Merge pull request #323 from databasus/develop

Develop

.github/workflows/ci-release.yml

@@ -81,6 +81,11 @@ jobs:
           cd frontend
           npm run lint
 
+      - name: Build frontend
+        run: |
+          cd frontend
+          npm run build
+
   test-frontend:
     runs-on: ubuntu-latest
     needs: [lint-frontend]

.gitignore

@@ -1,3 +1,4 @@
+ansible/
 postgresus_data/
 postgresus-data/
 databasus-data/
@@ -9,4 +10,5 @@ node_modules/
 /articles
 
 .DS_Store
-/scripts
+/scripts
+.vscode/settings.json

.pre-commit-config.yaml

@@ -18,6 +18,13 @@ repos:
         files: ^frontend/.*\.(ts|tsx|js|jsx)$
         pass_filenames: false
 
+      - id: frontend-build
+        name: Frontend Build
+        entry: bash -c "cd frontend && npm run build"
+        language: system
+        files: ^frontend/.*\.(ts|tsx|js|jsx|json|css)$
+        pass_filenames: false
+
   # Backend checks
   - repo: local
     hooks:

AGENTS.md

@@ -573,15 +573,15 @@ var (
 
 func SetupDependencies() {
     wasAlreadySetup := isSetup.Load()
-    
+
     setupOnce.Do(func() {
         // Initialize dependencies here
         someService.SetDependency(otherService)
         anotherService.AddListener(listener)
-        
+
         isSetup.Store(true)
     })
-    
+
     if wasAlreadySetup {
         logger.GetLogger().Warn("SetupDependencies called multiple times, ignoring subsequent call")
     }
@@ -630,14 +630,14 @@ type BackgroundService struct {
 
 func (s *BackgroundService) Run(ctx context.Context) {
     wasAlreadyRun := s.hasRun.Load()
-    
+
     s.runOnce.Do(func() {
         s.hasRun.Store(true)
-        
+
         // Existing infinite loop logic
         ticker := time.NewTicker(1 * time.Minute)
         defer ticker.Stop()
-        
+
         for {
             select {
             case <-ctx.Done():
@@ -647,7 +647,7 @@ func (s *BackgroundService) Run(ctx context.Context) {
             }
         }
     })
-    
+
     if wasAlreadyRun {
         panic(fmt.Sprintf("%T.Run() called multiple times", s))
     }
@@ -766,6 +766,43 @@ Use these naming patterns:
 - Consolidate similar test patterns across different test files
 - Make tests more readable and maintainable for other developers
 
+**Clean Up Test Data:**
+
+- If the feature supports cleanup operations (DELETE endpoints, cleanup methods), use them in tests
+- Clean up resources after test execution to avoid test data pollution
+- Use `defer` statements or explicit cleanup calls at the end of tests
+- Prioritize using API methods for cleanup (not direct database deletion)
+- Examples:
+  - CRUD features: delete created records via DELETE endpoint
+  - File uploads: remove uploaded files
+  - Background jobs: stop schedulers or cancel running tasks
+- Skip cleanup only when:
+  - Tests run in isolated transactions that auto-rollback
+  - Cleanup endpoint doesn't exist yet
+  - Test explicitly validates failure scenarios where cleanup isn't possible
+
+**Example:**
+
+```go
+func Test_BackupLifecycle_CreateAndDelete(t *testing.T) {
+    router := createTestRouter()
+    workspace := workspaces_testing.CreateTestWorkspace("Test", owner)
+
+    // Create backup config
+    config := createBackupConfig(t, router, workspace.ID, owner.Token)
+
+    // Cleanup at end of test
+    defer deleteBackupConfig(t, router, workspace.ID, config.ID, owner.Token)
+
+    // Test operations...
+    triggerBackup(t, router, workspace.ID, config.ID, owner.Token)
+
+    // Verify backup was created
+    backups := getBackups(t, router, workspace.ID, owner.Token)
+    assert.NotEmpty(t, backups)
+}
+```
+
 #### Testing Utilities Structure
 
 **Create `testing.go` or `testing/testing.go` files with common utilities:**

Dockerfile

@@ -251,6 +251,27 @@ fi
 # PostgreSQL 17 binary paths
 PG_BIN="/usr/lib/postgresql/17/bin"
 
+# Generate runtime configuration for frontend
+echo "Generating runtime configuration..."
+
+# Detect if email is configured (both SMTP_HOST and DATABASUS_URL must be set)
+if [ -n "\${SMTP_HOST:-}" ] && [ -n "\${DATABASUS_URL:-}" ]; then
+  IS_EMAIL_CONFIGURED="true"
+else
+  IS_EMAIL_CONFIGURED="false"
+fi
+
+cat > /app/ui/build/runtime-config.js <<JSEOF
+// Runtime configuration injected at container startup
+// This file is generated dynamically and should not be edited manually
+window.__RUNTIME_CONFIG__ = {
+  IS_CLOUD: '\${IS_CLOUD:-false}',
+  GITHUB_CLIENT_ID: '\${GITHUB_CLIENT_ID:-}',
+  GOOGLE_CLIENT_ID: '\${GOOGLE_CLIENT_ID:-}',
+  IS_EMAIL_CONFIGURED: '\$IS_EMAIL_CONFIGURED'
+};
+JSEOF
+
 # Ensure proper ownership of data directory
 echo "Setting up data directory permissions..."
 mkdir -p /databasus-data/pgdata
@@ -372,6 +393,32 @@ SQL
 
 # Start the main application
 echo "Starting Databasus application..."
+
+# Check and warn about external database/Valkey usage
+if [ -n "\${DANGEROUS_EXTERNAL_DATABASE_DSN:-}" ]; then
+    echo ""
+    echo "=========================================="
+    echo "WARNING: Using external database"
+    echo "=========================================="
+    echo "DANGEROUS_EXTERNAL_DATABASE_DSN is set."
+    echo "Application will connect to external PostgreSQL instead of internal instance."
+    echo "Internal PostgreSQL is still running in the background."
+    echo "=========================================="
+    echo ""
+fi
+
+if [ -n "\${DANGEROUS_VALKEY_HOST:-}" ]; then
+    echo ""
+    echo "=========================================="
+    echo "WARNING: Using external Valkey"
+    echo "=========================================="
+    echo "DANGEROUS_VALKEY_HOST is set."
+    echo "Application will connect to external Valkey instead of internal instance."
+    echo "Internal Valkey is still running in the background."
+    echo "=========================================="
+    echo ""
+fi
+
 exec ./main
 EOF
 

backend/.env.development.example

@@ -6,6 +6,8 @@ DEV_DB_PASSWORD=Q1234567
 ENV_MODE=development
 # logging
 SHOW_DB_INSTALLATION_VERIFICATION_LOGS=true
+VICTORIA_LOGS_URL=http://localhost:9428
+VICTORIA_LOGS_PASSWORD=devpassword
 # tests
 TEST_LOCALHOST=localhost
 IS_SKIP_EXTERNAL_RESOURCES_TESTS=false

backend/.gitignore

@@ -18,4 +18,5 @@ pgdata-for-restore/
 temp/
 cmd.exe
 temp/
-valkey-data/
+valkey-data/
+victoria-logs-data/

backend/cmd/main.go

@@ -185,6 +185,9 @@ func startServerWithGracefulShutdown(log *slog.Logger, app *gin.Engine) {
 	<-quit
 	log.Info("Shutdown signal received")
 
+	// Gracefully shutdown VictoriaLogs writer
+	logger.ShutdownVictoriaLogs(5 * time.Second)
+
 	// The context is used to inform the server it has 10 seconds to finish
 	// the request it is currently handling
 	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
@@ -272,6 +275,10 @@ func runBackgroundTasks(log *slog.Logger) {
 			backuping.GetBackupsScheduler().Run(ctx)
 		})
 
+		go runWithPanicLogging(log, "backup cleaner background service", func() {
+			backuping.GetBackupCleaner().Run(ctx)
+		})
+
 		go runWithPanicLogging(log, "restore background service", func() {
 			restoring.GetRestoresScheduler().Run(ctx)
 		})

backend/docker-compose.yml.example

@@ -34,6 +34,20 @@ services:
       retries: 5
       start_period: 20s
 
+  # VictoriaLogs for external logging
+  victoria-logs:
+    image: victoriametrics/victoria-logs:latest
+    container_name: victoria-logs
+    ports:
+      - "9428:9428"
+    command:
+      - -storageDataPath=/victoria-logs-data
+      - -retentionPeriod=7d
+      - -httpAuth.password=devpassword
+    volumes:
+      - ./victoria-logs-data:/victoria-logs-data
+    restart: unless-stopped
+
   # Test MinIO container
   test-minio:
     image: minio/minio:latest

backend/internal/config/config.go

@@ -22,13 +22,22 @@ const (
 
 type EnvVariables struct {
 	IsTesting            bool
-	DatabaseDsn          string            `env:"DATABASE_DSN"         required:"true"`
 	EnvMode              env_utils.EnvMode `env:"ENV_MODE"             required:"true"`
 	PostgresesInstallDir string            `env:"POSTGRES_INSTALL_DIR"`
 	MysqlInstallDir      string            `env:"MYSQL_INSTALL_DIR"`
 	MariadbInstallDir    string            `env:"MARIADB_INSTALL_DIR"`
 	MongodbInstallDir    string            `env:"MONGODB_INSTALL_DIR"`
 
+	// Internal database
+	DatabaseDsn string `env:"DATABASE_DSN"    required:"true"`
+	// Internal Valkey
+	ValkeyHost     string `env:"VALKEY_HOST"     required:"true"`
+	ValkeyPort     string `env:"VALKEY_PORT"     required:"true"`
+	ValkeyUsername string `env:"VALKEY_USERNAME" required:"true"`
+	ValkeyPassword string `env:"VALKEY_PASSWORD" required:"true"`
+	ValkeyIsSsl    bool   `env:"VALKEY_IS_SSL"   required:"true"`
+
+	IsCloud       bool   `env:"IS_CLOUD"`
 	TestLocalhost string `env:"TEST_LOCALHOST"`
 
 	ShowDbInstallationVerificationLogs bool `env:"SHOW_DB_INSTALLATION_VERIFICATION_LOGS"`
@@ -89,13 +98,6 @@ type EnvVariables struct {
 	TestMongodb70Port string `env:"TEST_MONGODB_70_PORT"`
 	TestMongodb82Port string `env:"TEST_MONGODB_82_PORT"`
 
-	// Valkey
-	ValkeyHost     string `env:"VALKEY_HOST"     required:"true"`
-	ValkeyPort     string `env:"VALKEY_PORT"     required:"true"`
-	ValkeyUsername string `env:"VALKEY_USERNAME"`
-	ValkeyPassword string `env:"VALKEY_PASSWORD"`
-	ValkeyIsSsl    bool   `env:"VALKEY_IS_SSL"   required:"true"`
-
 	// oauth
 	GitHubClientID     string `env:"GITHUB_CLIENT_ID"`
 	GitHubClientSecret string `env:"GITHUB_CLIENT_SECRET"`
@@ -112,6 +114,15 @@ type EnvVariables struct {
 	TestSupabaseUsername string `env:"TEST_SUPABASE_USERNAME"`
 	TestSupabasePassword string `env:"TEST_SUPABASE_PASSWORD"`
 	TestSupabaseDatabase string `env:"TEST_SUPABASE_DATABASE"`
+
+	// SMTP configuration (optional)
+	SMTPHost     string `env:"SMTP_HOST"`
+	SMTPPort     int    `env:"SMTP_PORT"`
+	SMTPUser     string `env:"SMTP_USER"`
+	SMTPPassword string `env:"SMTP_PASSWORD"`
+
+	// Application URL (optional) - used for email links
+	DatabasusURL string `env:"DATABASUS_URL"`
 }
 
 var (
@@ -182,6 +193,11 @@ func loadEnvVariables() {
 		env.IsSkipExternalResourcesTests = false
 	}
 
+	// Set default value for IsCloud if not defined
+	if os.Getenv("IS_CLOUD") == "" {
+		env.IsCloud = false
+	}
+
 	for _, arg := range os.Args {
 		if strings.Contains(arg, "test") {
 			env.IsTesting = true
@@ -189,6 +205,14 @@ func loadEnvVariables() {
 		}
 	}
 
+	// Check for external database override
+	if externalDsn := os.Getenv("DANGEROUS_EXTERNAL_DATABASE_DSN"); externalDsn != "" {
+		log.Warn(
+			"Using DANGEROUS_EXTERNAL_DATABASE_DSN - connecting to external database instead of internal PostgreSQL",
+		)
+		env.DatabaseDsn = externalDsn
+	}
+
 	if env.DatabaseDsn == "" {
 		log.Error("DATABASE_DSN is empty")
 		os.Exit(1)
@@ -259,6 +283,27 @@ func loadEnvVariables() {
 		os.Exit(1)
 	}
 
+	// Check for external Valkey override
+	if externalValkeyHost := os.Getenv("DANGEROUS_VALKEY_HOST"); externalValkeyHost != "" {
+		log.Warn(
+			"Using DANGEROUS_VALKEY_* variables - connecting to external Valkey instead of internal instance",
+		)
+		env.ValkeyHost = externalValkeyHost
+
+		if externalValkeyPort := os.Getenv("DANGEROUS_VALKEY_PORT"); externalValkeyPort != "" {
+			env.ValkeyPort = externalValkeyPort
+		}
+		if externalValkeyUsername := os.Getenv("DANGEROUS_VALKEY_USERNAME"); externalValkeyUsername != "" {
+			env.ValkeyUsername = externalValkeyUsername
+		}
+		if externalValkeyPassword := os.Getenv("DANGEROUS_VALKEY_PASSWORD"); externalValkeyPassword != "" {
+			env.ValkeyPassword = externalValkeyPassword
+		}
+		if externalValkeyIsSsl := os.Getenv("DANGEROUS_VALKEY_IS_SSL"); externalValkeyIsSsl != "" {
+			env.ValkeyIsSsl = externalValkeyIsSsl == "true"
+		}
+	}
+
 	// Store the data and temp folders one level below the root
 	// (projectRoot/databasus-data -> /databasus-data)
 	env.DataFolder = filepath.Join(filepath.Dir(backendRoot), "databasus-data", "backups")

backend/internal/features/backups/backups/backuping/backuper.go

@@ -70,16 +70,18 @@ func (n *BackuperNode) Run(ctx context.Context) {
 		}
 
 		backupHandler := func(backupID uuid.UUID, isCallNotifier bool) {
-			n.MakeBackup(backupID, isCallNotifier)
-			if err := n.backupNodesRegistry.PublishBackupCompletion(n.nodeID, backupID); err != nil {
-				n.logger.Error(
-					"Failed to publish backup completion",
-					"error",
-					err,
-					"backupID",
-					backupID,
-				)
-			}
+			go func() {
+				n.MakeBackup(backupID, isCallNotifier)
+				if err := n.backupNodesRegistry.PublishBackupCompletion(n.nodeID, backupID); err != nil {
+					n.logger.Error(
+						"Failed to publish backup completion",
+						"error",
+						err,
+						"backupID",
+						backupID,
+					)
+				}
+			}()
 		}
 
 		err := n.backupNodesRegistry.SubscribeNodeForBackupsAssignment(n.nodeID, backupHandler)
@@ -157,21 +159,41 @@ func (n *BackuperNode) MakeBackup(backupID uuid.UUID, isCallNotifier bool) {
 
 	start := time.Now().UTC()
 
+	ctx, cancel := context.WithCancel(context.Background())
+	n.backupCancelManager.RegisterTask(backup.ID, cancel)
+	defer n.backupCancelManager.UnregisterTask(backup.ID)
+
 	backupProgressListener := func(
 		completedMBs float64,
 	) {
 		backup.BackupSizeMb = completedMBs
 		backup.BackupDurationMs = time.Since(start).Milliseconds()
 
+		// Check size limit (0 = unlimited)
+		if backupConfig.MaxBackupSizeMB > 0 &&
+			completedMBs > float64(backupConfig.MaxBackupSizeMB) {
+			errMsg := fmt.Sprintf(
+				"backup size (%.2f MB) exceeded maximum allowed size (%d MB)",
+				completedMBs,
+				backupConfig.MaxBackupSizeMB,
+			)
+
+			backup.Status = backups_core.BackupStatusFailed
+			backup.IsSkipRetry = true
+			backup.FailMessage = &errMsg
+			if err := n.backupRepository.Save(backup); err != nil {
+				n.logger.Error("Failed to save backup with size exceeded error", "error", err)
+			}
+			cancel() // Cancel the backup context
+
+			return
+		}
+
 		if err := n.backupRepository.Save(backup); err != nil {
 			n.logger.Error("Failed to update backup progress", "error", err)
 		}
 	}
 
-	ctx, cancel := context.WithCancel(context.Background())
-	n.backupCancelManager.RegisterTask(backup.ID, cancel)
-	defer n.backupCancelManager.UnregisterTask(backup.ID)
-
 	backupMetadata, err := n.createBackupUseCase.Execute(
 		ctx,
 		backup.ID,
@@ -181,6 +203,29 @@ func (n *BackuperNode) MakeBackup(backupID uuid.UUID, isCallNotifier bool) {
 		backupProgressListener,
 	)
 	if err != nil {
+		// Check if backup was already marked as failed by progress listener (e.g., size limit exceeded)
+		// If so, skip error handling to avoid overwriting the status
+		currentBackup, fetchErr := n.backupRepository.FindByID(backup.ID)
+		if fetchErr == nil && currentBackup.Status == backups_core.BackupStatusFailed {
+			n.logger.Warn(
+				"Backup already marked as failed by progress listener, skipping error handling",
+				"backupId",
+				backup.ID,
+				"failMessage",
+				*currentBackup.FailMessage,
+			)
+
+			// Still call notification for size limit failures
+			n.SendBackupNotification(
+				backupConfig,
+				currentBackup,
+				backups_config.NotificationBackupFailed,
+				currentBackup.FailMessage,
+			)
+
+			return
+		}
+
 		errMsg := err.Error()
 
 		// Log detailed error information for debugging

backend/internal/features/backups/backups/backuping/backuper_test.go

@@ -1,13 +1,10 @@
 package backuping
 
 import (
-	"context"
-	"errors"
 	"strings"
 	"testing"
 	"time"
 
-	common "databasus-backend/internal/features/backups/backups/common"
 	backups_core "databasus-backend/internal/features/backups/backups/core"
 	backups_config "databasus-backend/internal/features/backups/config"
 	"databasus-backend/internal/features/databases"
@@ -18,7 +15,6 @@ import (
 	workspaces_testing "databasus-backend/internal/features/workspaces/testing"
 	cache_utils "databasus-backend/internal/util/cache"
 
-	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"
 )
@@ -158,35 +154,120 @@ func Test_BackupExecuted_NotificationSent(t *testing.T) {
 	})
 }
 
-type CreateFailedBackupUsecase struct {
-}
+func Test_BackupSizeLimits(t *testing.T) {
+	cache_utils.ClearAllCache()
+	user := users_testing.CreateTestUser(users_enums.UserRoleAdmin)
+	router := CreateTestRouter()
+	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", user, router)
+	storage := storages.CreateTestStorage(workspace.ID)
+	notifier := notifiers.CreateTestNotifier(workspace.ID)
+	database := databases.CreateTestDatabase(workspace.ID, storage, notifier)
 
-func (uc *CreateFailedBackupUsecase) Execute(
-	ctx context.Context,
-	backupID uuid.UUID,
-	backupConfig *backups_config.BackupConfig,
-	database *databases.Database,
-	storage *storages.Storage,
-	backupProgressListener func(completedMBs float64),
-) (*common.BackupMetadata, error) {
-	backupProgressListener(10)
-	return nil, errors.New("backup failed")
-}
+	defer func() {
+		// cleanup backups first
+		backups, _ := backupRepository.FindByDatabaseID(database.ID)
+		for _, backup := range backups {
+			backupRepository.DeleteByID(backup.ID)
+		}
 
-type CreateSuccessBackupUsecase struct{}
+		databases.RemoveTestDatabase(database)
+		time.Sleep(50 * time.Millisecond) // Wait for cascading deletes
+		notifiers.RemoveTestNotifier(notifier)
+		storages.RemoveTestStorage(storage.ID)
+		workspaces_testing.RemoveTestWorkspace(workspace, router)
+	}()
 
-func (uc *CreateSuccessBackupUsecase) Execute(
-	ctx context.Context,
-	backupID uuid.UUID,
-	backupConfig *backups_config.BackupConfig,
-	database *databases.Database,
-	storage *storages.Storage,
-	backupProgressListener func(completedMBs float64),
-) (*common.BackupMetadata, error) {
-	backupProgressListener(10)
-	return &common.BackupMetadata{
-		EncryptionSalt: nil,
-		EncryptionIV:   nil,
-		Encryption:     backups_config.BackupEncryptionNone,
-	}, nil
+	t.Run("UnlimitedSize_MaxBackupSizeMBIsZero_BackupCompletes", func(t *testing.T) {
+		// Enable backups with unlimited size (0)
+		backupConfig := backups_config.EnableBackupsForTestDatabase(database.ID, storage)
+		backupConfig.MaxBackupSizeMB = 0 // unlimited
+		backupConfig, err := backups_config.GetBackupConfigService().SaveBackupConfig(backupConfig)
+		assert.NoError(t, err)
+
+		backuperNode := CreateTestBackuperNode()
+		backuperNode.createBackupUseCase = &CreateLargeBackupUsecase{}
+
+		// Create a backup record
+		backup := &backups_core.Backup{
+			DatabaseID: database.ID,
+			StorageID:  storage.ID,
+			Status:     backups_core.BackupStatusInProgress,
+			CreatedAt:  time.Now().UTC(),
+		}
+		err = backupRepository.Save(backup)
+		assert.NoError(t, err)
+
+		backuperNode.MakeBackup(backup.ID, false)
+
+		// Verify backup completed successfully even with large size
+		updatedBackup, err := backupRepository.FindByID(backup.ID)
+		assert.NoError(t, err)
+		assert.Equal(t, backups_core.BackupStatusCompleted, updatedBackup.Status)
+		assert.Equal(t, float64(10000), updatedBackup.BackupSizeMb)
+		assert.Nil(t, updatedBackup.FailMessage)
+	})
+
+	t.Run("SizeExceeded_BackupFailedWithIsSkipRetry", func(t *testing.T) {
+		// Enable backups with 5 MB limit
+		backupConfig := backups_config.EnableBackupsForTestDatabase(database.ID, storage)
+		backupConfig.MaxBackupSizeMB = 5
+		backupConfig, err := backups_config.GetBackupConfigService().SaveBackupConfig(backupConfig)
+		assert.NoError(t, err)
+
+		backuperNode := CreateTestBackuperNode()
+		backuperNode.createBackupUseCase = &CreateProgressiveBackupUsecase{}
+
+		// Create a backup record
+		backup := &backups_core.Backup{
+			DatabaseID: database.ID,
+			StorageID:  storage.ID,
+			Status:     backups_core.BackupStatusInProgress,
+			CreatedAt:  time.Now().UTC(),
+		}
+		err = backupRepository.Save(backup)
+		assert.NoError(t, err)
+
+		backuperNode.MakeBackup(backup.ID, false)
+
+		// Verify backup was marked as failed with IsSkipRetry=true
+		updatedBackup, err := backupRepository.FindByID(backup.ID)
+		assert.NoError(t, err)
+		assert.Equal(t, backups_core.BackupStatusFailed, updatedBackup.Status)
+		assert.True(t, updatedBackup.IsSkipRetry)
+		assert.NotNil(t, updatedBackup.FailMessage)
+		assert.Contains(t, *updatedBackup.FailMessage, "exceeded maximum allowed size")
+		assert.Contains(t, *updatedBackup.FailMessage, "10.00 MB")
+		assert.Contains(t, *updatedBackup.FailMessage, "5 MB")
+		assert.Greater(t, updatedBackup.BackupSizeMb, float64(5))
+	})
+
+	t.Run("SizeWithinLimit_BackupCompletes", func(t *testing.T) {
+		// Enable backups with 100 MB limit
+		backupConfig := backups_config.EnableBackupsForTestDatabase(database.ID, storage)
+		backupConfig.MaxBackupSizeMB = 100
+		backupConfig, err := backups_config.GetBackupConfigService().SaveBackupConfig(backupConfig)
+		assert.NoError(t, err)
+
+		backuperNode := CreateTestBackuperNode()
+		backuperNode.createBackupUseCase = &CreateMediumBackupUsecase{}
+
+		// Create a backup record
+		backup := &backups_core.Backup{
+			DatabaseID: database.ID,
+			StorageID:  storage.ID,
+			Status:     backups_core.BackupStatusInProgress,
+			CreatedAt:  time.Now().UTC(),
+		}
+		err = backupRepository.Save(backup)
+		assert.NoError(t, err)
+
+		backuperNode.MakeBackup(backup.ID, false)
+
+		// Verify backup completed successfully
+		updatedBackup, err := backupRepository.FindByID(backup.ID)
+		assert.NoError(t, err)
+		assert.Equal(t, backups_core.BackupStatusCompleted, updatedBackup.Status)
+		assert.Equal(t, float64(50), updatedBackup.BackupSizeMb)
+		assert.Nil(t, updatedBackup.FailMessage)
+	})
 }

backend/internal/features/backups/backups/backuping/cleaner.go

@@ -0,0 +1,242 @@
+package backuping
+
+import (
+	"context"
+	"fmt"
+	"log/slog"
+	"sync"
+	"sync/atomic"
+	"time"
+
+	"github.com/google/uuid"
+
+	backups_core "databasus-backend/internal/features/backups/backups/core"
+	backups_config "databasus-backend/internal/features/backups/config"
+	"databasus-backend/internal/features/storages"
+	util_encryption "databasus-backend/internal/util/encryption"
+	"databasus-backend/internal/util/period"
+)
+
+const (
+	cleanerTickerInterval = 1 * time.Minute
+)
+
+type BackupCleaner struct {
+	backupRepository      *backups_core.BackupRepository
+	storageService        *storages.StorageService
+	backupConfigService   *backups_config.BackupConfigService
+	fieldEncryptor        util_encryption.FieldEncryptor
+	logger                *slog.Logger
+	backupRemoveListeners []backups_core.BackupRemoveListener
+
+	runOnce sync.Once
+	hasRun  atomic.Bool
+}
+
+func (c *BackupCleaner) Run(ctx context.Context) {
+	wasAlreadyRun := c.hasRun.Load()
+
+	c.runOnce.Do(func() {
+		c.hasRun.Store(true)
+
+		if ctx.Err() != nil {
+			return
+		}
+
+		ticker := time.NewTicker(cleanerTickerInterval)
+		defer ticker.Stop()
+
+		for {
+			select {
+			case <-ctx.Done():
+				return
+			case <-ticker.C:
+				if err := c.cleanOldBackups(); err != nil {
+					c.logger.Error("Failed to clean old backups", "error", err)
+				}
+
+				if err := c.cleanExceededBackups(); err != nil {
+					c.logger.Error("Failed to clean exceeded backups", "error", err)
+				}
+			}
+		}
+	})
+
+	if wasAlreadyRun {
+		panic(fmt.Sprintf("%T.Run() called multiple times", c))
+	}
+}
+
+func (c *BackupCleaner) DeleteBackup(backup *backups_core.Backup) error {
+	for _, listener := range c.backupRemoveListeners {
+		if err := listener.OnBeforeBackupRemove(backup); err != nil {
+			return err
+		}
+	}
+
+	storage, err := c.storageService.GetStorageByID(backup.StorageID)
+	if err != nil {
+		return err
+	}
+
+	err = storage.DeleteFile(c.fieldEncryptor, backup.ID)
+	if err != nil {
+		// we do not return error here, because sometimes clean up performed
+		// before unavailable storage removal or change - therefore we should
+		// proceed even in case of error. It's possible that some S3 or
+		// storage is not available yet, it should not block us
+		c.logger.Error("Failed to delete backup file", "error", err)
+	}
+
+	return c.backupRepository.DeleteByID(backup.ID)
+}
+
+func (c *BackupCleaner) AddBackupRemoveListener(listener backups_core.BackupRemoveListener) {
+	c.backupRemoveListeners = append(c.backupRemoveListeners, listener)
+}
+
+func (c *BackupCleaner) cleanOldBackups() error {
+	enabledBackupConfigs, err := c.backupConfigService.GetBackupConfigsWithEnabledBackups()
+	if err != nil {
+		return err
+	}
+
+	for _, backupConfig := range enabledBackupConfigs {
+		backupStorePeriod := backupConfig.StorePeriod
+
+		if backupStorePeriod == period.PeriodForever {
+			continue
+		}
+
+		storeDuration := backupStorePeriod.ToDuration()
+		dateBeforeBackupsShouldBeDeleted := time.Now().UTC().Add(-storeDuration)
+
+		oldBackups, err := c.backupRepository.FindBackupsBeforeDate(
+			backupConfig.DatabaseID,
+			dateBeforeBackupsShouldBeDeleted,
+		)
+		if err != nil {
+			c.logger.Error(
+				"Failed to find old backups for database",
+				"databaseId",
+				backupConfig.DatabaseID,
+				"error",
+				err,
+			)
+			continue
+		}
+
+		for _, backup := range oldBackups {
+			if err := c.DeleteBackup(backup); err != nil {
+				c.logger.Error("Failed to delete old backup", "backupId", backup.ID, "error", err)
+				continue
+			}
+
+			c.logger.Info(
+				"Deleted old backup",
+				"backupId",
+				backup.ID,
+				"databaseId",
+				backupConfig.DatabaseID,
+			)
+		}
+	}
+
+	return nil
+}
+
+func (c *BackupCleaner) cleanExceededBackups() error {
+	enabledBackupConfigs, err := c.backupConfigService.GetBackupConfigsWithEnabledBackups()
+	if err != nil {
+		return err
+	}
+
+	for _, backupConfig := range enabledBackupConfigs {
+		if backupConfig.MaxBackupsTotalSizeMB <= 0 {
+			continue
+		}
+
+		if err := c.cleanExceededBackupsForDatabase(
+			backupConfig.DatabaseID,
+			backupConfig.MaxBackupsTotalSizeMB,
+		); err != nil {
+			c.logger.Error(
+				"Failed to clean exceeded backups for database",
+				"databaseId",
+				backupConfig.DatabaseID,
+				"error",
+				err,
+			)
+			continue
+		}
+	}
+
+	return nil
+}
+
+func (c *BackupCleaner) cleanExceededBackupsForDatabase(
+	databaseID uuid.UUID,
+	limitperDbMB int64,
+) error {
+	for {
+		backupsTotalSizeMB, err := c.backupRepository.GetTotalSizeByDatabase(databaseID)
+		if err != nil {
+			return err
+		}
+
+		if backupsTotalSizeMB <= float64(limitperDbMB) {
+			break
+		}
+
+		oldestBackups, err := c.backupRepository.FindOldestByDatabaseExcludingInProgress(
+			databaseID,
+			1,
+		)
+		if err != nil {
+			return err
+		}
+
+		if len(oldestBackups) == 0 {
+			c.logger.Warn(
+				"No backups to delete but still over limit",
+				"databaseId",
+				databaseID,
+				"totalSizeMB",
+				backupsTotalSizeMB,
+				"limitMB",
+				limitperDbMB,
+			)
+			break
+		}
+
+		backup := oldestBackups[0]
+		if err := c.DeleteBackup(backup); err != nil {
+			c.logger.Error(
+				"Failed to delete exceeded backup",
+				"backupId",
+				backup.ID,
+				"databaseId",
+				databaseID,
+				"error",
+				err,
+			)
+			return err
+		}
+
+		c.logger.Info(
+			"Deleted exceeded backup",
+			"backupId",
+			backup.ID,
+			"databaseId",
+			databaseID,
+			"backupSizeMB",
+			backup.BackupSizeMb,
+			"totalSizeMB",
+			backupsTotalSizeMB,
+			"limitMB",
+			limitperDbMB,
+		)
+	}
+
+	return nil
+}

backend/internal/features/backups/backups/backuping/cleaner_test.go

@@ -0,0 +1,595 @@
+package backuping
+
+import (
+	"testing"
+	"time"
+
+	backups_core "databasus-backend/internal/features/backups/backups/core"
+	backups_config "databasus-backend/internal/features/backups/config"
+	"databasus-backend/internal/features/databases"
+	"databasus-backend/internal/features/intervals"
+	"databasus-backend/internal/features/notifiers"
+	"databasus-backend/internal/features/storages"
+	users_enums "databasus-backend/internal/features/users/enums"
+	users_testing "databasus-backend/internal/features/users/testing"
+	workspaces_testing "databasus-backend/internal/features/workspaces/testing"
+	"databasus-backend/internal/storage"
+	"databasus-backend/internal/util/period"
+
+	"github.com/google/uuid"
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_CleanOldBackups_DeletesBackupsOlderThanStorePeriod(t *testing.T) {
+	router := CreateTestRouter()
+	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
+	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
+	storage := storages.CreateTestStorage(workspace.ID)
+	notifier := notifiers.CreateTestNotifier(workspace.ID)
+	database := databases.CreateTestDatabase(workspace.ID, storage, notifier)
+
+	defer func() {
+		backups, _ := backupRepository.FindByDatabaseID(database.ID)
+		for _, backup := range backups {
+			backupRepository.DeleteByID(backup.ID)
+		}
+
+		databases.RemoveTestDatabase(database)
+		time.Sleep(50 * time.Millisecond)
+		notifiers.RemoveTestNotifier(notifier)
+		storages.RemoveTestStorage(storage.ID)
+		workspaces_testing.RemoveTestWorkspace(workspace, router)
+	}()
+
+	// Create backup interval
+	interval := createTestInterval()
+
+	backupConfig := &backups_config.BackupConfig{
+		DatabaseID:       database.ID,
+		IsBackupsEnabled: true,
+		StorePeriod:      period.PeriodWeek,
+		StorageID:        &storage.ID,
+		BackupIntervalID: interval.ID,
+		BackupInterval:   interval,
+	}
+	_, err := backups_config.GetBackupConfigService().SaveBackupConfig(backupConfig)
+	assert.NoError(t, err)
+
+	// Create backups with different ages
+	now := time.Now().UTC()
+	oldBackup1 := &backups_core.Backup{
+		ID:           uuid.New(),
+		DatabaseID:   database.ID,
+		StorageID:    storage.ID,
+		Status:       backups_core.BackupStatusCompleted,
+		BackupSizeMb: 10,
+		CreatedAt:    now.Add(-10 * 24 * time.Hour), // 10 days old
+	}
+	oldBackup2 := &backups_core.Backup{
+		ID:           uuid.New(),
+		DatabaseID:   database.ID,
+		StorageID:    storage.ID,
+		Status:       backups_core.BackupStatusCompleted,
+		BackupSizeMb: 10,
+		CreatedAt:    now.Add(-8 * 24 * time.Hour), // 8 days old
+	}
+	recentBackup := &backups_core.Backup{
+		ID:           uuid.New(),
+		DatabaseID:   database.ID,
+		StorageID:    storage.ID,
+		Status:       backups_core.BackupStatusCompleted,
+		BackupSizeMb: 10,
+		CreatedAt:    now.Add(-3 * 24 * time.Hour), // 3 days old
+	}
+
+	err = backupRepository.Save(oldBackup1)
+	assert.NoError(t, err)
+	err = backupRepository.Save(oldBackup2)
+	assert.NoError(t, err)
+	err = backupRepository.Save(recentBackup)
+	assert.NoError(t, err)
+
+	// Run cleanup
+	cleaner := GetBackupCleaner()
+	err = cleaner.cleanOldBackups()
+	assert.NoError(t, err)
+
+	// Verify old backups deleted, recent backup remains
+	remainingBackups, err := backupRepository.FindByDatabaseID(database.ID)
+	assert.NoError(t, err)
+	assert.Equal(t, 1, len(remainingBackups))
+	assert.Equal(t, recentBackup.ID, remainingBackups[0].ID)
+}
+
+func Test_CleanOldBackups_SkipsDatabaseWithForeverStorePeriod(t *testing.T) {
+	router := CreateTestRouter()
+	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
+	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
+	storage := storages.CreateTestStorage(workspace.ID)
+	notifier := notifiers.CreateTestNotifier(workspace.ID)
+	database := databases.CreateTestDatabase(workspace.ID, storage, notifier)
+
+	defer func() {
+		backups, _ := backupRepository.FindByDatabaseID(database.ID)
+		for _, backup := range backups {
+			backupRepository.DeleteByID(backup.ID)
+		}
+
+		databases.RemoveTestDatabase(database)
+		time.Sleep(50 * time.Millisecond)
+		notifiers.RemoveTestNotifier(notifier)
+		storages.RemoveTestStorage(storage.ID)
+		workspaces_testing.RemoveTestWorkspace(workspace, router)
+	}()
+
+	// Create backup interval
+	interval := createTestInterval()
+
+	backupConfig := &backups_config.BackupConfig{
+		DatabaseID:       database.ID,
+		IsBackupsEnabled: true,
+		StorePeriod:      period.PeriodForever,
+		StorageID:        &storage.ID,
+		BackupIntervalID: interval.ID,
+		BackupInterval:   interval,
+	}
+	_, err := backups_config.GetBackupConfigService().SaveBackupConfig(backupConfig)
+	assert.NoError(t, err)
+
+	// Create very old backup
+	oldBackup := &backups_core.Backup{
+		ID:           uuid.New(),
+		DatabaseID:   database.ID,
+		StorageID:    storage.ID,
+		Status:       backups_core.BackupStatusCompleted,
+		BackupSizeMb: 10,
+		CreatedAt:    time.Now().UTC().Add(-365 * 24 * time.Hour), // 1 year old
+	}
+	err = backupRepository.Save(oldBackup)
+	assert.NoError(t, err)
+
+	// Run cleanup
+	cleaner := GetBackupCleaner()
+	err = cleaner.cleanOldBackups()
+	assert.NoError(t, err)
+
+	// Verify backup still exists
+	remainingBackups, err := backupRepository.FindByDatabaseID(database.ID)
+	assert.NoError(t, err)
+	assert.Equal(t, 1, len(remainingBackups))
+	assert.Equal(t, oldBackup.ID, remainingBackups[0].ID)
+}
+
+func Test_CleanExceededBackups_WhenUnderLimit_NoBackupsDeleted(t *testing.T) {
+	router := CreateTestRouter()
+	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
+	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
+	storage := storages.CreateTestStorage(workspace.ID)
+	notifier := notifiers.CreateTestNotifier(workspace.ID)
+	database := databases.CreateTestDatabase(workspace.ID, storage, notifier)
+
+	defer func() {
+		backups, _ := backupRepository.FindByDatabaseID(database.ID)
+		for _, backup := range backups {
+			backupRepository.DeleteByID(backup.ID)
+		}
+
+		databases.RemoveTestDatabase(database)
+		time.Sleep(50 * time.Millisecond)
+		notifiers.RemoveTestNotifier(notifier)
+		storages.RemoveTestStorage(storage.ID)
+		workspaces_testing.RemoveTestWorkspace(workspace, router)
+	}()
+
+	// Create backup interval
+	interval := createTestInterval()
+
+	backupConfig := &backups_config.BackupConfig{
+		DatabaseID:            database.ID,
+		IsBackupsEnabled:      true,
+		StorePeriod:           period.PeriodForever,
+		StorageID:             &storage.ID,
+		MaxBackupsTotalSizeMB: 100, // 100 MB limit
+		BackupIntervalID:      interval.ID,
+		BackupInterval:        interval,
+	}
+	_, err := backups_config.GetBackupConfigService().SaveBackupConfig(backupConfig)
+	assert.NoError(t, err)
+
+	// Create 3 backups totaling 50MB (under limit)
+	for i := 0; i < 3; i++ {
+		backup := &backups_core.Backup{
+			ID:           uuid.New(),
+			DatabaseID:   database.ID,
+			StorageID:    storage.ID,
+			Status:       backups_core.BackupStatusCompleted,
+			BackupSizeMb: 16.67,
+			CreatedAt:    time.Now().UTC().Add(-time.Duration(i) * time.Hour),
+		}
+		err = backupRepository.Save(backup)
+		assert.NoError(t, err)
+	}
+
+	// Run cleanup
+	cleaner := GetBackupCleaner()
+	err = cleaner.cleanExceededBackups()
+	assert.NoError(t, err)
+
+	// Verify all backups remain
+	remainingBackups, err := backupRepository.FindByDatabaseID(database.ID)
+	assert.NoError(t, err)
+	assert.Equal(t, 3, len(remainingBackups))
+}
+
+func Test_CleanExceededBackups_WhenOverLimit_DeletesOldestBackups(t *testing.T) {
+	router := CreateTestRouter()
+	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
+	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
+	storage := storages.CreateTestStorage(workspace.ID)
+	notifier := notifiers.CreateTestNotifier(workspace.ID)
+	database := databases.CreateTestDatabase(workspace.ID, storage, notifier)
+
+	defer func() {
+		backups, _ := backupRepository.FindByDatabaseID(database.ID)
+		for _, backup := range backups {
+			backupRepository.DeleteByID(backup.ID)
+		}
+
+		databases.RemoveTestDatabase(database)
+		time.Sleep(50 * time.Millisecond)
+		notifiers.RemoveTestNotifier(notifier)
+		storages.RemoveTestStorage(storage.ID)
+		workspaces_testing.RemoveTestWorkspace(workspace, router)
+	}()
+
+	// Create backup interval
+	interval := createTestInterval()
+
+	backupConfig := &backups_config.BackupConfig{
+		DatabaseID:            database.ID,
+		IsBackupsEnabled:      true,
+		StorePeriod:           period.PeriodForever,
+		StorageID:             &storage.ID,
+		MaxBackupsTotalSizeMB: 30, // 30 MB limit
+		BackupIntervalID:      interval.ID,
+		BackupInterval:        interval,
+	}
+	_, err := backups_config.GetBackupConfigService().SaveBackupConfig(backupConfig)
+	assert.NoError(t, err)
+
+	// Create 5 backups of 10MB each (total 50MB, over 30MB limit)
+	now := time.Now().UTC()
+	var backupIDs []uuid.UUID
+	for i := 0; i < 5; i++ {
+		backup := &backups_core.Backup{
+			ID:           uuid.New(),
+			DatabaseID:   database.ID,
+			StorageID:    storage.ID,
+			Status:       backups_core.BackupStatusCompleted,
+			BackupSizeMb: 10,
+			CreatedAt:    now.Add(-time.Duration(4-i) * time.Hour), // Oldest first
+		}
+		err = backupRepository.Save(backup)
+		assert.NoError(t, err)
+		backupIDs = append(backupIDs, backup.ID)
+	}
+
+	// Run cleanup
+	cleaner := GetBackupCleaner()
+	err = cleaner.cleanExceededBackups()
+	assert.NoError(t, err)
+
+	// Verify 2 oldest backups deleted, 3 newest remain
+	remainingBackups, err := backupRepository.FindByDatabaseID(database.ID)
+	assert.NoError(t, err)
+	assert.Equal(t, 3, len(remainingBackups))
+
+	// Check that the newest 3 backups remain
+	remainingIDs := make(map[uuid.UUID]bool)
+	for _, backup := range remainingBackups {
+		remainingIDs[backup.ID] = true
+	}
+	assert.False(t, remainingIDs[backupIDs[0]]) // Oldest deleted
+	assert.False(t, remainingIDs[backupIDs[1]]) // 2nd oldest deleted
+	assert.True(t, remainingIDs[backupIDs[2]])  // 3rd remains
+	assert.True(t, remainingIDs[backupIDs[3]])  // 4th remains
+	assert.True(t, remainingIDs[backupIDs[4]])  // Newest remains
+}
+
+func Test_CleanExceededBackups_SkipsInProgressBackups(t *testing.T) {
+	router := CreateTestRouter()
+	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
+	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
+	storage := storages.CreateTestStorage(workspace.ID)
+	notifier := notifiers.CreateTestNotifier(workspace.ID)
+	database := databases.CreateTestDatabase(workspace.ID, storage, notifier)
+
+	defer func() {
+		backups, _ := backupRepository.FindByDatabaseID(database.ID)
+		for _, backup := range backups {
+			backupRepository.DeleteByID(backup.ID)
+		}
+
+		databases.RemoveTestDatabase(database)
+		time.Sleep(50 * time.Millisecond)
+		notifiers.RemoveTestNotifier(notifier)
+		storages.RemoveTestStorage(storage.ID)
+		workspaces_testing.RemoveTestWorkspace(workspace, router)
+	}()
+
+	// Create backup interval
+	interval := createTestInterval()
+
+	backupConfig := &backups_config.BackupConfig{
+		DatabaseID:            database.ID,
+		IsBackupsEnabled:      true,
+		StorePeriod:           period.PeriodForever,
+		StorageID:             &storage.ID,
+		MaxBackupsTotalSizeMB: 50, // 50 MB limit
+		BackupIntervalID:      interval.ID,
+		BackupInterval:        interval,
+	}
+	_, err := backups_config.GetBackupConfigService().SaveBackupConfig(backupConfig)
+	assert.NoError(t, err)
+
+	now := time.Now().UTC()
+
+	// Create 3 completed backups of 30MB each
+	completedBackups := make([]*backups_core.Backup, 3)
+	for i := 0; i < 3; i++ {
+		backup := &backups_core.Backup{
+			ID:           uuid.New(),
+			DatabaseID:   database.ID,
+			StorageID:    storage.ID,
+			Status:       backups_core.BackupStatusCompleted,
+			BackupSizeMb: 30,
+			CreatedAt:    now.Add(-time.Duration(3-i) * time.Hour),
+		}
+		err = backupRepository.Save(backup)
+		assert.NoError(t, err)
+		completedBackups[i] = backup
+	}
+
+	// Create 1 in-progress backup (should be excluded from size calculation and deletion)
+	inProgressBackup := &backups_core.Backup{
+		ID:           uuid.New(),
+		DatabaseID:   database.ID,
+		StorageID:    storage.ID,
+		Status:       backups_core.BackupStatusInProgress,
+		BackupSizeMb: 10,
+		CreatedAt:    now,
+	}
+	err = backupRepository.Save(inProgressBackup)
+	assert.NoError(t, err)
+
+	// Run cleanup
+	cleaner := GetBackupCleaner()
+	err = cleaner.cleanExceededBackups()
+	assert.NoError(t, err)
+
+	// Verify: only completed backups deleted, in-progress remains
+	remainingBackups, err := backupRepository.FindByDatabaseID(database.ID)
+	assert.NoError(t, err)
+
+	// Should have in-progress + 1 completed (total 40MB completed + 10MB in-progress)
+	assert.GreaterOrEqual(t, len(remainingBackups), 2)
+
+	// Verify in-progress backup still exists
+	var inProgressFound bool
+	for _, backup := range remainingBackups {
+		if backup.ID == inProgressBackup.ID {
+			inProgressFound = true
+			assert.Equal(t, backups_core.BackupStatusInProgress, backup.Status)
+		}
+	}
+	assert.True(t, inProgressFound, "In-progress backup should not be deleted")
+}
+
+func Test_CleanExceededBackups_WithZeroLimit_SkipsDatabase(t *testing.T) {
+	router := CreateTestRouter()
+	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
+	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
+	storage := storages.CreateTestStorage(workspace.ID)
+	notifier := notifiers.CreateTestNotifier(workspace.ID)
+	database := databases.CreateTestDatabase(workspace.ID, storage, notifier)
+
+	defer func() {
+		backups, _ := backupRepository.FindByDatabaseID(database.ID)
+		for _, backup := range backups {
+			backupRepository.DeleteByID(backup.ID)
+		}
+
+		databases.RemoveTestDatabase(database)
+		time.Sleep(50 * time.Millisecond)
+		notifiers.RemoveTestNotifier(notifier)
+		storages.RemoveTestStorage(storage.ID)
+		workspaces_testing.RemoveTestWorkspace(workspace, router)
+	}()
+
+	// Create backup interval
+	interval := createTestInterval()
+
+	backupConfig := &backups_config.BackupConfig{
+		DatabaseID:            database.ID,
+		IsBackupsEnabled:      true,
+		StorePeriod:           period.PeriodForever,
+		StorageID:             &storage.ID,
+		MaxBackupsTotalSizeMB: 0, // No size limit
+		BackupIntervalID:      interval.ID,
+		BackupInterval:        interval,
+	}
+	_, err := backups_config.GetBackupConfigService().SaveBackupConfig(backupConfig)
+	assert.NoError(t, err)
+
+	// Create large backups
+	for i := 0; i < 10; i++ {
+		backup := &backups_core.Backup{
+			ID:           uuid.New(),
+			DatabaseID:   database.ID,
+			StorageID:    storage.ID,
+			Status:       backups_core.BackupStatusCompleted,
+			BackupSizeMb: 100,
+			CreatedAt:    time.Now().UTC().Add(-time.Duration(i) * time.Hour),
+		}
+		err = backupRepository.Save(backup)
+		assert.NoError(t, err)
+	}
+
+	// Run cleanup
+	cleaner := GetBackupCleaner()
+	err = cleaner.cleanExceededBackups()
+	assert.NoError(t, err)
+
+	// Verify all backups remain
+	remainingBackups, err := backupRepository.FindByDatabaseID(database.ID)
+	assert.NoError(t, err)
+	assert.Equal(t, 10, len(remainingBackups))
+}
+
+func Test_GetTotalSizeByDatabase_CalculatesCorrectly(t *testing.T) {
+	router := CreateTestRouter()
+	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
+	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
+	storage := storages.CreateTestStorage(workspace.ID)
+	notifier := notifiers.CreateTestNotifier(workspace.ID)
+	database := databases.CreateTestDatabase(workspace.ID, storage, notifier)
+
+	defer func() {
+		backups, _ := backupRepository.FindByDatabaseID(database.ID)
+		for _, backup := range backups {
+			backupRepository.DeleteByID(backup.ID)
+		}
+
+		databases.RemoveTestDatabase(database)
+		time.Sleep(50 * time.Millisecond)
+		notifiers.RemoveTestNotifier(notifier)
+		storages.RemoveTestStorage(storage.ID)
+		workspaces_testing.RemoveTestWorkspace(workspace, router)
+	}()
+
+	// Create completed backups
+	completedBackup1 := &backups_core.Backup{
+		ID:           uuid.New(),
+		DatabaseID:   database.ID,
+		StorageID:    storage.ID,
+		Status:       backups_core.BackupStatusCompleted,
+		BackupSizeMb: 10.5,
+		CreatedAt:    time.Now().UTC(),
+	}
+	completedBackup2 := &backups_core.Backup{
+		ID:           uuid.New(),
+		DatabaseID:   database.ID,
+		StorageID:    storage.ID,
+		Status:       backups_core.BackupStatusCompleted,
+		BackupSizeMb: 20.3,
+		CreatedAt:    time.Now().UTC(),
+	}
+	// Create failed backup (should be included)
+	failedBackup := &backups_core.Backup{
+		ID:           uuid.New(),
+		DatabaseID:   database.ID,
+		StorageID:    storage.ID,
+		Status:       backups_core.BackupStatusFailed,
+		BackupSizeMb: 5.2,
+		CreatedAt:    time.Now().UTC(),
+	}
+	// Create in-progress backup (should be excluded)
+	inProgressBackup := &backups_core.Backup{
+		ID:           uuid.New(),
+		DatabaseID:   database.ID,
+		StorageID:    storage.ID,
+		Status:       backups_core.BackupStatusInProgress,
+		BackupSizeMb: 100,
+		CreatedAt:    time.Now().UTC(),
+	}
+
+	err := backupRepository.Save(completedBackup1)
+	assert.NoError(t, err)
+	err = backupRepository.Save(completedBackup2)
+	assert.NoError(t, err)
+	err = backupRepository.Save(failedBackup)
+	assert.NoError(t, err)
+	err = backupRepository.Save(inProgressBackup)
+	assert.NoError(t, err)
+
+	// Calculate total size
+	totalSize, err := backupRepository.GetTotalSizeByDatabase(database.ID)
+	assert.NoError(t, err)
+
+	// Should be 10.5 + 20.3 + 5.2 = 36.0 (excluding in-progress 100)
+	assert.InDelta(t, 36.0, totalSize, 0.1)
+}
+
+// Mock listener for testing
+type mockBackupRemoveListener struct {
+	onBeforeBackupRemove func(*backups_core.Backup) error
+}
+
+func (m *mockBackupRemoveListener) OnBeforeBackupRemove(backup *backups_core.Backup) error {
+	if m.onBeforeBackupRemove != nil {
+		return m.onBeforeBackupRemove(backup)
+	}
+
+	return nil
+}
+
+// Test_DeleteBackup_WhenStorageDeleteFails_BackupStillRemovedFromDatabase verifies resilience
+// when storage becomes unavailable. Even if storage.DeleteFile fails (e.g., storage is offline,
+// credentials changed, or storage was deleted), the backup record should still be removed from
+// the database. This prevents orphaned backup records when storage is no longer accessible.
+func Test_DeleteBackup_WhenStorageDeleteFails_BackupStillRemovedFromDatabase(t *testing.T) {
+	router := CreateTestRouter()
+	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
+	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
+	testStorage := storages.CreateTestStorage(workspace.ID)
+	notifier := notifiers.CreateTestNotifier(workspace.ID)
+	database := databases.CreateTestDatabase(workspace.ID, testStorage, notifier)
+
+	defer func() {
+		backups, _ := backupRepository.FindByDatabaseID(database.ID)
+		for _, backup := range backups {
+			backupRepository.DeleteByID(backup.ID)
+		}
+
+		databases.RemoveTestDatabase(database)
+		time.Sleep(50 * time.Millisecond)
+		notifiers.RemoveTestNotifier(notifier)
+		storages.RemoveTestStorage(testStorage.ID)
+		workspaces_testing.RemoveTestWorkspace(workspace, router)
+	}()
+
+	backup := &backups_core.Backup{
+		ID:           uuid.New(),
+		DatabaseID:   database.ID,
+		StorageID:    testStorage.ID,
+		Status:       backups_core.BackupStatusCompleted,
+		BackupSizeMb: 10,
+		CreatedAt:    time.Now().UTC(),
+	}
+	err := backupRepository.Save(backup)
+	assert.NoError(t, err)
+
+	cleaner := GetBackupCleaner()
+
+	err = cleaner.DeleteBackup(backup)
+	assert.NoError(t, err, "DeleteBackup should succeed even when storage file doesn't exist")
+
+	deletedBackup, err := backupRepository.FindByID(backup.ID)
+	assert.Error(t, err, "Backup should not exist in database")
+	assert.Nil(t, deletedBackup)
+}
+
+func createTestInterval() *intervals.Interval {
+	timeOfDay := "04:00"
+	interval := &intervals.Interval{
+		Interval:  intervals.IntervalDaily,
+		TimeOfDay: &timeOfDay,
+	}
+
+	err := storage.GetDb().Create(interval).Error
+	if err != nil {
+		panic(err)
+	}
+
+	return interval
+}

