID, 3)
 
-	handler1 := func(nodeID uuid.UUID, backupID uuid.UUID) { receivedBackups1 <- backupID }
-	handler2 := func(nodeID uuid.UUID, backupID uuid.UUID) { receivedBackups2 <- backupID }
-	handler3 := func(nodeID uuid.UUID, backupID uuid.UUID) { receivedBackups3 <- backupID }
+	handler1 := func(nodeID, backupID uuid.UUID) { receivedBackups1 <- backupID }
+	handler2 := func(nodeID, backupID uuid.UUID) { receivedBackups2 <- backupID }
+	handler3 := func(nodeID, backupID uuid.UUID) { receivedBackups3 <- backupID }
 
 	err := registry1.SubscribeForBackupsCompletions(handler1)
 	assert.NoError(t, err)

backend/internal/features/backups/backups/backuping/scheduler.go

@@ -15,7 +15,6 @@ import (
 	backups_config "databasus-backend/internal/features/backups/config"
 	"databasus-backend/internal/features/databases"
 	task_cancellation "databasus-backend/internal/features/tasks/cancellation"
-	files_utils "databasus-backend/internal/util/files"
 )
 
 const (
@@ -171,13 +170,7 @@ func (s *BackupsScheduler) StartBackup(database *databases.Database, isCallNotif
 	timestamp := time.Now().UTC()
 
 	backup := &backups_core.Backup{
-		ID: backupID,
-		FileName: fmt.Sprintf(
-			"%s-%s-%s",
-			files_utils.SanitizeFilename(database.Name),
-			timestamp.Format("20060102-150405"),
-			backupID.String(),
-		),
+		ID:           backupID,
 		DatabaseID:   backupConfig.DatabaseID,
 		StorageID:    *backupConfig.StorageID,
 		Status:       backups_core.BackupStatusInProgress,
@@ -185,6 +178,8 @@ func (s *BackupsScheduler) StartBackup(database *databases.Database, isCallNotif
 		CreatedAt:    timestamp,
 	}
 
+	backup.GenerateFilename(database.Name)
+
 	if err := s.backupRepository.Save(backup); err != nil {
 		s.logger.Error(
 			"Failed to save backup",
@@ -446,7 +441,7 @@ func (s *BackupsScheduler) calculateLeastBusyNode() (*uuid.UUID, error) {
 	return &bestNode.ID, nil
 }
 
-func (s *BackupsScheduler) onBackupCompleted(nodeID uuid.UUID, backupID uuid.UUID) {
+func (s *BackupsScheduler) onBackupCompleted(nodeID, backupID uuid.UUID) {
 	// Verify this task is actually a backup (registry contains multiple task types)
 	_, err := s.backupRepository.FindByID(backupID)
 	if err != nil {

backend/internal/features/backups/backups/backuping/scheduler_test.go

@@ -1,6 +1,12 @@
 package backuping
 
 import (
+	"testing"
+	"time"
+
+	"github.com/google/uuid"
+	"github.com/stretchr/testify/assert"
+
 	backups_core "databasus-backend/internal/features/backups/backups/core"
 	backups_config "databasus-backend/internal/features/backups/config"
 	"databasus-backend/internal/features/databases"
@@ -12,11 +18,6 @@ import (
 	workspaces_testing "databasus-backend/internal/features/workspaces/testing"
 	cache_utils "databasus-backend/internal/util/cache"
 	"databasus-backend/internal/util/period"
-	"testing"
-	"time"
-
-	"github.com/google/uuid"
-	"github.com/stretchr/testify/assert"
 )
 
 func Test_RunPendingBackups_WhenLastBackupWasYesterday_CreatesNewBackup(t *testing.T) {

backend/internal/features/backups/backups/backuping/testing.go

@@ -8,6 +8,9 @@ import (
 	"testing"
 	"time"
 
+	"github.com/gin-gonic/gin"
+	"github.com/google/uuid"
+
 	backups_core "databasus-backend/internal/features/backups/backups/core"
 	"databasus-backend/internal/features/backups/backups/usecases"
 	backups_config "databasus-backend/internal/features/backups/config"
@@ -19,9 +22,6 @@ import (
 	workspaces_testing "databasus-backend/internal/features/workspaces/testing"
 	"databasus-backend/internal/util/encryption"
 	"databasus-backend/internal/util/logger"
-
-	"github.com/gin-gonic/gin"
-	"github.com/google/uuid"
 )
 
 func CreateTestRouter() *gin.Engine {

backend/internal/features/backups/backups/common/dto.go

@@ -1,10 +1,11 @@
 package common
 
 import (
-	backups_config "databasus-backend/internal/features/backups/config"
 	"errors"
 
 	"github.com/google/uuid"
+
+	backups_config "databasus-backend/internal/features/backups/config"
 )
 
 type BackupMetadata struct {

backend/internal/features/backups/backups/common/interfaces.go

@@ -7,6 +7,10 @@ type CountingWriter struct {
 	BytesWritten int64
 }
 
+func NewCountingWriter(writer io.Writer) *CountingWriter {
+	return &CountingWriter{Writer: writer}
+}
+
 func (cw *CountingWriter) Write(p []byte) (n int, err error) {
 	n, err = cw.Writer.Write(p)
 	cw.BytesWritten += int64(n)
@@ -16,7 +20,3 @@ func (cw *CountingWriter) Write(p []byte) (n int, err error) {
 func (cw *CountingWriter) GetBytesWritten() int64 {
 	return cw.BytesWritten
 }
-
-func NewCountingWriter(writer io.Writer) *CountingWriter {
-	return &CountingWriter{Writer: writer}
-}

backend/internal/features/backups/backups/controllers/controller.go

@@ -1,12 +1,8 @@
-package backups
+package backups_controllers
 
 import (
 	"context"
-	backups_core "databasus-backend/internal/features/backups/backups/core"
-	backups_download "databasus-backend/internal/features/backups/backups/download"
-	"databasus-backend/internal/features/databases"
-	users_middleware "databasus-backend/internal/features/users/middleware"
-	files_utils "databasus-backend/internal/util/files"
+	"errors"
 	"fmt"
 	"io"
 	"net/http"
@@ -14,10 +10,18 @@ import (
 
 	"github.com/gin-gonic/gin"
 	"github.com/google/uuid"
+
+	backups_core "databasus-backend/internal/features/backups/backups/core"
+	backups_download "databasus-backend/internal/features/backups/backups/download"
+	backups_dto "databasus-backend/internal/features/backups/backups/dto"
+	backups_services "databasus-backend/internal/features/backups/backups/services"
+	"databasus-backend/internal/features/databases"
+	users_middleware "databasus-backend/internal/features/users/middleware"
+	files_utils "databasus-backend/internal/util/files"
 )
 
 type BackupController struct {
-	backupService *BackupService
+	backupService *backups_services.BackupService
 }
 
 func (c *BackupController) RegisterRoutes(router *gin.RouterGroup) {
@@ -42,7 +46,7 @@ func (c *BackupController) RegisterPublicRoutes(router *gin.RouterGroup) {
 // @Param database_id query string true "Database ID"
 // @Param limit query int false "Number of items per page" default(10)
 // @Param offset query int false "Offset for pagination" default(0)
-// @Success 200 {object} GetBackupsResponse
+// @Success 200 {object} backups_dto.GetBackupsResponse
 // @Failure 400
 // @Failure 401
 // @Failure 500
@@ -54,7 +58,7 @@ func (c *BackupController) GetBackups(ctx *gin.Context) {
 		return
 	}
 
-	var request GetBackupsRequest
+	var request backups_dto.GetBackupsRequest
 	if err := ctx.ShouldBindQuery(&request); err != nil {
 		ctx.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
 		return
@@ -81,7 +85,7 @@ func (c *BackupController) GetBackups(ctx *gin.Context) {
 // @Tags backups
 // @Accept json
 // @Produce json
-// @Param request body MakeBackupRequest true "Backup creation data"
+// @Param request body backups_dto.MakeBackupRequest true "Backup creation data"
 // @Success 200 {object} map[string]string
 // @Failure 400
 // @Failure 401
@@ -94,7 +98,7 @@ func (c *BackupController) MakeBackup(ctx *gin.Context) {
 		return
 	}
 
-	var request MakeBackupRequest
+	var request backups_dto.MakeBackupRequest
 	if err := ctx.ShouldBindJSON(&request); err != nil {
 		ctx.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
 		return
@@ -195,7 +199,7 @@ func (c *BackupController) GenerateDownloadToken(ctx *gin.Context) {
 
 	response, err := c.backupService.GenerateDownloadToken(user, id)
 	if err != nil {
-		if err == backups_download.ErrDownloadAlreadyInProgress {
+		if errors.Is(err, backups_download.ErrDownloadAlreadyInProgress) {
 			ctx.JSON(
 				http.StatusConflict,
 				gin.H{
@@ -246,7 +250,7 @@ func (c *BackupController) GetFile(ctx *gin.Context) {
 
 	downloadToken, rateLimiter, err := c.backupService.ValidateDownloadToken(token)
 	if err != nil {
-		if err == backups_download.ErrDownloadAlreadyInProgress {
+		if errors.Is(err, backups_download.ErrDownloadAlreadyInProgress) {
 			ctx.JSON(
 				http.StatusConflict,
 				gin.H{
@@ -310,10 +314,6 @@ func (c *BackupController) GetFile(ctx *gin.Context) {
 	c.backupService.WriteAuditLogForDownload(downloadToken.UserID, backup, database)
 }
 
-type MakeBackupRequest struct {
-	DatabaseID uuid.UUID `json:"database_id" binding:"required"`
-}
-
 func (c *BackupController) generateBackupFilename(
 	backup *backups_core.Backup,
 	database *databases.Database,

backend/internal/features/backups/backups/controllers/controller_test.go

@@ -1,4 +1,4 @@
-package backups
+package backups_controllers
 
 import (
 	"context"
@@ -24,11 +24,14 @@ import (
 	backups_common "databasus-backend/internal/features/backups/backups/common"
 	backups_core "databasus-backend/internal/features/backups/backups/core"
 	backups_download "databasus-backend/internal/features/backups/backups/download"
+	backups_dto "databasus-backend/internal/features/backups/backups/dto"
+	backups_services "databasus-backend/internal/features/backups/backups/services"
 	backups_config "databasus-backend/internal/features/backups/config"
 	"databasus-backend/internal/features/databases"
 	"databasus-backend/internal/features/databases/databases/postgresql"
 	"databasus-backend/internal/features/storages"
 	local_storage "databasus-backend/internal/features/storages/models/local"
+	task_cancellation "databasus-backend/internal/features/tasks/cancellation"
 	users_dto "databasus-backend/internal/features/users/dto"
 	users_enums "databasus-backend/internal/features/users/enums"
 	users_services "databasus-backend/internal/features/users/services"
@@ -119,7 +122,7 @@ func Test_GetBackups_PermissionsEnforced(t *testing.T) {
 			)
 
 			if tt.expectSuccess {
-				var response GetBackupsResponse
+				var response backups_dto.GetBackupsResponse
 				err := json.Unmarshal(testResp.Body, &response)
 				assert.NoError(t, err)
 				assert.GreaterOrEqual(t, len(response.Backups), 1)
@@ -214,7 +217,7 @@ func Test_CreateBackup_PermissionsEnforced(t *testing.T) {
 				testUserToken = nonMember.Token
 			}
 
-			request := MakeBackupRequest{DatabaseID: database.ID}
+			request := backups_dto.MakeBackupRequest{DatabaseID: database.ID}
 			testResp := test_utils.MakePostRequest(
 				t,
 				router,
@@ -245,7 +248,7 @@ func Test_CreateBackup_AuditLogWritten(t *testing.T) {
 	database := createTestDatabase("Test Database", workspace.ID, owner.Token, router)
 	enableBackupForDatabase(database.ID)
 
-	request := MakeBackupRequest{DatabaseID: database.ID}
+	request := backups_dto.MakeBackupRequest{DatabaseID: database.ID}
 	test_utils.MakePostRequest(
 		t,
 		router,
@@ -373,7 +376,7 @@ func Test_DeleteBackup_PermissionsEnforced(t *testing.T) {
 				ownerUser, err := userService.GetUserFromToken(owner.Token)
 				assert.NoError(t, err)
 
-				response, err := GetBackupService().GetBackups(ownerUser, database.ID, 10, 0)
+				response, err := backups_services.GetBackupService().GetBackups(ownerUser, database.ID, 10, 0)
 				assert.NoError(t, err)
 				assert.Equal(t, 0, len(response.Backups))
 			}
@@ -999,7 +1002,7 @@ func Test_CancelBackup_InProgressBackup_SuccessfullyCancelled(t *testing.T) {
 	assert.NoError(t, err)
 
 	// Register a cancellable context for the backup
-	GetBackupService().taskCancelManager.RegisterTask(backup.ID, func() {})
+	task_cancellation.GetTaskCancelManager().RegisterTask(backup.ID, func() {})
 
 	resp := test_utils.MakePostRequest(
 		t,
@@ -1091,7 +1094,7 @@ func Test_ConcurrentDownloadPrevention(t *testing.T) {
 
 	time.Sleep(50 * time.Millisecond)
 
-	service := GetBackupService()
+	service := backups_services.GetBackupService()
 	if !service.IsDownloadInProgress(owner.UserID) {
 		t.Log("Warning: First download completed before we could test concurrency")
 		<-downloadComplete
@@ -1192,7 +1195,7 @@ func Test_GenerateDownloadToken_BlockedWhenDownloadInProgress(t *testing.T) {
 
 	time.Sleep(50 * time.Millisecond)
 
-	service := GetBackupService()
+	service := backups_services.GetBackupService()
 	if !service.IsDownloadInProgress(owner.UserID) {
 		t.Log("Warning: First download completed before we could test token generation blocking")
 		<-downloadComplete
@@ -1268,7 +1271,7 @@ func Test_MakeBackup_VerifyBackupAndMetadataFilesExistInStorage(t *testing.T) {
 	initialBackups, err := backupRepo.FindByDatabaseID(database.ID)
 	assert.NoError(t, err)
 
-	request := MakeBackupRequest{DatabaseID: database.ID}
+	request := backups_dto.MakeBackupRequest{DatabaseID: database.ID}
 	test_utils.MakePostRequest(
 		t,
 		router,
@@ -1502,7 +1505,7 @@ func createTestBackup(
 }
 
 func createExpiredDownloadToken(backupID, userID uuid.UUID) string {
-	tokenService := GetBackupService().downloadTokenService
+	tokenService := backups_download.GetDownloadTokenService()
 	token, err := tokenService.Generate(backupID, userID)
 	if err != nil {
 		panic(fmt.Sprintf("Failed to generate download token: %v", err))
@@ -1843,7 +1846,7 @@ func Test_DeleteBackup_RemovesBackupAndMetadataFilesFromDisk(t *testing.T) {
 	initialBackups, err := backupRepo.FindByDatabaseID(database.ID)
 	assert.NoError(t, err)
 
