Merge pull request #448 from databasus/develop

FIX (agent): Fix lock test
2026-04-06 00:32:03 +02:00 · 2026-03-17 16:41:47 +03:00 · 2026-03-17 16:41:07 +03:00 · 2026-03-17 16:36:45 +03:00 · 2026-03-17 16:33:00 +03:00 · 2026-03-17 14:55:16 +03:00
332 changed files with 17329 additions and 2501 deletions
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -0,0 +1,44 @@
+---
+name: Bug Report
+about: Report a bug or unexpected behavior in Databasus
+labels: bug
+---
+
+## Databasus version (screenshot)
+
+It is displayed in the bottom left corner of the Databasus UI. Please attach screenshot, not just version text
+
+<!-- e.g. 1.4.2 -->
+
+## Operating system and architecture
+
+<!-- e.g. Ubuntu 22.04 x64, macOS 14 ARM, Windows 11 x64 -->
+
+## Database type and version (optional, for DB-related bugs)
+
+<!-- e.g. PostgreSQL 16 in Docker, MySQL 8.0 installed on server, MariaDB 11.4 in AWS Cloud -->
+
+## Describe the bug (please write manually, do not ask AI to summarize)
+
+**What happened:**
+
+**What I expected:**
+
+## Steps to reproduce
+
+1.
+2.
+3.
+
+## Have you asked AI how to solve the issue?
+
+<!-- Using AI to diagnose issues before filing a bug report helps narrow down root causes. -->
+
+- [ ] Claude Sonnet 4.6 or newer
+- [ ] ChatGPT 5.2 or newer
+- [ ] No
+
+
+## Additional context / logs
+
+<!-- Screenshots, error messages, relevant log output, etc. -->
--- a/.github/workflows/ci-release.yml
+++ b/.github/workflows/ci-release.yml
@@ -11,7 +11,7 @@ jobs:
  lint-backend:
    runs-on: self-hosted
    container:
-      image: golang:1.24.9
+      image: golang:1.26.1
      volumes:
        - /runner-cache/go-pkg:/go/pkg/mod
        - /runner-cache/go-build:/root/.cache/go-build
@@ -32,7 +32,7 @@ jobs:

      - name: Install golangci-lint
        run: |
-          curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/HEAD/install.sh | sh -s -- -b $(go env GOPATH)/bin v2.7.2
+          curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/HEAD/install.sh | sh -s -- -b $(go env GOPATH)/bin v2.11.3
          echo "$(go env GOPATH)/bin" >> $GITHUB_PATH

      - name: Install swag for swagger generation
@@ -86,6 +86,39 @@ jobs:
          cd frontend
          npm run build

+  lint-agent:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: "1.26.1"
+          cache-dependency-path: agent/go.sum
+
+      - name: Download Go modules
+        run: |
+          cd agent
+          go mod download
+
+      - name: Install golangci-lint
+        run: |
+          curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/HEAD/install.sh | sh -s -- -b $(go env GOPATH)/bin v2.11.3
+          echo "$(go env GOPATH)/bin" >> $GITHUB_PATH
+
+      - name: Run golangci-lint
+        run: |
+          cd agent
+          golangci-lint run
+
+      - name: Verify go mod tidy
+        run: |
+          cd agent
+          go mod tidy
+          git diff --exit-code go.mod go.sum || (echo "go mod tidy made changes, please run 'go mod tidy' and commit the changes" && exit 1)
+
  test-frontend:
    runs-on: ubuntu-latest
    needs: [lint-frontend]
@@ -108,11 +141,55 @@ jobs:
          cd frontend
          npm run test

+  test-agent:
+    runs-on: ubuntu-latest
+    needs: [lint-agent]
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: "1.26.1"
+          cache-dependency-path: agent/go.sum
+
+      - name: Download Go modules
+        run: |
+          cd agent
+          go mod download
+
+      - name: Run Go tests
+        run: |
+          cd agent
+          go test -count=1 -failfast ./internal/...
+
+  e2e-agent:
+    runs-on: ubuntu-latest
+    needs: [lint-agent]
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+
+      - name: Run e2e tests
+        run: |
+          cd agent
+          make e2e
+
+      - name: Cleanup
+        if: always()
+        run: |
+          cd agent/e2e
+          docker compose down -v --rmi local || true
+          rm -rf artifacts || true
+
+  # Self-hosted: performant high-frequency CPU is used to start many containers and run tests fast. Tests
+  # step is bottle-neck, because we need a lot of containers and cannot parallelize tests due to shared resources
  test-backend:
    runs-on: self-hosted
    needs: [lint-backend]
    container:
-      image: golang:1.24.9
+      image: golang:1.26.1
      options: --privileged -v /var/run/docker.sock:/var/run/docker.sock --add-host=host.docker.internal:host-gateway
      volumes:
        - /runner-cache/go-pkg:/go/pkg/mod
@@ -407,7 +484,7 @@ jobs:
      - name: Run database migrations
        run: |
          cd backend
-          go install github.com/pressly/goose/v3/cmd/goose@latest
+          go install github.com/pressly/goose/v3/cmd/goose@v3.24.3
          goose up

      - name: Run Go tests
@@ -441,7 +518,7 @@ jobs:
    runs-on: self-hosted
    container:
      image: node:20
-    needs: [test-backend, test-frontend]
+    needs: [test-backend, test-frontend, test-agent, e2e-agent]
    if: ${{ github.ref == 'refs/heads/main' && !contains(github.event.head_commit.message, '[skip-release]') }}
    outputs:
      should_release: ${{ steps.version_bump.outputs.should_release }}
@@ -534,7 +611,7 @@ jobs:

  build-only:
    runs-on: self-hosted
-    needs: [test-backend, test-frontend]
+    needs: [test-backend, test-frontend, test-agent, e2e-agent]
    if: ${{ github.ref == 'refs/heads/main' && contains(github.event.head_commit.message, '[skip-release]') }}
    steps:
      - name: Clean workspace
--- a/.gitignore
+++ b/.gitignore
@@ -5,6 +5,7 @@ databasus-data/
 .env
 pgdata/
 docker-compose.yml
+!agent/e2e/docker-compose.yml
 node_modules/
 .idea
 /articles
@@ -12,3 +13,4 @@ node_modules/
 .DS_Store
 /scripts
 .vscode/settings.json
+.claude
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -41,3 +41,20 @@ repos:
        language: system
        files: ^backend/.*\.go$
        pass_filenames: false
+
+  # Agent checks
+  - repo: local
+    hooks:
+      - id: agent-format-and-lint
+        name: Agent Format & Lint (golangci-lint)
+        entry: bash -c "cd agent && golangci-lint fmt ./internal/... ./cmd/... && golangci-lint run ./internal/... ./cmd/..."
+        language: system
+        files: ^agent/.*\.go$
+        pass_filenames: false
+
+      - id: agent-go-mod-tidy
+        name: Agent Go Mod Tidy
+        entry: bash -c "cd agent && go mod tidy"
+        language: system
+        files: ^agent/.*\.go$
+        pass_filenames: false
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -1,35 +1,37 @@
 # Agent Rules and Guidelines

-This document contains all coding standards, conventions and best practices recommended for the Databasus project.
+This document contains all coding standards, conventions and best practices recommended for the TgTaps project.
 This is NOT a strict set of rules, but a set of recommendations to help you write better code.

 ---

 ## Table of Contents

- [Engineering Philosophy](#engineering-philosophy)
- [Backend Guidelines](#backend-guidelines)
-  - [Code Style](#code-style)
+- [Engineering philosophy](#engineering-philosophy)
+- [Backend guidelines](#backend-guidelines)
+  - [Code style](#code-style)
+  - [Boolean naming](#boolean-naming)
+  - [Add reasonable new lines between logical statements](#add-reasonable-new-lines-between-logical-statements)
  - [Comments](#comments)
  - [Controllers](#controllers)
-  - [Dependency Injection (DI)](#dependency-injection-di)
+  - [Dependency injection (DI)](#dependency-injection-di)
  - [Migrations](#migrations)
  - [Refactoring](#refactoring)
  - [Testing](#testing)
-  - [Time Handling](#time-handling)
-  - [CRUD Examples](#crud-examples)
- [Frontend Guidelines](#frontend-guidelines)
-  - [React Component Structure](#react-component-structure)
+  - [Time handling](#time-handling)
+  - [CRUD examples](#crud-examples)
+- [Frontend guidelines](#frontend-guidelines)
+  - [React component structure](#react-component-structure)

 ---

-## Engineering Philosophy
+## Engineering philosophy

 **Think like a skeptical senior engineer and code reviewer. Don't just do what was asked—also think about what should have been asked.**

 ⚠️ **Balance vigilance with pragmatism:** Catch real issues, not theoretical ones. Don't let perfect be the enemy of good.

-### Task Context Assessment:
+### Task context assessment:

 **First, assess the task scope:**

@@ -38,7 +40,7 @@ This is NOT a strict set of rules, but a set of recommendations to help you writ
 - **Complex** (architecture, security, performance-critical): Full analysis required
 - **Unclear** (ambiguous requirements): Always clarify assumptions first

-### For Non-Trivial Tasks:
+### For non-trivial tasks:

 1. **Restate the objective and list assumptions** (explicit + implicit)
   - If any assumption is shaky, call it out clearly
@@ -71,7 +73,11 @@ This is NOT a strict set of rules, but a set of recommendations to help you writ
   - Patch the answer accordingly
   - Verify edge cases are handled

-### Application Guidelines:
+7. **Fix the reason, not the symptom:**
+   - If you find a bug or issue, ask "Why did this happen?" and fix the root cause
+   - Avoid quick fixes that don't address underlying problems
+
+### Application guidelines:

 **Scale your response to the task:**

@@ -84,9 +90,39 @@ This is NOT a strict set of rules, but a set of recommendations to help you writ

 ---

-## Backend Guidelines
+## Backend guidelines

-### Code Style
+### Naming
+
+Variables and functions naming are the most important part of code readability. Always choose descriptive and meaningful names that clearly indicate the purpose and intent of the code.
+
+Avoid abbreviations, unless they are widely accepted and unambiguous (e.g., `ID`, `URL`, `HTTP`). Use consistent naming conventions across the codebase.
+
+Do not use one-two letters. For example:
+
+Bad:
+
+```
+    u := users.getUser()
+
+	pr, pw := io.Pipe()
+
+    r := bufio.NewReader(pr)
+```
+
+Good:
+
+```
+    user := users.GetUser()
+
+    pipeReader, pipeWriter := io.Pipe()
+
+    bufferedReader := bufio.NewReader(pipeReader)
+```
+
+Exclusion: widely used variables like "db", "ctx", "req", "res", etc.
+
+### Code style

 **Always place private methods to the bottom of file**

@@ -94,7 +130,7 @@ This rule applies to ALL Go files including tests, services, controllers, reposi

 In Go, exported (public) functions/methods start with uppercase letters, while unexported (private) ones start with lowercase letters.

-#### Structure Order:
+#### Structure order:

 1. Type definitions and constants
 2. Public methods/functions (uppercase)
@@ -227,7 +263,7 @@ func (c *ProjectController) extractProjectID(ctx *gin.Context) uuid.UUID {
 }
 ```

-#### Key Points:
+#### Key points:

 - **Exported/Public** = starts with uppercase letter (CreateUser, GetProject)
 - **Unexported/Private** = starts with lowercase letter (validateUser, handleError)
@@ -237,13 +273,13 @@ func (c *ProjectController) extractProjectID(ctx *gin.Context) uuid.UUID {

 ---

-### Boolean Naming
+### Boolean naming

 **Always prefix boolean variables with verbs like `is`, `has`, `was`, `should`, `can`, etc.**

 This makes the code more readable and clearly indicates that the variable represents a true/false state.

-#### Good Examples:
+#### Good examples:

 ```go
 type User struct {
@@ -265,7 +301,7 @@ wasCompleted := false
 hasPermission := checkPermissions()
 ```

-#### Bad Examples:
+#### Bad examples:

 ```go
 type User struct {
@@ -286,7 +322,7 @@ completed := false   // Should be: wasCompleted
 permission := true   // Should be: hasPermission
 ```

-#### Common Boolean Prefixes:
+#### Common boolean prefixes:

 - **is** - current state (IsActive, IsValid, IsEnabled)
 - **has** - possession or presence (HasAccess, HasPermission, HasError)
@@ -297,6 +333,167 @@ permission := true   // Should be: hasPermission

 ---

+### Add reasonable new lines between logical statements
+
+**Add blank lines between logical blocks to improve code readability.**
+
+Separate different logical operations within a function with blank lines. This makes the code flow clearer and helps identify distinct steps in the logic.
+
+#### Guidelines:
+
+- Add blank line before final `return` statement
+- Add blank line after variable declarations before using them
+- Add blank line between error handling and subsequent logic
+- Add blank line between different logical operations
+
+#### Bad example (without spacing):
+
+```go
+func (t *Task) BeforeSave(tx *gorm.DB) error {
+	if len(t.Messages) > 0 {
+		messagesBytes, err := json.Marshal(t.Messages)
+		if err != nil {
+			return err
+		}
+		t.MessagesJSON = string(messagesBytes)
+	}
+	return nil
+}
+
+func (t *Task) AfterFind(tx *gorm.DB) error {
+	if t.MessagesJSON != "" {
+		var messages []onewin_dto.TaskCompletionMessage
+		if err := json.Unmarshal([]byte(t.MessagesJSON), &messages); err != nil {
+			return err
+		}
+		t.Messages = messages
+	}
+	return nil
+}
+```
+
+#### Good example (with proper spacing):
+
+```go
+func (t *Task) BeforeSave(tx *gorm.DB) error {
+	if len(t.Messages) > 0 {
+		messagesBytes, err := json.Marshal(t.Messages)
+		if err != nil {
+			return err
+		}
+
+		t.MessagesJSON = string(messagesBytes)
+	}
+
+	return nil
+}
+
+func (t *Task) AfterFind(tx *gorm.DB) error {
+	if t.MessagesJSON != "" {
+		var messages []onewin_dto.TaskCompletionMessage
+		if err := json.Unmarshal([]byte(t.MessagesJSON), &messages); err != nil {
+			return err
+		}
+
+		t.Messages = messages
+	}
+
+	return nil
+}
+```
+
+#### More examples:
+
+**Service method with multiple operations:**
+
+```go
+func (s *UserService) CreateUser(request *CreateUserRequest) (*User, error) {
+	// Validate input
+	if err := s.validateUserRequest(request); err != nil {
+		return nil, err
+	}
+
+	// Create user entity
+	user := &User{
+		ID:    uuid.New(),
+		Name:  request.Name,
+		Email: request.Email,
+	}
+
+	// Save to database
+	if err := s.repository.Create(user); err != nil {
+		return nil, err
+	}
+
+	// Send notification
+	s.notificationService.SendWelcomeEmail(user.Email)
+
+	return user, nil
+}
+```
+
+**Repository method with query building:**
+
+```go
+func (r *Repository) GetFiltered(filters *Filters) ([]*Entity, error) {
+	query := storage.GetDb().Model(&Entity{})
+
+	if filters.Status != "" {
+		query = query.Where("status = ?", filters.Status)
+	}
+
+	if filters.CreatedAfter != nil {
+		query = query.Where("created_at > ?", filters.CreatedAfter)
+	}
+
+	var entities []*Entity
+	if err := query.Find(&entities).Error; err != nil {
+		return nil, err
+	}
+
+	return entities, nil
+}
+```
+
+**Repository method with error handling:**
+
+Bad (without spacing):
+
+```go
+func (r *Repository) FindById(id uuid.UUID) (*models.Task, error) {
+	var task models.Task
+	result := storage.GetDb().Where("id = ?", id).First(&task)
+	if result.Error != nil {
+		if errors.Is(result.Error, gorm.ErrRecordNotFound) {
+			return nil, errors.New("task not found")
+		}
+		return nil, result.Error
+	}
+	return &task, nil
+}
+```
+
+Good (with proper spacing):
+
+```go
+func (r *Repository) FindById(id uuid.UUID) (*models.Task, error) {
+	var task models.Task
+
+	result := storage.GetDb().Where("id = ?", id).First(&task)
+	if result.Error != nil {
+		if errors.Is(result.Error, gorm.ErrRecordNotFound) {
+			return nil, errors.New("task not found")
+		}
+
+		return nil, result.Error
+	}
+
+	return &task, nil
+}
+```
+
+---
+
 ### Comments

 #### Guidelines
@@ -305,13 +502,14 @@ permission := true   // Should be: hasPermission
 2. **Functions and variables should have meaningful names** - Code should be self-documenting
 3. **Comments for unclear code only** - Only add comments when code logic isn't immediately clear

-#### Key Principles:
+#### Key principles:

 - **Code should tell a story** - Use descriptive variable and function names
 - **Comments explain WHY, not WHAT** - The code shows what happens, comments explain business logic or complex decisions
 - **Prefer refactoring over commenting** - If code needs explaining, consider making it clearer instead
 - **API documentation is required** - Swagger comments for all HTTP endpoints are mandatory
 - **Complex algorithms deserve comments** - Mathematical formulas, business rules, or non-obvious optimizations
+- **Do not write summary sections in .md files unless directly requested** - Avoid adding "Summary" or "Conclusion" sections at the end of documentation files unless the user explicitly asks for them

 #### Example of useless comments:

@@ -343,7 +541,7 @@ func CreateValidLogItems(count int, uniqueID string) []logs_receiving.LogItemReq

 ### Controllers

-#### Controller Guidelines:
+#### Controller guidelines:

 1. **When we write controller:**
   - We combine all routes to single controller
@@ -475,7 +673,7 @@ func (c *AuditLogController) GetUserAuditLogs(ctx *gin.Context) {

 ---

-### Dependency Injection (DI)
+### Dependency injection (DI)

 For DI files use **implicit fields declaration styles** (especially for controllers, services, repositories, use cases, etc., not simple data structures).

@@ -503,7 +701,7 @@ var orderController = &OrderController{

 **This is needed to avoid forgetting to update DI style when we add new dependency.**

-#### Force Such Usage
+#### Force such usage

 Please force such usage if file look like this (see some services\controllers\repos definitions and getters):

@@ -549,13 +747,13 @@ func GetOrderRepository() *repositories.OrderRepository {
 }
 ```

-#### SetupDependencies() Pattern
+#### SetupDependencies() pattern

 **All `SetupDependencies()` functions must use sync.Once to ensure idempotent execution.**

 This pattern allows `SetupDependencies()` to be safely called multiple times (especially in tests) while ensuring the actual setup logic executes only once.

-**Implementation Pattern:**
+**Implementation pattern:**

 ```go
 package feature
@@ -588,7 +786,7 @@ func SetupDependencies() {
 }
 ```

-**Why This Pattern:**
+**Why this pattern:**

 - **Tests can call multiple times**: Test setup often calls `SetupDependencies()` multiple times without issues
 - **Thread-safe**: Works correctly with concurrent calls (nanoseconds or seconds apart)
@@ -604,13 +802,13 @@ func SetupDependencies() {

 ---

-### Background Services
+### Background services

 **All background service `Run()` methods must panic if called multiple times to prevent corrupted states.**

 Background services run infinite loops and must never be started twice on the same instance. Multiple calls indicate a serious bug that would cause duplicate goroutines, resource leaks, and data corruption.

-**Implementation Pattern:**
+**Implementation pattern:**

 ```go
 package feature
@@ -654,14 +852,14 @@ func (s *BackgroundService) Run(ctx context.Context) {
 }
 ```

-**Why Panic Instead of Warning:**
+**Why panic instead of warning:**

 - **Prevents corruption**: Multiple `Run()` calls would create duplicate goroutines consuming resources
 - **Fails fast**: Catches critical bugs immediately in tests and production
 - **Clear indication**: Panic clearly indicates a serious programming error
 - **Applies everywhere**: Same protection in tests and production

-**When This Applies:**
+**When this applies:**

 - All background services with infinite loops
 - Registry services (BackupNodesRegistry, RestoreNodesRegistry)
@@ -727,14 +925,14 @@ You can shortify, make more readable, improve code quality, etc. Common logic ca

 **After writing tests, always launch them and verify that they pass.**

-#### Test Naming Format
+#### Test naming format

 Use these naming patterns:

 - `Test_WhatWeDo_WhatWeExpect`
 - `Test_WhatWeDo_WhichConditions_WhatWeExpect`

-#### Examples from Real Codebase:
+#### Examples from real codebase:

 - `Test_CreateApiKey_WhenUserIsProjectOwner_ApiKeyCreated`
 - `Test_UpdateProject_WhenUserIsProjectAdmin_ProjectUpdated`
@@ -742,22 +940,22 @@ Use these naming patterns:
 - `Test_GetProjectAuditLogs_WithDifferentUserRoles_EnforcesPermissionsCorrectly`
 - `Test_ProjectLifecycleE2E_CompletesSuccessfully`

-#### Testing Philosophy
+#### Testing philosophy

-**Prefer Controllers Over Unit Tests:**
+**Prefer controllers over unit tests:**

 - Test through HTTP endpoints via controllers whenever possible
 - Avoid testing repositories, services in isolation - test via API instead
 - Only use unit tests for complex model logic when no API exists
 - Name test files `controller_test.go` or `service_test.go`, not `integration_test.go`

-**Extract Common Logic to Testing Utilities:**
+**Extract common logic to testing utilities:**

 - Create `testing.go` or `testing/testing.go` files for shared test utilities
 - Extract router creation, user setup, models creation helpers (in API, not just structs creation)
 - Reuse common patterns across different test files

-**Refactor Existing Tests:**
+**Refactor existing tests:**

 - When working with existing tests, always look for opportunities to refactor and improve
 - Extract repetitive setup code to common utilities
@@ -766,7 +964,7 @@ Use these naming patterns:
 - Consolidate similar test patterns across different test files
 - Make tests more readable and maintainable for other developers

-**Clean Up Test Data:**
+**Clean up test data:**

 - If the feature supports cleanup operations (DELETE endpoints, cleanup methods), use them in tests
 - Clean up resources after test execution to avoid test data pollution
@@ -803,7 +1001,7 @@ func Test_BackupLifecycle_CreateAndDelete(t *testing.T) {
 }
 ```

-#### Testing Utilities Structure
+#### Testing utilities structure

 **Create `testing.go` or `testing/testing.go` files with common utilities:**

@@ -839,7 +1037,7 @@ func AddMemberToProject(project *projects_models.Project, member *users_dto.Sign
 }
 ```

-#### Controller Test Examples
+#### Controller test examples

 **Permission-based testing:**

@@ -906,7 +1104,7 @@ func Test_ProjectLifecycleE2E_CompletesSuccessfully(t *testing.T) {

 ---

-### Time Handling
+### Time handling

 **Always use `time.Now().UTC()` instead of `time.Now()`**

@@ -914,7 +1112,7 @@ This ensures consistent timezone handling across the application.

 ---

-### CRUD Examples
+### CRUD examples

 This is an example of complete CRUD implementation structure:

@@ -1578,9 +1776,9 @@ func createTimedLog(db *gorm.DB, userID *uuid.UUID, message string, createdAt ti

 ---

-## Frontend Guidelines
+## Frontend guidelines

-### React Component Structure
+### React component structure

 Write React components with the following structure:

@@ -1614,7 +1812,7 @@ export const ReactComponent = ({ someValue }: Props): JSX.Element => {
 }
 ```

-#### Structure Order:
+#### Structure order:

 1. **Props interface** - Define component props
 2. **Helper functions** (outside component) - Pure utility functions
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -0,0 +1 @@
+Look at @AGENTS.md
--- a/64
+++ b/64
@@ -22,7 +22,7 @@ RUN npm run build

 # ========= BUILD BACKEND =========
 # Backend build stage
-FROM --platform=$BUILDPLATFORM golang:1.24.9 AS backend-build
+FROM --platform=$BUILDPLATFORM golang:1.26.1 AS backend-build

 # Make TARGET args available early so tools built here match the final image arch
 ARG TARGETOS
@@ -66,13 +66,52 @@ RUN CGO_ENABLED=0 \
  go build -o /app/main ./cmd/main.go


+# ========= BUILD AGENT =========
+# Builds the databasus-agent CLI binary for BOTH x86_64 and ARM64.
+# Both architectures are always built because:
+# - Databasus server runs on one arch (e.g. amd64)
+# - The agent runs on remote PostgreSQL servers that may be on a
+#   different arch (e.g. arm64)
+# - The backend serves the correct binary based on the agent's
+#   ?arch= query parameter
+#
+# We cross-compile from the build platform (no QEMU needed) because the
+# agent is pure Go with zero C dependencies.
+# CGO_ENABLED=0 produces fully static binaries — no glibc/musl dependency,
+# so the agent runs on any Linux distro (Alpine, Debian, Ubuntu, RHEL, etc.).
+# APP_VERSION is baked into the binary via -ldflags so the agent can
+# compare its version against the server and auto-update when needed.
+FROM --platform=$BUILDPLATFORM golang:1.26.1 AS agent-build
+
+ARG APP_VERSION=dev
+
+WORKDIR /agent
+
+COPY agent/go.mod ./
+RUN go mod download
+
+COPY agent/ ./
+
+# Build for x86_64 (amd64) — static binary, no glibc dependency
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 \
+    go build -ldflags "-X main.Version=${APP_VERSION}" \
+    -o /agent-binaries/databasus-agent-linux-amd64 ./cmd/main.go
+
+# Build for ARM64 (arm64) — static binary, no glibc dependency
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=arm64 \
+    go build -ldflags "-X main.Version=${APP_VERSION}" \
+    -o /agent-binaries/databasus-agent-linux-arm64 ./cmd/main.go
+
+
 # ========= RUNTIME =========
 FROM debian:bookworm-slim

 # Add version metadata to runtime image
 ARG APP_VERSION=dev
+ARG TARGETARCH
 LABEL org.opencontainers.image.version=$APP_VERSION
 ENV APP_VERSION=$APP_VERSION
+ENV CONTAINER_ARCH=$TARGETARCH

 # Set production mode for Docker containers
 ENV ENV_MODE=production
@@ -218,6 +257,10 @@ COPY backend/migrations ./migrations
 # Copy UI files
 COPY --from=backend-build /app/ui/build ./ui/build

+# Copy agent binaries (both architectures) — served by the backend
+# at GET /api/v1/system/agent?arch=amd64|arm64
+COPY --from=agent-build /agent-binaries ./agent-binaries
+
 # Copy .env file (with fallback to .env.production.example)
 COPY backend/.env* /app/
 RUN if [ ! -f /app/.env ]; then \
@@ -268,10 +311,21 @@ window.__RUNTIME_CONFIG__ = {
  IS_CLOUD: '\${IS_CLOUD:-false}',
  GITHUB_CLIENT_ID: '\${GITHUB_CLIENT_ID:-}',
  GOOGLE_CLIENT_ID: '\${GOOGLE_CLIENT_ID:-}',
-  IS_EMAIL_CONFIGURED: '\$IS_EMAIL_CONFIGURED'
+  IS_EMAIL_CONFIGURED: '\$IS_EMAIL_CONFIGURED',
+  CLOUDFLARE_TURNSTILE_SITE_KEY: '\${CLOUDFLARE_TURNSTILE_SITE_KEY:-}',
+  CONTAINER_ARCH: '\${CONTAINER_ARCH:-unknown}'
 };
 JSEOF

+# Inject analytics script if provided (only if not already injected)
+if [ -n "\${ANALYTICS_SCRIPT:-}" ]; then
+  if ! grep -q "rybbit.databasus.com" /app/ui/build/index.html 2>/dev/null; then
+    echo "Injecting analytics script..."
+    sed -i "s#</head>#  \${ANALYTICS_SCRIPT}\\
+  </head>#" /app/ui/build/index.html
+  fi
+fi
+
 # Ensure proper ownership of data directory
 echo "Setting up data directory permissions..."
 mkdir -p /databasus-data/pgdata
@@ -384,6 +438,8 @@ fi
 # Create database and set password for postgres user
 echo "Setting up database and user..."
 gosu postgres \$PG_BIN/psql -p 5437 -h localhost -d postgres << 'SQL'
+
+# We use stub password, because internal DB is not exposed outside container
 ALTER USER postgres WITH PASSWORD 'Q1234567';
 SELECT 'CREATE DATABASE databasus OWNER postgres'
 WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = 'databasus')
@@ -422,6 +478,8 @@ fi
 exec ./main
 EOF

+LABEL org.opencontainers.image.source="https://github.com/databasus/databasus"
+
 RUN chmod +x /app/start.sh

 EXPOSE 4005
@@ -430,4 +488,4 @@ EXPOSE 4005
 VOLUME ["/databasus-data"]

 ENTRYPOINT ["/app/start.sh"]
-CMD []
+CMD []
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
  <img src="assets/logo.svg" alt="Databasus Logo" width="250"/>

  <h3>Backup tool for PostgreSQL, MySQL and MongoDB</h3>
-  <p>Databasus is a free, open source and self-hosted tool to backup databases (with focus on PostgreSQL). Make backups with different storages (S3, Google Drive, FTP, etc.) and notifications about progress (Slack, Discord, Telegram, etc.). Previously known as Postgresus (see migration guide).</p>
+  <p>Databasus is a free, open source and self-hosted tool to backup databases (with focus on PostgreSQL). Make backups with different storages (S3, Google Drive, FTP, etc.) and notifications about progress (Slack, Discord, Telegram, etc.)</p>
  
  <!-- Badges -->
   [![PostgreSQL](https://img.shields.io/badge/PostgreSQL-336791?logo=postgresql&logoColor=white)](https://www.postgresql.org/)
@@ -11,7 +11,7 @@
  [![MongoDB](https://img.shields.io/badge/MongoDB-47A248?logo=mongodb&logoColor=white)](https://www.mongodb.com/)
  <br />
  [![Apache 2.0 License](https://img.shields.io/badge/license-Apache%202.0-blue.svg)](LICENSE)
-  [![Docker Pulls](https://img.shields.io/docker/pulls/rostislavdugin/postgresus?color=brightgreen)](https://hub.docker.com/r/rostislavdugin/postgresus)
+  [![Docker Pulls](https://img.shields.io/docker/pulls/databasus/databasus?color=brightgreen)](https://hub.docker.com/r/databasus/databasus)
  [![Platform](https://img.shields.io/badge/platform-linux%20%7C%20macos%20%7C%20windows-lightgrey)](https://github.com/databasus/databasus)
  [![Self Hosted](https://img.shields.io/badge/self--hosted-yes-brightgreen)](https://github.com/databasus/databasus)
  [![Open Source](https://img.shields.io/badge/open%20source-❤️-red)](https://github.com/databasus/databasus)
@@ -31,8 +31,6 @@
  <img src="assets/dashboard-dark.svg" alt="Databasus Dark Dashboard" width="800" style="margin-bottom: 10px;"/>

  <img src="assets/dashboard.svg" alt="Databasus Dashboard" width="800"/>
-  
- 
 </div>

 ---
@@ -43,7 +41,7 @@

 - **PostgreSQL**: 12, 13, 14, 15, 16, 17 and 18
 - **MySQL**: 5.7, 8 and 9
- **MariaDB**: 10 and 11
+- **MariaDB**: 10, 11 and 12
 - **MongoDB**: 4, 5, 6, 7 and 8

 ### 🔄 **Scheduled backups**
@@ -52,6 +50,13 @@
 - **Precise timing**: run backups at specific times (e.g., 4 AM during low traffic)
 - **Smart compression**: 4-8x space savings with balanced compression (~20% overhead)

+### 🗑️ **Retention policies**
+
+- **Time period**: Keep backups for a fixed duration (e.g., 7 days, 3 months, 1 year)
+- **Count**: Keep a fixed number of the most recent backups (e.g., last 30)
+- **GFS (Grandfather-Father-Son)**: Layered retention — keep hourly, daily, weekly, monthly and yearly backups independently for fine-grained long-term history (enterprises requirement)
+- **Size limits**: Set per-backup and total storage size caps to control storage usage
+
 ### 🗄️ **Multiple storage destinations** <a href="https://databasus.com/storages">(view supported)</a>

 - **Local storage**: Keep backups on your VPS/server
@@ -71,6 +76,8 @@
 - **Encryption for secrets**: Any sensitive data is encrypted and never exposed, even in logs or error messages
 - **Read-only user**: Databasus uses a read-only user by default for backups and never stores anything that can modify your data

+It is also important for Databasus that you are able to decrypt and restore backups from storages (local, S3, etc.) without Databasus itself. To do so, read our guide on [how to recover directly from storage](https://databasus.com/how-to-recover-without-databasus). We avoid "vendor lock-in" even to open source tool!
+
 ### 👥 **Suitable for teams** <a href="https://databasus.com/access-management">(docs)</a>

 - **Workspaces**: Group databases, notifiers and storages for different projects or teams
@@ -220,8 +227,9 @@ For more options (NodePort, TLS, HTTPRoute for Gateway API), see the [Helm chart
 3. **Configure schedule**: Choose from hourly, daily, weekly, monthly or cron intervals
 4. **Set database connection**: Enter your database credentials and connection details
 5. **Choose storage**: Select where to store your backups (local, S3, Google Drive, etc.)
-6. **Add notifications** (optional): Configure email, Telegram, Slack, or webhook notifications
-7. **Save and start**: Databasus will validate settings and begin the backup schedule
+6. **Configure retention policy**: Choose time period, count or GFS to control how long backups are kept
+7. **Add notifications** (optional): Configure email, Telegram, Slack, or webhook notifications
+8. **Save and start**: Databasus will validate settings and begin the backup schedule

 ### 🔑 Resetting password <a href="https://databasus.com/password">(docs)</a>

@@ -233,66 +241,37 @@ docker exec -it databasus ./main --new-password="YourNewSecurePassword123" --ema

 Replace `admin` with the actual email address of the user whose password you want to reset.

+### 💾 Backuping Databasus itself
+
+After installation, it is also recommended to <a href="https://databasus.com/faq/#backup-databasus">backup your Databasus itself</a> or, at least, to copy secret key used for encryption (30 seconds is needed). So you are able to restore from your encrypted backups if you lose access to the server with Databasus or it is corrupted.
+
 ---

 ## 📝 License

 This project is licensed under the Apache 2.0 License - see the [LICENSE](LICENSE) file for details

---
-
 ## 🤝 Contributing

 Contributions are welcome! Read the <a href="https://databasus.com/contribute">contributing guide</a> for more details, priorities and rules. If you want to contribute but don't know where to start, message me on Telegram [@rostislav_dugin](https://t.me/rostislav_dugin)

 Also you can join our large community of developers, DBAs and DevOps engineers on Telegram [@databasus_community](https://t.me/databasus_community).

--
-
-## 📖 Migration guide
-
-Databasus is the new name for Postgresus. You can stay with latest version of Postgresus if you wish. If you want to migrate - follow installation steps for Databasus itself.
-
-Just renaming an image is not enough as Postgresus and Databasus use different data folders and internal database naming.
-
-You can put a new Databasus image with updated volume near the old Postgresus and run it (stop Postgresus before):
-
-```
-services:
-  databasus:
-    container_name: databasus
-    image: databasus/databasus:latest
-    ports:
-      - "4005:4005"
-    volumes:
-      - ./databasus-data:/databasus-data
-    restart: unless-stopped
-```
-
-Then manually move databases from Postgresus to Databasus.
-
-### Why was Postgresus renamed to Databasus?
-
-Databasus has been developed since 2023. It was internal tool to backup production and home projects databases. In start of 2025 it was released as open source project on GitHub. By the end of 2025 it became popular and the time for renaming has come in December 2025.
-
-It was an important step for the project to grow. Actually, there are a couple of reasons:
-
-1. Postgresus is no longer a little tool that just adds UI for pg_dump for little projects. It became a tool both for individual users, DevOps, DBAs, teams, companies and even large enterprises. Tens of thousands of users use Postgresus every day. Postgresus grew into a reliable backup management tool. Initial positioning is no longer suitable: the project is not just a UI wrapper, it's a solid backup management system now (despite it's still easy to use).
-
-2. New databases are supported: although the primary focus is PostgreSQL (with 100% support in the most efficient way) and always will be, Databasus added support for MySQL, MariaDB and MongoDB. Later more databases will be supported.
-
-3. Trademark issue: "postgres" is a trademark of PostgreSQL Inc. and cannot be used in the project name. So for safety and legal reasons, we had to rename the project.
-
 ## AI disclaimer

 There have been questions about AI usage in project development in issues and discussions. As the project focuses on security, reliability and production usage, it's important to explain how AI is used in the development process.

+First of all, we are proud to say that Databasus has been accepted into both [Claude for Open Source](https://claude.com/contact-sales/claude-for-oss) by Anthropic and [Codex for Open Source](https://developers.openai.com/codex/community/codex-for-oss/) by OpenAI in March 2026. For us it is one more signal that the project was recognized as important open-source software and was as critical infrastructure worth supporting independently by two of the world's leading AI companies. Read more at [databasus.com/faq](https://databasus.com/faq#oss-programs).
+
+Despite of this, we have the following rules how AI is used in the development process:
+
 AI is used as a helper for:

 - verification of code quality and searching for vulnerabilities
 - cleaning up and improving documentation, comments and code
 - assistance during development
 - double-checking PRs and commits after human review
+- additional security analysis of PRs via Codex Security

 AI is not used for:

--- a/agent/.env.example
+++ b/agent/.env.example
@@ -0,0 +1 @@
+ENV_MODE=development
--- a/agent/.gitignore
+++ b/agent/.gitignore
@@ -0,0 +1,26 @@
+main
+.env
+docker-compose.yml
+!e2e/docker-compose.yml
+pgdata
+pgdata_test/
+mysqldata/
+mariadbdata/
+main.exe
+swagger/
+swagger/*
+swagger/docs.go
+swagger/swagger.json
+swagger/swagger.yaml
+postgresus-backend.exe
+databasus-backend.exe
+ui/build/*
+pgdata-for-restore/
+temp/
+cmd.exe
+temp/
+valkey-data/
+victoria-logs-data/
+databasus.json
+.test-tmp/
+databasus.log
--- a/agent/.golangci.yml
+++ b/agent/.golangci.yml
@@ -0,0 +1,41 @@
+version: "2"
+
+run:
+  timeout: 5m
+  tests: false
+  concurrency: 4
+
+linters:
+  default: standard
+  enable:
+    - funcorder
+    - bodyclose
+    - errorlint
+    - gocritic
+    - unconvert
+    - misspell
+    - errname
+    - noctx
+    - modernize
+
+  settings:
+    errcheck:
+      check-type-assertions: true
+
+formatters:
+  enable:
+    - gofumpt
+    - golines
+    - gci
+
+  settings:
+    golines:
+      max-len: 120
+    gofumpt:
+      module-path: databasus-agent
+      extra-rules: true
+    gci:
+      sections:
+        - standard
+        - default
+        - localmodule
--- a/agent/Makefile
+++ b/agent/Makefile
@@ -0,0 +1,26 @@
+.PHONY: run build test lint e2e e2e-clean
+
+# Usage: make run ARGS="start --pg-host localhost"
+run:
+	go run cmd/main.go $(ARGS)
+
+build:
+	CGO_ENABLED=0 go build -ldflags "-X main.Version=$(VERSION)" -o databasus-agent ./cmd/main.go
+
+test:
+	go test -count=1 -failfast ./internal/...
+
+lint:
+	golangci-lint fmt ./cmd/... ./internal/... ./e2e/... && golangci-lint run ./cmd/... ./internal/... ./e2e/...
+
+e2e:
+	cd e2e && docker compose build
+	cd e2e && docker compose run --rm e2e-agent-builder
+	cd e2e && docker compose up -d e2e-postgres e2e-mock-server
+	cd e2e && docker compose run --rm e2e-agent-runner
+	cd e2e && docker compose run --rm e2e-agent-docker
+	cd e2e && docker compose down -v
+
+e2e-clean:
+	cd e2e && docker compose down -v --rmi local
+	rm -rf e2e/artifacts
--- a/agent/cmd/main.go
+++ b/agent/cmd/main.go
@@ -0,0 +1,227 @@
+package main
+
+import (
+	"errors"
+	"flag"
+	"fmt"
+	"log/slog"
+	"os"
+	"path/filepath"
+	"strings"
+	"syscall"
+
+	"databasus-agent/internal/config"
+	"databasus-agent/internal/features/api"
+	"databasus-agent/internal/features/start"
+	"databasus-agent/internal/features/upgrade"
+	"databasus-agent/internal/logger"
+)
+
+var Version = "dev"
+
+func main() {
+	if len(os.Args) < 2 {
+		printUsage()
+		os.Exit(1)
+	}
+
+	switch os.Args[1] {
+	case "start":
+		runStart(os.Args[2:])
+	case "_run":
+		runDaemon(os.Args[2:])
+	case "stop":
+		runStop()
+	case "status":
+		runStatus()
+	case "restore":
+		runRestore(os.Args[2:])
+	case "version":
+		fmt.Println(Version)
+	default:
+		fmt.Fprintf(os.Stderr, "unknown command: %s\n", os.Args[1])
+		printUsage()
+		os.Exit(1)
+	}
+}
+
+func runStart(args []string) {
+	fs := flag.NewFlagSet("start", flag.ExitOnError)
+
+	isSkipUpdate := fs.Bool("skip-update", false, "Skip auto-update check")
+
+	cfg := &config.Config{}
+	cfg.LoadFromJSONAndArgs(fs, args)
+
+	if err := cfg.SaveToJSON(); err != nil {
+		fmt.Fprintf(os.Stderr, "Failed to save config: %v\n", err)
+	}
+
+	log := logger.GetLogger()
+
+	isDev := checkIsDevelopment()
+	runUpdateCheck(cfg.DatabasusHost, *isSkipUpdate, isDev, log)
+
+	if err := start.Start(cfg, Version, isDev, log); err != nil {
+		if errors.Is(err, upgrade.ErrUpgradeRestart) {
+			reexecAfterUpgrade(log)
+		}
+
+		fmt.Fprintf(os.Stderr, "Error: %v\n", err)
+		os.Exit(1)
+	}
+}
+
+func runDaemon(args []string) {
+	fs := flag.NewFlagSet("_run", flag.ExitOnError)
+
+	if err := fs.Parse(args); err != nil {
+		os.Exit(1)
+	}
+
+	log := logger.GetLogger()
+
+	cfg := &config.Config{}
+	cfg.LoadFromJSON()
+
+	if err := start.RunDaemon(cfg, Version, checkIsDevelopment(), log); err != nil {
+		if errors.Is(err, upgrade.ErrUpgradeRestart) {
+			reexecAfterUpgrade(log)
+		}
+
+		log.Error("Agent exited with error", "error", err)
+		os.Exit(1)
+	}
+}
+
+func runStop() {
+	log := logger.GetLogger()
+
+	if err := start.Stop(log); err != nil {
+		fmt.Fprintf(os.Stderr, "Error: %v\n", err)
+		os.Exit(1)
+	}
+}
+
+func runStatus() {
+	log := logger.GetLogger()
+
+	if err := start.Status(log); err != nil {
+		fmt.Fprintf(os.Stderr, "Error: %v\n", err)
+		os.Exit(1)
+	}
+}
+
+func runRestore(args []string) {
+	fs := flag.NewFlagSet("restore", flag.ExitOnError)
+
+	targetDir := fs.String("target-dir", "", "Target pgdata directory")
+	backupID := fs.String("backup-id", "", "Full backup UUID (optional)")
+	targetTime := fs.String("target-time", "", "PITR target time in RFC3339 (optional)")
+	isYes := fs.Bool("yes", false, "Skip confirmation prompt")
+	isSkipUpdate := fs.Bool("skip-update", false, "Skip auto-update check")
+
+	cfg := &config.Config{}
+	cfg.LoadFromJSONAndArgs(fs, args)
+
+	if err := cfg.SaveToJSON(); err != nil {
+		fmt.Fprintf(os.Stderr, "Failed to save config: %v\n", err)
+	}
+
+	log := logger.GetLogger()
+
+	isDev := checkIsDevelopment()
+	runUpdateCheck(cfg.DatabasusHost, *isSkipUpdate, isDev, log)
+
+	log.Info("restore: stub — not yet implemented",
+		"targetDir", *targetDir,
+		"backupId", *backupID,
+		"targetTime", *targetTime,
+		"yes", *isYes,
+	)
+}
+
+func printUsage() {
+	fmt.Fprintln(os.Stderr, "Usage: databasus-agent <command> [flags]")
+	fmt.Fprintln(os.Stderr, "")
+	fmt.Fprintln(os.Stderr, "Commands:")
+	fmt.Fprintln(os.Stderr, "  start    Start the agent (WAL archiving + basebackups)")
+	fmt.Fprintln(os.Stderr, "  stop     Stop a running agent")
+	fmt.Fprintln(os.Stderr, "  status   Show agent status")
+	fmt.Fprintln(os.Stderr, "  restore  Restore a database from backup")
+	fmt.Fprintln(os.Stderr, "  version  Print agent version")
+}
+
+func runUpdateCheck(host string, isSkipUpdate, isDev bool, log *slog.Logger) {
+	if isSkipUpdate {
+		return
+	}
+
+	if host == "" {
+		return
+	}
+
+	apiClient := api.NewClient(host, "", log)
+
+	isUpgraded, err := upgrade.CheckAndUpdate(apiClient, Version, isDev, log)
+	if err != nil {
+		log.Error("Auto-update failed", "error", err)
+		os.Exit(1)
+	}
+
+	if isUpgraded {
+		reexecAfterUpgrade(log)
+	}
+}
+
+func checkIsDevelopment() bool {
+	dir, err := os.Getwd()
+	if err != nil {
+		return false
+	}
+
+	for range 3 {
+		if data, err := os.ReadFile(filepath.Join(dir, ".env")); err == nil {
+			return parseEnvMode(data)
+		}
+
+		if _, err := os.Stat(filepath.Join(dir, "go.mod")); err == nil {
+			return false
+		}
+
+		dir = filepath.Dir(dir)
+	}
+
+	return false
+}
+
+func parseEnvMode(data []byte) bool {
+	for line := range strings.SplitSeq(string(data), "\n") {
+		line = strings.TrimSpace(line)
+		if line == "" || strings.HasPrefix(line, "#") {
+			continue
+		}
+
+		parts := strings.SplitN(line, "=", 2)
+		if len(parts) == 2 && strings.TrimSpace(parts[0]) == "ENV_MODE" {
+			return strings.TrimSpace(parts[1]) == "development"
+		}
+	}
+
+	return false
+}
+
+func reexecAfterUpgrade(log *slog.Logger) {
+	selfPath, err := os.Executable()
+	if err != nil {
+		log.Error("Failed to resolve executable for re-exec", "error", err)
+		os.Exit(1)
+	}
+
+	log.Info("Re-executing after upgrade...")
+
+	if err := syscall.Exec(selfPath, os.Args, os.Environ()); err != nil {
+		log.Error("Failed to re-exec after upgrade", "error", err)
+		os.Exit(1)
+	}
+}
--- a/agent/e2e/.gitignore
+++ b/agent/e2e/.gitignore
@@ -0,0 +1 @@
+artifacts/
--- a/agent/e2e/Dockerfile.agent-builder
+++ b/agent/e2e/Dockerfile.agent-builder
@@ -0,0 +1,13 @@
+# Builds agent binaries with different versions so
+# we can test upgrade behavior (v1 -> v2)
+FROM golang:1.26.1-alpine AS build
+WORKDIR /src
+COPY go.mod go.sum ./
+RUN go mod download
+COPY . .
+RUN CGO_ENABLED=0 go build -ldflags "-X main.Version=v1.0.0" -o /out/agent-v1 ./cmd/main.go
+RUN CGO_ENABLED=0 go build -ldflags "-X main.Version=v2.0.0" -o /out/agent-v2 ./cmd/main.go
+
+FROM alpine:3.21
+COPY --from=build /out/ /out/
+CMD ["cp", "-v", "/out/agent-v1", "/out/agent-v2", "/artifacts/"]
--- a/agent/e2e/Dockerfile.agent-docker
+++ b/agent/e2e/Dockerfile.agent-docker
@@ -0,0 +1,8 @@
+# Runs pg_basebackup-via-docker-exec test (test 5) which tests
+# that the agent can connect to Postgres inside Docker container
+FROM docker:27-cli
+
+RUN apk add --no-cache bash curl
+
+WORKDIR /tmp
+ENTRYPOINT []
--- a/agent/e2e/Dockerfile.agent-runner
+++ b/agent/e2e/Dockerfile.agent-runner
@@ -0,0 +1,14 @@
+# Runs upgrade and host-mode pg_basebackup tests (tests 1-4). Needs
+# Postgres client tools to be installed inside the system
+FROM debian:bookworm-slim
+
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends \
+      ca-certificates curl gnupg2 postgresql-common && \
+    /usr/share/postgresql-common/pgdg/apt.postgresql.org.sh -y && \
+    apt-get install -y --no-install-recommends \
+      postgresql-client-17 && \
+    rm -rf /var/lib/apt/lists/*
+
+WORKDIR /tmp
+ENTRYPOINT []
--- a/agent/e2e/Dockerfile.mock-server
+++ b/agent/e2e/Dockerfile.mock-server
@@ -0,0 +1,10 @@
+# Mock databasus API server for version checks and binary downloads. Just
+# serves static responses and files from the `artifacts` directory.
+FROM golang:1.26.1-alpine AS build
+WORKDIR /app
+COPY mock-server/main.go .
+RUN CGO_ENABLED=0 go build -o mock-server main.go
+
+FROM alpine:3.21
+COPY --from=build /app/mock-server /usr/local/bin/mock-server
+ENTRYPOINT ["mock-server"]
--- a/agent/e2e/docker-compose.yml
+++ b/agent/e2e/docker-compose.yml
@@ -0,0 +1,64 @@
+services:
+  e2e-agent-builder:
+    build:
+      context: ..
+      dockerfile: e2e/Dockerfile.agent-builder
+    volumes:
+      - ./artifacts:/artifacts
+    container_name: e2e-agent-builder
+
+  e2e-postgres:
+    image: postgres:17
+    environment:
+      POSTGRES_DB: testdb
+      POSTGRES_USER: testuser
+      POSTGRES_PASSWORD: testpassword
+    container_name: e2e-agent-postgres
+    command: postgres -c wal_level=replica -c max_wal_senders=3
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U testuser -d testdb"]
+      interval: 2s
+      timeout: 5s
+      retries: 30
+
+  e2e-mock-server:
+    build:
+      context: .
+      dockerfile: Dockerfile.mock-server
+    volumes:
+      - ./artifacts:/artifacts:ro
+    container_name: e2e-mock-server
+    healthcheck:
+      test: ["CMD", "wget", "-q", "--spider", "http://localhost:4050/health"]
+      interval: 2s
+      timeout: 5s
+      retries: 10
+
+  e2e-agent-runner:
+    build:
+      context: .
+      dockerfile: Dockerfile.agent-runner
+    volumes:
+      - ./artifacts:/opt/agent/artifacts:ro
+      - ./scripts:/opt/agent/scripts:ro
+    depends_on:
+      e2e-postgres:
+        condition: service_healthy
+      e2e-mock-server:
+        condition: service_healthy
+    container_name: e2e-agent-runner
+    command: ["bash", "/opt/agent/scripts/run-all.sh", "host"]
+
+  e2e-agent-docker:
+    build:
+      context: .
+      dockerfile: Dockerfile.agent-docker
+    volumes:
+      - ./artifacts:/opt/agent/artifacts:ro
+      - ./scripts:/opt/agent/scripts:ro
+      - /var/run/docker.sock:/var/run/docker.sock
+    depends_on:
+      e2e-postgres:
+        condition: service_healthy
+    container_name: e2e-agent-docker
+    command: ["bash", "/opt/agent/scripts/run-all.sh", "docker"]
--- a/agent/e2e/mock-server/main.go
+++ b/agent/e2e/mock-server/main.go
@@ -0,0 +1,108 @@
+package main
+
+import (
+	"encoding/json"
+	"fmt"
+	"log"
+	"net/http"
+	"sync"
+)
+
+type server struct {
+	mu         sync.RWMutex
+	version    string
+	binaryPath string
+}
+
+func main() {
+	version := "v2.0.0"
+	binaryPath := "/artifacts/agent-v2"
+	port := "4050"
+
+	s := &server{version: version, binaryPath: binaryPath}
+
+	http.HandleFunc("/api/v1/system/version", s.handleVersion)
+	http.HandleFunc("/api/v1/system/agent", s.handleAgentDownload)
+	http.HandleFunc("/mock/set-version", s.handleSetVersion)
+	http.HandleFunc("/mock/set-binary-path", s.handleSetBinaryPath)
+	http.HandleFunc("/health", s.handleHealth)
+
+	addr := ":" + port
+	log.Printf("Mock server starting on %s (version=%s, binary=%s)", addr, version, binaryPath)
+
+	if err := http.ListenAndServe(addr, nil); err != nil {
+		log.Fatalf("Server failed: %v", err)
+	}
+}
+
+func (s *server) handleVersion(w http.ResponseWriter, r *http.Request) {
+	s.mu.RLock()
+	v := s.version
+	s.mu.RUnlock()
+
+	log.Printf("GET /api/v1/system/version -> %s", v)
+
+	w.Header().Set("Content-Type", "application/json")
+	_ = json.NewEncoder(w).Encode(map[string]string{"version": v})
+}
+
+func (s *server) handleAgentDownload(w http.ResponseWriter, r *http.Request) {
+	s.mu.RLock()
+	path := s.binaryPath
+	s.mu.RUnlock()
+
+	log.Printf("GET /api/v1/system/agent (arch=%s) -> serving %s", r.URL.Query().Get("arch"), path)
+
+	http.ServeFile(w, r, path)
+}
+
+func (s *server) handleSetVersion(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodPost {
+		http.Error(w, "POST only", http.StatusMethodNotAllowed)
+		return
+	}
+
+	var body struct {
+		Version string `json:"version"`
+	}
+	if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+
+	s.mu.Lock()
+	s.version = body.Version
+	s.mu.Unlock()
+
+	log.Printf("POST /mock/set-version -> %s", body.Version)
+
+	_, _ = fmt.Fprintf(w, "version set to %s", body.Version)
+}
+
+func (s *server) handleSetBinaryPath(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodPost {
+		http.Error(w, "POST only", http.StatusMethodNotAllowed)
+		return
+	}
+
+	var body struct {
+		BinaryPath string `json:"binaryPath"`
+	}
+	if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+
+	s.mu.Lock()
+	s.binaryPath = body.BinaryPath
+	s.mu.Unlock()
+
+	log.Printf("POST /mock/set-binary-path -> %s", body.BinaryPath)
+
+	_, _ = fmt.Fprintf(w, "binary path set to %s", body.BinaryPath)
+}
+
+func (s *server) handleHealth(w http.ResponseWriter, _ *http.Request) {
+	w.WriteHeader(http.StatusOK)
+	_, _ = w.Write([]byte("ok"))
+}
--- a/agent/e2e/scripts/run-all.sh
+++ b/agent/e2e/scripts/run-all.sh
@@ -0,0 +1,49 @@
+#!/bin/bash
+set -euo pipefail
+
+MODE="${1:-host}"
+SCRIPT_DIR="$(dirname "$0")"
+PASSED=0
+FAILED=0
+
+run_test() {
+  local name="$1"
+  local script="$2"
+
+  echo ""
+  echo "========================================"
+  echo "  $name"
+  echo "========================================"
+
+  if bash "$script"; then
+    echo "  PASSED: $name"
+    PASSED=$((PASSED + 1))
+  else
+    echo "  FAILED: $name"
+    FAILED=$((FAILED + 1))
+  fi
+}
+
+if [ "$MODE" = "host" ]; then
+  run_test "Test 1: Upgrade success (v1 -> v2)" "$SCRIPT_DIR/test-upgrade-success.sh"
+  run_test "Test 2: Upgrade skip (version matches)" "$SCRIPT_DIR/test-upgrade-skip.sh"
+  run_test "Test 3: Background upgrade (v1 -> v2 while running)" "$SCRIPT_DIR/test-upgrade-background.sh"
+  run_test "Test 4: pg_basebackup in PATH" "$SCRIPT_DIR/test-pg-host-path.sh"
+  run_test "Test 5: pg_basebackup via bindir" "$SCRIPT_DIR/test-pg-host-bindir.sh"
+
+elif [ "$MODE" = "docker" ]; then
+  run_test "Test 6: pg_basebackup via docker exec" "$SCRIPT_DIR/test-pg-docker-exec.sh"
+
+else
+  echo "Unknown mode: $MODE (expected 'host' or 'docker')"
+  exit 1
+fi
+
+echo ""
+echo "========================================"
+echo "  Results: $PASSED passed, $FAILED failed"
+echo "========================================"
+
+if [ "$FAILED" -gt 0 ]; then
+  exit 1
+fi
--- a/agent/e2e/scripts/test-pg-docker-exec.sh
+++ b/agent/e2e/scripts/test-pg-docker-exec.sh
@@ -0,0 +1,61 @@
+#!/bin/bash
+set -euo pipefail
+
+ARTIFACTS="/opt/agent/artifacts"
+AGENT="/tmp/test-agent"
+PG_CONTAINER="e2e-agent-postgres"
+
+# Cleanup from previous runs
+pkill -f "test-agent" 2>/dev/null || true
+for i in $(seq 1 20); do
+  pgrep -f "test-agent" > /dev/null 2>&1 || break
+  sleep 0.5
+done
+pkill -9 -f "test-agent" 2>/dev/null || true
+sleep 0.5
+rm -f "$AGENT" "$AGENT.update" databasus.lock databasus.log databasus.log.old databasus.json 2>/dev/null || true
+
+# Copy agent binary
+cp "$ARTIFACTS/agent-v1" "$AGENT"
+chmod +x "$AGENT"
+
+# Verify docker CLI works and PG container is accessible
+if ! docker exec "$PG_CONTAINER" pg_basebackup --version > /dev/null 2>&1; then
+  echo "FAIL: Cannot reach pg_basebackup inside container $PG_CONTAINER (test setup issue)"
+  exit 1
+fi
+
+# Run start with --skip-update and pg-type=docker
+echo "Running agent start (pg_basebackup via docker exec)..."
+OUTPUT=$("$AGENT" start \
+  --skip-update \
+  --databasus-host http://e2e-mock-server:4050 \
+  --db-id test-db-id \
+  --token test-token \
+  --pg-host e2e-postgres \
+  --pg-port 5432 \
+  --pg-user testuser \
+  --pg-password testpassword \
+  --pg-wal-dir /tmp/wal \
+  --pg-type docker \
+  --pg-docker-container-name "$PG_CONTAINER" 2>&1)
+
+EXIT_CODE=$?
+echo "$OUTPUT"
+
+if [ "$EXIT_CODE" -ne 0 ]; then
+  echo "FAIL: Agent exited with code $EXIT_CODE"
+  exit 1
+fi
+
+if ! echo "$OUTPUT" | grep -q "pg_basebackup verified (docker)"; then
+  echo "FAIL: Expected output to contain 'pg_basebackup verified (docker)'"
+  exit 1
+fi
+
+if ! echo "$OUTPUT" | grep -q "PostgreSQL connection verified"; then
+  echo "FAIL: Expected output to contain 'PostgreSQL connection verified'"
+  exit 1
+fi
+
+echo "pg_basebackup found via docker exec and DB connection verified"
--- a/agent/e2e/scripts/test-pg-host-bindir.sh
+++ b/agent/e2e/scripts/test-pg-host-bindir.sh
@@ -0,0 +1,67 @@
+#!/bin/bash
+set -euo pipefail
+
+ARTIFACTS="/opt/agent/artifacts"
+AGENT="/tmp/test-agent"
+CUSTOM_BIN_DIR="/opt/pg/bin"
+
+# Cleanup from previous runs
+pkill -f "test-agent" 2>/dev/null || true
+for i in $(seq 1 20); do
+  pgrep -f "test-agent" > /dev/null 2>&1 || break
+  sleep 0.5
+done
+pkill -9 -f "test-agent" 2>/dev/null || true
+sleep 0.5
+rm -f "$AGENT" "$AGENT.update" databasus.lock databasus.log databasus.log.old databasus.json 2>/dev/null || true
+
+# Copy agent binary
+cp "$ARTIFACTS/agent-v1" "$AGENT"
+chmod +x "$AGENT"
+
+# Move pg_basebackup out of PATH into custom directory
+mkdir -p "$CUSTOM_BIN_DIR"
+cp "$(which pg_basebackup)" "$CUSTOM_BIN_DIR/pg_basebackup"
+
+# Hide the system one by prepending an empty dir to PATH
+export PATH="/opt/empty-path:$PATH"
+mkdir -p /opt/empty-path
+
+# Verify pg_basebackup is NOT directly callable from default location
+# (we copied it, but the original is still there in debian — so we test
+# that the agent uses the custom dir, not PATH, by checking the output)
+
+# Run start with --skip-update and custom bin dir
+echo "Running agent start (pg_basebackup via --pg-host-bin-dir)..."
+OUTPUT=$("$AGENT" start \
+  --skip-update \
+  --databasus-host http://e2e-mock-server:4050 \
+  --db-id test-db-id \
+  --token test-token \
+  --pg-host e2e-postgres \
+  --pg-port 5432 \
+  --pg-user testuser \
+  --pg-password testpassword \
+  --pg-wal-dir /tmp/wal \
+  --pg-type host \
+  --pg-host-bin-dir "$CUSTOM_BIN_DIR" 2>&1)
+
+EXIT_CODE=$?
+echo "$OUTPUT"
+
+if [ "$EXIT_CODE" -ne 0 ]; then
+  echo "FAIL: Agent exited with code $EXIT_CODE"
+  exit 1
+fi
+
+if ! echo "$OUTPUT" | grep -q "pg_basebackup verified"; then
+  echo "FAIL: Expected output to contain 'pg_basebackup verified'"
+  exit 1
+fi
+
+if ! echo "$OUTPUT" | grep -q "PostgreSQL connection verified"; then