backend/internal/features/backups/backups/backuping/di.go

@@ -24,6 +24,17 @@ var backupRepository = &backups_core.BackupRepository{}
 
 var taskCancelManager = tasks_cancellation.GetTaskCancelManager()
 
+var backupCleaner = &BackupCleaner{
+	backupRepository:      backupRepository,
+	storageService:        storages.GetStorageService(),
+	backupConfigService:   backups_config.GetBackupConfigService(),
+	fieldEncryptor:        encryption.GetFieldEncryptor(),
+	logger:                logger.GetLogger(),
+	backupRemoveListeners: []backups_core.BackupRemoveListener{},
+	runOnce:               sync.Once{},
+	hasRun:                atomic.Bool{},
+}
+
 var backupNodesRegistry = &BackupNodesRegistry{
 	client:            cache_utils.GetValkeyClient(),
 	logger:            logger.GetLogger(),
@@ -59,7 +70,6 @@ var backuperNode = &BackuperNode{
 var backupsScheduler = &BackupsScheduler{
 	backupRepository:      backupRepository,
 	backupConfigService:   backups_config.GetBackupConfigService(),
-	storageService:        storages.GetStorageService(),
 	taskCancelManager:     taskCancelManager,
 	backupNodesRegistry:   backupNodesRegistry,
 	lastBackupTime:        time.Now().UTC(),
@@ -81,3 +91,7 @@ func GetBackuperNode() *BackuperNode {
 func GetBackupNodesRegistry() *BackupNodesRegistry {
 	return backupNodesRegistry
 }
+
+func GetBackupCleaner() *BackupCleaner {
+	return backupCleaner
+}

backend/internal/features/backups/backups/backuping/mocks.go

@@ -1,8 +1,18 @@
 package backuping
 
 import (
-	"databasus-backend/internal/features/notifiers"
+	"context"
+	"errors"
+	"sync/atomic"
+	"time"
 
+	common "databasus-backend/internal/features/backups/backups/common"
+	backups_config "databasus-backend/internal/features/backups/config"
+	"databasus-backend/internal/features/databases"
+	"databasus-backend/internal/features/notifiers"
+	"databasus-backend/internal/features/storages"
+
+	"github.com/google/uuid"
 	"github.com/stretchr/testify/mock"
 )
 
@@ -17,3 +27,168 @@ func (m *MockNotificationSender) SendNotification(
 ) {
 	m.Called(notifier, title, message)
 }
+
+type CreateFailedBackupUsecase struct{}
+
+func (uc *CreateFailedBackupUsecase) Execute(
+	ctx context.Context,
+	backupID uuid.UUID,
+	backupConfig *backups_config.BackupConfig,
+	database *databases.Database,
+	storage *storages.Storage,
+	backupProgressListener func(completedMBs float64),
+) (*common.BackupMetadata, error) {
+	backupProgressListener(10)
+	return nil, errors.New("backup failed")
+}
+
+type CreateSuccessBackupUsecase struct{}
+
+func (uc *CreateSuccessBackupUsecase) Execute(
+	ctx context.Context,
+	backupID uuid.UUID,
+	backupConfig *backups_config.BackupConfig,
+	database *databases.Database,
+	storage *storages.Storage,
+	backupProgressListener func(completedMBs float64),
+) (*common.BackupMetadata, error) {
+	backupProgressListener(10)
+	return &common.BackupMetadata{
+		EncryptionSalt: nil,
+		EncryptionIV:   nil,
+		Encryption:     backups_config.BackupEncryptionNone,
+	}, nil
+}
+
+// CreateLargeBackupUsecase simulates a large backup (10000 MB)
+type CreateLargeBackupUsecase struct{}
+
+func (uc *CreateLargeBackupUsecase) Execute(
+	ctx context.Context,
+	backupID uuid.UUID,
+	backupConfig *backups_config.BackupConfig,
+	database *databases.Database,
+	storage *storages.Storage,
+	backupProgressListener func(completedMBs float64),
+) (*common.BackupMetadata, error) {
+	backupProgressListener(10000)
+	return &common.BackupMetadata{
+		EncryptionSalt: nil,
+		EncryptionIV:   nil,
+		Encryption:     backups_config.BackupEncryptionNone,
+	}, nil
+}
+
+// CreateProgressiveBackupUsecase simulates progressive size updates that exceed limit
+type CreateProgressiveBackupUsecase struct{}
+
+func (uc *CreateProgressiveBackupUsecase) Execute(
+	ctx context.Context,
+	backupID uuid.UUID,
+	backupConfig *backups_config.BackupConfig,
+	database *databases.Database,
+	storage *storages.Storage,
+	backupProgressListener func(completedMBs float64),
+) (*common.BackupMetadata, error) {
+	// Simulate progressive backup that grows beyond limit
+	backupProgressListener(1)
+	if ctx.Err() != nil {
+		return nil, ctx.Err()
+	}
+
+	backupProgressListener(3)
+	if ctx.Err() != nil {
+		return nil, ctx.Err()
+	}
+
+	backupProgressListener(5)
+	if ctx.Err() != nil {
+		return nil, ctx.Err()
+	}
+
+	backupProgressListener(10) // This exceeds the 5 MB limit
+	if ctx.Err() != nil {
+		return nil, ctx.Err()
+	}
+
+	// Should not reach here due to cancellation
+	return &common.BackupMetadata{
+		EncryptionSalt: nil,
+		EncryptionIV:   nil,
+		Encryption:     backups_config.BackupEncryptionNone,
+	}, nil
+}
+
+// CreateMediumBackupUsecase simulates a 50 MB backup
+type CreateMediumBackupUsecase struct{}
+
+func (uc *CreateMediumBackupUsecase) Execute(
+	ctx context.Context,
+	backupID uuid.UUID,
+	backupConfig *backups_config.BackupConfig,
+	database *databases.Database,
+	storage *storages.Storage,
+	backupProgressListener func(completedMBs float64),
+) (*common.BackupMetadata, error) {
+	backupProgressListener(50)
+	return &common.BackupMetadata{
+		EncryptionSalt: nil,
+		EncryptionIV:   nil,
+		Encryption:     backups_config.BackupEncryptionNone,
+	}, nil
+}
+
+// MockTrackingBackupUsecase tracks backup use case calls for testing parallel execution
+type MockTrackingBackupUsecase struct {
+	callCount       atomic.Int32
+	calledBackupIDs chan uuid.UUID
+}
+
+func NewMockTrackingBackupUsecase() *MockTrackingBackupUsecase {
+	return &MockTrackingBackupUsecase{
+		calledBackupIDs: make(chan uuid.UUID, 10),
+	}
+}
+
+func (m *MockTrackingBackupUsecase) Execute(
+	ctx context.Context,
+	backupID uuid.UUID,
+	backupConfig *backups_config.BackupConfig,
+	database *databases.Database,
+	storage *storages.Storage,
+	backupProgressListener func(completedMBs float64),
+) (*common.BackupMetadata, error) {
+	m.callCount.Add(1)
+
+	// Send backup ID to channel (non-blocking)
+	select {
+	case m.calledBackupIDs <- backupID:
+	default:
+	}
+
+	// Simulate backup work
+	time.Sleep(100 * time.Millisecond)
+	backupProgressListener(10)
+
+	return &common.BackupMetadata{
+		EncryptionSalt: nil,
+		EncryptionIV:   nil,
+		Encryption:     backups_config.BackupEncryptionNone,
+	}, nil
+}
+
+func (m *MockTrackingBackupUsecase) GetCallCount() int32 {
+	return m.callCount.Load()
+}
+
+func (m *MockTrackingBackupUsecase) GetCalledBackupIDs() []uuid.UUID {
+	ids := []uuid.UUID{}
+	for {
+		select {
+		case id := <-m.calledBackupIDs:
+			ids = append(ids, id)
+		default:
+			return ids
+		}
+	}
+}

backend/internal/features/backups/backups/backuping/scheduler.go

@@ -13,10 +13,7 @@ import (
 	"databasus-backend/internal/config"
 	backups_core "databasus-backend/internal/features/backups/backups/core"
 	backups_config "databasus-backend/internal/features/backups/config"
-	"databasus-backend/internal/features/storages"
 	task_cancellation "databasus-backend/internal/features/tasks/cancellation"
-	"databasus-backend/internal/util/encryption"
-	"databasus-backend/internal/util/period"
 )
 
 const (
@@ -28,7 +25,6 @@ const (
 type BackupsScheduler struct {
 	backupRepository    *backups_core.BackupRepository
 	backupConfigService *backups_config.BackupConfigService
-	storageService      *storages.StorageService
 	taskCancelManager   *task_cancellation.TaskCancelManager
 	backupNodesRegistry *BackupNodesRegistry
 
@@ -84,10 +80,6 @@ func (s *BackupsScheduler) Run(ctx context.Context) {
 			case <-ctx.Done():
 				return
 			case <-ticker.C:
-				if err := s.cleanOldBackups(); err != nil {
-					s.logger.Error("Failed to clean old backups", "error", err)
-				}
-
 				if err := s.checkDeadNodesAndFailBackups(); err != nil {
 					s.logger.Error("Failed to check dead nodes and fail backups", "error", err)
 				}
@@ -111,49 +103,6 @@ func (s *BackupsScheduler) IsSchedulerRunning() bool {
 	return s.lastBackupTime.After(time.Now().UTC().Add(-schedulerHealthcheckThreshold))
 }
 
-func (s *BackupsScheduler) failBackupsInProgress() error {
-	backupsInProgress, err := s.backupRepository.FindByStatus(backups_core.BackupStatusInProgress)
-	if err != nil {
-		return err
-	}
-
-	for _, backup := range backupsInProgress {
-		if err := s.taskCancelManager.CancelTask(backup.ID); err != nil {
-			s.logger.Error(
-				"Failed to cancel backup via task cancel manager",
-				"backupId",
-				backup.ID,
-				"error",
-				err,
-			)
-		}
-
-		backupConfig, err := s.backupConfigService.GetBackupConfigByDbId(backup.DatabaseID)
-		if err != nil {
-			s.logger.Error("Failed to get backup config by database ID", "error", err)
-			continue
-		}
-
-		failMessage := "Backup failed due to application restart"
-		backup.FailMessage = &failMessage
-		backup.Status = backups_core.BackupStatusFailed
-		backup.BackupSizeMb = 0
-
-		s.backuperNode.SendBackupNotification(
-			backupConfig,
-			backup,
-			backups_config.NotificationBackupFailed,
-			&failMessage,
-		)
-
-		if err := s.backupRepository.Save(backup); err != nil {
-			return err
-		}
-	}
-
-	return nil
-}
-
 func (s *BackupsScheduler) StartBackup(databaseID uuid.UUID, isCallNotifier bool) {
 	backupConfig, err := s.backupConfigService.GetBackupConfigByDbId(databaseID)
 	if err != nil {
@@ -166,6 +115,33 @@ func (s *BackupsScheduler) StartBackup(databaseID uuid.UUID, isCallNotifier bool
 		return
 	}
 
+	// Check for existing in-progress backups
+	inProgressBackups, err := s.backupRepository.FindByDatabaseIdAndStatus(
+		databaseID,
+		backups_core.BackupStatusInProgress,
+	)
+	if err != nil {
+		s.logger.Error(
+			"Failed to check for in-progress backups",
+			"databaseId",
+			databaseID,
+			"error",
+			err,
+		)
+		return
+	}
+
+	if len(inProgressBackups) > 0 {
+		s.logger.Warn(
+			"Backup already in progress for database, skipping new backup",
+			"databaseId",
+			databaseID,
+			"existingBackupId",
+			inProgressBackups[0].ID,
+		)
+		return
+	}
+
 	leastBusyNodeID, err := s.calculateLeastBusyNode()
 	if err != nil {
 		s.logger.Error(
@@ -178,6 +154,7 @@ func (s *BackupsScheduler) StartBackup(databaseID uuid.UUID, isCallNotifier bool
 		return
 	}
 
+	fmt.Println("make backup")
 	backup := &backups_core.Backup{
 		DatabaseID:   backupConfig.DatabaseID,
 		StorageID:    *backupConfig.StorageID,
@@ -266,6 +243,10 @@ func (s *BackupsScheduler) GetRemainedBackupTryCount(lastBackup *backups_core.Ba
 		return 0
 	}
 
+	if lastBackup.IsSkipRetry {
+		return 0
+	}
+
 	backupConfig, err := s.backupConfigService.GetBackupConfigByDbId(lastBackup.DatabaseID)
 	if err != nil {
 		s.logger.Error("Failed to get backup config by database ID", "error", err)
@@ -298,74 +279,6 @@ func (s *BackupsScheduler) GetRemainedBackupTryCount(lastBackup *backups_core.Ba
 	return maxFailedTriesCount - len(lastFailedBackups)
 }
 
-func (s *BackupsScheduler) cleanOldBackups() error {
-	enabledBackupConfigs, err := s.backupConfigService.GetBackupConfigsWithEnabledBackups()
-	if err != nil {
-		return err
-	}
-
-	for _, backupConfig := range enabledBackupConfigs {
-		backupStorePeriod := backupConfig.StorePeriod
-
-		if backupStorePeriod == period.PeriodForever {
-			continue
-		}
-
-		storeDuration := backupStorePeriod.ToDuration()
-		dateBeforeBackupsShouldBeDeleted := time.Now().UTC().Add(-storeDuration)
-
-		oldBackups, err := s.backupRepository.FindBackupsBeforeDate(
-			backupConfig.DatabaseID,
-			dateBeforeBackupsShouldBeDeleted,
-		)
-		if err != nil {
-			s.logger.Error(
-				"Failed to find old backups for database",
-				"databaseId",
-				backupConfig.DatabaseID,
-				"error",
-				err,
-			)
-			continue
-		}
-
-		for _, backup := range oldBackups {
-			storage, err := s.storageService.GetStorageByID(backup.StorageID)
-			if err != nil {
-				s.logger.Error(
-					"Failed to get storage by ID",
-					"storageId",
-					backup.StorageID,
-					"error",
-					err,
-				)
-				continue
-			}
-
-			encryptor := encryption.GetFieldEncryptor()
-			err = storage.DeleteFile(encryptor, backup.ID)
-			if err != nil {
-				s.logger.Error("Failed to delete backup file", "backupId", backup.ID, "error", err)
-			}
-
-			if err := s.backupRepository.DeleteByID(backup.ID); err != nil {
-				s.logger.Error("Failed to delete old backup", "backupId", backup.ID, "error", err)
-				continue
-			}
-
-			s.logger.Info(
-				"Deleted old backup",
-				"backupId",
-				backup.ID,
-				"databaseId",
-				backupConfig.DatabaseID,
-			)
-		}
-	}
-
-	return nil
-}
-
 func (s *BackupsScheduler) runPendingBackups() error {
 	enabledBackupConfigs, err := s.backupConfigService.GetBackupConfigsWithEnabledBackups()
 	if err != nil {
@@ -414,6 +327,49 @@ func (s *BackupsScheduler) runPendingBackups() error {
 	return nil
 }
 
+func (s *BackupsScheduler) failBackupsInProgress() error {
+	backupsInProgress, err := s.backupRepository.FindByStatus(backups_core.BackupStatusInProgress)
+	if err != nil {
+		return err
+	}
+
+	for _, backup := range backupsInProgress {
+		if err := s.taskCancelManager.CancelTask(backup.ID); err != nil {
+			s.logger.Error(
+				"Failed to cancel backup via task cancel manager",
+				"backupId",
+				backup.ID,
+				"error",
+				err,
+			)
+		}
+
+		backupConfig, err := s.backupConfigService.GetBackupConfigByDbId(backup.DatabaseID)
+		if err != nil {
+			s.logger.Error("Failed to get backup config by database ID", "error", err)
+			continue
+		}
+
+		failMessage := "Backup failed due to application restart"
+		backup.FailMessage = &failMessage
+		backup.Status = backups_core.BackupStatusFailed
+		backup.BackupSizeMb = 0
+
+		s.backuperNode.SendBackupNotification(
+			backupConfig,
+			backup,
+			backups_config.NotificationBackupFailed,
+			&failMessage,
+		)
+
+		if err := s.backupRepository.Save(backup); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
 func (s *BackupsScheduler) calculateLeastBusyNode() (*uuid.UUID, error) {
 	nodes, err := s.backupNodesRegistry.GetAvailableNodes()
 	if err != nil {

backend/internal/features/backups/backups/backuping/scheduler_test.go

@@ -1033,3 +1033,289 @@ func Test_StartBackup_WhenBackupFails_DecrementsActiveTaskCount(t *testing.T) {
 
 	time.Sleep(200 * time.Millisecond)
 }
+
+func Test_StartBackup_WhenBackupAlreadyInProgress_SkipsNewBackup(t *testing.T) {
+	cache_utils.ClearAllCache()
+	backuperNode := CreateTestBackuperNode()
+	cancel := StartBackuperNodeForTest(t, backuperNode)
+	defer StopBackuperNodeForTest(t, cancel, backuperNode)
+
+	user := users_testing.CreateTestUser(users_enums.UserRoleAdmin)
+	router := CreateTestRouter()
+	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", user, router)
+	storage := storages.CreateTestStorage(workspace.ID)
+	notifier := notifiers.CreateTestNotifier(workspace.ID)
+	database := databases.CreateTestDatabase(workspace.ID, storage, notifier)
+
+	defer func() {
+		backups, _ := backupRepository.FindByDatabaseID(database.ID)
+		for _, backup := range backups {
+			backupRepository.DeleteByID(backup.ID)
+		}
+
+		databases.RemoveTestDatabase(database)
+		time.Sleep(50 * time.Millisecond)
+		storages.RemoveTestStorage(storage.ID)
+		notifiers.RemoveTestNotifier(notifier)
+		workspaces_testing.RemoveTestWorkspace(workspace, router)
+	}()
+
+	backupConfig, err := backups_config.GetBackupConfigService().GetBackupConfigByDbId(database.ID)
+	assert.NoError(t, err)
+
+	timeOfDay := "04:00"
+	backupConfig.BackupInterval = &intervals.Interval{
+		Interval:  intervals.IntervalDaily,
+		TimeOfDay: &timeOfDay,
+	}
+	backupConfig.IsBackupsEnabled = true
+	backupConfig.StorePeriod = period.PeriodWeek
+	backupConfig.Storage = storage
+	backupConfig.StorageID = &storage.ID
+
+	_, err = backups_config.GetBackupConfigService().SaveBackupConfig(backupConfig)
+	assert.NoError(t, err)
+
+	// Create an in-progress backup manually
+	inProgressBackup := &backups_core.Backup{
+		DatabaseID:   database.ID,
+		StorageID:    storage.ID,
+		Status:       backups_core.BackupStatusInProgress,
+		BackupSizeMb: 0,
+		CreatedAt:    time.Now().UTC(),
+	}
+	err = backupRepository.Save(inProgressBackup)
+	assert.NoError(t, err)
+
+	// Try to start a new backup - should be skipped
+	GetBackupsScheduler().StartBackup(database.ID, false)
+
+	time.Sleep(200 * time.Millisecond)
+
+	// Verify only 1 backup exists (the original in-progress one)
+	backups, err := backupRepository.FindByDatabaseID(database.ID)
+	assert.NoError(t, err)
+	assert.Len(t, backups, 1)
+	assert.Equal(t, backups_core.BackupStatusInProgress, backups[0].Status)
+	assert.Equal(t, inProgressBackup.ID, backups[0].ID)
+
+	time.Sleep(200 * time.Millisecond)
+}
+
+func Test_RunPendingBackups_WhenLastBackupFailedWithIsSkipRetry_SkipsBackupEvenWithRetriesEnabled(
+	t *testing.T,
+) {
+	cache_utils.ClearAllCache()
+	backuperNode := CreateTestBackuperNode()
+	cancel := StartBackuperNodeForTest(t, backuperNode)
+	defer StopBackuperNodeForTest(t, cancel, backuperNode)
+
+	user := users_testing.CreateTestUser(users_enums.UserRoleAdmin)
+	router := CreateTestRouter()
+	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", user, router)
+	storage := storages.CreateTestStorage(workspace.ID)
+	notifier := notifiers.CreateTestNotifier(workspace.ID)
+	database := databases.CreateTestDatabase(workspace.ID, storage, notifier)
+
+	defer func() {
+		backups, _ := backupRepository.FindByDatabaseID(database.ID)
+		for _, backup := range backups {
+			backupRepository.DeleteByID(backup.ID)
+		}
+
+		databases.RemoveTestDatabase(database)
+		time.Sleep(50 * time.Millisecond)
+		storages.RemoveTestStorage(storage.ID)
+		notifiers.RemoveTestNotifier(notifier)
+		workspaces_testing.RemoveTestWorkspace(workspace, router)
+	}()
+
+	// Enable backups with retries enabled and high retry count
+	backupConfig, err := backups_config.GetBackupConfigService().GetBackupConfigByDbId(database.ID)
+	assert.NoError(t, err)
+
+	timeOfDay := "04:00"
+	backupConfig.BackupInterval = &intervals.Interval{
+		Interval:  intervals.IntervalDaily,
+		TimeOfDay: &timeOfDay,
+	}
+	backupConfig.IsBackupsEnabled = true
+	backupConfig.StorePeriod = period.PeriodWeek
+	backupConfig.Storage = storage
+	backupConfig.StorageID = &storage.ID
+	backupConfig.IsRetryIfFailed = true
+	backupConfig.MaxFailedTriesCount = 5
+
+	_, err = backups_config.GetBackupConfigService().SaveBackupConfig(backupConfig)
+	assert.NoError(t, err)
+
+	// Create a failed backup with IsSkipRetry set to true
+	failMessage := "backup failed due to size limit exceeded"
+	backupRepository.Save(&backups_core.Backup{
+		DatabaseID: database.ID,
+		StorageID:  storage.ID,
+
+		Status:      backups_core.BackupStatusFailed,
+		FailMessage: &failMessage,
+		IsSkipRetry: true,
+
+		CreatedAt: time.Now().UTC().Add(-1 * time.Hour),
+	})
+
+	// Verify GetRemainedBackupTryCount returns 0 even though retries are enabled
+	lastBackup, err := backupRepository.FindLastByDatabaseID(database.ID)
+	assert.NoError(t, err)
+	assert.NotNil(t, lastBackup)
+
+	remainedTries := GetBackupsScheduler().GetRemainedBackupTryCount(lastBackup)
+	assert.Equal(t, 0, remainedTries, "Should return 0 tries when IsSkipRetry is true")
+
+	// Run the scheduler
+	GetBackupsScheduler().runPendingBackups()
+
+	time.Sleep(100 * time.Millisecond)
+
+	// Verify no new backup was created (still only 1 backup exists)
+	backups, err := backupRepository.FindByDatabaseID(database.ID)
+	assert.NoError(t, err)
+	assert.Len(t, backups, 1, "No retry should be attempted when IsSkipRetry is true")
+
+	time.Sleep(200 * time.Millisecond)
+}
+
+func Test_StartBackup_When2BackupsStartedForDifferentDatabases_BothUseCasesAreCalled(t *testing.T) {
+	cache_utils.ClearAllCache()
+
+	// Create mock tracking use case
+	mockUseCase := NewMockTrackingBackupUsecase()
+
+	// Create BackuperNode with mock use case
+	backuperNode := CreateTestBackuperNodeWithUseCase(mockUseCase)
+	cancel := StartBackuperNodeForTest(t, backuperNode)
+	defer StopBackuperNodeForTest(t, cancel, backuperNode)
+
+	// Create scheduler
+	scheduler := CreateTestScheduler()
+	schedulerCancel := StartSchedulerForTest(t, scheduler)
+	defer schedulerCancel()
+
+	// Setup test data
+	user := users_testing.CreateTestUser(users_enums.UserRoleAdmin)
+	router := CreateTestRouter()
+	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", user, router)
+	storage := storages.CreateTestStorage(workspace.ID)
+	notifier := notifiers.CreateTestNotifier(workspace.ID)
+
+	// Create 2 separate databases
+	database1 := databases.CreateTestDatabase(workspace.ID, storage, notifier)
+	database2 := databases.CreateTestDatabase(workspace.ID, storage, notifier)
+
+	defer func() {
+		// Cleanup backups for database1
+		backups1, _ := backupRepository.FindByDatabaseID(database1.ID)
+		for _, backup := range backups1 {
+			backupRepository.DeleteByID(backup.ID)
+		}
+
+		// Cleanup backups for database2
+		backups2, _ := backupRepository.FindByDatabaseID(database2.ID)
+		for _, backup := range backups2 {
+			backupRepository.DeleteByID(backup.ID)
+		}
+
+		databases.RemoveTestDatabase(database1)
+		databases.RemoveTestDatabase(database2)
+		time.Sleep(50 * time.Millisecond)
+		storages.RemoveTestStorage(storage.ID)
+		notifiers.RemoveTestNotifier(notifier)
+		workspaces_testing.RemoveTestWorkspace(workspace, router)
+	}()
+
+	// Enable backups for database1
+	backupConfig1, err := backups_config.GetBackupConfigService().
+		GetBackupConfigByDbId(database1.ID)
+	assert.NoError(t, err)
+
+	timeOfDay := "04:00"
+	backupConfig1.BackupInterval = &intervals.Interval{
+		Interval:  intervals.IntervalDaily,
+		TimeOfDay: &timeOfDay,
+	}
+	backupConfig1.IsBackupsEnabled = true
+	backupConfig1.StorePeriod = period.PeriodWeek
+	backupConfig1.Storage = storage
+	backupConfig1.StorageID = &storage.ID
+
+	_, err = backups_config.GetBackupConfigService().SaveBackupConfig(backupConfig1)
+	assert.NoError(t, err)
+
+	// Enable backups for database2
+	backupConfig2, err := backups_config.GetBackupConfigService().
+		GetBackupConfigByDbId(database2.ID)
+	assert.NoError(t, err)
+
+	backupConfig2.BackupInterval = &intervals.Interval{
+		Interval:  intervals.IntervalDaily,
+		TimeOfDay: &timeOfDay,
+	}
+	backupConfig2.IsBackupsEnabled = true
+	backupConfig2.StorePeriod = period.PeriodWeek
+	backupConfig2.Storage = storage
+	backupConfig2.StorageID = &storage.ID
+
+	_, err = backups_config.GetBackupConfigService().SaveBackupConfig(backupConfig2)
+	assert.NoError(t, err)
+
+	// Start 2 backups simultaneously
+	t.Log("Starting backup for database1")
+	scheduler.StartBackup(database1.ID, false)
+
+	t.Log("Starting backup for database2")
+	scheduler.StartBackup(database2.ID, false)
+
+	// Wait up to 10 seconds for both backups to complete
+	t.Log("Waiting for both backups to complete...")
+
+	success := assert.Eventually(t, func() bool {
+		callCount := mockUseCase.GetCallCount()
+		t.Logf("Current call count: %d/2", callCount)
+		return callCount == 2
+	}, 10*time.Second, 200*time.Millisecond, "Both use cases should be called within 10 seconds")
+
+	if !success {
+		t.Logf("Test failed: Only %d out of 2 use cases were called", mockUseCase.GetCallCount())
+	}
+
+	// Verify both backup IDs were received
+	calledBackupIDs := mockUseCase.GetCalledBackupIDs()
+	t.Logf("Called backup IDs: %v", calledBackupIDs)
+	assert.Len(t, calledBackupIDs, 2, "Both backup IDs should be tracked")
+
+	// Verify both backups exist in repository and are completed
+	backups1, err := backupRepository.FindByDatabaseID(database1.ID)
+	assert.NoError(t, err)
+	assert.Len(t, backups1, 1, "Database1 should have 1 backup")
+	if len(backups1) > 0 {
+		t.Logf("Database1 backup status: %s", backups1[0].Status)
+	}
+
+	backups2, err := backupRepository.FindByDatabaseID(database2.ID)
+	assert.NoError(t, err)
+	assert.Len(t, backups2, 1, "Database2 should have 1 backup")
+	if len(backups2) > 0 {
+		t.Logf("Database2 backup status: %s", backups2[0].Status)
+	}
+
+	// Verify both backups completed successfully
+	if len(backups1) > 0 {
+		assert.Equal(t, backups_core.BackupStatusCompleted, backups1[0].Status,
+			"Database1 backup should be completed")
+	}
+
+	if len(backups2) > 0 {
+		assert.Equal(t, backups_core.BackupStatusCompleted, backups2[0].Status,
+			"Database2 backup should be completed")
+	}
+
+	time.Sleep(200 * time.Millisecond)
+}

backend/internal/features/backups/backups/backuping/testing.go

@@ -55,19 +55,38 @@ func CreateTestBackuperNode() *BackuperNode {
 	}
 }
 
+func CreateTestBackuperNodeWithUseCase(useCase backups_core.CreateBackupUsecase) *BackuperNode {
+	return &BackuperNode{
+		databaseService:     databases.GetDatabaseService(),
+		fieldEncryptor:      encryption.GetFieldEncryptor(),
+		workspaceService:    workspaces_services.GetWorkspaceService(),
+		backupRepository:    backupRepository,
+		backupConfigService: backups_config.GetBackupConfigService(),
+		storageService:      storages.GetStorageService(),
+		notificationSender:  notifiers.GetNotifierService(),
+		backupCancelManager: taskCancelManager,
+		backupNodesRegistry: backupNodesRegistry,
+		logger:              logger.GetLogger(),
+		createBackupUseCase: useCase,
+		nodeID:              uuid.New(),
+		lastHeartbeat:       time.Time{},
+		runOnce:             sync.Once{},
+		hasRun:              atomic.Bool{},
+	}
+}
+
 func CreateTestScheduler() *BackupsScheduler {
 	return &BackupsScheduler{
-		backupRepository,
-		backups_config.GetBackupConfigService(),
-		storages.GetStorageService(),
-		taskCancelManager,
-		backupNodesRegistry,
-		time.Now().UTC(),
-		logger.GetLogger(),
-		make(map[uuid.UUID]BackupToNodeRelation),
-		CreateTestBackuperNode(),
-		sync.Once{},
-		atomic.Bool{},
+		backupRepository:      backupRepository,
+		backupConfigService:   backups_config.GetBackupConfigService(),
+		taskCancelManager:     taskCancelManager,
+		backupNodesRegistry:   backupNodesRegistry,
+		lastBackupTime:        time.Now().UTC(),
+		logger:                logger.GetLogger(),
+		backupToNodeRelations: make(map[uuid.UUID]BackupToNodeRelation),
+		backuperNode:          CreateTestBackuperNode(),
+		runOnce:               sync.Once{},
+		hasRun:                atomic.Bool{},
 	}
 }
 

backend/internal/features/backups/backups/controller_test.go

@@ -80,7 +80,7 @@ func Test_GetBackups_PermissionsEnforced(t *testing.T) {
 			owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
 			workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
 
-			database, _ := createTestDatabaseWithBackups(workspace, owner, router)
+			database, _, storage := createTestDatabaseWithBackups(workspace, owner, router)
 
 			var testUserToken string
 			if tt.isGlobalAdmin {
@@ -122,6 +122,12 @@ func Test_GetBackups_PermissionsEnforced(t *testing.T) {
 			} else {
 				assert.Contains(t, string(testResp.Body), "insufficient permissions")
 			}
+
+			// Cleanup
+			databases.RemoveTestDatabase(database)
+			time.Sleep(50 * time.Millisecond)
+			storages.RemoveTestStorage(storage.ID)
+			workspaces_testing.RemoveTestWorkspace(workspace, router)
 		})
 	}
 }
@@ -218,6 +224,10 @@ func Test_CreateBackup_PermissionsEnforced(t *testing.T) {
 			} else {
 				assert.Contains(t, string(testResp.Body), "insufficient permissions")
 			}
+
+			// Cleanup
+			databases.RemoveTestDatabase(database)
+			workspaces_testing.RemoveTestWorkspace(workspace, router)
 		})
 	}
 }
@@ -261,6 +271,10 @@ func Test_CreateBackup_AuditLogWritten(t *testing.T) {
 		}
 	}
 	assert.True(t, found, "Audit log for backup creation not found")
+
+	// Cleanup
+	databases.RemoveTestDatabase(database)
+	workspaces_testing.RemoveTestWorkspace(workspace, router)
 }
 
 func Test_DeleteBackup_PermissionsEnforced(t *testing.T) {
@@ -314,7 +328,7 @@ func Test_DeleteBackup_PermissionsEnforced(t *testing.T) {
 			owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
 			workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
 
-			database, backup := createTestDatabaseWithBackups(workspace, owner, router)
+			database, backup, storage := createTestDatabaseWithBackups(workspace, owner, router)
 
 			var testUserToken string
 			if tt.isGlobalAdmin {
@@ -358,6 +372,12 @@ func Test_DeleteBackup_PermissionsEnforced(t *testing.T) {
 				assert.NoError(t, err)
 				assert.Equal(t, 0, len(response.Backups))
 			}
+
+			// Cleanup
+			databases.RemoveTestDatabase(database)
+			time.Sleep(50 * time.Millisecond)
+			storages.RemoveTestStorage(storage.ID)
+			workspaces_testing.RemoveTestWorkspace(workspace, router)
 		})
 	}
 }
@@ -367,7 +387,7 @@ func Test_DeleteBackup_AuditLogWritten(t *testing.T) {
 	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
 	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
 
-	database, backup := createTestDatabaseWithBackups(workspace, owner, router)
+	database, backup, storage := createTestDatabaseWithBackups(workspace, owner, router)
 
 	test_utils.MakeDeleteRequest(
 		t,
@@ -398,6 +418,12 @@ func Test_DeleteBackup_AuditLogWritten(t *testing.T) {
 		}
 	}
 	assert.True(t, found, "Audit log for backup deletion not found")
+
+	// Cleanup
+	databases.RemoveTestDatabase(database)
+	time.Sleep(50 * time.Millisecond)
+	storages.RemoveTestStorage(storage.ID)
+	workspaces_testing.RemoveTestWorkspace(workspace, router)
 }
 
 func Test_GenerateDownloadToken_PermissionsEnforced(t *testing.T) {
@@ -444,7 +470,7 @@ func Test_GenerateDownloadToken_PermissionsEnforced(t *testing.T) {
 			owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
 			workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
 
-			_, backup := createTestDatabaseWithBackups(workspace, owner, router)
+			database, backup, storage := createTestDatabaseWithBackups(workspace, owner, router)
 
 			var testUserToken string
 			if tt.isGlobalAdmin {
@@ -488,6 +514,12 @@ func Test_GenerateDownloadToken_PermissionsEnforced(t *testing.T) {
 			} else {
 				assert.Contains(t, string(testResp.Body), "insufficient permissions")
 			}
+
+			// Cleanup
+			databases.RemoveTestDatabase(database)
+			time.Sleep(50 * time.Millisecond)
+			storages.RemoveTestStorage(storage.ID)
+			workspaces_testing.RemoveTestWorkspace(workspace, router)
 		})
 	}
 }
@@ -497,7 +529,7 @@ func Test_DownloadBackup_WithValidToken_Success(t *testing.T) {
 	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
 	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
 
-	_, backup := createTestDatabaseWithBackups(workspace, owner, router)
+	database, backup, storage := createTestDatabaseWithBackups(workspace, owner, router)
 
 	// Generate download token
 	var tokenResponse backups_download.GenerateDownloadTokenResponse
@@ -524,6 +556,12 @@ func Test_DownloadBackup_WithValidToken_Success(t *testing.T) {
 	contentDisposition := testResp.Headers.Get("Content-Disposition")
 	assert.Contains(t, contentDisposition, "attachment")
 	assert.Contains(t, contentDisposition, tokenResponse.Filename)
+
+	// Cleanup
+	databases.RemoveTestDatabase(database)
+	time.Sleep(50 * time.Millisecond)
+	storages.RemoveTestStorage(storage.ID)
+	workspaces_testing.RemoveTestWorkspace(workspace, router)
 }
 
 func Test_DownloadBackup_WithoutToken_Unauthorized(t *testing.T) {
@@ -531,7 +569,7 @@ func Test_DownloadBackup_WithoutToken_Unauthorized(t *testing.T) {
 	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
 	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
 
-	_, backup := createTestDatabaseWithBackups(workspace, owner, router)
+	database, backup, storage := createTestDatabaseWithBackups(workspace, owner, router)
 
 	// Try to download without token
 	testResp := test_utils.MakeGetRequest(
@@ -543,6 +581,12 @@ func Test_DownloadBackup_WithoutToken_Unauthorized(t *testing.T) {
 	)
 
 	assert.Contains(t, string(testResp.Body), "download token is required")
+
+	// Cleanup
+	databases.RemoveTestDatabase(database)
+	time.Sleep(50 * time.Millisecond)
+	storages.RemoveTestStorage(storage.ID)
+	workspaces_testing.RemoveTestWorkspace(workspace, router)
 }
 
 func Test_DownloadBackup_WithInvalidToken_Unauthorized(t *testing.T) {
@@ -550,7 +594,7 @@ func Test_DownloadBackup_WithInvalidToken_Unauthorized(t *testing.T) {
 	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
 	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
 
-	_, backup := createTestDatabaseWithBackups(workspace, owner, router)
+	database, backup, storage := createTestDatabaseWithBackups(workspace, owner, router)
 
 	// Try to download with invalid token
 	testResp := test_utils.MakeGetRequest(
@@ -562,6 +606,12 @@ func Test_DownloadBackup_WithInvalidToken_Unauthorized(t *testing.T) {
 	)
 
 	assert.Contains(t, string(testResp.Body), "invalid or expired download token")
+
+	// Cleanup
+	databases.RemoveTestDatabase(database)
+	time.Sleep(50 * time.Millisecond)
+	storages.RemoveTestStorage(storage.ID)
+	workspaces_testing.RemoveTestWorkspace(workspace, router)
 }
 
 func Test_DownloadBackup_WithExpiredToken_Unauthorized(t *testing.T) {
@@ -569,7 +619,7 @@ func Test_DownloadBackup_WithExpiredToken_Unauthorized(t *testing.T) {
 	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
 	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
 
-	database, backup := createTestDatabaseWithBackups(workspace, owner, router)
+	database, backup, storage := createTestDatabaseWithBackups(workspace, owner, router)
 
 	// Get user for token generation
 	userService := users_services.GetUserService()
@@ -611,6 +661,12 @@ func Test_DownloadBackup_WithExpiredToken_Unauthorized(t *testing.T) {
 		}
 	}
 	assert.False(t, found, "Audit log should NOT be created for failed download with expired token")
+
+	// Cleanup
+	databases.RemoveTestDatabase(database)
+	time.Sleep(50 * time.Millisecond)
+	storages.RemoveTestStorage(storage.ID)
+	workspaces_testing.RemoveTestWorkspace(workspace, router)
 }
 
 func Test_DownloadBackup_TokenUsedOnce_CannotReuseToken(t *testing.T) {
@@ -618,7 +674,7 @@ func Test_DownloadBackup_TokenUsedOnce_CannotReuseToken(t *testing.T) {
 	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
 	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
 