-	request := MakeBackupRequest{DatabaseID: database.ID}
+	request := backups_dto.MakeBackupRequest{DatabaseID: database.ID}
 	test_utils.MakePostRequest(
 		t,
 		router,

backend/internal/features/backups/backups/controllers/di.go

@@ -0,0 +1,23 @@
+package backups_controllers
+
+import (
+	backups_services "databasus-backend/internal/features/backups/backups/services"
+	"databasus-backend/internal/features/databases"
+)
+
+var backupController = &BackupController{
+	backups_services.GetBackupService(),
+}
+
+func GetBackupController() *BackupController {
+	return backupController
+}
+
+var postgresWalBackupController = &PostgreWalBackupController{
+	databases.GetDatabaseService(),
+	backups_services.GetWalService(),
+}
+
+func GetPostgresWalBackupController() *PostgreWalBackupController {
+	return postgresWalBackupController
+}

backend/internal/features/backups/backups/controllers/postgres_wal_controller.go

@@ -0,0 +1,291 @@
+package backups_controllers
+
+import (
+	"io"
+	"net/http"
+	"strconv"
+
+	"github.com/gin-gonic/gin"
+	"github.com/google/uuid"
+
+	backups_core "databasus-backend/internal/features/backups/backups/core"
+	backups_dto "databasus-backend/internal/features/backups/backups/dto"
+	backups_services "databasus-backend/internal/features/backups/backups/services"
+	"databasus-backend/internal/features/databases"
+)
+
+// PostgreWalBackupController handles WAL backup endpoints used by the databasus-cli agent.
+// Authentication is via a plain agent token in the Authorization header (no Bearer prefix).
+type PostgreWalBackupController struct {
+	databaseService *databases.DatabaseService
+	walService      *backups_services.PostgreWalBackupService
+}
+
+func (c *PostgreWalBackupController) RegisterRoutes(router *gin.RouterGroup) {
+	walRoutes := router.Group("/backups/postgres/wal")
+
+	walRoutes.GET("/next-full-backup-time", c.GetNextFullBackupTime)
+	walRoutes.POST("/error", c.ReportError)
+	walRoutes.POST("/upload", c.Upload)
+	walRoutes.GET("/restore/plan", c.GetRestorePlan)
+	walRoutes.GET("/restore/download", c.DownloadBackupFile)
+}
+
+// GetNextFullBackupTime
+// @Summary Get next full backup time
+// @Description Returns the next scheduled full basebackup time for the authenticated database
+// @Tags backups-wal
+// @Produce json
+// @Security AgentToken
+// @Success 200 {object} backups_dto.GetNextFullBackupTimeResponse
+// @Failure 401 {object} map[string]string
+// @Failure 500 {object} map[string]string
+// @Router /backups/postgres/wal/next-full-backup-time [get]
+func (c *PostgreWalBackupController) GetNextFullBackupTime(ctx *gin.Context) {
+	database, err := c.getDatabase(ctx)
+	if err != nil {
+		ctx.JSON(http.StatusUnauthorized, gin.H{"error": "invalid agent token"})
+		return
+	}
+
+	response, err := c.walService.GetNextFullBackupTime(database)
+	if err != nil {
+		ctx.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+
+	ctx.JSON(http.StatusOK, response)
+}
+
+// ReportError
+// @Summary Report agent error
+// @Description Records a fatal error from the agent against the database record and marks it as errored
+// @Tags backups-wal
+// @Accept json
+// @Security AgentToken
+// @Param request body backups_dto.ReportErrorRequest true "Error details"
+// @Success 200
+// @Failure 400 {object} map[string]string
+// @Failure 401 {object} map[string]string
+// @Failure 500 {object} map[string]string
+// @Router /backups/postgres/wal/error [post]
+func (c *PostgreWalBackupController) ReportError(ctx *gin.Context) {
+	database, err := c.getDatabase(ctx)
+	if err != nil {
+		ctx.JSON(http.StatusUnauthorized, gin.H{"error": "invalid agent token"})
+		return
+	}
+
+	var request backups_dto.ReportErrorRequest
+	if err := ctx.ShouldBindJSON(&request); err != nil {
+		ctx.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+
+	if err := c.walService.ReportError(database, request.Error); err != nil {
+		ctx.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+
+	ctx.Status(http.StatusOK)
+}
+
+// Upload
+// @Summary Stream upload a basebackup or WAL segment
+// @Description Accepts a zstd-compressed binary stream and stores it in the database's configured storage.
+// The server generates the storage filename; agents do not control the destination path.
+// For WAL segment uploads the server validates the WAL chain and returns 409 if a gap is detected
+// or 400 if no full backup exists yet (agent should trigger a full basebackup in both cases).
+// @Tags backups-wal
+// @Accept application/octet-stream
+// @Produce json
+// @Security AgentToken
+// @Param X-Upload-Type header string true "Upload type" Enums(basebackup, wal)
+// @Param X-Wal-Segment-Name header string false "24-hex WAL segment identifier (required for wal uploads, e.g. 0000000100000001000000AB)"
+// @Param X-Wal-Segment-Size header int false "WAL segment size in bytes reported by the PostgreSQL instance (default: 16777216)"
+// @Param fullBackupWalStartSegment query string false "First WAL segment needed to make the basebackup consistent (required for basebackup uploads)"
+// @Param fullBackupWalStopSegment query string false "Last WAL segment included in the basebackup (required for basebackup uploads)"
+// @Success 204
+// @Failure 400 {object} backups_dto.UploadGapResponse "No full backup exists (error: no_full_backup)"
+// @Failure 401 {object} map[string]string
+// @Failure 409 {object} backups_dto.UploadGapResponse "WAL chain gap detected (error: gap_detected)"
+// @Failure 500 {object} map[string]string
+// @Router /backups/postgres/wal/upload [post]
+func (c *PostgreWalBackupController) Upload(ctx *gin.Context) {
+	database, err := c.getDatabase(ctx)
+	if err != nil {
+		ctx.JSON(http.StatusUnauthorized, gin.H{"error": "invalid agent token"})
+		return
+	}
+
+	uploadType := backups_core.PgWalUploadType(ctx.GetHeader("X-Upload-Type"))
+	if uploadType != backups_core.PgWalUploadTypeBasebackup &&
+		uploadType != backups_core.PgWalUploadTypeWal {
+		ctx.JSON(
+			http.StatusBadRequest,
+			gin.H{"error": "X-Upload-Type must be 'basebackup' or 'wal'"},
+		)
+		return
+	}
+
+	walSegmentName := ""
+	if uploadType == backups_core.PgWalUploadTypeWal {
+		walSegmentName = ctx.GetHeader("X-Wal-Segment-Name")
+		if walSegmentName == "" {
+			ctx.JSON(
+				http.StatusBadRequest,
+				gin.H{"error": "X-Wal-Segment-Name is required for wal uploads"},
+			)
+			return
+		}
+	}
+
+	if uploadType == backups_core.PgWalUploadTypeBasebackup {
+		if ctx.Query("fullBackupWalStartSegment") == "" ||
+			ctx.Query("fullBackupWalStopSegment") == "" {
+			ctx.JSON(
+				http.StatusBadRequest,
+				gin.H{
+					"error": "fullBackupWalStartSegment and fullBackupWalStopSegment are required for basebackup uploads",
+				},
+			)
+			return
+		}
+	}
+
+	walSegmentSizeBytes := int64(0)
+	if raw := ctx.GetHeader("X-Wal-Segment-Size"); raw != "" {
+		parsed, parseErr := strconv.ParseInt(raw, 10, 64)
+		if parseErr != nil || parsed <= 0 {
+			ctx.JSON(
+				http.StatusBadRequest,
+				gin.H{"error": "X-Wal-Segment-Size must be a positive integer"},
+			)
+			return
+		}
+
+		walSegmentSizeBytes = parsed
+	}
+
+	gapResp, uploadErr := c.walService.UploadWal(
+		ctx.Request.Context(),
+		database,
+		uploadType,
+		walSegmentName,
+		ctx.Query("fullBackupWalStartSegment"),
+		ctx.Query("fullBackupWalStopSegment"),
+		walSegmentSizeBytes,
+		ctx.Request.Body,
+	)
+
+	if uploadErr != nil {
+		ctx.JSON(http.StatusInternalServerError, gin.H{"error": uploadErr.Error()})
+		return
+	}
+
+	if gapResp != nil {
+		if gapResp.Error == "no_full_backup" {
+			ctx.JSON(http.StatusBadRequest, gapResp)
+			return
+		}
+
+		ctx.JSON(http.StatusConflict, gapResp)
+		return
+	}
+
+	ctx.Status(http.StatusNoContent)
+}
+
+// GetRestorePlan
+// @Summary Get restore plan
+// @Description Resolves the full backup and all required WAL segments needed for recovery. Validates the WAL chain is continuous.
+// @Tags backups-wal
+// @Produce json
+// @Security AgentToken
+// @Param backupId query string false "UUID of a specific full backup to restore from; defaults to the most recent"
+// @Success 200 {object} backups_dto.GetRestorePlanResponse
+// @Failure 400 {object} map[string]string "Broken WAL chain or no backups available"
+// @Failure 401 {object} map[string]string
+// @Failure 500 {object} map[string]string
+// @Router /backups/postgres/wal/restore/plan [get]
+func (c *PostgreWalBackupController) GetRestorePlan(ctx *gin.Context) {
+	database, err := c.getDatabase(ctx)
+	if err != nil {
+		ctx.JSON(http.StatusUnauthorized, gin.H{"error": "invalid agent token"})
+		return
+	}
+
+	var backupID *uuid.UUID
+	if raw := ctx.Query("backupId"); raw != "" {
+		parsed, parseErr := uuid.Parse(raw)
+		if parseErr != nil {
+			ctx.JSON(http.StatusBadRequest, gin.H{"error": "invalid backupId format"})
+			return
+		}
+
+		backupID = &parsed
+	}
+
+	response, planErr, err := c.walService.GetRestorePlan(database, backupID)
+	if err != nil {
+		ctx.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+
+	if planErr != nil {
+		ctx.JSON(http.StatusBadRequest, planErr)
+		return
+	}
+
+	ctx.JSON(http.StatusOK, response)
+}
+
+// DownloadBackupFile
+// @Summary Download a backup or WAL segment file for restore
+// @Description Retrieves the backup file by ID (validated against the authenticated database), decrypts it server-side if encrypted, and streams the zstd-compressed result to the agent
+// @Tags backups-wal
+// @Produce application/octet-stream
+// @Security AgentToken
+// @Param backupId query string true "Backup ID from the restore plan response"
+// @Success 200 {file} file
+// @Failure 400 {object} map[string]string
+// @Failure 401 {object} map[string]string
+// @Router /backups/postgres/wal/restore/download [get]
+func (c *PostgreWalBackupController) DownloadBackupFile(ctx *gin.Context) {
+	database, err := c.getDatabase(ctx)
+	if err != nil {
+		ctx.JSON(http.StatusUnauthorized, gin.H{"error": "invalid agent token"})
+		return
+	}
+
+	backupIDRaw := ctx.Query("backupId")
+	if backupIDRaw == "" {
+		ctx.JSON(http.StatusBadRequest, gin.H{"error": "backupId is required"})
+		return
+	}
+
+	backupID, err := uuid.Parse(backupIDRaw)
+	if err != nil {
+		ctx.JSON(http.StatusBadRequest, gin.H{"error": "invalid backupId format"})
+		return
+	}
+
+	reader, err := c.walService.DownloadBackupFile(database, backupID)
+	if err != nil {
+		ctx.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+	defer func() { _ = reader.Close() }()
+
+	ctx.Header("Content-Type", "application/octet-stream")
+	ctx.Status(http.StatusOK)
+
+	_, _ = io.Copy(ctx.Writer, reader)
+}
+
+func (c *PostgreWalBackupController) getDatabase(
+	ctx *gin.Context,
+) (*databases.Database, error) {
+	token := ctx.GetHeader("Authorization")
+	return c.databaseService.GetDatabaseByAgentToken(token)
+}

backend/internal/features/backups/backups/controllers/testing.go

@@ -1,17 +1,17 @@
-package backups
+package backups_controllers
 
 import (
 	"testing"
 	"time"
 
+	"github.com/gin-gonic/gin"
+	"github.com/google/uuid"
+
 	backups_core "databasus-backend/internal/features/backups/backups/core"
 	backups_config "databasus-backend/internal/features/backups/config"
 	"databasus-backend/internal/features/databases"
 	workspaces_controllers "databasus-backend/internal/features/workspaces/controllers"
 	workspaces_testing "databasus-backend/internal/features/workspaces/testing"
-
-	"github.com/gin-gonic/gin"
-	"github.com/google/uuid"
 )
 
 func CreateTestRouter() *gin.Engine {
@@ -41,7 +41,7 @@ func WaitForBackupCompletion(
 	deadline := time.Now().UTC().Add(timeout)
 
 	for time.Now().UTC().Before(deadline) {
-		backups, err := backupRepository.FindByDatabaseID(databaseID)
+		backups, err := backups_core.GetBackupRepository().FindByDatabaseID(databaseID)
 		if err != nil {
 			t.Logf("WaitForBackupCompletion: error finding backups: %v", err)
 			time.Sleep(50 * time.Millisecond)

backend/internal/features/backups/backups/core/di.go

@@ -0,0 +1,7 @@
+package backups_core
+
+var backupRepository = &BackupRepository{}
+
+func GetBackupRepository() *BackupRepository {
+	return backupRepository
+}

backend/internal/features/backups/backups/core/enums.go

@@ -8,3 +8,10 @@ const (
 	BackupStatusFailed     BackupStatus = "FAILED"
 	BackupStatusCanceled   BackupStatus = "CANCELED"
 )
+
+type PgWalUploadType string
+
+const (
+	PgWalUploadTypeBasebackup PgWalUploadType = "basebackup"
+	PgWalUploadTypeWal        PgWalUploadType = "wal"
+)

backend/internal/features/backups/backups/core/model.go

@@ -1,10 +1,20 @@
 package backups_core
 
 import (
-	backups_config "databasus-backend/internal/features/backups/config"
+	"fmt"
 	"time"
 
 	"github.com/google/uuid"
+
+	backups_config "databasus-backend/internal/features/backups/config"
+	files_utils "databasus-backend/internal/util/files"
+)
+
+type PgWalBackupType string
+
+const (
+	PgWalBackupTypeFullBackup PgWalBackupType = "PG_FULL_BACKUP"
+	PgWalBackupTypeWalSegment PgWalBackupType = "PG_WAL_SEGMENT"
 )
 
 type Backup struct {
@@ -26,5 +36,23 @@ type Backup struct {
 	EncryptionIV   *string                         `json:"-"          gorm:"column:encryption_iv"`
 	Encryption     backups_config.BackupEncryption `json:"encryption" gorm:"column:encryption;type:text;not null;default:'NONE'"`
 
+	// Postgres WAL backup specific fields
+	PgWalBackupType                 *PgWalBackupType `json:"pgWalBackupType"                 gorm:"column:pg_wal_backup_type;type:text"`
+	PgFullBackupWalStartSegmentName *string          `json:"pgFullBackupWalStartSegmentName" gorm:"column:pg_wal_start_segment;type:text"`
+	PgFullBackupWalStopSegmentName  *string          `json:"pgFullBackupWalStopSegmentName"  gorm:"column:pg_wal_stop_segment;type:text"`
+	PgVersion                       *string          `json:"pgVersion"                       gorm:"column:pg_version;type:text"`
+	PgWalSegmentName                *string          `json:"pgWalSegmentName"                gorm:"column:pg_wal_segment_name;type:text"`
+
 	CreatedAt time.Time `json:"createdAt" gorm:"column:created_at"`
 }
+
+func (b *Backup) GenerateFilename(dbName string) {
+	timestamp := time.Now().UTC()
+
+	b.FileName = fmt.Sprintf(
+		"%s-%s-%s",
+		files_utils.SanitizeFilename(dbName),
+		timestamp.Format("20060102-150405"),
+		b.ID.String(),
+	)
+}

backend/internal/features/backups/backups/core/repository.go

@@ -1,13 +1,13 @@
 package backups_core
 
 import (
-	"databasus-backend/internal/storage"
 	"errors"
-
 	"time"
 
 	"github.com/google/uuid"
 	"gorm.io/gorm"
+
+	"databasus-backend/internal/storage"
 )
 
 type BackupRepository struct{}
@@ -88,7 +88,7 @@ func (r *BackupRepository) FindLastByDatabaseID(databaseID uuid.UUID) (*Backup,
 		Where("database_id = ?", databaseID).
 		Order("created_at DESC").
 		First(&backup).Error; err != nil {
-		if err == gorm.ErrRecordNotFound {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
 			return nil, nil
 		}
 
@@ -245,3 +245,134 @@ func (r *BackupRepository) FindOldestByDatabaseExcludingInProgress(
 
 	return backups, nil
 }
+
+func (r *BackupRepository) FindCompletedFullWalBackupByID(
+	databaseID uuid.UUID,
+	backupID uuid.UUID,
+) (*Backup, error) {
+	var backup Backup
+
+	err := storage.
+		GetDb().
+		Where(
+			"database_id = ? AND id = ? AND pg_wal_backup_type = ? AND status = ?",
+			databaseID,
+			backupID,
+			PgWalBackupTypeFullBackup,
+			BackupStatusCompleted,
+		).
+		First(&backup).Error
+	if err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return nil, nil
+		}
+
+		return nil, err
+	}
+
+	return &backup, nil
+}
+
+func (r *BackupRepository) FindCompletedWalSegmentsAfter(
+	databaseID uuid.UUID,
+	afterSegmentName string,
+) ([]*Backup, error) {
+	var backups []*Backup
+
+	err := storage.
+		GetDb().
+		Where(
+			"database_id = ? AND pg_wal_backup_type = ? AND pg_wal_segment_name >= ? AND status = ?",
+			databaseID,
+			PgWalBackupTypeWalSegment,
+			afterSegmentName,
+			BackupStatusCompleted,
+		).
+		Order("pg_wal_segment_name ASC").
+		Find(&backups).Error
+	if err != nil {
+		return nil, err
+	}
+
+	return backups, nil
+}
+
+func (r *BackupRepository) FindLastCompletedFullWalBackupByDatabaseID(
+	databaseID uuid.UUID,
+) (*Backup, error) {
+	var backup Backup
+
+	err := storage.
+		GetDb().
+		Where(
+			"database_id = ? AND pg_wal_backup_type = ? AND status = ?",
+			databaseID,
+			PgWalBackupTypeFullBackup,
+			BackupStatusCompleted,
+		).
+		Order("created_at DESC").
+		First(&backup).Error
+	if err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return nil, nil
+		}
+
+		return nil, err
+	}
+
+	return &backup, nil
+}
+
+func (r *BackupRepository) FindWalSegmentByName(
+	databaseID uuid.UUID,
+	segmentName string,
+) (*Backup, error) {
+	var backup Backup
+
+	err := storage.
+		GetDb().
+		Where(
+			"database_id = ? AND pg_wal_backup_type = ? AND pg_wal_segment_name = ?",
+			databaseID,
+			PgWalBackupTypeWalSegment,
+			segmentName,
+		).
+		First(&backup).Error
+	if err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return nil, nil
+		}
+
+		return nil, err
+	}
+
+	return &backup, nil
+}
+
+func (r *BackupRepository) FindLastWalSegmentAfter(
+	databaseID uuid.UUID,
+	afterSegmentName string,
+) (*Backup, error) {
+	var backup Backup
+
+	err := storage.
+		GetDb().
+		Where(
+			"database_id = ? AND pg_wal_backup_type = ? AND pg_wal_segment_name > ? AND status = ?",
+			databaseID,
+			PgWalBackupTypeWalSegment,
+			afterSegmentName,
+			BackupStatusCompleted,
+		).
+		Order("pg_wal_segment_name DESC").
+		First(&backup).Error
+	if err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return nil, nil
+		}
+
+		return nil, err
+	}
+
+	return &backup, nil
+}

backend/internal/features/backups/backups/download/di.go

@@ -13,9 +13,11 @@ var downloadTokenRepository = &DownloadTokenRepository{}
 
 var downloadTracker = NewDownloadTracker(cache_utils.GetValkeyClient())
 