+  echo "FAIL: Expected output to contain 'PostgreSQL connection verified'"
+  exit 1
+fi
+
+echo "pg_basebackup found via custom bin dir and DB connection verified"
--- a/agent/e2e/scripts/test-pg-host-path.sh
+++ b/agent/e2e/scripts/test-pg-host-path.sh
@@ -0,0 +1,59 @@
+#!/bin/bash
+set -euo pipefail
+
+ARTIFACTS="/opt/agent/artifacts"
+AGENT="/tmp/test-agent"
+
+# Cleanup from previous runs
+pkill -f "test-agent" 2>/dev/null || true
+for i in $(seq 1 20); do
+  pgrep -f "test-agent" > /dev/null 2>&1 || break
+  sleep 0.5
+done
+pkill -9 -f "test-agent" 2>/dev/null || true
+sleep 0.5
+rm -f "$AGENT" "$AGENT.update" databasus.lock databasus.log databasus.log.old databasus.json 2>/dev/null || true
+
+# Copy agent binary
+cp "$ARTIFACTS/agent-v1" "$AGENT"
+chmod +x "$AGENT"
+
+# Verify pg_basebackup is in PATH
+if ! which pg_basebackup > /dev/null 2>&1; then
+  echo "FAIL: pg_basebackup not found in PATH (test setup issue)"
+  exit 1
+fi
+
+# Run start with --skip-update and pg-type=host
+echo "Running agent start (pg_basebackup in PATH)..."
+OUTPUT=$("$AGENT" start \
+  --skip-update \
+  --databasus-host http://e2e-mock-server:4050 \
+  --db-id test-db-id \
+  --token test-token \
+  --pg-host e2e-postgres \
+  --pg-port 5432 \
+  --pg-user testuser \
+  --pg-password testpassword \
+  --pg-wal-dir /tmp/wal \
+  --pg-type host 2>&1)
+
+EXIT_CODE=$?
+echo "$OUTPUT"
+
+if [ "$EXIT_CODE" -ne 0 ]; then
+  echo "FAIL: Agent exited with code $EXIT_CODE"
+  exit 1
+fi
+
+if ! echo "$OUTPUT" | grep -q "pg_basebackup verified"; then
+  echo "FAIL: Expected output to contain 'pg_basebackup verified'"
+  exit 1
+fi
+
+if ! echo "$OUTPUT" | grep -q "PostgreSQL connection verified"; then
+  echo "FAIL: Expected output to contain 'PostgreSQL connection verified'"
+  exit 1
+fi
+
+echo "pg_basebackup found in PATH and DB connection verified"
--- a/agent/e2e/scripts/test-upgrade-background.sh
+++ b/agent/e2e/scripts/test-upgrade-background.sh
@@ -0,0 +1,90 @@
+#!/bin/bash
+set -euo pipefail
+
+ARTIFACTS="/opt/agent/artifacts"
+AGENT="/tmp/test-agent"
+
+# Cleanup from previous runs
+pkill -f "test-agent" 2>/dev/null || true
+for i in $(seq 1 20); do
+  pgrep -f "test-agent" > /dev/null 2>&1 || break
+  sleep 0.5
+done
+pkill -9 -f "test-agent" 2>/dev/null || true
+sleep 0.5
+rm -f "$AGENT" "$AGENT.update" databasus.lock databasus.log databasus.log.old databasus.json 2>/dev/null || true
+
+# Set mock server to v1.0.0 (same as agent — no sync upgrade on start)
+curl -sf -X POST http://e2e-mock-server:4050/mock/set-version \
+  -H "Content-Type: application/json" \
+  -d '{"version":"v1.0.0"}'
+
+curl -sf -X POST http://e2e-mock-server:4050/mock/set-binary-path \
+  -H "Content-Type: application/json" \
+  -d '{"binaryPath":"/artifacts/agent-v1"}'
+
+# Copy v1 binary to writable location
+cp "$ARTIFACTS/agent-v1" "$AGENT"
+chmod +x "$AGENT"
+
+# Verify initial version
+VERSION=$("$AGENT" version)
+if [ "$VERSION" != "v1.0.0" ]; then
+  echo "FAIL: Expected initial version v1.0.0, got $VERSION"
+  exit 1
+fi
+echo "Initial version: $VERSION"
+
+# Start agent as daemon (versions match → no sync upgrade)
+mkdir -p /tmp/wal
+"$AGENT" start \
+  --databasus-host http://e2e-mock-server:4050 \
+  --db-id test-db-id \
+  --token test-token \
+  --pg-host e2e-postgres \
+  --pg-port 5432 \
+  --pg-user testuser \
+  --pg-password testpassword \
+  --pg-wal-dir /tmp/wal \
+  --pg-type host
+
+echo "Agent started as daemon, waiting for stabilization..."
+sleep 2
+
+# Change mock server to v2.0.0 and point to v2 binary
+curl -sf -X POST http://e2e-mock-server:4050/mock/set-version \
+  -H "Content-Type: application/json" \
+  -d '{"version":"v2.0.0"}'
+
+curl -sf -X POST http://e2e-mock-server:4050/mock/set-binary-path \
+  -H "Content-Type: application/json" \
+  -d '{"binaryPath":"/artifacts/agent-v2"}'
+
+echo "Mock server updated to v2.0.0, waiting for background upgrade..."
+
+# Poll for upgrade (timeout 60s, poll every 3s)
+DEADLINE=$((SECONDS + 60))
+while [ $SECONDS -lt $DEADLINE ]; do
+  VERSION=$("$AGENT" version)
+  if [ "$VERSION" = "v2.0.0" ]; then
+    echo "Binary upgraded to $VERSION"
+    break
+  fi
+  sleep 3
+done
+
+VERSION=$("$AGENT" version)
+if [ "$VERSION" != "v2.0.0" ]; then
+  echo "FAIL: Expected v2.0.0 after background upgrade, got $VERSION"
+  cat databasus.log 2>/dev/null || true
+  exit 1
+fi
+
+# Verify agent is still running after restart
+sleep 2
+"$AGENT" status || true
+
+# Cleanup
+"$AGENT" stop || true
+
+echo "Background upgrade test passed"
--- a/agent/e2e/scripts/test-upgrade-skip.sh
+++ b/agent/e2e/scripts/test-upgrade-skip.sh
@@ -0,0 +1,61 @@
+#!/bin/bash
+set -euo pipefail
+
+ARTIFACTS="/opt/agent/artifacts"
+AGENT="/tmp/test-agent"
+
+# Cleanup from previous runs
+pkill -f "test-agent" 2>/dev/null || true
+for i in $(seq 1 20); do
+  pgrep -f "test-agent" > /dev/null 2>&1 || break
+  sleep 0.5
+done
+pkill -9 -f "test-agent" 2>/dev/null || true
+sleep 0.5
+rm -f "$AGENT" "$AGENT.update" databasus.lock databasus.log databasus.log.old databasus.json 2>/dev/null || true
+
+# Set mock server to return v1.0.0 (same as agent)
+curl -sf -X POST http://e2e-mock-server:4050/mock/set-version \
+  -H "Content-Type: application/json" \
+  -d '{"version":"v1.0.0"}'
+
+# Copy v1 binary to writable location
+cp "$ARTIFACTS/agent-v1" "$AGENT"
+chmod +x "$AGENT"
+
+# Verify initial version
+VERSION=$("$AGENT" version)
+if [ "$VERSION" != "v1.0.0" ]; then
+  echo "FAIL: Expected initial version v1.0.0, got $VERSION"
+  exit 1
+fi
+
+# Run start — agent should see version matches and skip upgrade
+echo "Running agent start (expecting upgrade skip)..."
+OUTPUT=$("$AGENT" start \
+  --databasus-host http://e2e-mock-server:4050 \
+  --db-id test-db-id \
+  --token test-token \
+  --pg-host e2e-postgres \
+  --pg-port 5432 \
+  --pg-user testuser \
+  --pg-password testpassword \
+  --pg-wal-dir /tmp/wal \
+  --pg-type host 2>&1) || true
+
+echo "$OUTPUT"
+
+# Verify output contains "up to date"
+if ! echo "$OUTPUT" | grep -qi "up to date"; then
+  echo "FAIL: Expected output to contain 'up to date'"
+  exit 1
+fi
+
+# Verify binary is still v1
+VERSION=$("$AGENT" version)
+if [ "$VERSION" != "v1.0.0" ]; then
+  echo "FAIL: Expected version v1.0.0 (unchanged), got $VERSION"
+  exit 1
+fi
+
+echo "Upgrade correctly skipped, version still $VERSION"
--- a/agent/e2e/scripts/test-upgrade-success.sh
+++ b/agent/e2e/scripts/test-upgrade-success.sh
@@ -0,0 +1,66 @@
+#!/bin/bash
+set -euo pipefail
+
+ARTIFACTS="/opt/agent/artifacts"
+AGENT="/tmp/test-agent"
+
+# Cleanup from previous runs
+pkill -f "test-agent" 2>/dev/null || true
+for i in $(seq 1 20); do
+  pgrep -f "test-agent" > /dev/null 2>&1 || break
+  sleep 0.5
+done
+pkill -9 -f "test-agent" 2>/dev/null || true
+sleep 0.5
+rm -f "$AGENT" "$AGENT.update" databasus.lock databasus.log databasus.log.old databasus.json 2>/dev/null || true
+
+# Ensure mock server returns v2.0.0 and serves v2 binary
+curl -sf -X POST http://e2e-mock-server:4050/mock/set-version \
+  -H "Content-Type: application/json" \
+  -d '{"version":"v2.0.0"}'
+
+curl -sf -X POST http://e2e-mock-server:4050/mock/set-binary-path \
+  -H "Content-Type: application/json" \
+  -d '{"binaryPath":"/artifacts/agent-v2"}'
+
+# Copy v1 binary to writable location
+cp "$ARTIFACTS/agent-v1" "$AGENT"
+chmod +x "$AGENT"
+
+# Verify initial version
+VERSION=$("$AGENT" version)
+if [ "$VERSION" != "v1.0.0" ]; then
+  echo "FAIL: Expected initial version v1.0.0, got $VERSION"
+  exit 1
+fi
+echo "Initial version: $VERSION"
+
+# Run start — agent will:
+# 1. Fetch version from mock (v2.0.0 != v1.0.0)
+# 2. Download v2 binary from mock
+# 3. Replace itself on disk
+# 4. Re-exec with same args
+# 5. Re-exec'd v2 fetches version (v2.0.0 == v2.0.0) → skips update
+# 6. Proceeds to start → verifies pg_basebackup + DB → exits 0 (stub)
+echo "Running agent start (expecting upgrade v1 -> v2)..."
+OUTPUT=$("$AGENT" start \
+  --databasus-host http://e2e-mock-server:4050 \
+  --db-id test-db-id \
+  --token test-token \
+  --pg-host e2e-postgres \
+  --pg-port 5432 \
+  --pg-user testuser \
+  --pg-password testpassword \
+  --pg-wal-dir /tmp/wal \
+  --pg-type host 2>&1) || true
+
+echo "$OUTPUT"
+
+# Verify binary on disk is now v2
+VERSION=$("$AGENT" version)
+if [ "$VERSION" != "v2.0.0" ]; then
+  echo "FAIL: Expected upgraded version v2.0.0, got $VERSION"
+  exit 1
+fi
+
+echo "Binary upgraded successfully to $VERSION"
--- a/agent/go.mod
+++ b/agent/go.mod
@@ -0,0 +1,22 @@
+module databasus-agent
+
+go 1.26.1
+
+require (
+	github.com/go-resty/resty/v2 v2.17.2
+	github.com/jackc/pgx/v5 v5.8.0
+	github.com/klauspost/compress v1.18.4
+	github.com/stretchr/testify v1.11.1
+)
+
+require (
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/jackc/pgpassfile v1.0.0 // indirect
+	github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
+	github.com/kr/text v0.2.0 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/rogpeppe/go-internal v1.14.1 // indirect
+	golang.org/x/net v0.43.0 // indirect
+	golang.org/x/text v0.29.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+)
--- a/agent/go.sum
+++ b/agent/go.sum
@@ -0,0 +1,43 @@
+github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/go-resty/resty/v2 v2.17.2 h1:FQW5oHYcIlkCNrMD2lloGScxcHJ0gkjshV3qcQAyHQk=
+github.com/go-resty/resty/v2 v2.17.2/go.mod h1:kCKZ3wWmwJaNc7S29BRtUhJwy7iqmn+2mLtQrOyQlVA=
+github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM=
+github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=
+github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo=
+github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
+github.com/jackc/pgx/v5 v5.8.0 h1:TYPDoleBBme0xGSAX3/+NujXXtpZn9HBONkQC7IEZSo=
+github.com/jackc/pgx/v5 v5.8.0/go.mod h1:QVeDInX2m9VyzvNeiCJVjCkNFqzsNb43204HshNSZKw=
+github.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo=
+github.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
+github.com/klauspost/compress v1.18.4 h1:RPhnKRAQ4Fh8zU2FY/6ZFDwTVTxgJ/EMydqSTzE9a2c=
+github.com/klauspost/compress v1.18.4/go.mod h1:R0h/fSBs8DE4ENlcrlib3PsXS61voFxhIs2DeRhCvJ4=
+github.com/kr/pretty v0.3.0 h1:WgNl7dwNpEZ6jJ9k1snq4pZsg7DOEN8hP9Xw0Tsjwk0=
+github.com/kr/pretty v0.3.0/go.mod h1:640gp4NfQd8pI5XOwp5fnNeVWj67G7CFk/SaSQn7NBk=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
+github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
+golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE=
+golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg=
+golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug=
+golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk=
+golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4=
+golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE=
+golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
--- a/agent/internal/config/config.go
+++ b/agent/internal/config/config.go
@@ -0,0 +1,272 @@
+package config
+
+import (
+	"encoding/json"
+	"flag"
+	"fmt"
+	"os"
+
+	"databasus-agent/internal/logger"
+)
+
+var log = logger.GetLogger()
+
+const configFileName = "databasus.json"
+
+type Config struct {
+	DatabasusHost          string `json:"databasusHost"`
+	DbID                   string `json:"dbId"`
+	Token                  string `json:"token"`
+	PgHost                 string `json:"pgHost"`
+	PgPort                 int    `json:"pgPort"`
+	PgUser                 string `json:"pgUser"`
+	PgPassword             string `json:"pgPassword"`
+	PgType                 string `json:"pgType"`
+	PgHostBinDir           string `json:"pgHostBinDir"`
+	PgDockerContainerName  string `json:"pgDockerContainerName"`
+	PgWalDir               string `json:"pgWalDir"`
+	IsDeleteWalAfterUpload *bool  `json:"deleteWalAfterUpload"`
+
+	flags parsedFlags
+}
+
+// LoadFromJSONAndArgs reads databasus.json into the struct
+// and overrides JSON values with any explicitly provided CLI flags.
+func (c *Config) LoadFromJSONAndArgs(fs *flag.FlagSet, args []string) {
+	c.loadFromJSON()
+	c.applyDefaults()
+	c.initSources()
+
+	c.flags.databasusHost = fs.String(
+		"databasus-host",
+		"",
+		"Databasus server URL (e.g. http://your-server:4005)",
+	)
+	c.flags.dbID = fs.String("db-id", "", "Database ID")
+	c.flags.token = fs.String("token", "", "Agent token")
+	c.flags.pgHost = fs.String("pg-host", "", "PostgreSQL host")
+	c.flags.pgPort = fs.Int("pg-port", 0, "PostgreSQL port")
+	c.flags.pgUser = fs.String("pg-user", "", "PostgreSQL user")
+	c.flags.pgPassword = fs.String("pg-password", "", "PostgreSQL password")
+	c.flags.pgType = fs.String("pg-type", "", "PostgreSQL type: host or docker")
+	c.flags.pgHostBinDir = fs.String("pg-host-bin-dir", "", "Path to PG bin directory (host mode)")
+	c.flags.pgDockerContainerName = fs.String("pg-docker-container-name", "", "Docker container name (docker mode)")
+	c.flags.pgWalDir = fs.String("pg-wal-dir", "", "Path to WAL queue directory")
+
+	if err := fs.Parse(args); err != nil {
+		os.Exit(1)
+	}
+
+	c.applyFlags()
+	log.Info("========= Loading config ============")
+	c.logConfigSources()
+	log.Info("========= Config has been loaded ====")
+}
+
+// SaveToJSON writes the current struct to databasus.json.
+func (c *Config) SaveToJSON() error {
+	data, err := json.MarshalIndent(c, "", "  ")
+	if err != nil {
+		return err
+	}
+
+	return os.WriteFile(configFileName, data, 0o644)
+}
+
+func (c *Config) LoadFromJSON() {
+	c.loadFromJSON()
+	c.applyDefaults()
+}
+
+func (c *Config) loadFromJSON() {
+	data, err := os.ReadFile(configFileName)
+	if err != nil {
+		if os.IsNotExist(err) {
+			log.Info("No databasus.json found, will create on save")
+			return
+		}
+
+		log.Warn("Failed to read databasus.json", "error", err)
+
+		return
+	}
+
+	if err := json.Unmarshal(data, c); err != nil {
+		log.Warn("Failed to parse databasus.json", "error", err)
+
+		return
+	}
+
+	log.Info("Configuration loaded from " + configFileName)
+}
+
+func (c *Config) applyDefaults() {
+	if c.PgPort == 0 {
+		c.PgPort = 5432
+	}
+
+	if c.PgType == "" {
+		c.PgType = "host"
+	}
+
+	if c.IsDeleteWalAfterUpload == nil {
+		v := true
+		c.IsDeleteWalAfterUpload = &v
+	}
+}
+
+func (c *Config) initSources() {
+	c.flags.sources = map[string]string{
+		"databasus-host":           "not configured",
+		"db-id":                    "not configured",
+		"token":                    "not configured",
+		"pg-host":                  "not configured",
+		"pg-port":                  "not configured",
+		"pg-user":                  "not configured",
+		"pg-password":              "not configured",
+		"pg-type":                  "not configured",
+		"pg-host-bin-dir":          "not configured",
+		"pg-docker-container-name": "not configured",
+		"pg-wal-dir":               "not configured",
+		"delete-wal-after-upload":  "not configured",
+	}
+
+	if c.DatabasusHost != "" {
+		c.flags.sources["databasus-host"] = configFileName
+	}
+
+	if c.DbID != "" {
+		c.flags.sources["db-id"] = configFileName
+	}
+
+	if c.Token != "" {
+		c.flags.sources["token"] = configFileName
+	}
+
+	if c.PgHost != "" {
+		c.flags.sources["pg-host"] = configFileName
+	}
+
+	// PgPort always has a value after applyDefaults
+	c.flags.sources["pg-port"] = configFileName
+
+	if c.PgUser != "" {
+		c.flags.sources["pg-user"] = configFileName
+	}
+
+	if c.PgPassword != "" {
+		c.flags.sources["pg-password"] = configFileName
+	}
+
+	// PgType always has a value after applyDefaults
+	c.flags.sources["pg-type"] = configFileName
+
+	if c.PgHostBinDir != "" {
+		c.flags.sources["pg-host-bin-dir"] = configFileName
+	}
+
+	if c.PgDockerContainerName != "" {
+		c.flags.sources["pg-docker-container-name"] = configFileName
+	}
+
+	if c.PgWalDir != "" {
+		c.flags.sources["pg-wal-dir"] = configFileName
+	}
+
+	// IsDeleteWalAfterUpload always has a value after applyDefaults
+	c.flags.sources["delete-wal-after-upload"] = configFileName
+}
+
+func (c *Config) applyFlags() {
+	if c.flags.databasusHost != nil && *c.flags.databasusHost != "" {
+		c.DatabasusHost = *c.flags.databasusHost
+		c.flags.sources["databasus-host"] = "command line args"
+	}
+
+	if c.flags.dbID != nil && *c.flags.dbID != "" {
+		c.DbID = *c.flags.dbID
+		c.flags.sources["db-id"] = "command line args"
+	}
+
+	if c.flags.token != nil && *c.flags.token != "" {
+		c.Token = *c.flags.token
+		c.flags.sources["token"] = "command line args"
+	}
+
+	if c.flags.pgHost != nil && *c.flags.pgHost != "" {
+		c.PgHost = *c.flags.pgHost
+		c.flags.sources["pg-host"] = "command line args"
+	}
+
+	if c.flags.pgPort != nil && *c.flags.pgPort != 0 {
+		c.PgPort = *c.flags.pgPort
+		c.flags.sources["pg-port"] = "command line args"
+	}
+
+	if c.flags.pgUser != nil && *c.flags.pgUser != "" {
+		c.PgUser = *c.flags.pgUser
+		c.flags.sources["pg-user"] = "command line args"
+	}
+
+	if c.flags.pgPassword != nil && *c.flags.pgPassword != "" {
+		c.PgPassword = *c.flags.pgPassword
+		c.flags.sources["pg-password"] = "command line args"
+	}
+
+	if c.flags.pgType != nil && *c.flags.pgType != "" {
+		c.PgType = *c.flags.pgType
+		c.flags.sources["pg-type"] = "command line args"
+	}
+
+	if c.flags.pgHostBinDir != nil && *c.flags.pgHostBinDir != "" {
+		c.PgHostBinDir = *c.flags.pgHostBinDir
+		c.flags.sources["pg-host-bin-dir"] = "command line args"
+	}
+
+	if c.flags.pgDockerContainerName != nil && *c.flags.pgDockerContainerName != "" {
+		c.PgDockerContainerName = *c.flags.pgDockerContainerName
+		c.flags.sources["pg-docker-container-name"] = "command line args"
+	}
+
+	if c.flags.pgWalDir != nil && *c.flags.pgWalDir != "" {
+		c.PgWalDir = *c.flags.pgWalDir
+		c.flags.sources["pg-wal-dir"] = "command line args"
+	}
+}
+
+func (c *Config) logConfigSources() {
+	log.Info("databasus-host", "value", c.DatabasusHost, "source", c.flags.sources["databasus-host"])
+	log.Info("db-id", "value", c.DbID, "source", c.flags.sources["db-id"])
+	log.Info("token", "value", maskSensitive(c.Token), "source", c.flags.sources["token"])
+	log.Info("pg-host", "value", c.PgHost, "source", c.flags.sources["pg-host"])
+	log.Info("pg-port", "value", c.PgPort, "source", c.flags.sources["pg-port"])
+	log.Info("pg-user", "value", c.PgUser, "source", c.flags.sources["pg-user"])
+	log.Info("pg-password", "value", maskSensitive(c.PgPassword), "source", c.flags.sources["pg-password"])
+	log.Info("pg-type", "value", c.PgType, "source", c.flags.sources["pg-type"])
+	log.Info("pg-host-bin-dir", "value", c.PgHostBinDir, "source", c.flags.sources["pg-host-bin-dir"])
+	log.Info(
+		"pg-docker-container-name",
+		"value",
+		c.PgDockerContainerName,
+		"source",
+		c.flags.sources["pg-docker-container-name"],
+	)
+	log.Info("pg-wal-dir", "value", c.PgWalDir, "source", c.flags.sources["pg-wal-dir"])
+	log.Info(
+		"delete-wal-after-upload",
+		"value",
+		fmt.Sprintf("%v", *c.IsDeleteWalAfterUpload),
+		"source",
+		c.flags.sources["delete-wal-after-upload"],
+	)
+}
+
+func maskSensitive(value string) string {
+	if value == "" {
+		return "(not set)"
+	}
+
+	visibleLen := max(len(value)/4, 1)
+
+	return value[:visibleLen] + "***"
+}
--- a/agent/internal/config/config_test.go
+++ b/agent/internal/config/config_test.go
@@ -0,0 +1,301 @@
+package config
+
+import (
+	"encoding/json"
+	"flag"
+	"os"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func Test_LoadFromJSONAndArgs_ValuesLoadedFromJSON(t *testing.T) {
+	dir := setupTempDir(t)
+	writeConfigJSON(t, dir, Config{
+		DatabasusHost: "http://json-host:4005",
+		DbID:          "json-db-id",
+		Token:         "json-token",
+	})
+
+	cfg := &Config{}
+	fs := flag.NewFlagSet("test", flag.ContinueOnError)
+	cfg.LoadFromJSONAndArgs(fs, []string{})
+
+	assert.Equal(t, "http://json-host:4005", cfg.DatabasusHost)
+	assert.Equal(t, "json-db-id", cfg.DbID)
+	assert.Equal(t, "json-token", cfg.Token)
+}
+
+func Test_LoadFromJSONAndArgs_ValuesLoadedFromArgs_WhenNoJSON(t *testing.T) {
+	setupTempDir(t)
+
+	cfg := &Config{}
+	fs := flag.NewFlagSet("test", flag.ContinueOnError)
+	cfg.LoadFromJSONAndArgs(fs, []string{
+		"--databasus-host", "http://arg-host:4005",
+		"--db-id", "arg-db-id",
+		"--token", "arg-token",
+	})
+
+	assert.Equal(t, "http://arg-host:4005", cfg.DatabasusHost)
+	assert.Equal(t, "arg-db-id", cfg.DbID)
+	assert.Equal(t, "arg-token", cfg.Token)
+}
+
+func Test_LoadFromJSONAndArgs_ArgsOverrideJSON(t *testing.T) {
+	dir := setupTempDir(t)
+	writeConfigJSON(t, dir, Config{
+		DatabasusHost: "http://json-host:4005",
+		DbID:          "json-db-id",
+		Token:         "json-token",
+	})
+
+	cfg := &Config{}
+	fs := flag.NewFlagSet("test", flag.ContinueOnError)
+	cfg.LoadFromJSONAndArgs(fs, []string{
+		"--databasus-host", "http://arg-host:9999",
+		"--db-id", "arg-db-id-override",
+		"--token", "arg-token-override",
+	})
+
+	assert.Equal(t, "http://arg-host:9999", cfg.DatabasusHost)
+	assert.Equal(t, "arg-db-id-override", cfg.DbID)
+	assert.Equal(t, "arg-token-override", cfg.Token)
+}
+
+func Test_LoadFromJSONAndArgs_PartialArgsOverrideJSON(t *testing.T) {
+	dir := setupTempDir(t)
+	writeConfigJSON(t, dir, Config{
+		DatabasusHost: "http://json-host:4005",
+		DbID:          "json-db-id",
+		Token:         "json-token",
+	})
+
+	cfg := &Config{}
+	fs := flag.NewFlagSet("test", flag.ContinueOnError)
+	cfg.LoadFromJSONAndArgs(fs, []string{
+		"--databasus-host", "http://arg-host-only:4005",
+	})
+
+	assert.Equal(t, "http://arg-host-only:4005", cfg.DatabasusHost)
+	assert.Equal(t, "json-db-id", cfg.DbID)
+	assert.Equal(t, "json-token", cfg.Token)
+}
+
+func Test_SaveToJSON_ConfigSavedCorrectly(t *testing.T) {
+	setupTempDir(t)
+
+	deleteWal := true
+	cfg := &Config{
+		DatabasusHost:          "http://save-host:4005",
+		DbID:                   "save-db-id",
+		Token:                  "save-token",
+		IsDeleteWalAfterUpload: &deleteWal,
+	}
+
+	err := cfg.SaveToJSON()
+	require.NoError(t, err)
+
+	saved := readConfigJSON(t)
+
+	assert.Equal(t, "http://save-host:4005", saved.DatabasusHost)
+	assert.Equal(t, "save-db-id", saved.DbID)
+	assert.Equal(t, "save-token", saved.Token)
+}
+
+func Test_SaveToJSON_AfterArgsOverrideJSON_SavedFileContainsMergedValues(t *testing.T) {
+	dir := setupTempDir(t)
+	writeConfigJSON(t, dir, Config{
+		DatabasusHost: "http://json-host:4005",
+		DbID:          "json-db-id",
+		Token:         "json-token",
+	})
+
+	cfg := &Config{}
+	fs := flag.NewFlagSet("test", flag.ContinueOnError)
+	cfg.LoadFromJSONAndArgs(fs, []string{
+		"--databasus-host", "http://override-host:9999",
+	})
+
+	err := cfg.SaveToJSON()
+	require.NoError(t, err)
+
+	saved := readConfigJSON(t)
+
+	assert.Equal(t, "http://override-host:9999", saved.DatabasusHost)
+	assert.Equal(t, "json-db-id", saved.DbID)
+	assert.Equal(t, "json-token", saved.Token)
+}
+
+func Test_LoadFromJSONAndArgs_PgFieldsLoadedFromJSON(t *testing.T) {
+	dir := setupTempDir(t)
+	deleteWal := false
+	writeConfigJSON(t, dir, Config{
+		DatabasusHost:          "http://json-host:4005",
+		DbID:                   "json-db-id",
+		Token:                  "json-token",
+		PgHost:                 "pg-json-host",
+		PgPort:                 5433,
+		PgUser:                 "pg-json-user",
+		PgPassword:             "pg-json-pass",
+		PgType:                 "docker",
+		PgHostBinDir:           "/usr/bin",
+		PgDockerContainerName:  "pg-container",
+		PgWalDir:               "/opt/wal",
+		IsDeleteWalAfterUpload: &deleteWal,
+	})
+
+	cfg := &Config{}
+	fs := flag.NewFlagSet("test", flag.ContinueOnError)
+	cfg.LoadFromJSONAndArgs(fs, []string{})
+
+	assert.Equal(t, "pg-json-host", cfg.PgHost)
+	assert.Equal(t, 5433, cfg.PgPort)
+	assert.Equal(t, "pg-json-user", cfg.PgUser)
+	assert.Equal(t, "pg-json-pass", cfg.PgPassword)
+	assert.Equal(t, "docker", cfg.PgType)
+	assert.Equal(t, "/usr/bin", cfg.PgHostBinDir)
+	assert.Equal(t, "pg-container", cfg.PgDockerContainerName)
+	assert.Equal(t, "/opt/wal", cfg.PgWalDir)
+	assert.Equal(t, false, *cfg.IsDeleteWalAfterUpload)
+}
+
+func Test_LoadFromJSONAndArgs_PgFieldsLoadedFromArgs(t *testing.T) {
+	setupTempDir(t)
+
+	cfg := &Config{}
+	fs := flag.NewFlagSet("test", flag.ContinueOnError)
+	cfg.LoadFromJSONAndArgs(fs, []string{
+		"--pg-host", "arg-pg-host",
+		"--pg-port", "5433",
+		"--pg-user", "arg-pg-user",
+		"--pg-password", "arg-pg-pass",
+		"--pg-type", "docker",
+		"--pg-host-bin-dir", "/custom/bin",
+		"--pg-docker-container-name", "my-pg",
+		"--pg-wal-dir", "/var/wal",
+	})
+
+	assert.Equal(t, "arg-pg-host", cfg.PgHost)
+	assert.Equal(t, 5433, cfg.PgPort)
+	assert.Equal(t, "arg-pg-user", cfg.PgUser)
+	assert.Equal(t, "arg-pg-pass", cfg.PgPassword)
+	assert.Equal(t, "docker", cfg.PgType)
+	assert.Equal(t, "/custom/bin", cfg.PgHostBinDir)
+	assert.Equal(t, "my-pg", cfg.PgDockerContainerName)
+	assert.Equal(t, "/var/wal", cfg.PgWalDir)
+}
+
+func Test_LoadFromJSONAndArgs_PgArgsOverrideJSON(t *testing.T) {
+	dir := setupTempDir(t)
+	writeConfigJSON(t, dir, Config{
+		PgHost:   "json-host",
+		PgPort:   5432,
+		PgUser:   "json-user",
+		PgType:   "host",
+		PgWalDir: "/json/wal",
+	})
+
+	cfg := &Config{}
+	fs := flag.NewFlagSet("test", flag.ContinueOnError)
+	cfg.LoadFromJSONAndArgs(fs, []string{
+		"--pg-host", "arg-host",
+		"--pg-port", "5433",
+		"--pg-user", "arg-user",
+		"--pg-type", "docker",
+		"--pg-docker-container-name", "my-container",
+		"--pg-wal-dir", "/arg/wal",
+	})
+
+	assert.Equal(t, "arg-host", cfg.PgHost)
+	assert.Equal(t, 5433, cfg.PgPort)
+	assert.Equal(t, "arg-user", cfg.PgUser)
+	assert.Equal(t, "docker", cfg.PgType)
+	assert.Equal(t, "my-container", cfg.PgDockerContainerName)
+	assert.Equal(t, "/arg/wal", cfg.PgWalDir)
+}
+
+func Test_LoadFromJSONAndArgs_DefaultsApplied_WhenNoJSONAndNoArgs(t *testing.T) {
+	setupTempDir(t)
+
+	cfg := &Config{}
+	fs := flag.NewFlagSet("test", flag.ContinueOnError)
+	cfg.LoadFromJSONAndArgs(fs, []string{})
+
+	assert.Equal(t, 5432, cfg.PgPort)
+	assert.Equal(t, "host", cfg.PgType)
+	require.NotNil(t, cfg.IsDeleteWalAfterUpload)
+	assert.Equal(t, true, *cfg.IsDeleteWalAfterUpload)
+}
+
+func Test_SaveToJSON_PgFieldsSavedCorrectly(t *testing.T) {
+	setupTempDir(t)
+
+	deleteWal := false
+	cfg := &Config{
+		DatabasusHost:          "http://host:4005",
+		DbID:                   "db-id",
+		Token:                  "token",
+		PgHost:                 "pg-host",
+		PgPort:                 5433,
+		PgUser:                 "pg-user",
+		PgPassword:             "pg-pass",
+		PgType:                 "docker",
+		PgHostBinDir:           "/usr/bin",
+		PgDockerContainerName:  "pg-container",
+		PgWalDir:               "/opt/wal",
+		IsDeleteWalAfterUpload: &deleteWal,
+	}
+
+	err := cfg.SaveToJSON()
+	require.NoError(t, err)
+
+	saved := readConfigJSON(t)
+
+	assert.Equal(t, "pg-host", saved.PgHost)
+	assert.Equal(t, 5433, saved.PgPort)
+	assert.Equal(t, "pg-user", saved.PgUser)
+	assert.Equal(t, "pg-pass", saved.PgPassword)
+	assert.Equal(t, "docker", saved.PgType)
+	assert.Equal(t, "/usr/bin", saved.PgHostBinDir)
+	assert.Equal(t, "pg-container", saved.PgDockerContainerName)
+	assert.Equal(t, "/opt/wal", saved.PgWalDir)
+	require.NotNil(t, saved.IsDeleteWalAfterUpload)
+	assert.Equal(t, false, *saved.IsDeleteWalAfterUpload)
+}
+
+func setupTempDir(t *testing.T) string {
+	t.Helper()
+
+	origDir, err := os.Getwd()
+	require.NoError(t, err)
+
+	dir := t.TempDir()
+	require.NoError(t, os.Chdir(dir))
+
+	t.Cleanup(func() { os.Chdir(origDir) })
+
+	return dir
+}
+
+func writeConfigJSON(t *testing.T, dir string, cfg Config) {
+	t.Helper()
+
+	data, err := json.MarshalIndent(cfg, "", "  ")
+	require.NoError(t, err)
+
+	require.NoError(t, os.WriteFile(dir+"/"+configFileName, data, 0o644))
+}
+
+func readConfigJSON(t *testing.T) Config {
+	t.Helper()
+
+	data, err := os.ReadFile(configFileName)
+	require.NoError(t, err)
+
+	var cfg Config
+	require.NoError(t, json.Unmarshal(data, &cfg))
+
+	return cfg
+}
--- a/agent/internal/config/dto.go
+++ b/agent/internal/config/dto.go
@@ -0,0 +1,17 @@
+package config
+
+type parsedFlags struct {
+	databasusHost         *string
+	dbID                  *string
+	token                 *string
+	pgHost                *string
+	pgPort                *int
+	pgUser                *string
+	pgPassword            *string
+	pgType                *string
+	pgHostBinDir          *string
+	pgDockerContainerName *string
+	pgWalDir              *string
+
+	sources map[string]string
+}
--- a/agent/internal/features/api/api.go
+++ b/agent/internal/features/api/api.go
@@ -0,0 +1,288 @@
+package api
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"log/slog"
+	"net/http"
+	"os"
+	"time"
+
+	"github.com/go-resty/resty/v2"
+)
+
+const (
+	chainValidPath     = "/api/v1/backups/postgres/wal/is-wal-chain-valid-since-last-full-backup"
+	nextBackupTimePath = "/api/v1/backups/postgres/wal/next-full-backup-time"
+	walUploadPath      = "/api/v1/backups/postgres/wal/upload/wal"
+	fullStartPath      = "/api/v1/backups/postgres/wal/upload/full-start"
+	fullCompletePath   = "/api/v1/backups/postgres/wal/upload/full-complete"
+	reportErrorPath    = "/api/v1/backups/postgres/wal/error"
+	versionPath        = "/api/v1/system/version"
+	agentBinaryPath    = "/api/v1/system/agent"
+
+	apiCallTimeout   = 30 * time.Second
+	maxRetryAttempts = 3
+	retryBaseDelay   = 1 * time.Second
+)
+
+type Client struct {
+	json   *resty.Client
+	stream *resty.Client
+	host   string
+	log    *slog.Logger
+}
+
+func NewClient(host, token string, log *slog.Logger) *Client {
+	setAuth := func(_ *resty.Client, req *resty.Request) error {
+		if token != "" {
+			req.SetHeader("Authorization", token)
+		}
+
+		return nil
+	}
+
+	jsonClient := resty.New().
+		SetTimeout(apiCallTimeout).
+		SetRetryCount(maxRetryAttempts - 1).
+		SetRetryWaitTime(retryBaseDelay).
+		SetRetryMaxWaitTime(4 * retryBaseDelay).
+		AddRetryCondition(func(resp *resty.Response, err error) bool {
+			return err != nil || resp.StatusCode() >= 500
+		}).
+		OnBeforeRequest(setAuth)
+
+	streamClient := resty.New().
+		OnBeforeRequest(setAuth)
+
+	return &Client{
+		json:   jsonClient,
+		stream: streamClient,
+		host:   host,
+		log:    log,
+	}
+}
+
+func (c *Client) CheckWalChainValidity(ctx context.Context) (*WalChainValidityResponse, error) {
+	var resp WalChainValidityResponse
+
+	httpResp, err := c.json.R().
+		SetContext(ctx).
+		SetResult(&resp).
+		Get(c.buildURL(chainValidPath))
+	if err != nil {
+		return nil, err
+	}
+
+	if err := c.checkResponse(httpResp, "check WAL chain validity"); err != nil {
+		return nil, err
+	}
+
+	return &resp, nil
+}
+
+func (c *Client) GetNextFullBackupTime(ctx context.Context) (*NextFullBackupTimeResponse, error) {
+	var resp NextFullBackupTimeResponse
+
+	httpResp, err := c.json.R().
+		SetContext(ctx).
+		SetResult(&resp).
+		Get(c.buildURL(nextBackupTimePath))
+	if err != nil {
+		return nil, err
+	}
+
+	if err := c.checkResponse(httpResp, "get next full backup time"); err != nil {
+		return nil, err
+	}
+
+	return &resp, nil
+}
+
+func (c *Client) ReportBackupError(ctx context.Context, errMsg string) error {
+	httpResp, err := c.json.R().
+		SetContext(ctx).
+		SetBody(reportErrorRequest{Error: errMsg}).
+		Post(c.buildURL(reportErrorPath))
+	if err != nil {
+		return err
+	}
+
+	return c.checkResponse(httpResp, "report backup error")
+}
+
+func (c *Client) UploadBasebackup(
+	ctx context.Context,
+	body io.Reader,
+) (*UploadBasebackupResponse, error) {
+	resp, err := c.stream.R().
+		SetContext(ctx).
+		SetBody(body).
+		SetHeader("Content-Type", "application/octet-stream").
+		SetDoNotParseResponse(true).
+		Post(c.buildURL(fullStartPath))
+	if err != nil {
+		return nil, fmt.Errorf("upload request: %w", err)
+	}
+	defer func() { _ = resp.RawBody().Close() }()
+
+	if resp.StatusCode() != http.StatusOK {
+		respBody, _ := io.ReadAll(resp.RawBody())
+
+		return nil, fmt.Errorf("upload failed with status %d: %s", resp.StatusCode(), string(respBody))
+	}
+
+	var result UploadBasebackupResponse
+	if err := json.NewDecoder(resp.RawBody()).Decode(&result); err != nil {
+		return nil, fmt.Errorf("decode upload response: %w", err)
+	}
+
+	return &result, nil
+}
+
+func (c *Client) FinalizeBasebackup(
+	ctx context.Context,
+	backupID string,
+	startSegment string,
+	stopSegment string,
+) error {
+	resp, err := c.json.R().
+		SetContext(ctx).
+		SetBody(finalizeBasebackupRequest{
+			BackupID:     backupID,
+			StartSegment: startSegment,
+			StopSegment:  stopSegment,
+		}).
+		Post(c.buildURL(fullCompletePath))
+	if err != nil {
+		return fmt.Errorf("finalize request: %w", err)
+	}
+
+	if resp.StatusCode() != http.StatusOK {
+		return fmt.Errorf("finalize failed with status %d: %s", resp.StatusCode(), resp.String())
+	}
+
+	return nil
+}
+
+func (c *Client) FinalizeBasebackupWithError(
+	ctx context.Context,
+	backupID string,
+	errMsg string,
+) error {
+	resp, err := c.json.R().
+		SetContext(ctx).
+		SetBody(finalizeBasebackupRequest{
+			BackupID: backupID,
+			Error:    &errMsg,
+		}).