-	_, backup := createTestDatabaseWithBackups(workspace, owner, router)
+	database, backup, storage := createTestDatabaseWithBackups(workspace, owner, router)
 
 	// Generate download token
 	var tokenResponse backups_download.GenerateDownloadTokenResponse
@@ -651,6 +707,12 @@ func Test_DownloadBackup_TokenUsedOnce_CannotReuseToken(t *testing.T) {
 	)
 
 	assert.Contains(t, string(testResp.Body), "invalid or expired download token")
+
+	// Cleanup
+	databases.RemoveTestDatabase(database)
+	time.Sleep(50 * time.Millisecond)
+	storages.RemoveTestStorage(storage.ID)
+	workspaces_testing.RemoveTestWorkspace(workspace, router)
 }
 
 func Test_DownloadBackup_WithDifferentBackupToken_Unauthorized(t *testing.T) {
@@ -705,6 +767,13 @@ func Test_DownloadBackup_WithDifferentBackupToken_Unauthorized(t *testing.T) {
 	)
 
 	assert.Contains(t, string(testResp.Body), "invalid or expired download token")
+
+	// Cleanup
+	databases.RemoveTestDatabase(database1)
+	databases.RemoveTestDatabase(database2)
+	time.Sleep(50 * time.Millisecond)
+	storages.RemoveTestStorage(storage.ID)
+	workspaces_testing.RemoveTestWorkspace(workspace, router)
 }
 
 func Test_DownloadBackup_AuditLogWritten(t *testing.T) {
@@ -712,7 +781,7 @@ func Test_DownloadBackup_AuditLogWritten(t *testing.T) {
 	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
 	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
 
-	database, backup := createTestDatabaseWithBackups(workspace, owner, router)
+	database, backup, storage := createTestDatabaseWithBackups(workspace, owner, router)
 
 	// Generate download token
 	var tokenResponse backups_download.GenerateDownloadTokenResponse
@@ -756,6 +825,12 @@ func Test_DownloadBackup_AuditLogWritten(t *testing.T) {
 		}
 	}
 	assert.True(t, found, "Audit log for backup download not found")
+
+	// Cleanup
+	databases.RemoveTestDatabase(database)
+	time.Sleep(50 * time.Millisecond)
+	storages.RemoveTestStorage(storage.ID)
+	workspaces_testing.RemoveTestWorkspace(workspace, router)
 }
 
 func Test_DownloadBackup_ProperFilenameForPostgreSQL(t *testing.T) {
@@ -856,6 +931,12 @@ func Test_DownloadBackup_ProperFilenameForPostgreSQL(t *testing.T) {
 				contentDisposition,
 				"Filename should contain timestamp",
 			)
+
+			// Cleanup
+			databases.RemoveTestDatabase(database)
+			time.Sleep(50 * time.Millisecond)
+			storages.RemoveTestStorage(storage.ID)
+			workspaces_testing.RemoveTestWorkspace(workspace, router)
 		})
 	}
 }
@@ -948,6 +1029,12 @@ func Test_CancelBackup_InProgressBackup_SuccessfullyCancelled(t *testing.T) {
 		}
 	}
 	assert.True(t, foundCancelLog, "Cancel audit log should be created")
+
+	// Cleanup
+	databases.RemoveTestDatabase(database)
+	time.Sleep(50 * time.Millisecond)
+	storages.RemoveTestStorage(storage.ID)
+	workspaces_testing.RemoveTestWorkspace(workspace, router)
 }
 
 func Test_ConcurrentDownloadPrevention(t *testing.T) {
@@ -955,7 +1042,7 @@ func Test_ConcurrentDownloadPrevention(t *testing.T) {
 	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
 	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
 
-	database, backup := createTestDatabaseWithBackups(workspace, owner, router)
+	database, backup, storage := createTestDatabaseWithBackups(workspace, owner, router)
 
 	var token1Response backups_download.GenerateDownloadTokenResponse
 	test_utils.MakePostRequestAndUnmarshal(
@@ -1003,6 +1090,12 @@ func Test_ConcurrentDownloadPrevention(t *testing.T) {
 	if !service.IsDownloadInProgress(owner.UserID) {
 		t.Log("Warning: First download completed before we could test concurrency")
 		<-downloadComplete
+
+		// Cleanup before early return
+		databases.RemoveTestDatabase(database)
+		time.Sleep(50 * time.Millisecond)
+		storages.RemoveTestStorage(storage.ID)
+		workspaces_testing.RemoveTestWorkspace(workspace, router)
 		return
 	}
 
@@ -1049,6 +1142,12 @@ func Test_ConcurrentDownloadPrevention(t *testing.T) {
 	t.Log(
 		"Successfully prevented concurrent downloads and allowed subsequent downloads after completion",
 	)
+
+	// Cleanup
+	databases.RemoveTestDatabase(database)
+	time.Sleep(50 * time.Millisecond)
+	storages.RemoveTestStorage(storage.ID)
+	workspaces_testing.RemoveTestWorkspace(workspace, router)
 }
 
 func Test_GenerateDownloadToken_BlockedWhenDownloadInProgress(t *testing.T) {
@@ -1056,7 +1155,7 @@ func Test_GenerateDownloadToken_BlockedWhenDownloadInProgress(t *testing.T) {
 	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
 	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
 
-	database, backup := createTestDatabaseWithBackups(workspace, owner, router)
+	database, backup, storage := createTestDatabaseWithBackups(workspace, owner, router)
 
 	var token1Response backups_download.GenerateDownloadTokenResponse
 	test_utils.MakePostRequestAndUnmarshal(
@@ -1092,6 +1191,12 @@ func Test_GenerateDownloadToken_BlockedWhenDownloadInProgress(t *testing.T) {
 	if !service.IsDownloadInProgress(owner.UserID) {
 		t.Log("Warning: First download completed before we could test token generation blocking")
 		<-downloadComplete
+
+		// Cleanup before early return
+		databases.RemoveTestDatabase(database)
+		time.Sleep(50 * time.Millisecond)
+		storages.RemoveTestStorage(storage.ID)
+		workspaces_testing.RemoveTestWorkspace(workspace, router)
 		return
 	}
 
@@ -1131,6 +1236,12 @@ func Test_GenerateDownloadToken_BlockedWhenDownloadInProgress(t *testing.T) {
 	t.Log(
 		"Successfully blocked token generation during download and allowed generation after completion",
 	)
+
+	// Cleanup
+	databases.RemoveTestDatabase(database)
+	time.Sleep(50 * time.Millisecond)
+	storages.RemoveTestStorage(storage.ID)
+	workspaces_testing.RemoveTestWorkspace(workspace, router)
 }
 
 func createTestRouter() *gin.Engine {
@@ -1222,7 +1333,7 @@ func createTestDatabaseWithBackups(
 	workspace *workspaces_models.Workspace,
 	owner *users_dto.SignInResponseDTO,
 	router *gin.Engine,
-) (*databases.Database, *backups_core.Backup) {
+) (*databases.Database, *backups_core.Backup, *storages.Storage) {
 	database := createTestDatabase("Test Database", workspace.ID, owner.Token, router)
 	storage := createTestStorage(workspace.ID)
 
@@ -1242,7 +1353,7 @@ func createTestDatabaseWithBackups(
 
 	backup := createTestBackup(database, owner)
 
-	return database, backup
+	return database, backup, storage
 }
 
 func createTestBackup(
@@ -1320,7 +1431,7 @@ func Test_BandwidthThrottling_SingleDownload_Uses75Percent(t *testing.T) {
 	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
 	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
 
-	_, backup := createTestDatabaseWithBackups(workspace, owner, router)
+	database, backup, storage := createTestDatabaseWithBackups(workspace, owner, router)
 
 	bandwidthManager := backups_download.GetBandwidthManager()
 	initialCount := bandwidthManager.GetActiveDownloadCount()
@@ -1370,6 +1481,12 @@ func Test_BandwidthThrottling_SingleDownload_Uses75Percent(t *testing.T) {
 	time.Sleep(50 * time.Millisecond)
 	finalCount := bandwidthManager.GetActiveDownloadCount()
 	assert.Equal(t, initialCount, finalCount, "Download should be unregistered after completion")
+
+	// Cleanup
+	databases.RemoveTestDatabase(database)
+	time.Sleep(50 * time.Millisecond)
+	storages.RemoveTestStorage(storage.ID)
+	workspaces_testing.RemoveTestWorkspace(workspace, router)
 }
 
 func Test_BandwidthThrottling_MultipleDownloads_ShareBandwidth(t *testing.T) {
@@ -1489,6 +1606,12 @@ func Test_BandwidthThrottling_MultipleDownloads_ShareBandwidth(t *testing.T) {
 	time.Sleep(100 * time.Millisecond)
 	finalCount := bandwidthManager.GetActiveDownloadCount()
 	assert.Equal(t, initialCount, finalCount, "All downloads should be unregistered")
+
+	// Cleanup
+	databases.RemoveTestDatabase(database)
+	time.Sleep(50 * time.Millisecond)
+	storages.RemoveTestStorage(storage.ID)
+	workspaces_testing.RemoveTestWorkspace(workspace, router)
 }
 
 func Test_BandwidthThrottling_DynamicAdjustment(t *testing.T) {
@@ -1577,4 +1700,10 @@ func Test_BandwidthThrottling_DynamicAdjustment(t *testing.T) {
 	time.Sleep(100 * time.Millisecond)
 	finalCount := bandwidthManager.GetActiveDownloadCount()
 	assert.Equal(t, initialCount, finalCount, "All downloads completed and unregistered")
+
+	// Cleanup
+	databases.RemoveTestDatabase(database)
+	time.Sleep(50 * time.Millisecond)
+	storages.RemoveTestStorage(storage.ID)
+	workspaces_testing.RemoveTestWorkspace(workspace, router)
 }

backend/internal/features/backups/backups/core/model.go

@@ -15,6 +15,7 @@ type Backup struct {
 
 	Status      BackupStatus `json:"status"      gorm:"column:status;not null"`
 	FailMessage *string      `json:"failMessage" gorm:"column:fail_message"`
+	IsSkipRetry bool         `json:"isSkipRetry" gorm:"column:is_skip_retry;type:boolean;not null"`
 
 	BackupSizeMb float64 `json:"backupSizeMb" gorm:"column:backup_size_mb;default:0"`
 

backend/internal/features/backups/backups/core/repository.go

@@ -212,3 +212,36 @@ func (r *BackupRepository) CountByDatabaseID(databaseID uuid.UUID) (int64, error
 
 	return count, nil
 }
+
+func (r *BackupRepository) GetTotalSizeByDatabase(databaseID uuid.UUID) (float64, error) {
+	var totalSize float64
+
+	if err := storage.
+		GetDb().
+		Model(&Backup{}).
+		Select("COALESCE(SUM(backup_size_mb), 0)").
+		Where("database_id = ? AND status != ?", databaseID, BackupStatusInProgress).
+		Scan(&totalSize).Error; err != nil {
+		return 0, err
+	}
+
+	return totalSize, nil
+}
+
+func (r *BackupRepository) FindOldestByDatabaseExcludingInProgress(
+	databaseID uuid.UUID,
+	limit int,
+) ([]*Backup, error) {
+	var backups []*Backup
+
+	if err := storage.
+		GetDb().
+		Where("database_id = ? AND status != ?", databaseID, BackupStatusInProgress).
+		Order("created_at ASC").
+		Limit(limit).
+		Find(&backups).Error; err != nil {
+		return nil, err
+	}
+
+	return backups, nil
+}

backend/internal/features/backups/backups/di.go

@@ -25,22 +25,23 @@ var backupRepository = &backups_core.BackupRepository{}
 var taskCancelManager = task_cancellation.GetTaskCancelManager()
 
 var backupService = &BackupService{
-	databaseService:        databases.GetDatabaseService(),
-	storageService:         storages.GetStorageService(),
-	backupRepository:       backupRepository,
-	notifierService:        notifiers.GetNotifierService(),
-	notificationSender:     notifiers.GetNotifierService(),
-	backupConfigService:    backups_config.GetBackupConfigService(),
-	secretKeyService:       encryption_secrets.GetSecretKeyService(),
-	fieldEncryptor:         encryption.GetFieldEncryptor(),
-	createBackupUseCase:    usecases.GetCreateBackupUsecase(),
-	logger:                 logger.GetLogger(),
-	backupRemoveListeners:  []backups_core.BackupRemoveListener{},
-	workspaceService:       workspaces_services.GetWorkspaceService(),
-	auditLogService:        audit_logs.GetAuditLogService(),
-	taskCancelManager:      taskCancelManager,
-	downloadTokenService:   backups_download.GetDownloadTokenService(),
-	backupSchedulerService: backuping.GetBackupsScheduler(),
+	databases.GetDatabaseService(),
+	storages.GetStorageService(),
+	backupRepository,
+	notifiers.GetNotifierService(),
+	notifiers.GetNotifierService(),
+	backups_config.GetBackupConfigService(),
+	encryption_secrets.GetSecretKeyService(),
+	encryption.GetFieldEncryptor(),
+	usecases.GetCreateBackupUsecase(),
+	logger.GetLogger(),
+	[]backups_core.BackupRemoveListener{},
+	workspaces_services.GetWorkspaceService(),
+	audit_logs.GetAuditLogService(),
+	taskCancelManager,
+	backups_download.GetDownloadTokenService(),
+	backuping.GetBackupsScheduler(),
+	backuping.GetBackupCleaner(),
 }
 
 var backupController = &BackupController{

backend/internal/features/backups/backups/service.go

@@ -46,6 +46,7 @@ type BackupService struct {
 	taskCancelManager      *task_cancellation.TaskCancelManager
 	downloadTokenService   *backups_download.DownloadTokenService
 	backupSchedulerService *backuping.BackupsScheduler
+	backupCleaner          *backuping.BackupCleaner
 }
 
 func (s *BackupService) AddBackupRemoveListener(listener backups_core.BackupRemoveListener) {
@@ -189,7 +190,7 @@ func (s *BackupService) DeleteBackup(
 		database.WorkspaceID,
 	)
 
-	return s.deleteBackup(backup)
+	return s.backupCleaner.DeleteBackup(backup)
 }
 
 func (s *BackupService) GetBackup(backupID uuid.UUID) (*backups_core.Backup, error) {
@@ -292,29 +293,6 @@ func (s *BackupService) GetBackupFile(
 	return reader, backup, database, nil
 }
 
-func (s *BackupService) deleteBackup(backup *backups_core.Backup) error {
-	for _, listener := range s.backupRemoveListeners {
-		if err := listener.OnBeforeBackupRemove(backup); err != nil {
-			return err
-		}
-	}
-
-	storage, err := s.storageService.GetStorageByID(backup.StorageID)
-	if err != nil {
-		return err
-	}
-
-	err = storage.DeleteFile(s.fieldEncryptor, backup.ID)
-	if err != nil {
-		// we do not return error here, because sometimes clean up performed
-		// before unavailable storage removal or change - therefore we should
-		// proceed even in case of error
-		s.logger.Error("Failed to delete backup file", "error", err)
-	}
-
-	return s.backupRepository.DeleteByID(backup.ID)
-}
-
 func (s *BackupService) deleteDbBackups(databaseID uuid.UUID) error {
 	dbBackupsInProgress, err := s.backupRepository.FindByDatabaseIdAndStatus(
 		databaseID,
@@ -336,7 +314,7 @@ func (s *BackupService) deleteDbBackups(databaseID uuid.UUID) error {
 	}
 
 	for _, dbBackup := range dbBackups {
-		err := s.deleteBackup(dbBackup)
+		err := s.backupCleaner.DeleteBackup(dbBackup)
 		if err != nil {
 			return err
 		}

backend/internal/features/backups/config/controller.go

@@ -16,6 +16,7 @@ type BackupConfigController struct {
 
 func (c *BackupConfigController) RegisterRoutes(router *gin.RouterGroup) {
 	router.POST("/backup-configs/save", c.SaveBackupConfig)
+	router.GET("/backup-configs/database/:id/plan", c.GetDatabasePlan)
 	router.GET("/backup-configs/database/:id", c.GetBackupConfigByDbID)
 	router.GET("/backup-configs/storage/:id/is-using", c.IsStorageUsing)
 	router.GET("/backup-configs/storage/:id/databases-count", c.CountDatabasesForStorage)
@@ -92,6 +93,39 @@ func (c *BackupConfigController) GetBackupConfigByDbID(ctx *gin.Context) {
 	ctx.JSON(http.StatusOK, backupConfig)
 }
 
+// GetDatabasePlan
+// @Summary Get database plan by database ID
+// @Description Get the plan limits for a specific database (max backup size, max total size, max storage period)
+// @Tags backup-configs
+// @Produce json
+// @Param id path string true "Database ID"
+// @Success 200 {object} plans.DatabasePlan
+// @Failure 400 {object} map[string]string "Invalid database ID"
+// @Failure 401 {object} map[string]string "User not authenticated"
+// @Failure 404 {object} map[string]string "Database not found or access denied"
+// @Router /backup-configs/database/{id}/plan [get]
+func (c *BackupConfigController) GetDatabasePlan(ctx *gin.Context) {
+	user, ok := users_middleware.GetUserFromContext(ctx)
+	if !ok {
+		ctx.JSON(http.StatusUnauthorized, gin.H{"error": "User not authenticated"})
+		return
+	}
+
+	id, err := uuid.Parse(ctx.Param("id"))
+	if err != nil {
+		ctx.JSON(http.StatusBadRequest, gin.H{"error": "invalid database ID"})
+		return
+	}
+
+	plan, err := c.backupConfigService.GetDatabasePlan(user, id)
+	if err != nil {
+		ctx.JSON(http.StatusNotFound, gin.H{"error": "database plan not found"})
+		return
+	}
+
+	ctx.JSON(http.StatusOK, plan)
+}
+
 // IsStorageUsing
 // @Summary Check if storage is being used
 // @Description Check if a storage is currently being used by any backup configuration

backend/internal/features/backups/config/controller_test.go

@@ -6,6 +6,7 @@ import (
 	"net/http"
 	"strconv"
 	"testing"
+	"time"
 
 	"github.com/gin-gonic/gin"
 	"github.com/google/uuid"
@@ -16,11 +17,14 @@ import (
 	"databasus-backend/internal/features/databases/databases/postgresql"
 	"databasus-backend/internal/features/intervals"
 	"databasus-backend/internal/features/notifiers"
+	plans "databasus-backend/internal/features/plan"
 	"databasus-backend/internal/features/storages"
+	local_storage "databasus-backend/internal/features/storages/models/local"
 	users_enums "databasus-backend/internal/features/users/enums"
 	users_testing "databasus-backend/internal/features/users/testing"
 	workspaces_controllers "databasus-backend/internal/features/workspaces/controllers"
 	workspaces_testing "databasus-backend/internal/features/workspaces/testing"
+	"databasus-backend/internal/storage"
 	"databasus-backend/internal/util/period"
 	test_utils "databasus-backend/internal/util/testing"
 	"databasus-backend/internal/util/tools"
@@ -89,6 +93,11 @@ func Test_SaveBackupConfig_PermissionsEnforced(t *testing.T) {
 
 			database := createTestDatabaseViaAPI("Test Database", workspace.ID, owner.Token, router)
 
+			defer func() {
+				databases.RemoveTestDatabase(database)
+				workspaces_testing.RemoveTestWorkspace(workspace, router)
+			}()
+
 			var testUserToken string
 			if tt.isGlobalAdmin {
 				admin := users_testing.CreateTestUser(users_enums.UserRoleAdmin)
@@ -152,6 +161,11 @@ func Test_SaveBackupConfig_WhenUserIsNotWorkspaceMember_ReturnsForbidden(t *test
 
 	database := createTestDatabaseViaAPI("Test Database", workspace.ID, owner.Token, router)
 
+	defer func() {
+		databases.RemoveTestDatabase(database)
+		workspaces_testing.RemoveTestWorkspace(workspace, router)
+	}()
+
 	nonMember := users_testing.CreateTestUser(users_enums.UserRoleMember)
 
 	timeOfDay := "04:00"
@@ -242,6 +256,11 @@ func Test_GetBackupConfigByDbID_PermissionsEnforced(t *testing.T) {
 
 			database := createTestDatabaseViaAPI("Test Database", workspace.ID, owner.Token, router)
 
+			defer func() {
+				databases.RemoveTestDatabase(database)
+				workspaces_testing.RemoveTestWorkspace(workspace, router)
+			}()
+
 			var testUserToken string
 			if tt.isGlobalAdmin {
 				admin := users_testing.CreateTestUser(users_enums.UserRoleAdmin)
@@ -290,6 +309,11 @@ func Test_GetBackupConfigByDbID_ReturnsDefaultConfigForNewDatabase(t *testing.T)
 
 	database := createTestDatabaseViaAPI("Test Database", workspace.ID, owner.Token, router)
 
+	defer func() {
+		databases.RemoveTestDatabase(database)
+		workspaces_testing.RemoveTestWorkspace(workspace, router)
+	}()
+
 	var response BackupConfig
 	test_utils.MakeGetRequestAndUnmarshal(
 		t,
@@ -300,14 +324,214 @@ func Test_GetBackupConfigByDbID_ReturnsDefaultConfigForNewDatabase(t *testing.T)
 		&response,
 	)
 
+	var plan plans.DatabasePlan
+
+	test_utils.MakeGetRequestAndUnmarshal(
+		t,
+		router,
+		"/api/v1/backup-configs/database/"+database.ID.String()+"/plan",
+		"Bearer "+owner.Token,
+		http.StatusOK,
+		&plan,
+	)
+
 	assert.Equal(t, database.ID, response.DatabaseID)
 	assert.False(t, response.IsBackupsEnabled)
-	assert.Equal(t, period.PeriodWeek, response.StorePeriod)
+	assert.Equal(t, plan.MaxStoragePeriod, response.StorePeriod)
+	assert.Equal(t, plan.MaxBackupSizeMB, response.MaxBackupSizeMB)
+	assert.Equal(t, plan.MaxBackupsTotalSizeMB, response.MaxBackupsTotalSizeMB)
 	assert.True(t, response.IsRetryIfFailed)
 	assert.Equal(t, 3, response.MaxFailedTriesCount)
 	assert.NotNil(t, response.BackupInterval)
 }
 
+func Test_GetDatabasePlan_ForNewDatabase_PlanAlwaysReturned(t *testing.T) {
+	router := createTestRouter()
+	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
+	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
+
+	database := createTestDatabaseViaAPI("Test Database", workspace.ID, owner.Token, router)
+
+	defer func() {
+		databases.RemoveTestDatabase(database)
+		workspaces_testing.RemoveTestWorkspace(workspace, router)
+	}()
+
+	var response plans.DatabasePlan
+	test_utils.MakeGetRequestAndUnmarshal(
+		t,
+		router,
+		"/api/v1/backup-configs/database/"+database.ID.String()+"/plan",
+		"Bearer "+owner.Token,
+		http.StatusOK,
+		&response,
+	)
+
+	assert.Equal(t, database.ID, response.DatabaseID)
+	assert.NotNil(t, response.MaxBackupSizeMB)
+	assert.NotNil(t, response.MaxBackupsTotalSizeMB)
+	assert.NotEmpty(t, response.MaxStoragePeriod)
+}
+
+func Test_SaveBackupConfig_WhenPlanLimitsAreAdjusted_ValidationEnforced(t *testing.T) {
+	router := createTestRouter()
+	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
+	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
+
+	database := createTestDatabaseViaAPI("Test Database", workspace.ID, owner.Token, router)
+
+	defer func() {
+		databases.RemoveTestDatabase(database)
+		workspaces_testing.RemoveTestWorkspace(workspace, router)
+	}()
+
+	// Get plan via API (triggers auto-creation)
+	var plan plans.DatabasePlan
+	test_utils.MakeGetRequestAndUnmarshal(
+		t,
+		router,
+		"/api/v1/backup-configs/database/"+database.ID.String()+"/plan",
+		"Bearer "+owner.Token,
+		http.StatusOK,
+		&plan,
+	)
+
+	assert.Equal(t, database.ID, plan.DatabaseID)
+
+	// Adjust plan limits directly in database to fixed restrictive values
+	err := storage.GetDb().Model(&plans.DatabasePlan{}).
+		Where("database_id = ?", database.ID).
+		Updates(map[string]any{
+			"max_backup_size_mb":        100,
+			"max_backups_total_size_mb": 1000,
+			"max_storage_period":        period.PeriodMonth,
+		}).Error
+	assert.NoError(t, err)
+
+	// Test 1: Try to save backup config with exceeded backup size limit
+	timeOfDay := "04:00"
+	backupConfigExceededSize := BackupConfig{
+		DatabaseID:       database.ID,
+		IsBackupsEnabled: true,
+		StorePeriod:      period.PeriodWeek,
+		BackupInterval: &intervals.Interval{
+			Interval:  intervals.IntervalDaily,
+			TimeOfDay: &timeOfDay,
+		},
+		SendNotificationsOn: []BackupNotificationType{
+			NotificationBackupFailed,
+		},
+		IsRetryIfFailed:       true,
+		MaxFailedTriesCount:   3,
+		Encryption:            BackupEncryptionNone,
+		MaxBackupSizeMB:       200, // Exceeds limit of 100
+		MaxBackupsTotalSizeMB: 800,
+	}
+
+	respExceededSize := test_utils.MakePostRequest(
+		t,
+		router,
+		"/api/v1/backup-configs/save",
+		"Bearer "+owner.Token,
+		backupConfigExceededSize,
+		http.StatusBadRequest,
+	)
+	assert.Contains(t, string(respExceededSize.Body), "max backup size exceeds plan limit")
+
+	// Test 2: Try to save backup config with exceeded total size limit
+	backupConfigExceededTotal := BackupConfig{
+		DatabaseID:       database.ID,
+		IsBackupsEnabled: true,
+		StorePeriod:      period.PeriodWeek,
+		BackupInterval: &intervals.Interval{
+			Interval:  intervals.IntervalDaily,
+			TimeOfDay: &timeOfDay,
+		},
+		SendNotificationsOn: []BackupNotificationType{
+			NotificationBackupFailed,
+		},
+		IsRetryIfFailed:       true,
+		MaxFailedTriesCount:   3,
+		Encryption:            BackupEncryptionNone,
+		MaxBackupSizeMB:       50,
+		MaxBackupsTotalSizeMB: 2000, // Exceeds limit of 1000
+	}
+
+	respExceededTotal := test_utils.MakePostRequest(
+		t,
+		router,
+		"/api/v1/backup-configs/save",
+		"Bearer "+owner.Token,
+		backupConfigExceededTotal,
+		http.StatusBadRequest,
+	)
+	assert.Contains(t, string(respExceededTotal.Body), "max total backups size exceeds plan limit")
+
+	// Test 3: Try to save backup config with exceeded storage period limit
+	backupConfigExceededPeriod := BackupConfig{
+		DatabaseID:       database.ID,
+		IsBackupsEnabled: true,
+		StorePeriod:      period.PeriodYear, // Exceeds limit of Month
+		BackupInterval: &intervals.Interval{
+			Interval:  intervals.IntervalDaily,
+			TimeOfDay: &timeOfDay,
+		},
+		SendNotificationsOn: []BackupNotificationType{
+			NotificationBackupFailed,
+		},
+		IsRetryIfFailed:       true,
+		MaxFailedTriesCount:   3,
+		Encryption:            BackupEncryptionNone,
+		MaxBackupSizeMB:       80,
+		MaxBackupsTotalSizeMB: 800,
+	}
+
+	respExceededPeriod := test_utils.MakePostRequest(
+		t,
+		router,
+		"/api/v1/backup-configs/save",
+		"Bearer "+owner.Token,
+		backupConfigExceededPeriod,
+		http.StatusBadRequest,
+	)
+	assert.Contains(t, string(respExceededPeriod.Body), "storage period exceeds plan limit")
+
+	// Test 4: Save backup config within all limits - should succeed
+	backupConfigValid := BackupConfig{
+		DatabaseID:       database.ID,
+		IsBackupsEnabled: true,
+		StorePeriod:      period.PeriodWeek, // Within Month limit
+		BackupInterval: &intervals.Interval{
+			Interval:  intervals.IntervalDaily,
+			TimeOfDay: &timeOfDay,
+		},
+		SendNotificationsOn: []BackupNotificationType{
+			NotificationBackupFailed,
+		},
+		IsRetryIfFailed:       true,
+		MaxFailedTriesCount:   3,
+		Encryption:            BackupEncryptionNone,
+		MaxBackupSizeMB:       80,  // Within 100 limit
+		MaxBackupsTotalSizeMB: 800, // Within 1000 limit
+	}
+
+	var responseValid BackupConfig
+	test_utils.MakePostRequestAndUnmarshal(
+		t,
+		router,
+		"/api/v1/backup-configs/save",
+		"Bearer "+owner.Token,
+		backupConfigValid,
+		http.StatusOK,
+		&responseValid,
+	)
+
+	assert.Equal(t, database.ID, responseValid.DatabaseID)
+	assert.Equal(t, int64(80), responseValid.MaxBackupSizeMB)
+	assert.Equal(t, int64(800), responseValid.MaxBackupsTotalSizeMB)
+	assert.Equal(t, period.PeriodWeek, responseValid.StorePeriod)
+}
+
 func Test_IsStorageUsing_PermissionsEnforced(t *testing.T) {
 	tests := []struct {
 		name               string
@@ -340,6 +564,10 @@ func Test_IsStorageUsing_PermissionsEnforced(t *testing.T) {
 			)
 			storage := createTestStorage(workspace.ID)
 
+			defer func() {
+				workspaces_testing.RemoveTestWorkspace(workspace, router)
+			}()
+
 			var testUserToken string
 			if tt.isStorageOwner {
 				testUserToken = storageOwner.Token
@@ -372,10 +600,6 @@ func Test_IsStorageUsing_PermissionsEnforced(t *testing.T) {
 				)
 				assert.Contains(t, string(testResp.Body), "error")
 			}
-
-			// Cleanup
-			storages.RemoveTestStorage(storage.ID)
-			workspaces_testing.RemoveTestWorkspace(workspace, router)
 		})
 	}
 }
@@ -387,6 +611,11 @@ func Test_SaveBackupConfig_WithEncryptionNone_ConfigSaved(t *testing.T) {
 
 	database := createTestDatabaseViaAPI("Test Database", workspace.ID, owner.Token, router)
 
+	defer func() {
+		databases.RemoveTestDatabase(database)
+		workspaces_testing.RemoveTestWorkspace(workspace, router)
+	}()
+
 	timeOfDay := "04:00"
 	request := BackupConfig{
 		DatabaseID:       database.ID,
@@ -426,6 +655,11 @@ func Test_SaveBackupConfig_WithEncryptionEncrypted_ConfigSaved(t *testing.T) {
 
 	database := createTestDatabaseViaAPI("Test Database", workspace.ID, owner.Token, router)
 
+	defer func() {
+		databases.RemoveTestDatabase(database)
+		workspaces_testing.RemoveTestWorkspace(workspace, router)
+	}()
+
 	timeOfDay := "04:00"
 	request := BackupConfig{
 		DatabaseID:       database.ID,
@@ -536,6 +770,15 @@ func Test_TransferDatabase_PermissionsEnforced(t *testing.T) {
 
 			targetStorage := createTestStorage(targetWorkspace.ID)
 
+			defer func() {
+				// Cleanup in correct order to avoid foreign key violations
+				databases.RemoveTestDatabase(database)
+				time.Sleep(50 * time.Millisecond) // Wait for cascade delete of backup_config
+				storages.RemoveTestStorage(targetStorage.ID)
+				workspaces_testing.RemoveTestWorkspace(sourceWorkspace, router)
+				workspaces_testing.RemoveTestWorkspace(targetWorkspace, router)
+			}()
+
 			var testUserToken string
 			if tt.isGlobalAdmin {
 				admin := users_testing.CreateTestUser(users_enums.UserRoleAdmin)
@@ -628,6 +871,12 @@ func Test_TransferDatabase_NonMemberInSourceWorkspace_CannotTransfer(t *testing.
 		router,
 	)
 
+	defer func() {
+		databases.RemoveTestDatabase(database)
+		workspaces_testing.RemoveTestWorkspace(sourceWorkspace, router)
+		workspaces_testing.RemoveTestWorkspace(targetWorkspace, router)
+	}()
+
 	request := TransferDatabaseRequest{
 		TargetWorkspaceID: targetWorkspace.ID,
 	}
@@ -668,6 +917,12 @@ func Test_TransferDatabase_NonMemberInTargetWorkspace_CannotTransfer(t *testing.
 		router,
 	)
 
+	defer func() {
+		databases.RemoveTestDatabase(database)
+		workspaces_testing.RemoveTestWorkspace(sourceWorkspace, router)
+		workspaces_testing.RemoveTestWorkspace(targetWorkspace, router)
+	}()
+
 	request := TransferDatabaseRequest{
 		TargetWorkspaceID: targetWorkspace.ID,
 	}
@@ -695,6 +950,13 @@ func Test_TransferDatabase_ToNewStorage_DatabaseTransferd(t *testing.T) {
 	sourceStorage := createTestStorage(sourceWorkspace.ID)
 	targetStorage := createTestStorage(targetWorkspace.ID)
 
+	defer func() {
+		databases.RemoveTestDatabase(database)
+		time.Sleep(200 * time.Millisecond) // Wait for cascading deletes
+		workspaces_testing.RemoveTestWorkspace(sourceWorkspace, router)
+		workspaces_testing.RemoveTestWorkspace(targetWorkspace, router)
+	}()
+
 	timeOfDay := "04:00"
 	backupConfigRequest := BackupConfig{
 		DatabaseID:       database.ID,
@@ -774,6 +1036,13 @@ func Test_TransferDatabase_WithExistingStorage_DatabaseAndStorageTransferd(t *te
 	database := createTestDatabaseViaAPI("Test Database", sourceWorkspace.ID, owner.Token, router)
 	storage := createTestStorage(sourceWorkspace.ID)
 
+	defer func() {
+		databases.RemoveTestDatabase(database)
+		time.Sleep(200 * time.Millisecond) // Wait for cascading deletes
+		workspaces_testing.RemoveTestWorkspace(sourceWorkspace, router)
+		workspaces_testing.RemoveTestWorkspace(targetWorkspace, router)
+	}()
+
 	timeOfDay := "04:00"
 	backupConfigRequest := BackupConfig{
 		DatabaseID:       database.ID,
@@ -863,6 +1132,14 @@ func Test_TransferDatabase_StorageHasOtherDBs_CannotTransfer(t *testing.T) {
 	)
 	storage := createTestStorage(sourceWorkspace.ID)
 
+	defer func() {
+		databases.RemoveTestDatabase(database1)
+		databases.RemoveTestDatabase(database2)
+		time.Sleep(200 * time.Millisecond) // Wait for cascading deletes
+		workspaces_testing.RemoveTestWorkspace(sourceWorkspace, router)
+		workspaces_testing.RemoveTestWorkspace(targetWorkspace, router)
+	}()
+
 	timeOfDay := "04:00"
 	backupConfigRequest1 := BackupConfig{
 		DatabaseID:       database1.ID,
@@ -945,6 +1222,14 @@ func Test_TransferDatabase_WithNotifiers_NotifiersTransferred(t *testing.T) {
 	targetStorage := createTestStorage(targetWorkspace.ID)
 	notifier := notifiers.CreateTestNotifier(sourceWorkspace.ID)
 
+	defer func() {
+		databases.RemoveTestDatabase(database)
+		time.Sleep(200 * time.Millisecond)
+		notifiers.RemoveTestNotifier(notifier)
+		workspaces_testing.RemoveTestWorkspace(sourceWorkspace, router)
+		workspaces_testing.RemoveTestWorkspace(targetWorkspace, router)
+	}()
+
 	database.Notifiers = []notifiers.Notifier{*notifier}
 	var updatedDatabase databases.Database
 	test_utils.MakePostRequestAndUnmarshal(
@@ -1048,6 +1333,15 @@ func Test_TransferDatabase_NotifierHasOtherDBs_NotifierSkipped(t *testing.T) {
 	targetStorage := createTestStorage(targetWorkspace.ID)
 	sharedNotifier := notifiers.CreateTestNotifier(sourceWorkspace.ID)
 
+	defer func() {
+		databases.RemoveTestDatabase(database1)
+		databases.RemoveTestDatabase(database2)
+		time.Sleep(200 * time.Millisecond)
+		notifiers.RemoveTestNotifier(sharedNotifier)
+		workspaces_testing.RemoveTestWorkspace(sourceWorkspace, router)
+		workspaces_testing.RemoveTestWorkspace(targetWorkspace, router)
+	}()
+
 	database1.Notifiers = []notifiers.Notifier{*sharedNotifier}
 	test_utils.MakePostRequest(
 		t,
@@ -1160,6 +1454,16 @@ func Test_TransferDatabase_WithMultipleNotifiers_OnlyExclusiveOnesTransferred(t
 	exclusiveNotifier := notifiers.CreateTestNotifier(sourceWorkspace.ID)
 	sharedNotifier := notifiers.CreateTestNotifier(sourceWorkspace.ID)
 
+	defer func() {
+		databases.RemoveTestDatabase(database1)
+		databases.RemoveTestDatabase(database2)
+		time.Sleep(200 * time.Millisecond)
+		notifiers.RemoveTestNotifier(exclusiveNotifier)
+		notifiers.RemoveTestNotifier(sharedNotifier)
+		workspaces_testing.RemoveTestWorkspace(sourceWorkspace, router)
+		workspaces_testing.RemoveTestWorkspace(targetWorkspace, router)
+	}()
+
 	database1.Notifiers = []notifiers.Notifier{*exclusiveNotifier, *sharedNotifier}
 	test_utils.MakePostRequest(
 		t,
@@ -1271,6 +1575,14 @@ func Test_TransferDatabase_WithTargetNotifiers_NotifiersAssigned(t *testing.T) {
 	targetStorage := createTestStorage(targetWorkspace.ID)
 	targetNotifier := notifiers.CreateTestNotifier(targetWorkspace.ID)
 
+	defer func() {
+		databases.RemoveTestDatabase(database)
+		time.Sleep(200 * time.Millisecond)
+		notifiers.RemoveTestNotifier(targetNotifier)
+		workspaces_testing.RemoveTestWorkspace(sourceWorkspace, router)
+		workspaces_testing.RemoveTestWorkspace(targetWorkspace, router)
+	}()
+
 	timeOfDay := "04:00"
 	backupConfigRequest := BackupConfig{
 		DatabaseID:       database.ID,
@@ -1342,6 +1654,15 @@ func Test_TransferDatabase_TargetNotifierFromDifferentWorkspace_ReturnsBadReques
 	targetStorage := createTestStorage(targetWorkspace.ID)
 	wrongNotifier := notifiers.CreateTestNotifier(otherWorkspace.ID)
 
+	defer func() {
+		databases.RemoveTestDatabase(database)
+		time.Sleep(200 * time.Millisecond)
+		notifiers.RemoveTestNotifier(wrongNotifier)
+		workspaces_testing.RemoveTestWorkspace(sourceWorkspace, router)
+		workspaces_testing.RemoveTestWorkspace(targetWorkspace, router)
+		workspaces_testing.RemoveTestWorkspace(otherWorkspace, router)
+	}()
+
 	timeOfDay := "04:00"
 	backupConfigRequest := BackupConfig{
 		DatabaseID:       database.ID,
@@ -1399,6 +1720,14 @@ func Test_TransferDatabase_TargetStorageFromDifferentWorkspace_ReturnsBadRequest
 	sourceStorage := createTestStorage(sourceWorkspace.ID)
 	wrongStorage := createTestStorage(otherWorkspace.ID)
 
+	defer func() {
+		databases.RemoveTestDatabase(database)
+		time.Sleep(200 * time.Millisecond)
+		workspaces_testing.RemoveTestWorkspace(sourceWorkspace, router)
+		workspaces_testing.RemoveTestWorkspace(targetWorkspace, router)
+		workspaces_testing.RemoveTestWorkspace(otherWorkspace, router)
+	}()
+
 	timeOfDay := "04:00"
 	backupConfigRequest := BackupConfig{
 		DatabaseID:       database.ID,
@@ -1443,6 +1772,115 @@ func Test_TransferDatabase_TargetStorageFromDifferentWorkspace_ReturnsBadRequest
 	assert.Contains(t, string(testResp.Body), "target storage does not belong to target workspace")
 }
 
+func Test_SaveBackupConfig_WithSystemStorage_CanBeUsedByAnyDatabase(t *testing.T) {
+	router := createTestRouterWithStorageForTransfer()
+
+	owner1 := users_testing.CreateTestUser(users_enums.UserRoleMember)
+	owner2 := users_testing.CreateTestUser(users_enums.UserRoleMember)
+	admin := users_testing.CreateTestUser(users_enums.UserRoleAdmin)
+
+	workspaceA := workspaces_testing.CreateTestWorkspace("Workspace A", owner1, router)
+	workspaceB := workspaces_testing.CreateTestWorkspace("Workspace B", owner2, router)
+
+	databaseA := createTestDatabaseViaAPI("Database A", workspaceA.ID, owner1.Token, router)
+
+	// Test 1: Regular storage from workspace B cannot be used by database in workspace A
+	regularStorageB := createTestStorage(workspaceB.ID)
+
+	timeOfDay := "04:00"
+	backupConfigWithRegularStorage := BackupConfig{
+		DatabaseID:       databaseA.ID,
+		IsBackupsEnabled: true,
+		StorePeriod:      period.PeriodWeek,
+		BackupInterval: &intervals.Interval{
+			Interval:  intervals.IntervalDaily,
+			TimeOfDay: &timeOfDay,
+		},
+		StorageID: &regularStorageB.ID,
+		Storage:   regularStorageB,
+		SendNotificationsOn: []BackupNotificationType{
+			NotificationBackupFailed,
+		},
+		IsRetryIfFailed:     true,
+		MaxFailedTriesCount: 3,
+		Encryption:          BackupEncryptionNone,
+	}
+
+	respRegular := test_utils.MakePostRequest(
+		t,
+		router,
+		"/api/v1/backup-configs/save",
+		"Bearer "+owner1.Token,
+		backupConfigWithRegularStorage,
+		http.StatusBadRequest,
+	)
+
+	assert.Contains(t, string(respRegular.Body), "storage does not belong to the same workspace")
+
+	// Test 2: System storage from workspace B CAN be used by database in workspace A
+	systemStorageB := &storages.Storage{
+		WorkspaceID:  workspaceB.ID,
+		Type:         storages.StorageTypeLocal,
+		Name:         "Test System Storage " + uuid.New().String(),
+		IsSystem:     true,
+		LocalStorage: &local_storage.LocalStorage{},
+	}
+
+	var savedSystemStorage storages.Storage
+	test_utils.MakePostRequestAndUnmarshal(
+		t,
+		router,
+		"/api/v1/storages",
+		"Bearer "+admin.Token,
+		*systemStorageB,
+		http.StatusOK,
+		&savedSystemStorage,
+	)
+
+	assert.True(t, savedSystemStorage.IsSystem)
+
+	backupConfigWithSystemStorage := BackupConfig{
+		DatabaseID:       databaseA.ID,
+		IsBackupsEnabled: true,
+		StorePeriod:      period.PeriodWeek,
+		BackupInterval: &intervals.Interval{
+			Interval:  intervals.IntervalDaily,
+			TimeOfDay: &timeOfDay,
+		},
+		StorageID: &savedSystemStorage.ID,
+		Storage:   &savedSystemStorage,
+		SendNotificationsOn: []BackupNotificationType{
+			NotificationBackupFailed,
+		},
+		IsRetryIfFailed:     true,
+		MaxFailedTriesCount: 3,
+		Encryption:          BackupEncryptionNone,
+	}
+
+	var savedConfig BackupConfig
+	test_utils.MakePostRequestAndUnmarshal(
+		t,
+		router,
+		"/api/v1/backup-configs/save",
+		"Bearer "+owner1.Token,
+		backupConfigWithSystemStorage,
+		http.StatusOK,
+		&savedConfig,
+	)
+
+	assert.Equal(t, databaseA.ID, savedConfig.DatabaseID)
+	assert.NotNil(t, savedConfig.StorageID)
+	assert.Equal(t, savedSystemStorage.ID, *savedConfig.StorageID)
+	assert.True(t, savedConfig.IsBackupsEnabled)
+
+	// Cleanup: database first (cascades to backup_config), then storages, then workspaces
+	databases.RemoveTestDatabase(databaseA)
+	storages.RemoveTestStorage(regularStorageB.ID)
+	storages.RemoveTestStorage(savedSystemStorage.ID)
+	workspaces_testing.RemoveTestWorkspace(workspaceA, router)
+	workspaces_testing.RemoveTestWorkspace(workspaceB, router)
+}
+
 func createTestDatabaseViaAPI(
 	name string,
 	workspaceID uuid.UUID,

backend/internal/features/backups/config/di.go

@@ -6,6 +6,7 @@ import (
 
 	"databasus-backend/internal/features/databases"
 	"databasus-backend/internal/features/notifiers"
+	plans "databasus-backend/internal/features/plan"
 	"databasus-backend/internal/features/storages"
 	workspaces_services "databasus-backend/internal/features/workspaces/services"
 	"databasus-backend/internal/util/logger"
@@ -18,6 +19,7 @@ var backupConfigService = &BackupConfigService{
 	storages.GetStorageService(),
 	notifiers.GetNotifierService(),
 	workspaces_services.GetWorkspaceService(),
+	plans.GetDatabasePlanService(),
 	nil,
 }
 var backupConfigController = &BackupConfigController{

backend/internal/features/backups/config/model.go

@@ -1,7 +1,9 @@
 package backups_config
 
 import (
+	"databasus-backend/internal/config"
 	"databasus-backend/internal/features/intervals"
+	plans "databasus-backend/internal/features/plan"
 	"databasus-backend/internal/features/storages"
 	"databasus-backend/internal/util/period"
 	"errors"
@@ -31,6 +33,11 @@ type BackupConfig struct {
 	MaxFailedTriesCount int  `json:"maxFailedTriesCount" gorm:"column:max_failed_tries_count;type:int;not null"`
 
 	Encryption BackupEncryption `json:"encryption" gorm:"column:encryption;type:text;not null;default:'NONE'"`
+
+	// MaxBackupSizeMB limits individual backup size. 0 = unlimited.
+	MaxBackupSizeMB int64 `json:"maxBackupSizeMb"       gorm:"column:max_backup_size_mb;type:int;not null"`
+	// MaxBackupsTotalSizeMB limits total size of all backups. 0 = unlimited.
+	MaxBackupsTotalSizeMB int64 `json:"maxBackupsTotalSizeMb" gorm:"column:max_backups_total_size_mb;type:int;not null"`
 }
 
 func (h *BackupConfig) TableName() string {
@@ -70,7 +77,7 @@ func (b *BackupConfig) AfterFind(tx *gorm.DB) error {
 	return nil
 }
 