-var bandwidthManager *BandwidthManager
-var downloadTokenService *DownloadTokenService
-var downloadTokenBackgroundService *DownloadTokenBackgroundService
+var (
+	bandwidthManager               *BandwidthManager
+	downloadTokenService           *DownloadTokenService
+	downloadTokenBackgroundService *DownloadTokenBackgroundService
+)
 
 func init() {
 	env := config.GetEnv()

backend/internal/features/backups/backups/download/rate_limiter.go

@@ -66,9 +66,7 @@ func (rl *RateLimiter) Wait(bytes int64) {
 		tokensNeeded := float64(bytes) - rl.availableTokens
 		waitTime := time.Duration(tokensNeeded/float64(rl.bytesPerSecond)*1000) * time.Millisecond
 
-		if waitTime < time.Millisecond {
-			waitTime = time.Millisecond
-		}
+		waitTime = max(waitTime, time.Millisecond)
 
 		rl.mu.Unlock()
 		time.Sleep(waitTime)

backend/internal/features/backups/backups/download/repository.go

@@ -2,12 +2,14 @@ package backups_download
 
 import (
 	"crypto/rand"
-	"databasus-backend/internal/storage"
 	"encoding/base64"
+	"errors"
 	"time"
 
 	"github.com/google/uuid"
 	"gorm.io/gorm"
+
+	"databasus-backend/internal/storage"
 )
 
 type DownloadTokenRepository struct{}
@@ -28,9 +30,8 @@ func (r *DownloadTokenRepository) FindByToken(token string) (*DownloadToken, err
 	err := storage.GetDb().
 		Where("token = ?", token).
 		First(&downloadToken).Error
-
 	if err != nil {
-		if err == gorm.ErrRecordNotFound {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
 			return nil, nil
 		}
 		return nil, err

backend/internal/features/backups/backups/download/tracking.go

@@ -1,12 +1,13 @@
 package backups_download
 
 import (
-	cache_utils "databasus-backend/internal/util/cache"
 	"errors"
 	"time"
 
 	"github.com/google/uuid"
 	"github.com/valkey-io/valkey-go"
+
+	cache_utils "databasus-backend/internal/util/cache"
 )
 
 const (
@@ -16,9 +17,7 @@ const (
 	downloadHeartbeatDelay = 3 * time.Second
 )
 
-var (
-	ErrDownloadAlreadyInProgress = errors.New("download already in progress for this user")
-)
+var ErrDownloadAlreadyInProgress = errors.New("download already in progress for this user")
 
 type DownloadTracker struct {
 	cache *cache_utils.CacheUtil[string]

backend/internal/features/backups/backups/dto.go

@@ -1,29 +0,0 @@
-package backups
-
-import (
-	backups_core "databasus-backend/internal/features/backups/backups/core"
-	"databasus-backend/internal/features/backups/backups/encryption"
-	"io"
-)
-
-type GetBackupsRequest struct {
-	DatabaseID string `form:"database_id" binding:"required"`
-	Limit      int    `form:"limit"`
-	Offset     int    `form:"offset"`
-}
-
-type GetBackupsResponse struct {
-	Backups []*backups_core.Backup `json:"backups"`
-	Total   int64                  `json:"total"`
-	Limit   int                    `json:"limit"`
-	Offset  int                    `json:"offset"`
-}
-
-type DecryptionReaderCloser struct {
-	*encryption.DecryptionReader
-	BaseReader io.ReadCloser
-}
-
-func (r *DecryptionReaderCloser) Close() error {
-	return r.BaseReader.Close()
-}

backend/internal/features/backups/backups/dto/dto.go

@@ -0,0 +1,79 @@
+package backups_dto
+
+import (
+	"io"
+	"time"
+
+	"github.com/google/uuid"
+
+	backups_core "databasus-backend/internal/features/backups/backups/core"
+	"databasus-backend/internal/features/backups/backups/encryption"
+)
+
+type GetBackupsRequest struct {
+	DatabaseID string `form:"database_id" binding:"required"`
+	Limit      int    `form:"limit"`
+	Offset     int    `form:"offset"`
+}
+
+type GetBackupsResponse struct {
+	Backups []*backups_core.Backup `json:"backups"`
+	Total   int64                  `json:"total"`
+	Limit   int                    `json:"limit"`
+	Offset  int                    `json:"offset"`
+}
+
+type DecryptionReaderCloser struct {
+	*encryption.DecryptionReader
+	BaseReader io.ReadCloser
+}
+
+func (r *DecryptionReaderCloser) Close() error {
+	return r.BaseReader.Close()
+}
+
+type MakeBackupRequest struct {
+	DatabaseID uuid.UUID `json:"database_id" binding:"required"`
+}
+
+type GetNextFullBackupTimeResponse struct {
+	NextFullBackupTime *time.Time `json:"nextFullBackupTime"`
+}
+
+type ReportErrorRequest struct {
+	Error string `json:"error" binding:"required"`
+}
+
+type UploadGapResponse struct {
+	Error               string `json:"error"`
+	ExpectedSegmentName string `json:"expectedSegmentName"`
+	ReceivedSegmentName string `json:"receivedSegmentName"`
+}
+
+type RestorePlanFullBackup struct {
+	BackupID                  uuid.UUID `json:"id"`
+	FullBackupWalStartSegment string    `json:"fullBackupWalStartSegment"`
+	FullBackupWalStopSegment  string    `json:"fullBackupWalStopSegment"`
+	PgVersion                 string    `json:"pgVersion"`
+	CreatedAt                 time.Time `json:"createdAt"`
+	SizeBytes                 int64     `json:"sizeBytes"`
+}
+
+type RestorePlanWalSegment struct {
+	BackupID    uuid.UUID `json:"backupId"`
+	SegmentName string    `json:"segmentName"`
+	SizeBytes   int64     `json:"sizeBytes"`
+}
+
+type GetRestorePlanErrorResponse struct {
+	Error                 string `json:"error"`
+	Message               string `json:"message"`
+	LastContiguousSegment string `json:"lastContiguousSegment,omitempty"`
+}
+
+type GetRestorePlanResponse struct {
+	FullBackup             RestorePlanFullBackup   `json:"fullBackup"`
+	WalSegments            []RestorePlanWalSegment `json:"walSegments"`
+	TotalSizeBytes         int64                   `json:"totalSizeBytes"`
+	LatestAvailableSegment string                  `json:"latestAvailableSegment"`
+}

backend/internal/features/backups/backups/encryption/decrypting_reader.go

@@ -4,6 +4,7 @@ import (
 	"crypto/aes"
 	"crypto/cipher"
 	"encoding/binary"
+	"errors"
 	"fmt"
 	"io"
 
@@ -69,7 +70,7 @@ func NewDecryptionReader(
 func (r *DecryptionReader) Read(p []byte) (n int, err error) {
 	for len(r.buffer) < len(p) && !r.eof {
 		if err := r.readAndDecryptChunk(); err != nil {
-			if err == io.EOF {
+			if errors.Is(err, io.EOF) {
 				r.eof = true
 				break
 			}

backend/internal/features/backups/backups/encryption/setup.go

@@ -0,0 +1,45 @@
+package encryption
+
+import (
+	"encoding/base64"
+	"fmt"
+	"io"
+
+	"github.com/google/uuid"
+)
+
+// EncryptionSetup holds the result of setting up encryption for a backup stream.
+type EncryptionSetup struct {
+	Writer      *EncryptionWriter
+	SaltBase64  string
+	NonceBase64 string
+}
+
+// SetupEncryptionWriter generates salt/nonce, creates an EncryptionWriter, and
+// returns the base64-encoded salt and nonce for storage on the backup record.
+func SetupEncryptionWriter(
+	baseWriter io.Writer,
+	masterKey string,
+	backupID uuid.UUID,
+) (*EncryptionSetup, error) {
+	salt, err := GenerateSalt()
+	if err != nil {
+		return nil, fmt.Errorf("failed to generate salt: %w", err)
+	}
+
+	nonce, err := GenerateNonce()
+	if err != nil {
+		return nil, fmt.Errorf("failed to generate nonce: %w", err)
+	}
+
+	encWriter, err := NewEncryptionWriter(baseWriter, masterKey, backupID, salt, nonce)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create encryption writer: %w", err)
+	}
+
+	return &EncryptionSetup{
+		Writer:      encWriter,
+		SaltBase64:  base64.StdEncoding.EncodeToString(salt),
+		NonceBase64: base64.StdEncoding.EncodeToString(nonce),
+	}, nil
+}

backend/internal/features/backups/backups/services/di.go

@@ -1,4 +1,4 @@
-package backups
+package backups_services
 
 import (
 	"sync"
@@ -20,14 +20,12 @@ import (
 	"databasus-backend/internal/util/logger"
 )
 
-var backupRepository = &backups_core.BackupRepository{}
-
 var taskCancelManager = task_cancellation.GetTaskCancelManager()
 
 var backupService = &BackupService{
 	databases.GetDatabaseService(),
 	storages.GetStorageService(),
-	backupRepository,
+	backups_core.GetBackupRepository(),
 	notifiers.GetNotifierService(),
 	notifiers.GetNotifierService(),
 	backups_config.GetBackupConfigService(),
@@ -44,16 +42,21 @@ var backupService = &BackupService{
 	backuping.GetBackupCleaner(),
 }
 
-var backupController = &BackupController{
-	backupService: backupService,
-}
-
 func GetBackupService() *BackupService {
 	return backupService
 }
 
-func GetBackupController() *BackupController {
-	return backupController
+var walService = &PostgreWalBackupService{
+	backups_config.GetBackupConfigService(),
+	backups_core.GetBackupRepository(),
+	encryption.GetFieldEncryptor(),
+	encryption_secrets.GetSecretKeyService(),
+	logger.GetLogger(),
+	backupService,
+}
+
+func GetWalService() *PostgreWalBackupService {
+	return walService
 }
 