+		Post(c.buildURL(fullCompletePath))
+	if err != nil {
+		return fmt.Errorf("finalize-with-error request: %w", err)
+	}
+
+	if resp.StatusCode() != http.StatusOK {
+		return fmt.Errorf("finalize-with-error failed with status %d: %s", resp.StatusCode(), resp.String())
+	}
+
+	return nil
+}
+
+func (c *Client) UploadWalSegment(
+	ctx context.Context,
+	segmentName string,
+	body io.Reader,
+) (*UploadWalSegmentResult, error) {
+	resp, err := c.stream.R().
+		SetContext(ctx).
+		SetBody(body).
+		SetHeader("Content-Type", "application/octet-stream").
+		SetHeader("X-Wal-Segment-Name", segmentName).
+		SetDoNotParseResponse(true).
+		Post(c.buildURL(walUploadPath))
+	if err != nil {
+		return nil, fmt.Errorf("upload request: %w", err)
+	}
+	defer func() { _ = resp.RawBody().Close() }()
+
+	switch resp.StatusCode() {
+	case http.StatusNoContent:
+		return &UploadWalSegmentResult{IsGapDetected: false}, nil
+
+	case http.StatusConflict:
+		var errResp uploadErrorResponse
+
+		if err := json.NewDecoder(resp.RawBody()).Decode(&errResp); err != nil {
+			return &UploadWalSegmentResult{IsGapDetected: true}, nil
+		}
+
+		return &UploadWalSegmentResult{
+			IsGapDetected:       true,
+			ExpectedSegmentName: errResp.ExpectedSegmentName,
+			ReceivedSegmentName: errResp.ReceivedSegmentName,
+		}, nil
+
+	default:
+		respBody, _ := io.ReadAll(resp.RawBody())
+
+		return nil, fmt.Errorf("upload failed with status %d: %s", resp.StatusCode(), string(respBody))
+	}
+}
+
+func (c *Client) FetchServerVersion(ctx context.Context) (string, error) {
+	var ver versionResponse
+
+	httpResp, err := c.json.R().
+		SetContext(ctx).
+		SetResult(&ver).
+		Get(c.buildURL(versionPath))
+	if err != nil {
+		return "", err
+	}
+
+	if err := c.checkResponse(httpResp, "fetch server version"); err != nil {
+		return "", err
+	}
+
+	return ver.Version, nil
+}
+
+func (c *Client) DownloadAgentBinary(ctx context.Context, arch, destPath string) error {
+	resp, err := c.stream.R().
+		SetContext(ctx).
+		SetQueryParam("arch", arch).
+		SetDoNotParseResponse(true).
+		Get(c.buildURL(agentBinaryPath))
+	if err != nil {
+		return err
+	}
+	defer func() { _ = resp.RawBody().Close() }()
+
+	if resp.StatusCode() != http.StatusOK {
+		return fmt.Errorf("server returned %d for agent download", resp.StatusCode())
+	}
+
+	f, err := os.Create(destPath)
+	if err != nil {
+		return err
+	}
+	defer func() { _ = f.Close() }()
+
+	_, err = io.Copy(f, resp.RawBody())
+
+	return err
+}
+
+func (c *Client) buildURL(path string) string {
+	return c.host + path
+}
+
+func (c *Client) checkResponse(resp *resty.Response, method string) error {
+	if resp.StatusCode() >= 400 {
+		return fmt.Errorf("%s: server returned status %d: %s", method, resp.StatusCode(), resp.String())
+	}
+
+	return nil
+}
--- a/agent/internal/features/api/dto.go
+++ b/agent/internal/features/api/dto.go
@@ -0,0 +1,44 @@
+package api
+
+import "time"
+
+type WalChainValidityResponse struct {
+	IsValid               bool   `json:"isValid"`
+	Error                 string `json:"error,omitempty"`
+	LastContiguousSegment string `json:"lastContiguousSegment,omitempty"`
+}
+
+type NextFullBackupTimeResponse struct {
+	NextFullBackupTime *time.Time `json:"nextFullBackupTime"`
+}
+
+type UploadWalSegmentResult struct {
+	IsGapDetected       bool
+	ExpectedSegmentName string
+	ReceivedSegmentName string
+}
+
+type reportErrorRequest struct {
+	Error string `json:"error"`
+}
+
+type versionResponse struct {
+	Version string `json:"version"`
+}
+
+type UploadBasebackupResponse struct {
+	BackupID string `json:"backupId"`
+}
+
+type finalizeBasebackupRequest struct {
+	BackupID     string  `json:"backupId"`
+	StartSegment string  `json:"startSegment"`
+	StopSegment  string  `json:"stopSegment"`
+	Error        *string `json:"error,omitempty"`
+}
+
+type uploadErrorResponse struct {
+	Error               string `json:"error"`
+	ExpectedSegmentName string `json:"expectedSegmentName"`
+	ReceivedSegmentName string `json:"receivedSegmentName"`
+}
--- a/agent/internal/features/full_backup/backuper.go
+++ b/agent/internal/features/full_backup/backuper.go
@@ -0,0 +1,292 @@
+package full_backup
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"io"
+	"log/slog"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"sync/atomic"
+	"time"
+
+	"github.com/klauspost/compress/zstd"
+
+	"databasus-agent/internal/config"
+	"databasus-agent/internal/features/api"
+)
+
+const (
+	checkInterval = 30 * time.Second
+	retryDelay    = 1 * time.Minute
+	uploadTimeout = 30 * time.Minute
+)
+
+var retryDelayOverride *time.Duration
+
+type CmdBuilder func(ctx context.Context) *exec.Cmd
+
+// FullBackuper runs pg_basebackup when the WAL chain is broken or a scheduled backup is due.
+//
+// Every 30 seconds it checks two conditions via the Databasus API:
+//  1. WAL chain validity — if broken or no full backup exists, triggers an immediate basebackup.
+//  2. Scheduled backup time — if the next full backup time has passed, triggers a basebackup.
+//
+// Only one basebackup runs at a time (guarded by atomic bool).
+// On failure the error is reported to the server and the backup retries after 1 minute, indefinitely.
+// WAL segment uploads (handled by wal.Streamer) continue independently and are not paused.
+//
+// pg_basebackup runs as "pg_basebackup -Ft -D - -X none --verbose". Stdout (tar) is zstd-compressed
+// and uploaded to the server. Stderr is parsed for WAL start/stop segment names (LSN → segment arithmetic).
+type FullBackuper struct {
+	cfg        *config.Config
+	apiClient  *api.Client
+	log        *slog.Logger
+	isRunning  atomic.Bool
+	cmdBuilder CmdBuilder
+}
+
+func NewFullBackuper(cfg *config.Config, apiClient *api.Client, log *slog.Logger) *FullBackuper {
+	backuper := &FullBackuper{
+		cfg:       cfg,
+		apiClient: apiClient,
+		log:       log,
+	}
+
+	backuper.cmdBuilder = backuper.defaultCmdBuilder
+
+	return backuper
+}
+
+func (backuper *FullBackuper) Run(ctx context.Context) {
+	backuper.log.Info("Full backuper started")
+
+	backuper.checkAndRunIfNeeded(ctx)
+
+	ticker := time.NewTicker(checkInterval)
+	defer ticker.Stop()
+
+	for {
+		select {
+		case <-ctx.Done():
+			backuper.log.Info("Full backuper stopping")
+			return
+		case <-ticker.C:
+			backuper.checkAndRunIfNeeded(ctx)
+		}
+	}
+}
+
+func (backuper *FullBackuper) checkAndRunIfNeeded(ctx context.Context) {
+	if backuper.isRunning.Load() {
+		backuper.log.Debug("Skipping check: basebackup already in progress")
+		return
+	}
+
+	chainResp, err := backuper.apiClient.CheckWalChainValidity(ctx)
+	if err != nil {
+		backuper.log.Error("Failed to check WAL chain validity", "error", err)
+		return
+	}
+
+	if !chainResp.IsValid {
+		backuper.log.Info("WAL chain is invalid, triggering basebackup",
+			"error", chainResp.Error,
+			"lastContiguousSegment", chainResp.LastContiguousSegment,
+		)
+
+		backuper.runBasebackupWithRetry(ctx)
+
+		return
+	}
+
+	nextTimeResp, err := backuper.apiClient.GetNextFullBackupTime(ctx)
+	if err != nil {
+		backuper.log.Error("Failed to check next full backup time", "error", err)
+		return
+	}
+
+	if nextTimeResp.NextFullBackupTime == nil || !nextTimeResp.NextFullBackupTime.After(time.Now().UTC()) {
+		backuper.log.Info("Scheduled full backup is due, triggering basebackup")
+		backuper.runBasebackupWithRetry(ctx)
+
+		return
+	}
+
+	backuper.log.Debug("No basebackup needed",
+		"nextFullBackupTime", nextTimeResp.NextFullBackupTime,
+	)
+}
+
+func (backuper *FullBackuper) runBasebackupWithRetry(ctx context.Context) {
+	if !backuper.isRunning.CompareAndSwap(false, true) {
+		backuper.log.Debug("Skipping basebackup: already running")
+		return
+	}
+	defer backuper.isRunning.Store(false)
+
+	for {
+		if ctx.Err() != nil {
+			return
+		}
+
+		backuper.log.Info("Starting pg_basebackup")
+
+		err := backuper.executeAndUploadBasebackup(ctx)
+		if err == nil {
+			backuper.log.Info("Basebackup completed successfully")
+			return
+		}
+
+		backuper.log.Error("Basebackup failed", "error", err)
+		backuper.reportError(ctx, err.Error())
+
+		delay := retryDelay
+		if retryDelayOverride != nil {
+			delay = *retryDelayOverride
+		}
+
+		backuper.log.Info("Retrying basebackup after delay", "delay", delay)
+
+		select {
+		case <-ctx.Done():
+			return
+		case <-time.After(delay):
+		}
+	}
+}
+
+func (backuper *FullBackuper) executeAndUploadBasebackup(ctx context.Context) error {
+	cmd := backuper.cmdBuilder(ctx)
+
+	var stderrBuf bytes.Buffer
+	cmd.Stderr = &stderrBuf
+
+	stdoutPipe, err := cmd.StdoutPipe()
+	if err != nil {
+		return fmt.Errorf("create stdout pipe: %w", err)
+	}
+
+	if err := cmd.Start(); err != nil {
+		return fmt.Errorf("start pg_basebackup: %w", err)
+	}
+
+	// Phase 1: Stream compressed data via io.Pipe directly to the API.
+	pipeReader, pipeWriter := io.Pipe()
+	go backuper.compressAndStream(pipeWriter, stdoutPipe)
+
+	uploadCtx, cancel := context.WithTimeout(ctx, uploadTimeout)
+	defer cancel()
+
+	uploadResp, uploadErr := backuper.apiClient.UploadBasebackup(uploadCtx, pipeReader)
+
+	cmdErr := cmd.Wait()
+
+	if uploadErr != nil {
+		return fmt.Errorf("upload basebackup: %w", uploadErr)
+	}
+
+	if cmdErr != nil {
+		errMsg := fmt.Sprintf("pg_basebackup exited with error: %v (stderr: %s)", cmdErr, stderrBuf.String())
+		_ = backuper.apiClient.FinalizeBasebackupWithError(ctx, uploadResp.BackupID, errMsg)
+
+		return fmt.Errorf("pg_basebackup: %w", cmdErr)
+	}
+
+	// Phase 2: Parse stderr for WAL segments and finalize the backup.
+	stderrStr := stderrBuf.String()
+	backuper.log.Debug("pg_basebackup stderr", "stderr", stderrStr)
+
+	startSegment, stopSegment, err := ParseBasebackupStderr(stderrStr)
+	if err != nil {
+		errMsg := fmt.Sprintf("parse pg_basebackup stderr: %v", err)
+		_ = backuper.apiClient.FinalizeBasebackupWithError(ctx, uploadResp.BackupID, errMsg)
+
+		return fmt.Errorf("parse pg_basebackup stderr: %w", err)
+	}
+
+	backuper.log.Info("Basebackup WAL segments parsed",
+		"startSegment", startSegment,
+		"stopSegment", stopSegment,
+		"backupId", uploadResp.BackupID,
+	)
+
+	if err := backuper.apiClient.FinalizeBasebackup(ctx, uploadResp.BackupID, startSegment, stopSegment); err != nil {
+		return fmt.Errorf("finalize basebackup: %w", err)
+	}
+
+	return nil
+}
+
+func (backuper *FullBackuper) compressAndStream(pipeWriter *io.PipeWriter, reader io.Reader) {
+	encoder, err := zstd.NewWriter(pipeWriter,
+		zstd.WithEncoderLevel(zstd.EncoderLevelFromZstd(5)),
+		zstd.WithEncoderCRC(true),
+	)
+	if err != nil {
+		_ = pipeWriter.CloseWithError(fmt.Errorf("create zstd encoder: %w", err))
+		return
+	}
+
+	if _, err := io.Copy(encoder, reader); err != nil {
+		_ = encoder.Close()
+		_ = pipeWriter.CloseWithError(fmt.Errorf("compress: %w", err))
+		return
+	}
+
+	if err := encoder.Close(); err != nil {
+		_ = pipeWriter.CloseWithError(fmt.Errorf("close encoder: %w", err))
+		return
+	}
+
+	_ = pipeWriter.Close()
+}
+
+func (backuper *FullBackuper) reportError(ctx context.Context, errMsg string) {
+	if err := backuper.apiClient.ReportBackupError(ctx, errMsg); err != nil {
+		backuper.log.Error("Failed to report error to server", "error", err)
+	}
+}
+
+func (backuper *FullBackuper) defaultCmdBuilder(ctx context.Context) *exec.Cmd {
+	switch backuper.cfg.PgType {
+	case "docker":
+		return backuper.buildDockerCmd(ctx)
+	default:
+		return backuper.buildHostCmd(ctx)
+	}
+}
+
+func (backuper *FullBackuper) buildHostCmd(ctx context.Context) *exec.Cmd {
+	binary := "pg_basebackup"
+	if backuper.cfg.PgHostBinDir != "" {
+		binary = filepath.Join(backuper.cfg.PgHostBinDir, "pg_basebackup")
+	}
+
+	cmd := exec.CommandContext(ctx, binary,
+		"-Ft", "-D", "-", "-X", "none", "--verbose",
+		"-h", backuper.cfg.PgHost,
+		"-p", fmt.Sprintf("%d", backuper.cfg.PgPort),
+		"-U", backuper.cfg.PgUser,
+	)
+
+	cmd.Env = append(os.Environ(), "PGPASSWORD="+backuper.cfg.PgPassword)
+
+	return cmd
+}
+
+func (backuper *FullBackuper) buildDockerCmd(ctx context.Context) *exec.Cmd {
+	cmd := exec.CommandContext(ctx, "docker", "exec",
+		"-e", "PGPASSWORD="+backuper.cfg.PgPassword,
+		"-i", backuper.cfg.PgDockerContainerName,
+		"pg_basebackup",
+		"-Ft", "-D", "-", "-X", "none", "--verbose",
+		"-h", backuper.cfg.PgHost,
+		"-p", fmt.Sprintf("%d", backuper.cfg.PgPort),
+		"-U", backuper.cfg.PgUser,
+	)
+
+	return cmd
+}
--- a/agent/internal/features/full_backup/backuper_test.go
+++ b/agent/internal/features/full_backup/backuper_test.go
@@ -0,0 +1,671 @@
+package full_backup
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"os/exec"
+	"sync"
+	"sync/atomic"
+	"testing"
+	"time"
+
+	"github.com/klauspost/compress/zstd"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"databasus-agent/internal/config"
+	"databasus-agent/internal/features/api"
+	"databasus-agent/internal/logger"
+)
+
+const (
+	testChainValidPath     = "/api/v1/backups/postgres/wal/is-wal-chain-valid-since-last-full-backup"
+	testNextBackupTimePath = "/api/v1/backups/postgres/wal/next-full-backup-time"
+	testFullStartPath      = "/api/v1/backups/postgres/wal/upload/full-start"
+	testFullCompletePath   = "/api/v1/backups/postgres/wal/upload/full-complete"
+	testReportErrorPath    = "/api/v1/backups/postgres/wal/error"
+
+	testBackupID = "test-backup-id-1234"
+)
+
+func Test_RunFullBackup_WhenChainBroken_BasebackupTriggered(t *testing.T) {
+	var mu sync.Mutex
+	var uploadReceived bool
+	var uploadHeaders http.Header
+	var finalizeReceived bool
+	var finalizeBody map[string]any
+
+	server := newTestServer(t, func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case testChainValidPath:
+			writeJSON(w, api.WalChainValidityResponse{
+				IsValid:               false,
+				Error:                 "wal_chain_broken",
+				LastContiguousSegment: "000000010000000100000011",
+			})
+		case testFullStartPath:
+			mu.Lock()
+			uploadReceived = true
+			uploadHeaders = r.Header.Clone()
+			mu.Unlock()
+
+			_, _ = io.ReadAll(r.Body)
+			writeJSON(w, map[string]string{"backupId": testBackupID})
+		case testFullCompletePath:
+			mu.Lock()
+			finalizeReceived = true
+			_ = json.NewDecoder(r.Body).Decode(&finalizeBody)
+			mu.Unlock()
+
+			w.WriteHeader(http.StatusOK)
+		default:
+			w.WriteHeader(http.StatusNotFound)
+		}
+	})
+
+	fb := newTestFullBackuper(server.URL)
+	fb.cmdBuilder = mockCmdBuilder(t, "test-backup-data", validStderr())
+
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	go fb.Run(ctx)
+	waitForCondition(t, func() bool {
+		mu.Lock()
+		defer mu.Unlock()
+		return finalizeReceived
+	}, 5*time.Second)
+	cancel()
+
+	mu.Lock()
+	defer mu.Unlock()
+
+	assert.True(t, uploadReceived)
+	assert.Equal(t, "application/octet-stream", uploadHeaders.Get("Content-Type"))
+	assert.Equal(t, "test-token", uploadHeaders.Get("Authorization"))
+
+	assert.True(t, finalizeReceived)
+	assert.Equal(t, testBackupID, finalizeBody["backupId"])
+	assert.Equal(t, "000000010000000000000002", finalizeBody["startSegment"])
+	assert.Equal(t, "000000010000000000000002", finalizeBody["stopSegment"])
+}
+
+func Test_RunFullBackup_WhenScheduledBackupDue_BasebackupTriggered(t *testing.T) {
+	var mu sync.Mutex
+	var finalizeReceived bool
+
+	pastTime := time.Now().UTC().Add(-1 * time.Hour)
+
+	server := newTestServer(t, func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case testChainValidPath:
+			writeJSON(w, api.WalChainValidityResponse{IsValid: true})
+		case testNextBackupTimePath:
+			writeJSON(w, api.NextFullBackupTimeResponse{NextFullBackupTime: &pastTime})
+		case testFullStartPath:
+			_, _ = io.ReadAll(r.Body)
+			writeJSON(w, map[string]string{"backupId": testBackupID})
+		case testFullCompletePath:
+			mu.Lock()
+			finalizeReceived = true
+			mu.Unlock()
+
+			w.WriteHeader(http.StatusOK)
+		default:
+			w.WriteHeader(http.StatusNotFound)
+		}
+	})
+
+	fb := newTestFullBackuper(server.URL)
+	fb.cmdBuilder = mockCmdBuilder(t, "scheduled-backup-data", validStderr())
+
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	go fb.Run(ctx)
+	waitForCondition(t, func() bool {
+		mu.Lock()
+		defer mu.Unlock()
+		return finalizeReceived
+	}, 5*time.Second)
+	cancel()
+
+	mu.Lock()
+	defer mu.Unlock()
+
+	assert.True(t, finalizeReceived)
+}
+
+func Test_RunFullBackup_WhenNoFullBackupExists_ImmediateBasebackupTriggered(t *testing.T) {
+	var mu sync.Mutex
+	var finalizeReceived bool
+
+	server := newTestServer(t, func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case testChainValidPath:
+			writeJSON(w, api.WalChainValidityResponse{
+				IsValid: false,
+				Error:   "no_full_backup",
+			})
+		case testFullStartPath:
+			_, _ = io.ReadAll(r.Body)
+			writeJSON(w, map[string]string{"backupId": testBackupID})
+		case testFullCompletePath:
+			mu.Lock()
+			finalizeReceived = true
+			mu.Unlock()
+
+			w.WriteHeader(http.StatusOK)
+		default:
+			w.WriteHeader(http.StatusNotFound)
+		}
+	})
+
+	fb := newTestFullBackuper(server.URL)
+	fb.cmdBuilder = mockCmdBuilder(t, "first-backup-data", validStderr())
+
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	go fb.Run(ctx)
+	waitForCondition(t, func() bool {
+		mu.Lock()
+		defer mu.Unlock()
+		return finalizeReceived
+	}, 5*time.Second)
+	cancel()
+
+	mu.Lock()
+	defer mu.Unlock()
+
+	assert.True(t, finalizeReceived)
+}
+
+func Test_RunFullBackup_WhenUploadFails_RetriesAfterDelay(t *testing.T) {
+	var mu sync.Mutex
+	var uploadAttempts int
+	var errorReported bool
+
+	server := newTestServer(t, func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case testChainValidPath:
+			writeJSON(w, api.WalChainValidityResponse{
+				IsValid: false,
+				Error:   "no_full_backup",
+			})
+		case testFullStartPath:
+			_, _ = io.ReadAll(r.Body)
+
+			mu.Lock()
+			uploadAttempts++
+			attempt := uploadAttempts
+			mu.Unlock()
+
+			if attempt == 1 {
+				w.WriteHeader(http.StatusInternalServerError)
+				_, _ = w.Write([]byte(`{"error":"storage unavailable"}`))
+				return
+			}
+
+			writeJSON(w, map[string]string{"backupId": testBackupID})
+		case testFullCompletePath:
+			w.WriteHeader(http.StatusOK)
+		case testReportErrorPath:
+			mu.Lock()
+			errorReported = true
+			mu.Unlock()
+
+			w.WriteHeader(http.StatusOK)
+		default:
+			w.WriteHeader(http.StatusNotFound)
+		}
+	})
+
+	fb := newTestFullBackuper(server.URL)
+	fb.cmdBuilder = mockCmdBuilder(t, "retry-backup-data", validStderr())
+
+	origRetryDelay := retryDelay
+	setRetryDelay(100 * time.Millisecond)
+	defer setRetryDelay(origRetryDelay)
+
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	defer cancel()
+
+	go fb.Run(ctx)
+	waitForCondition(t, func() bool {
+		mu.Lock()
+		defer mu.Unlock()
+		return uploadAttempts >= 2
+	}, 10*time.Second)
+	cancel()
+
+	mu.Lock()
+	defer mu.Unlock()
+
+	assert.GreaterOrEqual(t, uploadAttempts, 2)
+	assert.True(t, errorReported)
+}
+
+func Test_RunFullBackup_WhenAlreadyRunning_SkipsExecution(t *testing.T) {
+	var mu sync.Mutex
+	var uploadCount int
+
+	server := newTestServer(t, func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case testChainValidPath:
+			writeJSON(w, api.WalChainValidityResponse{
+				IsValid: false,
+				Error:   "no_full_backup",
+			})
+		case testFullStartPath:
+			_, _ = io.ReadAll(r.Body)
+
+			mu.Lock()
+			uploadCount++
+			mu.Unlock()
+
+			writeJSON(w, map[string]string{"backupId": testBackupID})
+		case testFullCompletePath:
+			w.WriteHeader(http.StatusOK)
+		default:
+			w.WriteHeader(http.StatusNotFound)
+		}
+	})
+
+	fb := newTestFullBackuper(server.URL)
+	fb.cmdBuilder = mockCmdBuilder(t, "data", validStderr())
+
+	fb.isRunning.Store(true)
+
+	fb.checkAndRunIfNeeded(context.Background())
+
+	mu.Lock()
+	count := uploadCount
+	mu.Unlock()
+
+	assert.Equal(t, 0, count, "should not trigger backup when already running")
+}
+
+func Test_RunFullBackup_WhenContextCancelled_StopsCleanly(t *testing.T) {
+	server := newTestServer(t, func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case testChainValidPath:
+			writeJSON(w, api.WalChainValidityResponse{
+				IsValid: false,
+				Error:   "no_full_backup",
+			})
+		case testFullStartPath:
+			_, _ = io.ReadAll(r.Body)
+			w.WriteHeader(http.StatusInternalServerError)
+		case testFullCompletePath:
+			w.WriteHeader(http.StatusOK)
+		case testReportErrorPath:
+			w.WriteHeader(http.StatusOK)
+		default:
+			w.WriteHeader(http.StatusNotFound)
+		}
+	})
+
+	fb := newTestFullBackuper(server.URL)
+	fb.cmdBuilder = mockCmdBuilder(t, "data", validStderr())
+
+	origRetryDelay := retryDelay
+	setRetryDelay(5 * time.Second)
+	defer setRetryDelay(origRetryDelay)
+
+	ctx, cancel := context.WithTimeout(context.Background(), 500*time.Millisecond)
+	defer cancel()
+
+	done := make(chan struct{})
+	go func() {
+		fb.Run(ctx)
+		close(done)
+	}()
+
+	select {
+	case <-done:
+	case <-time.After(5 * time.Second):
+		t.Fatal("Run should have stopped after context cancellation")
+	}
+}
+
+func Test_RunFullBackup_WhenChainValidAndNotScheduled_NoBasebackupTriggered(t *testing.T) {
+	var uploadReceived atomic.Bool
+
+	futureTime := time.Now().UTC().Add(24 * time.Hour)
+
+	server := newTestServer(t, func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case testChainValidPath:
+			writeJSON(w, api.WalChainValidityResponse{IsValid: true})
+		case testNextBackupTimePath:
+			writeJSON(w, api.NextFullBackupTimeResponse{NextFullBackupTime: &futureTime})
+		case testFullStartPath:
+			uploadReceived.Store(true)
+
+			_, _ = io.ReadAll(r.Body)
+			writeJSON(w, map[string]string{"backupId": testBackupID})
+		case testFullCompletePath:
+			w.WriteHeader(http.StatusOK)
+		default:
+			w.WriteHeader(http.StatusNotFound)
+		}
+	})
+
+	fb := newTestFullBackuper(server.URL)
+	fb.cmdBuilder = mockCmdBuilder(t, "data", validStderr())
+
+	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
+	defer cancel()
+
+	go fb.Run(ctx)
+	time.Sleep(500 * time.Millisecond)
+	cancel()
+
+	assert.False(t, uploadReceived.Load(), "should not trigger backup when chain valid and not scheduled")
+}
+
+func Test_RunFullBackup_WhenStderrParsingFails_FinalizesWithErrorAndRetries(t *testing.T) {
+	var mu sync.Mutex
+	var errorReported bool
+	var finalizeWithErrorReceived bool
+	var finalizeBody map[string]any
+
+	server := newTestServer(t, func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case testChainValidPath:
+			writeJSON(w, api.WalChainValidityResponse{
+				IsValid: false,
+				Error:   "no_full_backup",
+			})
+		case testFullStartPath:
+			_, _ = io.ReadAll(r.Body)
+			writeJSON(w, map[string]string{"backupId": testBackupID})
+		case testFullCompletePath:
+			mu.Lock()
+			finalizeWithErrorReceived = true
+			_ = json.NewDecoder(r.Body).Decode(&finalizeBody)
+			mu.Unlock()
+
+			w.WriteHeader(http.StatusOK)
+		case testReportErrorPath:
+			mu.Lock()
+			errorReported = true
+			mu.Unlock()
+
+			w.WriteHeader(http.StatusOK)
+		default:
+			w.WriteHeader(http.StatusNotFound)
+		}
+	})
+
+	fb := newTestFullBackuper(server.URL)
+	fb.cmdBuilder = mockCmdBuilder(t, "data", "pg_basebackup: unexpected output with no LSN info")
+
+	origRetryDelay := retryDelay
+	setRetryDelay(100 * time.Millisecond)
+	defer setRetryDelay(origRetryDelay)
+
+	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
+	defer cancel()
+
+	go fb.Run(ctx)
+	waitForCondition(t, func() bool {
+		mu.Lock()
+		defer mu.Unlock()
+		return errorReported
+	}, 2*time.Second)
+	cancel()
+
+	mu.Lock()
+	defer mu.Unlock()
+
+	assert.True(t, errorReported)
+	assert.True(t, finalizeWithErrorReceived, "should finalize with error when stderr parsing fails")
+	assert.Equal(t, testBackupID, finalizeBody["backupId"])
+	assert.NotNil(t, finalizeBody["error"], "finalize should include error message")
+}
+
+func Test_RunFullBackup_WhenNextBackupTimeNull_BasebackupTriggered(t *testing.T) {
+	var mu sync.Mutex
+	var finalizeReceived bool
+
+	server := newTestServer(t, func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case testChainValidPath:
+			writeJSON(w, api.WalChainValidityResponse{IsValid: true})
+		case testNextBackupTimePath:
+			writeJSON(w, api.NextFullBackupTimeResponse{NextFullBackupTime: nil})
+		case testFullStartPath:
+			_, _ = io.ReadAll(r.Body)
+			writeJSON(w, map[string]string{"backupId": testBackupID})
+		case testFullCompletePath:
+			mu.Lock()
+			finalizeReceived = true
+			mu.Unlock()
+
+			w.WriteHeader(http.StatusOK)
+		default:
+			w.WriteHeader(http.StatusNotFound)
+		}
+	})
+
+	fb := newTestFullBackuper(server.URL)
+	fb.cmdBuilder = mockCmdBuilder(t, "first-run-data", validStderr())
+
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	go fb.Run(ctx)
+	waitForCondition(t, func() bool {
+		mu.Lock()
+		defer mu.Unlock()
+		return finalizeReceived
+	}, 5*time.Second)
+	cancel()
+
+	mu.Lock()
+	defer mu.Unlock()
+
+	assert.True(t, finalizeReceived)
+}
+
+func Test_RunFullBackup_WhenChainValidityReturns401_NoBasebackupTriggered(t *testing.T) {
+	var uploadReceived atomic.Bool
+
+	server := newTestServer(t, func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case testChainValidPath:
+			w.WriteHeader(http.StatusUnauthorized)
+			_, _ = w.Write([]byte(`{"error":"invalid token"}`))
+		case testFullStartPath:
+			uploadReceived.Store(true)
+
+			_, _ = io.ReadAll(r.Body)
+			writeJSON(w, map[string]string{"backupId": testBackupID})
+		case testFullCompletePath:
+			w.WriteHeader(http.StatusOK)
+		default:
+			w.WriteHeader(http.StatusNotFound)
+		}
+	})
+
+	fb := newTestFullBackuper(server.URL)
+	fb.cmdBuilder = mockCmdBuilder(t, "data", validStderr())
+
+	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
+	defer cancel()
+
+	go fb.Run(ctx)
+	time.Sleep(500 * time.Millisecond)
+	cancel()
+
+	assert.False(t, uploadReceived.Load(), "should not trigger backup when API returns 401")
+}
+
+func Test_RunFullBackup_WhenUploadSucceeds_BodyIsZstdCompressed(t *testing.T) {
+	var mu sync.Mutex
+	var receivedBody []byte
+
+	server := newTestServer(t, func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case testChainValidPath:
+			writeJSON(w, api.WalChainValidityResponse{
+				IsValid: false,
+				Error:   "no_full_backup",
+			})
+		case testFullStartPath:
+			body, _ := io.ReadAll(r.Body)
+
+			mu.Lock()
+			receivedBody = body
+			mu.Unlock()
+
+			writeJSON(w, map[string]string{"backupId": testBackupID})
+		case testFullCompletePath:
+			w.WriteHeader(http.StatusOK)
+		default:
+			w.WriteHeader(http.StatusNotFound)
+		}
+	})
+
+	originalContent := "test-backup-content-for-compression-check"
+	fb := newTestFullBackuper(server.URL)
+	fb.cmdBuilder = mockCmdBuilder(t, originalContent, validStderr())
+
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	go fb.Run(ctx)
+	waitForCondition(t, func() bool {
+		mu.Lock()
+		defer mu.Unlock()
+		return len(receivedBody) > 0
+	}, 5*time.Second)
+	cancel()
+
+	mu.Lock()
+	body := receivedBody
+	mu.Unlock()
+
+	decoder, err := zstd.NewReader(nil)
+	require.NoError(t, err)
+	defer decoder.Close()
+
+	decompressed, err := decoder.DecodeAll(body, nil)
+	require.NoError(t, err)
+	assert.Equal(t, originalContent, string(decompressed))
+}
+
+func newTestServer(t *testing.T, handler http.HandlerFunc) *httptest.Server {
+	t.Helper()
+
+	server := httptest.NewServer(handler)
+	t.Cleanup(server.Close)
+
+	return server
+}
+
+func newTestFullBackuper(serverURL string) *FullBackuper {
+	cfg := &config.Config{
+		DatabasusHost: serverURL,
+		DbID:          "test-db-id",
+		Token:         "test-token",
+		PgHost:        "localhost",
+		PgPort:        5432,
+		PgUser:        "postgres",
+		PgPassword:    "password",
+		PgType:        "host",
+	}
+
+	apiClient := api.NewClient(serverURL, cfg.Token, logger.GetLogger())
+
+	return NewFullBackuper(cfg, apiClient, logger.GetLogger())
+}
+
+func mockCmdBuilder(t *testing.T, stdoutContent, stderrContent string) CmdBuilder {
+	t.Helper()
+
+	return func(ctx context.Context) *exec.Cmd {
+		cmd := exec.CommandContext(ctx, os.Args[0],
+			"-test.run=TestHelperProcess",
+			"--",
+			stdoutContent,
+			stderrContent,
+		)
+
+		cmd.Env = append(os.Environ(), "GO_TEST_HELPER_PROCESS=1")
+
+		return cmd
+	}
+}
+
+func TestHelperProcess(t *testing.T) {
+	if os.Getenv("GO_TEST_HELPER_PROCESS") != "1" {
+		return
+	}
+
+	args := os.Args
+	for i, arg := range args {
+		if arg == "--" {
+			args = args[i+1:]
+			break
+		}
+	}
+
+	if len(args) >= 1 {
+		_, _ = fmt.Fprint(os.Stdout, args[0])
+	}
+
+	if len(args) >= 2 {
+		_, _ = fmt.Fprint(os.Stderr, args[1])
+	}
+
+	os.Exit(0)
+}
+
+func validStderr() string {
+	return `pg_basebackup: initiating base backup, waiting for checkpoint to complete
+pg_basebackup: checkpoint completed
+pg_basebackup: write-ahead log start point: 0/2000028, on timeline 1
+pg_basebackup: checkpoint redo point at 0/2000028
+pg_basebackup: write-ahead log end point: 0/2000100
+pg_basebackup: base backup completed`
+}
+
+func writeJSON(w http.ResponseWriter, v any) {
+	w.Header().Set("Content-Type", "application/json")
+
+	if err := json.NewEncoder(w).Encode(v); err != nil {
+		w.WriteHeader(http.StatusInternalServerError)
+	}
+}
+
+func waitForCondition(t *testing.T, condition func() bool, timeout time.Duration) {
+	t.Helper()
+
+	deadline := time.Now().Add(timeout)
+
+	for time.Now().Before(deadline) {
+		if condition() {
+			return
+		}
+
+		time.Sleep(50 * time.Millisecond)
+	}
+
+	t.Fatalf("condition not met within %v", timeout)
+}
+
+func setRetryDelay(d time.Duration) {
+	retryDelayOverride = &d
+}
+
+func init() {
+	retryDelayOverride = nil
+}
--- a/agent/internal/features/full_backup/stderr_parser.go
+++ b/agent/internal/features/full_backup/stderr_parser.go
@@ -0,0 +1,75 @@
+package full_backup
+
+import (
+	"fmt"
+	"regexp"
+	"strconv"
+	"strings"
+)
+
+const defaultWalSegmentSize uint32 = 16 * 1024 * 1024 // 16 MB
+
+var (
+	startLSNRegex = regexp.MustCompile(`checkpoint redo point at ([0-9A-Fa-f]+/[0-9A-Fa-f]+)`)
+	stopLSNRegex  = regexp.MustCompile(`write-ahead log end point: ([0-9A-Fa-f]+/[0-9A-Fa-f]+)`)
+)
+
+func ParseBasebackupStderr(stderr string) (startSegment, stopSegment string, err error) {
+	startMatch := startLSNRegex.FindStringSubmatch(stderr)
+	if len(startMatch) < 2 {
+		return "", "", fmt.Errorf("failed to parse start WAL location from pg_basebackup stderr")
+	}
+
+	stopMatch := stopLSNRegex.FindStringSubmatch(stderr)
+	if len(stopMatch) < 2 {
+		return "", "", fmt.Errorf("failed to parse stop WAL location from pg_basebackup stderr")
+	}
+
+	startSegment, err = LSNToSegmentName(startMatch[1], 1, defaultWalSegmentSize)
+	if err != nil {
+		return "", "", fmt.Errorf("failed to convert start LSN to segment name: %w", err)
+	}
+
+	stopSegment, err = LSNToSegmentName(stopMatch[1], 1, defaultWalSegmentSize)
+	if err != nil {
+		return "", "", fmt.Errorf("failed to convert stop LSN to segment name: %w", err)
+	}
+
+	return startSegment, stopSegment, nil
+}
+
+func LSNToSegmentName(lsn string, timelineID, walSegmentSize uint32) (string, error) {
+	high, low, err := parseLSN(lsn)
+	if err != nil {
+		return "", err
+	}
+
+	segmentsPerXLogID := uint32(0x100000000 / uint64(walSegmentSize))
+	logID := high
+	segmentOffset := low / walSegmentSize
+
+	if segmentOffset >= segmentsPerXLogID {
+		return "", fmt.Errorf("segment offset %d exceeds segments per XLogId %d", segmentOffset, segmentsPerXLogID)
+	}
+
+	return fmt.Sprintf("%08X%08X%08X", timelineID, logID, segmentOffset), nil
+}
+
+func parseLSN(lsn string) (high, low uint32, err error) {
+	parts := strings.SplitN(lsn, "/", 2)
+	if len(parts) != 2 {
+		return 0, 0, fmt.Errorf("invalid LSN format: %q (expected X/Y)", lsn)
+	}
+
+	highVal, err := strconv.ParseUint(parts[0], 16, 32)
+	if err != nil {
+		return 0, 0, fmt.Errorf("invalid LSN high part %q: %w", parts[0], err)
+	}
+
+	lowVal, err := strconv.ParseUint(parts[1], 16, 32)
+	if err != nil {
+		return 0, 0, fmt.Errorf("invalid LSN low part %q: %w", parts[1], err)
+	}
+
+	return uint32(highVal), uint32(lowVal), nil
+}
--- a/agent/internal/features/full_backup/stderr_parser_test.go
+++ b/agent/internal/features/full_backup/stderr_parser_test.go
@@ -0,0 +1,162 @@
+package full_backup
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func Test_ParseBasebackupStderr_WithPG17Output_ExtractsCorrectSegments(t *testing.T) {
+	stderr := `pg_basebackup: initiating base backup, waiting for checkpoint to complete
+pg_basebackup: checkpoint completed
+pg_basebackup: write-ahead log start point: 0/2000028, on timeline 1
+pg_basebackup: starting background WAL receiver
+pg_basebackup: checkpoint redo point at 0/2000028
+pg_basebackup: write-ahead log end point: 0/2000100
+pg_basebackup: waiting for background process to finish streaming ...
+pg_basebackup: syncing data to disk ...
+pg_basebackup: renaming backup_manifest.tmp to backup_manifest
+pg_basebackup: base backup completed`
+
+	startSeg, stopSeg, err := ParseBasebackupStderr(stderr)
+
+	require.NoError(t, err)
+	assert.Equal(t, "000000010000000000000002", startSeg)
+	assert.Equal(t, "000000010000000000000002", stopSeg)
+}
+