-func (b *BackupConfig) Validate() error {
+func (b *BackupConfig) Validate(plan *plans.DatabasePlan) error {
 	// Backup interval is required either as ID or as object
 	if b.BackupIntervalID == uuid.Nil && b.BackupInterval == nil {
 		return errors.New("backup interval is required")
@@ -89,20 +96,59 @@ func (b *BackupConfig) Validate() error {
 		return errors.New("encryption must be NONE or ENCRYPTED")
 	}
 
+	if config.GetEnv().IsCloud {
+		if b.Encryption != BackupEncryptionEncrypted {
+			return errors.New("encryption is mandatory for cloud storage")
+		}
+	}
+
+	if b.MaxBackupSizeMB < 0 {
+		return errors.New("max backup size must be non-negative")
+	}
+
+	if b.MaxBackupsTotalSizeMB < 0 {
+		return errors.New("max backups total size must be non-negative")
+	}
+
+	// Validate against plan limits
+	// Check storage period limit
+	if plan.MaxStoragePeriod != period.PeriodForever {
+		if b.StorePeriod.CompareTo(plan.MaxStoragePeriod) > 0 {
+			return errors.New("storage period exceeds plan limit")
+		}
+	}
+
+	// Check max backup size limit (0 in plan means unlimited)
+	if plan.MaxBackupSizeMB > 0 {
+		if b.MaxBackupSizeMB == 0 || b.MaxBackupSizeMB > plan.MaxBackupSizeMB {
+			return errors.New("max backup size exceeds plan limit")
+		}
+	}
+
+	// Check max total backups size limit (0 in plan means unlimited)
+	if plan.MaxBackupsTotalSizeMB > 0 {
+		if b.MaxBackupsTotalSizeMB == 0 ||
+			b.MaxBackupsTotalSizeMB > plan.MaxBackupsTotalSizeMB {
+			return errors.New("max total backups size exceeds plan limit")
+		}
+	}
+
 	return nil
 }
 
 func (b *BackupConfig) Copy(newDatabaseID uuid.UUID) *BackupConfig {
 	return &BackupConfig{
-		DatabaseID:          newDatabaseID,
-		IsBackupsEnabled:    b.IsBackupsEnabled,
-		StorePeriod:         b.StorePeriod,
-		BackupIntervalID:    uuid.Nil,
-		BackupInterval:      b.BackupInterval.Copy(),
-		StorageID:           b.StorageID,
-		SendNotificationsOn: b.SendNotificationsOn,
-		IsRetryIfFailed:     b.IsRetryIfFailed,
-		MaxFailedTriesCount: b.MaxFailedTriesCount,
-		Encryption:          b.Encryption,
+		DatabaseID:            newDatabaseID,
+		IsBackupsEnabled:      b.IsBackupsEnabled,
+		StorePeriod:           b.StorePeriod,
+		BackupIntervalID:      uuid.Nil,
+		BackupInterval:        b.BackupInterval.Copy(),
+		StorageID:             b.StorageID,
+		SendNotificationsOn:   b.SendNotificationsOn,
+		IsRetryIfFailed:       b.IsRetryIfFailed,
+		MaxFailedTriesCount:   b.MaxFailedTriesCount,
+		Encryption:            b.Encryption,
+		MaxBackupSizeMB:       b.MaxBackupSizeMB,
+		MaxBackupsTotalSizeMB: b.MaxBackupsTotalSizeMB,
 	}
 }

backend/internal/features/backups/config/model_test.go

@@ -0,0 +1,391 @@
+package backups_config
+
+import (
+	"testing"
+
+	"databasus-backend/internal/features/intervals"
+	plans "databasus-backend/internal/features/plan"
+	"databasus-backend/internal/util/period"
+
+	"github.com/google/uuid"
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_Validate_WhenStoragePeriodIsWeekAndPlanAllowsMonth_ValidationPasses(t *testing.T) {
+	config := createValidBackupConfig()
+	config.StorePeriod = period.PeriodWeek
+
+	plan := createUnlimitedPlan()
+	plan.MaxStoragePeriod = period.PeriodMonth
+
+	err := config.Validate(plan)
+	assert.NoError(t, err)
+}
+
+func Test_Validate_WhenStoragePeriodIsYearAndPlanAllowsMonth_ValidationFails(t *testing.T) {
+	config := createValidBackupConfig()
+	config.StorePeriod = period.PeriodYear
+
+	plan := createUnlimitedPlan()
+	plan.MaxStoragePeriod = period.PeriodMonth
+
+	err := config.Validate(plan)
+	assert.EqualError(t, err, "storage period exceeds plan limit")
+}
+
+func Test_Validate_WhenStoragePeriodIsForeverAndPlanAllowsForever_ValidationPasses(t *testing.T) {
+	config := createValidBackupConfig()
+	config.StorePeriod = period.PeriodForever
+
+	plan := createUnlimitedPlan()
+	plan.MaxStoragePeriod = period.PeriodForever
+
+	err := config.Validate(plan)
+	assert.NoError(t, err)
+}
+
+func Test_Validate_WhenStoragePeriodIsForeverAndPlanAllowsYear_ValidationFails(t *testing.T) {
+	config := createValidBackupConfig()
+	config.StorePeriod = period.PeriodForever
+
+	plan := createUnlimitedPlan()
+	plan.MaxStoragePeriod = period.PeriodYear
+
+	err := config.Validate(plan)
+	assert.EqualError(t, err, "storage period exceeds plan limit")
+}
+
+func Test_Validate_WhenStoragePeriodEqualsExactPlanLimit_ValidationPasses(t *testing.T) {
+	config := createValidBackupConfig()
+	config.StorePeriod = period.PeriodMonth
+
+	plan := createUnlimitedPlan()
+	plan.MaxStoragePeriod = period.PeriodMonth
+
+	err := config.Validate(plan)
+	assert.NoError(t, err)
+}
+
+func Test_Validate_WhenBackupSize100MBAndPlanAllows500MB_ValidationPasses(t *testing.T) {
+	config := createValidBackupConfig()
+	config.MaxBackupSizeMB = 100
+
+	plan := createUnlimitedPlan()
+	plan.MaxBackupSizeMB = 500
+
+	err := config.Validate(plan)
+	assert.NoError(t, err)
+}
+
+func Test_Validate_WhenBackupSize500MBAndPlanAllows100MB_ValidationFails(t *testing.T) {
+	config := createValidBackupConfig()
+	config.MaxBackupSizeMB = 500
+
+	plan := createUnlimitedPlan()
+	plan.MaxBackupSizeMB = 100
+
+	err := config.Validate(plan)
+	assert.EqualError(t, err, "max backup size exceeds plan limit")
+}
+
+func Test_Validate_WhenBackupSizeIsUnlimitedAndPlanAllowsUnlimited_ValidationPasses(t *testing.T) {
+	config := createValidBackupConfig()
+	config.MaxBackupSizeMB = 0
+
+	plan := createUnlimitedPlan()
+	plan.MaxBackupSizeMB = 0
+
+	err := config.Validate(plan)
+	assert.NoError(t, err)
+}
+
+func Test_Validate_WhenBackupSizeIsUnlimitedAndPlanHas500MBLimit_ValidationFails(t *testing.T) {
+	config := createValidBackupConfig()
+	config.MaxBackupSizeMB = 0
+
+	plan := createUnlimitedPlan()
+	plan.MaxBackupSizeMB = 500
+
+	err := config.Validate(plan)
+	assert.EqualError(t, err, "max backup size exceeds plan limit")
+}
+
+func Test_Validate_WhenBackupSizeEqualsExactPlanLimit_ValidationPasses(t *testing.T) {
+	config := createValidBackupConfig()
+	config.MaxBackupSizeMB = 500
+
+	plan := createUnlimitedPlan()
+	plan.MaxBackupSizeMB = 500
+
+	err := config.Validate(plan)
+	assert.NoError(t, err)
+}
+
+func Test_Validate_WhenTotalSize1GBAndPlanAllows5GB_ValidationPasses(t *testing.T) {
+	config := createValidBackupConfig()
+	config.MaxBackupsTotalSizeMB = 1000
+
+	plan := createUnlimitedPlan()
+	plan.MaxBackupsTotalSizeMB = 5000
+
+	err := config.Validate(plan)
+	assert.NoError(t, err)
+}
+
+func Test_Validate_WhenTotalSize5GBAndPlanAllows1GB_ValidationFails(t *testing.T) {
+	config := createValidBackupConfig()
+	config.MaxBackupsTotalSizeMB = 5000
+
+	plan := createUnlimitedPlan()
+	plan.MaxBackupsTotalSizeMB = 1000
+
+	err := config.Validate(plan)
+	assert.EqualError(t, err, "max total backups size exceeds plan limit")
+}
+
+func Test_Validate_WhenTotalSizeIsUnlimitedAndPlanAllowsUnlimited_ValidationPasses(t *testing.T) {
+	config := createValidBackupConfig()
+	config.MaxBackupsTotalSizeMB = 0
+
+	plan := createUnlimitedPlan()
+	plan.MaxBackupsTotalSizeMB = 0
+
+	err := config.Validate(plan)
+	assert.NoError(t, err)
+}
+
+func Test_Validate_WhenTotalSizeIsUnlimitedAndPlanHas1GBLimit_ValidationFails(t *testing.T) {
+	config := createValidBackupConfig()
+	config.MaxBackupsTotalSizeMB = 0
+
+	plan := createUnlimitedPlan()
+	plan.MaxBackupsTotalSizeMB = 1000
+
+	err := config.Validate(plan)
+	assert.EqualError(t, err, "max total backups size exceeds plan limit")
+}
+
+func Test_Validate_WhenTotalSizeEqualsExactPlanLimit_ValidationPasses(t *testing.T) {
+	config := createValidBackupConfig()
+	config.MaxBackupsTotalSizeMB = 5000
+
+	plan := createUnlimitedPlan()
+	plan.MaxBackupsTotalSizeMB = 5000
+
+	err := config.Validate(plan)
+	assert.NoError(t, err)
+}
+
+func Test_Validate_WhenAllLimitsAreUnlimitedInPlan_AnyConfigurationPasses(t *testing.T) {
+	config := createValidBackupConfig()
+	config.StorePeriod = period.PeriodForever
+	config.MaxBackupSizeMB = 0
+	config.MaxBackupsTotalSizeMB = 0
+
+	plan := createUnlimitedPlan()
+
+	err := config.Validate(plan)
+	assert.NoError(t, err)
+}
+
+func Test_Validate_WhenMultipleLimitsExceeded_ValidationFailsWithFirstError(t *testing.T) {
+	config := createValidBackupConfig()
+	config.StorePeriod = period.PeriodYear
+	config.MaxBackupSizeMB = 500
+	config.MaxBackupsTotalSizeMB = 5000
+
+	plan := createUnlimitedPlan()
+	plan.MaxStoragePeriod = period.PeriodMonth
+	plan.MaxBackupSizeMB = 100
+	plan.MaxBackupsTotalSizeMB = 1000
+
+	err := config.Validate(plan)
+	assert.Error(t, err)
+	assert.EqualError(t, err, "storage period exceeds plan limit")
+}
+
+func Test_Validate_WhenConfigHasInvalidIntervalButPlanIsValid_ValidationFailsOnInterval(
+	t *testing.T,
+) {
+	config := createValidBackupConfig()
+	config.BackupIntervalID = uuid.Nil
+	config.BackupInterval = nil
+
+	plan := createUnlimitedPlan()
+
+	err := config.Validate(plan)
+	assert.EqualError(t, err, "backup interval is required")
+}
+
+func Test_Validate_WhenIntervalIsMissing_ValidationFailsRegardlessOfPlan(t *testing.T) {
+	config := createValidBackupConfig()
+	config.BackupIntervalID = uuid.Nil
+	config.BackupInterval = nil
+
+	plan := createUnlimitedPlan()
+
+	err := config.Validate(plan)
+	assert.EqualError(t, err, "backup interval is required")
+}
+
+func Test_Validate_WhenRetryEnabledButMaxTriesIsZero_ValidationFailsRegardlessOfPlan(t *testing.T) {
+	config := createValidBackupConfig()
+	config.IsRetryIfFailed = true
+	config.MaxFailedTriesCount = 0
+
+	plan := createUnlimitedPlan()
+
+	err := config.Validate(plan)
+	assert.EqualError(t, err, "max failed tries count must be greater than 0")
+}
+
+func Test_Validate_WhenEncryptionIsInvalid_ValidationFailsRegardlessOfPlan(t *testing.T) {
+	config := createValidBackupConfig()
+	config.Encryption = "INVALID"
+
+	plan := createUnlimitedPlan()
+
+	err := config.Validate(plan)
+	assert.EqualError(t, err, "encryption must be NONE or ENCRYPTED")
+}
+
+func Test_Validate_WhenStoragePeriodIsEmpty_ValidationFails(t *testing.T) {
+	config := createValidBackupConfig()
+	config.StorePeriod = ""
+
+	plan := createUnlimitedPlan()
+
+	err := config.Validate(plan)
+	assert.EqualError(t, err, "store period is required")
+}
+
+func Test_Validate_WhenMaxBackupSizeIsNegative_ValidationFails(t *testing.T) {
+	config := createValidBackupConfig()
+	config.MaxBackupSizeMB = -100
+
+	plan := createUnlimitedPlan()
+
+	err := config.Validate(plan)
+	assert.EqualError(t, err, "max backup size must be non-negative")
+}
+
+func Test_Validate_WhenMaxTotalSizeIsNegative_ValidationFails(t *testing.T) {
+	config := createValidBackupConfig()
+	config.MaxBackupsTotalSizeMB = -1000
+
+	plan := createUnlimitedPlan()
+
+	err := config.Validate(plan)
+	assert.EqualError(t, err, "max backups total size must be non-negative")
+}
+
+func Test_Validate_WhenPlanLimitsAreAtBoundary_ValidationWorks(t *testing.T) {
+	tests := []struct {
+		name          string
+		configPeriod  period.Period
+		planPeriod    period.Period
+		configSize    int64
+		planSize      int64
+		configTotal   int64
+		planTotal     int64
+		shouldSucceed bool
+	}{
+		{
+			name:          "all values just under limit",
+			configPeriod:  period.PeriodWeek,
+			planPeriod:    period.PeriodMonth,
+			configSize:    99,
+			planSize:      100,
+			configTotal:   999,
+			planTotal:     1000,
+			shouldSucceed: true,
+		},
+		{
+			name:          "all values equal to limit",
+			configPeriod:  period.PeriodMonth,
+			planPeriod:    period.PeriodMonth,
+			configSize:    100,
+			planSize:      100,
+			configTotal:   1000,
+			planTotal:     1000,
+			shouldSucceed: true,
+		},
+		{
+			name:          "period just over limit",
+			configPeriod:  period.Period3Month,
+			planPeriod:    period.PeriodMonth,
+			configSize:    100,
+			planSize:      100,
+			configTotal:   1000,
+			planTotal:     1000,
+			shouldSucceed: false,
+		},
+		{
+			name:          "size just over limit",
+			configPeriod:  period.PeriodMonth,
+			planPeriod:    period.PeriodMonth,
+			configSize:    101,
+			planSize:      100,
+			configTotal:   1000,
+			planTotal:     1000,
+			shouldSucceed: false,
+		},
+		{
+			name:          "total size just over limit",
+			configPeriod:  period.PeriodMonth,
+			planPeriod:    period.PeriodMonth,
+			configSize:    100,
+			planSize:      100,
+			configTotal:   1001,
+			planTotal:     1000,
+			shouldSucceed: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			config := createValidBackupConfig()
+			config.StorePeriod = tt.configPeriod
+			config.MaxBackupSizeMB = tt.configSize
+			config.MaxBackupsTotalSizeMB = tt.configTotal
+
+			plan := createUnlimitedPlan()
+			plan.MaxStoragePeriod = tt.planPeriod
+			plan.MaxBackupSizeMB = tt.planSize
+			plan.MaxBackupsTotalSizeMB = tt.planTotal
+
+			err := config.Validate(plan)
+			if tt.shouldSucceed {
+				assert.NoError(t, err)
+			} else {
+				assert.Error(t, err)
+			}
+		})
+	}
+}
+
+func createValidBackupConfig() *BackupConfig {
+	intervalID := uuid.New()
+	return &BackupConfig{
+		DatabaseID:            uuid.New(),
+		IsBackupsEnabled:      true,
+		StorePeriod:           period.PeriodMonth,
+		BackupIntervalID:      intervalID,
+		BackupInterval:        &intervals.Interval{ID: intervalID},
+		SendNotificationsOn:   []BackupNotificationType{},
+		IsRetryIfFailed:       false,
+		MaxFailedTriesCount:   3,
+		Encryption:            BackupEncryptionNone,
+		MaxBackupSizeMB:       100,
+		MaxBackupsTotalSizeMB: 1000,
+	}
+}
+
+func createUnlimitedPlan() *plans.DatabasePlan {
+	return &plans.DatabasePlan{
+		DatabaseID:            uuid.New(),
+		MaxBackupSizeMB:       0,
+		MaxBackupsTotalSizeMB: 0,
+		MaxStoragePeriod:      period.PeriodForever,
+	}
+}

backend/internal/features/backups/config/notifiers_test.go

@@ -26,6 +26,12 @@ func Test_AttachNotifierFromSameWorkspace_SuccessfullyAttached(t *testing.T) {
 	database := createTestDatabaseViaAPI("Test Database", workspace.ID, owner.Token, router)
 	notifier := notifiers.CreateTestNotifier(workspace.ID)
 
+	defer func() {
+		databases.RemoveTestDatabase(database)
+		notifiers.RemoveTestNotifier(notifier)
+		workspaces_testing.RemoveTestWorkspace(workspace, router)
+	}()
+
 	database.Notifiers = []notifiers.Notifier{*notifier}
 
 	var response databases.Database
@@ -55,6 +61,13 @@ func Test_AttachNotifierFromDifferentWorkspace_ReturnsForbidden(t *testing.T) {
 	workspace2 := workspaces_testing.CreateTestWorkspace("Workspace 2", owner2, router)
 	notifier := notifiers.CreateTestNotifier(workspace2.ID)
 
+	defer func() {
+		databases.RemoveTestDatabase(database)
+		notifiers.RemoveTestNotifier(notifier)
+		workspaces_testing.RemoveTestWorkspace(workspace1, router)
+		workspaces_testing.RemoveTestWorkspace(workspace2, router)
+	}()
+
 	database.Notifiers = []notifiers.Notifier{*notifier}
 
 	testResp := test_utils.MakePostRequest(
@@ -77,6 +90,12 @@ func Test_DeleteNotifierWithAttachedDatabases_CannotDelete(t *testing.T) {
 	database := createTestDatabaseViaAPI("Test Database", workspace.ID, owner.Token, router)
 	notifier := notifiers.CreateTestNotifier(workspace.ID)
 
+	defer func() {
+		databases.RemoveTestDatabase(database)
+		notifiers.RemoveTestNotifier(notifier)
+		workspaces_testing.RemoveTestWorkspace(workspace, router)
+	}()
+
 	database.Notifiers = []notifiers.Notifier{*notifier}
 
 	var response databases.Database
@@ -114,6 +133,13 @@ func Test_TransferNotifierWithAttachedDatabase_CannotTransfer(t *testing.T) {
 	database := createTestDatabaseViaAPI("Test Database", workspace.ID, owner.Token, router)
 	notifier := notifiers.CreateTestNotifier(workspace.ID)
 
+	defer func() {
+		databases.RemoveTestDatabase(database)
+		notifiers.RemoveTestNotifier(notifier)
+		workspaces_testing.RemoveTestWorkspace(workspace, router)
+		workspaces_testing.RemoveTestWorkspace(targetWorkspace, router)
+	}()
+
 	database.Notifiers = []notifiers.Notifier{*notifier}
 
 	var response databases.Database

backend/internal/features/backups/config/service.go

@@ -6,10 +6,10 @@ import (
 	"databasus-backend/internal/features/databases"
 	"databasus-backend/internal/features/intervals"
 	"databasus-backend/internal/features/notifiers"
+	plans "databasus-backend/internal/features/plan"
 	"databasus-backend/internal/features/storages"
 	users_models "databasus-backend/internal/features/users/models"
 	workspaces_services "databasus-backend/internal/features/workspaces/services"
-	"databasus-backend/internal/util/period"
 
 	"github.com/google/uuid"
 )
@@ -20,6 +20,7 @@ type BackupConfigService struct {
 	storageService         *storages.StorageService
 	notifierService        *notifiers.NotifierService
 	workspaceService       *workspaces_services.WorkspaceService
+	databasePlanService    *plans.DatabasePlanService
 
 	dbStorageChangeListener BackupConfigStorageChangeListener
 }
@@ -45,7 +46,12 @@ func (s *BackupConfigService) SaveBackupConfigWithAuth(
 	user *users_models.User,
 	backupConfig *BackupConfig,
 ) (*BackupConfig, error) {
-	if err := backupConfig.Validate(); err != nil {
+	plan, err := s.databasePlanService.GetDatabasePlan(backupConfig.DatabaseID)
+	if err != nil {
+		return nil, err
+	}
+
+	if err := backupConfig.Validate(plan); err != nil {
 		return nil, err
 	}
 
@@ -71,7 +77,7 @@ func (s *BackupConfigService) SaveBackupConfigWithAuth(
 		if err != nil {
 			return nil, err
 		}
-		if storage.WorkspaceID != *database.WorkspaceID {
+		if storage.WorkspaceID != *database.WorkspaceID && !storage.IsSystem {
 			return nil, errors.New("storage does not belong to the same workspace as the database")
 		}
 	}
@@ -82,7 +88,12 @@ func (s *BackupConfigService) SaveBackupConfigWithAuth(
 func (s *BackupConfigService) SaveBackupConfig(
 	backupConfig *BackupConfig,
 ) (*BackupConfig, error) {
-	if err := backupConfig.Validate(); err != nil {
+	plan, err := s.databasePlanService.GetDatabasePlan(backupConfig.DatabaseID)
+	if err != nil {
+		return nil, err
+	}
+
+	if err := backupConfig.Validate(plan); err != nil {
 		return nil, err
 	}
 
@@ -120,6 +131,18 @@ func (s *BackupConfigService) GetBackupConfigByDbIdWithAuth(
 	return s.GetBackupConfigByDbId(databaseID)
 }
 
+func (s *BackupConfigService) GetDatabasePlan(
+	user *users_models.User,
+	databaseID uuid.UUID,
+) (*plans.DatabasePlan, error) {
+	_, err := s.databaseService.GetDatabase(user, databaseID)
+	if err != nil {
+		return nil, err
+	}
+
+	return s.databasePlanService.GetDatabasePlan(databaseID)
+}
+
 func (s *BackupConfigService) GetBackupConfigByDbId(
 	databaseID uuid.UUID,
 ) (*BackupConfig, error) {
@@ -194,12 +217,19 @@ func (s *BackupConfigService) CreateDisabledBackupConfig(databaseID uuid.UUID) e
 func (s *BackupConfigService) initializeDefaultConfig(
 	databaseID uuid.UUID,
 ) error {
+	plan, err := s.databasePlanService.GetDatabasePlan(databaseID)
+	if err != nil {
+		return err
+	}
+
 	timeOfDay := "04:00"
 
-	_, err := s.backupConfigRepository.Save(&BackupConfig{
-		DatabaseID:       databaseID,
-		IsBackupsEnabled: false,
-		StorePeriod:      period.PeriodWeek,
+	_, err = s.backupConfigRepository.Save(&BackupConfig{
+		DatabaseID:            databaseID,
+		IsBackupsEnabled:      false,
+		StorePeriod:           plan.MaxStoragePeriod,
+		MaxBackupSizeMB:       plan.MaxBackupSizeMB,
+		MaxBackupsTotalSizeMB: plan.MaxBackupsTotalSizeMB,
 		BackupInterval: &intervals.Interval{
 			Interval:  intervals.IntervalDaily,
 			TimeOfDay: &timeOfDay,

backend/internal/features/backups/config/storages_test.go

@@ -27,6 +27,12 @@ func Test_AttachStorageFromSameWorkspace_SuccessfullyAttached(t *testing.T) {
 	database := createTestDatabaseViaAPI("Test Database", workspace.ID, owner.Token, router)
 	storage := createTestStorage(workspace.ID)
 
+	defer func() {
+		databases.RemoveTestDatabase(database)
+		storages.RemoveTestStorage(storage.ID)
+		workspaces_testing.RemoveTestWorkspace(workspace, router)
+	}()
+
 	timeOfDay := "04:00"
 	request := BackupConfig{
 		DatabaseID:       database.ID,
@@ -72,6 +78,13 @@ func Test_AttachStorageFromDifferentWorkspace_ReturnsForbidden(t *testing.T) {
 	workspace2 := workspaces_testing.CreateTestWorkspace("Workspace 2", owner2, router)
 	storage := createTestStorage(workspace2.ID)
 
+	defer func() {
+		databases.RemoveTestDatabase(database)
+		storages.RemoveTestStorage(storage.ID)
+		workspaces_testing.RemoveTestWorkspace(workspace1, router)
+		workspaces_testing.RemoveTestWorkspace(workspace2, router)
+	}()
+
 	timeOfDay := "04:00"
 	request := BackupConfig{
 		DatabaseID:       database.ID,
@@ -110,6 +123,12 @@ func Test_DeleteStorageWithAttachedDatabases_CannotDelete(t *testing.T) {
 	database := createTestDatabaseViaAPI("Test Database", workspace.ID, owner.Token, router)
 	storage := createTestStorage(workspace.ID)
 
+	defer func() {
+		databases.RemoveTestDatabase(database)
+		storages.RemoveTestStorage(storage.ID)
+		workspaces_testing.RemoveTestWorkspace(workspace, router)
+	}()
+
 	timeOfDay := "04:00"
 	request := BackupConfig{
 		DatabaseID:       database.ID,
@@ -163,6 +182,13 @@ func Test_TransferStorageWithAttachedDatabase_CannotTransfer(t *testing.T) {
 	database := createTestDatabaseViaAPI("Test Database", workspace.ID, owner.Token, router)
 	storage := createTestStorage(workspace.ID)
 
+	defer func() {
+		databases.RemoveTestDatabase(database)
+		storages.RemoveTestStorage(storage.ID)
+		workspaces_testing.RemoveTestWorkspace(workspace, router)
+		workspaces_testing.RemoveTestWorkspace(targetWorkspace, router)
+	}()
+
 	timeOfDay := "04:00"
 	request := BackupConfig{
 		DatabaseID:       database.ID,

backend/internal/features/databases/controller_test.go

@@ -25,80 +25,6 @@ import (
 	"databasus-backend/internal/util/tools"
 )
 
-func createTestRouter() *gin.Engine {
-	router := workspaces_testing.CreateTestRouter(
-		workspaces_controllers.GetWorkspaceController(),
-		workspaces_controllers.GetMembershipController(),
-		GetDatabaseController(),
-	)
-	return router
-}
-
-func getTestPostgresConfig() *postgresql.PostgresqlDatabase {
-	env := config.GetEnv()
-	port, err := strconv.Atoi(env.TestPostgres16Port)
-	if err != nil {
-		panic(fmt.Sprintf("Failed to parse TEST_POSTGRES_16_PORT: %v", err))
-	}
-
-	testDbName := "testdb"
-	return &postgresql.PostgresqlDatabase{
-		Version:  tools.PostgresqlVersion16,
-		Host:     config.GetEnv().TestLocalhost,
-		Port:     port,
-		Username: "testuser",
-		Password: "testpassword",
-		Database: &testDbName,
-		CpuCount: 1,
-	}
-}
-
-func getTestMariadbConfig() *mariadb.MariadbDatabase {
-	env := config.GetEnv()
-	portStr := env.TestMariadb1011Port
-	if portStr == "" {
-		portStr = "33111"
-	}
-	port, err := strconv.Atoi(portStr)
-	if err != nil {
-		panic(fmt.Sprintf("Failed to parse TEST_MARIADB_1011_PORT: %v", err))
-	}
-
-	testDbName := "testdb"
-	return &mariadb.MariadbDatabase{
-		Version:  tools.MariadbVersion1011,
-		Host:     config.GetEnv().TestLocalhost,
-		Port:     port,
-		Username: "testuser",
-		Password: "testpassword",
-		Database: &testDbName,
-	}
-}
-
-func getTestMongodbConfig() *mongodb.MongodbDatabase {
-	env := config.GetEnv()
-	portStr := env.TestMongodb70Port
-	if portStr == "" {
-		portStr = "27070"
-	}
-	port, err := strconv.Atoi(portStr)
-	if err != nil {
-		panic(fmt.Sprintf("Failed to parse TEST_MONGODB_70_PORT: %v", err))
-	}
-
-	return &mongodb.MongodbDatabase{
-		Version:      tools.MongodbVersion7,
-		Host:         config.GetEnv().TestLocalhost,
-		Port:         port,
-		Username:     "root",
-		Password:     "rootpassword",
-		Database:     "testdb",
-		AuthDatabase: "admin",
-		IsHttps:      false,
-		CpuCount:     1,
-	}
-}
-
 func Test_CreateDatabase_PermissionsEnforced(t *testing.T) {
 	tests := []struct {
 		name               string
@@ -142,6 +68,7 @@ func Test_CreateDatabase_PermissionsEnforced(t *testing.T) {
 			router := createTestRouter()
 			owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
 			workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
+			defer workspaces_testing.RemoveTestWorkspace(workspace, router)
 
 			var testUserToken string
 			if tt.isGlobalAdmin {
@@ -180,6 +107,7 @@ func Test_CreateDatabase_PermissionsEnforced(t *testing.T) {
 			)
 
 			if tt.expectSuccess {
+				defer RemoveTestDatabase(&response)
 				assert.Equal(t, "Test Database", response.Name)
 				assert.NotEqual(t, uuid.Nil, response.ID)
 			} else {
@@ -193,6 +121,7 @@ func Test_CreateDatabase_WhenUserIsNotWorkspaceMember_ReturnsForbidden(t *testin
 	router := createTestRouter()
 	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
 	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
+	defer workspaces_testing.RemoveTestWorkspace(workspace, router)
 
 	nonMember := users_testing.CreateTestUser(users_enums.UserRoleMember)
 
@@ -258,8 +187,10 @@ func Test_UpdateDatabase_PermissionsEnforced(t *testing.T) {
 			router := createTestRouter()
 			owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
 			workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
+			defer workspaces_testing.RemoveTestWorkspace(workspace, router)
 
 			database := createTestDatabaseViaAPI("Test Database", workspace.ID, owner.Token, router)
+			defer RemoveTestDatabase(database)
 
 			var testUserToken string
 			if tt.isGlobalAdmin {
@@ -305,8 +236,10 @@ func Test_UpdateDatabase_WhenUserIsNotWorkspaceMember_ReturnsForbidden(t *testin
 	router := createTestRouter()
 	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
 	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
+	defer workspaces_testing.RemoveTestWorkspace(workspace, router)
 
 	database := createTestDatabaseViaAPI("Test Database", workspace.ID, owner.Token, router)
+	defer RemoveTestDatabase(database)
 
 	nonMember := users_testing.CreateTestUser(users_enums.UserRoleMember)
 	database.Name = "Hacked Name"
@@ -366,6 +299,7 @@ func Test_DeleteDatabase_PermissionsEnforced(t *testing.T) {
 			router := createTestRouter()
 			owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
 			workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
+			defer workspaces_testing.RemoveTestWorkspace(workspace, router)
 
 			database := createTestDatabaseViaAPI("Test Database", workspace.ID, owner.Token, router)
 
@@ -396,6 +330,7 @@ func Test_DeleteDatabase_PermissionsEnforced(t *testing.T) {
 			)
 
 			if !tt.expectSuccess {
+				defer RemoveTestDatabase(database)
 				assert.Contains(t, string(testResp.Body), "insufficient permissions")
 			}
 		})
@@ -439,8 +374,10 @@ func Test_GetDatabase_PermissionsEnforced(t *testing.T) {
 			router := createTestRouter()
 			owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
 			workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
+			defer workspaces_testing.RemoveTestWorkspace(workspace, router)
 
 			database := createTestDatabaseViaAPI("Test Database", workspace.ID, owner.Token, router)
+			defer RemoveTestDatabase(database)
 
 			var testUser string
 			if tt.isGlobalAdmin {
@@ -517,9 +454,12 @@ func Test_GetDatabasesByWorkspace_PermissionsEnforced(t *testing.T) {
 			router := createTestRouter()
 			owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
 			workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
+			defer workspaces_testing.RemoveTestWorkspace(workspace, router)
 
-			createTestDatabaseViaAPI("Database 1", workspace.ID, owner.Token, router)
-			createTestDatabaseViaAPI("Database 2", workspace.ID, owner.Token, router)
+			db1 := createTestDatabaseViaAPI("Database 1", workspace.ID, owner.Token, router)
+			defer RemoveTestDatabase(db1)
+			db2 := createTestDatabaseViaAPI("Database 2", workspace.ID, owner.Token, router)
+			defer RemoveTestDatabase(db2)
 
 			var testUser string
 			if tt.isGlobalAdmin {
@@ -561,10 +501,14 @@ func Test_GetDatabasesByWorkspace_WhenMultipleDatabasesExist_ReturnsCorrectCount
 	router := createTestRouter()
 	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
 	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
+	defer workspaces_testing.RemoveTestWorkspace(workspace, router)
 
-	createTestDatabaseViaAPI("Database 1", workspace.ID, owner.Token, router)
-	createTestDatabaseViaAPI("Database 2", workspace.ID, owner.Token, router)
-	createTestDatabaseViaAPI("Database 3", workspace.ID, owner.Token, router)
+	db1 := createTestDatabaseViaAPI("Database 1", workspace.ID, owner.Token, router)
+	defer RemoveTestDatabase(db1)
+	db2 := createTestDatabaseViaAPI("Database 2", workspace.ID, owner.Token, router)
+	defer RemoveTestDatabase(db2)
+	db3 := createTestDatabaseViaAPI("Database 3", workspace.ID, owner.Token, router)
+	defer RemoveTestDatabase(db3)
 
 	var response []Database
 	test_utils.MakeGetRequestAndUnmarshal(
@@ -583,14 +527,19 @@ func Test_GetDatabasesByWorkspace_EnsuresCrossWorkspaceIsolation(t *testing.T) {
 	router := createTestRouter()
 	owner1 := users_testing.CreateTestUser(users_enums.UserRoleMember)
 	workspace1 := workspaces_testing.CreateTestWorkspace("Workspace 1", owner1, router)
+	defer workspaces_testing.RemoveTestWorkspace(workspace1, router)
 
 	owner2 := users_testing.CreateTestUser(users_enums.UserRoleMember)
 	workspace2 := workspaces_testing.CreateTestWorkspace("Workspace 2", owner2, router)
+	defer workspaces_testing.RemoveTestWorkspace(workspace2, router)
 
-	createTestDatabaseViaAPI("Workspace1 DB1", workspace1.ID, owner1.Token, router)
-	createTestDatabaseViaAPI("Workspace1 DB2", workspace1.ID, owner1.Token, router)
+	workspace1Db1 := createTestDatabaseViaAPI("Workspace1 DB1", workspace1.ID, owner1.Token, router)
+	defer RemoveTestDatabase(workspace1Db1)
+	workspace1Db2 := createTestDatabaseViaAPI("Workspace1 DB2", workspace1.ID, owner1.Token, router)
+	defer RemoveTestDatabase(workspace1Db2)
 
-	createTestDatabaseViaAPI("Workspace2 DB1", workspace2.ID, owner2.Token, router)
+	workspace2Db1 := createTestDatabaseViaAPI("Workspace2 DB1", workspace2.ID, owner2.Token, router)
+	defer RemoveTestDatabase(workspace2Db1)
 
 	var workspace1Dbs []Database
 	test_utils.MakeGetRequestAndUnmarshal(
@@ -667,8 +616,10 @@ func Test_CopyDatabase_PermissionsEnforced(t *testing.T) {
 			router := createTestRouter()
 			owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
 			workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
+			defer workspaces_testing.RemoveTestWorkspace(workspace, router)
 
 			database := createTestDatabaseViaAPI("Test Database", workspace.ID, owner.Token, router)
+			defer RemoveTestDatabase(database)
 
 			var testUserToken string
 			if tt.isGlobalAdmin {
@@ -700,6 +651,7 @@ func Test_CopyDatabase_PermissionsEnforced(t *testing.T) {
 			)
 
 			if tt.expectSuccess {
+				defer RemoveTestDatabase(&response)
 				assert.NotEqual(t, database.ID, response.ID)
 				assert.Contains(t, response.Name, "(Copy)")
 			} else {
@@ -713,8 +665,10 @@ func Test_CopyDatabase_CopyStaysInSameWorkspace(t *testing.T) {
 	router := createTestRouter()
 	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
 	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
+	defer workspaces_testing.RemoveTestWorkspace(workspace, router)
 
 	database := createTestDatabaseViaAPI("Test Database", workspace.ID, owner.Token, router)
+	defer RemoveTestDatabase(database)
 
 	var response Database
 	test_utils.MakePostRequestAndUnmarshal(
@@ -727,139 +681,14 @@ func Test_CopyDatabase_CopyStaysInSameWorkspace(t *testing.T) {
 		&response,
 	)
 
+	defer RemoveTestDatabase(&response)
+
 	assert.NotEqual(t, database.ID, response.ID)
 	assert.Equal(t, "Test Database (Copy)", response.Name)
 	assert.Equal(t, workspace.ID, *response.WorkspaceID)
 	assert.Equal(t, database.Type, response.Type)
 }
 
-func Test_TestConnection_PermissionsEnforced(t *testing.T) {
-	tests := []struct {
-		name                    string
-		isMember                bool
-		isGlobalAdmin           bool
-		expectAccessGranted     bool
-		expectedStatusCodeOnErr int
-	}{
-		{
-			name:                    "workspace member can test connection",
-			isMember:                true,
-			isGlobalAdmin:           false,
-			expectAccessGranted:     true,
-			expectedStatusCodeOnErr: http.StatusBadRequest,
-		},
-		{
-			name:                    "non-member cannot test connection",
-			isMember:                false,
-			isGlobalAdmin:           false,
-			expectAccessGranted:     false,
-			expectedStatusCodeOnErr: http.StatusBadRequest,
-		},
-		{
-			name:                    "global admin can test connection",
-			isMember:                false,
-			isGlobalAdmin:           true,
-			expectAccessGranted:     true,
-			expectedStatusCodeOnErr: http.StatusBadRequest,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			router := createTestRouter()
-			owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
-			workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
-
-			database := createTestDatabaseViaAPI("Test Database", workspace.ID, owner.Token, router)
-
-			var testUser string
-			if tt.isGlobalAdmin {
-				admin := users_testing.CreateTestUser(users_enums.UserRoleAdmin)
-				testUser = admin.Token
-			} else if tt.isMember {
-				testUser = owner.Token
-			} else {
-				nonMember := users_testing.CreateTestUser(users_enums.UserRoleMember)
-				testUser = nonMember.Token
-			}
-
-			w := workspaces_testing.MakeAPIRequest(
-				router,
-				"POST",
-				"/api/v1/databases/"+database.ID.String()+"/test-connection",
-				"Bearer "+testUser,
-				nil,
-			)
-
-			body := w.Body.String()
-
-			if tt.expectAccessGranted {
-				assert.True(
-					t,
-					w.Code == http.StatusOK ||
-						(w.Code == http.StatusBadRequest && strings.Contains(body, "connect")),
-					"Expected 200 OK or 400 with connection error, got %d: %s",
-					w.Code,
-					body,
-				)
-			} else {
-				assert.Equal(t, tt.expectedStatusCodeOnErr, w.Code)
-				assert.Contains(t, body, "insufficient permissions")
-			}
-		})
-	}
-}
-
-func createTestDatabaseViaAPI(
-	name string,
-	workspaceID uuid.UUID,
-	token string,
-	router *gin.Engine,
-) *Database {
-	env := config.GetEnv()
-	port, err := strconv.Atoi(env.TestPostgres16Port)
-	if err != nil {
-		panic(fmt.Sprintf("Failed to parse TEST_POSTGRES_16_PORT: %v", err))
-	}
-
-	testDbName := "testdb"
-	request := Database{
-		Name:        name,
-		WorkspaceID: &workspaceID,
-		Type:        DatabaseTypePostgres,
-		Postgresql: &postgresql.PostgresqlDatabase{
-			Version:  tools.PostgresqlVersion16,
-			Host:     config.GetEnv().TestLocalhost,
-			Port:     port,
-			Username: "testuser",
-			Password: "testpassword",
-			Database: &testDbName,
-			CpuCount: 1,
-		},
-	}
-
-	w := workspaces_testing.MakeAPIRequest(
-		router,
-		"POST",
-		"/api/v1/databases/create",
-		"Bearer "+token,
-		request,
-	)
-
-	if w.Code != http.StatusCreated {
-		panic(
-			fmt.Sprintf("Failed to create database. Status: %d, Body: %s", w.Code, w.Body.String()),
-		)
-	}
-
-	var database Database
-	if err := json.Unmarshal(w.Body.Bytes(), &database); err != nil {
-		panic(err)
-	}
-
-	return &database
-}
-
 func Test_CreateDatabase_PasswordIsEncryptedInDB(t *testing.T) {
 	router := createTestRouter()
 	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
@@ -1141,3 +970,206 @@ func Test_DatabaseSensitiveDataLifecycle_AllTypes(t *testing.T) {
 		})
 	}
 }
+
+func Test_TestConnection_PermissionsEnforced(t *testing.T) {
+	tests := []struct {
+		name                    string
+		isMember                bool
+		isGlobalAdmin           bool
+		expectAccessGranted     bool
+		expectedStatusCodeOnErr int
+	}{
+		{
+			name:                    "workspace member can test connection",
+			isMember:                true,
+			isGlobalAdmin:           false,
+			expectAccessGranted:     true,
+			expectedStatusCodeOnErr: http.StatusBadRequest,
+		},
+		{
+			name:                    "non-member cannot test connection",
+			isMember:                false,
+			isGlobalAdmin:           false,
+			expectAccessGranted:     false,
+			expectedStatusCodeOnErr: http.StatusBadRequest,
+		},
+		{
+			name:                    "global admin can test connection",
+			isMember:                false,
+			isGlobalAdmin:           true,
+			expectAccessGranted:     true,
+			expectedStatusCodeOnErr: http.StatusBadRequest,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			router := createTestRouter()
+			owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
+			workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
+			defer workspaces_testing.RemoveTestWorkspace(workspace, router)
+
+			database := createTestDatabaseViaAPI("Test Database", workspace.ID, owner.Token, router)
+			defer RemoveTestDatabase(database)
+
+			var testUser string
+			if tt.isGlobalAdmin {
+				admin := users_testing.CreateTestUser(users_enums.UserRoleAdmin)
+				testUser = admin.Token
+			} else if tt.isMember {
+				testUser = owner.Token
+			} else {
+				nonMember := users_testing.CreateTestUser(users_enums.UserRoleMember)
+				testUser = nonMember.Token
+			}
+
+			w := workspaces_testing.MakeAPIRequest(
+				router,
+				"POST",
+				"/api/v1/databases/"+database.ID.String()+"/test-connection",
+				"Bearer "+testUser,
+				nil,
+			)
+
+			body := w.Body.String()
+
+			if tt.expectAccessGranted {
+				assert.True(
+					t,
+					w.Code == http.StatusOK ||
+						(w.Code == http.StatusBadRequest && strings.Contains(body, "connect")),
+					"Expected 200 OK or 400 with connection error, got %d: %s",
+					w.Code,
+					body,
+				)
+			} else {
+				assert.Equal(t, tt.expectedStatusCodeOnErr, w.Code)
+				assert.Contains(t, body, "insufficient permissions")
+			}
+		})
+	}
+}
+
+func createTestDatabaseViaAPI(
+	name string,
+	workspaceID uuid.UUID,
+	token string,
+	router *gin.Engine,
+) *Database {
+	env := config.GetEnv()
+	port, err := strconv.Atoi(env.TestPostgres16Port)
+	if err != nil {
+		panic(fmt.Sprintf("Failed to parse TEST_POSTGRES_16_PORT: %v", err))
+	}
+
+	testDbName := "testdb"
+	request := Database{
+		Name:        name,
+		WorkspaceID: &workspaceID,
+		Type:        DatabaseTypePostgres,
+		Postgresql: &postgresql.PostgresqlDatabase{
+			Version:  tools.PostgresqlVersion16,
+			Host:     config.GetEnv().TestLocalhost,
+			Port:     port,
+			Username: "testuser",
+			Password: "testpassword",
+			Database: &testDbName,
+			CpuCount: 1,
+		},
+	}
+
+	w := workspaces_testing.MakeAPIRequest(
+		router,
+		"POST",
+		"/api/v1/databases/create",
+		"Bearer "+token,
+		request,
+	)
+
+	if w.Code != http.StatusCreated {
+		panic(
+			fmt.Sprintf("Failed to create database. Status: %d, Body: %s", w.Code, w.Body.String()),
+		)
+	}
+
+	var database Database
+	if err := json.Unmarshal(w.Body.Bytes(), &database); err != nil {
+		panic(err)
+	}
+
+	return &database
+}
+
+func createTestRouter() *gin.Engine {
+	router := workspaces_testing.CreateTestRouter(
+		workspaces_controllers.GetWorkspaceController(),
+		workspaces_controllers.GetMembershipController(),
+		GetDatabaseController(),
+	)
+	return router
+}
+
+func getTestPostgresConfig() *postgresql.PostgresqlDatabase {
+	env := config.GetEnv()
+	port, err := strconv.Atoi(env.TestPostgres16Port)
+	if err != nil {
+		panic(fmt.Sprintf("Failed to parse TEST_POSTGRES_16_PORT: %v", err))
+	}
+
+	testDbName := "testdb"
+	return &postgresql.PostgresqlDatabase{
+		Version:  tools.PostgresqlVersion16,
+		Host:     config.GetEnv().TestLocalhost,
+		Port:     port,
+		Username: "testuser",
+		Password: "testpassword",
+		Database: &testDbName,
+		CpuCount: 1,
+	}
+}
+
+func getTestMariadbConfig() *mariadb.MariadbDatabase {
+	env := config.GetEnv()
+	portStr := env.TestMariadb1011Port
+	if portStr == "" {
+		portStr = "33111"
+	}
+	port, err := strconv.Atoi(portStr)
+	if err != nil {
+		panic(fmt.Sprintf("Failed to parse TEST_MARIADB_1011_PORT: %v", err))
+	}
+
+	testDbName := "testdb"
+	return &mariadb.MariadbDatabase{
+		Version:  tools.MariadbVersion1011,
+		Host:     config.GetEnv().TestLocalhost,
+		Port:     port,
+		Username: "testuser",
+		Password: "testpassword",
+		Database: &testDbName,
+	}
+}
+
+func getTestMongodbConfig() *mongodb.MongodbDatabase {
+	env := config.GetEnv()
+	portStr := env.TestMongodb70Port
+	if portStr == "" {
+		portStr = "27070"
+	}
+	port, err := strconv.Atoi(portStr)
+	if err != nil {
+		panic(fmt.Sprintf("Failed to parse TEST_MONGODB_70_PORT: %v", err))
+	}
+
+	return &mongodb.MongodbDatabase{
+		Version:      tools.MongodbVersion7,
+		Host:         config.GetEnv().TestLocalhost,
+		Port:         port,
+		Username:     "root",
+		Password:     "rootpassword",
+		Database:     "testdb",
+		AuthDatabase: "admin",
+		IsHttps:      false,
+		CpuCount:     1,
+	}
+}

backend/internal/features/databases/databases/mariadb/model.go

@@ -515,9 +515,13 @@ func detectPrivileges(ctx context.Context, db *sql.DB, database string) (string,
 	hasProcess := false
 	hasAllPrivileges := false
 