 var (

backend/internal/features/backups/backups/services/postgres_wal_service.go

@@ -0,0 +1,613 @@
+package backups_services
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"log/slog"
+	"time"
+
+	"github.com/google/uuid"
+
+	backups_core "databasus-backend/internal/features/backups/backups/core"
+	backups_dto "databasus-backend/internal/features/backups/backups/dto"
+	backup_encryption "databasus-backend/internal/features/backups/backups/encryption"
+	backups_config "databasus-backend/internal/features/backups/config"
+	"databasus-backend/internal/features/databases"
+	"databasus-backend/internal/features/databases/databases/postgresql"
+	encryption_secrets "databasus-backend/internal/features/encryption/secrets"
+	util_encryption "databasus-backend/internal/util/encryption"
+	util_wal "databasus-backend/internal/util/wal"
+)
+
+// PostgreWalBackupService handles WAL segment and basebackup uploads from the databasus-cli agent.
+type PostgreWalBackupService struct {
+	backupConfigService *backups_config.BackupConfigService
+	backupRepository    *backups_core.BackupRepository
+	fieldEncryptor      util_encryption.FieldEncryptor
+	secretKeyService    *encryption_secrets.SecretKeyService
+	logger              *slog.Logger
+	backupService       *BackupService
+}
+
+// UploadWal accepts a streaming WAL segment or basebackup upload from the agent.
+// For WAL segments it validates the WAL chain before accepting. Returns an UploadGapResponse
+// (409) when the chain is broken so the agent knows to trigger a full basebackup.
+func (s *PostgreWalBackupService) UploadWal(
+	ctx context.Context,
+	database *databases.Database,
+	uploadType backups_core.PgWalUploadType,
+	walSegmentName string,
+	fullBackupWalStartSegment string,
+	fullBackupWalStopSegment string,
+	walSegmentSizeBytes int64,
+	body io.Reader,
+) (*backups_dto.UploadGapResponse, error) {
+	if err := s.validateWalBackupType(database); err != nil {
+		return nil, err
+	}
+
+	if uploadType == backups_core.PgWalUploadTypeBasebackup {
+		if fullBackupWalStartSegment == "" || fullBackupWalStopSegment == "" {
+			return nil, fmt.Errorf(
+				"fullBackupWalStartSegment and fullBackupWalStopSegment are required for basebackup uploads",
+			)
+		}
+	}
+
+	backupConfig, err := s.backupConfigService.GetBackupConfigByDbId(database.ID)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get backup config: %w", err)
+	}
+
+	if backupConfig.Storage == nil {
+		return nil, fmt.Errorf("no storage configured for database %s", database.ID)
+	}
+
+	if uploadType == backups_core.PgWalUploadTypeWal {
+		// Idempotency: check before chain validation so a successful re-upload is
+		// not misidentified as a gap.
+		existing, err := s.backupRepository.FindWalSegmentByName(database.ID, walSegmentName)
+		if err != nil {
+			return nil, fmt.Errorf("failed to check for duplicate WAL segment: %w", err)
+		}
+
+		if existing != nil {
+			return nil, nil
+		}
+
+		gapResp, err := s.validateWalChain(database.ID, walSegmentName, walSegmentSizeBytes)
+		if err != nil {
+			return nil, err
+		}
+
+		if gapResp != nil {
+			return gapResp, nil
+		}
+	}
+
+	backup := s.createBackupRecord(
+		database.ID,
+		backupConfig.Storage.ID,
+		uploadType,
+		database.Name,
+		walSegmentName,
+		fullBackupWalStartSegment,
+		fullBackupWalStopSegment,
+		backupConfig.Encryption,
+	)
+
+	if err := s.backupRepository.Save(backup); err != nil {
+		return nil, fmt.Errorf("failed to create backup record: %w", err)
+	}
+
+	sizeBytes, streamErr := s.streamToStorage(ctx, backup, backupConfig, body)
+	if streamErr != nil {
+		errMsg := streamErr.Error()
+		s.markFailed(backup, errMsg)
+
+		return nil, fmt.Errorf("upload failed: %w", streamErr)
+	}
+
+	s.markCompleted(backup, sizeBytes)
+
+	return nil, nil
+}
+
+func (s *PostgreWalBackupService) GetRestorePlan(
+	database *databases.Database,
+	backupID *uuid.UUID,
+) (*backups_dto.GetRestorePlanResponse, *backups_dto.GetRestorePlanErrorResponse, error) {
+	if err := s.validateWalBackupType(database); err != nil {
+		return nil, nil, err
+	}
+
+	fullBackup, err := s.resolveFullBackup(database.ID, backupID)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	if fullBackup == nil {
+		msg := "no full backups available for this database"
+		if backupID != nil {
+			msg = fmt.Sprintf("full backup %s not found or not completed", backupID)
+		}
+
+		return nil, &backups_dto.GetRestorePlanErrorResponse{
+			Error:   "no_backups",
+			Message: msg,
+		}, nil
+	}
+
+	startSegment := ""
+	if fullBackup.PgFullBackupWalStartSegmentName != nil {
+		startSegment = *fullBackup.PgFullBackupWalStartSegmentName
+	}
+
+	walSegments, err := s.backupRepository.FindCompletedWalSegmentsAfter(database.ID, startSegment)
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to query WAL segments: %w", err)
+	}
+
+	chainErr := s.validateRestoreWalChain(fullBackup, walSegments)
+	if chainErr != nil {
+		return nil, chainErr, nil
+	}
+
+	fullBackupSizeBytes := int64(fullBackup.BackupSizeMb * 1024 * 1024)
+
+	pgVersion := ""
+	if fullBackup.PgVersion != nil {
+		pgVersion = *fullBackup.PgVersion
+	}
+
+	stopSegment := ""
+	if fullBackup.PgFullBackupWalStopSegmentName != nil {
+		stopSegment = *fullBackup.PgFullBackupWalStopSegmentName
+	}
+
+	response := &backups_dto.GetRestorePlanResponse{
+		FullBackup: backups_dto.RestorePlanFullBackup{
+			BackupID:                  fullBackup.ID,
+			FullBackupWalStartSegment: startSegment,
+			FullBackupWalStopSegment:  stopSegment,
+			PgVersion:                 pgVersion,
+			CreatedAt:                 fullBackup.CreatedAt,
+			SizeBytes:                 fullBackupSizeBytes,
+		},
+		TotalSizeBytes: fullBackupSizeBytes,
+	}
+
+	for _, seg := range walSegments {
+		segName := ""
+		if seg.PgWalSegmentName != nil {
+			segName = *seg.PgWalSegmentName
+		}
+
+		segSizeBytes := int64(seg.BackupSizeMb * 1024 * 1024)
+
+		response.WalSegments = append(response.WalSegments, backups_dto.RestorePlanWalSegment{
+			BackupID:    seg.ID,
+			SegmentName: segName,
+			SizeBytes:   segSizeBytes,
+		})
+
+		response.TotalSizeBytes += segSizeBytes
+		response.LatestAvailableSegment = segName
+	}
+
+	return response, nil, nil
+}
+
+// DownloadBackupFile returns a reader for a backup file belonging to the given database.
+// Decryption is handled transparently if the backup is encrypted.
+func (s *PostgreWalBackupService) DownloadBackupFile(
+	database *databases.Database,
+	backupID uuid.UUID,
+) (io.ReadCloser, error) {
+	if err := s.validateWalBackupType(database); err != nil {
+		return nil, err
+	}
+
+	backup, err := s.backupRepository.FindByID(backupID)
+	if err != nil {
+		return nil, fmt.Errorf("backup not found: %w", err)
+	}
+
+	if backup.DatabaseID != database.ID {
+		return nil, fmt.Errorf("backup does not belong to this database")
+	}
+
+	if backup.Status != backups_core.BackupStatusCompleted {
+		return nil, fmt.Errorf("backup is not completed")
+	}
+
+	return s.backupService.GetBackupReader(backupID)
+}
+
+func (s *PostgreWalBackupService) GetNextFullBackupTime(
+	database *databases.Database,
+) (*backups_dto.GetNextFullBackupTimeResponse, error) {
+	if err := s.validateWalBackupType(database); err != nil {
+		return nil, err
+	}
+
+	backupConfig, err := s.backupConfigService.GetBackupConfigByDbId(database.ID)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get backup config: %w", err)
+	}
+
+	if backupConfig.BackupInterval == nil {
+		return nil, fmt.Errorf("no backup interval configured for database %s", database.ID)
+	}
+
+	lastFullBackup, err := s.backupRepository.FindLastCompletedFullWalBackupByDatabaseID(
+		database.ID,
+	)
+	if err != nil {
+		return nil, fmt.Errorf("failed to query last full backup: %w", err)
+	}
+
+	var lastBackupTime *time.Time
+	if lastFullBackup != nil {
+		lastBackupTime = &lastFullBackup.CreatedAt
+	}
+
+	now := time.Now().UTC()
+	nextTime := backupConfig.BackupInterval.NextTriggerTime(now, lastBackupTime)
+
+	return &backups_dto.GetNextFullBackupTimeResponse{
+		NextFullBackupTime: nextTime,
+	}, nil
+}
+
+// ReportError creates a FAILED backup record with the agent's error message.
+func (s *PostgreWalBackupService) ReportError(
+	database *databases.Database,
+	errorMsg string,
+) error {
+	if err := s.validateWalBackupType(database); err != nil {
+		return err
+	}
+
+	backupConfig, err := s.backupConfigService.GetBackupConfigByDbId(database.ID)
+	if err != nil {
+		return fmt.Errorf("failed to get backup config: %w", err)
+	}
+
+	if backupConfig.Storage == nil {
+		return fmt.Errorf("no storage configured for database %s", database.ID)
+	}
+
+	now := time.Now().UTC()
+	backup := &backups_core.Backup{
+		ID:          uuid.New(),
+		DatabaseID:  database.ID,
+		StorageID:   backupConfig.Storage.ID,
+		Status:      backups_core.BackupStatusFailed,
+		FailMessage: &errorMsg,
+		Encryption:  backupConfig.Encryption,
+		CreatedAt:   now,
+	}
+
+	backup.GenerateFilename(database.Name)
+
+	if err := s.backupRepository.Save(backup); err != nil {
+		return fmt.Errorf("failed to save error backup record: %w", err)
+	}
+
+	return nil
+}
+
+func (s *PostgreWalBackupService) validateWalChain(
+	databaseID uuid.UUID,
+	incomingSegment string,
+	walSegmentSizeBytes int64,
+) (*backups_dto.UploadGapResponse, error) {
+	fullBackup, err := s.backupRepository.FindLastCompletedFullWalBackupByDatabaseID(databaseID)
+	if err != nil {
+		return nil, fmt.Errorf("failed to query full backup: %w", err)
+	}
+
+	// No full backup exists yet: cannot accept WAL segments without a chain anchor.
+	if fullBackup == nil || fullBackup.PgFullBackupWalStopSegmentName == nil {
+		return &backups_dto.UploadGapResponse{
+			Error:               "no_full_backup",
+			ExpectedSegmentName: "",
+			ReceivedSegmentName: incomingSegment,
+		}, nil
+	}
+
+	stopSegment := *fullBackup.PgFullBackupWalStopSegmentName
+
+	lastWal, err := s.backupRepository.FindLastWalSegmentAfter(databaseID, stopSegment)
+	if err != nil {
+		return nil, fmt.Errorf("failed to query last WAL segment: %w", err)
+	}
+
+	walCalculator := util_wal.NewWalCalculator(walSegmentSizeBytes)
+
+	var chainTail string
+	if lastWal != nil && lastWal.PgWalSegmentName != nil {
+		chainTail = *lastWal.PgWalSegmentName
+	} else {
+		chainTail = stopSegment
+	}
+
+	expectedNext, err := walCalculator.NextSegment(chainTail)
+	if err != nil {
+		return nil, fmt.Errorf("WAL arithmetic failed for %q: %w", chainTail, err)
+	}
+
+	if incomingSegment != expectedNext {
+		return &backups_dto.UploadGapResponse{
+			Error:               "gap_detected",
+			ExpectedSegmentName: expectedNext,
+			ReceivedSegmentName: incomingSegment,
+		}, nil
+	}
+
+	return nil, nil
+}
+
+func (s *PostgreWalBackupService) createBackupRecord(
+	databaseID uuid.UUID,
+	storageID uuid.UUID,
+	uploadType backups_core.PgWalUploadType,
+	dbName string,
+	walSegmentName string,
+	fullBackupWalStartSegment string,
+	fullBackupWalStopSegment string,
+	encryption backups_config.BackupEncryption,
+) *backups_core.Backup {
+	now := time.Now().UTC()
+
+	backup := &backups_core.Backup{
+		ID:         uuid.New(),
+		DatabaseID: databaseID,
+		StorageID:  storageID,
+		Status:     backups_core.BackupStatusInProgress,
+		Encryption: encryption,
+		CreatedAt:  now,
+	}
+
+	backup.GenerateFilename(dbName)
+
+	if uploadType == backups_core.PgWalUploadTypeBasebackup {
+		walBackupType := backups_core.PgWalBackupTypeFullBackup
+		backup.PgWalBackupType = &walBackupType
+
+		if fullBackupWalStartSegment != "" {
+			backup.PgFullBackupWalStartSegmentName = &fullBackupWalStartSegment
+		}
+
+		if fullBackupWalStopSegment != "" {
+			backup.PgFullBackupWalStopSegmentName = &fullBackupWalStopSegment
+		}
+	} else {
+		walBackupType := backups_core.PgWalBackupTypeWalSegment
+		backup.PgWalBackupType = &walBackupType
+		backup.PgWalSegmentName = &walSegmentName
+	}
+
+	return backup
+}
+
+func (s *PostgreWalBackupService) streamToStorage(
+	ctx context.Context,
+	backup *backups_core.Backup,
+	backupConfig *backups_config.BackupConfig,
+	body io.Reader,
+) (int64, error) {
+	if backupConfig.Encryption == backups_config.BackupEncryptionEncrypted {
+		return s.streamEncrypted(ctx, backup, backupConfig, body, backup.FileName)
+	}
+
+	return s.streamDirect(ctx, backupConfig, body, backup.FileName)
+}
+
+func (s *PostgreWalBackupService) streamDirect(
+	ctx context.Context,
+	backupConfig *backups_config.BackupConfig,
+	body io.Reader,
+	fileName string,
+) (int64, error) {
+	cr := &countingReader{r: body}
+
+	if err := backupConfig.Storage.SaveFile(ctx, s.fieldEncryptor, s.logger, fileName, cr); err != nil {
+		return 0, err
+	}
+
+	return cr.n, nil
+}
+
+func (s *PostgreWalBackupService) streamEncrypted(
+	ctx context.Context,
+	backup *backups_core.Backup,
+	backupConfig *backups_config.BackupConfig,
+	body io.Reader,
+	fileName string,
+) (int64, error) {
+	masterKey, err := s.secretKeyService.GetSecretKey()
+	if err != nil {
+		return 0, fmt.Errorf("failed to get master encryption key: %w", err)
+	}
+
+	pipeReader, pipeWriter := io.Pipe()
+
+	encryptionSetup, err := backup_encryption.SetupEncryptionWriter(
+		pipeWriter,
+		masterKey,
+		backup.ID,
+	)
+	if err != nil {
+		_ = pipeWriter.Close()
+		return 0, err
+	}
+
+	copyErrCh := make(chan error, 1)
+	go func() {
+		_, copyErr := io.Copy(encryptionSetup.Writer, body)
+		if copyErr != nil {
+			_ = encryptionSetup.Writer.Close()
+			_ = pipeWriter.CloseWithError(copyErr)
+			copyErrCh <- copyErr
+			return
+		}
+
+		if closeErr := encryptionSetup.Writer.Close(); closeErr != nil {
+			_ = pipeWriter.CloseWithError(closeErr)
+			copyErrCh <- closeErr
+			return
+		}
+
+		copyErrCh <- pipeWriter.Close()
+	}()
+
+	cr := &countingReader{r: pipeReader}
+	saveErr := backupConfig.Storage.SaveFile(ctx, s.fieldEncryptor, s.logger, fileName, cr)
+	copyErr := <-copyErrCh
+
+	if copyErr != nil {
+		return 0, copyErr
+	}
+
+	if saveErr != nil {
+		return 0, saveErr
+	}
+
+	backup.EncryptionSalt = &encryptionSetup.SaltBase64
+	backup.EncryptionIV = &encryptionSetup.NonceBase64
+
+	return cr.n, nil
+}
+
+func (s *PostgreWalBackupService) markCompleted(backup *backups_core.Backup, sizeBytes int64) {
+	backup.Status = backups_core.BackupStatusCompleted
+	backup.BackupSizeMb = float64(sizeBytes) / (1024 * 1024)
+
+	if err := s.backupRepository.Save(backup); err != nil {
+		s.logger.Error(
+			"failed to mark WAL backup as completed",
+			"backupId",
+			backup.ID,
+			"error",
+			err,
+		)
+	}
+}
+
+func (s *PostgreWalBackupService) markFailed(backup *backups_core.Backup, errMsg string) {
+	backup.Status = backups_core.BackupStatusFailed
+	backup.FailMessage = &errMsg
+
+	if err := s.backupRepository.Save(backup); err != nil {
+		s.logger.Error("failed to mark WAL backup as failed", "backupId", backup.ID, "error", err)
+	}
+}
+
+func (s *PostgreWalBackupService) resolveFullBackup(
+	databaseID uuid.UUID,
+	backupID *uuid.UUID,
+) (*backups_core.Backup, error) {
+	if backupID != nil {
+		return s.backupRepository.FindCompletedFullWalBackupByID(databaseID, *backupID)
+	}
+
+	return s.backupRepository.FindLastCompletedFullWalBackupByDatabaseID(databaseID)
+}
+
+func (s *PostgreWalBackupService) validateRestoreWalChain(
+	fullBackup *backups_core.Backup,
+	walSegments []*backups_core.Backup,
+) *backups_dto.GetRestorePlanErrorResponse {
+	if len(walSegments) == 0 {
+		return nil
+	}
+
+	stopSegment := ""
+	if fullBackup.PgFullBackupWalStopSegmentName != nil {
+		stopSegment = *fullBackup.PgFullBackupWalStopSegmentName
+	}
+
+	walCalculator := util_wal.NewWalCalculator(0)
+	expectedNext, err := walCalculator.NextSegment(stopSegment)
+	if err != nil {
+		return nil
+	}
+
+	for _, seg := range walSegments {
+		segName := ""
+		if seg.PgWalSegmentName != nil {
+			segName = *seg.PgWalSegmentName
+		}
+
+		cmp, cmpErr := walCalculator.Compare(segName, stopSegment)
+		if cmpErr != nil {
+			return nil
+		}
+
+		// Skip segments that are <= stopSegment (they are part of the basebackup range)
+		if cmp <= 0 {
+			continue
+		}
+
+		if segName != expectedNext {
+			lastContiguous := stopSegment
+			// Walk back to find the segment before the gap
+			for _, prev := range walSegments {
+				prevName := ""
+				if prev.PgWalSegmentName != nil {
+					prevName = *prev.PgWalSegmentName
+				}
+
+				prevCmp, _ := walCalculator.Compare(prevName, stopSegment)
+				if prevCmp <= 0 {
+					continue
+				}
+
+				if prevName == segName {
+					break
+				}
+
+				lastContiguous = prevName
+			}
+
+			return &backups_dto.GetRestorePlanErrorResponse{
+				Error: "wal_chain_broken",
+				Message: fmt.Sprintf(
+					"WAL chain has a gap after segment %s. Recovery is only possible up to this segment.",
+					lastContiguous,
+				),
+				LastContiguousSegment: lastContiguous,
+			}
+		}
+
+		expectedNext, err = walCalculator.NextSegment(segName)
+		if err != nil {
+			return nil
+		}
+	}
+
+	return nil
+}
+
+func (s *PostgreWalBackupService) validateWalBackupType(database *databases.Database) error {
+	if database.Postgresql == nil ||
+		database.Postgresql.BackupType != postgresql.PostgresBackupTypeWalV1 {
+		return fmt.Errorf("database %s is not configured for WAL backups", database.ID)
+	}
+	return nil
+}
+
+type countingReader struct {
+	r io.Reader
+	n int64
+}
+
+func (cr *countingReader) Read(p []byte) (n int, err error) {
+	n, err = cr.r.Read(p)
+	cr.n += int64(n)
+
+	return n, err
+}

backend/internal/features/backups/backups/services/service.go

@@ -1,4 +1,4 @@
-package backups
+package backups_services
 
 import (
 	"encoding/base64"
@@ -7,10 +7,13 @@ import (
 	"io"
 	"log/slog"
 
+	"github.com/google/uuid"
+
 	audit_logs "databasus-backend/internal/features/audit_logs"
 	"databasus-backend/internal/features/backups/backups/backuping"
 	backups_core "databasus-backend/internal/features/backups/backups/core"
 	backups_download "databasus-backend/internal/features/backups/backups/download"
+	backups_dto "databasus-backend/internal/features/backups/backups/dto"
 	"databasus-backend/internal/features/backups/backups/encryption"
 	backups_config "databasus-backend/internal/features/backups/config"
 	"databasus-backend/internal/features/databases"
@@ -22,8 +25,6 @@ import (
 	workspaces_services "databasus-backend/internal/features/workspaces/services"
 	util_encryption "databasus-backend/internal/util/encryption"
 	files_utils "databasus-backend/internal/util/files"
-
-	"github.com/google/uuid"
 )
 
 type BackupService struct {
@@ -108,7 +109,7 @@ func (s *BackupService) GetBackups(
 	user *users_models.User,
 	databaseID uuid.UUID,
 	limit, offset int,
-) (*GetBackupsResponse, error) {
+) (*backups_dto.GetBackupsResponse, error) {
 	database, err := s.databaseService.GetDatabaseByID(databaseID)
 	if err != nil {
 		return nil, err
@@ -143,7 +144,7 @@ func (s *BackupService) GetBackups(
 		return nil, err
 	}
 
-	return &GetBackupsResponse{
+	return &backups_dto.GetBackupsResponse{
 		Backups: backups,
 		Total:   total,
 		Limit:   limit,
@@ -274,7 +275,7 @@ func (s *BackupService) GetBackupFile(
 		database.WorkspaceID,
 	)
 
-	reader, err := s.getBackupReader(backupID)
+	reader, err := s.GetBackupReader(backupID)
 	if err != nil {
 		return nil, nil, nil, err
 	}
@@ -282,39 +283,9 @@ func (s *BackupService) GetBackupFile(
 	return reader, backup, database, nil
 }
 
-func (s *BackupService) deleteDbBackups(databaseID uuid.UUID) error {
-	dbBackupsInProgress, err := s.backupRepository.FindByDatabaseIdAndStatus(
-		databaseID,
-		backups_core.BackupStatusInProgress,
-	)
-	if err != nil {
-		return err
-	}
-
-	if len(dbBackupsInProgress) > 0 {
-		return errors.New("backup is in progress, storage cannot be removed")
-	}
-
-	dbBackups, err := s.backupRepository.FindByDatabaseID(
-		databaseID,
-	)
-	if err != nil {
-		return err
-	}
-
-	for _, dbBackup := range dbBackups {
-		err := s.backupCleaner.DeleteBackup(dbBackup)
-		if err != nil {
-			return err
-		}
-	}
-
-	return nil
-}
-
-// GetBackupReader returns a reader for the backup file
-// If encrypted, wraps with DecryptionReader
-func (s *BackupService) getBackupReader(backupID uuid.UUID) (io.ReadCloser, error) {
+// GetBackupReader returns a reader for the backup file.
+// If encrypted, wraps with DecryptionReader.
+func (s *BackupService) GetBackupReader(backupID uuid.UUID) (io.ReadCloser, error) {
 	backup, err := s.backupRepository.FindByID(backupID)
 	if err != nil {
 		return nil, fmt.Errorf("failed to find backup: %w", err)
@@ -394,7 +365,7 @@ func (s *BackupService) getBackupReader(backupID uuid.UUID) (io.ReadCloser, erro
 
 	s.logger.Info("Returning encrypted backup with decryption", "backupId", backupID)
 
-	return &DecryptionReaderCloser{
+	return &backups_dto.DecryptionReaderCloser{
 		DecryptionReader: decryptionReader,
 		BaseReader:       fileReader,
 	}, nil
@@ -465,7 +436,7 @@ func (s *BackupService) GetBackupFileWithoutAuth(
 		return nil, nil, nil, err
 	}
 
-	reader, err := s.getBackupReader(backupID)
+	reader, err := s.GetBackupReader(backupID)
 	if err != nil {
 		return nil, nil, nil, err
 	}
@@ -501,6 +472,36 @@ func (s *BackupService) UnregisterDownload(userID uuid.UUID) {
 	s.downloadTokenService.UnregisterDownload(userID)
 }
 