+func Test_ParseBasebackupStderr_WithPG15Output_ExtractsCorrectSegments(t *testing.T) {
+	stderr := `pg_basebackup: initiating base backup, waiting for checkpoint to complete
+pg_basebackup: checkpoint completed
+pg_basebackup: write-ahead log start point: 1/AB000028, on timeline 1
+pg_basebackup: checkpoint redo point at 1/AB000028
+pg_basebackup: write-ahead log end point: 1/AC000000
+pg_basebackup: base backup completed`
+
+	startSeg, stopSeg, err := ParseBasebackupStderr(stderr)
+
+	require.NoError(t, err)
+	assert.Equal(t, "0000000100000001000000AB", startSeg)
+	assert.Equal(t, "0000000100000001000000AC", stopSeg)
+}
+
+func Test_ParseBasebackupStderr_WithHighLogID_ExtractsCorrectSegments(t *testing.T) {
+	stderr := `pg_basebackup: checkpoint redo point at A/FF000028
+pg_basebackup: write-ahead log end point: B/1000000`
+
+	startSeg, stopSeg, err := ParseBasebackupStderr(stderr)
+
+	require.NoError(t, err)
+	assert.Equal(t, "000000010000000A000000FF", startSeg)
+	assert.Equal(t, "000000010000000B00000001", stopSeg)
+}
+
+func Test_ParseBasebackupStderr_WhenStartLSNMissing_ReturnsError(t *testing.T) {
+	stderr := `pg_basebackup: write-ahead log end point: 0/2000100
+pg_basebackup: base backup completed`
+
+	_, _, err := ParseBasebackupStderr(stderr)
+
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "failed to parse start WAL location")
+}
+
+func Test_ParseBasebackupStderr_WhenStopLSNMissing_ReturnsError(t *testing.T) {
+	stderr := `pg_basebackup: checkpoint redo point at 0/2000028
+pg_basebackup: base backup completed`
+
+	_, _, err := ParseBasebackupStderr(stderr)
+
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "failed to parse stop WAL location")
+}
+
+func Test_ParseBasebackupStderr_WhenEmptyStderr_ReturnsError(t *testing.T) {
+	_, _, err := ParseBasebackupStderr("")
+
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "failed to parse start WAL location")
+}
+
+func Test_LSNToSegmentName_WithBoundaryValues_ConvertsCorrectly(t *testing.T) {
+	tests := []struct {
+		name     string
+		lsn      string
+		timeline uint32
+		segSize  uint32
+		expected string
+	}{
+		{
+			name:     "first segment",
+			lsn:      "0/1000000",
+			timeline: 1,
+			segSize:  16 * 1024 * 1024,
+			expected: "000000010000000000000001",
+		},
+		{
+			name:     "segment at boundary FF",
+			lsn:      "0/FF000000",
+			timeline: 1,
+			segSize:  16 * 1024 * 1024,
+			expected: "0000000100000000000000FF",
+		},
+		{
+			name:     "segment in second log file",
+			lsn:      "1/0",
+			timeline: 1,
+			segSize:  16 * 1024 * 1024,
+			expected: "000000010000000100000000",
+		},
+		{
+			name:     "segment with offset within 16MB",
+			lsn:      "0/200ABCD",
+			timeline: 1,
+			segSize:  16 * 1024 * 1024,
+			expected: "000000010000000000000002",
+		},
+		{
+			name:     "zero LSN",
+			lsn:      "0/0",
+			timeline: 1,
+			segSize:  16 * 1024 * 1024,
+			expected: "000000010000000000000000",
+		},
+		{
+			name:     "high timeline ID",
+			lsn:      "0/1000000",
+			timeline: 2,
+			segSize:  16 * 1024 * 1024,
+			expected: "000000020000000000000001",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result, err := LSNToSegmentName(tt.lsn, tt.timeline, tt.segSize)
+
+			require.NoError(t, err)
+			assert.Equal(t, tt.expected, result)
+		})
+	}
+}
+
+func Test_LSNToSegmentName_WithInvalidLSN_ReturnsError(t *testing.T) {
+	tests := []struct {
+		name string
+		lsn  string
+	}{
+		{name: "no slash", lsn: "012345"},
+		{name: "empty string", lsn: ""},
+		{name: "invalid hex high", lsn: "GG/0"},
+		{name: "invalid hex low", lsn: "0/ZZ"},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			_, err := LSNToSegmentName(tt.lsn, 1, 16*1024*1024)
+
+			require.Error(t, err)
+		})
+	}
+}
--- a/agent/internal/features/start/daemon.go
+++ b/agent/internal/features/start/daemon.go
@@ -0,0 +1,121 @@
+//go:build !windows
+
+package start
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"log/slog"
+	"os"
+	"os/exec"
+	"syscall"
+	"time"
+)
+
+const (
+	logFileName        = "databasus.log"
+	stopTimeout        = 30 * time.Second
+	stopPollInterval   = 500 * time.Millisecond
+	daemonStartupDelay = 500 * time.Millisecond
+)
+
+func Stop(log *slog.Logger) error {
+	pid, err := ReadLockFilePID()
+	if err != nil {
+		if errors.Is(err, os.ErrNotExist) {
+			return errors.New("agent is not running (no lock file found)")
+		}
+
+		return fmt.Errorf("failed to read lock file: %w", err)
+	}
+
+	if !isProcessAlive(pid) {
+		_ = os.Remove(lockFileName)
+		return fmt.Errorf("agent is not running (stale lock file removed, PID %d)", pid)
+	}
+
+	log.Info("Sending SIGTERM to agent", "pid", pid)
+
+	if err := syscall.Kill(pid, syscall.SIGTERM); err != nil {
+		return fmt.Errorf("failed to send SIGTERM to PID %d: %w", pid, err)
+	}
+
+	deadline := time.Now().Add(stopTimeout)
+	for time.Now().Before(deadline) {
+		if !isProcessAlive(pid) {
+			log.Info("Agent stopped", "pid", pid)
+			return nil
+		}
+
+		time.Sleep(stopPollInterval)
+	}
+
+	return fmt.Errorf("agent (PID %d) did not stop within %s — process may be stuck", pid, stopTimeout)
+}
+
+func Status(log *slog.Logger) error {
+	pid, err := ReadLockFilePID()
+	if err != nil {
+		if errors.Is(err, os.ErrNotExist) {
+			fmt.Println("Agent is not running")
+			return nil
+		}
+
+		return fmt.Errorf("failed to read lock file: %w", err)
+	}
+
+	if isProcessAlive(pid) {
+		fmt.Printf("Agent is running (PID %d)\n", pid)
+	} else {
+		fmt.Println("Agent is not running (stale lock file)")
+		_ = os.Remove(lockFileName)
+	}
+
+	return nil
+}
+
+func spawnDaemon(log *slog.Logger) (int, error) {
+	execPath, err := os.Executable()
+	if err != nil {
+		return 0, fmt.Errorf("failed to resolve executable path: %w", err)
+	}
+
+	args := []string{"_run"}
+
+	logFile, err := os.OpenFile(logFileName, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0o644)
+	if err != nil {
+		return 0, fmt.Errorf("failed to open log file %s: %w", logFileName, err)
+	}
+
+	cwd, err := os.Getwd()
+	if err != nil {
+		_ = logFile.Close()
+		return 0, fmt.Errorf("failed to get working directory: %w", err)
+	}
+
+	cmd := exec.CommandContext(context.Background(), execPath, args...)
+	cmd.Dir = cwd
+	cmd.Stderr = logFile
+	cmd.SysProcAttr = &syscall.SysProcAttr{Setsid: true}
+
+	if err := cmd.Start(); err != nil {
+		_ = logFile.Close()
+		return 0, fmt.Errorf("failed to start daemon process: %w", err)
+	}
+
+	pid := cmd.Process.Pid
+
+	// Detach — we don't wait for the child
+	_ = logFile.Close()
+
+	time.Sleep(daemonStartupDelay)
+
+	if !isProcessAlive(pid) {
+		return 0, fmt.Errorf("daemon process (PID %d) exited immediately — check %s for details", pid, logFileName)
+	}
+
+	log.Info("Daemon spawned", "pid", pid, "log", logFileName)
+
+	return pid, nil
+}
--- a/agent/internal/features/start/daemon_windows.go
+++ b/agent/internal/features/start/daemon_windows.go
@@ -0,0 +1,20 @@
+//go:build windows
+
+package start
+
+import (
+	"errors"
+	"log/slog"
+)
+
+func Stop(log *slog.Logger) error {
+	return errors.New("stop is not supported on Windows — use Ctrl+C in the terminal where the agent is running")
+}
+
+func Status(log *slog.Logger) error {
+	return errors.New("status is not supported on Windows — check the terminal where the agent is running")
+}
+
+func spawnDaemon(_ *slog.Logger) (int, error) {
+	return 0, errors.New("daemon mode is not supported on Windows")
+}
--- a/agent/internal/features/start/lock.go
+++ b/agent/internal/features/start/lock.go
@@ -0,0 +1,117 @@
+//go:build !windows
+
+package start
+
+import (
+	"errors"
+	"fmt"
+	"io"
+	"log/slog"
+	"os"
+	"strconv"
+	"strings"
+	"syscall"
+)
+
+const lockFileName = "databasus.lock"
+
+func AcquireLock(log *slog.Logger) (*os.File, error) {
+	f, err := os.OpenFile(lockFileName, os.O_CREATE|os.O_RDWR, 0o644)
+	if err != nil {
+		return nil, fmt.Errorf("failed to open lock file: %w", err)
+	}
+
+	err = syscall.Flock(int(f.Fd()), syscall.LOCK_EX|syscall.LOCK_NB)
+	if err == nil {
+		if err := writePID(f); err != nil {
+			_ = f.Close()
+			return nil, err
+		}
+
+		log.Info("Process lock acquired", "pid", os.Getpid(), "lockFile", lockFileName)
+
+		return f, nil
+	}
+
+	if !errors.Is(err, syscall.EWOULDBLOCK) {
+		_ = f.Close()
+		return nil, fmt.Errorf("failed to acquire lock: %w", err)
+	}
+
+	pid, pidErr := readLockPID(f)
+	_ = f.Close()
+
+	if pidErr != nil {
+		return nil, fmt.Errorf("another instance is already running")
+	}
+
+	return nil, fmt.Errorf("another instance is already running (PID %d)", pid)
+}
+
+func ReleaseLock(f *os.File) {
+	_ = syscall.Flock(int(f.Fd()), syscall.LOCK_UN)
+	_ = f.Close()
+	_ = os.Remove(lockFileName)
+}
+
+func ReadLockFilePID() (int, error) {
+	f, err := os.Open(lockFileName)
+	if err != nil {
+		return 0, err
+	}
+	defer func() { _ = f.Close() }()
+
+	return readLockPID(f)
+}
+
+func writePID(f *os.File) error {
+	if err := f.Truncate(0); err != nil {
+		return fmt.Errorf("failed to truncate lock file: %w", err)
+	}
+
+	if _, err := f.Seek(0, io.SeekStart); err != nil {
+		return fmt.Errorf("failed to seek lock file: %w", err)
+	}
+
+	if _, err := fmt.Fprintf(f, "%d\n", os.Getpid()); err != nil {
+		return fmt.Errorf("failed to write PID to lock file: %w", err)
+	}
+
+	return f.Sync()
+}
+
+func readLockPID(f *os.File) (int, error) {
+	if _, err := f.Seek(0, io.SeekStart); err != nil {
+		return 0, err
+	}
+
+	data, err := io.ReadAll(f)
+	if err != nil {
+		return 0, err
+	}
+
+	s := strings.TrimSpace(string(data))
+	if s == "" {
+		return 0, errors.New("lock file is empty")
+	}
+
+	pid, err := strconv.Atoi(s)
+	if err != nil {
+		return 0, fmt.Errorf("invalid PID in lock file: %w", err)
+	}
+
+	return pid, nil
+}
+
+func isProcessAlive(pid int) bool {
+	err := syscall.Kill(pid, 0)
+	if err == nil {
+		return true
+	}
+
+	if errors.Is(err, syscall.EPERM) {
+		return true
+	}
+
+	return false
+}
--- a/agent/internal/features/start/lock_test.go
+++ b/agent/internal/features/start/lock_test.go
@@ -0,0 +1,148 @@
+//go:build !windows
+
+package start
+
+import (
+	"fmt"
+	"os"
+	"strconv"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"databasus-agent/internal/logger"
+)
+
+func Test_AcquireLock_LockFileCreatedWithPID(t *testing.T) {
+	setupTempDir(t)
+	log := logger.GetLogger()
+
+	lockFile, err := AcquireLock(log)
+	require.NoError(t, err)
+	defer ReleaseLock(lockFile)
+
+	data, err := os.ReadFile(lockFileName)
+	require.NoError(t, err)
+
+	pid, err := strconv.Atoi(strings.TrimSpace(string(data)))
+	require.NoError(t, err)
+	assert.Equal(t, os.Getpid(), pid)
+}
+
+func Test_AcquireLock_SecondAcquireFails_WhenFirstHeld(t *testing.T) {
+	setupTempDir(t)
+	log := logger.GetLogger()
+
+	first, err := AcquireLock(log)
+	require.NoError(t, err)
+	defer ReleaseLock(first)
+
+	second, err := AcquireLock(log)
+	assert.Nil(t, second)
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "another instance is already running")
+	assert.Contains(t, err.Error(), fmt.Sprintf("PID %d", os.Getpid()))
+}
+
+func Test_AcquireLock_StaleLockReacquired_WhenProcessDead(t *testing.T) {
+	setupTempDir(t)
+	log := logger.GetLogger()
+
+	err := os.WriteFile(lockFileName, []byte("999999999\n"), 0o644)
+	require.NoError(t, err)
+
+	lockFile, err := AcquireLock(log)
+	require.NoError(t, err)
+	defer ReleaseLock(lockFile)
+
+	data, err := os.ReadFile(lockFileName)
+	require.NoError(t, err)
+
+	pid, err := strconv.Atoi(strings.TrimSpace(string(data)))
+	require.NoError(t, err)
+	assert.Equal(t, os.Getpid(), pid)
+}
+
+func Test_ReleaseLock_LockFileRemoved(t *testing.T) {
+	setupTempDir(t)
+	log := logger.GetLogger()
+
+	lockFile, err := AcquireLock(log)
+	require.NoError(t, err)
+
+	ReleaseLock(lockFile)
+
+	_, err = os.Stat(lockFileName)
+	assert.True(t, os.IsNotExist(err))
+}
+
+func Test_AcquireLock_ReacquiredAfterRelease(t *testing.T) {
+	setupTempDir(t)
+	log := logger.GetLogger()
+
+	first, err := AcquireLock(log)
+	require.NoError(t, err)
+	ReleaseLock(first)
+
+	second, err := AcquireLock(log)
+	require.NoError(t, err)
+	defer ReleaseLock(second)
+
+	data, err := os.ReadFile(lockFileName)
+	require.NoError(t, err)
+
+	pid, err := strconv.Atoi(strings.TrimSpace(string(data)))
+	require.NoError(t, err)
+	assert.Equal(t, os.Getpid(), pid)
+}
+
+func Test_isProcessAlive_ReturnsTrueForSelf(t *testing.T) {
+	assert.True(t, isProcessAlive(os.Getpid()))
+}
+
+func Test_isProcessAlive_ReturnsFalseForNonExistentPID(t *testing.T) {
+	assert.False(t, isProcessAlive(999999999))
+}
+
+func Test_readLockPID_ParsesValidPID(t *testing.T) {
+	setupTempDir(t)
+
+	f, err := os.CreateTemp("", "lock-test-*")
+	require.NoError(t, err)
+	defer os.Remove(f.Name())
+
+	_, err = f.WriteString("12345\n")
+	require.NoError(t, err)
+
+	pid, err := readLockPID(f)
+	require.NoError(t, err)
+	assert.Equal(t, 12345, pid)
+}
+
+func Test_readLockPID_ReturnsErrorForEmptyFile(t *testing.T) {
+	setupTempDir(t)
+
+	f, err := os.CreateTemp("", "lock-test-*")
+	require.NoError(t, err)
+	defer os.Remove(f.Name())
+
+	_, err = readLockPID(f)
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "lock file is empty")
+}
+
+func setupTempDir(t *testing.T) string {
+	t.Helper()
+
+	origDir, err := os.Getwd()
+	require.NoError(t, err)
+
+	dir := t.TempDir()
+	require.NoError(t, os.Chdir(dir))
+
+	t.Cleanup(func() { _ = os.Chdir(origDir) })
+
+	return dir
+}
--- a/agent/internal/features/start/lock_watcher.go
+++ b/agent/internal/features/start/lock_watcher.go
@@ -0,0 +1,90 @@
+//go:build !windows
+
+package start
+
+import (
+	"context"
+	"log/slog"
+	"os"
+	"syscall"
+	"time"
+)
+
+const lockWatchInterval = 5 * time.Second
+
+type LockWatcher struct {
+	originalInode uint64
+	cancel        context.CancelFunc
+	log           *slog.Logger
+}
+
+func NewLockWatcher(lockFile *os.File, cancel context.CancelFunc, log *slog.Logger) (*LockWatcher, error) {
+	inode, err := getFileInode(lockFile)
+	if err != nil {
+		return nil, err
+	}
+
+	return &LockWatcher{
+		originalInode: inode,
+		cancel:        cancel,
+		log:           log,
+	}, nil
+}
+
+func (w *LockWatcher) Run(ctx context.Context) {
+	ticker := time.NewTicker(lockWatchInterval)
+	defer ticker.Stop()
+
+	for {
+		select {
+		case <-ctx.Done():
+			return
+		case <-ticker.C:
+			w.check()
+		}
+	}
+}
+
+func (w *LockWatcher) check() {
+	info, err := os.Stat(lockFileName)
+	if err != nil {
+		w.log.Error("Lock file disappeared, shutting down", "file", lockFileName, "error", err)
+		w.cancel()
+
+		return
+	}
+
+	currentInode, err := getStatInode(info)
+	if err != nil {
+		w.log.Error("Failed to read lock file inode, shutting down", "error", err)
+		w.cancel()
+
+		return
+	}
+
+	if currentInode != w.originalInode {
+		w.log.Error("Lock file was replaced (inode changed), shutting down",
+			"originalInode", w.originalInode,
+			"currentInode", currentInode,
+		)
+		w.cancel()
+	}
+}
+
+func getFileInode(f *os.File) (uint64, error) {
+	info, err := f.Stat()
+	if err != nil {
+		return 0, err
+	}
+
+	return getStatInode(info)
+}
+
+func getStatInode(info os.FileInfo) (uint64, error) {
+	stat, ok := info.Sys().(*syscall.Stat_t)
+	if !ok {
+		return 0, os.ErrInvalid
+	}
+
+	return stat.Ino, nil
+}
--- a/agent/internal/features/start/lock_watcher_test.go
+++ b/agent/internal/features/start/lock_watcher_test.go
@@ -0,0 +1,110 @@
+//go:build !windows
+
+package start
+
+import (
+	"context"
+	"os"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"databasus-agent/internal/logger"
+)
+
+func Test_NewLockWatcher_CapturesInode(t *testing.T) {
+	setupTempDir(t)
+	log := logger.GetLogger()
+
+	lockFile, err := AcquireLock(log)
+	require.NoError(t, err)
+	defer ReleaseLock(lockFile)
+
+	_, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	watcher, err := NewLockWatcher(lockFile, cancel, log)
+	require.NoError(t, err)
+	assert.NotZero(t, watcher.originalInode)
+}
+
+func Test_LockWatcher_FileUnchanged_ContextNotCancelled(t *testing.T) {
+	setupTempDir(t)
+	log := logger.GetLogger()
+
+	lockFile, err := AcquireLock(log)
+	require.NoError(t, err)
+	defer ReleaseLock(lockFile)
+
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	watcher, err := NewLockWatcher(lockFile, cancel, log)
+	require.NoError(t, err)
+
+	watcher.check()
+	watcher.check()
+	watcher.check()
+
+	select {
+	case <-ctx.Done():
+		t.Fatal("context should not be cancelled when lock file is unchanged")
+	default:
+	}
+}
+
+func Test_LockWatcher_FileDeleted_CancelsContext(t *testing.T) {
+	setupTempDir(t)
+	log := logger.GetLogger()
+
+	lockFile, err := AcquireLock(log)
+	require.NoError(t, err)
+	defer ReleaseLock(lockFile)
+
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	watcher, err := NewLockWatcher(lockFile, cancel, log)
+	require.NoError(t, err)
+
+	err = os.Remove(lockFileName)
+	require.NoError(t, err)
+
+	watcher.check()
+
+	select {
+	case <-ctx.Done():
+	default:
+		t.Fatal("context should be cancelled when lock file is deleted")
+	}
+}
+
+func Test_LockWatcher_FileReplacedWithDifferentInode_CancelsContext(t *testing.T) {
+	setupTempDir(t)
+	log := logger.GetLogger()
+
+	lockFile, err := AcquireLock(log)
+	require.NoError(t, err)
+	defer ReleaseLock(lockFile)
+
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	watcher, err := NewLockWatcher(lockFile, cancel, log)
+	require.NoError(t, err)
+
+	err = os.Remove(lockFileName)
+	require.NoError(t, err)
+
+	err = os.WriteFile(lockFileName, []byte("99999\n"), 0o644)
+	require.NoError(t, err)
+
+	watcher.check()
+
+	select {
+	case <-ctx.Done():
+	default:
+		t.Fatal("context should be cancelled when lock file inode changes")
+	}
+}
--- a/agent/internal/features/start/lock_watcher_windows.go
+++ b/agent/internal/features/start/lock_watcher_windows.go
@@ -0,0 +1,17 @@
+//go:build windows
+
+package start
+
+import (
+	"context"
+	"log/slog"
+	"os"
+)
+
+type LockWatcher struct{}
+
+func NewLockWatcher(_ *os.File, _ context.CancelFunc, _ *slog.Logger) (*LockWatcher, error) {
+	return &LockWatcher{}, nil
+}
+
+func (w *LockWatcher) Run(_ context.Context) {}
--- a/agent/internal/features/start/lock_windows.go
+++ b/agent/internal/features/start/lock_windows.go
@@ -0,0 +1,18 @@
+package start
+
+import (
+	"log/slog"
+	"os"
+)
+
+func AcquireLock(log *slog.Logger) (*os.File, error) {
+	log.Warn("Process locking is not supported on Windows, skipping")
+
+	return nil, nil
+}
+
+func ReleaseLock(f *os.File) {
+	if f != nil {
+		_ = f.Close()
+	}
+}
--- a/agent/internal/features/start/start.go
+++ b/agent/internal/features/start/start.go
@@ -0,0 +1,271 @@
+package start
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"log/slog"
+	"os"
+	"os/exec"
+	"os/signal"
+	"path/filepath"
+	"runtime"
+	"strconv"
+	"strings"
+	"syscall"
+	"time"
+
+	"github.com/jackc/pgx/v5"
+
+	"databasus-agent/internal/config"
+	"databasus-agent/internal/features/api"
+	full_backup "databasus-agent/internal/features/full_backup"
+	"databasus-agent/internal/features/upgrade"
+	"databasus-agent/internal/features/wal"
+)
+
+const (
+	pgBasebackupVerifyTimeout = 10 * time.Second
+	dbVerifyTimeout           = 10 * time.Second
+	minPgMajorVersion         = 15
+)
+
+func Start(cfg *config.Config, agentVersion string, isDev bool, log *slog.Logger) error {
+	if err := validateConfig(cfg); err != nil {
+		return err
+	}
+
+	if err := verifyPgBasebackup(cfg, log); err != nil {
+		return err
+	}
+
+	if err := verifyDatabase(cfg, log); err != nil {
+		return err
+	}
+
+	if runtime.GOOS == "windows" {
+		return RunDaemon(cfg, agentVersion, isDev, log)
+	}
+
+	pid, err := spawnDaemon(log)
+	if err != nil {
+		return err
+	}
+
+	fmt.Printf("Agent started in background (PID %d)\n", pid)
+
+	return nil
+}
+
+func RunDaemon(cfg *config.Config, agentVersion string, isDev bool, log *slog.Logger) error {
+	lockFile, err := AcquireLock(log)
+	if err != nil {
+		return err
+	}
+	defer ReleaseLock(lockFile)
+
+	ctx, cancel := signal.NotifyContext(context.Background(), os.Interrupt, syscall.SIGTERM)
+	defer cancel()
+
+	watcher, err := NewLockWatcher(lockFile, cancel, log)
+	if err != nil {
+		return fmt.Errorf("failed to initialize lock watcher: %w", err)
+	}
+	go watcher.Run(ctx)
+
+	apiClient := api.NewClient(cfg.DatabasusHost, cfg.Token, log)
+
+	var backgroundUpgrader *upgrade.BackgroundUpgrader
+	if agentVersion != "dev" && runtime.GOOS != "windows" {
+		backgroundUpgrader = upgrade.NewBackgroundUpgrader(apiClient, agentVersion, isDev, cancel, log)
+		go backgroundUpgrader.Run(ctx)
+	}
+
+	fullBackuper := full_backup.NewFullBackuper(cfg, apiClient, log)
+	go fullBackuper.Run(ctx)
+
+	streamer := wal.NewStreamer(cfg, apiClient, log)
+	streamer.Run(ctx)
+
+	if backgroundUpgrader != nil {
+		backgroundUpgrader.WaitForCompletion(30 * time.Second)
+
+		if backgroundUpgrader.IsUpgraded() {
+			return upgrade.ErrUpgradeRestart
+		}
+	}
+
+	log.Info("Agent stopped")
+
+	return nil
+}
+
+func validateConfig(cfg *config.Config) error {
+	if cfg.DatabasusHost == "" {
+		return errors.New("argument databasus-host is required")
+	}
+
+	if cfg.DbID == "" {
+		return errors.New("argument db-id is required")
+	}
+
+	if cfg.Token == "" {
+		return errors.New("argument token is required")
+	}
+
+	if cfg.PgHost == "" {
+		return errors.New("argument pg-host is required")
+	}
+
+	if cfg.PgPort <= 0 {
+		return errors.New("argument pg-port must be a positive number")
+	}
+
+	if cfg.PgUser == "" {
+		return errors.New("argument pg-user is required")
+	}
+
+	if cfg.PgType != "host" && cfg.PgType != "docker" {
+		return fmt.Errorf("argument pg-type must be 'host' or 'docker', got '%s'", cfg.PgType)
+	}
+
+	if cfg.PgWalDir == "" {
+		return errors.New("argument pg-wal-dir is required")
+	}
+
+	if cfg.PgType == "docker" && cfg.PgDockerContainerName == "" {
+		return errors.New("argument pg-docker-container-name is required when pg-type is 'docker'")
+	}
+
+	return nil
+}
+
+func verifyPgBasebackup(cfg *config.Config, log *slog.Logger) error {
+	switch cfg.PgType {
+	case "host":
+		return verifyPgBasebackupHost(cfg, log)
+	case "docker":
+		return verifyPgBasebackupDocker(cfg, log)
+	default:
+		return fmt.Errorf("unexpected pg-type: %s", cfg.PgType)
+	}
+}
+
+func verifyPgBasebackupHost(cfg *config.Config, log *slog.Logger) error {
+	binary := "pg_basebackup"
+	if cfg.PgHostBinDir != "" {
+		binary = filepath.Join(cfg.PgHostBinDir, "pg_basebackup")
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), pgBasebackupVerifyTimeout)
+	defer cancel()
+
+	output, err := exec.CommandContext(ctx, binary, "--version").CombinedOutput()
+	if err != nil {
+		if cfg.PgHostBinDir != "" {
+			return fmt.Errorf(
+				"pg_basebackup not found at '%s': %w. Verify pg-host-bin-dir is correct",
+				binary, err,
+			)
+		}
+
+		return fmt.Errorf(
+			"pg_basebackup not found in PATH: %w. Install PostgreSQL client tools or set pg-host-bin-dir",
+			err,
+		)
+	}
+
+	log.Info("pg_basebackup verified", "version", strings.TrimSpace(string(output)))
+
+	return nil
+}
+
+func verifyPgBasebackupDocker(cfg *config.Config, log *slog.Logger) error {
+	ctx, cancel := context.WithTimeout(context.Background(), pgBasebackupVerifyTimeout)
+	defer cancel()
+
+	output, err := exec.CommandContext(ctx,
+		"docker", "exec", cfg.PgDockerContainerName,
+		"pg_basebackup", "--version",
+	).CombinedOutput()
+	if err != nil {
+		return fmt.Errorf(
+			"pg_basebackup not available in container '%s': %w. "+
+				"Check that the container is running and pg_basebackup is installed inside it",
+			cfg.PgDockerContainerName, err,
+		)
+	}
+
+	log.Info("pg_basebackup verified (docker)",
+		"container", cfg.PgDockerContainerName,
+		"version", strings.TrimSpace(string(output)),
+	)
+
+	return nil
+}
+
+func verifyDatabase(cfg *config.Config, log *slog.Logger) error {
+	connStr := fmt.Sprintf(
+		"host=%s port=%d user=%s password=%s dbname=postgres sslmode=disable",
+		cfg.PgHost, cfg.PgPort, cfg.PgUser, cfg.PgPassword,
+	)
+
+	ctx, cancel := context.WithTimeout(context.Background(), dbVerifyTimeout)
+	defer cancel()
+
+	conn, err := pgx.Connect(ctx, connStr)
+	if err != nil {
+		return fmt.Errorf(
+			"failed to connect to PostgreSQL at %s:%d as user '%s': %w",
+			cfg.PgHost, cfg.PgPort, cfg.PgUser, err,
+		)
+	}
+	defer func() { _ = conn.Close(ctx) }()
+
+	if err := conn.Ping(ctx); err != nil {
+		return fmt.Errorf("PostgreSQL ping failed at %s:%d: %w",
+			cfg.PgHost, cfg.PgPort, err,
+		)
+	}
+
+	var versionNumStr string
+	if err := conn.QueryRow(ctx, "SHOW server_version_num").Scan(&versionNumStr); err != nil {
+		return fmt.Errorf("failed to query PostgreSQL version: %w", err)
+	}
+
+	majorVersion, err := parsePgVersionNum(versionNumStr)
+	if err != nil {
+		return fmt.Errorf("failed to parse PostgreSQL version '%s': %w", versionNumStr, err)
+	}
+
+	if majorVersion < minPgMajorVersion {
+		return fmt.Errorf(
+			"PostgreSQL %d is not supported, minimum required version is %d",
+			majorVersion, minPgMajorVersion,
+		)
+	}
+
+	log.Info("PostgreSQL connection verified",
+		"host", cfg.PgHost,
+		"port", cfg.PgPort,
+		"user", cfg.PgUser,
+		"version", majorVersion,
+	)
+
+	return nil
+}
+
+func parsePgVersionNum(versionNumStr string) (int, error) {
+	versionNum, err := strconv.Atoi(strings.TrimSpace(versionNumStr))
+	if err != nil {
+		return 0, fmt.Errorf("invalid version number: %w", err)
+	}
+
+	if versionNum <= 0 {
+		return 0, fmt.Errorf("invalid version number: %d", versionNum)
+	}
+
+	majorVersion := versionNum / 10000
+
+	return majorVersion, nil
+}
--- a/agent/internal/features/start/start_test.go
+++ b/agent/internal/features/start/start_test.go
@@ -0,0 +1,84 @@
+package start
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func Test_ParsePgVersionNum_SupportedVersions_ReturnsMajorVersion(t *testing.T) {
+	tests := []struct {
+		name          string
+		versionNumStr string
+		expectedMajor int
+	}{
+		{name: "PG 15.0", versionNumStr: "150000", expectedMajor: 15},
+		{name: "PG 15.4", versionNumStr: "150004", expectedMajor: 15},
+		{name: "PG 16.0", versionNumStr: "160000", expectedMajor: 16},
+		{name: "PG 16.3", versionNumStr: "160003", expectedMajor: 16},
+		{name: "PG 17.2", versionNumStr: "170002", expectedMajor: 17},
+		{name: "PG 18.0", versionNumStr: "180000", expectedMajor: 18},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			major, err := parsePgVersionNum(tt.versionNumStr)
+
+			require.NoError(t, err)
+			assert.Equal(t, tt.expectedMajor, major)
+			assert.GreaterOrEqual(t, major, minPgMajorVersion)
+		})
+	}
+}
+
+func Test_ParsePgVersionNum_UnsupportedVersions_ReturnsMajorVersionBelow15(t *testing.T) {
+	tests := []struct {
+		name          string
+		versionNumStr string
+		expectedMajor int
+	}{
+		{name: "PG 12.5", versionNumStr: "120005", expectedMajor: 12},
+		{name: "PG 13.0", versionNumStr: "130000", expectedMajor: 13},
+		{name: "PG 14.12", versionNumStr: "140012", expectedMajor: 14},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			major, err := parsePgVersionNum(tt.versionNumStr)
+
+			require.NoError(t, err)
+			assert.Equal(t, tt.expectedMajor, major)
+			assert.Less(t, major, minPgMajorVersion)
+		})
+	}
+}
+
+func Test_ParsePgVersionNum_InvalidInput_ReturnsError(t *testing.T) {
+	tests := []struct {
+		name          string
+		versionNumStr string
+	}{
+		{name: "empty string", versionNumStr: ""},
+		{name: "non-numeric", versionNumStr: "abc"},
+		{name: "negative number", versionNumStr: "-1"},
+		{name: "zero", versionNumStr: "0"},
+		{name: "float", versionNumStr: "15.4"},
+		{name: "whitespace only", versionNumStr: "   "},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			_, err := parsePgVersionNum(tt.versionNumStr)
+
+			require.Error(t, err)
+		})
+	}
+}
+
+func Test_ParsePgVersionNum_WithWhitespace_ParsesCorrectly(t *testing.T) {
+	major, err := parsePgVersionNum("  150004  ")
+
+	require.NoError(t, err)
+	assert.Equal(t, 15, major)
+}
--- a/agent/internal/features/upgrade/background_upgrader.go
+++ b/agent/internal/features/upgrade/background_upgrader.go
@@ -0,0 +1,88 @@
+package upgrade
+
+import (
+	"context"
+	"log/slog"
+	"sync/atomic"
+	"time"
+
+	"databasus-agent/internal/features/api"
+)
+
+const backgroundCheckInterval = 5 * time.Second
+
+type BackgroundUpgrader struct {
+	apiClient      *api.Client
+	currentVersion string
+	isDev          bool
+	cancel         context.CancelFunc
+	isUpgraded     atomic.Bool
+	log            *slog.Logger
+	done           chan struct{}
+}
+
+func NewBackgroundUpgrader(
+	apiClient *api.Client,
+	currentVersion string,
+	isDev bool,
+	cancel context.CancelFunc,
+	log *slog.Logger,
+) *BackgroundUpgrader {
+	return &BackgroundUpgrader{
+		apiClient,
+		currentVersion,
+		isDev,
+		cancel,
+		atomic.Bool{},
+		log,
+		make(chan struct{}),
+	}
+}
+
+func (u *BackgroundUpgrader) Run(ctx context.Context) {
+	defer close(u.done)
+
+	ticker := time.NewTicker(backgroundCheckInterval)
+	defer ticker.Stop()
+
+	for {
+		select {
+		case <-ctx.Done():
+			return
+		case <-ticker.C:
+			if u.checkAndUpgrade() {
+				return
+			}
+		}
+	}
+}
+
+func (u *BackgroundUpgrader) IsUpgraded() bool {
+	return u.isUpgraded.Load()
+}
+
+func (u *BackgroundUpgrader) WaitForCompletion(timeout time.Duration) {
+	select {
+	case <-u.done:
+	case <-time.After(timeout):
+	}
+}
+
+func (u *BackgroundUpgrader) checkAndUpgrade() bool {
+	isUpgraded, err := CheckAndUpdate(u.apiClient, u.currentVersion, u.isDev, u.log)
+	if err != nil {
+		u.log.Warn("Background update check failed", "error", err)
+
+		return false
+	}
+
+	if !isUpgraded {
+		return false
+	}
+
+	u.log.Info("Background upgrade complete, restarting...")
+	u.isUpgraded.Store(true)
+	u.cancel()
+
+	return true
+}
--- a/agent/internal/features/upgrade/errors.go
+++ b/agent/internal/features/upgrade/errors.go
@@ -0,0 +1,5 @@
+package upgrade
+
+import "errors"
+
+var ErrUpgradeRestart = errors.New("agent upgraded, restart required")
--- a/agent/internal/features/upgrade/upgrader.go
+++ b/agent/internal/features/upgrade/upgrader.go
@@ -0,0 +1,89 @@
+package upgrade
+
+import (
+	"context"
+	"fmt"
+	"log/slog"
+	"os"
+	"os/exec"
+	"runtime"
+	"strings"
+
+	"databasus-agent/internal/features/api"
+)
+
+// CheckAndUpdate checks if a new version is available and upgrades the binary on disk.
+// Returns (true, nil) if the binary was upgraded, (false, nil) if already up to date,
+// or (false, err) on failure. Callers are responsible for re-exec or restart signaling.
+func CheckAndUpdate(apiClient *api.Client, currentVersion string, isDev bool, log *slog.Logger) (bool, error) {
+	if isDev {
+		log.Info("Skipping update check (development mode)")
+
+		return false, nil
+	}
+
+	serverVersion, err := apiClient.FetchServerVersion(context.Background())
+	if err != nil {
+		log.Warn("Could not reach server for update check", "error", err)
+
+		return false, fmt.Errorf(
+			"unable to check version, please verify Databasus server is available: %w",
+			err,
+		)
+	}
+
+	if serverVersion == currentVersion {
+		log.Info("Agent version is up to date", "version", currentVersion)
+
+		return false, nil
+	}
+
+	log.Info("Updating agent...", "current", currentVersion, "target", serverVersion)
+
+	selfPath, err := os.Executable()
+	if err != nil {
+		return false, fmt.Errorf("failed to determine executable path: %w", err)
+	}
+
+	tempPath := selfPath + ".update"
+
+	defer func() {
+		_ = os.Remove(tempPath)
+	}()
+
+	if err := apiClient.DownloadAgentBinary(context.Background(), runtime.GOARCH, tempPath); err != nil {
+		return false, fmt.Errorf("failed to download update: %w", err)
+	}
+
+	if err := os.Chmod(tempPath, 0o755); err != nil {
+		return false, fmt.Errorf("failed to set permissions on update: %w", err)
+	}
+
+	if err := verifyBinary(tempPath, serverVersion); err != nil {
+		return false, fmt.Errorf("update verification failed: %w", err)
+	}
+
+	if err := os.Rename(tempPath, selfPath); err != nil {
+		return false, fmt.Errorf("failed to replace binary (try --skip-update if this persists): %w", err)
+	}
+
+	log.Info("Agent binary updated", "version", serverVersion)
+
+	return true, nil
+}
+
+func verifyBinary(binaryPath, expectedVersion string) error {
+	cmd := exec.CommandContext(context.Background(), binaryPath, "version")
+
+	output, err := cmd.Output()
+	if err != nil {
+		return fmt.Errorf("binary failed to execute: %w", err)
+	}
+
+	got := strings.TrimSpace(string(output))
+	if got != expectedVersion {
+		return fmt.Errorf("version mismatch: expected %q, got %q", expectedVersion, got)
+	}
+
+	return nil
+}
--- a/agent/internal/features/wal/streamer.go
+++ b/agent/internal/features/wal/streamer.go
@@ -0,0 +1,182 @@
+package wal
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"log/slog"
+	"os"
+	"path/filepath"
+	"regexp"
+	"sort"
+	"strings"
+	"time"
+
+	"github.com/klauspost/compress/zstd"
+
+	"databasus-agent/internal/config"
+	"databasus-agent/internal/features/api"
+)
+
+const (
+	pollInterval  = 2 * time.Second
+	uploadTimeout = 5 * time.Minute
+)
+