+	// Escape underscores to match MariaDB's grant output format
+	// MariaDB escapes _ as \_ in SHOW GRANTS output
+	// Pattern matches either literal _ or escaped \_
+	escapedDbName := strings.ReplaceAll(regexp.QuoteMeta(database), "_", `(_|\\_)`)
 	dbPatternStr := fmt.Sprintf(
 		`(?i)ON\s+[\x60'"]?%s[\x60'"]?\s*\.\s*\*`,
-		regexp.QuoteMeta(database),
+		escapedDbName,
 	)
 	dbPattern := regexp.MustCompile(dbPatternStr)
 	globalPattern := regexp.MustCompile(`(?i)ON\s+\*\s*\.\s*\*`)

backend/internal/features/databases/databases/mariadb/model_test.go

@@ -694,6 +694,115 @@ func Test_TestConnection_DatabaseWithUnderscores_Success(t *testing.T) {
 	assert.NoError(t, err)
 }
 
+func Test_TestConnection_DatabaseWithUnderscoresAndAllPrivileges_Success(t *testing.T) {
+	env := config.GetEnv()
+	cases := []struct {
+		name    string
+		version tools.MariadbVersion
+		port    string
+	}{
+		{"MariaDB 5.5", tools.MariadbVersion55, env.TestMariadb55Port},
+		{"MariaDB 10.1", tools.MariadbVersion101, env.TestMariadb101Port},
+		{"MariaDB 10.2", tools.MariadbVersion102, env.TestMariadb102Port},
+		{"MariaDB 10.3", tools.MariadbVersion103, env.TestMariadb103Port},
+		{"MariaDB 10.4", tools.MariadbVersion104, env.TestMariadb104Port},
+		{"MariaDB 10.5", tools.MariadbVersion105, env.TestMariadb105Port},
+		{"MariaDB 10.6", tools.MariadbVersion106, env.TestMariadb106Port},
+		{"MariaDB 10.11", tools.MariadbVersion1011, env.TestMariadb1011Port},
+		{"MariaDB 11.4", tools.MariadbVersion114, env.TestMariadb114Port},
+		{"MariaDB 11.8", tools.MariadbVersion118, env.TestMariadb118Port},
+		{"MariaDB 12.0", tools.MariadbVersion120, env.TestMariadb120Port},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			container := connectToMariadbContainer(t, tc.port, tc.version)
+			defer container.DB.Close()
+
+			underscoreDbName := "test_all_db"
+
+			_, err := container.DB.Exec(
+				fmt.Sprintf("DROP DATABASE IF EXISTS `%s`", underscoreDbName),
+			)
+			assert.NoError(t, err)
+
+			_, err = container.DB.Exec(fmt.Sprintf("CREATE DATABASE `%s`", underscoreDbName))
+			assert.NoError(t, err)
+
+			defer func() {
+				_, _ = container.DB.Exec(
+					fmt.Sprintf("DROP DATABASE IF EXISTS `%s`", underscoreDbName),
+				)
+			}()
+
+			underscoreDSN := fmt.Sprintf(
+				"%s:%s@tcp(%s:%d)/%s?parseTime=true",
+				container.Username,
+				container.Password,
+				container.Host,
+				container.Port,
+				underscoreDbName,
+			)
+			underscoreDB, err := sqlx.Connect("mysql", underscoreDSN)
+			assert.NoError(t, err)
+			defer underscoreDB.Close()
+
+			_, err = underscoreDB.Exec(`
+				CREATE TABLE all_priv_test (
+					id INT AUTO_INCREMENT PRIMARY KEY,
+					data VARCHAR(255) NOT NULL
+				)
+			`)
+			assert.NoError(t, err)
+
+			_, err = underscoreDB.Exec(`INSERT INTO all_priv_test (data) VALUES ('test1')`)
+			assert.NoError(t, err)
+
+			allPrivUsername := fmt.Sprintf("allpriv%s", uuid.New().String()[:8])
+			allPrivPassword := "allprivpass123"
+
+			_, err = underscoreDB.Exec(fmt.Sprintf(
+				"CREATE USER '%s'@'%%' IDENTIFIED BY '%s'",
+				allPrivUsername,
+				allPrivPassword,
+			))
+			assert.NoError(t, err)
+
+			_, err = underscoreDB.Exec(fmt.Sprintf(
+				"GRANT ALL PRIVILEGES ON `%s`.* TO '%s'@'%%'",
+				underscoreDbName,
+				allPrivUsername,
+			))
+			assert.NoError(t, err)
+
+			_, err = underscoreDB.Exec("FLUSH PRIVILEGES")
+			assert.NoError(t, err)
+
+			defer dropUserSafe(underscoreDB, allPrivUsername)
+
+			mariadbModel := &MariadbDatabase{
+				Version:  tc.version,
+				Host:     container.Host,
+				Port:     container.Port,
+				Username: allPrivUsername,
+				Password: allPrivPassword,
+				Database: &underscoreDbName,
+				IsHttps:  false,
+			}
+
+			logger := slog.New(slog.NewTextHandler(os.Stdout, nil))
+
+			err = mariadbModel.TestConnection(logger, nil, uuid.New())
+			assert.NoError(t, err)
+			assert.NotEmpty(t, mariadbModel.Privileges)
+			assert.Contains(t, mariadbModel.Privileges, "SELECT")
+			assert.Contains(t, mariadbModel.Privileges, "SHOW VIEW")
+		})
+	}
+}
+
 type MariadbContainer struct {
 	Host     string
 	Port     int

backend/internal/features/databases/databases/mysql/model.go

@@ -489,9 +489,13 @@ func detectPrivileges(ctx context.Context, db *sql.DB, database string) (string,
 	hasProcess := false
 	hasAllPrivileges := false
 
+	// Escape underscores to match MySQL's grant output format
+	// MySQL escapes _ as \_ in SHOW GRANTS output
+	// Pattern matches either literal _ or escaped \_
+	escapedDbName := strings.ReplaceAll(regexp.QuoteMeta(database), "_", `(_|\\_)`)
 	dbPatternStr := fmt.Sprintf(
 		`(?i)ON\s+[\x60'"]?%s[\x60'"]?\s*\.\s*\*`,
-		regexp.QuoteMeta(database),
+		escapedDbName,
 	)
 	dbPattern := regexp.MustCompile(dbPatternStr)
 	globalPattern := regexp.MustCompile(`(?i)ON\s+\*\s*\.\s*\*`)

backend/internal/features/databases/databases/mysql/model_test.go

@@ -674,6 +674,112 @@ func Test_TestConnection_DatabaseWithUnderscores_Success(t *testing.T) {
 	assert.NoError(t, err)
 }
 
+func Test_TestConnection_DatabaseWithUnderscoresAndAllPrivileges_Success(t *testing.T) {
+	env := config.GetEnv()
+	cases := []struct {
+		name    string
+		version tools.MysqlVersion
+		port    string
+	}{
+		{"MySQL 5.7", tools.MysqlVersion57, env.TestMysql57Port},
+		{"MySQL 8.0", tools.MysqlVersion80, env.TestMysql80Port},
+		{"MySQL 8.4", tools.MysqlVersion84, env.TestMysql84Port},
+		{"MySQL 9", tools.MysqlVersion9, env.TestMysql90Port},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			container := connectToMysqlContainer(t, tc.port, tc.version)
+			defer container.DB.Close()
+
+			underscoreDbName := "test_all_db"
+
+			_, err := container.DB.Exec(
+				fmt.Sprintf("DROP DATABASE IF EXISTS `%s`", underscoreDbName),
+			)
+			assert.NoError(t, err)
+
+			_, err = container.DB.Exec(fmt.Sprintf("CREATE DATABASE `%s`", underscoreDbName))
+			assert.NoError(t, err)
+
+			defer func() {
+				_, _ = container.DB.Exec(
+					fmt.Sprintf("DROP DATABASE IF EXISTS `%s`", underscoreDbName),
+				)
+			}()
+
+			underscoreDSN := fmt.Sprintf(
+				"%s:%s@tcp(%s:%d)/%s?parseTime=true",
+				container.Username,
+				container.Password,
+				container.Host,
+				container.Port,
+				underscoreDbName,
+			)
+			underscoreDB, err := sqlx.Connect("mysql", underscoreDSN)
+			assert.NoError(t, err)
+			defer underscoreDB.Close()
+
+			_, err = underscoreDB.Exec(`
+				CREATE TABLE all_priv_test (
+					id INT AUTO_INCREMENT PRIMARY KEY,
+					data VARCHAR(255) NOT NULL
+				)
+			`)
+			assert.NoError(t, err)
+
+			_, err = underscoreDB.Exec(`INSERT INTO all_priv_test (data) VALUES ('test1')`)
+			assert.NoError(t, err)
+
+			allPrivUsername := fmt.Sprintf("allpriv_%s", uuid.New().String()[:8])
+			allPrivPassword := "allprivpass123"
+
+			_, err = underscoreDB.Exec(fmt.Sprintf(
+				"CREATE USER '%s'@'%%' IDENTIFIED BY '%s'",
+				allPrivUsername,
+				allPrivPassword,
+			))
+			assert.NoError(t, err)
+
+			_, err = underscoreDB.Exec(fmt.Sprintf(
+				"GRANT ALL PRIVILEGES ON `%s`.* TO '%s'@'%%'",
+				underscoreDbName,
+				allPrivUsername,
+			))
+			assert.NoError(t, err)
+
+			_, err = underscoreDB.Exec("FLUSH PRIVILEGES")
+			assert.NoError(t, err)
+
+			defer func() {
+				_, _ = container.DB.Exec(
+					fmt.Sprintf("DROP USER IF EXISTS '%s'@'%%'", allPrivUsername),
+				)
+			}()
+
+			mysqlModel := &MysqlDatabase{
+				Version:  tc.version,
+				Host:     container.Host,
+				Port:     container.Port,
+				Username: allPrivUsername,
+				Password: allPrivPassword,
+				Database: &underscoreDbName,
+				IsHttps:  false,
+			}
+
+			logger := slog.New(slog.NewTextHandler(os.Stdout, nil))
+
+			err = mysqlModel.TestConnection(logger, nil, uuid.New())
+			assert.NoError(t, err)
+			assert.NotEmpty(t, mysqlModel.Privileges)
+			assert.Contains(t, mysqlModel.Privileges, "SELECT")
+			assert.Contains(t, mysqlModel.Privileges, "SHOW VIEW")
+		})
+	}
+}
+
 type MysqlContainer struct {
 	Host     string
 	Port     int

backend/internal/features/databases/databases/postgresql/model.go

@@ -13,6 +13,7 @@ import (
 
 	"github.com/google/uuid"
 	"github.com/jackc/pgx/v5"
+	"github.com/jackc/pgx/v5/pgconn"
 	"gorm.io/gorm"
 )
 
@@ -394,10 +395,13 @@ func (p *PostgresqlDatabase) IsUserReadOnly(
 //
 // This method performs the following operations atomically in a single transaction:
 // 1. Creates a PostgreSQL user with a UUID-based password
-// 2. Grants CONNECT privilege on the database
-// 3. Grants USAGE on all non-system schemas
-// 4. Grants SELECT on all existing tables and sequences
-// 5. Sets default privileges for future tables and sequences
+// 2. Revokes CREATE privilege on public schema from PUBLIC role
+// 3. Grants CONNECT privilege on the database
+// 4. Discovers all user-created schemas
+// 5. Grants USAGE on all non-system schemas
+// 6. Grants SELECT on all existing tables and sequences
+// 7. Sets default privileges for future tables and sequences
+// 8. Verifies user creation before committing
 //
 // Security features:
 // - Username format: "databasus-{8-char-uuid}" for uniqueness
@@ -487,33 +491,56 @@ func (p *PostgresqlDatabase) CreateReadOnlyUser(
 			return "", "", fmt.Errorf("failed to create user: %w", err)
 		}
 
-		// Step 1.5: Revoke CREATE privilege from PUBLIC role on public schema
+		// Step 2: Check if public schema exists and revoke CREATE privilege if it does
 		// This is necessary because all PostgreSQL users inherit CREATE privilege on the
 		// public schema through the PUBLIC role. This is a one-time operation that affects
 		// the entire database, making it more secure by default.
 		// Note: This only affects the public schema; other schemas are unaffected.
-		_, err = tx.Exec(ctx, `REVOKE CREATE ON SCHEMA public FROM PUBLIC`)
-		if err != nil {
-			logger.Error("Failed to revoke CREATE on public from PUBLIC", "error", err)
-			if !strings.Contains(err.Error(), "schema \"public\" does not exist") &&
-				!strings.Contains(err.Error(), "permission denied") {
-				return "", "", fmt.Errorf("failed to revoke CREATE from PUBLIC: %w", err)
-			}
-		}
-
-		// Now revoke from the specific user as well (belt and suspenders)
-		_, err = tx.Exec(ctx, fmt.Sprintf(`REVOKE CREATE ON SCHEMA public FROM "%s"`, baseUsername))
-		if err != nil {
-			logger.Error(
-				"Failed to revoke CREATE on public schema from user",
-				"error",
-				err,
-				"username",
-				baseUsername,
+		var publicSchemaExists bool
+		err = tx.QueryRow(ctx, `
+			SELECT EXISTS(
+				SELECT 1 FROM information_schema.schemata 
+				WHERE schema_name = 'public'
 			)
+		`).Scan(&publicSchemaExists)
+		if err != nil {
+			return "", "", fmt.Errorf("failed to check if public schema exists: %w", err)
 		}
 
-		// Step 2: Grant database connection privilege and revoke TEMP
+		if publicSchemaExists {
+			// Revoke CREATE from PUBLIC role (affects all users)
+			_, err = tx.Exec(ctx, `REVOKE CREATE ON SCHEMA public FROM PUBLIC`)
+			if err != nil {
+				if strings.Contains(err.Error(), "permission denied") {
+					logger.Warn(
+						"Failed to revoke CREATE on public from PUBLIC (permission denied)",
+						"error",
+						err,
+					)
+				} else {
+					return "", "", fmt.Errorf("failed to revoke CREATE from PUBLIC on existing public schema: %w", err)
+				}
+			}
+
+			// Now revoke from the specific user as well (belt and suspenders)
+			_, err = tx.Exec(
+				ctx,
+				fmt.Sprintf(`REVOKE CREATE ON SCHEMA public FROM "%s"`, baseUsername),
+			)
+			if err != nil {
+				logger.Warn(
+					"Failed to revoke CREATE on public schema from user",
+					"error",
+					err,
+					"username",
+					baseUsername,
+				)
+			}
+		} else {
+			logger.Info("Public schema does not exist, skipping CREATE privilege revocation")
+		}
+
+		// Step 3: Grant database connection privilege and revoke TEMP
 		_, err = tx.Exec(
 			ctx,
 			fmt.Sprintf(`GRANT CONNECT ON DATABASE "%s" TO "%s"`, *p.Database, baseUsername),
@@ -537,7 +564,7 @@ func (p *PostgresqlDatabase) CreateReadOnlyUser(
 			logger.Warn("Failed to revoke TEMP privilege", "error", err, "username", baseUsername)
 		}
 
-		// Step 3: Discover all user-created schemas
+		// Step 4: Discover all user-created schemas
 		rows, err := tx.Query(ctx, `
 			SELECT schema_name
 			FROM information_schema.schemata
@@ -562,7 +589,7 @@ func (p *PostgresqlDatabase) CreateReadOnlyUser(
 			return "", "", fmt.Errorf("error iterating schemas: %w", err)
 		}
 
-		// Step 4: Grant USAGE on each schema and explicitly prevent CREATE
+		// Step 5: Grant USAGE on each schema and explicitly prevent CREATE
 		for _, schema := range schemas {
 			// Revoke CREATE specifically (handles inheritance from PUBLIC role)
 			_, err = tx.Exec(
@@ -591,7 +618,7 @@ func (p *PostgresqlDatabase) CreateReadOnlyUser(
 			}
 		}
 
-		// Step 5: Grant SELECT on ALL existing tables and sequences
+		// Step 6: Grant SELECT on ALL existing tables and sequences
 		grantSelectSQL := fmt.Sprintf(`
 			DO $$
 			DECLARE
@@ -613,7 +640,7 @@ func (p *PostgresqlDatabase) CreateReadOnlyUser(
 			return "", "", fmt.Errorf("failed to grant select on tables: %w", err)
 		}
 
-		// Step 6: Set default privileges for FUTURE tables and sequences
+		// Step 7: Set default privileges for FUTURE tables and sequences
 		defaultPrivilegesSQL := fmt.Sprintf(`
 			DO $$
 			DECLARE
@@ -635,7 +662,7 @@ func (p *PostgresqlDatabase) CreateReadOnlyUser(
 			return "", "", fmt.Errorf("failed to set default privileges: %w", err)
 		}
 
-		// Step 7: Verify user creation before committing
+		// Step 8: Verify user creation before committing
 		var verifyUsername string
 		err = tx.QueryRow(ctx, fmt.Sprintf(`SELECT rolname FROM pg_roles WHERE rolname = '%s'`, baseUsername)).
 			Scan(&verifyUsername)
@@ -851,7 +878,15 @@ func checkBackupPermissions(
 		}
 
 		if err != nil {
-			return fmt.Errorf("cannot check SELECT privileges: %w", err)
+			// If the user doesn't have USAGE on the schema, has_table_privilege will fail
+			// with "permission denied for schema". This means they definitely don't have
+			// SELECT privileges, so treat this as missing permissions rather than an error.
+			var pgErr *pgconn.PgError
+			if errors.As(err, &pgErr) && pgErr.Code == "42501" { // insufficient_privilege
+				selectableTableCount = 0
+			} else {
+				return fmt.Errorf("cannot check SELECT privileges: %w", err)
+			}
 		}
 		if selectableTableCount == 0 {
 			missingPrivileges = append(missingPrivileges, "SELECT on tables")

backend/internal/features/databases/databases/postgresql/model_test.go

@@ -709,6 +709,344 @@ func Test_CreateReadOnlyUser_Supabase_UserCanReadButNotWrite(t *testing.T) {
 	assert.Contains(t, err.Error(), "permission denied")
 }
 
+func Test_CreateReadOnlyUser_WithPublicSchema_Success(t *testing.T) {
+	env := config.GetEnv()
+	cases := []struct {
+		name    string
+		version string
+		port    string
+	}{
+		{"PostgreSQL 12", "12", env.TestPostgres12Port},
+		{"PostgreSQL 13", "13", env.TestPostgres13Port},
+		{"PostgreSQL 14", "14", env.TestPostgres14Port},
+		{"PostgreSQL 15", "15", env.TestPostgres15Port},
+		{"PostgreSQL 16", "16", env.TestPostgres16Port},
+		{"PostgreSQL 17", "17", env.TestPostgres17Port},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			container := connectToPostgresContainer(t, tc.port)
+			defer container.DB.Close()
+
+			_, err := container.DB.Exec(`
+				DROP TABLE IF EXISTS public_schema_test CASCADE;
+				CREATE TABLE public_schema_test (
+					id SERIAL PRIMARY KEY,
+					data TEXT NOT NULL
+				);
+				INSERT INTO public_schema_test (data) VALUES ('test1'), ('test2');
+			`)
+			assert.NoError(t, err)
+
+			pgModel := createPostgresModel(container)
+			logger := slog.New(slog.NewTextHandler(os.Stdout, nil))
+			ctx := context.Background()
+
+			username, password, err := pgModel.CreateReadOnlyUser(ctx, logger, nil, uuid.New())
+			assert.NoError(t, err)
+			assert.NotEmpty(t, username)
+			assert.NotEmpty(t, password)
+			assert.True(t, strings.HasPrefix(username, "databasus-"))
+
+			readOnlyModel := &PostgresqlDatabase{
+				Version:  pgModel.Version,
+				Host:     pgModel.Host,
+				Port:     pgModel.Port,
+				Username: username,
+				Password: password,
+				Database: pgModel.Database,
+				IsHttps:  false,
+			}
+
+			isReadOnly, privileges, err := readOnlyModel.IsUserReadOnly(
+				ctx,
+				logger,
+				nil,
+				uuid.New(),
+			)
+			assert.NoError(t, err)
+			assert.True(t, isReadOnly, "User should be read-only")
+			assert.Empty(t, privileges, "Read-only user should have no write privileges")
+
+			readOnlyDSN := fmt.Sprintf(
+				"host=%s port=%d user=%s password=%s dbname=%s sslmode=disable",
+				container.Host,
+				container.Port,
+				username,
+				password,
+				container.Database,
+			)
+			readOnlyConn, err := sqlx.Connect("postgres", readOnlyDSN)
+			assert.NoError(t, err)
+			defer readOnlyConn.Close()
+
+			var count int
+			err = readOnlyConn.Get(&count, "SELECT COUNT(*) FROM public_schema_test")
+			assert.NoError(t, err)
+			assert.Equal(t, 2, count)
+
+			_, err = readOnlyConn.Exec(
+				"INSERT INTO public_schema_test (data) VALUES ('should-fail')",
+			)
+			assert.Error(t, err)
+			assert.Contains(t, err.Error(), "permission denied")
+
+			_, err = readOnlyConn.Exec("CREATE TABLE public.hack_table (id INT)")
+			assert.Error(t, err)
+			assert.Contains(t, err.Error(), "permission denied")
+
+			_, err = container.DB.Exec(fmt.Sprintf(`DROP OWNED BY "%s" CASCADE`, username))
+			if err != nil {
+				t.Logf("Warning: Failed to drop owned objects: %v", err)
+			}
+			_, err = container.DB.Exec(fmt.Sprintf(`DROP USER IF EXISTS "%s"`, username))
+			assert.NoError(t, err)
+		})
+	}
+}
+
+func Test_CreateReadOnlyUser_WithoutPublicSchema_Success(t *testing.T) {
+	env := config.GetEnv()
+	cases := []struct {
+		name    string
+		version string
+		port    string
+	}{
+		{"PostgreSQL 12", "12", env.TestPostgres12Port},
+		{"PostgreSQL 13", "13", env.TestPostgres13Port},
+		{"PostgreSQL 14", "14", env.TestPostgres14Port},
+		{"PostgreSQL 15", "15", env.TestPostgres15Port},
+		{"PostgreSQL 16", "16", env.TestPostgres16Port},
+		{"PostgreSQL 17", "17", env.TestPostgres17Port},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			container := connectToPostgresContainer(t, tc.port)
+			defer container.DB.Close()
+
+			_, err := container.DB.Exec(`
+				DROP SCHEMA IF EXISTS public CASCADE;
+				DROP SCHEMA IF EXISTS app_schema CASCADE;
+				DROP SCHEMA IF EXISTS data_schema CASCADE;
+				CREATE SCHEMA app_schema;
+				CREATE SCHEMA data_schema;
+				CREATE TABLE app_schema.users (
+					id SERIAL PRIMARY KEY,
+					username TEXT NOT NULL
+				);
+				CREATE TABLE data_schema.records (
+					id SERIAL PRIMARY KEY,
+					info TEXT NOT NULL
+				);
+				INSERT INTO app_schema.users (username) VALUES ('user1'), ('user2');
+				INSERT INTO data_schema.records (info) VALUES ('record1'), ('record2');
+			`)
+			assert.NoError(t, err)
+
+			pgModel := createPostgresModel(container)
+			logger := slog.New(slog.NewTextHandler(os.Stdout, nil))
+			ctx := context.Background()
+
+			username, password, err := pgModel.CreateReadOnlyUser(ctx, logger, nil, uuid.New())
+			assert.NoError(t, err, "CreateReadOnlyUser should succeed without public schema")
+			assert.NotEmpty(t, username)
+			assert.NotEmpty(t, password)
+			assert.True(t, strings.HasPrefix(username, "databasus-"))
+
+			readOnlyModel := &PostgresqlDatabase{
+				Version:  pgModel.Version,
+				Host:     pgModel.Host,
+				Port:     pgModel.Port,
+				Username: username,
+				Password: password,
+				Database: pgModel.Database,
+				IsHttps:  false,
+			}
+
+			isReadOnly, privileges, err := readOnlyModel.IsUserReadOnly(
+				ctx,
+				logger,
+				nil,
+				uuid.New(),
+			)
+			assert.NoError(t, err)
+			assert.True(t, isReadOnly, "User should be read-only")
+			assert.Empty(t, privileges, "Read-only user should have no write privileges")
+
+			readOnlyDSN := fmt.Sprintf(
+				"host=%s port=%d user=%s password=%s dbname=%s sslmode=disable",
+				container.Host,
+				container.Port,
+				username,
+				password,
+				container.Database,
+			)
+			readOnlyConn, err := sqlx.Connect("postgres", readOnlyDSN)
+			assert.NoError(t, err)
+			defer readOnlyConn.Close()
+
+			var userCount int
+			err = readOnlyConn.Get(&userCount, "SELECT COUNT(*) FROM app_schema.users")
+			assert.NoError(t, err)
+			assert.Equal(t, 2, userCount)
+
+			var recordCount int
+			err = readOnlyConn.Get(&recordCount, "SELECT COUNT(*) FROM data_schema.records")
+			assert.NoError(t, err)
+			assert.Equal(t, 2, recordCount)
+
+			_, err = readOnlyConn.Exec(
+				"INSERT INTO app_schema.users (username) VALUES ('should-fail')",
+			)
+			assert.Error(t, err)
+			assert.Contains(t, err.Error(), "permission denied")
+
+			_, err = readOnlyConn.Exec("CREATE TABLE app_schema.hack_table (id INT)")
+			assert.Error(t, err)
+			assert.Contains(t, err.Error(), "permission denied")
+
+			_, err = readOnlyConn.Exec("CREATE TABLE data_schema.hack_table (id INT)")
+			assert.Error(t, err)
+			assert.Contains(t, err.Error(), "permission denied")
+
+			_, err = container.DB.Exec(fmt.Sprintf(`DROP OWNED BY "%s" CASCADE`, username))
+			if err != nil {
+				t.Logf("Warning: Failed to drop owned objects: %v", err)
+			}
+			_, err = container.DB.Exec(fmt.Sprintf(`DROP USER IF EXISTS "%s"`, username))
+			assert.NoError(t, err)
+
+			_, err = container.DB.Exec(`
+				DROP SCHEMA IF EXISTS app_schema CASCADE;
+				DROP SCHEMA IF EXISTS data_schema CASCADE;
+				CREATE SCHEMA IF NOT EXISTS public;
+			`)
+			assert.NoError(t, err)
+		})
+	}
+}
+
+func Test_CreateReadOnlyUser_PublicSchemaExistsButNoPermissions_ReturnsError(t *testing.T) {
+	env := config.GetEnv()
+	cases := []struct {
+		name    string
+		version string
+		port    string
+	}{
+		{"PostgreSQL 12", "12", env.TestPostgres12Port},
+		{"PostgreSQL 13", "13", env.TestPostgres13Port},
+		{"PostgreSQL 14", "14", env.TestPostgres14Port},
+		{"PostgreSQL 15", "15", env.TestPostgres15Port},
+		{"PostgreSQL 16", "16", env.TestPostgres16Port},
+		{"PostgreSQL 17", "17", env.TestPostgres17Port},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			container := connectToPostgresContainer(t, tc.port)
+			defer container.DB.Close()
+
+			limitedAdminUsername := fmt.Sprintf("limited_admin_%s", uuid.New().String()[:8])
+			limitedAdminPassword := "limited_password_123"
+
+			_, err := container.DB.Exec(`
+				CREATE SCHEMA IF NOT EXISTS public;
+				DROP TABLE IF EXISTS public.permission_test_table CASCADE;
+				CREATE TABLE public.permission_test_table (
+					id SERIAL PRIMARY KEY,
+					data TEXT NOT NULL
+				);
+				INSERT INTO public.permission_test_table (data) VALUES ('test1');
+			`)
+			assert.NoError(t, err)
+
+			_, err = container.DB.Exec(`GRANT CREATE ON SCHEMA public TO PUBLIC`)
+			assert.NoError(t, err)
+
+			_, err = container.DB.Exec(fmt.Sprintf(
+				`CREATE USER "%s" WITH PASSWORD '%s' LOGIN CREATEROLE`,
+				limitedAdminUsername,
+				limitedAdminPassword,
+			))
+			assert.NoError(t, err)
+
+			_, err = container.DB.Exec(fmt.Sprintf(
+				`GRANT CONNECT ON DATABASE "%s" TO "%s"`,
+				container.Database,
+				limitedAdminUsername,
+			))
+			assert.NoError(t, err)
+
+			defer func() {
+				_, _ = container.DB.Exec(
+					fmt.Sprintf(`DROP OWNED BY "%s" CASCADE`, limitedAdminUsername),
+				)
+				_, _ = container.DB.Exec(
+					fmt.Sprintf(`DROP USER IF EXISTS "%s"`, limitedAdminUsername),
+				)
+				_, _ = container.DB.Exec(`REVOKE CREATE ON SCHEMA public FROM PUBLIC`)
+			}()
+
+			limitedAdminDSN := fmt.Sprintf(
+				"host=%s port=%d user=%s password=%s dbname=%s sslmode=disable",
+				container.Host,
+				container.Port,
+				limitedAdminUsername,
+				limitedAdminPassword,
+				container.Database,
+			)
+			limitedAdminConn, err := sqlx.Connect("postgres", limitedAdminDSN)
+			assert.NoError(t, err)
+			defer limitedAdminConn.Close()
+
+			pgModel := &PostgresqlDatabase{
+				Version:  tools.GetPostgresqlVersionEnum(tc.version),
+				Host:     container.Host,
+				Port:     container.Port,
+				Username: limitedAdminUsername,
+				Password: limitedAdminPassword,
+				Database: &container.Database,
+				IsHttps:  false,
+			}
+
+			logger := slog.New(slog.NewTextHandler(os.Stdout, nil))
+			ctx := context.Background()
+
+			username, password, err := pgModel.CreateReadOnlyUser(ctx, logger, nil, uuid.New())
+			assert.Error(
+				t,
+				err,
+				"CreateReadOnlyUser should fail when admin lacks permissions to secure public schema",
+			)
+			if err != nil {
+				errorMsg := err.Error()
+				hasExpectedError := strings.Contains(
+					errorMsg,
+					"failed to revoke CREATE from PUBLIC on existing public schema",
+				) ||
+					strings.Contains(errorMsg, "permission denied for schema public") ||
+					strings.Contains(errorMsg, "failed to grant")
+				assert.True(
+					t,
+					hasExpectedError,
+					"Error should indicate permission issues with public schema, got: %s",
+					errorMsg,
+				)
+			}
+			assert.Empty(t, username)
+			assert.Empty(t, password)
+		})
+	}
+}
+
 func Test_Validate_WhenLocalhostAndDatabasus_ReturnsError(t *testing.T) {
 	testCases := []struct {
 		name     string

backend/internal/features/databases/model.go

@@ -1,6 +1,7 @@
 package databases
 
 import (
+	"context"
 	"databasus-backend/internal/features/databases/databases/mariadb"
 	"databasus-backend/internal/features/databases/databases/mongodb"
 	"databasus-backend/internal/features/databases/databases/mysql"
@@ -84,6 +85,25 @@ func (d *Database) TestConnection(
 	return d.getSpecificDatabase().TestConnection(logger, encryptor, d.ID)
 }
 
+func (d *Database) IsUserReadOnly(
+	ctx context.Context,
+	logger *slog.Logger,
+	encryptor encryption.FieldEncryptor,
+) (bool, []string, error) {
+	switch d.Type {
+	case DatabaseTypePostgres:
+		return d.Postgresql.IsUserReadOnly(ctx, logger, encryptor, d.ID)
+	case DatabaseTypeMysql:
+		return d.Mysql.IsUserReadOnly(ctx, logger, encryptor, d.ID)
+	case DatabaseTypeMariadb:
+		return d.Mariadb.IsUserReadOnly(ctx, logger, encryptor, d.ID)
+	case DatabaseTypeMongodb:
+		return d.Mongodb.IsUserReadOnly(ctx, logger, encryptor, d.ID)
+	default:
+		return false, nil, errors.New("read-only check not supported for this database type")
+	}
+}
+
 func (d *Database) HideSensitiveData() {
 	d.getSpecificDatabase().HideSensitiveData()
 }

backend/internal/features/databases/service.go

@@ -7,6 +7,7 @@ import (
 	"log/slog"
 	"time"
 
+	"databasus-backend/internal/config"
 	audit_logs "databasus-backend/internal/features/audit_logs"
 	"databasus-backend/internal/features/databases/databases/mariadb"
 	"databasus-backend/internal/features/databases/databases/mongodb"
@@ -86,6 +87,23 @@ func (s *DatabaseService) CreateDatabase(
 		return nil, fmt.Errorf("failed to auto-detect database data: %w", err)
 	}
 
+	if config.GetEnv().IsCloud {
+		ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second)
+		defer cancel()
+
+		isReadOnly, permissions, err := database.IsUserReadOnly(ctx, s.logger, s.fieldEncryptor)
+		if err != nil {
+			return nil, fmt.Errorf("failed to verify user permissions: %w", err)
+		}
+
+		if !isReadOnly {
+			return nil, fmt.Errorf(
+				"in cloud mode, only read-only database users are allowed (user has permissions: %v)",
+				permissions,
+			)
+		}
+	}
+
 	if err := database.EncryptSensitiveFields(s.fieldEncryptor); err != nil {
 		return nil, fmt.Errorf("failed to encrypt sensitive fields: %w", err)
 	}
@@ -153,6 +171,27 @@ func (s *DatabaseService) UpdateDatabase(
 		return fmt.Errorf("failed to auto-detect database data: %w", err)
 	}
 
+	if config.GetEnv().IsCloud {
+		ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second)
+		defer cancel()
+
+		isReadOnly, permissions, err := existingDatabase.IsUserReadOnly(
+			ctx,
+			s.logger,
+			s.fieldEncryptor,
+		)
+		if err != nil {
+			return fmt.Errorf("failed to verify user permissions: %w", err)
+		}
+
+		if !isReadOnly {
+			return fmt.Errorf(
+				"in cloud mode, only read-only database users are allowed (user has permissions: %v)",
+				permissions,
+			)
+		}
+	}
+
 	if err := existingDatabase.EncryptSensitiveFields(s.fieldEncryptor); err != nil {
 		return fmt.Errorf("failed to encrypt sensitive fields: %w", err)
 	}
@@ -649,38 +688,7 @@ func (s *DatabaseService) IsUserReadOnly(
 	ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second)
 	defer cancel()
 
-	switch usingDatabase.Type {
-	case DatabaseTypePostgres:
-		return usingDatabase.Postgresql.IsUserReadOnly(
-			ctx,
-			s.logger,
-			s.fieldEncryptor,
-			usingDatabase.ID,
-		)
-	case DatabaseTypeMysql:
-		return usingDatabase.Mysql.IsUserReadOnly(
-			ctx,
-			s.logger,
-			s.fieldEncryptor,
-			usingDatabase.ID,
-		)
-	case DatabaseTypeMariadb:
-		return usingDatabase.Mariadb.IsUserReadOnly(
-			ctx,
-			s.logger,
-			s.fieldEncryptor,
-			usingDatabase.ID,
-		)
-	case DatabaseTypeMongodb:
-		return usingDatabase.Mongodb.IsUserReadOnly(
-			ctx,
-			s.logger,
-			s.fieldEncryptor,
-			usingDatabase.ID,
-		)
-	default:
-		return false, nil, errors.New("read-only check not supported for this database type")
-	}
+	return usingDatabase.IsUserReadOnly(ctx, s.logger, s.fieldEncryptor)
 }
 
 func (s *DatabaseService) CreateReadOnlyUser(

backend/internal/features/databases/testing.go

@@ -10,6 +10,7 @@ import (
 	"databasus-backend/internal/features/databases/databases/postgresql"
 	"databasus-backend/internal/features/notifiers"
 	"databasus-backend/internal/features/storages"
+	"databasus-backend/internal/storage"
 	"databasus-backend/internal/util/tools"
 
 	"github.com/google/uuid"
@@ -104,6 +105,19 @@ func CreateTestDatabase(
 }
 
 func RemoveTestDatabase(database *Database) {
+	// Delete backups and backup configs associated with this database
+	// We hardcode SQL here because we cannot call backups feature due to DI inversion
+	// (databases package cannot import backups package as backups already imports databases)
+	db := storage.GetDb()
+
+	if err := db.Exec("DELETE FROM backups WHERE database_id = ?", database.ID).Error; err != nil {
+		panic(fmt.Sprintf("failed to delete backups: %v", err))
+	}
+
+	if err := db.Exec("DELETE FROM backup_configs WHERE database_id = ?", database.ID).Error; err != nil {
+		panic(fmt.Sprintf("failed to delete backup config: %v", err))
+	}
+
 	err := databaseRepository.Delete(database.ID)
 	if err != nil {
 		panic(err)

backend/internal/features/disk/service.go

@@ -12,6 +12,15 @@ import (
 type DiskService struct{}
 
 func (s *DiskService) GetDiskUsage() (*DiskUsage, error) {
+	if config.GetEnv().IsCloud {
+		return &DiskUsage{
+			Platform:        PlatformLinux,
+			TotalSpaceBytes: 100,
+			UsedSpaceBytes:  0,
+			FreeSpaceBytes:  100,
+		}, nil
+	}
+
 	platform := s.detectPlatform()
 
 	var path string

backend/internal/features/email/di.go

@@ -0,0 +1,22 @@
+package email
+
+import (
+	"databasus-backend/internal/config"
+	"databasus-backend/internal/util/logger"
+)
+
+var env = config.GetEnv()
+var log = logger.GetLogger()
+
+var emailSMTPSender = &EmailSMTPSender{
+	log,
+	env.SMTPHost,
+	env.SMTPPort,
+	env.SMTPUser,
+	env.SMTPPassword,
+	env.SMTPHost != "" && env.SMTPPort != 0,
+}
+
+func GetEmailSMTPSender() *EmailSMTPSender {
+	return emailSMTPSender
+}

backend/internal/features/email/email.go

@@ -0,0 +1,245 @@
+package email
+
+import (
+	"crypto/tls"
+	"fmt"
+	"log/slog"
+	"mime"
+	"net"
+	"net/smtp"
+	"time"
+)
+
+const (
+	ImplicitTLSPort  = 465
+	DefaultTimeout   = 5 * time.Second
+	DefaultHelloName = "localhost"
+	MIMETypeHTML     = "text/html"
+	MIMECharsetUTF8  = "UTF-8"
+)
+
+type EmailSMTPSender struct {
+	logger       *slog.Logger
+	smtpHost     string
+	smtpPort     int
+	smtpUser     string
+	smtpPassword string
+	isConfigured bool
+}
+
+func (s *EmailSMTPSender) SendEmail(to, subject, body string) error {
+	if !s.isConfigured {
+		s.logger.Warn("Skipping email send, SMTP not initialized", "to", to, "subject", subject)
+		return nil
+	}
+
+	from := s.smtpUser
+	if from == "" {
+		from = "noreply@" + s.smtpHost
+	}
+
+	emailContent := s.buildEmailContent(to, subject, body, from)
+	isAuthRequired := s.smtpUser != "" && s.smtpPassword != ""
+
+	if s.smtpPort == ImplicitTLSPort {
+		return s.sendImplicitTLS(to, from, emailContent, isAuthRequired)
+	}
+
+	return s.sendStartTLS(to, from, emailContent, isAuthRequired)
+}
+
+func (s *EmailSMTPSender) buildEmailContent(to, subject, body, from string) []byte {
+	// Encode Subject header using RFC 2047 to avoid SMTPUTF8 requirement
+	encodedSubject := encodeRFC2047(subject)
+	subjectHeader := fmt.Sprintf("Subject: %s\r\n", encodedSubject)
+	dateHeader := fmt.Sprintf("Date: %s\r\n", time.Now().UTC().Format(time.RFC1123Z))
+
+	mimeHeaders := fmt.Sprintf(
+		"MIME-version: 1.0;\nContent-Type: %s; charset=\"%s\";\n\n",
+		MIMETypeHTML,
+		MIMECharsetUTF8,
+	)
+
+	// Encode From header display name if it contains non-ASCII
+	encodedFrom := encodeRFC2047(from)
+	fromHeader := fmt.Sprintf("From: %s\r\n", encodedFrom)
+
+	toHeader := fmt.Sprintf("To: %s\r\n", to)
+
+	return []byte(fromHeader + toHeader + subjectHeader + dateHeader + mimeHeaders + body)
+}
+
+func (s *EmailSMTPSender) sendImplicitTLS(
+	to, from string,
+	emailContent []byte,
+	isAuthRequired bool,
+) error {
+	createClient := func() (*smtp.Client, func(), error) {
+		return s.createImplicitTLSClient()
+	}
+
+	client, cleanup, err := s.authenticateWithRetry(createClient, isAuthRequired)
+	if err != nil {
+		return err
+	}
+	defer cleanup()
+
+	return s.sendEmail(client, to, from, emailContent)
+}
+
+func (s *EmailSMTPSender) sendStartTLS(
+	to, from string,
+	emailContent []byte,
+	isAuthRequired bool,
+) error {
+	createClient := func() (*smtp.Client, func(), error) {
+		return s.createStartTLSClient()
+	}
+
+	client, cleanup, err := s.authenticateWithRetry(createClient, isAuthRequired)
+	if err != nil {
+		return err
+	}
+	defer cleanup()
+
+	return s.sendEmail(client, to, from, emailContent)
+}
+
+func (s *EmailSMTPSender) createImplicitTLSClient() (*smtp.Client, func(), error) {
+	addr := net.JoinHostPort(s.smtpHost, fmt.Sprintf("%d", s.smtpPort))
+	tlsConfig := &tls.Config{ServerName: s.smtpHost}
+	dialer := &net.Dialer{Timeout: DefaultTimeout}
+
+	conn, err := tls.DialWithDialer(dialer, "tcp", addr, tlsConfig)
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to connect to SMTP server: %w", err)
+	}
+
+	client, err := smtp.NewClient(conn, s.smtpHost)
+	if err != nil {
+		_ = conn.Close()
+		return nil, nil, fmt.Errorf("failed to create SMTP client: %w", err)
+	}
+
+	return client, func() { _ = client.Quit() }, nil
+}
+
+func (s *EmailSMTPSender) createStartTLSClient() (*smtp.Client, func(), error) {
+	addr := net.JoinHostPort(s.smtpHost, fmt.Sprintf("%d", s.smtpPort))
+	dialer := &net.Dialer{Timeout: DefaultTimeout}
+
+	conn, err := dialer.Dial("tcp", addr)
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to connect to SMTP server: %w", err)
+	}
+
+	client, err := smtp.NewClient(conn, s.smtpHost)
+	if err != nil {
+		_ = conn.Close()
+		return nil, nil, fmt.Errorf("failed to create SMTP client: %w", err)
+	}
+
+	if err := client.Hello(DefaultHelloName); err != nil {
+		_ = client.Quit()
+		_ = conn.Close()
+		return nil, nil, fmt.Errorf("SMTP hello failed: %w", err)
+	}
+
+	if ok, _ := client.Extension("STARTTLS"); ok {
+		if err := client.StartTLS(&tls.Config{ServerName: s.smtpHost}); err != nil {
+			_ = client.Quit()
+			_ = conn.Close()
+			return nil, nil, fmt.Errorf("STARTTLS failed: %w", err)
+		}
+	}
+
+	return client, func() { _ = client.Quit() }, nil
+}
+
+func (s *EmailSMTPSender) authenticateWithRetry(
+	createClient func() (*smtp.Client, func(), error),
+	isAuthRequired bool,
+) (*smtp.Client, func(), error) {
+	client, cleanup, err := createClient()
+	if err != nil {
+		return nil, nil, err
+	}
+
+	if !isAuthRequired {
+		return client, cleanup, nil
+	}
+
+	// Try PLAIN auth first
+	plainAuth := smtp.PlainAuth("", s.smtpUser, s.smtpPassword, s.smtpHost)
+	if err := client.Auth(plainAuth); err == nil {
+		return client, cleanup, nil
+	}
+
+	// PLAIN auth failed, connection may be closed - recreate and try LOGIN auth
+	cleanup()
+
+	client, cleanup, err = createClient()
+	if err != nil {
+		return nil, nil, err
+	}
+
+	loginAuth := &loginAuth{username: s.smtpUser, password: s.smtpPassword}
+	if err := client.Auth(loginAuth); err != nil {
+		cleanup()
+		return nil, nil, fmt.Errorf("SMTP authentication failed: %w", err)
+	}
+
+	return client, cleanup, nil
+}
+
+func (s *EmailSMTPSender) sendEmail(client *smtp.Client, to, from string, content []byte) error {
+	if err := client.Mail(from); err != nil {
+		return fmt.Errorf("failed to set sender: %w", err)
+	}
+
+	if err := client.Rcpt(to); err != nil {
+		return fmt.Errorf("failed to set recipient: %w", err)
+	}
+
+	writer, err := client.Data()
+	if err != nil {
+		return fmt.Errorf("failed to get data writer: %w", err)
+	}
+
+	if _, err = writer.Write(content); err != nil {
+		return fmt.Errorf("failed to write email content: %w", err)
+	}
+
+	if err = writer.Close(); err != nil {
+		return fmt.Errorf("failed to close data writer: %w", err)
+	}
+
+	return nil
+}
+
+func encodeRFC2047(s string) string {
+	return mime.QEncoding.Encode("UTF-8", s)
+}
+
+type loginAuth struct {
+	username string
+	password string
+}
+
+func (a *loginAuth) Start(server *smtp.ServerInfo) (string, []byte, error) {
+	return "LOGIN", []byte{}, nil
+}
+
+func (a *loginAuth) Next(fromServer []byte, more bool) ([]byte, error) {
+	if more {
+		switch string(fromServer) {
+		case "Username:", "User Name\x00":
+			return []byte(a.username), nil
+		case "Password:", "Password\x00":
+			return []byte(a.password), nil
+		default:
+			return []byte(a.username), nil
+		}
+	}
+	return nil, nil
+}

backend/internal/features/healthcheck/attempt/controller_test.go

@@ -144,6 +144,10 @@ func Test_GetAttemptsByDatabase_PermissionsEnforced(t *testing.T) {
 				)
 				assert.Contains(t, string(testResp.Body), "forbidden")
 			}
+
+			// Cleanup
+			databases.RemoveTestDatabase(database)
+			workspaces_testing.RemoveTestWorkspace(workspace, router)
 		})
 	}
 }
@@ -181,6 +185,10 @@ func Test_GetAttemptsByDatabase_FiltersByAfterDate(t *testing.T) {
 	for _, attempt := range response {
 		assert.True(t, attempt.CreatedAt.After(afterDate) || attempt.CreatedAt.Equal(afterDate))
 	}
+
+	// Cleanup
+	databases.RemoveTestDatabase(database)
+	workspaces_testing.RemoveTestWorkspace(workspace, router)
 }
 
 func Test_GetAttemptsByDatabase_ReturnsEmptyListForNewDatabase(t *testing.T) {
@@ -201,6 +209,10 @@ func Test_GetAttemptsByDatabase_ReturnsEmptyListForNewDatabase(t *testing.T) {
 	)
 
 	assert.Equal(t, 0, len(response))
+
+	// Cleanup
+	databases.RemoveTestDatabase(database)
+	workspaces_testing.RemoveTestWorkspace(workspace, router)
 }
 
 func createTestDatabaseViaAPI(

backend/internal/features/healthcheck/config/controller_test.go

@@ -130,6 +130,10 @@ func Test_SaveHealthcheckConfig_PermissionsEnforced(t *testing.T) {
 				)
 				assert.Contains(t, string(testResp.Body), "insufficient permissions")
 			}
+
+			// Cleanup
+			databases.RemoveTestDatabase(database)
+			workspaces_testing.RemoveTestWorkspace(workspace, router)
 		})
 	}
 }
@@ -162,6 +166,10 @@ func Test_SaveHealthcheckConfig_WhenUserIsNotWorkspaceMember_ReturnsForbidden(t
 	)
 
 	assert.Contains(t, string(testResp.Body), "insufficient permissions")
+
+	// Cleanup
+	databases.RemoveTestDatabase(database)
+	workspaces_testing.RemoveTestWorkspace(workspace, router)
 }
 
 func Test_GetHealthcheckConfig_PermissionsEnforced(t *testing.T) {
@@ -268,6 +276,10 @@ func Test_GetHealthcheckConfig_PermissionsEnforced(t *testing.T) {
 				)
 				assert.Contains(t, string(testResp.Body), "insufficient permissions")
 			}
+
+			// Cleanup
+			databases.RemoveTestDatabase(database)
+			workspaces_testing.RemoveTestWorkspace(workspace, router)
 		})
 	}
 }
@@ -295,6 +307,10 @@ func Test_GetHealthcheckConfig_ReturnsDefaultConfigForNewDatabase(t *testing.T)
 	assert.Equal(t, 1, response.IntervalMinutes)
 	assert.Equal(t, 3, response.AttemptsBeforeConcideredAsDown)
 	assert.Equal(t, 7, response.StoreAttemptsDays)
+
+	// Cleanup
+	databases.RemoveTestDatabase(database)
+	workspaces_testing.RemoveTestWorkspace(workspace, router)
 }
 
 func createTestDatabaseViaAPI(

backend/internal/features/notifiers/models/email_notifier/model.go

@@ -130,6 +130,7 @@ func (e *EmailNotifier) buildEmailContent(heading, message, from string) []byte
 	// This ensures compatibility with SMTP servers that don't support SMTPUTF8
 	encodedSubject := encodeRFC2047(heading)
 	subject := fmt.Sprintf("Subject: %s\r\n", encodedSubject)
+	dateHeader := fmt.Sprintf("Date: %s\r\n", time.Now().UTC().Format(time.RFC1123Z))
 
 	mimeHeaders := fmt.Sprintf(
 		"MIME-version: 1.0;\nContent-Type: %s; charset=\"%s\";\n\n",
@@ -143,7 +144,7 @@ func (e *EmailNotifier) buildEmailContent(heading, message, from string) []byte
 
 	toHeader := fmt.Sprintf("To: %s\r\n", e.TargetEmail)
 