+func (s *BackupService) deleteDbBackups(databaseID uuid.UUID) error {
+	dbBackupsInProgress, err := s.backupRepository.FindByDatabaseIdAndStatus(
+		databaseID,
+		backups_core.BackupStatusInProgress,
+	)
+	if err != nil {
+		return err
+	}
+
+	if len(dbBackupsInProgress) > 0 {
+		return errors.New("backup is in progress, storage cannot be removed")
+	}
+
+	dbBackups, err := s.backupRepository.FindByDatabaseID(
+		databaseID,
+	)
+	if err != nil {
+		return err
+	}
+
+	for _, dbBackup := range dbBackups {
+		err := s.backupCleaner.DeleteBackup(dbBackup)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
 func (s *BackupService) generateBackupFilename(
 	backup *backups_core.Backup,
 	database *databases.Database,

backend/internal/features/backups/backups/usecases/mariadb/create_backup_uc.go

@@ -2,7 +2,6 @@ package usecases_mariadb
 
 import (
 	"context"
-	"encoding/base64"
 	"errors"
 	"fmt"
 	"io"
@@ -123,6 +122,10 @@ func (uc *CreateMariadbBackupUsecase) buildMariadbDumpArgs(
 
 	args = append(args, "--compress")
 
+	if !config.GetEnv().IsCloud {
+		args = append(args, "--max-allowed-packet=1G")
+	}
+
 	if mdb.IsHttps {
 		args = append(args, "--ssl")
 		args = append(args, "--skip-ssl-verify-server-cert")
@@ -276,10 +279,10 @@ func (uc *CreateMariadbBackupUsecase) createTempMyCnfFile(
 	password string,
 ) (string, error) {
 	tempFolder := config.GetEnv().TempFolder
-	if err := os.MkdirAll(tempFolder, 0700); err != nil {
+	if err := os.MkdirAll(tempFolder, 0o700); err != nil {
 		return "", fmt.Errorf("failed to ensure temp folder exists: %w", err)
 	}
-	if err := os.Chmod(tempFolder, 0700); err != nil {
+	if err := os.Chmod(tempFolder, 0o700); err != nil {
 		return "", fmt.Errorf("failed to set temp folder permissions: %w", err)
 	}
 
@@ -288,7 +291,7 @@ func (uc *CreateMariadbBackupUsecase) createTempMyCnfFile(
 		return "", fmt.Errorf("failed to create temp directory: %w", err)
 	}
 
-	if err := os.Chmod(tempDir, 0700); err != nil {
+	if err := os.Chmod(tempDir, 0o700); err != nil {
 		_ = os.RemoveAll(tempDir)
 		return "", fmt.Errorf("failed to set temp directory permissions: %w", err)
 	}
@@ -308,7 +311,7 @@ port=%d
 		content += "ssl=false\n"
 	}
 
-	err = os.WriteFile(myCnfFile, []byte(content), 0600)
+	err = os.WriteFile(myCnfFile, []byte(content), 0o600)
 	if err != nil {
 		_ = os.RemoveAll(tempDir)
 		return "", fmt.Errorf("failed to write .my.cnf: %w", err)
@@ -437,40 +440,22 @@ func (uc *CreateMariadbBackupUsecase) setupBackupEncryption(
 		return storageWriter, nil, metadata, nil
 	}
 
-	salt, err := backup_encryption.GenerateSalt()
-	if err != nil {
-		return nil, nil, metadata, fmt.Errorf("failed to generate salt: %w", err)
-	}
-
-	nonce, err := backup_encryption.GenerateNonce()
-	if err != nil {
-		return nil, nil, metadata, fmt.Errorf("failed to generate nonce: %w", err)
-	}
-
 	masterKey, err := uc.secretKeyService.GetSecretKey()
 	if err != nil {
 		return nil, nil, metadata, fmt.Errorf("failed to get master key: %w", err)
 	}
 
-	encWriter, err := backup_encryption.NewEncryptionWriter(
-		storageWriter,
-		masterKey,
-		backupID,
-		salt,
-		nonce,
-	)
+	encSetup, err := backup_encryption.SetupEncryptionWriter(storageWriter, masterKey, backupID)
 	if err != nil {
-		return nil, nil, metadata, fmt.Errorf("failed to create encrypting writer: %w", err)
+		return nil, nil, metadata, err
 	}
 
-	saltBase64 := base64.StdEncoding.EncodeToString(salt)
-	nonceBase64 := base64.StdEncoding.EncodeToString(nonce)
-	metadata.EncryptionSalt = &saltBase64
-	metadata.EncryptionIV = &nonceBase64
+	metadata.EncryptionSalt = &encSetup.SaltBase64
+	metadata.EncryptionIV = &encSetup.NonceBase64
 	metadata.Encryption = backups_config.BackupEncryptionEncrypted
 
 	uc.logger.Info("Encryption enabled for backup", "backupId", backupID)
-	return encWriter, encWriter, metadata, nil
+	return encSetup.Writer, encSetup.Writer, metadata, nil
 }
 
 func (uc *CreateMariadbBackupUsecase) cleanupOnCancellation(
@@ -563,8 +548,8 @@ func (uc *CreateMariadbBackupUsecase) buildMariadbDumpErrorMessage(
 		stderrStr,
 	)
 
-	exitErr, ok := waitErr.(*exec.ExitError)
-	if !ok {
+	var exitErr *exec.ExitError
+	if !errors.As(waitErr, &exitErr) {
 		return errors.New(errorMsg)
 	}
 

backend/internal/features/backups/backups/usecases/mongodb/create_backup_uc.go

@@ -2,7 +2,6 @@ package usecases_mongodb
 
 import (
 	"context"
-	"encoding/base64"
 	"errors"
 	"fmt"
 	"io"
@@ -277,41 +276,21 @@ func (uc *CreateMongodbBackupUsecase) setupBackupEncryption(
 		return storageWriter, nil, backupMetadata, nil
 	}
 
-	salt, err := backup_encryption.GenerateSalt()
-	if err != nil {
-		return nil, nil, backupMetadata, fmt.Errorf("failed to generate salt: %w", err)
-	}
-
-	nonce, err := backup_encryption.GenerateNonce()
-	if err != nil {
-		return nil, nil, backupMetadata, fmt.Errorf("failed to generate nonce: %w", err)
-	}
-
 	masterKey, err := uc.secretKeyService.GetSecretKey()
 	if err != nil {
 		return nil, nil, backupMetadata, fmt.Errorf("failed to get master key: %w", err)
 	}
 
-	encryptionWriter, err := backup_encryption.NewEncryptionWriter(
-		storageWriter,
-		masterKey,
-		backupID,
-		salt,
-		nonce,
-	)
+	encSetup, err := backup_encryption.SetupEncryptionWriter(storageWriter, masterKey, backupID)
 	if err != nil {
-		return nil, nil, backupMetadata, fmt.Errorf("failed to create encryption writer: %w", err)
+		return nil, nil, backupMetadata, err
 	}
 
-	saltBase64 := base64.StdEncoding.EncodeToString(salt)
-	nonceBase64 := base64.StdEncoding.EncodeToString(nonce)
-
-	backupMetadata.BackupID = backupID
 	backupMetadata.Encryption = backups_config.BackupEncryptionEncrypted
-	backupMetadata.EncryptionSalt = &saltBase64
-	backupMetadata.EncryptionIV = &nonceBase64
+	backupMetadata.EncryptionSalt = &encSetup.SaltBase64
+	backupMetadata.EncryptionIV = &encSetup.NonceBase64
 
-	return encryptionWriter, encryptionWriter, backupMetadata, nil
+	return encSetup.Writer, encSetup.Writer, backupMetadata, nil
 }
 
 func (uc *CreateMongodbBackupUsecase) copyWithShutdownCheck(

backend/internal/features/backups/backups/usecases/mysql/create_backup_uc.go

@@ -2,7 +2,6 @@ package usecases_mysql
 
 import (
 	"context"
-	"encoding/base64"
 	"errors"
 	"fmt"
 	"io"
@@ -119,7 +118,11 @@ func (uc *CreateMysqlBackupUsecase) buildMysqldumpArgs(my *mysqltypes.MysqlDatab
 		args = append(args, "--events")
 	}
 
-	args = append(args, uc.getNetworkCompressionArgs(my.Version)...)
+	args = append(args, uc.getNetworkCompressionArgs(my)...)
+
+	if !config.GetEnv().IsCloud {
+		args = append(args, "--max-allowed-packet=1G")
+	}
 
 	if my.IsHttps {
 		args = append(args, "--ssl-mode=REQUIRED")
@@ -132,15 +135,21 @@ func (uc *CreateMysqlBackupUsecase) buildMysqldumpArgs(my *mysqltypes.MysqlDatab
 	return args
 }
 
-func (uc *CreateMysqlBackupUsecase) getNetworkCompressionArgs(version tools.MysqlVersion) []string {
+func (uc *CreateMysqlBackupUsecase) getNetworkCompressionArgs(
+	my *mysqltypes.MysqlDatabase,
+) []string {
 	const zstdCompressionLevel = 5
 
-	switch version {
+	switch my.Version {
 	case tools.MysqlVersion80, tools.MysqlVersion84, tools.MysqlVersion9:
-		return []string{
-			"--compression-algorithms=zstd",
-			fmt.Sprintf("--zstd-compression-level=%d", zstdCompressionLevel),
+		if my.IsZstdSupported {
+			return []string{
+				"--compression-algorithms=zstd",
+				fmt.Sprintf("--zstd-compression-level=%d", zstdCompressionLevel),
+			}
 		}
+
+		return []string{"--compress"}
 	case tools.MysqlVersion57:
 		return []string{"--compress"}
 	default:
@@ -289,10 +298,10 @@ func (uc *CreateMysqlBackupUsecase) createTempMyCnfFile(
 	password string,
 ) (string, error) {
 	tempFolder := config.GetEnv().TempFolder
-	if err := os.MkdirAll(tempFolder, 0700); err != nil {
+	if err := os.MkdirAll(tempFolder, 0o700); err != nil {
 		return "", fmt.Errorf("failed to ensure temp folder exists: %w", err)
 	}
-	if err := os.Chmod(tempFolder, 0700); err != nil {
+	if err := os.Chmod(tempFolder, 0o700); err != nil {
 		return "", fmt.Errorf("failed to set temp folder permissions: %w", err)
 	}
 
@@ -301,7 +310,7 @@ func (uc *CreateMysqlBackupUsecase) createTempMyCnfFile(
 		return "", fmt.Errorf("failed to create temp directory: %w", err)
 	}
 
-	if err := os.Chmod(tempDir, 0700); err != nil {
+	if err := os.Chmod(tempDir, 0o700); err != nil {
 		_ = os.RemoveAll(tempDir)
 		return "", fmt.Errorf("failed to set temp directory permissions: %w", err)
 	}
@@ -319,7 +328,7 @@ port=%d
 		content += "ssl-mode=REQUIRED\n"
 	}
 
-	err = os.WriteFile(myCnfFile, []byte(content), 0600)
+	err = os.WriteFile(myCnfFile, []byte(content), 0o600)
 	if err != nil {
 		_ = os.RemoveAll(tempDir)
 		return "", fmt.Errorf("failed to write .my.cnf: %w", err)
@@ -448,40 +457,22 @@ func (uc *CreateMysqlBackupUsecase) setupBackupEncryption(
 		return storageWriter, nil, metadata, nil
 	}
 
-	salt, err := backup_encryption.GenerateSalt()
-	if err != nil {
-		return nil, nil, metadata, fmt.Errorf("failed to generate salt: %w", err)
-	}
-
-	nonce, err := backup_encryption.GenerateNonce()
-	if err != nil {
-		return nil, nil, metadata, fmt.Errorf("failed to generate nonce: %w", err)
-	}
-
 	masterKey, err := uc.secretKeyService.GetSecretKey()
 	if err != nil {
 		return nil, nil, metadata, fmt.Errorf("failed to get master key: %w", err)
 	}
 
-	encWriter, err := backup_encryption.NewEncryptionWriter(
-		storageWriter,
-		masterKey,
-		backupID,
-		salt,
-		nonce,
-	)
+	encSetup, err := backup_encryption.SetupEncryptionWriter(storageWriter, masterKey, backupID)
 	if err != nil {
-		return nil, nil, metadata, fmt.Errorf("failed to create encrypting writer: %w", err)
+		return nil, nil, metadata, err
 	}
 
-	saltBase64 := base64.StdEncoding.EncodeToString(salt)
-	nonceBase64 := base64.StdEncoding.EncodeToString(nonce)
-	metadata.EncryptionSalt = &saltBase64
-	metadata.EncryptionIV = &nonceBase64
+	metadata.EncryptionSalt = &encSetup.SaltBase64
+	metadata.EncryptionIV = &encSetup.NonceBase64
 	metadata.Encryption = backups_config.BackupEncryptionEncrypted
 
 	uc.logger.Info("Encryption enabled for backup", "backupId", backupID)
-	return encWriter, encWriter, metadata, nil
+	return encSetup.Writer, encSetup.Writer, metadata, nil
 }
 
 func (uc *CreateMysqlBackupUsecase) cleanupOnCancellation(
@@ -574,8 +565,8 @@ func (uc *CreateMysqlBackupUsecase) buildMysqldumpErrorMessage(
 		stderrStr,
 	)
 
-	exitErr, ok := waitErr.(*exec.ExitError)
-	if !ok {
+	var exitErr *exec.ExitError
+	if !errors.As(waitErr, &exitErr) {
 		return errors.New(errorMsg)
 	}
 
@@ -604,6 +595,15 @@ func (uc *CreateMysqlBackupUsecase) handleConnectionErrors(stderrStr string) err
 		)
 	}
 
+	if containsIgnoreCase(stderrStr, "compression algorithm") ||
+		containsIgnoreCase(stderrStr, "2066") {
+		return fmt.Errorf(
+			"MySQL connection failed due to unsupported compression algorithm. "+
+				"Try re-saving the database connection to re-detect compression support. stderr: %s",
+			stderrStr,
+		)
+	}
+
 	if containsIgnoreCase(stderrStr, "unknown database") {
 		return fmt.Errorf(
 			"MySQL database does not exist. stderr: %s",

backend/internal/features/backups/backups/usecases/postgresql/create_backup_uc.go

@@ -2,7 +2,6 @@ package usecases_postgresql
 
 import (
 	"context"
-	"encoding/base64"
 	"errors"
 	"fmt"
 	"io"
@@ -14,6 +13,8 @@ import (
 	"strings"
 	"time"
 
+	"github.com/google/uuid"
+
 	"databasus-backend/internal/config"
 	common "databasus-backend/internal/features/backups/backups/common"
 	backups_core "databasus-backend/internal/features/backups/backups/core"
@@ -25,8 +26,6 @@ import (
 	"databasus-backend/internal/features/storages"
 	"databasus-backend/internal/util/encryption"
 	"databasus-backend/internal/util/tools"
-
-	"github.com/google/uuid"
 )
 
 const (
@@ -492,40 +491,22 @@ func (uc *CreatePostgresqlBackupUsecase) setupBackupEncryption(
 		return storageWriter, nil, metadata, nil
 	}
 
-	salt, err := backup_encryption.GenerateSalt()
-	if err != nil {
-		return nil, nil, metadata, fmt.Errorf("failed to generate salt: %w", err)
-	}
-
-	nonce, err := backup_encryption.GenerateNonce()
-	if err != nil {
-		return nil, nil, metadata, fmt.Errorf("failed to generate nonce: %w", err)
-	}
-
 	masterKey, err := uc.secretKeyService.GetSecretKey()
 	if err != nil {
 		return nil, nil, metadata, fmt.Errorf("failed to get master key: %w", err)
 	}
 
-	encWriter, err := backup_encryption.NewEncryptionWriter(
-		storageWriter,
-		masterKey,
-		backupID,
-		salt,
-		nonce,
-	)
+	encSetup, err := backup_encryption.SetupEncryptionWriter(storageWriter, masterKey, backupID)
 	if err != nil {
-		return nil, nil, metadata, fmt.Errorf("failed to create encrypting writer: %w", err)
+		return nil, nil, metadata, err
 	}
 
-	saltBase64 := base64.StdEncoding.EncodeToString(salt)
-	nonceBase64 := base64.StdEncoding.EncodeToString(nonce)
-	metadata.EncryptionSalt = &saltBase64
-	metadata.EncryptionIV = &nonceBase64
+	metadata.EncryptionSalt = &encSetup.SaltBase64
+	metadata.EncryptionIV = &encSetup.NonceBase64
 	metadata.Encryption = backups_config.BackupEncryptionEncrypted
 
 	uc.logger.Info("Encryption enabled for backup", "backupId", backupID)
-	return encWriter, encWriter, metadata, nil
+	return encSetup.Writer, encSetup.Writer, metadata, nil
 }
 
 func (uc *CreatePostgresqlBackupUsecase) cleanupOnCancellation(
@@ -614,8 +595,8 @@ func (uc *CreatePostgresqlBackupUsecase) buildPgDumpErrorMessage(
 	stderrStr := string(stderrOutput)
 	errorMsg := fmt.Sprintf("%s failed: %v – stderr: %s", filepath.Base(pgBin), waitErr, stderrStr)
 
-	exitErr, ok := waitErr.(*exec.ExitError)
-	if !ok {
+	var exitErr *exec.ExitError
+	if !errors.As(waitErr, &exitErr) {
 		return errors.New(errorMsg)
 	}
 