+var segmentNameRegex = regexp.MustCompile(`^[0-9A-Fa-f]{24}$`)
+
+type Streamer struct {
+	cfg       *config.Config
+	apiClient *api.Client
+	log       *slog.Logger
+}
+
+func NewStreamer(cfg *config.Config, apiClient *api.Client, log *slog.Logger) *Streamer {
+	return &Streamer{
+		cfg:       cfg,
+		apiClient: apiClient,
+		log:       log,
+	}
+}
+
+func (s *Streamer) Run(ctx context.Context) {
+	s.log.Info("WAL streamer started", "pgWalDir", s.cfg.PgWalDir)
+
+	s.processQueue(ctx)
+
+	ticker := time.NewTicker(pollInterval)
+	defer ticker.Stop()
+
+	for {
+		select {
+		case <-ctx.Done():
+			s.log.Info("WAL streamer stopping")
+			return
+		case <-ticker.C:
+			s.processQueue(ctx)
+		}
+	}
+}
+
+func (s *Streamer) processQueue(ctx context.Context) {
+	segments, err := s.listSegments()
+	if err != nil {
+		s.log.Error("Failed to list WAL segments", "error", err)
+		return
+	}
+
+	for _, segmentName := range segments {
+		if ctx.Err() != nil {
+			return
+		}
+
+		if err := s.uploadSegment(ctx, segmentName); err != nil {
+			s.log.Error("Failed to upload WAL segment",
+				"segment", segmentName,
+				"error", err,
+			)
+			return
+		}
+	}
+}
+
+func (s *Streamer) listSegments() ([]string, error) {
+	entries, err := os.ReadDir(s.cfg.PgWalDir)
+	if err != nil {
+		return nil, fmt.Errorf("read wal dir: %w", err)
+	}
+
+	var segments []string
+
+	for _, entry := range entries {
+		if entry.IsDir() {
+			continue
+		}
+
+		name := entry.Name()
+
+		if strings.HasSuffix(name, ".tmp") {
+			continue
+		}
+
+		if !segmentNameRegex.MatchString(name) {
+			continue
+		}
+
+		segments = append(segments, name)
+	}
+
+	sort.Strings(segments)
+
+	return segments, nil
+}
+
+func (s *Streamer) uploadSegment(ctx context.Context, segmentName string) error {
+	filePath := filepath.Join(s.cfg.PgWalDir, segmentName)
+
+	pr, pw := io.Pipe()
+
+	go s.compressAndStream(pw, filePath)
+
+	uploadCtx, cancel := context.WithTimeout(ctx, uploadTimeout)
+	defer cancel()
+
+	result, err := s.apiClient.UploadWalSegment(uploadCtx, segmentName, pr)
+	if err != nil {
+		return err
+	}
+
+	if result.IsGapDetected {
+		s.log.Warn("WAL chain gap detected",
+			"segment", segmentName,
+			"expected", result.ExpectedSegmentName,
+			"received", result.ReceivedSegmentName,
+		)
+
+		return fmt.Errorf("gap detected for segment %s", segmentName)
+	}
+
+	s.log.Debug("WAL segment uploaded", "segment", segmentName)
+
+	if *s.cfg.IsDeleteWalAfterUpload {
+		if err := os.Remove(filePath); err != nil {
+			s.log.Warn("Failed to delete uploaded WAL segment",
+				"segment", segmentName,
+				"error", err,
+			)
+		}
+	}
+
+	return nil
+}
+
+func (s *Streamer) compressAndStream(pw *io.PipeWriter, filePath string) {
+	f, err := os.Open(filePath)
+	if err != nil {
+		_ = pw.CloseWithError(fmt.Errorf("open file: %w", err))
+		return
+	}
+	defer func() { _ = f.Close() }()
+
+	encoder, err := zstd.NewWriter(pw,
+		zstd.WithEncoderLevel(zstd.EncoderLevelFromZstd(5)),
+		zstd.WithEncoderCRC(true),
+	)
+	if err != nil {
+		_ = pw.CloseWithError(fmt.Errorf("create zstd encoder: %w", err))
+		return
+	}
+
+	if _, err := io.Copy(encoder, f); err != nil {
+		_ = encoder.Close()
+		_ = pw.CloseWithError(fmt.Errorf("compress: %w", err))
+		return
+	}
+
+	if err := encoder.Close(); err != nil {
+		_ = pw.CloseWithError(fmt.Errorf("close encoder: %w", err))
+		return
+	}
+
+	_ = pw.Close()
+}
--- a/agent/internal/features/wal/streamer_test.go
+++ b/agent/internal/features/wal/streamer_test.go
@@ -0,0 +1,348 @@
+package wal
+
+import (
+	"context"
+	"encoding/json"
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"path/filepath"
+	"sync"
+	"testing"
+	"time"
+
+	"github.com/klauspost/compress/zstd"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"databasus-agent/internal/config"
+	"databasus-agent/internal/features/api"
+	"databasus-agent/internal/logger"
+)
+
+func Test_UploadSegment_SingleSegment_ServerReceivesCorrectHeadersAndBody(t *testing.T) {
+	walDir := createTestWalDir(t)
+	segmentContent := []byte("test-wal-segment-data-for-upload")
+	writeTestSegment(t, walDir, "000000010000000100000001", segmentContent)
+
+	var receivedHeaders http.Header
+	var receivedBody []byte
+
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		receivedHeaders = r.Header.Clone()
+
+		body, err := io.ReadAll(r.Body)
+		require.NoError(t, err)
+		receivedBody = body
+
+		w.WriteHeader(http.StatusNoContent)
+	}))
+	defer server.Close()
+
+	streamer := newTestStreamer(walDir, server.URL)
+
+	ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second)
+	defer cancel()
+
+	go streamer.Run(ctx)
+	time.Sleep(500 * time.Millisecond)
+	cancel()
+
+	require.NotNil(t, receivedHeaders)
+	assert.Equal(t, "test-token", receivedHeaders.Get("Authorization"))
+	assert.Equal(t, "application/octet-stream", receivedHeaders.Get("Content-Type"))
+	assert.Equal(t, "000000010000000100000001", receivedHeaders.Get("X-Wal-Segment-Name"))
+
+	decompressed := decompressZstd(t, receivedBody)
+	assert.Equal(t, segmentContent, decompressed)
+}
+
+func Test_UploadSegments_MultipleSegmentsOutOfOrder_UploadedInAscendingOrder(t *testing.T) {
+	walDir := createTestWalDir(t)
+	writeTestSegment(t, walDir, "000000010000000100000003", []byte("third"))
+	writeTestSegment(t, walDir, "000000010000000100000001", []byte("first"))
+	writeTestSegment(t, walDir, "000000010000000100000002", []byte("second"))
+
+	var mu sync.Mutex
+	var uploadOrder []string
+
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		mu.Lock()
+		uploadOrder = append(uploadOrder, r.Header.Get("X-Wal-Segment-Name"))
+		mu.Unlock()
+
+		_, _ = io.ReadAll(r.Body)
+		w.WriteHeader(http.StatusNoContent)
+	}))
+	defer server.Close()
+
+	streamer := newTestStreamer(walDir, server.URL)
+
+	ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second)
+	defer cancel()
+
+	go streamer.Run(ctx)
+	time.Sleep(500 * time.Millisecond)
+	cancel()
+
+	mu.Lock()
+	defer mu.Unlock()
+
+	require.Len(t, uploadOrder, 3)
+	assert.Equal(t, "000000010000000100000001", uploadOrder[0])
+	assert.Equal(t, "000000010000000100000002", uploadOrder[1])
+	assert.Equal(t, "000000010000000100000003", uploadOrder[2])
+}
+
+func Test_UploadSegments_DirectoryHasTmpFiles_TmpFilesIgnored(t *testing.T) {
+	walDir := createTestWalDir(t)
+	writeTestSegment(t, walDir, "000000010000000100000001", []byte("real segment"))
+	writeTestSegment(t, walDir, "000000010000000100000002.tmp", []byte("partial copy"))
+
+	var mu sync.Mutex
+	var uploadedSegments []string
+
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		mu.Lock()
+		uploadedSegments = append(uploadedSegments, r.Header.Get("X-Wal-Segment-Name"))
+		mu.Unlock()
+
+		_, _ = io.ReadAll(r.Body)
+		w.WriteHeader(http.StatusNoContent)
+	}))
+	defer server.Close()
+
+	streamer := newTestStreamer(walDir, server.URL)
+
+	ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second)
+	defer cancel()
+
+	go streamer.Run(ctx)
+	time.Sleep(500 * time.Millisecond)
+	cancel()
+
+	mu.Lock()
+	defer mu.Unlock()
+
+	require.Len(t, uploadedSegments, 1)
+	assert.Equal(t, "000000010000000100000001", uploadedSegments[0])
+}
+
+func Test_UploadSegment_DeleteEnabled_FileRemovedAfterUpload(t *testing.T) {
+	walDir := createTestWalDir(t)
+	segmentName := "000000010000000100000001"
+	writeTestSegment(t, walDir, segmentName, []byte("segment data"))
+
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		_, _ = io.ReadAll(r.Body)
+		w.WriteHeader(http.StatusNoContent)
+	}))
+	defer server.Close()
+
+	isDeleteEnabled := true
+	cfg := createTestConfig(walDir, server.URL)
+	cfg.IsDeleteWalAfterUpload = &isDeleteEnabled
+	apiClient := api.NewClient(server.URL, cfg.Token, logger.GetLogger())
+	streamer := NewStreamer(cfg, apiClient, logger.GetLogger())
+
+	ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second)
+	defer cancel()
+
+	go streamer.Run(ctx)
+	time.Sleep(500 * time.Millisecond)
+	cancel()
+
+	_, err := os.Stat(filepath.Join(walDir, segmentName))
+	assert.True(t, os.IsNotExist(err), "segment file should be deleted after successful upload")
+}
+
+func Test_UploadSegment_DeleteDisabled_FileKeptAfterUpload(t *testing.T) {
+	walDir := createTestWalDir(t)
+	segmentName := "000000010000000100000001"
+	writeTestSegment(t, walDir, segmentName, []byte("segment data"))
+
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		_, _ = io.ReadAll(r.Body)
+		w.WriteHeader(http.StatusNoContent)
+	}))
+	defer server.Close()
+
+	isDeleteDisabled := false
+	cfg := createTestConfig(walDir, server.URL)
+	cfg.IsDeleteWalAfterUpload = &isDeleteDisabled
+	apiClient := api.NewClient(server.URL, cfg.Token, logger.GetLogger())
+	streamer := NewStreamer(cfg, apiClient, logger.GetLogger())
+
+	ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second)
+	defer cancel()
+
+	go streamer.Run(ctx)
+	time.Sleep(500 * time.Millisecond)
+	cancel()
+
+	_, err := os.Stat(filepath.Join(walDir, segmentName))
+	assert.NoError(t, err, "segment file should be kept when delete is disabled")
+}
+
+func Test_UploadSegment_ServerReturns500_FileKeptInQueue(t *testing.T) {
+	walDir := createTestWalDir(t)
+	segmentName := "000000010000000100000001"
+	writeTestSegment(t, walDir, segmentName, []byte("segment data"))
+
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		_, _ = io.ReadAll(r.Body)
+		w.WriteHeader(http.StatusInternalServerError)
+		_, _ = w.Write([]byte(`{"error":"internal server error"}`))
+	}))
+	defer server.Close()
+
+	streamer := newTestStreamer(walDir, server.URL)
+
+	ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second)
+	defer cancel()
+
+	go streamer.Run(ctx)
+	time.Sleep(500 * time.Millisecond)
+	cancel()
+
+	_, err := os.Stat(filepath.Join(walDir, segmentName))
+	assert.NoError(t, err, "segment file should remain in queue after server error")
+}
+
+func Test_ProcessQueue_EmptyDirectory_NoUploads(t *testing.T) {
+	walDir := createTestWalDir(t)
+
+	uploadCount := 0
+
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		uploadCount++
+		w.WriteHeader(http.StatusNoContent)
+	}))
+	defer server.Close()
+
+	streamer := newTestStreamer(walDir, server.URL)
+
+	ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second)
+	defer cancel()
+
+	go streamer.Run(ctx)
+	time.Sleep(500 * time.Millisecond)
+	cancel()
+
+	assert.Equal(t, 0, uploadCount, "no uploads should occur for empty directory")
+}
+
+func Test_Run_ContextCancelled_StopsImmediately(t *testing.T) {
+	walDir := createTestWalDir(t)
+
+	streamer := newTestStreamer(walDir, "http://localhost:0")
+
+	ctx, cancel := context.WithCancel(context.Background())
+	cancel()
+
+	done := make(chan struct{})
+	go func() {
+		streamer.Run(ctx)
+		close(done)
+	}()
+
+	select {
+	case <-done:
+	case <-time.After(2 * time.Second):
+		t.Fatal("Run should have stopped immediately when context is already cancelled")
+	}
+}
+
+func Test_UploadSegment_ServerReturns409_FileNotDeleted(t *testing.T) {
+	walDir := createTestWalDir(t)
+	segmentName := "000000010000000100000005"
+	writeTestSegment(t, walDir, segmentName, []byte("gap segment"))
+
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		_, _ = io.ReadAll(r.Body)
+
+		w.Header().Set("Content-Type", "application/json")
+		w.WriteHeader(http.StatusConflict)
+
+		resp := map[string]string{
+			"error":               "gap_detected",
+			"expectedSegmentName": "000000010000000100000003",
+			"receivedSegmentName": segmentName,
+		}
+		_ = json.NewEncoder(w).Encode(resp)
+	}))
+	defer server.Close()
+
+	streamer := newTestStreamer(walDir, server.URL)
+
+	ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second)
+	defer cancel()
+
+	go streamer.Run(ctx)
+	time.Sleep(500 * time.Millisecond)
+	cancel()
+
+	_, err := os.Stat(filepath.Join(walDir, segmentName))
+	assert.NoError(t, err, "segment file should not be deleted on gap detection")
+}
+
+func newTestStreamer(walDir, serverURL string) *Streamer {
+	cfg := createTestConfig(walDir, serverURL)
+	apiClient := api.NewClient(serverURL, cfg.Token, logger.GetLogger())
+
+	return NewStreamer(cfg, apiClient, logger.GetLogger())
+}
+
+func createTestWalDir(t *testing.T) string {
+	t.Helper()
+
+	baseDir := filepath.Join(".", ".test-tmp")
+	if err := os.MkdirAll(baseDir, 0o755); err != nil {
+		t.Fatalf("failed to create base test dir: %v", err)
+	}
+
+	dir, err := os.MkdirTemp(baseDir, t.Name()+"-*")
+	if err != nil {
+		t.Fatalf("failed to create test wal dir: %v", err)
+	}
+
+	t.Cleanup(func() {
+		_ = os.RemoveAll(dir)
+	})
+
+	return dir
+}
+
+func writeTestSegment(t *testing.T, dir, name string, content []byte) {
+	t.Helper()
+
+	if err := os.WriteFile(filepath.Join(dir, name), content, 0o644); err != nil {
+		t.Fatalf("failed to write test segment %s: %v", name, err)
+	}
+}
+
+func createTestConfig(walDir, serverURL string) *config.Config {
+	isDeleteEnabled := true
+
+	return &config.Config{
+		DatabasusHost:          serverURL,
+		DbID:                   "test-db-id",
+		Token:                  "test-token",
+		PgWalDir:               walDir,
+		IsDeleteWalAfterUpload: &isDeleteEnabled,
+	}
+}
+
+func decompressZstd(t *testing.T, data []byte) []byte {
+	t.Helper()
+
+	decoder, err := zstd.NewReader(nil)
+	require.NoError(t, err)
+	defer decoder.Close()
+
+	decoded, err := decoder.DecodeAll(data, nil)
+	require.NoError(t, err)
+
+	return decoded
+}
--- a/agent/internal/logger/logger.go
+++ b/agent/internal/logger/logger.go
@@ -0,0 +1,119 @@
+package logger
+
+import (
+	"fmt"
+	"io"
+	"log/slog"
+	"os"
+	"sync"
+	"time"
+)
+
+const (
+	logFileName    = "databasus.log"
+	oldLogFileName = "databasus.log.old"
+	maxLogFileSize = 5 * 1024 * 1024 // 5MB
+)
+
+type rotatingWriter struct {
+	mu          sync.Mutex
+	file        *os.File
+	currentSize int64
+	maxSize     int64
+	logPath     string
+	oldLogPath  string
+}
+
+func (w *rotatingWriter) Write(p []byte) (int, error) {
+	w.mu.Lock()
+	defer w.mu.Unlock()
+
+	if w.currentSize+int64(len(p)) > w.maxSize {
+		if err := w.rotate(); err != nil {
+			return 0, fmt.Errorf("failed to rotate log file: %w", err)
+		}
+	}
+
+	n, err := w.file.Write(p)
+	w.currentSize += int64(n)
+
+	return n, err
+}
+
+func (w *rotatingWriter) rotate() error {
+	if err := w.file.Close(); err != nil {
+		return fmt.Errorf("failed to close %s: %w", w.logPath, err)
+	}
+
+	if err := os.Remove(w.oldLogPath); err != nil && !os.IsNotExist(err) {
+		return fmt.Errorf("failed to remove %s: %w", w.oldLogPath, err)
+	}
+
+	if err := os.Rename(w.logPath, w.oldLogPath); err != nil {
+		return fmt.Errorf("failed to rename %s to %s: %w", w.logPath, w.oldLogPath, err)
+	}
+
+	f, err := os.OpenFile(w.logPath, os.O_CREATE|os.O_WRONLY, 0o644)
+	if err != nil {
+		return fmt.Errorf("failed to create new %s: %w", w.logPath, err)
+	}
+
+	w.file = f
+	w.currentSize = 0
+
+	return nil
+}
+
+var (
+	loggerInstance *slog.Logger
+	once           sync.Once
+)
+
+func GetLogger() *slog.Logger {
+	once.Do(func() {
+		initialize()
+	})
+
+	return loggerInstance
+}
+
+func initialize() {
+	writer := buildWriter()
+
+	loggerInstance = slog.New(slog.NewTextHandler(writer, &slog.HandlerOptions{
+		Level: slog.LevelInfo,
+		ReplaceAttr: func(groups []string, a slog.Attr) slog.Attr {
+			if a.Key == slog.TimeKey {
+				a.Value = slog.StringValue(time.Now().Format("2006/01/02 15:04:05"))
+			}
+			if a.Key == slog.LevelKey {
+				return slog.Attr{}
+			}
+
+			return a
+		},
+	}))
+}
+
+func buildWriter() io.Writer {
+	f, err := os.OpenFile(logFileName, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0o644)
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "Warning: failed to open %s for logging: %v\n", logFileName, err)
+		return os.Stdout
+	}
+
+	var currentSize int64
+	if info, err := f.Stat(); err == nil {
+		currentSize = info.Size()
+	}
+
+	rw := &rotatingWriter{
+		file:        f,
+		currentSize: currentSize,
+		maxSize:     maxLogFileSize,
+		logPath:     logFileName,
+		oldLogPath:  oldLogFileName,
+	}
+
+	return io.MultiWriter(os.Stdout, rw)
+}
--- a/agent/internal/logger/logger_test.go
+++ b/agent/internal/logger/logger_test.go
@@ -0,0 +1,128 @@
+package logger
+
+import (
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func Test_Write_DataWrittenToFile(t *testing.T) {
+	rw, logPath, _ := setupRotatingWriter(t, 1024)
+
+	data := []byte("hello world\n")
+	n, err := rw.Write(data)
+
+	require.NoError(t, err)
+	assert.Equal(t, len(data), n)
+	assert.Equal(t, int64(len(data)), rw.currentSize)
+
+	content, err := os.ReadFile(logPath)
+	require.NoError(t, err)
+	assert.Equal(t, string(data), string(content))
+}
+
+func Test_Write_WhenLimitExceeded_FileRotated(t *testing.T) {
+	rw, logPath, oldLogPath := setupRotatingWriter(t, 100)
+
+	firstData := []byte(strings.Repeat("A", 80))
+	_, err := rw.Write(firstData)
+	require.NoError(t, err)
+
+	secondData := []byte(strings.Repeat("B", 30))
+	_, err = rw.Write(secondData)
+	require.NoError(t, err)
+
+	oldContent, err := os.ReadFile(oldLogPath)
+	require.NoError(t, err)
+	assert.Equal(t, string(firstData), string(oldContent))
+
+	newContent, err := os.ReadFile(logPath)
+	require.NoError(t, err)
+	assert.Equal(t, string(secondData), string(newContent))
+
+	assert.Equal(t, int64(len(secondData)), rw.currentSize)
+}
+
+func Test_Write_WhenOldFileExists_OldFileReplaced(t *testing.T) {
+	rw, _, oldLogPath := setupRotatingWriter(t, 100)
+
+	require.NoError(t, os.WriteFile(oldLogPath, []byte("stale data"), 0o644))
+
+	_, err := rw.Write([]byte(strings.Repeat("A", 80)))
+	require.NoError(t, err)
+
+	_, err = rw.Write([]byte(strings.Repeat("B", 30)))
+	require.NoError(t, err)
+
+	oldContent, err := os.ReadFile(oldLogPath)
+	require.NoError(t, err)
+	assert.Equal(t, strings.Repeat("A", 80), string(oldContent))
+}
+
+func Test_Write_MultipleSmallWrites_CurrentSizeAccumulated(t *testing.T) {
+	rw, _, _ := setupRotatingWriter(t, 1024)
+
+	var totalWritten int64
+	for i := 0; i < 10; i++ {
+		data := []byte("line\n")
+		n, err := rw.Write(data)
+		require.NoError(t, err)
+
+		totalWritten += int64(n)
+	}
+
+	assert.Equal(t, totalWritten, rw.currentSize)
+	assert.Equal(t, int64(50), rw.currentSize)
+}
+
+func Test_Write_ExactlyAtBoundary_NoRotationUntilNextByte(t *testing.T) {
+	rw, logPath, oldLogPath := setupRotatingWriter(t, 100)
+
+	exactData := []byte(strings.Repeat("X", 100))
+	_, err := rw.Write(exactData)
+	require.NoError(t, err)
+
+	_, err = os.Stat(oldLogPath)
+	assert.True(t, os.IsNotExist(err), ".old file should not exist yet")
+
+	content, err := os.ReadFile(logPath)
+	require.NoError(t, err)
+	assert.Equal(t, string(exactData), string(content))
+
+	_, err = rw.Write([]byte("Z"))
+	require.NoError(t, err)
+
+	_, err = os.Stat(oldLogPath)
+	assert.NoError(t, err, ".old file should exist after exceeding limit")
+
+	assert.Equal(t, int64(1), rw.currentSize)
+}
+
+func setupRotatingWriter(t *testing.T, maxSize int64) (*rotatingWriter, string, string) {
+	t.Helper()
+
+	dir := t.TempDir()
+	logPath := filepath.Join(dir, "test.log")
+	oldLogPath := filepath.Join(dir, "test.log.old")
+
+	f, err := os.OpenFile(logPath, os.O_CREATE|os.O_WRONLY, 0o644)
+	require.NoError(t, err)
+
+	rw := &rotatingWriter{
+		file:        f,
+		currentSize: 0,
+		maxSize:     maxSize,
+		logPath:     logPath,
+		oldLogPath:  oldLogPath,
+	}
+
+	t.Cleanup(func() {
+		rw.file.Close()
+	})
+
+	return rw, logPath, oldLogPath
+}
--- a/backend/.env.development.example
+++ b/backend/.env.development.example
@@ -11,6 +11,9 @@ VICTORIA_LOGS_PASSWORD=devpassword
 # tests
 TEST_LOCALHOST=localhost
 IS_SKIP_EXTERNAL_RESOURCES_TESTS=false
+# cloudflare turnstile
+CLOUDFLARE_TURNSTILE_SITE_KEY=
+CLOUDFLARE_TURNSTILE_SECRET_KEY=
 # db
 DATABASE_DSN=host=dev-db user=postgres password=Q1234567 dbname=databasus port=5437 sslmode=disable
 DATABASE_URL=postgres://postgres:Q1234567@dev-db:5437/databasus?sslmode=disable
--- a/backend/.golangci.yml
+++ b/backend/.golangci.yml
@@ -7,6 +7,16 @@ run:

 linters:
  default: standard
+  enable:
+    - funcorder
+    - bodyclose
+    - errorlint
+    - gocritic
+    - unconvert
+    - misspell
+    - errname
+    - noctx
+    - modernize

  settings:
    errcheck:
@@ -14,6 +24,18 @@ linters:

 formatters:
  enable:
-    - gofmt
+    - gofumpt
    - golines
-    - goimports
+    - gci
+
+  settings:
+    golines:
+      max-len: 120
+    gofumpt:
+      module-path: databasus-backend
+      extra-rules: true
+    gci:
+      sections:
+        - standard
+        - default
+        - localmodule
--- a/backend/cmd/main.go
+++ b/backend/cmd/main.go
@@ -12,11 +12,18 @@ import (
 	"syscall"
 	"time"

+	"github.com/gin-contrib/cors"
+	"github.com/gin-contrib/gzip"
+	"github.com/gin-gonic/gin"
+	swaggerFiles "github.com/swaggo/files"
+	ginSwagger "github.com/swaggo/gin-swagger"
+
 	"databasus-backend/internal/config"
 	"databasus-backend/internal/features/audit_logs"
-	"databasus-backend/internal/features/backups/backups"
 	"databasus-backend/internal/features/backups/backups/backuping"
+	backups_controllers "databasus-backend/internal/features/backups/backups/controllers"
 	backups_download "databasus-backend/internal/features/backups/backups/download"
+	backups_services "databasus-backend/internal/features/backups/backups/services"
 	backups_config "databasus-backend/internal/features/backups/config"
 	"databasus-backend/internal/features/databases"
 	"databasus-backend/internal/features/disk"
@@ -27,7 +34,9 @@ import (
 	"databasus-backend/internal/features/restores"
 	"databasus-backend/internal/features/restores/restoring"
 	"databasus-backend/internal/features/storages"
+	system_agent "databasus-backend/internal/features/system/agent"
 	system_healthcheck "databasus-backend/internal/features/system/healthcheck"
+	system_version "databasus-backend/internal/features/system/version"
 	task_cancellation "databasus-backend/internal/features/tasks/cancellation"
 	users_controllers "databasus-backend/internal/features/users/controllers"
 	users_middleware "databasus-backend/internal/features/users/middleware"
@@ -38,12 +47,6 @@ import (
 	files_utils "databasus-backend/internal/util/files"
 	"databasus-backend/internal/util/logger"
 	_ "databasus-backend/swagger" // swagger docs
-
-	"github.com/gin-contrib/cors"
-	"github.com/gin-contrib/gzip"
-	"github.com/gin-gonic/gin"
-	swaggerFiles "github.com/swaggo/files"
-	ginSwagger "github.com/swaggo/gin-swagger"
 )

 // @title Databasus Backend API
@@ -80,7 +83,6 @@ func main() {
 		config.GetEnv().TempFolder,
 		config.GetEnv().DataFolder,
 	})
-
 	if err != nil {
 		log.Error("Failed to ensure directories", "error", err)
 		os.Exit(1)
@@ -147,7 +149,7 @@ func handlePasswordReset(log *slog.Logger) {
 	resetPassword(*email, *newPassword, log)
 }

-func resetPassword(email string, newPassword string, log *slog.Logger) {
+func resetPassword(email, newPassword string, log *slog.Logger) {
 	log.Info("Resetting password...")

 	userService := users_services.GetUserService()
@@ -209,7 +211,11 @@ func setUpRoutes(r *gin.Engine) {
 	userController := users_controllers.GetUserController()
 	userController.RegisterRoutes(v1)
 	system_healthcheck.GetHealthcheckController().RegisterRoutes(v1)
-	backups.GetBackupController().RegisterPublicRoutes(v1)
+	system_version.GetVersionController().RegisterRoutes(v1)
+	system_agent.GetAgentController().RegisterRoutes(v1)
+	backups_controllers.GetBackupController().RegisterPublicRoutes(v1)
+	backups_controllers.GetPostgresWalBackupController().RegisterRoutes(v1)
+	databases.GetDatabaseController().RegisterPublicRoutes(v1)

 	// Setup auth middleware
 	userService := users_services.GetUserService()
@@ -226,7 +232,7 @@ func setUpRoutes(r *gin.Engine) {
 	notifiers.GetNotifierController().RegisterRoutes(protected)
 	storages.GetStorageController().RegisterRoutes(protected)
 	databases.GetDatabaseController().RegisterRoutes(protected)
-	backups.GetBackupController().RegisterRoutes(protected)
+	backups_controllers.GetBackupController().RegisterRoutes(protected)
 	restores.GetRestoreController().RegisterRoutes(protected)
 	healthcheck_config.GetHealthcheckConfigController().RegisterRoutes(protected)
 	healthcheck_attempt.GetHealthcheckAttemptController().RegisterRoutes(protected)
@@ -238,7 +244,7 @@ func setUpRoutes(r *gin.Engine) {

 func setUpDependencies() {
 	databases.SetupDependencies()
-	backups.SetupDependencies()
+	backups_services.SetupDependencies()
 	restores.SetupDependencies()
 	healthcheck_config.SetupDependencies()
 	audit_logs.SetupDependencies()
@@ -347,7 +353,9 @@ func generateSwaggerDocs(log *slog.Logger) {
 		return
 	}

-	cmd := exec.Command("swag", "init", "-d", currentDir, "-g", "cmd/main.go", "-o", "swagger")
+	cmd := exec.CommandContext(
+		context.Background(), "swag", "init", "-d", currentDir, "-g", "cmd/main.go", "-o", "swagger",
+	)

 	output, err := cmd.CombinedOutput()
 	if err != nil {
@@ -361,7 +369,7 @@ func generateSwaggerDocs(log *slog.Logger) {
 func runMigrations(log *slog.Logger) {
 	log.Info("Running database migrations...")

-	cmd := exec.Command("goose", "-dir", "./migrations", "up")
+	cmd := exec.CommandContext(context.Background(), "goose", "-dir", "./migrations", "up")
 	cmd.Env = append(
 		os.Environ(),
 		"GOOSE_DRIVER=postgres",
--- a/backend/go.mod
+++ b/backend/go.mod
@@ -1,6 +1,6 @@
 module databasus-backend

-go 1.24.9
+go 1.26.1

 require (
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.20.0
--- a/backend/internal/config/config.go
+++ b/backend/internal/config/config.go
@@ -1,9 +1,6 @@
 package config

 import (
-	env_utils "databasus-backend/internal/util/env"
-	"databasus-backend/internal/util/logger"
-	"databasus-backend/internal/util/tools"
 	"os"
 	"path/filepath"
 	"strings"
@@ -11,6 +8,10 @@ import (

 	"github.com/ilyakaznacheev/cleanenv"
 	"github.com/joho/godotenv"
+
+	env_utils "databasus-backend/internal/util/env"
+	"databasus-backend/internal/util/logger"
+	"databasus-backend/internal/util/tools"
 )

 var log = logger.GetLogger()
@@ -29,7 +30,7 @@ type EnvVariables struct {
 	MongodbInstallDir    string            `env:"MONGODB_INSTALL_DIR"`

 	// Internal database
-	DatabaseDsn string `env:"DATABASE_DSN"    required:"true"`
+	DatabaseDsn string `env:"DATABASE_DSN" required:"true"`
 	// Internal Valkey
 	ValkeyHost     string `env:"VALKEY_HOST"     required:"true"`
 	ValkeyPort     string `env:"VALKEY_PORT"     required:"true"`
@@ -104,6 +105,10 @@ type EnvVariables struct {
 	GoogleClientID     string `env:"GOOGLE_CLIENT_ID"`
 	GoogleClientSecret string `env:"GOOGLE_CLIENT_SECRET"`

+	// Cloudflare Turnstile
+	CloudflareTurnstileSecretKey string `env:"CLOUDFLARE_TURNSTILE_SECRET_KEY"`
+	CloudflareTurnstileSiteKey   string `env:"CLOUDFLARE_TURNSTILE_SITE_KEY"`
+
 	// testing Telegram
 	TestTelegramBotToken string `env:"TEST_TELEGRAM_BOT_TOKEN"`
 	TestTelegramChatID   string `env:"TEST_TELEGRAM_CHAT_ID"`
@@ -120,6 +125,7 @@ type EnvVariables struct {
 	SMTPPort     int    `env:"SMTP_PORT"`
 	SMTPUser     string `env:"SMTP_USER"`
 	SMTPPassword string `env:"SMTP_PASSWORD"`
+	SMTPFrom     string `env:"SMTP_FROM"`

 	// Application URL (optional) - used for email links
 	DatabasusURL string `env:"DATABASUS_URL"`
--- a/backend/internal/features/audit_logs/background_service_test.go
+++ b/backend/internal/features/audit_logs/background_service_test.go
@@ -1,17 +1,17 @@
 package audit_logs

 import (
-	"databasus-backend/internal/storage"
 	"fmt"
 	"testing"
 	"time"

-	user_enums "databasus-backend/internal/features/users/enums"
-	users_testing "databasus-backend/internal/features/users/testing"
-
 	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
 	"gorm.io/gorm"
+
+	user_enums "databasus-backend/internal/features/users/enums"
+	users_testing "databasus-backend/internal/features/users/testing"
+	"databasus-backend/internal/storage"
 )

 func Test_CleanOldAuditLogs_DeletesLogsOlderThanOneYear(t *testing.T) {
--- a/backend/internal/features/audit_logs/controller.go
+++ b/backend/internal/features/audit_logs/controller.go
@@ -4,10 +4,10 @@ import (
 	"errors"
 	"net/http"

-	user_models "databasus-backend/internal/features/users/models"
-
 	"github.com/gin-gonic/gin"
 	"github.com/google/uuid"
+
+	user_models "databasus-backend/internal/features/users/models"
 )

 type AuditLogController struct {
--- a/backend/internal/features/audit_logs/controller_test.go
+++ b/backend/internal/features/audit_logs/controller_test.go
@@ -6,15 +6,15 @@ import (
 	"testing"
 	"time"

+	"github.com/gin-gonic/gin"
+	"github.com/google/uuid"
+	"github.com/stretchr/testify/assert"
+
 	user_enums "databasus-backend/internal/features/users/enums"
 	users_middleware "databasus-backend/internal/features/users/middleware"
 	users_services "databasus-backend/internal/features/users/services"
 	users_testing "databasus-backend/internal/features/users/testing"
 	test_utils "databasus-backend/internal/util/testing"
-
-	"github.com/gin-gonic/gin"
-	"github.com/google/uuid"
-	"github.com/stretchr/testify/assert"
 )

 func Test_GetGlobalAuditLogs_WithDifferentUserRoles_EnforcesPermissionsCorrectly(t *testing.T) {
--- a/backend/internal/features/audit_logs/di.go
+++ b/backend/internal/features/audit_logs/di.go
@@ -8,14 +8,18 @@ import (
 	"databasus-backend/internal/util/logger"
 )

-var auditLogRepository = &AuditLogRepository{}
-var auditLogService = &AuditLogService{
-	auditLogRepository,
-	logger.GetLogger(),
-}
+var (
+	auditLogRepository = &AuditLogRepository{}
+	auditLogService    = &AuditLogService{
+		auditLogRepository,
+		logger.GetLogger(),
+	}
+)
+
 var auditLogController = &AuditLogController{
 	auditLogService,
 }
+
 var auditLogBackgroundService = &AuditLogBackgroundService{
 	auditLogService: auditLogService,
 	logger:          logger.GetLogger(),
--- a/backend/internal/features/audit_logs/repository.go
+++ b/backend/internal/features/audit_logs/repository.go
@@ -1,10 +1,11 @@
 package audit_logs

 import (
-	"databasus-backend/internal/storage"
 	"time"

 	"github.com/google/uuid"
+
+	"databasus-backend/internal/storage"
 )

 type AuditLogRepository struct{}
@@ -21,7 +22,7 @@ func (r *AuditLogRepository) GetGlobal(
 	limit, offset int,
 	beforeDate *time.Time,
 ) ([]*AuditLogDTO, error) {
-	var auditLogs = make([]*AuditLogDTO, 0)
+	auditLogs := make([]*AuditLogDTO, 0)

 	sql := `
 		SELECT 
@@ -37,7 +38,7 @@ func (r *AuditLogRepository) GetGlobal(
 		LEFT JOIN users u ON al.user_id = u.id
 		LEFT JOIN workspaces w ON al.workspace_id = w.id`

-	args := []interface{}{}
+	args := []any{}

 	if beforeDate != nil {
 		sql += " WHERE al.created_at < ?"
@@ -57,7 +58,7 @@ func (r *AuditLogRepository) GetByUser(
 	limit, offset int,
 	beforeDate *time.Time,
 ) ([]*AuditLogDTO, error) {
-	var auditLogs = make([]*AuditLogDTO, 0)
+	auditLogs := make([]*AuditLogDTO, 0)

 	sql := `
 		SELECT 
@@ -74,7 +75,7 @@ func (r *AuditLogRepository) GetByUser(
 		LEFT JOIN workspaces w ON al.workspace_id = w.id
 		WHERE al.user_id = ?`

-	args := []interface{}{userID}
+	args := []any{userID}

 	if beforeDate != nil {
 		sql += " AND al.created_at < ?"
@@ -94,7 +95,7 @@ func (r *AuditLogRepository) GetByWorkspace(
 	limit, offset int,
 	beforeDate *time.Time,
 ) ([]*AuditLogDTO, error) {
-	var auditLogs = make([]*AuditLogDTO, 0)
+	auditLogs := make([]*AuditLogDTO, 0)

 	sql := `
 		SELECT 
@@ -111,7 +112,7 @@ func (r *AuditLogRepository) GetByWorkspace(
 		LEFT JOIN workspaces w ON al.workspace_id = w.id
 		WHERE al.workspace_id = ?`

-	args := []interface{}{workspaceID}
+	args := []any{workspaceID}

 	if beforeDate != nil {
 		sql += " AND al.created_at < ?"
--- a/backend/internal/features/audit_logs/service.go
+++ b/backend/internal/features/audit_logs/service.go
@@ -4,10 +4,10 @@ import (
 	"log/slog"
 	"time"

+	"github.com/google/uuid"
+
 	user_enums "databasus-backend/internal/features/users/enums"
 	user_models "databasus-backend/internal/features/users/models"
-
-	"github.com/google/uuid"
 )

 type AuditLogService struct {
--- a/backend/internal/features/audit_logs/service_test.go
+++ b/backend/internal/features/audit_logs/service_test.go
@@ -4,11 +4,11 @@ import (
 	"testing"
 	"time"

-	user_enums "databasus-backend/internal/features/users/enums"
-	users_testing "databasus-backend/internal/features/users/testing"
-
 	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
+
+	user_enums "databasus-backend/internal/features/users/enums"
+	users_testing "databasus-backend/internal/features/users/testing"
 )

 func Test_AuditLogs_WorkspaceSpecificLogs(t *testing.T) {
--- a/backend/internal/features/backups/backups/backuping/backuper.go
+++ b/backend/internal/features/backups/backups/backuping/backuper.go
@@ -1,7 +1,9 @@
 package backuping

 import (
+	"bytes"
 	"context"
+	"encoding/json"
 	"errors"
 	"fmt"
 	"log/slog"
@@ -196,7 +198,7 @@ func (n *BackuperNode) MakeBackup(backupID uuid.UUID, isCallNotifier bool) {

 	backupMetadata, err := n.createBackupUseCase.Execute(
 		ctx,
-		backup.ID,
+		backup,
 		backupConfig,
 		database,
 		storage,