-	return []byte(fromHeader + toHeader + subject + mimeHeaders + message)
+	return []byte(fromHeader + toHeader + subject + dateHeader + mimeHeaders + message)
 }
 
 func (e *EmailNotifier) sendImplicitTLS(

backend/internal/features/plan/di.go

@@ -0,0 +1,20 @@
+package plans
+
+import (
+	"databasus-backend/internal/util/logger"
+)
+
+var databasePlanRepository = &DatabasePlanRepository{}
+
+var databasePlanService = &DatabasePlanService{
+	databasePlanRepository,
+	logger.GetLogger(),
+}
+
+func GetDatabasePlanService() *DatabasePlanService {
+	return databasePlanService
+}
+
+func GetDatabasePlanRepository() *DatabasePlanRepository {
+	return databasePlanRepository
+}

backend/internal/features/plan/model.go

@@ -0,0 +1,19 @@
+package plans
+
+import (
+	"databasus-backend/internal/util/period"
+
+	"github.com/google/uuid"
+)
+
+type DatabasePlan struct {
+	DatabaseID uuid.UUID `json:"databaseId" gorm:"column:database_id;type:uuid;primaryKey;not null"`
+
+	MaxBackupSizeMB       int64         `json:"maxBackupSizeMb"       gorm:"column:max_backup_size_mb;type:int;not null"`
+	MaxBackupsTotalSizeMB int64         `json:"maxBackupsTotalSizeMb" gorm:"column:max_backups_total_size_mb;type:int;not null"`
+	MaxStoragePeriod      period.Period `json:"maxStoragePeriod"      gorm:"column:max_storage_period;type:text;not null"`
+}
+
+func (p *DatabasePlan) TableName() string {
+	return "database_plans"
+}

backend/internal/features/plan/repository.go

@@ -0,0 +1,27 @@
+package plans
+
+import (
+	"databasus-backend/internal/storage"
+
+	"github.com/google/uuid"
+)
+
+type DatabasePlanRepository struct{}
+
+func (r *DatabasePlanRepository) GetDatabasePlan(databaseID uuid.UUID) (*DatabasePlan, error) {
+	var databasePlan DatabasePlan
+
+	if err := storage.GetDb().Where("database_id = ?", databaseID).First(&databasePlan).Error; err != nil {
+		if err.Error() == "record not found" {
+			return nil, nil
+		}
+
+		return nil, err
+	}
+
+	return &databasePlan, nil
+}
+
+func (r *DatabasePlanRepository) CreateDatabasePlan(databasePlan *DatabasePlan) error {
+	return storage.GetDb().Create(&databasePlan).Error
+}

backend/internal/features/plan/service.go

@@ -0,0 +1,67 @@
+package plans
+
+import (
+	"databasus-backend/internal/config"
+	"databasus-backend/internal/util/period"
+	"log/slog"
+
+	"github.com/google/uuid"
+)
+
+type DatabasePlanService struct {
+	databasePlanRepository *DatabasePlanRepository
+	logger                 *slog.Logger
+}
+
+func (s *DatabasePlanService) GetDatabasePlan(databaseID uuid.UUID) (*DatabasePlan, error) {
+	plan, err := s.databasePlanRepository.GetDatabasePlan(databaseID)
+	if err != nil {
+		return nil, err
+	}
+
+	if plan == nil {
+		s.logger.Info("no database plan found, creating default plan", "databaseID", databaseID)
+
+		defaultPlan := s.createDefaultDatabasePlan(databaseID)
+
+		err := s.databasePlanRepository.CreateDatabasePlan(defaultPlan)
+		if err != nil {
+			s.logger.Error("failed to create default database plan", "error", err)
+			return nil, err
+		}
+
+		return defaultPlan, nil
+	}
+
+	return plan, nil
+}
+
+func (s *DatabasePlanService) createDefaultDatabasePlan(databaseID uuid.UUID) *DatabasePlan {
+	var plan DatabasePlan
+
+	isCloud := config.GetEnv().IsCloud
+	if isCloud {
+		s.logger.Info("creating default database plan for cloud", "databaseID", databaseID)
+
+		// for playground we set limited storages enough to test,
+		// but not too expensive to provide it for Databasus
+		plan = DatabasePlan{
+			DatabaseID:            databaseID,
+			MaxBackupSizeMB:       100,  // ~ 1.5GB database
+			MaxBackupsTotalSizeMB: 4000, // ~ 30 daily backups + 10 manual backups
+			MaxStoragePeriod:      period.PeriodWeek,
+		}
+	} else {
+		s.logger.Info("creating default database plan for self hosted", "databaseID", databaseID)
+
+		// by default - everything is unlimited in self hosted mode
+		plan = DatabasePlan{
+			DatabaseID:            databaseID,
+			MaxBackupSizeMB:       0,
+			MaxBackupsTotalSizeMB: 0,
+			MaxStoragePeriod:      period.PeriodForever,
+		}
+	}
+
+	return &plan
+}

backend/internal/features/restores/controller_test.go

@@ -46,8 +46,10 @@ func Test_GetRestores_WhenUserIsWorkspaceMember_RestoresReturned(t *testing.T) {
 	router := createTestRouter()
 	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
 	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
+	defer workspaces_testing.RemoveTestWorkspace(workspace, router)
 
 	database, backup := createTestDatabaseWithBackupForRestore(workspace, owner, router)
+	defer cleanupDatabaseWithBackup(database, backup)
 
 	var restores []*restores_core.Restore
 	test_utils.MakeGetRequestAndUnmarshal(
@@ -68,8 +70,10 @@ func Test_GetRestores_WhenUserIsNotWorkspaceMember_ReturnsForbidden(t *testing.T
 	router := createTestRouter()
 	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
 	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
+	defer workspaces_testing.RemoveTestWorkspace(workspace, router)
 
-	_, backup := createTestDatabaseWithBackupForRestore(workspace, owner, router)
+	database, backup := createTestDatabaseWithBackupForRestore(workspace, owner, router)
+	defer cleanupDatabaseWithBackup(database, backup)
 
 	nonMember := users_testing.CreateTestUser(users_enums.UserRoleMember)
 
@@ -88,8 +92,10 @@ func Test_GetRestores_WhenUserIsGlobalAdmin_RestoresReturned(t *testing.T) {
 	router := createTestRouter()
 	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
 	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
+	defer workspaces_testing.RemoveTestWorkspace(workspace, router)
 
-	_, backup := createTestDatabaseWithBackupForRestore(workspace, owner, router)
+	database, backup := createTestDatabaseWithBackupForRestore(workspace, owner, router)
+	defer cleanupDatabaseWithBackup(database, backup)
 
 	admin := users_testing.CreateTestUser(users_enums.UserRoleAdmin)
 
@@ -114,8 +120,10 @@ func Test_RestoreBackup_WhenUserIsWorkspaceMember_RestoreInitiated(t *testing.T)
 
 	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
 	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
+	defer workspaces_testing.RemoveTestWorkspace(workspace, router)
 
-	_, backup := createTestDatabaseWithBackupForRestore(workspace, owner, router)
+	database, backup := createTestDatabaseWithBackupForRestore(workspace, owner, router)
+	defer cleanupDatabaseWithBackup(database, backup)
 
 	request := restores_core.RestoreBackupRequest{
 		PostgresqlDatabase: &postgresql.PostgresqlDatabase{
@@ -143,8 +151,10 @@ func Test_RestoreBackup_WhenUserIsNotWorkspaceMember_ReturnsForbidden(t *testing
 	router := createTestRouter()
 	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
 	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
+	defer workspaces_testing.RemoveTestWorkspace(workspace, router)
 
-	_, backup := createTestDatabaseWithBackupForRestore(workspace, owner, router)
+	database, backup := createTestDatabaseWithBackupForRestore(workspace, owner, router)
+	defer cleanupDatabaseWithBackup(database, backup)
 
 	nonMember := users_testing.CreateTestUser(users_enums.UserRoleMember)
 
@@ -178,8 +188,10 @@ func Test_RestoreBackup_WithIsExcludeExtensions_FlagPassedCorrectly(t *testing.T
 
 	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
 	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
+	defer workspaces_testing.RemoveTestWorkspace(workspace, router)
 
-	_, backup := createTestDatabaseWithBackupForRestore(workspace, owner, router)
+	database, backup := createTestDatabaseWithBackupForRestore(workspace, owner, router)
+	defer cleanupDatabaseWithBackup(database, backup)
 
 	request := restores_core.RestoreBackupRequest{
 		PostgresqlDatabase: &postgresql.PostgresqlDatabase{
@@ -212,8 +224,10 @@ func Test_RestoreBackup_AuditLogWritten(t *testing.T) {
 
 	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
 	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
+	defer workspaces_testing.RemoveTestWorkspace(workspace, router)
 
 	database, backup := createTestDatabaseWithBackupForRestore(workspace, owner, router)
+	defer cleanupDatabaseWithBackup(database, backup)
 
 	request := restores_core.RestoreBackupRequest{
 		PostgresqlDatabase: &postgresql.PostgresqlDatabase{
@@ -296,12 +310,16 @@ func Test_RestoreBackup_DiskSpaceValidation(t *testing.T) {
 
 			owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
 			workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
+			defer workspaces_testing.RemoveTestWorkspace(workspace, router)
 
+			var database *databases.Database
 			var backup *backups_core.Backup
+			var storage *storages.Storage
 			var request restores_core.RestoreBackupRequest
 
 			if tc.dbType == databases.DatabaseTypePostgres {
-				_, backup = createTestDatabaseWithBackupForRestore(workspace, owner, router)
+				database, backup = createTestDatabaseWithBackupForRestore(workspace, owner, router)
+				defer cleanupDatabaseWithBackup(database, backup)
 				request = restores_core.RestoreBackupRequest{
 					PostgresqlDatabase: &postgresql.PostgresqlDatabase{
 						Version:  tools.PostgresqlVersion16,
@@ -319,7 +337,16 @@ func Test_RestoreBackup_DiskSpaceValidation(t *testing.T) {
 					owner.Token,
 					router,
 				)
-				storage := createTestStorage(workspace.ID)
+				database = mysqlDB
+				storage = createTestStorage(workspace.ID)
+
+				defer func() {
+					// Cleanup in dependency order: backup -> database -> storage
+					cleanupBackup(backup)
+					databases.RemoveTestDatabase(mysqlDB)
+					time.Sleep(50 * time.Millisecond)
+					storages.RemoveTestStorage(storage.ID)
+				}()
 
 				configService := backups_config.GetBackupConfigService()
 				config, err := configService.GetBackupConfigByDbId(mysqlDB.ID)
@@ -332,6 +359,7 @@ func Test_RestoreBackup_DiskSpaceValidation(t *testing.T) {
 				assert.NoError(t, err)
 
 				backup = createTestBackup(mysqlDB, owner)
+
 				request = restores_core.RestoreBackupRequest{
 					MysqlDatabase: &mysql.MysqlDatabase{
 						Version:  tools.MysqlVersion80,
@@ -519,8 +547,10 @@ func Test_RestoreBackup_WithParallelRestoreInProgress_ReturnsError(t *testing.T)
 
 	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
 	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
+	defer workspaces_testing.RemoveTestWorkspace(workspace, router)
 
-	_, backup := createTestDatabaseWithBackupForRestore(workspace, owner, router)
+	database, backup := createTestDatabaseWithBackupForRestore(workspace, owner, router)
+	defer cleanupDatabaseWithBackup(database, backup)
 
 	request := restores_core.RestoreBackupRequest{
 		PostgresqlDatabase: &postgresql.PostgresqlDatabase{
@@ -741,3 +771,22 @@ func createTestBackup(
 
 	return backup
 }
+
+func cleanupDatabaseWithBackup(database *databases.Database, backup *backups_core.Backup) {
+	// Clean up in reverse dependency order
+	cleanupBackup(backup)
+	databases.RemoveTestDatabase(database)
+	time.Sleep(50 * time.Millisecond)
+
+	// Clean up storage last (after database and backup are removed)
+	configService := backups_config.GetBackupConfigService()
+	config, err := configService.GetBackupConfigByDbId(database.ID)
+	if err == nil && config.StorageID != nil {
+		storages.RemoveTestStorage(*config.StorageID)
+	}
+}
+
+func cleanupBackup(backup *backups_core.Backup) {
+	repo := &backups_core.BackupRepository{}
+	repo.DeleteByID(backup.ID)
+}

backend/internal/features/restores/di.go

@@ -6,6 +6,7 @@ import (
 
 	audit_logs "databasus-backend/internal/features/audit_logs"
 	"databasus-backend/internal/features/backups/backups"
+	"databasus-backend/internal/features/backups/backups/backuping"
 	backups_config "databasus-backend/internal/features/backups/config"
 	"databasus-backend/internal/features/databases"
 	"databasus-backend/internal/features/disk"
@@ -51,6 +52,7 @@ func SetupDependencies() {
 
 	setupOnce.Do(func() {
 		backups.GetBackupService().AddBackupRemoveListener(restoreService)
+		backuping.GetBackupCleaner().AddBackupRemoveListener(restoreService)
 
 		isSetup.Store(true)
 	})

backend/internal/features/restores/service.go

@@ -1,6 +1,7 @@
 package restores
 
 import (
+	"databasus-backend/internal/config"
 	audit_logs "databasus-backend/internal/features/audit_logs"
 	"databasus-backend/internal/features/backups/backups"
 	backups_core "databasus-backend/internal/features/backups/backups/core"
@@ -127,6 +128,13 @@ func (s *RestoreService) RestoreBackupWithAuth(
 		return err
 	}
 
+	if config.GetEnv().IsCloud {
+		// in cloud mode we use only single thread mode,
+		// because otherwise we will exhaust local storage
+		// space (instead of streaming from S3 directly to DB)
+		requestDTO.PostgresqlDatabase.CpuCount = 1
+	}
+
 	if err := s.validateVersionCompatibility(backupDatabase, requestDTO); err != nil {
 		return err
 	}

backend/internal/features/restores/usecases/postgresql/restore_backup_uc.go

@@ -65,6 +65,13 @@ func (uc *RestorePostgresqlBackupUsecase) Execute(
 		return fmt.Errorf("target database name is required for pg_restore")
 	}
 
+	// Validate CPU count constraint for cloud environments
+	if config.GetEnv().IsCloud && pg.CpuCount > 1 {
+		return fmt.Errorf(
+			"parallel restore (CPU count > 1) is not supported in cloud mode due to storage constraints. Please use CPU count = 1",
+		)
+	}
+
 	pgBin := tools.GetPostgresqlExecutable(
 		pg.Version,
 		"pg_restore",

backend/internal/features/storages/controller_test.go

@@ -84,7 +84,7 @@ func Test_SaveNewStorage_StorageReturnedViaGet(t *testing.T) {
 
 	assert.Contains(t, storages, savedStorage)
 
-	deleteStorage(t, router, savedStorage.ID, workspace.ID, owner.Token)
+	deleteStorage(t, router, savedStorage.ID, owner.Token)
 	workspaces_testing.RemoveTestWorkspace(workspace, router)
 }
 
@@ -122,7 +122,169 @@ func Test_UpdateExistingStorage_UpdatedStorageReturnedViaGet(t *testing.T) {
 	assert.Equal(t, updatedName, updatedStorage.Name)
 	assert.Equal(t, savedStorage.ID, updatedStorage.ID)
 
-	deleteStorage(t, router, updatedStorage.ID, workspace.ID, owner.Token)
+	deleteStorage(t, router, updatedStorage.ID, owner.Token)
+	workspaces_testing.RemoveTestWorkspace(workspace, router)
+}
+
+func Test_CreateSystemStorage_OnlyAdminCanCreate_MemberGetsForbidden(t *testing.T) {
+	admin := users_testing.CreateTestUser(users_enums.UserRoleAdmin)
+	member := users_testing.CreateTestUser(users_enums.UserRoleMember)
+	router := createRouter()
+	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", admin, router)
+
+	// Admin can create system storage
+	systemStorage := createNewStorage(workspace.ID)
+	systemStorage.IsSystem = true
+
+	var savedStorage Storage
+	test_utils.MakePostRequestAndUnmarshal(
+		t,
+		router,
+		"/api/v1/storages",
+		"Bearer "+admin.Token,
+		*systemStorage,
+		http.StatusOK,
+		&savedStorage,
+	)
+
+	assert.True(t, savedStorage.IsSystem)
+	assert.Equal(t, systemStorage.Name, savedStorage.Name)
+
+	// Member cannot create system storage
+	memberSystemStorage := createNewStorage(workspace.ID)
+	memberSystemStorage.IsSystem = true
+
+	resp := test_utils.MakePostRequest(
+		t,
+		router,
+		"/api/v1/storages",
+		"Bearer "+member.Token,
+		*memberSystemStorage,
+		http.StatusForbidden,
+	)
+	assert.Contains(t, string(resp.Body), "insufficient permissions")
+
+	deleteStorage(t, router, savedStorage.ID, admin.Token)
+	workspaces_testing.RemoveTestWorkspace(workspace, router)
+}
+
+func Test_UpdateStorageIsSystem_OnlyAdminCanUpdate_MemberGetsForbidden(t *testing.T) {
+	admin := users_testing.CreateTestUser(users_enums.UserRoleAdmin)
+	member := users_testing.CreateTestUser(users_enums.UserRoleMember)
+	router := createRouter()
+	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", admin, router)
+
+	// Create a regular storage
+	storage := createNewStorage(workspace.ID)
+	storage.IsSystem = false
+
+	var savedStorage Storage
+	test_utils.MakePostRequestAndUnmarshal(
+		t,
+		router,
+		"/api/v1/storages",
+		"Bearer "+admin.Token,
+		*storage,
+		http.StatusOK,
+		&savedStorage,
+	)
+
+	assert.False(t, savedStorage.IsSystem)
+
+	// Admin can update to system
+	savedStorage.IsSystem = true
+	var updatedStorage Storage
+	test_utils.MakePostRequestAndUnmarshal(
+		t,
+		router,
+		"/api/v1/storages",
+		"Bearer "+admin.Token,
+		savedStorage,
+		http.StatusOK,
+		&updatedStorage,
+	)
+
+	assert.True(t, updatedStorage.IsSystem)
+
+	// Member cannot update system storage
+	updatedStorage.Name = "Updated by member"
+	resp := test_utils.MakePostRequest(
+		t,
+		router,
+		"/api/v1/storages",
+		"Bearer "+member.Token,
+		updatedStorage,
+		http.StatusForbidden,
+	)
+	assert.Contains(t, string(resp.Body), "insufficient permissions")
+
+	deleteStorage(t, router, updatedStorage.ID, admin.Token)
+	workspaces_testing.RemoveTestWorkspace(workspace, router)
+}
+
+func Test_UpdateSystemStorage_CannotChangeToPrivate_ReturnsBadRequest(t *testing.T) {
+	admin := users_testing.CreateTestUser(users_enums.UserRoleAdmin)
+	router := createRouter()
+	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", admin, router)
+
+	// Create system storage
+	storage := createNewStorage(workspace.ID)
+	storage.IsSystem = true
+
+	var savedStorage Storage
+	test_utils.MakePostRequestAndUnmarshal(
+		t,
+		router,
+		"/api/v1/storages",
+		"Bearer "+admin.Token,
+		*storage,
+		http.StatusOK,
+		&savedStorage,
+	)
+
+	assert.True(t, savedStorage.IsSystem)
+
+	// Attempt to change system storage to non-system (should fail)
+	savedStorage.IsSystem = false
+	resp := test_utils.MakePostRequest(
+		t,
+		router,
+		"/api/v1/storages",
+		"Bearer "+admin.Token,
+		savedStorage,
+		http.StatusBadRequest,
+	)
+	assert.Contains(t, string(resp.Body), "system storage cannot be changed to non-system")
+
+	// Verify storage is still system
+	var retrievedStorage Storage
+	test_utils.MakeGetRequestAndUnmarshal(
+		t,
+		router,
+		fmt.Sprintf("/api/v1/storages/%s", savedStorage.ID.String()),
+		"Bearer "+admin.Token,
+		http.StatusOK,
+		&retrievedStorage,
+	)
+	assert.True(t, retrievedStorage.IsSystem)
+
+	// Admin can update other fields while keeping IsSystem=true
+	savedStorage.IsSystem = true
+	savedStorage.Name = "Updated System Storage"
+	var updatedStorage Storage
+	test_utils.MakePostRequestAndUnmarshal(
+		t,
+		router,
+		"/api/v1/storages",
+		"Bearer "+admin.Token,
+		savedStorage,
+		http.StatusOK,
+		&updatedStorage,
+	)
+	assert.True(t, updatedStorage.IsSystem)
+	assert.Equal(t, "Updated System Storage", updatedStorage.Name)
+
+	deleteStorage(t, router, updatedStorage.ID, admin.Token)
 	workspaces_testing.RemoveTestWorkspace(workspace, router)
 }
 
@@ -205,7 +367,7 @@ func Test_TestExistingStorageConnection_ConnectionEstablished(t *testing.T) {
 
 	assert.Contains(t, string(response.Body), "successful")
 
-	deleteStorage(t, router, savedStorage.ID, workspace.ID, owner.Token)
+	deleteStorage(t, router, savedStorage.ID, owner.Token)
 	workspaces_testing.RemoveTestWorkspace(workspace, router)
 }
 
@@ -301,7 +463,14 @@ func Test_WorkspaceRolePermissions(t *testing.T) {
 				fmt.Sprintf("/api/v1/storages?workspace_id=%s", workspace.ID.String()),
 				"Bearer "+testUserToken, http.StatusOK, &storages,
 			)
-			assert.Len(t, storages, 1)
+			// Count only non-system storages for this workspace
+			nonSystemStorages := 0
+			for _, s := range storages {
+				if !s.IsSystem {
+					nonSystemStorages++
+				}
+			}
+			assert.Equal(t, 1, nonSystemStorages)
 
 			// Test CREATE storage
 			createStatusCode := http.StatusOK
@@ -356,16 +525,514 @@ func Test_WorkspaceRolePermissions(t *testing.T) {
 
 			// Cleanup
 			if tt.canCreate {
-				deleteStorage(t, router, savedStorage.ID, workspace.ID, owner.Token)
+				deleteStorage(t, router, savedStorage.ID, owner.Token)
 			}
 			if !tt.canDelete {
-				deleteStorage(t, router, ownerStorage.ID, workspace.ID, owner.Token)
+				deleteStorage(t, router, ownerStorage.ID, owner.Token)
 			}
 			workspaces_testing.RemoveTestWorkspace(workspace, router)
 		})
 	}
 }
 
+func Test_SystemStorage_AdminOnlyOperations(t *testing.T) {
+	tests := []struct {
+		name           string
+		operation      string
+		isAdmin        bool
+		expectSuccess  bool
+		expectedStatus int
+	}{
+		{
+			name:           "admin can create system storage",
+			operation:      "create",
+			isAdmin:        true,
+			expectSuccess:  true,
+			expectedStatus: http.StatusOK,
+		},
+		{
+			name:           "member cannot create system storage",
+			operation:      "create",
+			isAdmin:        false,
+			expectSuccess:  false,
+			expectedStatus: http.StatusForbidden,
+		},
+		{
+			name:           "admin can update storage to make it system",
+			operation:      "update_to_system",
+			isAdmin:        true,
+			expectSuccess:  true,
+			expectedStatus: http.StatusOK,
+		},
+		{
+			name:           "member cannot update storage to make it system",
+			operation:      "update_to_system",
+			isAdmin:        false,
+			expectSuccess:  false,
+			expectedStatus: http.StatusForbidden,
+		},
+		{
+			name:           "admin can update system storage",
+			operation:      "update_system",
+			isAdmin:        true,
+			expectSuccess:  true,
+			expectedStatus: http.StatusOK,
+		},
+		{
+			name:           "member cannot update system storage",
+			operation:      "update_system",
+			isAdmin:        false,
+			expectSuccess:  false,
+			expectedStatus: http.StatusForbidden,
+		},
+		{
+			name:           "admin can delete system storage",
+			operation:      "delete",
+			isAdmin:        true,
+			expectSuccess:  true,
+			expectedStatus: http.StatusOK,
+		},
+		{
+			name:           "member cannot delete system storage",
+			operation:      "delete",
+			isAdmin:        false,
+			expectSuccess:  false,
+			expectedStatus: http.StatusForbidden,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			router := createRouter()
+			GetStorageService().SetStorageDatabaseCounter(&mockStorageDatabaseCounter{})
+
+			owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
+			workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
+
+			var testUserToken string
+			if tt.isAdmin {
+				admin := users_testing.CreateTestUser(users_enums.UserRoleAdmin)
+				testUserToken = admin.Token
+			} else {
+				member := users_testing.CreateTestUser(users_enums.UserRoleMember)
+				workspaces_testing.AddMemberToWorkspace(
+					workspace,
+					member,
+					users_enums.WorkspaceRoleMember,
+					owner.Token,
+					router,
+				)
+				testUserToken = member.Token
+			}
+
+			switch tt.operation {
+			case "create":
+				systemStorage := &Storage{
+					WorkspaceID:  workspace.ID,
+					Type:         StorageTypeLocal,
+					Name:         "Test System Storage " + uuid.New().String(),
+					IsSystem:     true,
+					LocalStorage: &local_storage.LocalStorage{},
+				}
+
+				if tt.expectSuccess {
+					var savedStorage Storage
+					test_utils.MakePostRequestAndUnmarshal(
+						t,
+						router,
+						"/api/v1/storages",
+						"Bearer "+testUserToken,
+						*systemStorage,
+						tt.expectedStatus,
+						&savedStorage,
+					)
+					assert.NotEmpty(t, savedStorage.ID)
+					assert.True(t, savedStorage.IsSystem)
+					deleteStorage(t, router, savedStorage.ID, testUserToken)
+				} else {
+					resp := test_utils.MakePostRequest(
+						t,
+						router,
+						"/api/v1/storages",
+						"Bearer "+testUserToken,
+						*systemStorage,
+						tt.expectedStatus,
+					)
+					assert.Contains(t, string(resp.Body), "insufficient permissions")
+				}
+
+			case "update_to_system":
+				// Owner creates private storage first
+				privateStorage := createNewStorage(workspace.ID)
+				var savedStorage Storage
+				test_utils.MakePostRequestAndUnmarshal(
+					t,
+					router,
+					"/api/v1/storages",
+					"Bearer "+owner.Token,
+					*privateStorage,
+					http.StatusOK,
+					&savedStorage,
+				)
+
+				// Test user attempts to make it system
+				savedStorage.IsSystem = true
+				if tt.expectSuccess {
+					var updatedStorage Storage
+					test_utils.MakePostRequestAndUnmarshal(
+						t,
+						router,
+						"/api/v1/storages",
+						"Bearer "+testUserToken,
+						savedStorage,
+						tt.expectedStatus,
+						&updatedStorage,
+					)
+					assert.True(t, updatedStorage.IsSystem)
+					deleteStorage(t, router, savedStorage.ID, testUserToken)
+				} else {
+					resp := test_utils.MakePostRequest(
+						t,
+						router,
+						"/api/v1/storages",
+						"Bearer "+testUserToken,
+						savedStorage,
+						tt.expectedStatus,
+					)
+					assert.Contains(t, string(resp.Body), "insufficient permissions")
+					deleteStorage(t, router, savedStorage.ID, owner.Token)
+				}
+
+			case "update_system":
+				// Admin creates system storage first
+				admin := users_testing.CreateTestUser(users_enums.UserRoleAdmin)
+				systemStorage := &Storage{
+					WorkspaceID:  workspace.ID,
+					Type:         StorageTypeLocal,
+					Name:         "Test System Storage " + uuid.New().String(),
+					IsSystem:     true,
+					LocalStorage: &local_storage.LocalStorage{},
+				}
+				var savedStorage Storage
+				test_utils.MakePostRequestAndUnmarshal(
+					t,
+					router,
+					"/api/v1/storages",
+					"Bearer "+admin.Token,
+					*systemStorage,
+					http.StatusOK,
+					&savedStorage,
+				)
+
+				// Test user attempts to update system storage
+				savedStorage.Name = "Updated System Storage " + uuid.New().String()
+				if tt.expectSuccess {
+					var updatedStorage Storage
+					test_utils.MakePostRequestAndUnmarshal(
+						t,
+						router,
+						"/api/v1/storages",
+						"Bearer "+testUserToken,
+						savedStorage,
+						tt.expectedStatus,
+						&updatedStorage,
+					)
+					assert.Equal(t, savedStorage.Name, updatedStorage.Name)
+					assert.True(t, updatedStorage.IsSystem)
+					deleteStorage(t, router, savedStorage.ID, testUserToken)
+				} else {
+					resp := test_utils.MakePostRequest(
+						t,
+						router,
+						"/api/v1/storages",
+						"Bearer "+testUserToken,
+						savedStorage,
+						tt.expectedStatus,
+					)
+					assert.Contains(t, string(resp.Body), "insufficient permissions")
+					deleteStorage(t, router, savedStorage.ID, admin.Token)
+				}
+
+			case "delete":
+				// Admin creates system storage first
+				admin := users_testing.CreateTestUser(users_enums.UserRoleAdmin)
+				systemStorage := &Storage{
+					WorkspaceID:  workspace.ID,
+					Type:         StorageTypeLocal,
+					Name:         "Test System Storage " + uuid.New().String(),
+					IsSystem:     true,
+					LocalStorage: &local_storage.LocalStorage{},
+				}
+				var savedStorage Storage
+				test_utils.MakePostRequestAndUnmarshal(
+					t,
+					router,
+					"/api/v1/storages",
+					"Bearer "+admin.Token,
+					*systemStorage,
+					http.StatusOK,
+					&savedStorage,
+				)
+
+				// Test user attempts to delete system storage
+				if tt.expectSuccess {
+					test_utils.MakeDeleteRequest(
+						t,
+						router,
+						fmt.Sprintf("/api/v1/storages/%s", savedStorage.ID.String()),
+						"Bearer "+testUserToken,
+						tt.expectedStatus,
+					)
+				} else {
+					resp := test_utils.MakeDeleteRequest(
+						t,
+						router,
+						fmt.Sprintf("/api/v1/storages/%s", savedStorage.ID.String()),
+						"Bearer "+testUserToken,
+						tt.expectedStatus,
+					)
+					assert.Contains(t, string(resp.Body), "insufficient permissions")
+					deleteStorage(t, router, savedStorage.ID, admin.Token)
+				}
+			}
+
+			workspaces_testing.RemoveTestWorkspace(workspace, router)
+		})
+	}
+}
+
+func Test_GetStorages_SystemStorageIncludedForAllUsers(t *testing.T) {
+	router := createRouter()
+	GetStorageService().SetStorageDatabaseCounter(&mockStorageDatabaseCounter{})
+
+	// Create two workspaces with different owners
+	ownerA := users_testing.CreateTestUser(users_enums.UserRoleMember)
+	ownerB := users_testing.CreateTestUser(users_enums.UserRoleMember)
+	workspaceA := workspaces_testing.CreateTestWorkspace("Workspace A", ownerA, router)
+	workspaceB := workspaces_testing.CreateTestWorkspace("Workspace B", ownerB, router)
+
+	// Create private storage in workspace A
+	privateStorageA := createNewStorage(workspaceA.ID)
+	var savedPrivateStorageA Storage
+	test_utils.MakePostRequestAndUnmarshal(
+		t,
+		router,
+		"/api/v1/storages",
+		"Bearer "+ownerA.Token,
+		*privateStorageA,
+		http.StatusOK,
+		&savedPrivateStorageA,
+	)
+
+	// Admin creates system storage in workspace B
+	admin := users_testing.CreateTestUser(users_enums.UserRoleAdmin)
+	systemStorageB := &Storage{
+		WorkspaceID:  workspaceB.ID,
+		Type:         StorageTypeLocal,
+		Name:         "Test System Storage B " + uuid.New().String(),
+		IsSystem:     true,
+		LocalStorage: &local_storage.LocalStorage{},
+	}
+	var savedSystemStorageB Storage
+	test_utils.MakePostRequestAndUnmarshal(
+		t,
+		router,
+		"/api/v1/storages",
+		"Bearer "+admin.Token,
+		*systemStorageB,
+		http.StatusOK,
+		&savedSystemStorageB,
+	)
+
+	// Test: User from workspace A should see both private storage A and system storage B
+	var storagesForWorkspaceA []Storage
+	test_utils.MakeGetRequestAndUnmarshal(
+		t,
+		router,
+		fmt.Sprintf("/api/v1/storages?workspace_id=%s", workspaceA.ID.String()),
+		"Bearer "+ownerA.Token,
+		http.StatusOK,
+		&storagesForWorkspaceA,
+	)
+
+	assert.GreaterOrEqual(t, len(storagesForWorkspaceA), 2)
+	foundPrivateA := false
+	foundSystemB := false
+	for _, s := range storagesForWorkspaceA {
+		if s.ID == savedPrivateStorageA.ID {
+			foundPrivateA = true
+		}
+		if s.ID == savedSystemStorageB.ID {
+			foundSystemB = true
+		}
+	}
+	assert.True(t, foundPrivateA, "User from workspace A should see private storage A")
+	assert.True(t, foundSystemB, "User from workspace A should see system storage B")
+
+	// Test: User from workspace B should see system storage B
+	var storagesForWorkspaceB []Storage
+	test_utils.MakeGetRequestAndUnmarshal(
+		t,
+		router,
+		fmt.Sprintf("/api/v1/storages?workspace_id=%s", workspaceB.ID.String()),
+		"Bearer "+ownerB.Token,
+		http.StatusOK,
+		&storagesForWorkspaceB,
+	)
+
+	assert.GreaterOrEqual(t, len(storagesForWorkspaceB), 1)
+	foundSystemBInWorkspaceB := false
+	for _, s := range storagesForWorkspaceB {
+		if s.ID == savedSystemStorageB.ID {
+			foundSystemBInWorkspaceB = true
+		}
+		// Should NOT see private storage from workspace A
+		assert.NotEqual(
+			t,
+			savedPrivateStorageA.ID,
+			s.ID,
+			"User from workspace B should not see private storage from workspace A",
+		)
+	}
+	assert.True(t, foundSystemBInWorkspaceB, "User from workspace B should see system storage B")
+
+	// Test: Outsider (not in any workspace) cannot access storages
+	outsider := users_testing.CreateTestUser(users_enums.UserRoleMember)
+	test_utils.MakeGetRequest(
+		t,
+		router,
+		fmt.Sprintf("/api/v1/storages?workspace_id=%s", workspaceA.ID.String()),
+		"Bearer "+outsider.Token,
+		http.StatusForbidden,
+	)
+
+	// Cleanup
+	deleteStorage(t, router, savedPrivateStorageA.ID, ownerA.Token)
+	deleteStorage(t, router, savedSystemStorageB.ID, admin.Token)
+	workspaces_testing.RemoveTestWorkspace(workspaceA, router)
+	workspaces_testing.RemoveTestWorkspace(workspaceB, router)
+}
+
+func Test_GetSystemStorage_SensitiveDataHiddenForNonAdmin(t *testing.T) {
+	router := createRouter()
+	GetStorageService().SetStorageDatabaseCounter(&mockStorageDatabaseCounter{})
+
+	admin := users_testing.CreateTestUser(users_enums.UserRoleAdmin)
+	member := users_testing.CreateTestUser(users_enums.UserRoleMember)
+	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", member, router)
+
+	// Admin creates system S3 storage with credentials
+	systemS3Storage := &Storage{
+		WorkspaceID: workspace.ID,
+		Type:        StorageTypeS3,
+		Name:        "Test System S3 Storage " + uuid.New().String(),
+		IsSystem:    true,
+		S3Storage: &s3_storage.S3Storage{
+			S3Bucket:    "test-system-bucket",
+			S3Region:    "us-east-1",
+			S3AccessKey: "test-access-key-123",
+			S3SecretKey: "test-secret-key-456",
+			S3Endpoint:  "https://s3.amazonaws.com",
+		},
+	}
+
+	var savedStorage Storage
+	test_utils.MakePostRequestAndUnmarshal(
+		t,
+		router,
+		"/api/v1/storages",
+		"Bearer "+admin.Token,
+		*systemS3Storage,
+		http.StatusOK,
+		&savedStorage,
+	)
+
+	assert.NotEmpty(t, savedStorage.ID)
+	assert.True(t, savedStorage.IsSystem)
+
+	// Test: Admin retrieves system storage - should see S3Storage object with hidden sensitive fields
+	var adminView Storage
+	test_utils.MakeGetRequestAndUnmarshal(
+		t,
+		router,
+		fmt.Sprintf("/api/v1/storages/%s", savedStorage.ID.String()),
+		"Bearer "+admin.Token,
+		http.StatusOK,
+		&adminView,
+	)
+
+	assert.NotNil(t, adminView.S3Storage, "Admin should see S3Storage object")
+	assert.Equal(t, "test-system-bucket", adminView.S3Storage.S3Bucket)
+	assert.Equal(t, "us-east-1", adminView.S3Storage.S3Region)
+	// Sensitive fields should be hidden (empty strings)
+	assert.Equal(
+		t,
+		"",
+		adminView.S3Storage.S3AccessKey,
+		"Admin should see hidden (empty) access key",
+	)
+	assert.Equal(
+		t,
+		"",
+		adminView.S3Storage.S3SecretKey,
+		"Admin should see hidden (empty) secret key",
+	)
+
+	// Test: Member retrieves system storage - should see storage but all specific data hidden
+	var memberView Storage
+	test_utils.MakeGetRequestAndUnmarshal(
+		t,
+		router,
+		fmt.Sprintf("/api/v1/storages/%s", savedStorage.ID.String()),
+		"Bearer "+member.Token,
+		http.StatusOK,
+		&memberView,
+	)
+
+	assert.Equal(t, savedStorage.ID, memberView.ID)
+	assert.Equal(t, savedStorage.Name, memberView.Name)
+	assert.True(t, memberView.IsSystem)
+
+	// All storage type objects should be nil for non-admin viewing system storage
+	assert.Nil(t, memberView.S3Storage, "Non-admin should not see S3Storage object")
+	assert.Nil(t, memberView.LocalStorage, "Non-admin should not see LocalStorage object")
+	assert.Nil(
+		t,
+		memberView.GoogleDriveStorage,
+		"Non-admin should not see GoogleDriveStorage object",
+	)
+	assert.Nil(t, memberView.NASStorage, "Non-admin should not see NASStorage object")
+	assert.Nil(t, memberView.AzureBlobStorage, "Non-admin should not see AzureBlobStorage object")
+	assert.Nil(t, memberView.FTPStorage, "Non-admin should not see FTPStorage object")
+	assert.Nil(t, memberView.SFTPStorage, "Non-admin should not see SFTPStorage object")
+	assert.Nil(t, memberView.RcloneStorage, "Non-admin should not see RcloneStorage object")
+
+	// Test: Member can also see system storage in GetStorages list
+	var storages []Storage
+	test_utils.MakeGetRequestAndUnmarshal(
+		t,
+		router,
+		fmt.Sprintf("/api/v1/storages?workspace_id=%s", workspace.ID.String()),
+		"Bearer "+member.Token,
+		http.StatusOK,
+		&storages,
+	)
+
+	foundSystemStorage := false
+	for _, s := range storages {
+		if s.ID == savedStorage.ID {
+			foundSystemStorage = true
+			assert.True(t, s.IsSystem)
+			assert.Nil(t, s.S3Storage, "Non-admin should not see S3Storage in list")
+		}
+	}
+	assert.True(t, foundSystemStorage, "System storage should be in list")
+
+	// Cleanup
+	deleteStorage(t, router, savedStorage.ID, admin.Token)
+	workspaces_testing.RemoveTestWorkspace(workspace, router)
+}
+
 func Test_UserNotInWorkspace_CannotAccessStorages(t *testing.T) {
 	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
 	outsider := users_testing.CreateTestUser(users_enums.UserRoleMember)
@@ -417,7 +1084,7 @@ func Test_UserNotInWorkspace_CannotAccessStorages(t *testing.T) {
 		http.StatusForbidden,
 	)
 
-	deleteStorage(t, router, savedStorage.ID, workspace.ID, owner.Token)
+	deleteStorage(t, router, savedStorage.ID, owner.Token)
 	workspaces_testing.RemoveTestWorkspace(workspace, router)
 }
 
@@ -450,7 +1117,7 @@ func Test_CrossWorkspaceSecurity_CannotAccessStorageFromAnotherWorkspace(t *test
 	)
 	assert.Contains(t, string(response.Body), "insufficient permissions")
 
-	deleteStorage(t, router, savedStorage.ID, workspace1.ID, owner1.Token)
+	deleteStorage(t, router, savedStorage.ID, owner1.Token)
 	workspaces_testing.RemoveTestWorkspace(workspace1, router)
 	workspaces_testing.RemoveTestWorkspace(workspace2, router)
 }
@@ -986,6 +1653,10 @@ func Test_StorageSensitiveDataLifecycle_AllTypes(t *testing.T) {
 				&finalRetrieved,
 			)
 			tc.verifyHiddenData(t, &finalRetrieved)
+
+			// Cleanup
+			deleteStorage(t, router, createdStorage.ID, owner.Token)
+			workspaces_testing.RemoveTestWorkspace(workspace, router)
 		})
 	}
 }
@@ -1122,10 +1793,10 @@ func Test_TransferStorage_PermissionsEnforced(t *testing.T) {
 				)
 				assert.Equal(t, targetWorkspace.ID, retrievedStorage.WorkspaceID)
 
-				deleteStorage(t, router, savedStorage.ID, targetWorkspace.ID, targetOwner.Token)
+				deleteStorage(t, router, savedStorage.ID, targetOwner.Token)
 			} else {
 				assert.Contains(t, string(testResp.Body), "insufficient permissions")
-				deleteStorage(t, router, savedStorage.ID, sourceWorkspace.ID, sourceOwner.Token)
+				deleteStorage(t, router, savedStorage.ID, sourceOwner.Token)
 			}
 
 			workspaces_testing.RemoveTestWorkspace(sourceWorkspace, router)
@@ -1175,11 +1846,129 @@ func Test_TransferStorageNotManagableWorkspace_TransferFailed(t *testing.T) {
 		"insufficient permissions to manage storage in target workspace",
 	)
 
-	deleteStorage(t, router, savedStorage.ID, workspace1.ID, userA.Token)
+	deleteStorage(t, router, savedStorage.ID, userA.Token)
 	workspaces_testing.RemoveTestWorkspace(workspace1, router)
 	workspaces_testing.RemoveTestWorkspace(workspace2, router)
 }
 