@@ -767,10 +748,10 @@ func (uc *CreatePostgresqlBackupUsecase) createTempPgpassFile(
 	)
 
 	tempFolder := config.GetEnv().TempFolder
-	if err := os.MkdirAll(tempFolder, 0700); err != nil {
+	if err := os.MkdirAll(tempFolder, 0o700); err != nil {
 		return "", fmt.Errorf("failed to ensure temp folder exists: %w", err)
 	}
-	if err := os.Chmod(tempFolder, 0700); err != nil {
+	if err := os.Chmod(tempFolder, 0o700); err != nil {
 		return "", fmt.Errorf("failed to set temp folder permissions: %w", err)
 	}
 
@@ -779,13 +760,13 @@ func (uc *CreatePostgresqlBackupUsecase) createTempPgpassFile(
 		return "", fmt.Errorf("failed to create temporary directory: %w", err)
 	}
 
-	if err := os.Chmod(tempDir, 0700); err != nil {
+	if err := os.Chmod(tempDir, 0o700); err != nil {
 		_ = os.RemoveAll(tempDir)
 		return "", fmt.Errorf("failed to set temporary directory permissions: %w", err)
 	}
 
 	pgpassFile := filepath.Join(tempDir, ".pgpass")
-	err = os.WriteFile(pgpassFile, []byte(pgpassContent), 0600)
+	err = os.WriteFile(pgpassFile, []byte(pgpassContent), 0o600)
 	if err != nil {
 		_ = os.RemoveAll(tempDir)
 		return "", fmt.Errorf("failed to write temporary .pgpass file: %w", err)

backend/internal/features/backups/config/controller.go

@@ -4,10 +4,10 @@ import (
 	"errors"
 	"net/http"
 
-	users_middleware "databasus-backend/internal/features/users/middleware"
-
 	"github.com/gin-gonic/gin"
 	"github.com/google/uuid"
+
+	users_middleware "databasus-backend/internal/features/users/middleware"
 )
 
 type BackupConfigController struct {

backend/internal/features/backups/config/di.go

@@ -12,16 +12,19 @@ import (
 	"databasus-backend/internal/util/logger"
 )
 
-var backupConfigRepository = &BackupConfigRepository{}
-var backupConfigService = &BackupConfigService{
-	backupConfigRepository,
-	databases.GetDatabaseService(),
-	storages.GetStorageService(),
-	notifiers.GetNotifierService(),
-	workspaces_services.GetWorkspaceService(),
-	plans.GetDatabasePlanService(),
-	nil,
-}
+var (
+	backupConfigRepository = &BackupConfigRepository{}
+	backupConfigService    = &BackupConfigService{
+		backupConfigRepository,
+		databases.GetDatabaseService(),
+		storages.GetStorageService(),
+		notifiers.GetNotifierService(),
+		workspaces_services.GetWorkspaceService(),
+		plans.GetDatabasePlanService(),
+		nil,
+	}
+)
+
 var backupConfigController = &BackupConfigController{
 	backupConfigService,
 }

backend/internal/features/backups/config/model.go

@@ -1,16 +1,17 @@
 package backups_config
 
 import (
-	"databasus-backend/internal/config"
-	"databasus-backend/internal/features/intervals"
-	plans "databasus-backend/internal/features/plan"
-	"databasus-backend/internal/features/storages"
-	"databasus-backend/internal/util/period"
 	"errors"
 	"strings"
 
 	"github.com/google/uuid"
 	"gorm.io/gorm"
+
+	"databasus-backend/internal/config"
+	"databasus-backend/internal/features/intervals"
+	plans "databasus-backend/internal/features/plan"
+	"databasus-backend/internal/features/storages"
+	"databasus-backend/internal/util/period"
 )
 
 type BackupConfig struct {
@@ -43,7 +44,7 @@ type BackupConfig struct {
 	Encryption BackupEncryption `json:"encryption" gorm:"column:encryption;type:text;not null;default:'NONE'"`
 
 	// MaxBackupSizeMB limits individual backup size. 0 = unlimited.
-	MaxBackupSizeMB int64 `json:"maxBackupSizeMb"       gorm:"column:max_backup_size_mb;type:int;not null"`
+	MaxBackupSizeMB int64 `json:"maxBackupSizeMb" gorm:"column:max_backup_size_mb;type:int;not null"`
 	// MaxBackupsTotalSizeMB limits total size of all backups. 0 = unlimited.
 	MaxBackupsTotalSizeMB int64 `json:"maxBackupsTotalSizeMb" gorm:"column:max_backups_total_size_mb;type:int;not null"`
 }

backend/internal/features/backups/config/model_test.go

@@ -3,12 +3,12 @@ package backups_config
 import (
 	"testing"
 
+	"github.com/google/uuid"
+	"github.com/stretchr/testify/assert"
+
 	"databasus-backend/internal/features/intervals"
 	plans "databasus-backend/internal/features/plan"
 	"databasus-backend/internal/util/period"
-
-	"github.com/google/uuid"
-	"github.com/stretchr/testify/assert"
 )
 
 func Test_Validate_WhenRetentionTimePeriodIsWeekAndPlanAllowsMonth_ValidationPasses(t *testing.T) {

backend/internal/features/backups/config/repository.go

@@ -1,11 +1,12 @@
 package backups_config
 
 import (
-	"databasus-backend/internal/storage"
 	"errors"
 
 	"github.com/google/uuid"
 	"gorm.io/gorm"
+
+	"databasus-backend/internal/storage"
 )
 
 type BackupConfigRepository struct{}
@@ -47,7 +48,6 @@ func (r *BackupConfigRepository) Save(
 
 		return nil
 	})
-
 	if err != nil {
 		return nil, err
 	}

backend/internal/features/backups/config/service.go

@@ -3,6 +3,8 @@ package backups_config
 import (
 	"errors"
 
+	"github.com/google/uuid"
+
 	"databasus-backend/internal/features/databases"
 	"databasus-backend/internal/features/intervals"
 	"databasus-backend/internal/features/notifiers"
@@ -10,8 +12,6 @@ import (
 	"databasus-backend/internal/features/storages"
 	users_models "databasus-backend/internal/features/users/models"
 	workspaces_services "databasus-backend/internal/features/workspaces/services"
-
-	"github.com/google/uuid"
 )
 
 type BackupConfigService struct {
@@ -214,39 +214,6 @@ func (s *BackupConfigService) CreateDisabledBackupConfig(databaseID uuid.UUID) e
 	return s.initializeDefaultConfig(databaseID)
 }
 
-func (s *BackupConfigService) initializeDefaultConfig(
-	databaseID uuid.UUID,
-) error {
-	plan, err := s.databasePlanService.GetDatabasePlan(databaseID)
-	if err != nil {
-		return err
-	}
-
-	timeOfDay := "04:00"
-
-	_, err = s.backupConfigRepository.Save(&BackupConfig{
-		DatabaseID:            databaseID,
-		IsBackupsEnabled:      false,
-		RetentionPolicyType:   RetentionPolicyTypeTimePeriod,
-		RetentionTimePeriod:   plan.MaxStoragePeriod,
-		MaxBackupSizeMB:       plan.MaxBackupSizeMB,
-		MaxBackupsTotalSizeMB: plan.MaxBackupsTotalSizeMB,
-		BackupInterval: &intervals.Interval{
-			Interval:  intervals.IntervalDaily,
-			TimeOfDay: &timeOfDay,
-		},
-		SendNotificationsOn: []BackupNotificationType{
-			NotificationBackupFailed,
-			NotificationBackupSuccess,
-		},
-		IsRetryIfFailed:     true,
-		MaxFailedTriesCount: 3,
-		Encryption:          BackupEncryptionNone,
-	})
-
-	return err
-}
-
 func (s *BackupConfigService) TransferDatabaseToWorkspace(
 	user *users_models.User,
 	databaseID uuid.UUID,
@@ -290,7 +257,8 @@ func (s *BackupConfigService) TransferDatabaseToWorkspace(
 		s.transferNotifiers(user, database, request.TargetWorkspaceID)
 	}
 
-	if request.IsTransferWithStorage {
+	switch {
+	case request.IsTransferWithStorage:
 		if backupConfig.StorageID == nil {
 			return ErrDatabaseHasNoStorage
 		}
@@ -315,7 +283,7 @@ func (s *BackupConfigService) TransferDatabaseToWorkspace(
 		if err != nil {
 			return err
 		}
-	} else if request.TargetStorageID != nil {
+	case request.TargetStorageID != nil:
 		targetStorage, err := s.storageService.GetStorageByID(*request.TargetStorageID)
 		if err != nil {
 			return err
@@ -332,7 +300,7 @@ func (s *BackupConfigService) TransferDatabaseToWorkspace(
 		if err != nil {
 			return err
 		}
-	} else {
+	default:
 		return ErrTargetStorageNotSpecified
 	}
 
@@ -351,6 +319,39 @@ func (s *BackupConfigService) TransferDatabaseToWorkspace(
 	return nil
 }
 
+func (s *BackupConfigService) initializeDefaultConfig(
+	databaseID uuid.UUID,
+) error {
+	plan, err := s.databasePlanService.GetDatabasePlan(databaseID)
+	if err != nil {
+		return err
+	}
+
+	timeOfDay := "04:00"
+
+	_, err = s.backupConfigRepository.Save(&BackupConfig{
+		DatabaseID:            databaseID,
+		IsBackupsEnabled:      false,
+		RetentionPolicyType:   RetentionPolicyTypeTimePeriod,
+		RetentionTimePeriod:   plan.MaxStoragePeriod,
+		MaxBackupSizeMB:       plan.MaxBackupSizeMB,
+		MaxBackupsTotalSizeMB: plan.MaxBackupsTotalSizeMB,
+		BackupInterval: &intervals.Interval{
+			Interval:  intervals.IntervalDaily,
+			TimeOfDay: &timeOfDay,
+		},
+		SendNotificationsOn: []BackupNotificationType{
+			NotificationBackupFailed,
+			NotificationBackupSuccess,
+		},
+		IsRetryIfFailed:     true,
+		MaxFailedTriesCount: 3,
+		Encryption:          BackupEncryptionNone,
+	})
+
+	return err
+}
+
 func (s *BackupConfigService) transferNotifiers(
 	user *users_models.User,
 	database *databases.Database,

backend/internal/features/backups/config/testing.go

@@ -1,11 +1,11 @@
 package backups_config
 
 import (
+	"github.com/google/uuid"
+
 	"databasus-backend/internal/features/intervals"
 	"databasus-backend/internal/features/storages"
 	"databasus-backend/internal/util/period"
-
-	"github.com/google/uuid"
 )
 
 func EnableBackupsForTestDatabase(

backend/internal/features/databases/controller.go

@@ -1,13 +1,14 @@
 package databases
 
 import (
-	users_middleware "databasus-backend/internal/features/users/middleware"
-	users_services "databasus-backend/internal/features/users/services"
-	workspaces_services "databasus-backend/internal/features/workspaces/services"
 	"net/http"
 
 	"github.com/gin-gonic/gin"
 	"github.com/google/uuid"
+
+	users_middleware "databasus-backend/internal/features/users/middleware"
+	users_services "databasus-backend/internal/features/users/services"
+	workspaces_services "databasus-backend/internal/features/workspaces/services"
 )
 
 type DatabaseController struct {
@@ -29,6 +30,11 @@ func (c *DatabaseController) RegisterRoutes(router *gin.RouterGroup) {
 	router.GET("/databases/notifier/:id/databases-count", c.CountDatabasesByNotifier)
 	router.POST("/databases/is-readonly", c.IsUserReadOnly)
 	router.POST("/databases/create-readonly-user", c.CreateReadOnlyUser)
+	router.POST("/databases/:id/regenerate-token", c.RegenerateAgentToken)
+}
+
+func (c *DatabaseController) RegisterPublicRoutes(router *gin.RouterGroup) {
+	router.POST("/databases/verify-token", c.VerifyAgentToken)
 }
 
 // CreateDatabase
@@ -438,3 +444,61 @@ func (c *DatabaseController) CreateReadOnlyUser(ctx *gin.Context) {
 		Password: password,
 	})
 }
+
+// RegenerateAgentToken
+// @Summary Regenerate agent token for a database
+// @Description Generate a new agent token for the database. The token is returned once and stored as a hash.
+// @Tags databases
+// @Produce json
+// @Security BearerAuth
+// @Param id path string true "Database ID"
+// @Success 200 {object} map[string]string
+// @Failure 400 {object} map[string]string
+// @Failure 401 {object} map[string]string
+// @Router /databases/{id}/regenerate-token [post]
+func (c *DatabaseController) RegenerateAgentToken(ctx *gin.Context) {
+	user, ok := users_middleware.GetUserFromContext(ctx)
+	if !ok {
+		ctx.JSON(http.StatusUnauthorized, gin.H{"error": "User not authenticated"})
+		return
+	}
+
+	id, err := uuid.Parse(ctx.Param("id"))
+	if err != nil {
+		ctx.JSON(http.StatusBadRequest, gin.H{"error": "invalid database ID"})
+		return
+	}
+
+	token, err := c.databaseService.RegenerateAgentToken(user, id)
+	if err != nil {
+		ctx.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+
+	ctx.JSON(http.StatusOK, gin.H{"token": token})
+}
+
+// VerifyAgentToken
+// @Summary Verify agent token
+// @Description Verify that a given agent token is valid for any database
+// @Tags databases
+// @Accept json
+// @Produce json
+// @Param request body VerifyAgentTokenRequest true "Token to verify"
+// @Success 200 {object} map[string]string
+// @Failure 401 {object} map[string]string
+// @Router /databases/verify-token [post]
+func (c *DatabaseController) VerifyAgentToken(ctx *gin.Context) {
+	var request VerifyAgentTokenRequest
+	if err := ctx.ShouldBindJSON(&request); err != nil {
+		ctx.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+
+	if err := c.databaseService.VerifyAgentToken(request.Token); err != nil {
+		ctx.JSON(http.StatusUnauthorized, gin.H{"error": "invalid token"})
+		return
+	}
+
+	ctx.JSON(http.StatusOK, gin.H{"message": "token is valid"})
+}

backend/internal/features/databases/controller_test.go

@@ -13,10 +13,13 @@ import (
 	"github.com/stretchr/testify/assert"
 
 	"databasus-backend/internal/config"
+	"databasus-backend/internal/features/audit_logs"
 	"databasus-backend/internal/features/databases/databases/mariadb"
 	"databasus-backend/internal/features/databases/databases/mongodb"
 	"databasus-backend/internal/features/databases/databases/postgresql"
 	users_enums "databasus-backend/internal/features/users/enums"
+	users_middleware "databasus-backend/internal/features/users/middleware"
+	users_services "databasus-backend/internal/features/users/services"
 	users_testing "databasus-backend/internal/features/users/testing"
 	workspaces_controllers "databasus-backend/internal/features/workspaces/controllers"
 	workspaces_testing "databasus-backend/internal/features/workspaces/testing"
@@ -144,6 +147,66 @@ func Test_CreateDatabase_WhenUserIsNotWorkspaceMember_ReturnsForbidden(t *testin
 	assert.Contains(t, string(testResp.Body), "insufficient permissions")
 }
 
+func Test_CreateDatabase_WalV1Type_NoConnectionFieldsRequired(t *testing.T) {
+	router := createTestRouter()
+	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
+	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
+	defer workspaces_testing.RemoveTestWorkspace(workspace, router)
+
+	request := Database{
+		Name:        "Test WAL Database",
+		WorkspaceID: &workspace.ID,
+		Type:        DatabaseTypePostgres,
+		Postgresql: &postgresql.PostgresqlDatabase{
+			BackupType: postgresql.PostgresBackupTypeWalV1,
+			CpuCount:   1,
+		},
+	}
+
+	var response Database
+	test_utils.MakePostRequestAndUnmarshal(
+		t,
+		router,
+		"/api/v1/databases/create",
+		"Bearer "+owner.Token,
+		request,
+		http.StatusCreated,
+		&response,
+	)
+	defer RemoveTestDatabase(&response)
+
+	assert.Equal(t, "Test WAL Database", response.Name)
+	assert.NotEqual(t, uuid.Nil, response.ID)
+}
+
+func Test_CreateDatabase_PgDumpType_ConnectionFieldsRequired(t *testing.T) {
+	router := createTestRouter()
+	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
+	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
+	defer workspaces_testing.RemoveTestWorkspace(workspace, router)
+
+	request := Database{
+		Name:        "Test PG_DUMP Database",
+		WorkspaceID: &workspace.ID,
+		Type:        DatabaseTypePostgres,
+		Postgresql: &postgresql.PostgresqlDatabase{
+			BackupType: postgresql.PostgresBackupTypePgDump,
+			CpuCount:   1,
+		},
+	}
+
+	testResp := test_utils.MakePostRequest(
+		t,
+		router,
+		"/api/v1/databases/create",
+		"Bearer "+owner.Token,
+		request,
+		http.StatusBadRequest,
+	)
+
+	assert.Contains(t, string(testResp.Body), "host is required")
+}
+
 func Test_UpdateDatabase_PermissionsEnforced(t *testing.T) {
 	tests := []struct {
 		name               string
@@ -256,6 +319,52 @@ func Test_UpdateDatabase_WhenUserIsNotWorkspaceMember_ReturnsForbidden(t *testin
 	assert.Contains(t, string(testResp.Body), "insufficient permissions")
 }
 