@@ -263,7 +265,7 @@ func (n *BackuperNode) MakeBackup(backupID uuid.UUID, isCallNotifier bool) {
 			// Delete partial backup from storage
 			storage, storageErr := n.storageService.GetStorageByID(backup.StorageID)
 			if storageErr == nil {
-				if deleteErr := storage.DeleteFile(n.fieldEncryptor, backup.ID); deleteErr != nil {
+				if deleteErr := storage.DeleteFile(n.fieldEncryptor, backup.FileName); deleteErr != nil {
 					n.logger.Error(
 						"Failed to delete partial backup file",
 						"backupId",
@@ -311,6 +313,13 @@ func (n *BackuperNode) MakeBackup(backupID uuid.UUID, isCallNotifier bool) {

 	// Update backup with encryption metadata if provided
 	if backupMetadata != nil {
+		backupMetadata.BackupID = backup.ID
+
+		if err := backupMetadata.Validate(); err != nil {
+			n.logger.Error("Failed to validate backup metadata", "error", err)
+			return
+		}
+
 		backup.EncryptionSalt = backupMetadata.EncryptionSalt
 		backup.EncryptionIV = backupMetadata.EncryptionIV
 		backup.Encryption = backupMetadata.Encryption
@@ -321,6 +330,39 @@ func (n *BackuperNode) MakeBackup(backupID uuid.UUID, isCallNotifier bool) {
 		return
 	}

+	// Save metadata file to storage
+	if backupMetadata != nil {
+		metadataJSON, err := json.Marshal(backupMetadata)
+		if err != nil {
+			n.logger.Error("Failed to marshal backup metadata to JSON",
+				"backupId", backup.ID,
+				"error", err,
+			)
+		} else {
+			metadataReader := bytes.NewReader(metadataJSON)
+			metadataFileName := backup.FileName + ".metadata"
+
+			if err := storage.SaveFile(
+				context.Background(),
+				n.fieldEncryptor,
+				n.logger,
+				metadataFileName,
+				metadataReader,
+			); err != nil {
+				n.logger.Error("Failed to save backup metadata file to storage",
+					"backupId", backup.ID,
+					"fileName", metadataFileName,
+					"error", err,
+				)
+			} else {
+				n.logger.Info("Backup metadata file saved successfully",
+					"backupId", backup.ID,
+					"fileName", metadataFileName,
+				)
+			}
+		}
+	}
+
 	// Update database last backup time
 	now := time.Now().UTC()
 	if updateErr := n.databaseService.SetLastBackupTime(databaseID, now); updateErr != nil {
--- a/backend/internal/features/backups/backups/backuping/backuper_test.go
+++ b/backend/internal/features/backups/backups/backuping/backuper_test.go
@@ -5,6 +5,9 @@ import (
 	"testing"
 	"time"

+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/mock"
+
 	backups_core "databasus-backend/internal/features/backups/backups/core"
 	backups_config "databasus-backend/internal/features/backups/config"
 	"databasus-backend/internal/features/databases"
@@ -14,9 +17,6 @@ import (
 	users_testing "databasus-backend/internal/features/users/testing"
 	workspaces_testing "databasus-backend/internal/features/workspaces/testing"
 	cache_utils "databasus-backend/internal/util/cache"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/mock"
 )

 func Test_BackupExecuted_NotificationSent(t *testing.T) {
--- a/backend/internal/features/backups/backups/backuping/cleaner.go
+++ b/backend/internal/features/backups/backups/backuping/cleaner.go
@@ -18,7 +18,8 @@ import (
 )

 const (
-	cleanerTickerInterval = 1 * time.Minute
+	cleanerTickerInterval   = 1 * time.Minute
+	recentBackupGracePeriod = 60 * time.Minute
 )

 type BackupCleaner struct {
@@ -51,13 +52,17 @@ func (c *BackupCleaner) Run(ctx context.Context) {
 			case <-ctx.Done():
 				return
 			case <-ticker.C:
-				if err := c.cleanOldBackups(); err != nil {
-					c.logger.Error("Failed to clean old backups", "error", err)
+				if err := c.cleanByRetentionPolicy(); err != nil {
+					c.logger.Error("Failed to clean backups by retention policy", "error", err)
 				}

 				if err := c.cleanExceededBackups(); err != nil {
 					c.logger.Error("Failed to clean exceeded backups", "error", err)
 				}
+
+				if err := c.cleanStaleUploadedBasebackups(); err != nil {
+					c.logger.Error("Failed to clean stale uploaded basebackups", "error", err)
+				}
 			}
 		}
 	})
@@ -79,8 +84,7 @@ func (c *BackupCleaner) DeleteBackup(backup *backups_core.Backup) error {
 		return err
 	}

-	err = storage.DeleteFile(c.fieldEncryptor, backup.ID)
-	if err != nil {
+	if err := storage.DeleteFile(c.fieldEncryptor, backup.FileName); err != nil {
 		// we do not return error here, because sometimes clean up performed
 		// before unavailable storage removal or change - therefore we should
 		// proceed even in case of error. It's possible that some S3 or
@@ -88,6 +92,11 @@ func (c *BackupCleaner) DeleteBackup(backup *backups_core.Backup) error {
 		c.logger.Error("Failed to delete backup file", "error", err)
 	}

+	metadataFileName := backup.FileName + ".metadata"
+	if err := storage.DeleteFile(c.fieldEncryptor, metadataFileName); err != nil {
+		c.logger.Error("Failed to delete backup metadata file", "error", err)
+	}
+
 	return c.backupRepository.DeleteByID(backup.ID)
 }

@@ -95,49 +104,91 @@ func (c *BackupCleaner) AddBackupRemoveListener(listener backups_core.BackupRemo
 	c.backupRemoveListeners = append(c.backupRemoveListeners, listener)
 }

-func (c *BackupCleaner) cleanOldBackups() error {
+func (c *BackupCleaner) cleanStaleUploadedBasebackups() error {
+	staleBackups, err := c.backupRepository.FindStaleUploadedBasebackups(
+		time.Now().UTC().Add(-10 * time.Minute),
+	)
+	if err != nil {
+		return fmt.Errorf("failed to find stale uploaded basebackups: %w", err)
+	}
+
+	for _, backup := range staleBackups {
+		staleStorage, storageErr := c.storageService.GetStorageByID(backup.StorageID)
+		if storageErr != nil {
+			c.logger.Error(
+				"Failed to get storage for stale basebackup cleanup",
+				"backupId", backup.ID,
+				"storageId", backup.StorageID,
+				"error", storageErr,
+			)
+		} else {
+			if err := staleStorage.DeleteFile(c.fieldEncryptor, backup.FileName); err != nil {
+				c.logger.Error(
+					"Failed to delete stale basebackup file",
+					"backupId", backup.ID,
+					"fileName", backup.FileName,
+					"error", err,
+				)
+			}
+
+			metadataFileName := backup.FileName + ".metadata"
+			if err := staleStorage.DeleteFile(c.fieldEncryptor, metadataFileName); err != nil {
+				c.logger.Error(
+					"Failed to delete stale basebackup metadata file",
+					"backupId", backup.ID,
+					"fileName", metadataFileName,
+					"error", err,
+				)
+			}
+		}
+
+		failMsg := "basebackup finalization timed out after 10 minutes"
+		backup.Status = backups_core.BackupStatusFailed
+		backup.FailMessage = &failMsg
+
+		if err := c.backupRepository.Save(backup); err != nil {
+			c.logger.Error(
+				"Failed to mark stale uploaded basebackup as failed",
+				"backupId", backup.ID,
+				"error", err,
+			)
+			continue
+		}
+
+		c.logger.Info(
+			"Marked stale uploaded basebackup as failed and cleaned storage",
+			"backupId", backup.ID,
+			"databaseId", backup.DatabaseID,
+		)
+	}
+
+	return nil
+}
+
+func (c *BackupCleaner) cleanByRetentionPolicy() error {
 	enabledBackupConfigs, err := c.backupConfigService.GetBackupConfigsWithEnabledBackups()
 	if err != nil {
 		return err
 	}

 	for _, backupConfig := range enabledBackupConfigs {
-		backupStorePeriod := backupConfig.StorePeriod
+		var cleanErr error

-		if backupStorePeriod == period.PeriodForever {
-			continue
+		switch backupConfig.RetentionPolicyType {
+		case backups_config.RetentionPolicyTypeCount:
+			cleanErr = c.cleanByCount(backupConfig)
+		case backups_config.RetentionPolicyTypeGFS:
+			cleanErr = c.cleanByGFS(backupConfig)
+		default:
+			cleanErr = c.cleanByTimePeriod(backupConfig)
 		}

-		storeDuration := backupStorePeriod.ToDuration()
-		dateBeforeBackupsShouldBeDeleted := time.Now().UTC().Add(-storeDuration)
-
-		oldBackups, err := c.backupRepository.FindBackupsBeforeDate(
-			backupConfig.DatabaseID,
-			dateBeforeBackupsShouldBeDeleted,
-		)
-		if err != nil {
+		if cleanErr != nil {
 			c.logger.Error(
-				"Failed to find old backups for database",
-				"databaseId",
-				backupConfig.DatabaseID,
-				"error",
-				err,
-			)
-			continue
-		}
-
-		for _, backup := range oldBackups {
-			if err := c.DeleteBackup(backup); err != nil {
-				c.logger.Error("Failed to delete old backup", "backupId", backup.ID, "error", err)
-				continue
-			}
-
-			c.logger.Info(
-				"Deleted old backup",
-				"backupId",
-				backup.ID,
-				"databaseId",
-				backupConfig.DatabaseID,
+				"Failed to clean backups by retention policy",
+				"databaseId", backupConfig.DatabaseID,
+				"policy", backupConfig.RetentionPolicyType,
+				"error", cleanErr,
 			)
 		}
 	}
@@ -174,6 +225,158 @@ func (c *BackupCleaner) cleanExceededBackups() error {
 	return nil
 }

+func (c *BackupCleaner) cleanByTimePeriod(backupConfig *backups_config.BackupConfig) error {
+	if backupConfig.RetentionTimePeriod == "" {
+		return nil
+	}
+
+	if backupConfig.RetentionTimePeriod == period.PeriodForever {
+		return nil
+	}
+
+	storeDuration := backupConfig.RetentionTimePeriod.ToDuration()
+	dateBeforeBackupsShouldBeDeleted := time.Now().UTC().Add(-storeDuration)
+
+	oldBackups, err := c.backupRepository.FindBackupsBeforeDate(
+		backupConfig.DatabaseID,
+		dateBeforeBackupsShouldBeDeleted,
+	)
+	if err != nil {
+		return fmt.Errorf(
+			"failed to find old backups for database %s: %w",
+			backupConfig.DatabaseID,
+			err,
+		)
+	}
+
+	for _, backup := range oldBackups {
+		if isRecentBackup(backup) {
+			continue
+		}
+
+		if err := c.DeleteBackup(backup); err != nil {
+			c.logger.Error("Failed to delete old backup", "backupId", backup.ID, "error", err)
+			continue
+		}
+
+		c.logger.Info(
+			"Deleted old backup",
+			"backupId", backup.ID,
+			"databaseId", backupConfig.DatabaseID,
+		)
+	}
+
+	return nil
+}
+
+func (c *BackupCleaner) cleanByCount(backupConfig *backups_config.BackupConfig) error {
+	if backupConfig.RetentionCount <= 0 {
+		return nil
+	}
+
+	completedBackups, err := c.backupRepository.FindByDatabaseIdAndStatus(
+		backupConfig.DatabaseID,
+		backups_core.BackupStatusCompleted,
+	)
+	if err != nil {
+		return fmt.Errorf(
+			"failed to find completed backups for database %s: %w",
+			backupConfig.DatabaseID,
+			err,
+		)
+	}
+
+	// completedBackups are ordered newest first; delete everything beyond position RetentionCount
+	if len(completedBackups) <= backupConfig.RetentionCount {
+		return nil
+	}
+
+	toDelete := completedBackups[backupConfig.RetentionCount:]
+	for _, backup := range toDelete {
+		if isRecentBackup(backup) {
+			continue
+		}
+
+		if err := c.DeleteBackup(backup); err != nil {
+			c.logger.Error(
+				"Failed to delete backup by count policy",
+				"backupId",
+				backup.ID,
+				"error",
+				err,
+			)
+			continue
+		}
+
+		c.logger.Info(
+			"Deleted backup by count policy",
+			"backupId", backup.ID,
+			"databaseId", backupConfig.DatabaseID,
+			"retentionCount", backupConfig.RetentionCount,
+		)
+	}
+
+	return nil
+}
+
+func (c *BackupCleaner) cleanByGFS(backupConfig *backups_config.BackupConfig) error {
+	if backupConfig.RetentionGfsHours <= 0 && backupConfig.RetentionGfsDays <= 0 &&
+		backupConfig.RetentionGfsWeeks <= 0 && backupConfig.RetentionGfsMonths <= 0 &&
+		backupConfig.RetentionGfsYears <= 0 {
+		return nil
+	}
+
+	completedBackups, err := c.backupRepository.FindByDatabaseIdAndStatus(
+		backupConfig.DatabaseID,
+		backups_core.BackupStatusCompleted,
+	)
+	if err != nil {
+		return fmt.Errorf(
+			"failed to find completed backups for database %s: %w",
+			backupConfig.DatabaseID,
+			err,
+		)
+	}
+
+	keepSet := buildGFSKeepSet(
+		completedBackups,
+		backupConfig.RetentionGfsHours,
+		backupConfig.RetentionGfsDays,
+		backupConfig.RetentionGfsWeeks,
+		backupConfig.RetentionGfsMonths,
+		backupConfig.RetentionGfsYears,
+	)
+
+	for _, backup := range completedBackups {
+		if keepSet[backup.ID] {
+			continue
+		}
+
+		if isRecentBackup(backup) {
+			continue
+		}
+
+		if err := c.DeleteBackup(backup); err != nil {
+			c.logger.Error(
+				"Failed to delete backup by GFS policy",
+				"backupId",
+				backup.ID,
+				"error",
+				err,
+			)
+			continue
+		}
+
+		c.logger.Info(
+			"Deleted backup by GFS policy",
+			"backupId", backup.ID,
+			"databaseId", backupConfig.DatabaseID,
+		)
+	}
+
+	return nil
+}
+
 func (c *BackupCleaner) cleanExceededBackupsForDatabase(
 	databaseID uuid.UUID,
 	limitperDbMB int64,
@@ -210,6 +413,21 @@ func (c *BackupCleaner) cleanExceededBackupsForDatabase(
 		}

 		backup := oldestBackups[0]
+		if isRecentBackup(backup) {
+			c.logger.Warn(
+				"Oldest backup is too recent to delete, stopping size cleanup",
+				"databaseId",
+				databaseID,
+				"backupId",
+				backup.ID,
+				"totalSizeMB",
+				backupsTotalSizeMB,
+				"limitMB",
+				limitperDbMB,
+			)
+			break
+		}
+
 		if err := c.DeleteBackup(backup); err != nil {
 			c.logger.Error(
 				"Failed to delete exceeded backup",
@@ -240,3 +458,128 @@ func (c *BackupCleaner) cleanExceededBackupsForDatabase(

 	return nil
 }
+
+func isRecentBackup(backup *backups_core.Backup) bool {
+	return time.Since(backup.CreatedAt) < recentBackupGracePeriod
+}
+
+// buildGFSKeepSet determines which backups to retain under the GFS rotation scheme.
+// Backups must be sorted newest-first. A backup can fill multiple slots simultaneously
+// (e.g. the newest backup of a year also fills the monthly, weekly, daily, and hourly slot).
+func buildGFSKeepSet(
+	backups []*backups_core.Backup,
+	hours, days, weeks, months, years int,
+) map[uuid.UUID]bool {
+	keep := make(map[uuid.UUID]bool)
+
+	if len(backups) == 0 {
+		return keep
+	}
+
+	hoursSeen := make(map[string]bool)
+	daysSeen := make(map[string]bool)
+	weeksSeen := make(map[string]bool)
+	monthsSeen := make(map[string]bool)
+	yearsSeen := make(map[string]bool)
+
+	hoursKept, daysKept, weeksKept, monthsKept, yearsKept := 0, 0, 0, 0, 0
+
+	// Compute per-level time-window cutoffs so higher-frequency slots
+	// cannot absorb backups that belong to lower-frequency levels.
+	ref := backups[0].CreatedAt
+
+	rawHourlyCutoff := ref.Add(-time.Duration(hours) * time.Hour)
+	rawDailyCutoff := ref.Add(-time.Duration(days) * 24 * time.Hour)
+	rawWeeklyCutoff := ref.Add(-time.Duration(weeks) * 7 * 24 * time.Hour)
+	rawMonthlyCutoff := ref.AddDate(0, -months, 0)
+	rawYearlyCutoff := ref.AddDate(-years, 0, 0)
+
+	// Hierarchical capping: each level's window cannot extend further back
+	// than the nearest active lower-frequency level's window.
+	yearlyCutoff := rawYearlyCutoff
+
+	monthlyCutoff := rawMonthlyCutoff
+	if years > 0 {
+		monthlyCutoff = laterOf(monthlyCutoff, yearlyCutoff)
+	}
+
+	weeklyCutoff := rawWeeklyCutoff
+	if months > 0 {
+		weeklyCutoff = laterOf(weeklyCutoff, monthlyCutoff)
+	} else if years > 0 {
+		weeklyCutoff = laterOf(weeklyCutoff, yearlyCutoff)
+	}
+
+	dailyCutoff := rawDailyCutoff
+	switch {
+	case weeks > 0:
+		dailyCutoff = laterOf(dailyCutoff, weeklyCutoff)
+	case months > 0:
+		dailyCutoff = laterOf(dailyCutoff, monthlyCutoff)
+	case years > 0:
+		dailyCutoff = laterOf(dailyCutoff, yearlyCutoff)
+	}
+
+	hourlyCutoff := rawHourlyCutoff
+	switch {
+	case days > 0:
+		hourlyCutoff = laterOf(hourlyCutoff, dailyCutoff)
+	case weeks > 0:
+		hourlyCutoff = laterOf(hourlyCutoff, weeklyCutoff)
+	case months > 0:
+		hourlyCutoff = laterOf(hourlyCutoff, monthlyCutoff)
+	case years > 0:
+		hourlyCutoff = laterOf(hourlyCutoff, yearlyCutoff)
+	}
+
+	for _, backup := range backups {
+		t := backup.CreatedAt
+
+		hourKey := t.Format("2006-01-02-15")
+		dayKey := t.Format("2006-01-02")
+		weekYear, week := t.ISOWeek()
+		weekKey := fmt.Sprintf("%d-%02d", weekYear, week)
+		monthKey := t.Format("2006-01")
+		yearKey := t.Format("2006")
+
+		if hours > 0 && hoursKept < hours && !hoursSeen[hourKey] && t.After(hourlyCutoff) {
+			keep[backup.ID] = true
+			hoursSeen[hourKey] = true
+			hoursKept++
+		}
+
+		if days > 0 && daysKept < days && !daysSeen[dayKey] && t.After(dailyCutoff) {
+			keep[backup.ID] = true
+			daysSeen[dayKey] = true
+			daysKept++
+		}
+
+		if weeks > 0 && weeksKept < weeks && !weeksSeen[weekKey] && t.After(weeklyCutoff) {
+			keep[backup.ID] = true
+			weeksSeen[weekKey] = true
+			weeksKept++
+		}
+
+		if months > 0 && monthsKept < months && !monthsSeen[monthKey] && t.After(monthlyCutoff) {
+			keep[backup.ID] = true
+			monthsSeen[monthKey] = true
+			monthsKept++
+		}
+
+		if years > 0 && yearsKept < years && !yearsSeen[yearKey] && t.After(yearlyCutoff) {
+			keep[backup.ID] = true
+			yearsSeen[yearKey] = true
+			yearsKept++
+		}
+	}
+
+	return keep
+}
+
+func laterOf(a, b time.Time) time.Time {
+	if a.After(b) {
+		return a
+	}
+
+	return b
+}
--- a/backend/internal/features/backups/backups/backuping/cleaner_gfs_test.go
+++ b/backend/internal/features/backups/backups/backuping/cleaner_gfs_test.go
--- a/backend/internal/features/backups/backups/backuping/cleaner_test.go
+++ b/backend/internal/features/backups/backups/backuping/cleaner_test.go
--- a/backend/internal/features/backups/backups/backuping/di.go
+++ b/backend/internal/features/backups/backups/backuping/di.go
@@ -25,24 +25,24 @@ var backupRepository = &backups_core.BackupRepository{}
 var taskCancelManager = tasks_cancellation.GetTaskCancelManager()

 var backupCleaner = &BackupCleaner{
-	backupRepository:      backupRepository,
-	storageService:        storages.GetStorageService(),
-	backupConfigService:   backups_config.GetBackupConfigService(),
-	fieldEncryptor:        encryption.GetFieldEncryptor(),
-	logger:                logger.GetLogger(),
-	backupRemoveListeners: []backups_core.BackupRemoveListener{},
-	runOnce:               sync.Once{},
-	hasRun:                atomic.Bool{},
+	backupRepository,
+	storages.GetStorageService(),
+	backups_config.GetBackupConfigService(),
+	encryption.GetFieldEncryptor(),
+	logger.GetLogger(),
+	[]backups_core.BackupRemoveListener{},
+	sync.Once{},
+	atomic.Bool{},
 }

 var backupNodesRegistry = &BackupNodesRegistry{
-	client:            cache_utils.GetValkeyClient(),
-	logger:            logger.GetLogger(),
-	timeout:           cache_utils.DefaultCacheTimeout,
-	pubsubBackups:     cache_utils.NewPubSubManager(),
-	pubsubCompletions: cache_utils.NewPubSubManager(),
-	runOnce:           sync.Once{},
-	hasRun:            atomic.Bool{},
+	cache_utils.GetValkeyClient(),
+	logger.GetLogger(),
+	cache_utils.DefaultCacheTimeout,
+	cache_utils.NewPubSubManager(),
+	cache_utils.NewPubSubManager(),
+	sync.Once{},
+	atomic.Bool{},
 }

 func getNodeID() uuid.UUID {
@@ -50,34 +50,35 @@ func getNodeID() uuid.UUID {
 }

 var backuperNode = &BackuperNode{
-	databaseService:     databases.GetDatabaseService(),
-	fieldEncryptor:      encryption.GetFieldEncryptor(),
-	workspaceService:    workspaces_services.GetWorkspaceService(),
-	backupRepository:    backupRepository,
-	backupConfigService: backups_config.GetBackupConfigService(),
-	storageService:      storages.GetStorageService(),
-	notificationSender:  notifiers.GetNotifierService(),
-	backupCancelManager: taskCancelManager,
-	backupNodesRegistry: backupNodesRegistry,
-	logger:              logger.GetLogger(),
-	createBackupUseCase: usecases.GetCreateBackupUsecase(),
-	nodeID:              getNodeID(),
-	lastHeartbeat:       time.Time{},
-	runOnce:             sync.Once{},
-	hasRun:              atomic.Bool{},
+	databases.GetDatabaseService(),
+	encryption.GetFieldEncryptor(),
+	workspaces_services.GetWorkspaceService(),
+	backupRepository,
+	backups_config.GetBackupConfigService(),
+	storages.GetStorageService(),
+	notifiers.GetNotifierService(),
+	taskCancelManager,
+	backupNodesRegistry,
+	logger.GetLogger(),
+	usecases.GetCreateBackupUsecase(),
+	getNodeID(),
+	time.Time{},
+	sync.Once{},
+	atomic.Bool{},
 }

 var backupsScheduler = &BackupsScheduler{
-	backupRepository:      backupRepository,
-	backupConfigService:   backups_config.GetBackupConfigService(),
-	taskCancelManager:     taskCancelManager,
-	backupNodesRegistry:   backupNodesRegistry,
-	lastBackupTime:        time.Now().UTC(),
-	logger:                logger.GetLogger(),
-	backupToNodeRelations: make(map[uuid.UUID]BackupToNodeRelation),
-	backuperNode:          backuperNode,
-	runOnce:               sync.Once{},
-	hasRun:                atomic.Bool{},
+	backupRepository,
+	backups_config.GetBackupConfigService(),
+	taskCancelManager,
+	backupNodesRegistry,
+	databases.GetDatabaseService(),
+	time.Now().UTC(),
+	logger.GetLogger(),
+	make(map[uuid.UUID]BackupToNodeRelation),
+	backuperNode,
+	sync.Once{},
+	atomic.Bool{},
 }

 func GetBackupsScheduler() *BackupsScheduler {
--- a/backend/internal/features/backups/backups/backuping/mocks.go
+++ b/backend/internal/features/backups/backups/backuping/mocks.go
@@ -6,14 +6,15 @@ import (
 	"sync/atomic"
 	"time"

+	"github.com/google/uuid"
+	"github.com/stretchr/testify/mock"
+
 	common "databasus-backend/internal/features/backups/backups/common"
+	backups_core "databasus-backend/internal/features/backups/backups/core"
 	backups_config "databasus-backend/internal/features/backups/config"
 	"databasus-backend/internal/features/databases"
 	"databasus-backend/internal/features/notifiers"
 	"databasus-backend/internal/features/storages"
-
-	"github.com/google/uuid"
-	"github.com/stretchr/testify/mock"
 )

 type MockNotificationSender struct {
@@ -32,7 +33,7 @@ type CreateFailedBackupUsecase struct{}

 func (uc *CreateFailedBackupUsecase) Execute(
 	ctx context.Context,
-	backupID uuid.UUID,
+	backup *backups_core.Backup,
 	backupConfig *backups_config.BackupConfig,
 	database *databases.Database,
 	storage *storages.Storage,
@@ -46,7 +47,7 @@ type CreateSuccessBackupUsecase struct{}

 func (uc *CreateSuccessBackupUsecase) Execute(
 	ctx context.Context,
-	backupID uuid.UUID,
+	backup *backups_core.Backup,
 	backupConfig *backups_config.BackupConfig,
 	database *databases.Database,
 	storage *storages.Storage,
@@ -65,7 +66,7 @@ type CreateLargeBackupUsecase struct{}

 func (uc *CreateLargeBackupUsecase) Execute(
 	ctx context.Context,
-	backupID uuid.UUID,
+	backup *backups_core.Backup,
 	backupConfig *backups_config.BackupConfig,
 	database *databases.Database,
 	storage *storages.Storage,
@@ -84,7 +85,7 @@ type CreateProgressiveBackupUsecase struct{}

 func (uc *CreateProgressiveBackupUsecase) Execute(
 	ctx context.Context,
-	backupID uuid.UUID,
+	backup *backups_core.Backup,
 	backupConfig *backups_config.BackupConfig,
 	database *databases.Database,
 	storage *storages.Storage,
@@ -124,7 +125,7 @@ type CreateMediumBackupUsecase struct{}

 func (uc *CreateMediumBackupUsecase) Execute(
 	ctx context.Context,
-	backupID uuid.UUID,
+	backup *backups_core.Backup,
 	backupConfig *backups_config.BackupConfig,
 	database *databases.Database,
 	storage *storages.Storage,
@@ -152,7 +153,7 @@ func NewMockTrackingBackupUsecase() *MockTrackingBackupUsecase {

 func (m *MockTrackingBackupUsecase) Execute(
 	ctx context.Context,
-	backupID uuid.UUID,
+	backup *backups_core.Backup,
 	backupConfig *backups_config.BackupConfig,
 	database *databases.Database,
 	storage *storages.Storage,
@@ -162,7 +163,7 @@ func (m *MockTrackingBackupUsecase) Execute(

 	// Send backup ID to channel (non-blocking)
 	select {
-	case m.calledBackupIDs <- backupID:
+	case m.calledBackupIDs <- backup.ID:
 	default:
 	}

--- a/backend/internal/features/backups/backups/backuping/registry.go
+++ b/backend/internal/features/backups/backups/backuping/registry.go
@@ -10,10 +10,10 @@ import (
 	"sync/atomic"
 	"time"

-	cache_utils "databasus-backend/internal/util/cache"
-
 	"github.com/google/uuid"
 	"github.com/valkey-io/valkey-go"
+
+	cache_utils "databasus-backend/internal/util/cache"
 )

 const (
@@ -415,7 +415,7 @@ func (r *BackupNodesRegistry) UnsubscribeNodeForBackupsAssignments() error {
 	return nil
 }

-func (r *BackupNodesRegistry) PublishBackupCompletion(nodeID uuid.UUID, backupID uuid.UUID) error {
+func (r *BackupNodesRegistry) PublishBackupCompletion(nodeID, backupID uuid.UUID) error {
 	ctx := context.Background()

 	message := BackupCompletionMessage{
@@ -437,7 +437,7 @@ func (r *BackupNodesRegistry) PublishBackupCompletion(nodeID uuid.UUID, backupID
 }

 func (r *BackupNodesRegistry) SubscribeForBackupsCompletions(
-	handler func(nodeID uuid.UUID, backupID uuid.UUID),
+	handler func(nodeID, backupID uuid.UUID),
 ) error {
 	ctx := context.Background()

--- a/backend/internal/features/backups/backups/backuping/registry_test.go
+++ b/backend/internal/features/backups/backups/backuping/registry_test.go
@@ -9,11 +9,11 @@ import (
 	"testing"
 	"time"

-	cache_utils "databasus-backend/internal/util/cache"
-	"databasus-backend/internal/util/logger"
-
 	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
+
+	cache_utils "databasus-backend/internal/util/cache"
+	"databasus-backend/internal/util/logger"
 )

 func Test_HearthbeatNodeInRegistry_RegistersNodeWithTTL(t *testing.T) {
@@ -903,7 +903,7 @@ func Test_SubscribeForBackupsCompletions_ReceivesCompletedBackups(t *testing.T)

 	receivedBackupID := make(chan uuid.UUID, 1)
 	receivedNodeID := make(chan uuid.UUID, 1)
-	handler := func(nodeID uuid.UUID, backupID uuid.UUID) {
+	handler := func(nodeID, backupID uuid.UUID) {
 		receivedNodeID <- nodeID
 		receivedBackupID <- backupID
 	}
@@ -940,7 +940,7 @@ func Test_SubscribeForBackupsCompletions_ParsesJsonCorrectly(t *testing.T) {
 	defer registry.UnsubscribeForBackupsCompletions()

 	receivedBackups := make(chan uuid.UUID, 2)
-	handler := func(nodeID uuid.UUID, backupID uuid.UUID) {
+	handler := func(nodeID, backupID uuid.UUID) {
 		receivedBackups <- backupID
 	}

@@ -969,7 +969,7 @@ func Test_SubscribeForBackupsCompletions_HandlesInvalidJson(t *testing.T) {
 	defer registry.UnsubscribeForBackupsCompletions()

 	receivedBackupID := make(chan uuid.UUID, 1)
-	handler := func(nodeID uuid.UUID, backupID uuid.UUID) {
+	handler := func(nodeID, backupID uuid.UUID) {
 		receivedBackupID <- backupID
 	}

@@ -997,7 +997,7 @@ func Test_UnsubscribeForBackupsCompletions_StopsReceivingMessages(t *testing.T)
 	backupID2 := uuid.New()

 	receivedBackupID := make(chan uuid.UUID, 2)
-	handler := func(nodeID uuid.UUID, backupID uuid.UUID) {
+	handler := func(nodeID, backupID uuid.UUID) {
 		receivedBackupID <- backupID
 	}

@@ -1032,7 +1032,7 @@ func Test_SubscribeForBackupsCompletions_WhenAlreadySubscribed_ReturnsError(t *t
 	registry := createTestRegistry()
 	defer registry.UnsubscribeForBackupsCompletions()

-	handler := func(nodeID uuid.UUID, backupID uuid.UUID) {}
+	handler := func(nodeID, backupID uuid.UUID) {}

 	err := registry.SubscribeForBackupsCompletions(handler)
 	assert.NoError(t, err)
@@ -1064,9 +1064,9 @@ func Test_MultipleSubscribers_EachReceivesCompletionMessages(t *testing.T) {
 	receivedBackups2 := make(chan uuid.UUID, 3)
 	receivedBackups3 := make(chan uuid.UUID, 3)

-	handler1 := func(nodeID uuid.UUID, backupID uuid.UUID) { receivedBackups1 <- backupID }
-	handler2 := func(nodeID uuid.UUID, backupID uuid.UUID) { receivedBackups2 <- backupID }
-	handler3 := func(nodeID uuid.UUID, backupID uuid.UUID) { receivedBackups3 <- backupID }
+	handler1 := func(nodeID, backupID uuid.UUID) { receivedBackups1 <- backupID }
+	handler2 := func(nodeID, backupID uuid.UUID) { receivedBackups2 <- backupID }
+	handler3 := func(nodeID, backupID uuid.UUID) { receivedBackups3 <- backupID }

 	err := registry1.SubscribeForBackupsCompletions(handler1)
 	assert.NoError(t, err)
--- a/backend/internal/features/backups/backups/backuping/scheduler.go
+++ b/backend/internal/features/backups/backups/backuping/scheduler.go
@@ -13,6 +13,7 @@ import (
 	"databasus-backend/internal/config"
 	backups_core "databasus-backend/internal/features/backups/backups/core"
 	backups_config "databasus-backend/internal/features/backups/config"
+	"databasus-backend/internal/features/databases"
 	task_cancellation "databasus-backend/internal/features/tasks/cancellation"
 )

@@ -27,6 +28,7 @@ type BackupsScheduler struct {
 	backupConfigService *backups_config.BackupConfigService
 	taskCancelManager   *task_cancellation.TaskCancelManager
 	backupNodesRegistry *BackupNodesRegistry
+	databaseService     *databases.DatabaseService

 	lastBackupTime time.Time
 	logger         *slog.Logger
@@ -103,28 +105,38 @@ func (s *BackupsScheduler) IsSchedulerRunning() bool {
 	return s.lastBackupTime.After(time.Now().UTC().Add(-schedulerHealthcheckThreshold))
 }

-func (s *BackupsScheduler) StartBackup(databaseID uuid.UUID, isCallNotifier bool) {
-	backupConfig, err := s.backupConfigService.GetBackupConfigByDbId(databaseID)
+func (s *BackupsScheduler) IsBackupNodesAvailable() bool {
+	nodes, err := s.backupNodesRegistry.GetAvailableNodes()
+	if err != nil {
+		s.logger.Error("Failed to get available nodes for health check", "error", err)
+		return false
+	}
+
+	return len(nodes) > 0
+}
+
+func (s *BackupsScheduler) StartBackup(database *databases.Database, isCallNotifier bool) {
+	backupConfig, err := s.backupConfigService.GetBackupConfigByDbId(database.ID)
 	if err != nil {
 		s.logger.Error("Failed to get backup config by database ID", "error", err)
 		return
 	}

 	if backupConfig.StorageID == nil {
-		s.logger.Error("Backup config storage ID is nil", "databaseId", databaseID)
+		s.logger.Error("Backup config storage ID is nil", "databaseId", database.ID)
 		return
 	}

 	// Check for existing in-progress backups
 	inProgressBackups, err := s.backupRepository.FindByDatabaseIdAndStatus(
-		databaseID,
+		database.ID,
 		backups_core.BackupStatusInProgress,
 	)
 	if err != nil {
 		s.logger.Error(
 			"Failed to check for in-progress backups",
 			"databaseId",
-			databaseID,
+			database.ID,
 			"error",
 			err,
 		)
@@ -135,7 +147,7 @@ func (s *BackupsScheduler) StartBackup(databaseID uuid.UUID, isCallNotifier bool
 		s.logger.Warn(
 			"Backup already in progress for database, skipping new backup",
 			"databaseId",
-			databaseID,
+			database.ID,
 			"existingBackupId",
 			inProgressBackups[0].ID,
 		)
@@ -154,15 +166,20 @@ func (s *BackupsScheduler) StartBackup(databaseID uuid.UUID, isCallNotifier bool
 		return
 	}

-	fmt.Println("make backup")
+	backupID := uuid.New()
+	timestamp := time.Now().UTC()
+
 	backup := &backups_core.Backup{
+		ID:           backupID,
 		DatabaseID:   backupConfig.DatabaseID,
 		StorageID:    *backupConfig.StorageID,
 		Status:       backups_core.BackupStatusInProgress,
 		BackupSizeMb: 0,
-		CreatedAt:    time.Now().UTC(),
+		CreatedAt:    timestamp,
 	}

+	backup.GenerateFilename(database.Name)
+
 	if err := s.backupRepository.Save(backup); err != nil {
 		s.logger.Error(
 			"Failed to save backup",
@@ -214,8 +231,8 @@ func (s *BackupsScheduler) StartBackup(databaseID uuid.UUID, isCallNotifier bool
 		s.backupToNodeRelations[*leastBusyNodeID] = relation
 	} else {
 		s.backupToNodeRelations[*leastBusyNodeID] = BackupToNodeRelation{
-			NodeID:     *leastBusyNodeID,
-			BackupsIDs: []uuid.UUID{backup.ID},
+			*leastBusyNodeID,
+			[]uuid.UUID{backup.ID},
 		}
 	}

@@ -319,7 +336,13 @@ func (s *BackupsScheduler) runPendingBackups() error {
 				backupConfig.BackupInterval.Interval,
 			)

-			s.StartBackup(backupConfig.DatabaseID, remainedBackupTryCount == 1)
+			database, err := s.databaseService.GetDatabaseByID(backupConfig.DatabaseID)
+			if err != nil {
+				s.logger.Error("Failed to get database by ID", "error", err)
+				continue
+			}
+
+			s.StartBackup(database, remainedBackupTryCount == 1)
 			continue
 		}
 	}
@@ -418,7 +441,7 @@ func (s *BackupsScheduler) calculateLeastBusyNode() (*uuid.UUID, error) {
 	return &bestNode.ID, nil
 }

-func (s *BackupsScheduler) onBackupCompleted(nodeID uuid.UUID, backupID uuid.UUID) {
+func (s *BackupsScheduler) onBackupCompleted(nodeID, backupID uuid.UUID) {
 	// Verify this task is actually a backup (registry contains multiple task types)
 	_, err := s.backupRepository.FindByID(backupID)
 	if err != nil {
--- a/backend/internal/features/backups/backups/backuping/scheduler_test.go
+++ b/backend/internal/features/backups/backups/backuping/scheduler_test.go
@@ -1,6 +1,12 @@
 package backuping

 import (
+	"testing"
+	"time"
+
+	"github.com/google/uuid"
+	"github.com/stretchr/testify/assert"
+
 	backups_core "databasus-backend/internal/features/backups/backups/core"
 	backups_config "databasus-backend/internal/features/backups/config"
 	"databasus-backend/internal/features/databases"
@@ -12,11 +18,6 @@ import (
 	workspaces_testing "databasus-backend/internal/features/workspaces/testing"
 	cache_utils "databasus-backend/internal/util/cache"
 	"databasus-backend/internal/util/period"
-	"testing"
-	"time"
-
-	"github.com/google/uuid"
-	"github.com/stretchr/testify/assert"
 )

 func Test_RunPendingBackups_WhenLastBackupWasYesterday_CreatesNewBackup(t *testing.T) {
@@ -57,7 +58,8 @@ func Test_RunPendingBackups_WhenLastBackupWasYesterday_CreatesNewBackup(t *testi
 		TimeOfDay: &timeOfDay,
 	}
 	backupConfig.IsBackupsEnabled = true
-	backupConfig.StorePeriod = period.PeriodWeek
+	backupConfig.RetentionPolicyType = backups_config.RetentionPolicyTypeTimePeriod