+func Test_TransferSystemStorage_TransferBlocked(t *testing.T) {
+	router := createRouter()
+	GetStorageService().SetStorageDatabaseCounter(&mockStorageDatabaseCounter{})
+
+	admin := users_testing.CreateTestUser(users_enums.UserRoleAdmin)
+	workspaceA := workspaces_testing.CreateTestWorkspace("Workspace A", admin, router)
+	workspaceB := workspaces_testing.CreateTestWorkspace("Workspace B", admin, router)
+
+	// Admin creates system storage in workspace A
+	systemStorage := &Storage{
+		WorkspaceID:  workspaceA.ID,
+		Type:         StorageTypeLocal,
+		Name:         "Test System Storage " + uuid.New().String(),
+		IsSystem:     true,
+		LocalStorage: &local_storage.LocalStorage{},
+	}
+	var savedSystemStorage Storage
+	test_utils.MakePostRequestAndUnmarshal(
+		t,
+		router,
+		"/api/v1/storages",
+		"Bearer "+admin.Token,
+		*systemStorage,
+		http.StatusOK,
+		&savedSystemStorage,
+	)
+
+	// Admin attempts to transfer system storage to workspace B - should be blocked
+	transferRequest := TransferStorageRequest{
+		TargetWorkspaceID: workspaceB.ID,
+	}
+
+	testResp := test_utils.MakePostRequest(
+		t,
+		router,
+		fmt.Sprintf("/api/v1/storages/%s/transfer", savedSystemStorage.ID.String()),
+		"Bearer "+admin.Token,
+		transferRequest,
+		http.StatusBadRequest,
+	)
+
+	assert.Contains(
+		t,
+		string(testResp.Body),
+		"system storage cannot be transferred",
+		"Transfer should fail with appropriate error message",
+	)
+
+	// Verify storage is still in workspace A
+	var retrievedStorage Storage
+	test_utils.MakeGetRequestAndUnmarshal(
+		t,
+		router,
+		fmt.Sprintf("/api/v1/storages/%s", savedSystemStorage.ID.String()),
+		"Bearer "+admin.Token,
+		http.StatusOK,
+		&retrievedStorage,
+	)
+	assert.Equal(
+		t,
+		workspaceA.ID,
+		retrievedStorage.WorkspaceID,
+		"Storage should remain in workspace A",
+	)
+
+	// Test regression: Non-system storage can still be transferred
+	privateStorage := createNewStorage(workspaceA.ID)
+	var savedPrivateStorage Storage
+	test_utils.MakePostRequestAndUnmarshal(
+		t,
+		router,
+		"/api/v1/storages",
+		"Bearer "+admin.Token,
+		*privateStorage,
+		http.StatusOK,
+		&savedPrivateStorage,
+	)
+
+	privateTransferResp := test_utils.MakePostRequest(
+		t,
+		router,
+		fmt.Sprintf("/api/v1/storages/%s/transfer", savedPrivateStorage.ID.String()),
+		"Bearer "+admin.Token,
+		transferRequest,
+		http.StatusOK,
+	)
+
+	assert.Contains(
+		t,
+		string(privateTransferResp.Body),
+		"transferred successfully",
+		"Private storage should be transferable",
+	)
+
+	// Verify private storage was transferred to workspace B
+	var transferredStorage Storage
+	test_utils.MakeGetRequestAndUnmarshal(
+		t,
+		router,
+		fmt.Sprintf("/api/v1/storages/%s", savedPrivateStorage.ID.String()),
+		"Bearer "+admin.Token,
+		http.StatusOK,
+		&transferredStorage,
+	)
+	assert.Equal(
+		t,
+		workspaceB.ID,
+		transferredStorage.WorkspaceID,
+		"Private storage should be in workspace B",
+	)
+
+	// Cleanup
+	deleteStorage(t, router, savedSystemStorage.ID, admin.Token)
+	deleteStorage(t, router, savedPrivateStorage.ID, admin.Token)
+	workspaces_testing.RemoveTestWorkspace(workspaceA, router)
+	workspaces_testing.RemoveTestWorkspace(workspaceB, router)
+}
+
 func createRouter() *gin.Engine {
 	gin.SetMode(gin.TestMode)
 	router := gin.New()
@@ -1212,12 +2001,13 @@ func verifyStorageData(t *testing.T, expected *Storage, actual *Storage) {
 	assert.Equal(t, expected.Name, actual.Name)
 	assert.Equal(t, expected.Type, actual.Type)
 	assert.Equal(t, expected.WorkspaceID, actual.WorkspaceID)
+	assert.Equal(t, expected.IsSystem, actual.IsSystem)
 }
 
 func deleteStorage(
 	t *testing.T,
 	router *gin.Engine,
-	storageID, workspaceID uuid.UUID,
+	storageID uuid.UUID,
 	token string,
 ) {
 	test_utils.MakeDeleteRequest(

backend/internal/features/storages/errors.go

@@ -33,4 +33,10 @@ var (
 	ErrStorageHasOtherAttachedDatabasesCannotTransfer = errors.New(
 		"storage has other attached databases and cannot be transferred",
 	)
+	ErrSystemStorageCannotBeTransferred = errors.New(
+		"system storage cannot be transferred between workspaces",
+	)
+	ErrSystemStorageCannotBeMadePrivate = errors.New(
+		"system storage cannot be changed to non-system",
+	)
 )

backend/internal/features/storages/model.go

@@ -24,6 +24,7 @@ type Storage struct {
 	Type          StorageType `json:"type"          gorm:"column:type;not null;type:text"`
 	Name          string      `json:"name"          gorm:"column:name;not null;type:text"`
 	LastSaveError *string     `json:"lastSaveError" gorm:"column:last_save_error;type:text"`
+	IsSystem      bool        `json:"isSystem"      gorm:"column:is_system;not null;default:false"`
 
 	// specific storage
 	LocalStorage       *local_storage.LocalStorage              `json:"localStorage"       gorm:"foreignKey:StorageID"`
@@ -86,6 +87,17 @@ func (s *Storage) HideSensitiveData() {
 	s.getSpecificStorage().HideSensitiveData()
 }
 
+func (s *Storage) HideAllData() {
+	s.LocalStorage = nil
+	s.S3Storage = nil
+	s.GoogleDriveStorage = nil
+	s.NASStorage = nil
+	s.AzureBlobStorage = nil
+	s.FTPStorage = nil
+	s.SFTPStorage = nil
+	s.RcloneStorage = nil
+}
+
 func (s *Storage) EncryptSensitiveData(encryptor encryption.FieldEncryptor) error {
 	return s.getSpecificStorage().EncryptSensitiveData(encryptor)
 }
@@ -93,6 +105,7 @@ func (s *Storage) EncryptSensitiveData(encryptor encryption.FieldEncryptor) erro
 func (s *Storage) Update(incoming *Storage) {
 	s.Name = incoming.Name
 	s.Type = incoming.Type
+	s.IsSystem = incoming.IsSystem
 
 	switch s.Type {
 	case StorageTypeLocal:

backend/internal/features/storages/models/ftp/model.go

@@ -285,30 +285,30 @@ func (f *FTPStorage) ensureDirectory(conn *ftp.ServerConn, path string) error {
 	}
 
 	parts := strings.Split(path, "/")
-	currentPath := ""
+
+	currentDir, err := conn.CurrentDir()
+	if err != nil {
+		return fmt.Errorf("failed to get current directory: %w", err)
+	}
+	defer func() {
+		_ = conn.ChangeDir(currentDir)
+	}()
 
 	for _, part := range parts {
 		if part == "" || part == "." {
 			continue
 		}
 
-		if currentPath == "" {
-			currentPath = part
-		} else {
-			currentPath = currentPath + "/" + part
-		}
-
-		err := conn.ChangeDir(currentPath)
+		err := conn.ChangeDir(part)
 		if err != nil {
-			err = conn.MakeDir(currentPath)
+			err = conn.MakeDir(part)
 			if err != nil {
-				return fmt.Errorf("failed to create directory '%s': %w", currentPath, err)
+				return fmt.Errorf("failed to create directory '%s': %w", part, err)
+			}
+			err = conn.ChangeDir(part)
+			if err != nil {
+				return fmt.Errorf("failed to change into directory '%s': %w", part, err)
 			}
-		}
-
-		err = conn.ChangeDirToParent()
-		if err != nil {
-			return fmt.Errorf("failed to change to parent directory: %w", err)
 		}
 	}
 

backend/internal/features/storages/repository.go

@@ -165,7 +165,7 @@ func (r *StorageRepository) FindByWorkspaceID(workspaceID uuid.UUID) ([]*Storage
 		Preload("FTPStorage").
 		Preload("SFTPStorage").
 		Preload("RcloneStorage").
-		Where("workspace_id = ?", workspaceID).
+		Where("workspace_id = ? OR is_system = TRUE", workspaceID).
 		Order("name ASC").
 		Find(&storages).Error; err != nil {
 		return nil, err

backend/internal/features/storages/service.go

@@ -4,6 +4,7 @@ import (
 	"fmt"
 
 	audit_logs "databasus-backend/internal/features/audit_logs"
+	users_enums "databasus-backend/internal/features/users/enums"
 	users_models "databasus-backend/internal/features/users/models"
 	workspaces_services "databasus-backend/internal/features/workspaces/services"
 	"databasus-backend/internal/util/encryption"
@@ -38,6 +39,11 @@ func (s *StorageService) SaveStorage(
 
 	isUpdate := storage.ID != uuid.Nil
 
+	if storage.IsSystem && user.Role != users_enums.UserRoleAdmin {
+		// only admin can manage system storage
+		return ErrInsufficientPermissionsToManageStorage
+	}
+
 	if isUpdate {
 		existingStorage, err := s.storageRepository.FindByID(storage.ID)
 		if err != nil {
@@ -48,6 +54,10 @@ func (s *StorageService) SaveStorage(
 			return ErrStorageDoesNotBelongToWorkspace
 		}
 
+		if existingStorage.IsSystem && !storage.IsSystem {
+			return ErrSystemStorageCannotBeMadePrivate
+		}
+
 		existingStorage.Update(storage)
 
 		if err := existingStorage.EncryptSensitiveData(s.fieldEncryptor); err != nil {
@@ -111,6 +121,11 @@ func (s *StorageService) DeleteStorage(
 		return ErrInsufficientPermissionsToManageStorage
 	}
 
+	if storage.IsSystem && user.Role != users_enums.UserRoleAdmin {
+		// only admin can manage system storage
+		return ErrInsufficientPermissionsToManageStorage
+	}
+
 	attachedDatabasesIDs, err := s.storageDatabaseCounter.GetStorageAttachedDatabasesIDs(storage.ID)
 	if err != nil {
 		return err
@@ -142,16 +157,22 @@ func (s *StorageService) GetStorage(
 		return nil, err
 	}
 
-	canView, _, err := s.workspaceService.CanUserAccessWorkspace(storage.WorkspaceID, user)
-	if err != nil {
-		return nil, err
-	}
-	if !canView {
-		return nil, ErrInsufficientPermissionsToViewStorage
+	if !storage.IsSystem {
+		canView, _, err := s.workspaceService.CanUserAccessWorkspace(storage.WorkspaceID, user)
+		if err != nil {
+			return nil, err
+		}
+		if !canView {
+			return nil, ErrInsufficientPermissionsToViewStorage
+		}
 	}
 
 	storage.HideSensitiveData()
 
+	if storage.IsSystem && user.Role != users_enums.UserRoleAdmin {
+		storage.HideAllData()
+	}
+
 	return storage, nil
 }
 
@@ -174,6 +195,10 @@ func (s *StorageService) GetStorages(
 
 	for _, storage := range storages {
 		storage.HideSensitiveData()
+
+		if storage.IsSystem && user.Role != users_enums.UserRoleAdmin {
+			storage.HideAllData()
+		}
 	}
 
 	return storages, nil
@@ -258,6 +283,10 @@ func (s *StorageService) TransferStorageToWorkspace(
 		return err
 	}
 
+	if existingStorage.IsSystem {
+		return ErrSystemStorageCannotBeTransferred
+	}
+
 	canManageSource, err := s.workspaceService.CanUserManageDBs(existingStorage.WorkspaceID, user)
 	if err != nil {
 		return err

backend/internal/features/system/healthcheck/controller.go

@@ -23,6 +23,18 @@ func (c *HealthcheckController) RegisterRoutes(router *gin.RouterGroup) {
 // @Failure 503 {object} HealthcheckResponse
 // @Router /system/health [get]
 func (c *HealthcheckController) CheckHealth(ctx *gin.Context) {
+	// Allow unrestricted CORS for health check endpoint
+	// This enables monitoring tools from any origin to check system health
+	ctx.Header("Access-Control-Allow-Origin", "*")
+	ctx.Header("Access-Control-Allow-Methods", "GET, OPTIONS")
+	ctx.Header("Access-Control-Allow-Headers", "Content-Type")
+
+	// Handle preflight OPTIONS request
+	if ctx.Request.Method == "OPTIONS" {
+		ctx.AbortWithStatus(http.StatusNoContent)
+		return
+	}
+
 	err := c.healthcheckService.IsHealthy()
 
 	if err == nil {

backend/internal/features/system/healthcheck/service.go

@@ -1,11 +1,14 @@
 package system_healthcheck
 
 import (
+	"context"
 	"databasus-backend/internal/config"
 	"databasus-backend/internal/features/backups/backups/backuping"
 	"databasus-backend/internal/features/disk"
 	"databasus-backend/internal/storage"
+	cache_utils "databasus-backend/internal/util/cache"
 	"errors"
+	"time"
 )
 
 type HealthcheckService struct {
@@ -15,6 +18,20 @@ type HealthcheckService struct {
 }
 
 func (s *HealthcheckService) IsHealthy() error {
+	return s.performHealthCheck()
+}
+
+func (s *HealthcheckService) performHealthCheck() error {
+	// Check if cache is available with PING
+	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
+	defer cancel()
+
+	client := cache_utils.GetValkeyClient()
+	pingResult := client.Do(ctx, client.B().Ping().Build())
+	if pingResult.Error() != nil {
+		return errors.New("cannot connect to valkey")
+	}
+
 	diskUsage, err := s.diskService.GetDiskUsage()
 	if err != nil {
 		return errors.New("cannot get disk usage")
@@ -40,6 +57,7 @@ func (s *HealthcheckService) IsHealthy() error {
 	if config.GetEnv().IsProcessingNode {
 		if !s.backuperNode.IsBackuperRunning() {
 			return errors.New("backuper node is not running for more than 5 minutes")
+
 		}
 	}
 

backend/internal/features/users/controllers/password_reset_test.go

@@ -0,0 +1,593 @@
+package users_controllers
+
+import (
+	"net/http"
+	"testing"
+	"time"
+
+	users_dto "databasus-backend/internal/features/users/dto"
+	users_enums "databasus-backend/internal/features/users/enums"
+	users_models "databasus-backend/internal/features/users/models"
+	users_services "databasus-backend/internal/features/users/services"
+	users_testing "databasus-backend/internal/features/users/testing"
+	"databasus-backend/internal/storage"
+	test_utils "databasus-backend/internal/util/testing"
+
+	"github.com/google/uuid"
+	"github.com/stretchr/testify/assert"
+	"golang.org/x/crypto/bcrypt"
+)
+
+func Test_SendResetPasswordCode_WithValidEmail_CodeSent(t *testing.T) {
+	router := createUserTestRouter()
+	mockEmailSender := users_testing.NewMockEmailSender()
+	users_services.GetUserService().SetEmailSender(mockEmailSender)
+
+	user := users_testing.CreateTestUser(users_enums.UserRoleMember)
+
+	request := users_dto.SendResetPasswordCodeRequestDTO{
+		Email: user.Email,
+	}
+
+	test_utils.MakePostRequest(
+		t,
+		router,
+		"/api/v1/users/send-reset-password-code",
+		"",
+		request,
+		http.StatusOK,
+	)
+
+	assert.Equal(t, 1, len(mockEmailSender.SentEmails))
+	assert.Equal(t, user.Email, mockEmailSender.SentEmails[0].To)
+	assert.Contains(t, mockEmailSender.SentEmails[0].Subject, "Password Reset")
+}
+
+func Test_SendResetPasswordCode_WithNonExistentUser_ReturnsSuccess(t *testing.T) {
+	router := createUserTestRouter()
+	mockEmailSender := users_testing.NewMockEmailSender()
+	users_services.GetUserService().SetEmailSender(mockEmailSender)
+
+	request := users_dto.SendResetPasswordCodeRequestDTO{
+		Email: "nonexistent" + uuid.New().String() + "@example.com",
+	}
+
+	// Should return success to prevent enumeration attacks
+	test_utils.MakePostRequest(
+		t,
+		router,
+		"/api/v1/users/send-reset-password-code",
+		"",
+		request,
+		http.StatusOK,
+	)
+
+	// But no email should be sent
+	assert.Equal(t, 0, len(mockEmailSender.SentEmails))
+}
+
+func Test_SendResetPasswordCode_WithInvitedUser_ReturnsBadRequest(t *testing.T) {
+	router := createUserTestRouter()
+	mockEmailSender := users_testing.NewMockEmailSender()
+	users_services.GetUserService().SetEmailSender(mockEmailSender)
+
+	adminUser := users_testing.CreateTestUser(users_enums.UserRoleAdmin)
+	email := "invited" + uuid.New().String() + "@example.com"
+
+	inviteRequest := users_dto.InviteUserRequestDTO{
+		Email: email,
+	}
+	test_utils.MakePostRequest(
+		t,
+		router,
+		"/api/v1/users/invite",
+		"Bearer "+adminUser.Token,
+		inviteRequest,
+		http.StatusOK,
+	)
+
+	request := users_dto.SendResetPasswordCodeRequestDTO{
+		Email: email,
+	}
+
+	resp := test_utils.MakePostRequest(
+		t,
+		router,
+		"/api/v1/users/send-reset-password-code",
+		"",
+		request,
+		http.StatusBadRequest,
+	)
+
+	assert.Contains(t, string(resp.Body), "only active users")
+}
+
+func Test_SendResetPasswordCode_WithRateLimitExceeded_ReturnsTooManyRequests(t *testing.T) {
+	router := createUserTestRouter()
+	mockEmailSender := users_testing.NewMockEmailSender()
+	users_services.GetUserService().SetEmailSender(mockEmailSender)
+
+	user := users_testing.CreateTestUser(users_enums.UserRoleMember)
+
+	request := users_dto.SendResetPasswordCodeRequestDTO{
+		Email: user.Email,
+	}
+
+	// Make 3 requests (should succeed)
+	for range 3 {
+		test_utils.MakePostRequest(
+			t,
+			router,
+			"/api/v1/users/send-reset-password-code",
+			"",
+			request,
+			http.StatusOK,
+		)
+	}
+
+	// 4th request should be rate limited
+	resp := test_utils.MakePostRequest(
+		t,
+		router,
+		"/api/v1/users/send-reset-password-code",
+		"",
+		request,
+		http.StatusTooManyRequests,
+	)
+
+	assert.Contains(t, string(resp.Body), "Rate limit exceeded")
+}
+
+func Test_SendResetPasswordCode_WithInvalidJSON_ReturnsBadRequest(t *testing.T) {
+	router := createUserTestRouter()
+
+	resp := test_utils.MakeRequest(t, router, test_utils.RequestOptions{
+		Method:         "POST",
+		URL:            "/api/v1/users/send-reset-password-code",
+		Body:           "invalid json",
+		ExpectedStatus: http.StatusBadRequest,
+	})
+
+	assert.Contains(t, string(resp.Body), "Invalid request format")
+}
+
+func Test_ResetPassword_WithValidCode_PasswordReset(t *testing.T) {
+	router := createUserTestRouter()
+	mockEmailSender := users_testing.NewMockEmailSender()
+	users_services.GetUserService().SetEmailSender(mockEmailSender)
+
+	email := "resettest" + uuid.New().String() + "@example.com"
+	oldPassword := "oldpassword123"
+	newPassword := "newpassword456"
+
+	// Create user
+	signupRequest := users_dto.SignUpRequestDTO{
+		Email:    email,
+		Password: oldPassword,
+		Name:     "Test User",
+	}
+	test_utils.MakePostRequest(t, router, "/api/v1/users/signup", "", signupRequest, http.StatusOK)
+
+	// Request reset code
+	sendCodeRequest := users_dto.SendResetPasswordCodeRequestDTO{
+		Email: email,
+	}
+	test_utils.MakePostRequest(
+		t,
+		router,
+		"/api/v1/users/send-reset-password-code",
+		"",
+		sendCodeRequest,
+		http.StatusOK,
+	)
+
+	// Extract code from email
+	assert.Equal(t, 1, len(mockEmailSender.SentEmails))
+	emailBody := mockEmailSender.SentEmails[0].Body
+	code := extractCodeFromEmail(emailBody)
+	t.Logf("Extracted code: %s from email body (length: %d)", code, len(code))
+	assert.NotEmpty(t, code, "Code should be extracted from email")
+	assert.Len(t, code, 6, "Code should be 6 digits")
+
+	// Reset password
+	resetRequest := users_dto.ResetPasswordRequestDTO{
+		Email:       email,
+		Code:        code,
+		NewPassword: newPassword,
+	}
+	resp := test_utils.MakePostRequest(
+		t,
+		router,
+		"/api/v1/users/reset-password",
+		"",
+		resetRequest,
+		http.StatusOK,
+	)
+	if resp.StatusCode != http.StatusOK {
+		t.Logf("Reset password failed with body: %s", string(resp.Body))
+	}
+
+	// Verify old password doesn't work
+	oldSigninRequest := users_dto.SignInRequestDTO{
+		Email:    email,
+		Password: oldPassword,
+	}
+	test_utils.MakePostRequest(
+		t,
+		router,
+		"/api/v1/users/signin",
+		"",
+		oldSigninRequest,
+		http.StatusBadRequest,
+	)
+
+	// Verify new password works
+	newSigninRequest := users_dto.SignInRequestDTO{
+		Email:    email,
+		Password: newPassword,
+	}
+	test_utils.MakePostRequest(
+		t,
+		router,
+		"/api/v1/users/signin",
+		"",
+		newSigninRequest,
+		http.StatusOK,
+	)
+}
+
+func Test_ResetPassword_WithExpiredCode_ReturnsBadRequest(t *testing.T) {
+	router := createUserTestRouter()
+	mockEmailSender := users_testing.NewMockEmailSender()
+	users_services.GetUserService().SetEmailSender(mockEmailSender)
+
+	user := users_testing.CreateTestUser(users_enums.UserRoleMember)
+
+	// Create expired reset code directly in database
+	code := "123456"
+	hashedCode, _ := bcrypt.GenerateFromPassword([]byte(code), bcrypt.DefaultCost)
+	expiredCode := &users_models.PasswordResetCode{
+		ID:         uuid.New(),
+		UserID:     user.UserID,
+		HashedCode: string(hashedCode),
+		ExpiresAt:  time.Now().UTC().Add(-1 * time.Hour), // Expired 1 hour ago
+		IsUsed:     false,
+		CreatedAt:  time.Now().UTC().Add(-2 * time.Hour),
+	}
+	storage.GetDb().Create(expiredCode)
+
+	resetRequest := users_dto.ResetPasswordRequestDTO{
+		Email:       user.Email,
+		Code:        code,
+		NewPassword: "newpassword123",
+	}
+
+	resp := test_utils.MakePostRequest(
+		t,
+		router,
+		"/api/v1/users/reset-password",
+		"",
+		resetRequest,
+		http.StatusBadRequest,
+	)
+
+	assert.Contains(t, string(resp.Body), "invalid or expired")
+}
+
+func Test_ResetPassword_WithUsedCode_ReturnsBadRequest(t *testing.T) {
+	router := createUserTestRouter()
+	mockEmailSender := users_testing.NewMockEmailSender()
+	users_services.GetUserService().SetEmailSender(mockEmailSender)
+
+	email := "usedcode" + uuid.New().String() + "@example.com"
+
+	// Create user
+	signupRequest := users_dto.SignUpRequestDTO{
+		Email:    email,
+		Password: "password123",
+		Name:     "Test User",
+	}
+	test_utils.MakePostRequest(t, router, "/api/v1/users/signup", "", signupRequest, http.StatusOK)
+
+	// Request reset code
+	sendCodeRequest := users_dto.SendResetPasswordCodeRequestDTO{
+		Email: email,
+	}
+	test_utils.MakePostRequest(
+		t,
+		router,
+		"/api/v1/users/send-reset-password-code",
+		"",
+		sendCodeRequest,
+		http.StatusOK,
+	)
+
+	code := extractCodeFromEmail(mockEmailSender.SentEmails[0].Body)
+
+	// Use code first time
+	resetRequest := users_dto.ResetPasswordRequestDTO{
+		Email:       email,
+		Code:        code,
+		NewPassword: "newpassword123",
+	}
+	test_utils.MakePostRequest(
+		t,
+		router,
+		"/api/v1/users/reset-password",
+		"",
+		resetRequest,
+		http.StatusOK,
+	)
+
+	// Try to use same code again
+	resetRequest2 := users_dto.ResetPasswordRequestDTO{
+		Email:       email,
+		Code:        code,
+		NewPassword: "anotherpassword456",
+	}
+	resp := test_utils.MakePostRequest(
+		t,
+		router,
+		"/api/v1/users/reset-password",
+		"",
+		resetRequest2,
+		http.StatusBadRequest,
+	)
+
+	assert.Contains(t, string(resp.Body), "invalid or expired")
+}
+
+func Test_ResetPassword_WithWrongCode_ReturnsBadRequest(t *testing.T) {
+	router := createUserTestRouter()
+	mockEmailSender := users_testing.NewMockEmailSender()
+	users_services.GetUserService().SetEmailSender(mockEmailSender)
+
+	user := users_testing.CreateTestUser(users_enums.UserRoleMember)
+
+	// Request reset code
+	sendCodeRequest := users_dto.SendResetPasswordCodeRequestDTO{
+		Email: user.Email,
+	}
+	test_utils.MakePostRequest(
+		t,
+		router,
+		"/api/v1/users/send-reset-password-code",
+		"",
+		sendCodeRequest,
+		http.StatusOK,
+	)
+
+	// Try to reset with wrong code
+	resetRequest := users_dto.ResetPasswordRequestDTO{
+		Email:       user.Email,
+		Code:        "999999", // Wrong code
+		NewPassword: "newpassword123",
+	}
+	resp := test_utils.MakePostRequest(
+		t,
+		router,
+		"/api/v1/users/reset-password",
+		"",
+		resetRequest,
+		http.StatusBadRequest,
+	)
+
+	assert.Contains(t, string(resp.Body), "invalid")
+}
+
+func Test_ResetPassword_WithInvalidNewPassword_ReturnsBadRequest(t *testing.T) {
+	router := createUserTestRouter()
+	mockEmailSender := users_testing.NewMockEmailSender()
+	users_services.GetUserService().SetEmailSender(mockEmailSender)
+
+	user := users_testing.CreateTestUser(users_enums.UserRoleMember)
+
+	resetRequest := users_dto.ResetPasswordRequestDTO{
+		Email:       user.Email,
+		Code:        "123456",
+		NewPassword: "short", // Too short
+	}
+
+	test_utils.MakePostRequest(
+		t,
+		router,
+		"/api/v1/users/reset-password",
+		"",
+		resetRequest,
+		http.StatusBadRequest,
+	)
+}
+
+func Test_ResetPassword_EmailSendFailure_ReturnsError(t *testing.T) {
+	router := createUserTestRouter()
+	mockEmailSender := users_testing.NewMockEmailSender()
+	mockEmailSender.ShouldFail = true
+	users_services.GetUserService().SetEmailSender(mockEmailSender)
+
+	user := users_testing.CreateTestUser(users_enums.UserRoleMember)
+
+	request := users_dto.SendResetPasswordCodeRequestDTO{
+		Email: user.Email,
+	}
+
+	resp := test_utils.MakePostRequest(
+		t,
+		router,
+		"/api/v1/users/send-reset-password-code",
+		"",
+		request,
+		http.StatusBadRequest,
+	)
+
+	assert.Contains(t, string(resp.Body), "failed to send email")
+}
+
+func Test_ResetPasswordFlow_E2E_CompletesSuccessfully(t *testing.T) {
+	router := createUserTestRouter()
+	mockEmailSender := users_testing.NewMockEmailSender()
+	users_services.GetUserService().SetEmailSender(mockEmailSender)
+
+	email := "e2e" + uuid.New().String() + "@example.com"
+	initialPassword := "initialpass123"
+	newPassword := "brandnewpass456"
+
+	// 1. Create user via signup
+	signupRequest := users_dto.SignUpRequestDTO{
+		Email:    email,
+		Password: initialPassword,
+		Name:     "E2E Test User",
+	}
+	test_utils.MakePostRequest(t, router, "/api/v1/users/signup", "", signupRequest, http.StatusOK)
+
+	// 2. Verify can sign in with initial password
+	signinRequest := users_dto.SignInRequestDTO{
+		Email:    email,
+		Password: initialPassword,
+	}
+	var signinResponse users_dto.SignInResponseDTO
+	test_utils.MakePostRequestAndUnmarshal(
+		t,
+		router,
+		"/api/v1/users/signin",
+		"",
+		signinRequest,
+		http.StatusOK,
+		&signinResponse,
+	)
+	assert.NotEmpty(t, signinResponse.Token)
+
+	// 3. Request password reset code
+	sendCodeRequest := users_dto.SendResetPasswordCodeRequestDTO{
+		Email: email,
+	}
+	test_utils.MakePostRequest(
+		t,
+		router,
+		"/api/v1/users/send-reset-password-code",
+		"",
+		sendCodeRequest,
+		http.StatusOK,
+	)
+
+	// 4. Verify email was sent
+	assert.Equal(t, 1, len(mockEmailSender.SentEmails))
+	code := extractCodeFromEmail(mockEmailSender.SentEmails[0].Body)
+	assert.NotEmpty(t, code)
+
+	// 5. Reset password using code
+	resetRequest := users_dto.ResetPasswordRequestDTO{
+		Email:       email,
+		Code:        code,
+		NewPassword: newPassword,
+	}
+	test_utils.MakePostRequest(
+		t,
+		router,
+		"/api/v1/users/reset-password",
+		"",
+		resetRequest,
+		http.StatusOK,
+	)
+
+	// 6. Verify old password no longer works
+	oldSignin := users_dto.SignInRequestDTO{
+		Email:    email,
+		Password: initialPassword,
+	}
+	test_utils.MakePostRequest(
+		t,
+		router,
+		"/api/v1/users/signin",
+		"",
+		oldSignin,
+		http.StatusBadRequest,
+	)
+
+	// 7. Verify new password works
+	newSignin := users_dto.SignInRequestDTO{
+		Email:    email,
+		Password: newPassword,
+	}
+	var finalResponse users_dto.SignInResponseDTO
+	test_utils.MakePostRequestAndUnmarshal(
+		t,
+		router,
+		"/api/v1/users/signin",
+		"",
+		newSignin,
+		http.StatusOK,
+		&finalResponse,
+	)
+	assert.NotEmpty(t, finalResponse.Token)
+}
+
+func Test_ResetPassword_WithInvalidJSON_ReturnsBadRequest(t *testing.T) {
+	router := createUserTestRouter()
+
+	resp := test_utils.MakeRequest(t, router, test_utils.RequestOptions{
+		Method:         "POST",
+		URL:            "/api/v1/users/reset-password",
+		Body:           "invalid json",
+		ExpectedStatus: http.StatusBadRequest,
+	})
+
+	assert.Contains(t, string(resp.Body), "Invalid request format")
+}
+
+// Helper function to extract 6-digit code from email HTML body
+func extractCodeFromEmail(emailBody string) string {
+	// Look for pattern: <h1 ... >CODE</h1>
+	// First find <h1
+	h1Start := 0
+	for i := 0; i < len(emailBody)-3; i++ {
+		if emailBody[i:i+3] == "<h1" {
+			h1Start = i
+			break
+		}
+	}
+
+	if h1Start == 0 {
+		return ""
+	}
+
+	// Find the > after <h1
+	contentStart := h1Start
+	for i := h1Start; i < len(emailBody); i++ {
+		if emailBody[i] == '>' {
+			contentStart = i + 1
+			break
+		}
+	}
+
+	// Find </h1>
+	contentEnd := contentStart
+	for i := contentStart; i < len(emailBody)-5; i++ {
+		if emailBody[i:i+5] == "</h1>" {
+			contentEnd = i
+			break
+		}
+	}
+
+	if contentEnd <= contentStart {
+		return ""
+	}
+
+	// Extract content and remove whitespace
+	content := emailBody[contentStart:contentEnd]
+	code := ""
+	for i := 0; i < len(content); i++ {
+		if isDigit(content[i]) {
+			code += string(content[i])
+		}
+	}
+
+	if len(code) == 6 {
+		return code
+	}
+
+	return ""
+}
+
+func isDigit(b byte) bool {
+	return b >= '0' && b <= '9'
+}

backend/internal/features/users/controllers/user_controller.go

@@ -28,6 +28,10 @@ func (c *UserController) RegisterRoutes(router *gin.RouterGroup) {
 	router.GET("/users/admin/has-password", c.IsAdminHasPassword)
 	router.POST("/users/admin/set-password", c.SetAdminPassword)
 
+	// Password reset (no auth required)
+	router.POST("/users/send-reset-password-code", c.SendResetPasswordCode)
+	router.POST("/users/reset-password", c.ResetPassword)
+
 	// OAuth callbacks
 	router.POST("/auth/github/callback", c.HandleGitHubOAuth)
 	router.POST("/auth/google/callback", c.HandleGoogleOAuth)
@@ -340,3 +344,70 @@ func (c *UserController) HandleGoogleOAuth(ctx *gin.Context) {
 
 	ctx.JSON(http.StatusOK, response)
 }
+
+// SendResetPasswordCode
+// @Summary Send password reset code
+// @Description Send a password reset code to the user's email
+// @Tags users
+// @Accept json
+// @Produce json
+// @Param request body users_dto.SendResetPasswordCodeRequestDTO true "Email address"
+// @Success 200 {object} map[string]string
+// @Failure 400 {object} map[string]string
+// @Failure 429 {object} map[string]string
+// @Router /users/send-reset-password-code [post]
+func (c *UserController) SendResetPasswordCode(ctx *gin.Context) {
+	var request user_dto.SendResetPasswordCodeRequestDTO
+	if err := ctx.ShouldBindJSON(&request); err != nil {
+		ctx.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request format"})
+		return
+	}
+
+	allowed, _ := c.rateLimiter.CheckLimit(
+		request.Email,
+		"reset-password",
+		3,
+		1*time.Hour,
+	)
+	if !allowed {
+		ctx.JSON(
+			http.StatusTooManyRequests,
+			gin.H{"error": "Rate limit exceeded. Please try again later."},
+		)
+		return
+	}
+
+	err := c.userService.SendResetPasswordCode(request.Email)
+	if err != nil {
+		ctx.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+
+	ctx.JSON(http.StatusOK, gin.H{"message": "If the email exists, a reset code has been sent"})
+}
+
+// ResetPassword
+// @Summary Reset password with code
+// @Description Reset user password using the code sent via email
+// @Tags users
+// @Accept json
+// @Produce json
+// @Param request body users_dto.ResetPasswordRequestDTO true "Reset password data"
+// @Success 200 {object} map[string]string
+// @Failure 400 {object} map[string]string
+// @Router /users/reset-password [post]
+func (c *UserController) ResetPassword(ctx *gin.Context) {
+	var request user_dto.ResetPasswordRequestDTO
+	if err := ctx.ShouldBindJSON(&request); err != nil {
+		ctx.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request format"})
+		return
+	}
+
+	err := c.userService.ResetPassword(request.Email, request.Code, request.NewPassword)
+	if err != nil {
+		ctx.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+
+	ctx.JSON(http.StatusOK, gin.H{"message": "Password reset successfully"})
+}

backend/internal/features/users/dto/dto.go

@@ -92,3 +92,13 @@ type OAuthCallbackResponseDTO struct {
 	Token     string    `json:"token"`
 	IsNewUser bool      `json:"isNewUser"`
 }
+
+type SendResetPasswordCodeRequestDTO struct {
+	Email string `json:"email" binding:"required,email"`
+}
+
+type ResetPasswordRequestDTO struct {
+	Email       string `json:"email"       binding:"required,email"`
+	Code        string `json:"code"        binding:"required"`
+	NewPassword string `json:"newPassword" binding:"required,min=8"`
+}

backend/internal/features/users/interfaces/interfaces.go

@@ -7,3 +7,7 @@ import (
 type AuditLogWriter interface {
 	WriteAuditLog(message string, userID *uuid.UUID, workspaceID *uuid.UUID)
 }
+
+type EmailSender interface {
+	SendEmail(to, subject, body string) error
+}

backend/internal/features/users/models/password_reset_code.go

@@ -0,0 +1,24 @@
+package users_models
+
+import (
+	"time"
+
+	"github.com/google/uuid"
+)
+
+type PasswordResetCode struct {
+	ID         uuid.UUID `json:"id"        gorm:"column:id"`
+	UserID     uuid.UUID `json:"userId"    gorm:"column:user_id"`
+	HashedCode string    `json:"-"         gorm:"column:hashed_code"`
+	ExpiresAt  time.Time `json:"expiresAt" gorm:"column:expires_at"`
+	IsUsed     bool      `json:"isUsed"    gorm:"column:is_used"`
+	CreatedAt  time.Time `json:"createdAt" gorm:"column:created_at"`
+}
+
+func (PasswordResetCode) TableName() string {
+	return "password_reset_codes"
+}
+
+func (p *PasswordResetCode) IsValid() bool {
+	return !p.IsUsed && time.Now().UTC().Before(p.ExpiresAt)
+}

backend/internal/features/users/repositories/di.go

@@ -2,6 +2,7 @@ package users_repositories
 
 var userRepository = &UserRepository{}
 var usersSettingsRepository = &UsersSettingsRepository{}
+var passwordResetRepository = &PasswordResetRepository{}
 
 func GetUserRepository() *UserRepository {
 	return userRepository
@@ -10,3 +11,7 @@ func GetUserRepository() *UserRepository {
 func GetUsersSettingsRepository() *UsersSettingsRepository {
 	return usersSettingsRepository
 }
+
+func GetPasswordResetRepository() *PasswordResetRepository {
+	return passwordResetRepository
+}

backend/internal/features/users/repositories/password_reset_repository.go

@@ -0,0 +1,61 @@
+package users_repositories
+
+import (
+	"time"
+
+	users_models "databasus-backend/internal/features/users/models"
+	"databasus-backend/internal/storage"
+
+	"github.com/google/uuid"
+)
+
+type PasswordResetRepository struct{}
+
+func (r *PasswordResetRepository) CreateResetCode(code *users_models.PasswordResetCode) error {
+	if code.ID == uuid.Nil {
+		code.ID = uuid.New()
+	}
+
+	return storage.GetDb().Create(code).Error
+}
+
+func (r *PasswordResetRepository) GetValidCodeByUserID(
+	userID uuid.UUID,
+) (*users_models.PasswordResetCode, error) {
+	var code users_models.PasswordResetCode
+	err := storage.GetDb().
+		Where("user_id = ? AND is_used = ? AND expires_at > ?", userID, false, time.Now().UTC()).
+		Order("created_at DESC").
+		First(&code).Error
+
+	if err != nil {
+		return nil, err
+	}
+
+	return &code, nil
+}
+
+func (r *PasswordResetRepository) MarkCodeAsUsed(codeID uuid.UUID) error {
+	return storage.GetDb().Model(&users_models.PasswordResetCode{}).
+		Where("id = ?", codeID).
+		Update("is_used", true).Error
+}
+
+func (r *PasswordResetRepository) DeleteExpiredCodes() error {
+	return storage.GetDb().
+		Where("expires_at < ?", time.Now().UTC()).
+		Delete(&users_models.PasswordResetCode{}).Error
+}
+
+func (r *PasswordResetRepository) CountRecentCodesByUserID(
+	userID uuid.UUID,
+	since time.Time,
+) (int64, error) {
+	var count int64
+
+	err := storage.GetDb().Model(&users_models.PasswordResetCode{}).
+		Where("user_id = ? AND created_at > ?", userID, since).
+		Count(&count).Error
+
+	return count, err
+}

backend/internal/features/users/services/di.go

@@ -1,6 +1,7 @@
 package users_services
 
 import (
+	"databasus-backend/internal/features/email"
 	"databasus-backend/internal/features/encryption/secrets"
 	users_repositories "databasus-backend/internal/features/users/repositories"
 )
@@ -10,6 +11,8 @@ var userService = &UserService{
 	secrets.GetSecretKeyService(),
 	settingsService,
 	nil,
+	email.GetEmailSMTPSender(),
+	users_repositories.GetPasswordResetRepository(),
 }
 var settingsService = &SettingsService{
 	users_repositories.GetUsersSettingsRepository(),

backend/internal/features/users/services/user_services.go

@@ -2,6 +2,7 @@ package users_services
 
 import (
 	"context"
+	"crypto/rand"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -27,16 +28,22 @@ import (
 )
 
 type UserService struct {
-	userRepository   *users_repositories.UserRepository
-	secretKeyService *secrets.SecretKeyService
-	settingsService  *SettingsService
-	auditLogWriter   users_interfaces.AuditLogWriter
+	userRepository          *users_repositories.UserRepository
+	secretKeyService        *secrets.SecretKeyService
+	settingsService         *SettingsService
+	auditLogWriter          users_interfaces.AuditLogWriter
+	emailSender             users_interfaces.EmailSender
+	passwordResetRepository *users_repositories.PasswordResetRepository
 }
 
 func (s *UserService) SetAuditLogWriter(writer users_interfaces.AuditLogWriter) {
 	s.auditLogWriter = writer
 }
 