+func Test_UpdateDatabase_WhenDatabaseTypeChanged_ReturnsBadRequest(t *testing.T) {
+	router := createTestRouter()
+	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
+	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
+	defer workspaces_testing.RemoveTestWorkspace(workspace, router)
+
+	database := createTestDatabaseViaAPI("Test Database", workspace.ID, owner.Token, router)
+	defer RemoveTestDatabase(database)
+
+	database.Type = DatabaseTypeMysql
+
+	testResp := test_utils.MakePostRequest(
+		t,
+		router,
+		"/api/v1/databases/update",
+		"Bearer "+owner.Token,
+		database,
+		http.StatusBadRequest,
+	)
+
+	assert.Contains(t, string(testResp.Body), "database type cannot be changed")
+}
+
+func Test_UpdateDatabase_WhenBackupTypeChanged_ReturnsBadRequest(t *testing.T) {
+	router := createTestRouter()
+	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
+	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
+	defer workspaces_testing.RemoveTestWorkspace(workspace, router)
+
+	database := createTestDatabaseViaAPI("Test Database", workspace.ID, owner.Token, router)
+	defer RemoveTestDatabase(database)
+
+	database.Postgresql.BackupType = postgresql.PostgresBackupTypeWalV1
+
+	testResp := test_utils.MakePostRequest(
+		t,
+		router,
+		"/api/v1/databases/update",
+		"Bearer "+owner.Token,
+		database,
+		http.StatusBadRequest,
+	)
+
+	assert.Contains(t, string(testResp.Body), "backup type cannot be changed")
+}
+
 func Test_DeleteDatabase_PermissionsEnforced(t *testing.T) {
 	tests := []struct {
 		name               string
@@ -753,7 +862,7 @@ func Test_DatabaseSensitiveDataLifecycle_AllTypes(t *testing.T) {
 		name                string
 		databaseType        DatabaseType
 		createDatabase      func(workspaceID uuid.UUID) *Database
-		updateDatabase      func(workspaceID uuid.UUID, databaseID uuid.UUID) *Database
+		updateDatabase      func(workspaceID, databaseID uuid.UUID) *Database
 		verifySensitiveData func(t *testing.T, database *Database)
 		verifyHiddenData    func(t *testing.T, database *Database)
 	}{
@@ -769,7 +878,7 @@ func Test_DatabaseSensitiveDataLifecycle_AllTypes(t *testing.T) {
 					Postgresql:  pgConfig,
 				}
 			},
-			updateDatabase: func(workspaceID uuid.UUID, databaseID uuid.UUID) *Database {
+			updateDatabase: func(workspaceID, databaseID uuid.UUID) *Database {
 				pgConfig := getTestPostgresConfig()
 				pgConfig.Password = ""
 				return &Database{
@@ -805,7 +914,7 @@ func Test_DatabaseSensitiveDataLifecycle_AllTypes(t *testing.T) {
 					Mariadb:     mariaConfig,
 				}
 			},
-			updateDatabase: func(workspaceID uuid.UUID, databaseID uuid.UUID) *Database {
+			updateDatabase: func(workspaceID, databaseID uuid.UUID) *Database {
 				mariaConfig := getTestMariadbConfig()
 				mariaConfig.Password = ""
 				return &Database{
@@ -841,7 +950,7 @@ func Test_DatabaseSensitiveDataLifecycle_AllTypes(t *testing.T) {
 					Mongodb:     mongoConfig,
 				}
 			},
-			updateDatabase: func(workspaceID uuid.UUID, databaseID uuid.UUID) *Database {
+			updateDatabase: func(workspaceID, databaseID uuid.UUID) *Database {
 				mongoConfig := getTestMongodbConfig()
 				mongoConfig.Password = ""
 				return &Database{
@@ -1050,6 +1159,87 @@ func Test_TestConnection_PermissionsEnforced(t *testing.T) {
 	}
 }
 
+func Test_RegenerateAgentToken_ReturnsToken(t *testing.T) {
+	router := createTestRouter()
+	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
+	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
+	defer workspaces_testing.RemoveTestWorkspace(workspace, router)
+
+	database := createTestDatabaseViaAPI("Test Database", workspace.ID, owner.Token, router)
+	defer RemoveTestDatabase(database)
+
+	var response map[string]string
+	test_utils.MakePostRequestAndUnmarshal(
+		t,
+		router,
+		"/api/v1/databases/"+database.ID.String()+"/regenerate-token",
+		"Bearer "+owner.Token,
+		nil,
+		http.StatusOK,
+		&response,
+	)
+
+	assert.NotEmpty(t, response["token"])
+	assert.Len(t, response["token"], 32)
+
+	var updatedDatabase Database
+	test_utils.MakeGetRequestAndUnmarshal(
+		t,
+		router,
+		"/api/v1/databases/"+database.ID.String(),
+		"Bearer "+owner.Token,
+		http.StatusOK,
+		&updatedDatabase,
+	)
+	assert.True(t, updatedDatabase.IsAgentTokenGenerated)
+}
+
+func Test_VerifyAgentToken_WithValidToken_Succeeds(t *testing.T) {
+	router := createTestRouter()
+	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
+	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
+	defer workspaces_testing.RemoveTestWorkspace(workspace, router)
+
+	database := createTestDatabaseViaAPI("Test Database", workspace.ID, owner.Token, router)
+	defer RemoveTestDatabase(database)
+
+	var regenerateResponse map[string]string
+	test_utils.MakePostRequestAndUnmarshal(
+		t,
+		router,
+		"/api/v1/databases/"+database.ID.String()+"/regenerate-token",
+		"Bearer "+owner.Token,
+		nil,
+		http.StatusOK,
+		&regenerateResponse,
+	)
+
+	token := regenerateResponse["token"]
+	assert.NotEmpty(t, token)
+
+	w := workspaces_testing.MakeAPIRequest(
+		router,
+		"POST",
+		"/api/v1/databases/verify-token",
+		"",
+		VerifyAgentTokenRequest{Token: token},
+	)
+	assert.Equal(t, http.StatusOK, w.Code)
+}
+
+func Test_VerifyAgentToken_WithInvalidToken_Returns401(t *testing.T) {
+	router := createTestRouter()
+
+	w := workspaces_testing.MakeAPIRequest(
+		router,
+		"POST",
+		"/api/v1/databases/verify-token",
+		"",
+		VerifyAgentTokenRequest{Token: "invalidtoken00000000000000000000"},
+	)
+	assert.Equal(t, http.StatusUnauthorized, w.Code)
+}
+
 func createTestDatabaseViaAPI(
 	name string,
 	workspaceID uuid.UUID,
@@ -1101,11 +1291,20 @@ func createTestDatabaseViaAPI(
 }
 
 func createTestRouter() *gin.Engine {
-	router := workspaces_testing.CreateTestRouter(
-		workspaces_controllers.GetWorkspaceController(),
-		workspaces_controllers.GetMembershipController(),
-		GetDatabaseController(),
-	)
+	gin.SetMode(gin.TestMode)
+	router := gin.New()
+
+	v1 := router.Group("/api/v1")
+	protected := v1.Group("").Use(users_middleware.AuthMiddleware(users_services.GetUserService()))
+
+	workspaces_controllers.GetWorkspaceController().RegisterRoutes(protected.(*gin.RouterGroup))
+	workspaces_controllers.GetMembershipController().RegisterRoutes(protected.(*gin.RouterGroup))
+	GetDatabaseController().RegisterRoutes(protected.(*gin.RouterGroup))
+
+	GetDatabaseController().RegisterPublicRoutes(v1)
+
+	audit_logs.SetupDependencies()
+
 	return router
 }
 
@@ -1118,13 +1317,14 @@ func getTestPostgresConfig() *postgresql.PostgresqlDatabase {
 
 	testDbName := "testdb"
 	return &postgresql.PostgresqlDatabase{
-		Version:  tools.PostgresqlVersion16,
-		Host:     config.GetEnv().TestLocalhost,
-		Port:     port,
-		Username: "testuser",
-		Password: "testpassword",
-		Database: &testDbName,
-		CpuCount: 1,
+		BackupType: postgresql.PostgresBackupTypePgDump,
+		Version:    tools.PostgresqlVersion16,
+		Host:       config.GetEnv().TestLocalhost,
+		Port:       port,
+		Username:   "testuser",
+		Password:   "testpassword",
+		Database:   &testDbName,
+		CpuCount:   1,
 	}
 }
 

backend/internal/features/databases/databases/mariadb/model.go

@@ -12,11 +12,11 @@ import (
 	"strings"
 	"time"
 
-	"databasus-backend/internal/util/encryption"
-	"databasus-backend/internal/util/tools"
-
 	"github.com/go-sql-driver/mysql"
 	"github.com/google/uuid"
+
+	"databasus-backend/internal/util/encryption"
+	"databasus-backend/internal/util/tools"
 )
 
 type MariadbDatabase struct {
@@ -391,7 +391,7 @@ func (m *MariadbDatabase) HasPrivilege(priv string) bool {
 }
 
 func HasPrivilege(privileges, priv string) bool {
-	for _, p := range strings.Split(privileges, ",") {
+	for p := range strings.SplitSeq(privileges, ",") {
 		if strings.TrimSpace(p) == priv {
 			return true
 		}
@@ -399,7 +399,7 @@ func HasPrivilege(privileges, priv string) bool {
 	return false
 }
 
-func (m *MariadbDatabase) buildDSN(password string, database string) string {
+func (m *MariadbDatabase) buildDSN(password, database string) string {
 	tlsConfig := "false"
 
 	if m.IsHttps {

backend/internal/features/databases/databases/mongodb/model.go

@@ -10,13 +10,13 @@ import (
 	"strings"
 	"time"
 
-	"databasus-backend/internal/util/encryption"
-	"databasus-backend/internal/util/tools"
-
 	"github.com/google/uuid"
 	"go.mongodb.org/mongo-driver/bson"
 	"go.mongodb.org/mongo-driver/mongo"
 	"go.mongodb.org/mongo-driver/mongo/options"
+
+	"databasus-backend/internal/util/encryption"
+	"databasus-backend/internal/util/tools"
 )
 
 type MongodbDatabase struct {
@@ -25,15 +25,16 @@ type MongodbDatabase struct {
 
 	Version tools.MongodbVersion `json:"version" gorm:"type:text;not null"`
 
-	Host         string `json:"host"         gorm:"type:text;not null"`
-	Port         *int   `json:"port"         gorm:"type:int"`
-	Username     string `json:"username"     gorm:"type:text;not null"`
-	Password     string `json:"password"     gorm:"type:text;not null"`
-	Database     string `json:"database"     gorm:"type:text;not null"`
-	AuthDatabase string `json:"authDatabase" gorm:"type:text;not null;default:'admin'"`
-	IsHttps      bool   `json:"isHttps"      gorm:"type:boolean;default:false"`
-	IsSrv        bool   `json:"isSrv"        gorm:"column:is_srv;type:boolean;not null;default:false"`
-	CpuCount     int    `json:"cpuCount"     gorm:"column:cpu_count;type:int;not null;default:1"`
+	Host               string `json:"host"               gorm:"type:text;not null"`
+	Port               *int   `json:"port"               gorm:"type:int"`
+	Username           string `json:"username"           gorm:"type:text;not null"`
+	Password           string `json:"password"           gorm:"type:text;not null"`
+	Database           string `json:"database"           gorm:"type:text;not null"`
+	AuthDatabase       string `json:"authDatabase"       gorm:"type:text;not null;default:'admin'"`
+	IsHttps            bool   `json:"isHttps"            gorm:"type:boolean;default:false"`
+	IsSrv              bool   `json:"isSrv"              gorm:"column:is_srv;type:boolean;not null;default:false"`
+	IsDirectConnection bool   `json:"isDirectConnection" gorm:"column:is_direct_connection;type:boolean;not null;default:false"`
+	CpuCount           int    `json:"cpuCount"           gorm:"column:cpu_count;type:int;not null;default:1"`
 }
 
 func (m *MongodbDatabase) TableName() string {
@@ -132,6 +133,7 @@ func (m *MongodbDatabase) Update(incoming *MongodbDatabase) {
 	m.AuthDatabase = incoming.AuthDatabase
 	m.IsHttps = incoming.IsHttps
 	m.IsSrv = incoming.IsSrv
+	m.IsDirectConnection = incoming.IsDirectConnection
 	m.CpuCount = incoming.CpuCount
 
 	if incoming.Password != "" {
@@ -432,7 +434,6 @@ func (m *MongodbDatabase) CreateReadOnlyUser(
 				},
 			}},
 		}).Err()
-
 		if err != nil {
 			if attempt < maxRetries-1 {
 				continue
@@ -450,6 +451,48 @@ func (m *MongodbDatabase) CreateReadOnlyUser(
 	return "", "", errors.New("failed to generate unique username after 3 attempts")
 }
 
+// BuildMongodumpURI builds a URI suitable for mongodump (without database in path)
+func (m *MongodbDatabase) BuildMongodumpURI(password string) string {
+	authDB := m.AuthDatabase
+	if authDB == "" {
+		authDB = "admin"
+	}
+
+	extraParams := ""
+	if m.IsHttps {
+		extraParams += "&tls=true&tlsInsecure=true"
+	}
+	if m.IsDirectConnection {
+		extraParams += "&directConnection=true"
+	}
+
+	if m.IsSrv {
+		return fmt.Sprintf(
+			"mongodb+srv://%s:%s@%s/?authSource=%s&connectTimeoutMS=15000%s",
+			url.QueryEscape(m.Username),
+			url.QueryEscape(password),
+			m.Host,
+			authDB,
+			extraParams,
+		)
+	}
+
+	port := 27017
+	if m.Port != nil {
+		port = *m.Port
+	}
+
+	return fmt.Sprintf(
+		"mongodb://%s:%s@%s:%d/?authSource=%s&connectTimeoutMS=15000%s",
+		url.QueryEscape(m.Username),
+		url.QueryEscape(password),
+		m.Host,
+		port,
+		authDB,
+		extraParams,
+	)
+}
+
 // buildConnectionURI builds a MongoDB connection URI
 func (m *MongodbDatabase) buildConnectionURI(password string) string {
 	authDB := m.AuthDatabase
@@ -457,9 +500,12 @@ func (m *MongodbDatabase) buildConnectionURI(password string) string {
 		authDB = "admin"
 	}
 
-	tlsParams := ""
+	extraParams := ""
 	if m.IsHttps {
-		tlsParams = "&tls=true&tlsInsecure=true"
+		extraParams += "&tls=true&tlsInsecure=true"
+	}
+	if m.IsDirectConnection {
+		extraParams += "&directConnection=true"
 	}
 
 	if m.IsSrv {
@@ -470,7 +516,7 @@ func (m *MongodbDatabase) buildConnectionURI(password string) string {
 			m.Host,
 			m.Database,
 			authDB,
-			tlsParams,
+			extraParams,
 		)
 	}
 
@@ -487,46 +533,7 @@ func (m *MongodbDatabase) buildConnectionURI(password string) string {
 		port,
 		m.Database,
 		authDB,
-		tlsParams,
-	)
-}
-
-// BuildMongodumpURI builds a URI suitable for mongodump (without database in path)
-func (m *MongodbDatabase) BuildMongodumpURI(password string) string {
-	authDB := m.AuthDatabase
-	if authDB == "" {
-		authDB = "admin"
-	}
-
-	tlsParams := ""
-	if m.IsHttps {
-		tlsParams = "&tls=true&tlsInsecure=true"
-	}
-
-	if m.IsSrv {
-		return fmt.Sprintf(
-			"mongodb+srv://%s:%s@%s/?authSource=%s&connectTimeoutMS=15000%s",
-			url.QueryEscape(m.Username),
-			url.QueryEscape(password),
-			m.Host,
-			authDB,
-			tlsParams,
-		)
-	}
-
-	port := 27017
-	if m.Port != nil {
-		port = *m.Port
-	}
-
-	return fmt.Sprintf(
-		"mongodb://%s:%s@%s:%d/?authSource=%s&connectTimeoutMS=15000%s",
-		url.QueryEscape(m.Username),
-		url.QueryEscape(password),
-		m.Host,
-		port,
-		authDB,
-		tlsParams,
+		extraParams,
 	)
 }
 

backend/internal/features/databases/databases/mongodb/model_test.go

@@ -631,6 +631,89 @@ func Test_Validate_SrvConnection_AllowsNullPort(t *testing.T) {
 	assert.NoError(t, err)
 }
 