+func (s *UserService) SetEmailSender(sender users_interfaces.EmailSender) {
+	s.emailSender = sender
+}
+
 func (s *UserService) SignUp(request *users_dto.SignUpRequestDTO) error {
 	existingUser, err := s.userRepository.GetUserByEmail(request.Email)
 	if err != nil {
@@ -798,3 +805,164 @@ func (s *UserService) fetchGitHubPrimaryEmail(
 
 	return "", errors.New("github account has no accessible email")
 }
+
+func (s *UserService) SendResetPasswordCode(email string) error {
+	user, err := s.userRepository.GetUserByEmail(email)
+	if err != nil {
+		return fmt.Errorf("failed to get user: %w", err)
+	}
+
+	// Silently succeed for non-existent users to prevent enumeration attacks
+	if user == nil {
+		return nil
+	}
+
+	// Only active users can reset passwords
+	if user.Status != users_enums.UserStatusActive {
+		return errors.New("only active users can reset their password")
+	}
+
+	// Check rate limiting - max 3 codes per hour
+	oneHourAgo := time.Now().UTC().Add(-1 * time.Hour)
+	recentCount, err := s.passwordResetRepository.CountRecentCodesByUserID(user.ID, oneHourAgo)
+	if err != nil {
+		return fmt.Errorf("failed to check rate limit: %w", err)
+	}
+
+	if recentCount >= 3 {
+		return errors.New("too many password reset attempts, please try again later")
+	}
+
+	// Generate 6-digit random code using crypto/rand for better randomness
+	codeNum := make([]byte, 4)
+	_, err = io.ReadFull(rand.Reader, codeNum)
+	if err != nil {
+		return fmt.Errorf("failed to generate random code: %w", err)
+	}
+
+	// Convert bytes to uint32 and modulo to get 6 digits
+	randomInt := uint32(
+		codeNum[0],
+	)<<24 | uint32(
+		codeNum[1],
+	)<<16 | uint32(
+		codeNum[2],
+	)<<8 | uint32(
+		codeNum[3],
+	)
+	code := fmt.Sprintf("%06d", randomInt%1000000)
+
+	// Hash the code
+	hashedCode, err := bcrypt.GenerateFromPassword([]byte(code), bcrypt.DefaultCost)
+	if err != nil {
+		return fmt.Errorf("failed to hash code: %w", err)
+	}
+
+	// Store in database with 1 hour expiration
+	resetCode := &users_models.PasswordResetCode{
+		ID:         uuid.New(),
+		UserID:     user.ID,
+		HashedCode: string(hashedCode),
+		ExpiresAt:  time.Now().UTC().Add(1 * time.Hour),
+		IsUsed:     false,
+		CreatedAt:  time.Now().UTC(),
+	}
+
+	if err := s.passwordResetRepository.CreateResetCode(resetCode); err != nil {
+		return fmt.Errorf("failed to create reset code: %w", err)
+	}
+
+	// Send email with code
+	if s.emailSender != nil {
+		subject := "Password Reset Code"
+		body := fmt.Sprintf(`
+<!DOCTYPE html>
+<html>
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+</head>
+<body style="margin: 0; padding: 0; font-family: Arial, sans-serif; background-color: #f4f4f4;">
+    <div style="max-width: 600px; margin: 0 auto; background-color: #ffffff; padding: 20px;">
+        <h2 style="color: #333333; margin-bottom: 20px;">Password Reset Request</h2>
+        <p style="color: #666666; line-height: 1.6; margin-bottom: 20px;">
+            You have requested to reset your password. Please use the following code to complete the password reset process:
+        </p>
+        <div style="background-color: #f8f9fa; border: 2px solid #e9ecef; border-radius: 8px; padding: 20px; text-align: center; margin: 30px 0;">
+            <h1 style="color: #2c3e50; font-size: 36px; margin: 0; letter-spacing: 8px; font-family: monospace;">%s</h1>
+        </div>
+        <p style="color: #666666; line-height: 1.6; margin-bottom: 20px;">
+            This code will expire in <strong>1 hour</strong>.
+        </p>
+        <p style="color: #666666; line-height: 1.6; margin-bottom: 20px;">
+            If you did not request a password reset, please ignore this email. Your password will remain unchanged.
+        </p>
+        <hr style="border: none; border-top: 1px solid #e9ecef; margin: 30px 0;">
+        <p style="color: #999999; font-size: 12px; line-height: 1.6;">
+            This is an automated message. Please do not reply to this email.
+        </p>
+    </div>
+</body>
+</html>
+`, code)
+
+		if err := s.emailSender.SendEmail(user.Email, subject, body); err != nil {
+			return fmt.Errorf("failed to send email: %w", err)
+		}
+	}
+
+	// Audit log
+	if s.auditLogWriter != nil {
+		s.auditLogWriter.WriteAuditLog(
+			fmt.Sprintf("Password reset code sent to: %s", user.Email),
+			&user.ID,
+			nil,
+		)
+	}
+
+	return nil
+}
+
+func (s *UserService) ResetPassword(email, code, newPassword string) error {
+	user, err := s.userRepository.GetUserByEmail(email)
+	if err != nil {
+		return fmt.Errorf("failed to get user: %w", err)
+	}
+
+	if user == nil {
+		return errors.New("user with this email does not exist")
+	}
+
+	// Get valid reset code for user
+	resetCode, err := s.passwordResetRepository.GetValidCodeByUserID(user.ID)
+	if err != nil {
+		return errors.New("invalid or expired reset code")
+	}
+
+	// Verify code matches
+	err = bcrypt.CompareHashAndPassword([]byte(resetCode.HashedCode), []byte(code))
+	if err != nil {
+		return errors.New("invalid reset code")
+	}
+
+	// Mark code as used
+	if err := s.passwordResetRepository.MarkCodeAsUsed(resetCode.ID); err != nil {
+		return fmt.Errorf("failed to mark code as used: %w", err)
+	}
+
+	// Update user password
+	if err := s.ChangeUserPassword(user.ID, newPassword); err != nil {
+		return fmt.Errorf("failed to update password: %w", err)
+	}
+
+	// Audit log
+	if s.auditLogWriter != nil {
+		s.auditLogWriter.WriteAuditLog(
+			"Password reset via email code",
+			&user.ID,
+			nil,
+		)
+	}
+
+	return nil
+}

backend/internal/features/users/testing/mocks.go

@@ -0,0 +1,33 @@
+package users_testing
+
+import "errors"
+
+type MockEmailSender struct {
+	SentEmails []EmailCall
+	ShouldFail bool
+}
+
+type EmailCall struct {
+	To      string
+	Subject string
+	Body    string
+}
+
+func (m *MockEmailSender) SendEmail(to, subject, body string) error {
+	m.SentEmails = append(m.SentEmails, EmailCall{
+		To:      to,
+		Subject: subject,
+		Body:    body,
+	})
+	if m.ShouldFail {
+		return errors.New("mock email send failure")
+	}
+	return nil
+}
+
+func NewMockEmailSender() *MockEmailSender {
+	return &MockEmailSender{
+		SentEmails: []EmailCall{},
+		ShouldFail: false,
+	}
+}

backend/internal/features/workspaces/controllers/membership_controller_test.go

@@ -82,6 +82,8 @@ func Test_GetWorkspaceMembers_PermissionsEnforced(t *testing.T) {
 				owner,
 				router,
 			)
+			defer workspaces_testing.RemoveTestWorkspace(workspace, router)
+			defer workspaces_testing.RemoveTestWorkspace(workspace, router)
 
 			var testUserToken string
 			if tt.isGlobalAdmin {
@@ -210,6 +212,8 @@ func Test_AddMemberToWorkspace_PermissionsEnforced(t *testing.T) {
 				owner,
 				router,
 			)
+			defer workspaces_testing.RemoveTestWorkspace(workspace, router)
+			defer workspaces_testing.RemoveTestWorkspace(workspace, router)
 
 			var testUserToken string
 			if tt.isGlobalAdmin {
@@ -270,6 +274,8 @@ func Test_AddMemberToWorkspace_WhenUserIsAlreadyMember_ReturnsBadRequest(t *test
 	member := users_testing.CreateTestUser(users_enums.UserRoleMember)
 
 	workspace, _ := workspaces_testing.CreateTestWorkspaceViaAPI("Test Workspace", owner, router)
+	defer workspaces_testing.RemoveTestWorkspace(workspace, router)
+
 	workspaces_testing.AddMemberToWorkspaceViaOwner(
 		workspace,
 		member,
@@ -302,6 +308,7 @@ func Test_AddMemberToWorkspace_WithNonExistentUser_ReturnsInvited(t *testing.T)
 	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
 
 	workspace, _ := workspaces_testing.CreateTestWorkspaceViaAPI("Test Workspace", owner, router)
+	defer workspaces_testing.RemoveTestWorkspace(workspace, router)
 
 	request := workspaces_dto.AddMemberRequestDTO{
 		Email: uuid.New().String() + "@example.com", // Non-existent user
@@ -332,6 +339,8 @@ func Test_AddMemberToWorkspace_WhenWorkspaceAdminTriesToAddAdmin_ReturnsBadReque
 	newMember := users_testing.CreateTestUser(users_enums.UserRoleMember)
 
 	workspace, _ := workspaces_testing.CreateTestWorkspaceViaAPI("Test Workspace", owner, router)
+	defer workspaces_testing.RemoveTestWorkspace(workspace, router)
+
 	workspaces_testing.AddMemberToWorkspaceViaOwner(
 		workspace,
 		workspaceAdmin,
@@ -368,6 +377,8 @@ func Test_AddMemberToWorkspace_WhenWorkspaceAdminTriesToAddWorkspaceAdmin_Return
 	newMember := users_testing.CreateTestUser(users_enums.UserRoleMember)
 
 	workspace, _ := workspaces_testing.CreateTestWorkspaceViaAPI("Test Workspace", owner, router)
+	defer workspaces_testing.RemoveTestWorkspace(workspace, router)
+
 	workspaces_testing.AddMemberToWorkspaceViaOwner(
 		workspace,
 		workspaceAdmin,
@@ -450,6 +461,8 @@ func Test_AddWorkspaceAdmin_PermissionsEnforced(t *testing.T) {
 				owner,
 				router,
 			)
+			defer workspaces_testing.RemoveTestWorkspace(workspace, router)
+			defer workspaces_testing.RemoveTestWorkspace(workspace, router)
 
 			var testUserToken string
 			if tt.isGlobalAdmin {
@@ -561,6 +574,7 @@ func Test_InviteMemberToWorkspace_PermissionsEnforced(t *testing.T) {
 				owner,
 				router,
 			)
+			defer workspaces_testing.RemoveTestWorkspace(workspace, router)
 
 			var testUserToken string
 			if tt.isGlobalAdmin {
@@ -672,6 +686,7 @@ func Test_ChangeMemberRole_PermissionsEnforced(t *testing.T) {
 				owner,
 				router,
 			)
+			defer workspaces_testing.RemoveTestWorkspace(workspace, router)
 
 			workspaces_testing.AddMemberToWorkspaceViaOwner(
 				workspace,
@@ -774,6 +789,7 @@ func Test_ChangeMemberRoleToAdmin_PermissionsEnforced(t *testing.T) {
 				owner,
 				router,
 			)
+			defer workspaces_testing.RemoveTestWorkspace(workspace, router)
 
 			workspaces_testing.AddMemberToWorkspaceViaOwner(
 				workspace,
@@ -832,6 +848,7 @@ func Test_ChangeMemberRole_WhenChangingOwnRole_ReturnsBadRequest(t *testing.T) {
 	)
 	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
 	workspace, _ := workspaces_testing.CreateTestWorkspaceViaAPI("Test Workspace", owner, router)
+	defer workspaces_testing.RemoveTestWorkspace(workspace, router)
 
 	request := workspaces_dto.ChangeMemberRoleRequestDTO{
 		Role: users_enums.WorkspaceRoleMember,
@@ -861,6 +878,7 @@ func Test_ChangeMemberRole_WhenChangingOwnerRole_ReturnsBadRequest(t *testing.T)
 	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
 
 	workspace, _ := workspaces_testing.CreateTestWorkspaceViaAPI("Test Workspace", owner, router)
+	defer workspaces_testing.RemoveTestWorkspace(workspace, router)
 
 	request := workspaces_dto.ChangeMemberRoleRequestDTO{
 		Role: users_enums.WorkspaceRoleMember,
@@ -941,6 +959,7 @@ func Test_RemoveMemberFromWorkspace_PermissionsEnforced(t *testing.T) {
 				owner,
 				router,
 			)
+			defer workspaces_testing.RemoveTestWorkspace(workspace, router)
 
 			workspaces_testing.AddMemberToWorkspaceViaOwner(
 				workspace,
@@ -995,6 +1014,7 @@ func Test_RemoveMemberFromWorkspace_WhenRemovingOwner_ReturnsBadRequest(t *testi
 	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
 
 	workspace, _ := workspaces_testing.CreateTestWorkspaceViaAPI("Test Workspace", owner, router)
+	defer workspaces_testing.RemoveTestWorkspace(workspace, router)
 
 	resp := test_utils.MakeRequest(t, router, test_utils.RequestOptions{
 		Method: "DELETE",
@@ -1061,6 +1081,7 @@ func Test_RemoveWorkspaceAdmin_PermissionsEnforced(t *testing.T) {
 				owner,
 				router,
 			)
+			defer workspaces_testing.RemoveTestWorkspace(workspace, router)
 
 			workspaces_testing.AddMemberToWorkspaceViaOwner(
 				workspace,
@@ -1165,6 +1186,7 @@ func Test_TransferWorkspaceOwnership_PermissionsEnforced(t *testing.T) {
 				owner,
 				router,
 			)
+			defer workspaces_testing.RemoveTestWorkspace(workspace, router)
 
 			workspaces_testing.AddMemberToWorkspaceViaOwner(
 				workspace,
@@ -1225,6 +1247,7 @@ func Test_TransferWorkspaceOwnership_WhenNewOwnerIsNotMember_ReturnsBadRequest(t
 	nonMember := users_testing.CreateTestUser(users_enums.UserRoleMember)
 
 	workspace, _ := workspaces_testing.CreateTestWorkspaceViaAPI("Test Workspace", owner, router)
+	defer workspaces_testing.RemoveTestWorkspace(workspace, router)
 
 	request := workspaces_dto.TransferOwnershipRequestDTO{
 		NewOwnerEmail: nonMember.Email,
@@ -1250,6 +1273,8 @@ func Test_TransferWorkspaceOwnership_ThereIsOnlyOneOwner_OldOwnerBecomeAdmin(t *
 	member := users_testing.CreateTestUser(users_enums.UserRoleMember)
 
 	workspace, _ := workspaces_testing.CreateTestWorkspaceViaAPI("Test Workspace", owner, router)
+	defer workspaces_testing.RemoveTestWorkspace(workspace, router)
+
 	workspaces_testing.AddMemberToWorkspaceViaOwner(
 		workspace,
 		member,

backend/internal/features/workspaces/controllers/workspace_controller_test.go

@@ -91,6 +91,10 @@ func Test_CreateWorkspace_PermissionsEnforced(t *testing.T) {
 				assert.Equal(t, workspaceName, response.Name)
 				assert.NotEqual(t, uuid.Nil, response.ID)
 				assert.Equal(t, users_enums.WorkspaceRoleOwner, *response.UserRole)
+
+				// Cleanup created workspace
+				workspace := &workspaces_models.Workspace{ID: response.ID}
+				workspaces_testing.RemoveTestWorkspace(workspace, router)
 			} else {
 				resp := test_utils.MakePostRequest(
 					t,
@@ -160,11 +164,14 @@ func Test_GetUserWorkspaces_WhenUserHasWorkspaces_ReturnsWorkspacesList(t *testi
 		user.Token,
 		router,
 	)
+	defer workspaces_testing.RemoveTestWorkspace(workspace1, router)
+
 	workspace2, _ := workspaces_testing.CreateTestWorkspaceWithToken(
 		"Workspace 2",
 		user.Token,
 		router,
 	)
+	defer workspaces_testing.RemoveTestWorkspace(workspace2, router)
 
 	var response workspaces_dto.ListWorkspacesResponseDTO
 	test_utils.MakeGetRequestAndUnmarshal(
@@ -258,6 +265,7 @@ func Test_GetSingleWorkspace_PermissionsEnforced(t *testing.T) {
 				owner.Token,
 				router,
 			)
+			defer workspaces_testing.RemoveTestWorkspace(workspace, router)
 
 			var testUserToken string
 			if tt.isGlobalAdmin {
@@ -369,6 +377,7 @@ func Test_UpdateWorkspace_PermissionsEnforced(t *testing.T) {
 				owner.Token,
 				router,
 			)
+			defer workspaces_testing.RemoveTestWorkspace(workspace, router)
 
 			var testUserToken string
 			if tt.workspaceRole == users_enums.WorkspaceRoleOwner {
@@ -472,6 +481,10 @@ func Test_DeleteWorkspace_PermissionsEnforced(t *testing.T) {
 				owner.Token,
 				router,
 			)
+			// Only cleanup if the test doesn't successfully delete the workspace
+			if !tt.expectSuccess {
+				defer workspaces_testing.RemoveTestWorkspace(workspace, router)
+			}
 
 			var testUserToken string
 			if tt.isGlobalAdmin {
@@ -526,6 +539,7 @@ func Test_GetWorkspaceAuditLogs_WhenUserIsWorkspaceAdmin_ReturnsAuditLogs(t *tes
 		owner.Token,
 		router,
 	)
+	defer workspaces_testing.RemoveTestWorkspace(workspace, router)
 
 	workspaces_testing.AddMemberToWorkspace(
 		workspace,
@@ -565,11 +579,14 @@ func Test_GetWorkspaceAuditLogs_WithMultipleWorkspaces_ReturnsOnlyWorkspaceSpeci
 		owner1.Token,
 		router,
 	)
+	defer workspaces_testing.RemoveTestWorkspace(workspace1, router)
+
 	workspace2, _ := workspaces_testing.CreateTestWorkspaceWithToken(
 		workspaceName2,
 		owner2.Token,
 		router,
 	)
+	defer workspaces_testing.RemoveTestWorkspace(workspace2, router)
 
 	updateWorkspace1 := workspaces_models.Workspace{
 		Name: "Updated " + workspace1.Name,
@@ -656,6 +673,7 @@ func Test_GetWorkspaceAuditLogs_WithDifferentUserRoles_EnforcesPermissionsCorrec
 		owner.Token,
 		router,
 	)
+	defer workspaces_testing.RemoveTestWorkspace(workspace, router)
 
 	workspaces_testing.AddMemberToWorkspace(
 		workspace,
@@ -703,6 +721,7 @@ func Test_GetWorkspaceAuditLogs_WithoutAuthToken_ReturnsUnauthorized(t *testing.
 		owner.Token,
 		router,
 	)
+	defer workspaces_testing.RemoveTestWorkspace(workspace, router)
 
 	test_utils.MakeGetRequest(t, router,
 		"/api/v1/workspaces/"+workspace.ID.String()+"/audit-logs",

backend/internal/features/workspaces/interfaces/interfaces.go

@@ -5,3 +5,7 @@ import "github.com/google/uuid"
 type WorkspaceDeletionListener interface {
 	OnBeforeWorkspaceDeletion(workspaceID uuid.UUID) error
 }
+
+type EmailSender interface {
+	SendEmail(to, subject, body string) error
+}

backend/internal/features/workspaces/services/di.go

@@ -2,9 +2,11 @@ package workspaces_services
 
 import (
 	"databasus-backend/internal/features/audit_logs"
+	"databasus-backend/internal/features/email"
 	users_services "databasus-backend/internal/features/users/services"
 	workspaces_interfaces "databasus-backend/internal/features/workspaces/interfaces"
 	workspaces_repositories "databasus-backend/internal/features/workspaces/repositories"
+	"databasus-backend/internal/util/logger"
 )
 
 var workspaceRepository = &workspaces_repositories.WorkspaceRepository{}
@@ -26,6 +28,8 @@ var membershipService = &MembershipService{
 	audit_logs.GetAuditLogService(),
 	workspaceService,
 	users_services.GetSettingsService(),
+	email.GetEmailSMTPSender(),
+	logger.GetLogger(),
 }
 
 func GetWorkspaceService() *WorkspaceService {

backend/internal/features/workspaces/services/membership_service.go

@@ -2,7 +2,9 @@ package workspaces_services
 
 import (
 	"fmt"
+	"log/slog"
 
+	"databasus-backend/internal/config"
 	audit_logs "databasus-backend/internal/features/audit_logs"
 	users_dto "databasus-backend/internal/features/users/dto"
 	users_enums "databasus-backend/internal/features/users/enums"
@@ -10,6 +12,7 @@ import (
 	users_services "databasus-backend/internal/features/users/services"
 	workspaces_dto "databasus-backend/internal/features/workspaces/dto"
 	workspaces_errors "databasus-backend/internal/features/workspaces/errors"
+	workspaces_interfaces "databasus-backend/internal/features/workspaces/interfaces"
 	workspaces_models "databasus-backend/internal/features/workspaces/models"
 	workspaces_repositories "databasus-backend/internal/features/workspaces/repositories"
 
@@ -23,6 +26,8 @@ type MembershipService struct {
 	auditLogService      *audit_logs.AuditLogService
 	workspaceService     *WorkspaceService
 	settingsService      *users_services.SettingsService
+	emailSender          workspaces_interfaces.EmailSender
+	logger               *slog.Logger
 }
 
 func (s *MembershipService) GetMembers(
@@ -77,6 +82,12 @@ func (s *MembershipService) AddMember(
 			return nil, workspaces_errors.ErrInsufficientPermissionsToInviteUsers
 		}
 
+		// Get workspace details for email
+		workspace, err := s.workspaceRepository.GetWorkspaceByID(workspaceID)
+		if err != nil {
+			return nil, fmt.Errorf("failed to get workspace: %w", err)
+		}
+
 		inviteRequest := &users_dto.InviteUserRequestDTO{
 			Email:                 request.Email,
 			IntendedWorkspaceID:   &workspaceID,
@@ -88,6 +99,14 @@ func (s *MembershipService) AddMember(
 			return nil, err
 		}
 
+		// Send invitation email
+		subject := fmt.Sprintf("You've been invited to %s workspace", workspace.Name)
+		body := s.buildInvitationEmailHTML(workspace.Name, addedBy.Name, string(request.Role))
+
+		if err := s.emailSender.SendEmail(request.Email, subject, body); err != nil {
+			s.logger.Error("Failed to send invitation email", "email", request.Email, "error", err)
+		}
+
 		membership := &workspaces_models.WorkspaceMembership{
 			UserID:      inviteResponse.ID,
 			WorkspaceID: workspaceID,
@@ -339,3 +358,48 @@ func (s *MembershipService) validateCanManageMembership(
 
 	return nil
 }
+
+func (s *MembershipService) buildInvitationEmailHTML(
+	workspaceName, inviterName, role string,
+) string {
+	env := config.GetEnv()
+	signUpLink := ""
+	if env.DatabasusURL != "" {
+		signUpLink = fmt.Sprintf(`<p style="margin: 20px 0;">
+			<a href="%s/sign-up" style="display: inline-block; padding: 12px 24px; background-color: #0d6efd; color: white; text-decoration: none; border-radius: 4px;">
+				Sign up
+			</a>
+		</p>`, env.DatabasusURL)
+	} else {
+		signUpLink = `<p style="margin: 20px 0; color: #666;">
+			Please visit your Databasus instance to sign up and access the workspace.
+		</p>`
+	}
+
+	return fmt.Sprintf(`
+<!DOCTYPE html>
+<html>
+<head>
+	<meta charset="UTF-8">
+	<meta name="viewport" content="width=device-width, initial-scale=1.0">
+</head>
+<body style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Helvetica Neue', Arial, sans-serif; line-height: 1.6; color: #333; max-width: 600px; margin: 0 auto; padding: 20px;">
+	<div style="background-color: #f8f9fa; border-radius: 8px; padding: 30px; margin: 20px 0;">
+		<h1 style="color: #0d6efd; margin-top: 0;">Workspace Invitation</h1>
+		
+		<p style="font-size: 16px; margin: 20px 0;">
+			<strong>%s</strong> has invited you to join the <strong>%s</strong> workspace as a <strong>%s</strong>.
+		</p>
+		
+		%s
+		
+		<hr style="border: none; border-top: 1px solid #dee2e6; margin: 30px 0;">
+		
+		<p style="font-size: 14px; color: #6c757d; margin: 0;">
+			This is an automated message from Databasus. If you didn't expect this invitation, you can safely ignore this email.
+		</p>
+	</div>
+</body>
+</html>
+	`, inviterName, workspaceName, role, signUpLink)
+}

backend/internal/features/workspaces/testing/mocks.go

@@ -0,0 +1,33 @@
+package workspaces_testing
+
+import "errors"
+
+type MockEmailSender struct {
+	SendEmailCalls []EmailCall
+	ShouldFail     bool
+}
+
+type EmailCall struct {
+	To      string
+	Subject string
+	Body    string
+}
+
+func (m *MockEmailSender) SendEmail(to, subject, body string) error {
+	m.SendEmailCalls = append(m.SendEmailCalls, EmailCall{
+		To:      to,
+		Subject: subject,
+		Body:    body,
+	})
+	if m.ShouldFail {
+		return errors.New("mock email send failure")
+	}
+	return nil
+}
+
+func NewMockEmailSender() *MockEmailSender {
+	return &MockEmailSender{
+		SendEmailCalls: []EmailCall{},
+		ShouldFail:     false,
+	}
+}

backend/internal/features/workspaces/testing/testing.go

@@ -375,7 +375,13 @@ func RemoveTestWorkspace(workspace *workspaces_models.Workspace, router *gin.Eng
 	membershipRepo := &workspaces_repositories.MembershipRepository{}
 	workspaceMembers, err := membershipRepo.GetWorkspaceMembers(workspace.ID)
 	if err != nil {
-		panic("Failed to get workspace members: " + err.Error())
+		// Workspace might already be deleted or doesn't exist, silently return
+		return
+	}
+
+	if len(workspaceMembers) == 0 {
+		// No members found, workspace might have been deleted, silently return
+		return
 	}
 
 	var ownerToken string
@@ -385,12 +391,16 @@ func RemoveTestWorkspace(workspace *workspaces_models.Workspace, router *gin.Eng
 
 			owner, err := userService.GetUserByID(m.UserID)
 			if err != nil {
-				panic("Failed to get owner user: " + err.Error())
+				// Owner user not found, workspace might be in inconsistent state, try direct deletion
+				_ = RemoveTestWorkspaceDirect(workspace.ID)
+				return
 			}
 
 			tokenResponse, err := userService.GenerateAccessToken(owner)
 			if err != nil {
-				panic("Failed to generate owner token: " + err.Error())
+				// Cannot generate token, try direct deletion
+				_ = RemoveTestWorkspaceDirect(workspace.ID)
+				return
 			}
 
 			ownerToken = tokenResponse.Token
@@ -399,7 +409,9 @@ func RemoveTestWorkspace(workspace *workspaces_models.Workspace, router *gin.Eng
 	}
 
 	if ownerToken == "" {
-		panic("No workspace owner found")
+		// No owner found, try direct deletion
+		_ = RemoveTestWorkspaceDirect(workspace.ID)
+		return
 	}
 
 	DeleteWorkspace(workspace, ownerToken, router)

backend/internal/storage/storage.go

@@ -46,8 +46,8 @@ func LoadMainDb() {
 		os.Exit(1)
 	}
 
-	sqlDB.SetMaxOpenConns(20)
-	sqlDB.SetMaxIdleConns(20)
+	sqlDB.SetMaxOpenConns(10)
+	sqlDB.SetMaxIdleConns(10)
 
 	db = database
 

backend/internal/util/logger/logger.go

@@ -1,48 +1,131 @@
 package logger
 
 import (
+	"fmt"
 	"log/slog"
 	"os"
+	"path/filepath"
 	"sync"
 	"time"
+
+	"github.com/joho/godotenv"
 )
 
 var (
-	loggerInstance *slog.Logger
-	once           sync.Once
+	loggerInstance     *slog.Logger
+	victoriaLogsWriter *VictoriaLogsWriter
+	once               sync.Once
+	shutdownOnce       sync.Once
+	envLoadOnce        sync.Once
 )
 
 // GetLogger returns a singleton slog.Logger that logs to the console
 func GetLogger() *slog.Logger {
 	once.Do(func() {
-		handler := slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{
+		// Create stdout handler
+		stdoutHandler := slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{
 			Level: slog.LevelInfo,
 			ReplaceAttr: func(groups []string, a slog.Attr) slog.Attr {
 				if a.Key == slog.TimeKey {
 					a.Value = slog.StringValue(time.Now().Format("2006/01/02 15:04:05"))
 				}
-
-				if a.Key == slog.MessageKey {
-					// Format the message to match the desired output format
-					return slog.Attr{
-						Key:   slog.MessageKey,
-						Value: slog.StringValue(a.Value.String()),
-					}
-				}
-
-				// Remove level and other attributes to get clean output
 				if a.Key == slog.LevelKey {
 					return slog.Attr{}
 				}
-
 				return a
 			},
 		})
 
-		loggerInstance = slog.New(handler)
+		// Try to initialize VictoriaLogs writer if configured
+		// Note: This will be called before config is fully loaded in some cases,
+		// so we need to handle that gracefully
+		victoriaLogsWriter = tryInitVictoriaLogs()
+
+		// Create multi-handler
+		multiHandler := NewMultiHandler(stdoutHandler, victoriaLogsWriter)
+		loggerInstance = slog.New(multiHandler)
 
 		loggerInstance.Info("Text structured logger initialized")
+		if victoriaLogsWriter != nil {
+			loggerInstance.Info("VictoriaLogs enabled")
+		} else {
+			loggerInstance.Info("VictoriaLogs disabled")
+		}
 	})
 
 	return loggerInstance
 }
+
+// ShutdownVictoriaLogs gracefully shuts down the VictoriaLogs writer
+func ShutdownVictoriaLogs(timeout time.Duration) {
+	shutdownOnce.Do(func() {
+		if victoriaLogsWriter != nil {
+			victoriaLogsWriter.Shutdown(timeout)
+		}
+	})
+}
+
+func tryInitVictoriaLogs() *VictoriaLogsWriter {
+	// Ensure .env is loaded before reading environment variables
+	ensureEnvLoaded()
+
+	// Try to get config - this may fail early in startup
+	url := getVictoriaLogsURL()
+	password := getVictoriaLogsPassword()
+
+	if url == "" {
+		fmt.Println("VictoriaLogs URL is not set")
+		return nil
+	}
+
+	return NewVictoriaLogsWriter(url, password)
+}
+
+func ensureEnvLoaded() {
+	envLoadOnce.Do(func() {
+		// Get current working directory
+		cwd, err := os.Getwd()
+		if err != nil {
+			fmt.Printf("Warning: could not get current working directory: %v\n", err)
+			cwd = "."
+		}
+
+		// Find backend root by looking for go.mod
+		backendRoot := cwd
+		for {
+			if _, err := os.Stat(filepath.Join(backendRoot, "go.mod")); err == nil {
+				break
+			}
+
+			parent := filepath.Dir(backendRoot)
+			if parent == backendRoot {
+				break
+			}
+
+			backendRoot = parent
+		}
+
+		// Try to load .env from various locations
+		envPaths := []string{
+			filepath.Join(cwd, ".env"),
+			filepath.Join(backendRoot, ".env"),
+		}
+
+		for _, path := range envPaths {
+			if err := godotenv.Load(path); err == nil {
+				fmt.Printf("Logger: loaded .env from %s\n", path)
+				return
+			}
+		}
+
+		fmt.Println("Logger: .env file not found, using existing environment variables")
+	})
+}
+
+func getVictoriaLogsURL() string {
+	return os.Getenv("VICTORIA_LOGS_URL")
+}
+
+func getVictoriaLogsPassword() string {
+	return os.Getenv("VICTORIA_LOGS_PASSWORD")
+}

backend/internal/util/logger/multi_handler.go

@@ -0,0 +1,59 @@
+package logger
+
+import (
+	"context"
+	"log/slog"
+)
+
+type MultiHandler struct {
+	stdoutHandler      slog.Handler
+	victoriaLogsWriter *VictoriaLogsWriter
+}
+
+func NewMultiHandler(
+	stdoutHandler slog.Handler,
+	victoriaLogsWriter *VictoriaLogsWriter,
+) *MultiHandler {
+	return &MultiHandler{
+		stdoutHandler:      stdoutHandler,
+		victoriaLogsWriter: victoriaLogsWriter,
+	}
+}
+
+func (h *MultiHandler) Enabled(ctx context.Context, level slog.Level) bool {
+	return h.stdoutHandler.Enabled(ctx, level)
+}
+
+func (h *MultiHandler) Handle(ctx context.Context, record slog.Record) error {
+	// Send to stdout handler
+	if err := h.stdoutHandler.Handle(ctx, record); err != nil {
+		return err
+	}
+
+	// Send to VictoriaLogs if configured
+	if h.victoriaLogsWriter != nil {
+		attrs := make(map[string]interface{})
+		record.Attrs(func(a slog.Attr) bool {
+			attrs[a.Key] = a.Value.Any()
+			return true
+		})
+
+		h.victoriaLogsWriter.Write(record.Level.String(), record.Message, attrs)
+	}
+
+	return nil
+}
+
+func (h *MultiHandler) WithAttrs(attrs []slog.Attr) slog.Handler {
+	return &MultiHandler{
+		stdoutHandler:      h.stdoutHandler.WithAttrs(attrs),
+		victoriaLogsWriter: h.victoriaLogsWriter,
+	}
+}
+
+func (h *MultiHandler) WithGroup(name string) slog.Handler {
+	return &MultiHandler{
+		stdoutHandler:      h.stdoutHandler.WithGroup(name),
+		victoriaLogsWriter: h.victoriaLogsWriter,
+	}
+}

backend/internal/util/logger/victorialogs_writer.go

@@ -0,0 +1,201 @@
+package logger
+
+import (
+	"bytes"
+	"context"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"io"
+	"log/slog"
+	"net/http"
+	"os"
+	"sync"
+	"time"
+)
+
+type logEntry struct {
+	Time    string         `json:"_time"`
+	Message string         `json:"_msg"`
+	Level   string         `json:"level"`
+	Attrs   map[string]any `json:",inline"`
+}
+
+type VictoriaLogsWriter struct {
+	url        string
+	password   string
+	httpClient *http.Client
+	logChannel chan logEntry
+	wg         sync.WaitGroup
+	once       sync.Once
+	ctx        context.Context
+	cancel     context.CancelFunc
+	logger     *slog.Logger
+}
+
+func NewVictoriaLogsWriter(url, password string) *VictoriaLogsWriter {
+	ctx, cancel := context.WithCancel(context.Background())
+
+	writer := &VictoriaLogsWriter{
+		url:      url,
+		password: password,
+		httpClient: &http.Client{
+			Timeout: 10 * time.Second,
+		},
+		logChannel: make(chan logEntry, 1000),
+		ctx:        ctx,
+		cancel:     cancel,
+		logger:     slog.New(slog.NewTextHandler(os.Stdout, nil)),
+	}
+
+	// Start 3 worker goroutines
+	for range 3 {
+		writer.wg.Add(1)
+		go writer.worker()
+	}
+
+	return writer
+}
+
+func (w *VictoriaLogsWriter) Write(level, message string, attrs map[string]interface{}) {
+	entry := logEntry{
+		Time:    time.Now().UTC().Format(time.RFC3339Nano),
+		Message: message,
+		Level:   level,
+		Attrs:   attrs,
+	}
+
+	select {
+	case w.logChannel <- entry:
+		// Successfully queued
+	default:
+		// Channel is full, drop log with warning
+		w.logger.Warn("VictoriaLogs channel buffer full, dropping log entry")
+	}
+}
+
+func (w *VictoriaLogsWriter) worker() {
+	defer w.wg.Done()
+
+	batch := make([]logEntry, 0, 100)
+	ticker := time.NewTicker(1 * time.Second)
+	defer ticker.Stop()
+
+	for {
+		select {
+		case <-w.ctx.Done():
+			w.flushBatch(batch)
+			return
+
+		case entry, ok := <-w.logChannel:
+			if !ok {
+				w.flushBatch(batch)
+				return
+			}
+
+			batch = append(batch, entry)
+
+			// Send batch if it reaches 100 entries
+			if len(batch) >= 100 {
+				w.sendBatch(batch)
+				batch = make([]logEntry, 0, 100)
+			}
+
+		case <-ticker.C:
+			if len(batch) > 0 {
+				w.sendBatch(batch)
+				batch = make([]logEntry, 0, 100)
+			}
+		}
+	}
+}
+
+func (w *VictoriaLogsWriter) sendBatch(entries []logEntry) {
+	backoffs := []time.Duration{0, 5 * time.Second, 30 * time.Second, 1 * time.Minute}
+
+	for attempt := range 4 {
+		if backoffs[attempt] > 0 {
+			time.Sleep(backoffs[attempt])
+		}
+
+		if err := w.sendHTTP(entries); err == nil {
+			return
+		} else if attempt == 3 {
+			w.logger.Error("VictoriaLogs failed to send logs after 4 attempts",
+				"error", err,
+				"entries_count", len(entries))
+		}
+	}
+}
+
+func (w *VictoriaLogsWriter) sendHTTP(entries []logEntry) error {
+	// Build JSON Lines payload
+	var buf bytes.Buffer
+	encoder := json.NewEncoder(&buf)
+
+	for _, entry := range entries {
+		if err := encoder.Encode(entry); err != nil {
+			return fmt.Errorf("failed to encode log entry: %w", err)
+		}
+	}
+
+	// Build request
+	url := fmt.Sprintf("%s/insert/jsonline?_stream_fields=level&_msg_field=_msg", w.url)
+	req, err := http.NewRequestWithContext(w.ctx, "POST", url, &buf)
+	if err != nil {
+		return fmt.Errorf("failed to create request: %w", err)
+	}
+
+	// Set headers
+	req.Header.Set("Content-Type", "application/x-ndjson")
+
+	// Set Basic Auth (password as username, empty password)
+	if w.password != "" {
+		auth := base64.StdEncoding.EncodeToString([]byte(w.password + ":"))
+		req.Header.Set("Authorization", "Basic "+auth)
+	}
+
+	// Send request
+	resp, err := w.httpClient.Do(req)
+	if err != nil {
+		return fmt.Errorf("failed to send request: %w", err)
+	}
+	defer func() {
+		_ = resp.Body.Close()
+	}()
+
+	// Check response
+	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
+		body, _ := io.ReadAll(resp.Body)
+		return fmt.Errorf("VictoriaLogs returned status %d: %s", resp.StatusCode, string(body))
+	}
+
+	return nil
+}
+
+func (w *VictoriaLogsWriter) flushBatch(batch []logEntry) {
+	if len(batch) > 0 {
+		w.sendBatch(batch)
+	}
+}
+
+func (w *VictoriaLogsWriter) Shutdown(timeout time.Duration) {
+	w.once.Do(func() {
+		// Stop accepting new logs
+		w.cancel()
+
+		// Wait for workers to finish with timeout
+		done := make(chan struct{})
+		go func() {
+			w.wg.Wait()
+			close(done)
+		}()
+
+		select {
+		case <-done:
+			w.logger.Info("VictoriaLogs writer shutdown gracefully")
+		case <-time.After(timeout):
+			w.logger.Warn("VictoriaLogs writer shutdown timeout, some logs may be lost")
+		}
+	})
+}

backend/internal/util/period/enums.go

@@ -47,3 +47,36 @@ func (p Period) ToDuration() time.Duration {
 		panic("unknown period: " + string(p))
 	}
 }
+
+// CompareTo compares this period with another and returns:
+// -1 if p < other
+//
+//	0 if p == other
+//	1 if p > other
+//
+// FOREVER is treated as the longest period
+func (p Period) CompareTo(other Period) int {
+	if p == other {
+		return 0
+	}
+
+	d1 := p.ToDuration()
+	d2 := other.ToDuration()
+
+	// FOREVER has duration 0, but should be treated as longest period
+	if p == PeriodForever {
+		return 1
+	}
+	if other == PeriodForever {
+		return -1
+	}
+
+	if d1 < d2 {
+		return -1
+	}
+	if d1 > d2 {
+		return 1
+	}
+
+	return 0
+}

backend/migrations/20260119124334_add_backup_size_limits.sql

@@ -0,0 +1,23 @@
+-- +goose Up
+-- +goose StatementBegin
+
+ALTER TABLE backup_configs
+    ADD COLUMN max_backup_size_mb        BIGINT  NOT NULL DEFAULT 0,
+    ADD COLUMN max_backups_total_size_mb BIGINT  NOT NULL DEFAULT 0;
+
+ALTER TABLE backups
+    ADD COLUMN is_skip_retry             BOOLEAN NOT NULL DEFAULT FALSE;
+
+-- +goose StatementEnd
+
+-- +goose Down
+-- +goose StatementBegin
+
+ALTER TABLE backup_configs
+    DROP COLUMN IF EXISTS max_backups_total_size_mb,
+    DROP COLUMN IF EXISTS max_backup_size_mb;
+
+ALTER TABLE backups
+    DROP COLUMN IF EXISTS is_skip_retry;
+
+-- +goose StatementEnd

backend/migrations/20260122134856_add_database_plans_table.sql

@@ -0,0 +1,30 @@
+-- +goose Up
+-- +goose StatementBegin
+
+CREATE TABLE database_plans ( 
+    database_id               UUID PRIMARY KEY,
+    max_backup_size_mb        BIGINT NOT NULL,
+    max_backups_total_size_mb BIGINT NOT NULL,
+    max_storage_period        TEXT NOT NULL
+);
+
+ALTER TABLE database_plans
+    ADD CONSTRAINT fk_database_plans_database_id
+    FOREIGN KEY (database_id)
+    REFERENCES databases (id)
+    ON DELETE CASCADE;
+
+CREATE INDEX idx_database_plans_database_id ON database_plans (database_id);
+
+-- +goose StatementEnd
+
+-- +goose Down
+-- +goose StatementBegin
+
+DROP INDEX IF EXISTS idx_database_plans_database_id;
+
+ALTER TABLE database_plans DROP CONSTRAINT IF EXISTS fk_database_plans_database_id;
+
+DROP TABLE IF EXISTS database_plans;
+
+-- +goose StatementEnd

backend/migrations/20260122173935_add_is_system_to_storages.sql

@@ -0,0 +1,11 @@
+-- +goose Up
+-- +goose StatementBegin
+ALTER TABLE storages
+    ADD COLUMN is_system BOOLEAN NOT NULL DEFAULT FALSE;
+-- +goose StatementEnd
+
+-- +goose Down
+-- +goose StatementBegin
+ALTER TABLE storages
+    DROP COLUMN is_system;
+-- +goose StatementEnd

backend/migrations/20260127132617_add_cascade_delete_for_backups_and_databases.sql

@@ -0,0 +1,44 @@
+-- +goose Up
+-- +goose StatementBegin
+
+ALTER TABLE backups
+    DROP CONSTRAINT fk_backups_storage_id;
+
+ALTER TABLE backups
+    ADD CONSTRAINT fk_backups_storage_id
+    FOREIGN KEY (storage_id)
+    REFERENCES storages (id)
+    ON DELETE CASCADE;
+
+ALTER TABLE databases
+    DROP CONSTRAINT fk_databases_workspace_id;
+
+ALTER TABLE databases
+    ADD CONSTRAINT fk_databases_workspace_id
+    FOREIGN KEY (workspace_id)
+    REFERENCES workspaces (id)
+    ON DELETE CASCADE;
+
+-- +goose StatementEnd
+
+-- +goose Down
+-- +goose StatementBegin
+
+ALTER TABLE backups
+    DROP CONSTRAINT fk_backups_storage_id;
+
+ALTER TABLE backups
+    ADD CONSTRAINT fk_backups_storage_id
+    FOREIGN KEY (storage_id)
+    REFERENCES storages (id)
+    ON DELETE RESTRICT;
+
+ALTER TABLE databases
+    DROP CONSTRAINT fk_databases_workspace_id;
+
+ALTER TABLE databases
+    ADD CONSTRAINT fk_databases_workspace_id
+    FOREIGN KEY (workspace_id)
+    REFERENCES workspaces (id);
+
+-- +goose StatementEnd

backend/migrations/20260127140305_add_cascade_delete_for_backup_configs.sql

@@ -0,0 +1,26 @@
+-- +goose Up
+-- +goose StatementBegin
+
+ALTER TABLE backup_configs
+    DROP CONSTRAINT fk_backup_config_storage_id;
+
+ALTER TABLE backup_configs
+    ADD CONSTRAINT fk_backup_config_storage_id
+    FOREIGN KEY (storage_id)
+    REFERENCES storages (id)
+    ON DELETE CASCADE;
+
+-- +goose StatementEnd
+
+-- +goose Down
+-- +goose StatementBegin
+
+ALTER TABLE backup_configs
+    DROP CONSTRAINT fk_backup_config_storage_id;
+
+ALTER TABLE backup_configs
+    ADD CONSTRAINT fk_backup_config_storage_id
+    FOREIGN KEY (storage_id)
+    REFERENCES storages (id);
+
+-- +goose StatementEnd

backend/migrations/20260128115419_add_password_reset_codes.sql

@@ -0,0 +1,31 @@
+-- +goose Up
+-- +goose StatementBegin
+
+CREATE TABLE password_reset_codes (
+    id         UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    user_id    UUID NOT NULL,
+    hashed_code TEXT NOT NULL,
+    expires_at TIMESTAMPTZ NOT NULL,
+    is_used    BOOLEAN NOT NULL DEFAULT FALSE,
+    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+ALTER TABLE password_reset_codes
+    ADD CONSTRAINT fk_password_reset_codes_user_id
+    FOREIGN KEY (user_id)
+    REFERENCES users (id)
+    ON DELETE CASCADE;
+
+CREATE INDEX idx_password_reset_codes_user_id ON password_reset_codes (user_id);
+CREATE INDEX idx_password_reset_codes_expires_at ON password_reset_codes (expires_at);
+
+-- +goose StatementEnd
+
+-- +goose Down
+-- +goose StatementBegin
+
+DROP INDEX IF EXISTS idx_password_reset_codes_expires_at;
+DROP INDEX IF EXISTS idx_password_reset_codes_user_id;
+DROP TABLE IF EXISTS password_reset_codes;
+
+-- +goose StatementEnd

frontend/.env.development.example

@@ -1 +1,5 @@
-MODE=development
+MODE=development
+VITE_GITHUB_CLIENT_ID=
+VITE_GOOGLE_CLIENT_ID=
+VITE_IS_EMAIL_CONFIGURED=false
+VITE_IS_CLOUD=false

frontend/index.html

@@ -20,6 +20,7 @@
 
   <body>
     <div id="root"></div>
+    <script src="/runtime-config.js"></script>
     <script type="module" src="/src/main.tsx"></script>
   </body>
 </html>

frontend/package-lock.json

@@ -14,7 +14,6 @@
         "dayjs": "^1.11.13",
         "react": "^19.1.0",
         "react-dom": "^19.1.0",
-        "react-github-btn": "^1.4.0",
         "react-router": "^7.6.0",
         "recharts": "^3.2.0",
         "tailwindcss": "^4.1.7"
@@ -4272,12 +4271,6 @@
         "url": "https://github.com/sponsors/ljharb"
       }
     },
-    "node_modules/github-buttons": {
-      "version": "2.29.1",
-      "resolved": "https://registry.npmjs.org/github-buttons/-/github-buttons-2.29.1.tgz",
-      "integrity": "sha512-TV3YgAKda5hPz75n7QXmGCsSzgVya1vvmBieebg3EB5ScmashTZ0FldViG1aU2d4V5rcAGrtQ7k5uAaCo0A4PA==",
-      "license": "BSD-2-Clause"
-    },
     "node_modules/glob": {
       "version": "10.5.0",
       "resolved": "https://registry.npmjs.org/glob/-/glob-10.5.0.tgz",
@@ -6759,18 +6752,6 @@
         "react": "^19.1.0"
       }
     },
-    "node_modules/react-github-btn": {
-      "version": "1.4.0",
-      "resolved": "https://registry.npmjs.org/react-github-btn/-/react-github-btn-1.4.0.tgz",
-      "integrity": "sha512-lV4FYClAfjWnBfv0iNlJUGhamDgIq6TayD0kPZED6VzHWdpcHmPfsYOZ/CFwLfPv4Zp+F4m8QKTj0oy2HjiGXg==",
-      "license": "BSD-2-Clause",
-      "dependencies": {
-        "github-buttons": "^2.22.0"
-      },
-      "peerDependencies": {
-        "react": ">=16.3.0"
-      }
-    },
     "node_modules/react-is": {
       "version": "16.13.1",
       "resolved": "https://registry.npmjs.org/react-is/-/react-is-16.13.1.tgz",

frontend/package.json

@@ -19,7 +19,6 @@
     "dayjs": "^1.11.13",
     "react": "^19.1.0",
     "react-dom": "^19.1.0",
-    "react-github-btn": "^1.4.0",
     "react-router": "^7.6.0",
     "recharts": "^3.2.0",
     "tailwindcss": "^4.1.7"

frontend/src/constants.ts

@@ -2,6 +2,7 @@ interface RuntimeConfig {
   IS_CLOUD?: string;
   GITHUB_CLIENT_ID?: string;
   GOOGLE_CLIENT_ID?: string;
+  IS_EMAIL_CONFIGURED?: string;
 }
 
 declare global {
@@ -27,7 +28,6 @@ export const GOOGLE_DRIVE_OAUTH_REDIRECT_URL = 'https://databasus.com/storages/g
 
 export const APP_VERSION = (import.meta.env.VITE_APP_VERSION as string) || 'dev';
 
-// First try runtime config, then build-time env var, then default to false
 export const IS_CLOUD =
   window.__RUNTIME_CONFIG__?.IS_CLOUD === 'true' || import.meta.env.VITE_IS_CLOUD === 'true';
 
@@ -37,6 +37,10 @@ export const GITHUB_CLIENT_ID =
 export const GOOGLE_CLIENT_ID =
   window.__RUNTIME_CONFIG__?.GOOGLE_CLIENT_ID || import.meta.env.VITE_GOOGLE_CLIENT_ID || '';
 
+export const IS_EMAIL_CONFIGURED =
+  window.__RUNTIME_CONFIG__?.IS_EMAIL_CONFIGURED === 'true' ||
+  import.meta.env.VITE_IS_EMAIL_CONFIGURED === 'true';
+
 export function getOAuthRedirectUri(): string {
   return `${window.location.origin}/auth/callback`;
 }

frontend/src/entity/backups/api/backupConfigApi.ts

@@ -1,6 +1,7 @@
 import { getApplicationServer } from '../../../constants';
 import RequestOptions from '../../../shared/api/RequestOptions';
 import { apiHelper } from '../../../shared/api/apiHelper';
+import type { DatabasePlan } from '../../plan';
 import type { BackupConfig } from '../model/BackupConfig';
 import type { TransferDatabaseRequest } from '../model/TransferDatabaseRequest';
 
@@ -54,4 +55,12 @@ export const backupConfigApi = {
       requestOptions,
     );
   },
+
+  async getDatabasePlan(databaseId: string) {
+    return apiHelper.fetchGetJson<DatabasePlan>(
+      `${getApplicationServer()}/api/v1/backup-configs/database/${databaseId}/plan`,
+      undefined,
+      true,
+    );
+  },
 };

frontend/src/entity/backups/index.ts

@@ -6,3 +6,4 @@ export type { BackupConfig } from './model/BackupConfig';
 export { BackupNotificationType } from './model/BackupNotificationType';
 export { BackupEncryption } from './model/BackupEncryption';
 export type { TransferDatabaseRequest } from './model/TransferDatabaseRequest';
+export type { DatabasePlan } from '../plan';

frontend/src/entity/backups/model/BackupConfig.ts

@@ -15,4 +15,7 @@ export interface BackupConfig {
   isRetryIfFailed: boolean;
   maxFailedTriesCount: number;
   encryption: BackupEncryption;
+
+  maxBackupSizeMb: number;
+  maxBackupsTotalSizeMb: number;
 }