+func Test_BuildConnectionURI_WithDirectConnection_ReturnsCorrectUri(t *testing.T) {
+	port := 27017
+	model := &MongodbDatabase{
+		Host:               "mongo.example.local",
+		Port:               &port,
+		Username:           "testuser",
+		Password:           "testpass123",
+		Database:           "mydb",
+		AuthDatabase:       "admin",
+		IsHttps:            false,
+		IsSrv:              false,
+		IsDirectConnection: true,
+	}
+
+	uri := model.buildConnectionURI("testpass123")
+
+	assert.Contains(t, uri, "mongodb://")
+	assert.Contains(t, uri, "directConnection=true")
+	assert.Contains(t, uri, "mongo.example.local:27017")
+	assert.Contains(t, uri, "authSource=admin")
+}
+
+func Test_BuildConnectionURI_WithoutDirectConnection_OmitsParam(t *testing.T) {
+	port := 27017
+	model := &MongodbDatabase{
+		Host:               "localhost",
+		Port:               &port,
+		Username:           "testuser",
+		Password:           "testpass123",
+		Database:           "mydb",
+		AuthDatabase:       "admin",
+		IsHttps:            false,
+		IsSrv:              false,
+		IsDirectConnection: false,
+	}
+
+	uri := model.buildConnectionURI("testpass123")
+
+	assert.NotContains(t, uri, "directConnection")
+}
+
+func Test_BuildMongodumpURI_WithDirectConnection_ReturnsCorrectUri(t *testing.T) {
+	port := 27017
+	model := &MongodbDatabase{
+		Host:               "mongo.example.local",
+		Port:               &port,
+		Username:           "testuser",
+		Password:           "testpass123",
+		Database:           "mydb",
+		AuthDatabase:       "admin",
+		IsHttps:            false,
+		IsSrv:              false,
+		IsDirectConnection: true,
+	}
+
+	uri := model.BuildMongodumpURI("testpass123")
+
+	assert.Contains(t, uri, "mongodb://")
+	assert.Contains(t, uri, "directConnection=true")
+	assert.NotContains(t, uri, "/mydb")
+}
+
+func Test_BuildConnectionURI_WithDirectConnectionAndTls_ReturnsBothParams(t *testing.T) {
+	port := 27017
+	model := &MongodbDatabase{
+		Host:               "mongo.example.local",
+		Port:               &port,
+		Username:           "testuser",
+		Password:           "testpass123",
+		Database:           "mydb",
+		AuthDatabase:       "admin",
+		IsHttps:            true,
+		IsSrv:              false,
+		IsDirectConnection: true,
+	}
+
+	uri := model.buildConnectionURI("testpass123")
+
+	assert.Contains(t, uri, "directConnection=true")
+	assert.Contains(t, uri, "tls=true")
+	assert.Contains(t, uri, "tlsInsecure=true")
+}
+
 func Test_Validate_StandardConnection_RequiresPort(t *testing.T) {
 	model := &MongodbDatabase{
 		Host:         "localhost",

backend/internal/features/databases/databases/mysql/model.go

@@ -12,11 +12,11 @@ import (
 	"strings"
 	"time"
 
-	"databasus-backend/internal/util/encryption"
-	"databasus-backend/internal/util/tools"
-
 	"github.com/go-sql-driver/mysql"
 	"github.com/google/uuid"
+
+	"databasus-backend/internal/util/encryption"
+	"databasus-backend/internal/util/tools"
 )
 
 type MysqlDatabase struct {
@@ -25,13 +25,14 @@ type MysqlDatabase struct {
 
 	Version tools.MysqlVersion `json:"version" gorm:"type:text;not null"`
 
-	Host       string  `json:"host"       gorm:"type:text;not null"`
-	Port       int     `json:"port"       gorm:"type:int;not null"`
-	Username   string  `json:"username"   gorm:"type:text;not null"`
-	Password   string  `json:"password"   gorm:"type:text;not null"`
-	Database   *string `json:"database"   gorm:"type:text"`
-	IsHttps    bool    `json:"isHttps"    gorm:"type:boolean;default:false"`
-	Privileges string  `json:"privileges" gorm:"column:privileges;type:text;not null;default:''"`
+	Host            string  `json:"host"            gorm:"type:text;not null"`
+	Port            int     `json:"port"            gorm:"type:int;not null"`
+	Username        string  `json:"username"        gorm:"type:text;not null"`
+	Password        string  `json:"password"        gorm:"type:text;not null"`
+	Database        *string `json:"database"        gorm:"type:text"`
+	IsHttps         bool    `json:"isHttps"         gorm:"type:boolean;default:false"`
+	Privileges      string  `json:"privileges"      gorm:"column:privileges;type:text;not null;default:''"`
+	IsZstdSupported bool    `json:"isZstdSupported" gorm:"column:is_zstd_supported;type:boolean;not null;default:true"`
 }
 
 func (m *MysqlDatabase) TableName() string {
@@ -102,6 +103,7 @@ func (m *MysqlDatabase) TestConnection(
 		return err
 	}
 	m.Privileges = privileges
+	m.IsZstdSupported = detectZstdSupport(ctx, db)
 
 	if err := checkBackupPermissions(m.Privileges); err != nil {
 		return err
@@ -125,6 +127,7 @@ func (m *MysqlDatabase) Update(incoming *MysqlDatabase) {
 	m.Database = incoming.Database
 	m.IsHttps = incoming.IsHttps
 	m.Privileges = incoming.Privileges
+	m.IsZstdSupported = incoming.IsZstdSupported
 
 	if incoming.Password != "" {
 		m.Password = incoming.Password
@@ -185,6 +188,7 @@ func (m *MysqlDatabase) PopulateDbData(
 		return err
 	}
 	m.Privileges = privileges
+	m.IsZstdSupported = detectZstdSupport(ctx, db)
 
 	return nil
 }
@@ -223,6 +227,7 @@ func (m *MysqlDatabase) PopulateVersion(
 		return err
 	}
 	m.Version = detectedVersion
+	m.IsZstdSupported = detectZstdSupport(ctx, db)
 
 	return nil
 }
@@ -398,7 +403,7 @@ func HasPrivilege(privileges, priv string) bool {
 	return false
 }
 
-func (m *MysqlDatabase) buildDSN(password string, database string) string {
+func (m *MysqlDatabase) buildDSN(password, database string) string {
 	tlsConfig := "false"
 	allowCleartext := ""
 
@@ -575,6 +580,22 @@ func checkBackupPermissions(privileges string) error {
 	return nil
 }
 
+// detectZstdSupport checks if the MySQL server supports zstd network compression.
+// The protocol_compression_algorithms variable was introduced in MySQL 8.0.18.
+// Managed MySQL providers (e.g. PlanetScale) may not support zstd even on 8.0+.
+func detectZstdSupport(ctx context.Context, db *sql.DB) bool {
+	var varName, value string
+
+	err := db.QueryRowContext(ctx,
+		"SHOW VARIABLES LIKE 'protocol_compression_algorithms'",
+	).Scan(&varName, &value)
+	if err != nil {
+		return false
+	}
+
+	return strings.Contains(strings.ToLower(value), "zstd")
+}
+
 func decryptPasswordIfNeeded(
 	password string,
 	encryptor encryption.FieldEncryptor,

backend/internal/features/databases/databases/mysql/model_test.go

@@ -177,6 +177,38 @@ func Test_TestConnection_SufficientPermissions_Success(t *testing.T) {
 	}
 }
 
+func Test_TestConnection_DetectsZstdSupport(t *testing.T) {
+	env := config.GetEnv()
+	cases := []struct {
+		name         string
+		version      tools.MysqlVersion
+		port         string
+		isExpectZstd bool
+	}{
+		{"MySQL 5.7", tools.MysqlVersion57, env.TestMysql57Port, false},
+		{"MySQL 8.0", tools.MysqlVersion80, env.TestMysql80Port, true},
+		{"MySQL 8.4", tools.MysqlVersion84, env.TestMysql84Port, true},
+		{"MySQL 9", tools.MysqlVersion9, env.TestMysql90Port, true},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			container := connectToMysqlContainer(t, tc.port, tc.version)
+			defer container.DB.Close()
+
+			mysqlModel := createMysqlModel(container)
+			logger := slog.New(slog.NewTextHandler(os.Stdout, nil))
+
+			err := mysqlModel.TestConnection(logger, nil, uuid.New())
+			assert.NoError(t, err)
+			assert.Equal(t, tc.isExpectZstd, mysqlModel.IsZstdSupported,
+				"IsZstdSupported mismatch for %s", tc.name)
+		})
+	}
+}
+
 func Test_IsUserReadOnly_AdminUser_ReturnsFalse(t *testing.T) {
 	env := config.GetEnv()
 	cases := []struct {

backend/internal/features/databases/databases/postgresql/model.go

@@ -2,8 +2,6 @@ package postgresql
 
 import (
 	"context"
-	"databasus-backend/internal/util/encryption"
-	"databasus-backend/internal/util/tools"
 	"errors"
 	"fmt"
 	"log/slog"
@@ -15,6 +13,17 @@ import (
 	"github.com/jackc/pgx/v5"
 	"github.com/jackc/pgx/v5/pgconn"
 	"gorm.io/gorm"
+
+	"databasus-backend/internal/config"
+	"databasus-backend/internal/util/encryption"
+	"databasus-backend/internal/util/tools"
+)
+
+type PostgresBackupType string
+
+const (
+	PostgresBackupTypePgDump PostgresBackupType = "PG_DUMP"
+	PostgresBackupTypeWalV1  PostgresBackupType = "WAL_V1"
 )
 
 type PostgresqlDatabase struct {
@@ -24,11 +33,13 @@ type PostgresqlDatabase struct {
 
 	Version tools.PostgresqlVersion `json:"version" gorm:"type:text;not null"`
 
-	// connection data
-	Host     string  `json:"host"     gorm:"type:text;not null"`
-	Port     int     `json:"port"     gorm:"type:int;not null"`
-	Username string  `json:"username" gorm:"type:text;not null"`
-	Password string  `json:"password" gorm:"type:text;not null"`
+	BackupType PostgresBackupType `json:"backupType" gorm:"column:backup_type;type:text;not null;default:'PG_DUMP'"`
+
+	// connection data — required for PG_DUMP, optional for WAL_V1
+	Host     string  `json:"host"     gorm:"type:text"`
+	Port     int     `json:"port"     gorm:"type:int"`
+	Username string  `json:"username" gorm:"type:text"`
+	Password string  `json:"password" gorm:"type:text"`
 	Database *string `json:"database" gorm:"type:text"`
 	IsHttps  bool    `json:"isHttps"  gorm:"type:boolean;default:false"`
 
@@ -66,20 +77,30 @@ func (p *PostgresqlDatabase) AfterFind(_ *gorm.DB) error {
 }
 
 func (p *PostgresqlDatabase) Validate() error {
-	if p.Host == "" {
-		return errors.New("host is required")
+	if p.BackupType == "" {
+		p.BackupType = PostgresBackupTypePgDump
 	}
 
-	if p.Port == 0 {
-		return errors.New("port is required")
+	if p.BackupType == PostgresBackupTypePgDump && config.GetEnv().IsCloud {
+		return errors.New("PG_DUMP backup type is not supported in cloud mode")
 	}
 
-	if p.Username == "" {
-		return errors.New("username is required")
-	}
+	if p.BackupType == PostgresBackupTypePgDump {
+		if p.Host == "" {
+			return errors.New("host is required")
+		}
 
-	if p.Password == "" {
-		return errors.New("password is required")
+		if p.Port == 0 {
+			return errors.New("port is required")
+		}
+
+		if p.Username == "" {
+			return errors.New("username is required")
+		}
+
+		if p.Password == "" {
+			return errors.New("password is required")
+		}
 	}
 
 	if p.CpuCount <= 0 {
@@ -90,7 +111,7 @@ func (p *PostgresqlDatabase) Validate() error {
 	// Databasus runs an internal PostgreSQL instance that should not be backed up through the UI
 	// because it would expose internal metadata to non-system administrators.
 	// To properly backup Databasus, see: https://databasus.com/faq#backup-databasus
-	if p.Database != nil && *p.Database != "" {
+	if p.BackupType == PostgresBackupTypePgDump && p.Database != nil && *p.Database != "" {
 		localhostHosts := []string{
 			"localhost",
 			"127.0.0.1",
@@ -130,6 +151,10 @@ func (p *PostgresqlDatabase) TestConnection(
 	encryptor encryption.FieldEncryptor,
 	databaseID uuid.UUID,
 ) error {
+	if p.BackupType == PostgresBackupTypeWalV1 {
+		return errors.New("test connection is not supported for WAL backup type")
+	}
+
 	ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second)
 	defer cancel()
 
@@ -144,7 +169,21 @@ func (p *PostgresqlDatabase) HideSensitiveData() {
 	p.Password = ""
 }
 
+func (p *PostgresqlDatabase) ValidateUpdate(old *PostgresqlDatabase) error {
+	// BackupType cannot be changed after creation — the full backup structure
+	// (WAL hierarchy, storage files, cleanup logic) is built around
+	// the type chosen at creation time. Automatically migrating this state is
+	// error-prone; it is safer for the user to create a new database and
+	// remove the old one.
+	if old.BackupType != p.BackupType {
+		return errors.New("backup type cannot be changed; create a new database instead")
+	}
+
+	return nil
+}
+
 func (p *PostgresqlDatabase) Update(incoming *PostgresqlDatabase) {
+	p.BackupType = incoming.BackupType
 	p.Version = incoming.Version
 	p.Host = incoming.Host
 	p.Port = incoming.Port
@@ -181,6 +220,10 @@ func (p *PostgresqlDatabase) PopulateDbData(
 	encryptor encryption.FieldEncryptor,
 	databaseID uuid.UUID,
 ) error {
+	if p.BackupType == PostgresBackupTypeWalV1 {
+		return nil
+	}
+
 	return p.PopulateVersion(logger, encryptor, databaseID)
 }
 
@@ -243,6 +286,10 @@ func (p *PostgresqlDatabase) IsUserReadOnly(
 	encryptor encryption.FieldEncryptor,
 	databaseID uuid.UUID,
 ) (bool, []string, error) {
+	if p.BackupType == PostgresBackupTypeWalV1 {
+		return false, nil, errors.New("read-only check is not supported for WAL backup type")
+	}
+
 	password, err := decryptPasswordIfNeeded(p.Password, encryptor, databaseID)
 	if err != nil {
 		return false, nil, fmt.Errorf("failed to decrypt password: %w", err)
@@ -415,6 +462,10 @@ func (p *PostgresqlDatabase) CreateReadOnlyUser(
 	encryptor encryption.FieldEncryptor,
 	databaseID uuid.UUID,
 ) (string, string, error) {
+	if p.BackupType == PostgresBackupTypeWalV1 {
+		return "", "", errors.New("read-only user creation is not supported for WAL backup type")
+	}
+
 	password, err := decryptPasswordIfNeeded(p.Password, encryptor, databaseID)
 	if err != nil {
 		return "", "", fmt.Errorf("failed to decrypt password: %w", err)
@@ -1062,7 +1113,7 @@ func checkBackupPermissions(
 }
 
 // buildConnectionStringForDB builds connection string for specific database
-func buildConnectionStringForDB(p *PostgresqlDatabase, dbName string, password string) string {
+func buildConnectionStringForDB(p *PostgresqlDatabase, dbName, password string) string {
 	sslMode := "disable"
 	if p.IsHttps {
 		sslMode = "require"
@@ -1102,8 +1153,8 @@ func isSupabaseConnection(host, username string) bool {
 }
 
 func extractSupabaseProjectID(username string) string {
-	if idx := strings.Index(username, "."); idx != -1 {
-		return username[idx+1:]
+	if _, after, found := strings.Cut(username, "."); found {
+		return after
 	}
 	return ""
 }

backend/internal/features/databases/dto.go

@@ -9,3 +9,7 @@ type IsReadOnlyResponse struct {
 	IsReadOnly bool     `json:"isReadOnly"`
 	Privileges []string `json:"privileges"`
 }
+
+type VerifyAgentTokenRequest struct {
+	Token string `json:"token" binding:"required"`
+}

backend/internal/features/databases/interfaces.go

@@ -1,10 +1,11 @@
 package databases
 
 import (
-	"databasus-backend/internal/util/encryption"
 	"log/slog"
 
 	"github.com/google/uuid"
+
+	"databasus-backend/internal/util/encryption"
 )
 
 type DatabaseValidator interface {

backend/internal/features/databases/model.go

@@ -2,17 +2,18 @@ package databases
 
 import (
 	"context"
+	"errors"
+	"log/slog"
+	"time"
+
+	"github.com/google/uuid"
+
 	"databasus-backend/internal/features/databases/databases/mariadb"
 	"databasus-backend/internal/features/databases/databases/mongodb"
 	"databasus-backend/internal/features/databases/databases/mysql"
 	"databasus-backend/internal/features/databases/databases/postgresql"
 	"databasus-backend/internal/features/notifiers"
 	"databasus-backend/internal/util/encryption"
-	"errors"
-	"log/slog"
-	"time"
-
-	"github.com/google/uuid"
 )
 
 type Database struct {
@@ -37,6 +38,9 @@ type Database struct {
 	LastBackupErrorMessage *string    `json:"lastBackupErrorMessage,omitempty" gorm:"column:last_backup_error_message;type:text"`
 
 	HealthStatus *HealthStatus `json:"healthStatus" gorm:"column:health_status;type:text;not null"`
+
+	AgentToken            *string `json:"-"                     gorm:"column:agent_token;type:text"`
+	IsAgentTokenGenerated bool    `json:"isAgentTokenGenerated" gorm:"column:is_agent_token_generated;not null;default:false"`
 }
 
 func (d *Database) Validate() error {
@@ -71,8 +75,19 @@ func (d *Database) Validate() error {
 }
 
 func (d *Database) ValidateUpdate(old, new Database) error {
+	// Database type cannot be changed after creation — the entire backup
+	// structure (storage files, schedulers, WAL hierarchy, etc.) is tied to
+	// the type at creation time. Recreating that state automatically is
+	// error-prone; it is safer for the user to create a new database and
+	// remove the old one.
 	if old.Type != new.Type {
-		return errors.New("database type is not allowed to change")
+		return errors.New("database type cannot be changed; create a new database instead")
+	}
+
+	if old.Type == DatabaseTypePostgres && old.Postgresql != nil && new.Postgresql != nil {
+		if err := new.Postgresql.ValidateUpdate(old.Postgresql); err != nil {
+			return err
+		}
 	}
 
 	return nil