+	backupConfig.RetentionTimePeriod = period.PeriodWeek
 	backupConfig.Storage = storage
 	backupConfig.StorageID = &storage.ID

@@ -126,7 +128,8 @@ func Test_RunPendingBackups_WhenLastBackupWasRecentlyCompleted_SkipsBackup(t *te
 		TimeOfDay: &timeOfDay,
 	}
 	backupConfig.IsBackupsEnabled = true
-	backupConfig.StorePeriod = period.PeriodWeek
+	backupConfig.RetentionPolicyType = backups_config.RetentionPolicyTypeTimePeriod
+	backupConfig.RetentionTimePeriod = period.PeriodWeek
 	backupConfig.Storage = storage
 	backupConfig.StorageID = &storage.ID

@@ -194,7 +197,8 @@ func Test_RunPendingBackups_WhenLastBackupFailedAndRetriesDisabled_SkipsBackup(t
 		TimeOfDay: &timeOfDay,
 	}
 	backupConfig.IsBackupsEnabled = true
-	backupConfig.StorePeriod = period.PeriodWeek
+	backupConfig.RetentionPolicyType = backups_config.RetentionPolicyTypeTimePeriod
+	backupConfig.RetentionTimePeriod = period.PeriodWeek
 	backupConfig.Storage = storage
 	backupConfig.StorageID = &storage.ID
 	backupConfig.IsRetryIfFailed = false
@@ -266,7 +270,8 @@ func Test_RunPendingBackups_WhenLastBackupFailedAndRetriesEnabled_CreatesNewBack
 		TimeOfDay: &timeOfDay,
 	}
 	backupConfig.IsBackupsEnabled = true
-	backupConfig.StorePeriod = period.PeriodWeek
+	backupConfig.RetentionPolicyType = backups_config.RetentionPolicyTypeTimePeriod
+	backupConfig.RetentionTimePeriod = period.PeriodWeek
 	backupConfig.Storage = storage
 	backupConfig.StorageID = &storage.ID
 	backupConfig.IsRetryIfFailed = true
@@ -339,7 +344,8 @@ func Test_RunPendingBackups_WhenFailedBackupsExceedMaxRetries_SkipsBackup(t *tes
 		TimeOfDay: &timeOfDay,
 	}
 	backupConfig.IsBackupsEnabled = true
-	backupConfig.StorePeriod = period.PeriodWeek
+	backupConfig.RetentionPolicyType = backups_config.RetentionPolicyTypeTimePeriod
+	backupConfig.RetentionTimePeriod = period.PeriodWeek
 	backupConfig.Storage = storage
 	backupConfig.StorageID = &storage.ID
 	backupConfig.IsRetryIfFailed = true
@@ -410,7 +416,8 @@ func Test_RunPendingBackups_WhenBackupsDisabled_SkipsBackup(t *testing.T) {
 		TimeOfDay: &timeOfDay,
 	}
 	backupConfig.IsBackupsEnabled = false
-	backupConfig.StorePeriod = period.PeriodWeek
+	backupConfig.RetentionPolicyType = backups_config.RetentionPolicyTypeTimePeriod
+	backupConfig.RetentionTimePeriod = period.PeriodWeek
 	backupConfig.Storage = storage
 	backupConfig.StorageID = &storage.ID

@@ -479,7 +486,8 @@ func Test_CheckDeadNodesAndFailBackups_WhenNodeDies_FailsBackupAndCleansUpRegist
 		TimeOfDay: &timeOfDay,
 	}
 	backupConfig.IsBackupsEnabled = true
-	backupConfig.StorePeriod = period.PeriodWeek
+	backupConfig.RetentionPolicyType = backups_config.RetentionPolicyTypeTimePeriod
+	backupConfig.RetentionTimePeriod = period.PeriodWeek
 	backupConfig.Storage = storage
 	backupConfig.StorageID = &storage.ID

@@ -492,7 +500,7 @@ func Test_CheckDeadNodesAndFailBackups_WhenNodeDies_FailsBackupAndCleansUpRegist
 	assert.NoError(t, err)

 	// Scheduler assigns backup to mock node
-	GetBackupsScheduler().StartBackup(database.ID, false)
+	GetBackupsScheduler().StartBackup(database, false)
 	time.Sleep(100 * time.Millisecond)

 	backups, err := backupRepository.FindByDatabaseID(database.ID)
@@ -582,7 +590,8 @@ func Test_OnBackupCompleted_WhenTaskIsNotBackup_SkipsProcessing(t *testing.T) {
 		TimeOfDay: &timeOfDay,
 	}
 	backupConfig.IsBackupsEnabled = true
-	backupConfig.StorePeriod = period.PeriodWeek
+	backupConfig.RetentionPolicyType = backups_config.RetentionPolicyTypeTimePeriod
+	backupConfig.RetentionTimePeriod = period.PeriodWeek
 	backupConfig.Storage = storage
 	backupConfig.StorageID = &storage.ID

@@ -595,7 +604,7 @@ func Test_OnBackupCompleted_WhenTaskIsNotBackup_SkipsProcessing(t *testing.T) {
 	assert.NoError(t, err)

 	// Start a backup and assign it to the node
-	GetBackupsScheduler().StartBackup(database.ID, false)
+	GetBackupsScheduler().StartBackup(database, false)
 	time.Sleep(100 * time.Millisecond)

 	backups, err := backupRepository.FindByDatabaseID(database.ID)
@@ -759,7 +768,8 @@ func Test_FailBackupsInProgress_WhenSchedulerStarts_CancelsBackupsAndUpdatesStat
 		TimeOfDay: &timeOfDay,
 	}
 	backupConfig.IsBackupsEnabled = true
-	backupConfig.StorePeriod = period.PeriodWeek
+	backupConfig.RetentionPolicyType = backups_config.RetentionPolicyTypeTimePeriod
+	backupConfig.RetentionTimePeriod = period.PeriodWeek
 	backupConfig.Storage = storage
 	backupConfig.StorageID = &storage.ID

@@ -872,7 +882,8 @@ func Test_StartBackup_WhenBackupCompletes_DecrementsActiveTaskCount(t *testing.T
 		TimeOfDay: &timeOfDay,
 	}
 	backupConfig.IsBackupsEnabled = true
-	backupConfig.StorePeriod = period.PeriodWeek
+	backupConfig.RetentionPolicyType = backups_config.RetentionPolicyTypeTimePeriod
+	backupConfig.RetentionTimePeriod = period.PeriodWeek
 	backupConfig.Storage = storage
 	backupConfig.StorageID = &storage.ID

@@ -892,7 +903,7 @@ func Test_StartBackup_WhenBackupCompletes_DecrementsActiveTaskCount(t *testing.T
 	t.Logf("Initial active tasks: %d", initialActiveTasks)

 	// Start backup
-	scheduler.StartBackup(database.ID, false)
+	scheduler.StartBackup(database, false)

 	// Wait for backup to complete
 	WaitForBackupCompletion(t, database.ID, 0, 10*time.Second)
@@ -975,7 +986,8 @@ func Test_StartBackup_WhenBackupFails_DecrementsActiveTaskCount(t *testing.T) {
 		TimeOfDay: &timeOfDay,
 	}
 	backupConfig.IsBackupsEnabled = true
-	backupConfig.StorePeriod = period.PeriodWeek
+	backupConfig.RetentionPolicyType = backups_config.RetentionPolicyTypeTimePeriod
+	backupConfig.RetentionTimePeriod = period.PeriodWeek
 	backupConfig.Storage = storage
 	backupConfig.StorageID = &storage.ID

@@ -995,7 +1007,7 @@ func Test_StartBackup_WhenBackupFails_DecrementsActiveTaskCount(t *testing.T) {
 	t.Logf("Initial active tasks: %d", initialActiveTasks)

 	// Start backup
-	scheduler.StartBackup(database.ID, false)
+	scheduler.StartBackup(database, false)

 	// Wait for backup to fail
 	WaitForBackupCompletion(t, database.ID, 0, 10*time.Second)
@@ -1069,7 +1081,8 @@ func Test_StartBackup_WhenBackupAlreadyInProgress_SkipsNewBackup(t *testing.T) {
 		TimeOfDay: &timeOfDay,
 	}
 	backupConfig.IsBackupsEnabled = true
-	backupConfig.StorePeriod = period.PeriodWeek
+	backupConfig.RetentionPolicyType = backups_config.RetentionPolicyTypeTimePeriod
+	backupConfig.RetentionTimePeriod = period.PeriodWeek
 	backupConfig.Storage = storage
 	backupConfig.StorageID = &storage.ID

@@ -1088,7 +1101,7 @@ func Test_StartBackup_WhenBackupAlreadyInProgress_SkipsNewBackup(t *testing.T) {
 	assert.NoError(t, err)

 	// Try to start a new backup - should be skipped
-	GetBackupsScheduler().StartBackup(database.ID, false)
+	GetBackupsScheduler().StartBackup(database, false)

 	time.Sleep(200 * time.Millisecond)

@@ -1140,7 +1153,8 @@ func Test_RunPendingBackups_WhenLastBackupFailedWithIsSkipRetry_SkipsBackupEvenW
 		TimeOfDay: &timeOfDay,
 	}
 	backupConfig.IsBackupsEnabled = true
-	backupConfig.StorePeriod = period.PeriodWeek
+	backupConfig.RetentionPolicyType = backups_config.RetentionPolicyTypeTimePeriod
+	backupConfig.RetentionTimePeriod = period.PeriodWeek
 	backupConfig.Storage = storage
 	backupConfig.StorageID = &storage.ID
 	backupConfig.IsRetryIfFailed = true
@@ -1242,7 +1256,8 @@ func Test_StartBackup_When2BackupsStartedForDifferentDatabases_BothUseCasesAreCa
 		TimeOfDay: &timeOfDay,
 	}
 	backupConfig1.IsBackupsEnabled = true
-	backupConfig1.StorePeriod = period.PeriodWeek
+	backupConfig1.RetentionPolicyType = backups_config.RetentionPolicyTypeTimePeriod
+	backupConfig1.RetentionTimePeriod = period.PeriodWeek
 	backupConfig1.Storage = storage
 	backupConfig1.StorageID = &storage.ID

@@ -1259,7 +1274,8 @@ func Test_StartBackup_When2BackupsStartedForDifferentDatabases_BothUseCasesAreCa
 		TimeOfDay: &timeOfDay,
 	}
 	backupConfig2.IsBackupsEnabled = true
-	backupConfig2.StorePeriod = period.PeriodWeek
+	backupConfig2.RetentionPolicyType = backups_config.RetentionPolicyTypeTimePeriod
+	backupConfig2.RetentionTimePeriod = period.PeriodWeek
 	backupConfig2.Storage = storage
 	backupConfig2.StorageID = &storage.ID

@@ -1268,10 +1284,10 @@ func Test_StartBackup_When2BackupsStartedForDifferentDatabases_BothUseCasesAreCa

 	// Start 2 backups simultaneously
 	t.Log("Starting backup for database1")
-	scheduler.StartBackup(database1.ID, false)
+	scheduler.StartBackup(database1, false)

 	t.Log("Starting backup for database2")
-	scheduler.StartBackup(database2.ID, false)
+	scheduler.StartBackup(database2, false)

 	// Wait up to 10 seconds for both backups to complete
 	t.Log("Waiting for both backups to complete...")
--- a/backend/internal/features/backups/backups/backuping/testing.go
+++ b/backend/internal/features/backups/backups/backuping/testing.go
@@ -8,6 +8,9 @@ import (
 	"testing"
 	"time"

+	"github.com/gin-gonic/gin"
+	"github.com/google/uuid"
+
 	backups_core "databasus-backend/internal/features/backups/backups/core"
 	"databasus-backend/internal/features/backups/backups/usecases"
 	backups_config "databasus-backend/internal/features/backups/config"
@@ -19,9 +22,6 @@ import (
 	workspaces_testing "databasus-backend/internal/features/workspaces/testing"
 	"databasus-backend/internal/util/encryption"
 	"databasus-backend/internal/util/logger"
-
-	"github.com/gin-gonic/gin"
-	"github.com/google/uuid"
 )

 func CreateTestRouter() *gin.Engine {
--- a/backend/internal/features/backups/backups/common/dto.go
+++ b/backend/internal/features/backups/backups/common/dto.go
@@ -1,17 +1,38 @@
 package common

-import backups_config "databasus-backend/internal/features/backups/config"
+import (
+	"errors"

-type BackupType string
+	"github.com/google/uuid"

-const (
-	BackupTypeDefault   BackupType = "DEFAULT"   // For MySQL, MongoDB, PostgreSQL legacy (-Fc)
-	BackupTypeDirectory BackupType = "DIRECTORY" // PostgreSQL directory type (-Fd)
+	backups_config "databasus-backend/internal/features/backups/config"
 )

 type BackupMetadata struct {
-	EncryptionSalt *string
-	EncryptionIV   *string
-	Encryption     backups_config.BackupEncryption
-	Type           BackupType
+	BackupID       uuid.UUID                       `json:"backupId"`
+	EncryptionSalt *string                         `json:"encryptionSalt"`
+	EncryptionIV   *string                         `json:"encryptionIV"`
+	Encryption     backups_config.BackupEncryption `json:"encryption"`
+}
+
+func (m *BackupMetadata) Validate() error {
+	if m.BackupID == uuid.Nil {
+		return errors.New("backup ID is required")
+	}
+
+	if m.Encryption == "" {
+		return errors.New("encryption is required")
+	}
+
+	if m.Encryption == backups_config.BackupEncryptionEncrypted {
+		if m.EncryptionSalt == nil {
+			return errors.New("encryption salt is required when encryption is enabled")
+		}
+
+		if m.EncryptionIV == nil {
+			return errors.New("encryption IV is required when encryption is enabled")
+		}
+	}
+
+	return nil
 }
--- a/backend/internal/features/backups/backups/common/interfaces.go
+++ b/backend/internal/features/backups/backups/common/interfaces.go
@@ -7,6 +7,10 @@ type CountingWriter struct {
 	BytesWritten int64
 }

+func NewCountingWriter(writer io.Writer) *CountingWriter {
+	return &CountingWriter{Writer: writer}
+}
+
 func (cw *CountingWriter) Write(p []byte) (n int, err error) {
 	n, err = cw.Writer.Write(p)
 	cw.BytesWritten += int64(n)
@@ -16,7 +20,3 @@ func (cw *CountingWriter) Write(p []byte) (n int, err error) {
 func (cw *CountingWriter) GetBytesWritten() int64 {
 	return cw.BytesWritten
 }
-
-func NewCountingWriter(writer io.Writer) *CountingWriter {
-	return &CountingWriter{Writer: writer}
-}
--- a/backend/internal/features/backups/backups/controllers/controller.go
+++ b/backend/internal/features/backups/backups/controllers/controller.go
@@ -1,11 +1,8 @@
-package backups
+package backups_controllers

 import (
 	"context"
-	backups_core "databasus-backend/internal/features/backups/backups/core"
-	backups_download "databasus-backend/internal/features/backups/backups/download"
-	"databasus-backend/internal/features/databases"
-	users_middleware "databasus-backend/internal/features/users/middleware"
+	"errors"
 	"fmt"
 	"io"
 	"net/http"
@@ -13,10 +10,18 @@ import (

 	"github.com/gin-gonic/gin"
 	"github.com/google/uuid"
+
+	backups_core "databasus-backend/internal/features/backups/backups/core"
+	backups_download "databasus-backend/internal/features/backups/backups/download"
+	backups_dto "databasus-backend/internal/features/backups/backups/dto"
+	backups_services "databasus-backend/internal/features/backups/backups/services"
+	"databasus-backend/internal/features/databases"
+	users_middleware "databasus-backend/internal/features/users/middleware"
+	files_utils "databasus-backend/internal/util/files"
 )

 type BackupController struct {
-	backupService *BackupService
+	backupService *backups_services.BackupService
 }

 func (c *BackupController) RegisterRoutes(router *gin.RouterGroup) {
@@ -41,7 +46,7 @@ func (c *BackupController) RegisterPublicRoutes(router *gin.RouterGroup) {
 // @Param database_id query string true "Database ID"
 // @Param limit query int false "Number of items per page" default(10)
 // @Param offset query int false "Offset for pagination" default(0)
-// @Success 200 {object} GetBackupsResponse
+// @Success 200 {object} backups_dto.GetBackupsResponse
 // @Failure 400
 // @Failure 401
 // @Failure 500
@@ -53,7 +58,7 @@ func (c *BackupController) GetBackups(ctx *gin.Context) {
 		return
 	}

-	var request GetBackupsRequest
+	var request backups_dto.GetBackupsRequest
 	if err := ctx.ShouldBindQuery(&request); err != nil {
 		ctx.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
 		return
@@ -80,7 +85,7 @@ func (c *BackupController) GetBackups(ctx *gin.Context) {
 // @Tags backups
 // @Accept json
 // @Produce json
-// @Param request body MakeBackupRequest true "Backup creation data"
+// @Param request body backups_dto.MakeBackupRequest true "Backup creation data"
 // @Success 200 {object} map[string]string
 // @Failure 400
 // @Failure 401
@@ -93,7 +98,7 @@ func (c *BackupController) MakeBackup(ctx *gin.Context) {
 		return
 	}

-	var request MakeBackupRequest
+	var request backups_dto.MakeBackupRequest
 	if err := ctx.ShouldBindJSON(&request); err != nil {
 		ctx.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
 		return
@@ -194,7 +199,7 @@ func (c *BackupController) GenerateDownloadToken(ctx *gin.Context) {

 	response, err := c.backupService.GenerateDownloadToken(user, id)
 	if err != nil {
-		if err == backups_download.ErrDownloadAlreadyInProgress {
+		if errors.Is(err, backups_download.ErrDownloadAlreadyInProgress) {
 			ctx.JSON(
 				http.StatusConflict,
 				gin.H{
@@ -245,7 +250,7 @@ func (c *BackupController) GetFile(ctx *gin.Context) {

 	downloadToken, rateLimiter, err := c.backupService.ValidateDownloadToken(token)
 	if err != nil {
-		if err == backups_download.ErrDownloadAlreadyInProgress {
+		if errors.Is(err, backups_download.ErrDownloadAlreadyInProgress) {
 			ctx.JSON(
 				http.StatusConflict,
 				gin.H{
@@ -304,16 +309,11 @@ func (c *BackupController) GetFile(ctx *gin.Context) {
 	_, err = io.Copy(ctx.Writer, rateLimitedReader)
 	if err != nil {
 		fmt.Printf("Error streaming file: %v\n", err)
-		return
 	}

 	c.backupService.WriteAuditLogForDownload(downloadToken.UserID, backup, database)
 }

-type MakeBackupRequest struct {
-	DatabaseID uuid.UUID `json:"database_id" binding:"required"`
-}
-
 func (c *BackupController) generateBackupFilename(
 	backup *backups_core.Backup,
 	database *databases.Database,
@@ -322,7 +322,7 @@ func (c *BackupController) generateBackupFilename(
 	timestamp := backup.CreatedAt.Format("2006-01-02_15-04-05")

 	// Sanitize database name for filename (replace spaces and special chars)
-	safeName := sanitizeFilename(database.Name)
+	safeName := files_utils.SanitizeFilename(database.Name)

 	// Determine extension based on database type
 	extension := c.getBackupExtension(database.Type)
@@ -346,33 +346,6 @@ func (c *BackupController) getBackupExtension(
 	}
 }

-func sanitizeFilename(name string) string {
-	// Replace characters that are invalid in filenames
-	replacer := map[rune]rune{
-		' ':  '_',
-		'/':  '-',
-		'\\': '-',
-		':':  '-',
-		'*':  '-',
-		'?':  '-',
-		'"':  '-',
-		'<':  '-',
-		'>':  '-',
-		'|':  '-',
-	}
-
-	result := make([]rune, 0, len(name))
-	for _, char := range name {
-		if replacement, exists := replacer[char]; exists {
-			result = append(result, replacement)
-		} else {
-			result = append(result, char)
-		}
-	}
-
-	return string(result)
-}
-
 func (c *BackupController) startDownloadHeartbeat(ctx context.Context, userID uuid.UUID) {
 	ticker := time.NewTicker(backups_download.GetDownloadHeartbeatInterval())
 	defer ticker.Stop()
--- a/backend/internal/features/backups/backups/controllers/controller_test.go
+++ b/backend/internal/features/backups/backups/controllers/controller_test.go
@@ -1,4 +1,4 @@
-package backups
+package backups_controllers

 import (
 	"context"
@@ -7,6 +7,8 @@ import (
 	"io"
 	"log/slog"
 	"net/http"
+	"os"
+	"path/filepath"
 	"strconv"
 	"strings"
 	"testing"
@@ -18,13 +20,18 @@ import (

 	"databasus-backend/internal/config"
 	audit_logs "databasus-backend/internal/features/audit_logs"
+	"databasus-backend/internal/features/backups/backups/backuping"
+	backups_common "databasus-backend/internal/features/backups/backups/common"
 	backups_core "databasus-backend/internal/features/backups/backups/core"
 	backups_download "databasus-backend/internal/features/backups/backups/download"
+	backups_dto "databasus-backend/internal/features/backups/backups/dto"
+	backups_services "databasus-backend/internal/features/backups/backups/services"
 	backups_config "databasus-backend/internal/features/backups/config"
 	"databasus-backend/internal/features/databases"
 	"databasus-backend/internal/features/databases/databases/postgresql"
 	"databasus-backend/internal/features/storages"
 	local_storage "databasus-backend/internal/features/storages/models/local"
+	task_cancellation "databasus-backend/internal/features/tasks/cancellation"
 	users_dto "databasus-backend/internal/features/users/dto"
 	users_enums "databasus-backend/internal/features/users/enums"
 	users_services "databasus-backend/internal/features/users/services"
@@ -32,6 +39,7 @@ import (
 	workspaces_models "databasus-backend/internal/features/workspaces/models"
 	workspaces_testing "databasus-backend/internal/features/workspaces/testing"
 	"databasus-backend/internal/util/encryption"
+	files_utils "databasus-backend/internal/util/files"
 	test_utils "databasus-backend/internal/util/testing"
 	"databasus-backend/internal/util/tools"
 )
@@ -114,7 +122,7 @@ func Test_GetBackups_PermissionsEnforced(t *testing.T) {
 			)

 			if tt.expectSuccess {
-				var response GetBackupsResponse
+				var response backups_dto.GetBackupsResponse
 				err := json.Unmarshal(testResp.Body, &response)
 				assert.NoError(t, err)
 				assert.GreaterOrEqual(t, len(response.Backups), 1)
@@ -209,7 +217,7 @@ func Test_CreateBackup_PermissionsEnforced(t *testing.T) {
 				testUserToken = nonMember.Token
 			}

-			request := MakeBackupRequest{DatabaseID: database.ID}
+			request := backups_dto.MakeBackupRequest{DatabaseID: database.ID}
 			testResp := test_utils.MakePostRequest(
 				t,
 				router,
@@ -240,7 +248,7 @@ func Test_CreateBackup_AuditLogWritten(t *testing.T) {
 	database := createTestDatabase("Test Database", workspace.ID, owner.Token, router)
 	enableBackupForDatabase(database.ID)

-	request := MakeBackupRequest{DatabaseID: database.ID}
+	request := backups_dto.MakeBackupRequest{DatabaseID: database.ID}
 	test_utils.MakePostRequest(
 		t,
 		router,
@@ -368,7 +376,7 @@ func Test_DeleteBackup_PermissionsEnforced(t *testing.T) {
 				ownerUser, err := userService.GetUserFromToken(owner.Token)
 				assert.NoError(t, err)

-				response, err := GetBackupService().GetBackups(ownerUser, database.ID, 10, 0)
+				response, err := backups_services.GetBackupService().GetBackups(ownerUser, database.ID, 10, 0)
 				assert.NoError(t, err)
 				assert.Equal(t, 0, len(response.Backups))
 			}
@@ -956,7 +964,7 @@ func Test_SanitizeFilename(t *testing.T) {

 	for _, tt := range tests {
 		t.Run(tt.input, func(t *testing.T) {
-			result := sanitizeFilename(tt.input)
+			result := files_utils.SanitizeFilename(tt.input)
 			assert.Equal(t, tt.expected, result)
 		})
 	}
@@ -994,7 +1002,7 @@ func Test_CancelBackup_InProgressBackup_SuccessfullyCancelled(t *testing.T) {
 	assert.NoError(t, err)

 	// Register a cancellable context for the backup
-	GetBackupService().taskCancelManager.RegisterTask(backup.ID, func() {})
+	task_cancellation.GetTaskCancelManager().RegisterTask(backup.ID, func() {})

 	resp := test_utils.MakePostRequest(
 		t,
@@ -1086,7 +1094,7 @@ func Test_ConcurrentDownloadPrevention(t *testing.T) {

 	time.Sleep(50 * time.Millisecond)

-	service := GetBackupService()
+	service := backups_services.GetBackupService()
 	if !service.IsDownloadInProgress(owner.UserID) {
 		t.Log("Warning: First download completed before we could test concurrency")
 		<-downloadComplete
@@ -1187,7 +1195,7 @@ func Test_GenerateDownloadToken_BlockedWhenDownloadInProgress(t *testing.T) {

 	time.Sleep(50 * time.Millisecond)

-	service := GetBackupService()
+	service := backups_services.GetBackupService()
 	if !service.IsDownloadInProgress(owner.UserID) {
 		t.Log("Warning: First download completed before we could test token generation blocking")
 		<-downloadComplete
@@ -1244,6 +1252,86 @@ func Test_GenerateDownloadToken_BlockedWhenDownloadInProgress(t *testing.T) {
 	workspaces_testing.RemoveTestWorkspace(workspace, router)
 }

+func Test_MakeBackup_VerifyBackupAndMetadataFilesExistInStorage(t *testing.T) {
+	router := createTestRouter()
+	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
+	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
+
+	database, _, storage := createTestDatabaseWithBackups(workspace, owner, router)
+
+	backuperNode := backuping.CreateTestBackuperNode()
+	backuperCancel := backuping.StartBackuperNodeForTest(t, backuperNode)
+	defer backuping.StopBackuperNodeForTest(t, backuperCancel, backuperNode)
+
+	scheduler := backuping.CreateTestScheduler()
+	schedulerCancel := backuping.StartSchedulerForTest(t, scheduler)
+	defer schedulerCancel()
+
+	backupRepo := &backups_core.BackupRepository{}
+	initialBackups, err := backupRepo.FindByDatabaseID(database.ID)
+	assert.NoError(t, err)
+
+	request := backups_dto.MakeBackupRequest{DatabaseID: database.ID}
+	test_utils.MakePostRequest(
+		t,
+		router,
+		"/api/v1/backups",
+		"Bearer "+owner.Token,
+		request,
+		http.StatusOK,
+	)
+
+	backuping.WaitForBackupCompletion(t, database.ID, len(initialBackups), 30*time.Second)
+
+	backups, err := backupRepo.FindByDatabaseID(database.ID)
+	assert.NoError(t, err)
+	assert.Greater(t, len(backups), len(initialBackups))
+
+	backup := backups[0]
+	assert.Equal(t, backups_core.BackupStatusCompleted, backup.Status)
+
+	storageService := storages.GetStorageService()
+	backupStorage, err := storageService.GetStorageByID(backup.StorageID)
+	assert.NoError(t, err)
+
+	encryptor := encryption.GetFieldEncryptor()
+
+	backupFile, err := backupStorage.GetFile(encryptor, backup.FileName)
+	assert.NoError(t, err)
+	backupFile.Close()
+
+	metadataFile, err := backupStorage.GetFile(encryptor, backup.FileName+".metadata")
+	assert.NoError(t, err)
+
+	metadataContent, err := io.ReadAll(metadataFile)
+	assert.NoError(t, err)
+	metadataFile.Close()
+
+	var storageMetadata backups_common.BackupMetadata
+	err = json.Unmarshal(metadataContent, &storageMetadata)
+	assert.NoError(t, err)
+
+	assert.Equal(t, backup.ID, storageMetadata.BackupID)
+
+	if backup.EncryptionSalt != nil && storageMetadata.EncryptionSalt != nil {
+		assert.Equal(t, *backup.EncryptionSalt, *storageMetadata.EncryptionSalt)
+	}
+
+	if backup.EncryptionIV != nil && storageMetadata.EncryptionIV != nil {
+		assert.Equal(t, *backup.EncryptionIV, *storageMetadata.EncryptionIV)
+	}
+
+	assert.Equal(t, backup.Encryption, storageMetadata.Encryption)
+
+	err = backupRepo.DeleteByID(backup.ID)
+	assert.NoError(t, err)
+
+	databases.RemoveTestDatabase(database)
+	time.Sleep(50 * time.Millisecond)
+	storages.RemoveTestStorage(storage.ID)
+	workspaces_testing.RemoveTestWorkspace(workspace, router)
+}
+
 func createTestRouter() *gin.Engine {
 	return CreateTestRouter()
 }
@@ -1366,11 +1454,24 @@ func createTestBackup(
 		panic(err)
 	}

-	storages, err := storages.GetStorageService().GetStorages(user, *database.WorkspaceID)
-	if err != nil || len(storages) == 0 {
+	loadedStorages, err := storages.GetStorageService().GetStorages(user, *database.WorkspaceID)
+	if err != nil || len(loadedStorages) == 0 {
 		panic("No storage found for workspace")
 	}

+	// Filter out system storages
+	var nonSystemStorages []*storages.Storage
+	for _, storage := range loadedStorages {
+		if !storage.IsSystem {
+			nonSystemStorages = append(nonSystemStorages, storage)
+		}
+	}
+	if len(nonSystemStorages) == 0 {
+		panic("No non-system storage found for workspace")
+	}
+
+	storages := nonSystemStorages
+
 	backup := &backups_core.Backup{
 		ID:               uuid.New(),
 		DatabaseID:       database.ID,
@@ -1394,7 +1495,7 @@ func createTestBackup(
 		context.Background(),
 		encryption.GetFieldEncryptor(),
 		logger,
-		backup.ID,
+		backup.ID.String(),
 		reader,
 	); err != nil {
 		panic(fmt.Sprintf("Failed to create test backup file: %v", err))
@@ -1404,7 +1505,7 @@ func createTestBackup(
 }

 func createExpiredDownloadToken(backupID, userID uuid.UUID) string {
-	tokenService := GetBackupService().downloadTokenService
+	tokenService := backups_download.GetDownloadTokenService()
 	token, err := tokenService.Generate(backupID, userID)
 	if err != nil {
 		panic(fmt.Sprintf("Failed to generate download token: %v", err))
@@ -1707,3 +1808,84 @@ func Test_BandwidthThrottling_DynamicAdjustment(t *testing.T) {
 	storages.RemoveTestStorage(storage.ID)
 	workspaces_testing.RemoveTestWorkspace(workspace, router)
 }
+
+func Test_DeleteBackup_RemovesBackupAndMetadataFilesFromDisk(t *testing.T) {
+	router := createTestRouter()
+	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
+	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
+
+	database := createTestDatabase("Test Database", workspace.ID, owner.Token, router)
+	storage := createTestStorage(workspace.ID)
+
+	configService := backups_config.GetBackupConfigService()
+	backupConfig, err := configService.GetBackupConfigByDbId(database.ID)
+	assert.NoError(t, err)
+
+	backupConfig.IsBackupsEnabled = true
+	backupConfig.StorageID = &storage.ID
+	backupConfig.Storage = storage
+	_, err = configService.SaveBackupConfig(backupConfig)
+	assert.NoError(t, err)
+
+	defer func() {
+		databases.RemoveTestDatabase(database)
+		time.Sleep(50 * time.Millisecond)
+		storages.RemoveTestStorage(storage.ID)
+		workspaces_testing.RemoveTestWorkspace(workspace, router)
+	}()
+
+	backuperNode := backuping.CreateTestBackuperNode()
+	backuperCancel := backuping.StartBackuperNodeForTest(t, backuperNode)
+	defer backuping.StopBackuperNodeForTest(t, backuperCancel, backuperNode)
+
+	scheduler := backuping.CreateTestScheduler()
+	schedulerCancel := backuping.StartSchedulerForTest(t, scheduler)
+	defer schedulerCancel()
+
+	backupRepo := &backups_core.BackupRepository{}
+	initialBackups, err := backupRepo.FindByDatabaseID(database.ID)
+	assert.NoError(t, err)
+
+	request := backups_dto.MakeBackupRequest{DatabaseID: database.ID}
+	test_utils.MakePostRequest(
+		t,
+		router,
+		"/api/v1/backups",
+		"Bearer "+owner.Token,
+		request,
+		http.StatusOK,
+	)
+
+	backuping.WaitForBackupCompletion(t, database.ID, len(initialBackups), 30*time.Second)
+
+	backups, err := backupRepo.FindByDatabaseID(database.ID)
+	assert.NoError(t, err)
+	assert.Greater(t, len(backups), len(initialBackups))
+
+	backup := backups[0]
+	assert.Equal(t, backups_core.BackupStatusCompleted, backup.Status)
+
+	dataFolder := config.GetEnv().DataFolder
+	backupFilePath := filepath.Join(dataFolder, backup.FileName)
+	metadataFilePath := filepath.Join(dataFolder, backup.FileName+".metadata")
+
+	_, err = os.Stat(backupFilePath)
+	assert.NoError(t, err, "backup file should exist on disk before deletion")
+
+	_, err = os.Stat(metadataFilePath)
+	assert.NoError(t, err, "metadata file should exist on disk before deletion")
+
+	test_utils.MakeDeleteRequest(
+		t,
+		router,
+		fmt.Sprintf("/api/v1/backups/%s", backup.ID.String()),
+		"Bearer "+owner.Token,
+		http.StatusNoContent,
+	)
+
+	_, err = os.Stat(backupFilePath)
+	assert.True(t, os.IsNotExist(err), "backup file should be removed from disk after deletion")
+
+	_, err = os.Stat(metadataFilePath)
+	assert.True(t, os.IsNotExist(err), "metadata file should be removed from disk after deletion")
+}
--- a/backend/internal/features/backups/backups/controllers/di.go
+++ b/backend/internal/features/backups/backups/controllers/di.go
@@ -0,0 +1,23 @@
+package backups_controllers
+
+import (
+	backups_services "databasus-backend/internal/features/backups/backups/services"
+	"databasus-backend/internal/features/databases"
+)
+
+var backupController = &BackupController{
+	backups_services.GetBackupService(),
+}
+
+func GetBackupController() *BackupController {
+	return backupController
+}
+
+var postgresWalBackupController = &PostgreWalBackupController{
+	databases.GetDatabaseService(),
+	backups_services.GetWalService(),
+}
+
+func GetPostgresWalBackupController() *PostgreWalBackupController {
+	return postgresWalBackupController
+}
--- a/backend/internal/features/backups/backups/controllers/postgres_wal_controller.go
+++ b/backend/internal/features/backups/backups/controllers/postgres_wal_controller.go
@@ -0,0 +1,339 @@
+package backups_controllers
+
+import (
+	"io"
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+	"github.com/google/uuid"
+
+	backups_dto "databasus-backend/internal/features/backups/backups/dto"
+	backups_services "databasus-backend/internal/features/backups/backups/services"
+	"databasus-backend/internal/features/databases"
+)
+
+// PostgreWalBackupController handles WAL backup endpoints used by the databasus-cli agent.
+// Authentication is via a plain agent token in the Authorization header (no Bearer prefix).
+type PostgreWalBackupController struct {
+	databaseService *databases.DatabaseService
+	walService      *backups_services.PostgreWalBackupService
+}
+
+func (c *PostgreWalBackupController) RegisterRoutes(router *gin.RouterGroup) {
+	walRoutes := router.Group("/backups/postgres/wal")
+
+	walRoutes.GET("/next-full-backup-time", c.GetNextFullBackupTime)
+	walRoutes.GET("/is-wal-chain-valid-since-last-full-backup", c.IsWalChainValidSinceLastBackup)
+	walRoutes.POST("/error", c.ReportError)
+	walRoutes.POST("/upload/wal", c.UploadWalSegment)
+	walRoutes.POST("/upload/full-start", c.StartFullBackupUpload)
+	walRoutes.POST("/upload/full-complete", c.CompleteFullBackupUpload)
+	walRoutes.GET("/restore/plan", c.GetRestorePlan)
+	walRoutes.GET("/restore/download", c.DownloadBackupFile)
+}
+
+// GetNextFullBackupTime
+// @Summary Get next full backup time
+// @Description Returns the next scheduled full basebackup time for the authenticated database
+// @Tags backups-wal
+// @Produce json
+// @Security AgentToken
+// @Success 200 {object} backups_dto.GetNextFullBackupTimeResponse
+// @Failure 401 {object} map[string]string
+// @Failure 500 {object} map[string]string
+// @Router /backups/postgres/wal/next-full-backup-time [get]
+func (c *PostgreWalBackupController) GetNextFullBackupTime(ctx *gin.Context) {
+	database, err := c.getDatabase(ctx)
+	if err != nil {
+		ctx.JSON(http.StatusUnauthorized, gin.H{"error": "invalid agent token"})
+		return
+	}
+
+	response, err := c.walService.GetNextFullBackupTime(database)
+	if err != nil {
+		ctx.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+
+	ctx.JSON(http.StatusOK, response)
+}
+
+// ReportError
+// @Summary Report agent error
+// @Description Records a fatal error from the agent against the database record and marks it as errored
+// @Tags backups-wal
+// @Accept json
+// @Security AgentToken
+// @Param request body backups_dto.ReportErrorRequest true "Error details"
+// @Success 200
+// @Failure 400 {object} map[string]string
+// @Failure 401 {object} map[string]string
+// @Failure 500 {object} map[string]string
+// @Router /backups/postgres/wal/error [post]
+func (c *PostgreWalBackupController) ReportError(ctx *gin.Context) {
+	database, err := c.getDatabase(ctx)
+	if err != nil {
+		ctx.JSON(http.StatusUnauthorized, gin.H{"error": "invalid agent token"})
+		return
+	}
+
+	var request backups_dto.ReportErrorRequest
+	if err := ctx.ShouldBindJSON(&request); err != nil {
+		ctx.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+
+	if err := c.walService.ReportError(database, request.Error); err != nil {
+		ctx.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+
+	ctx.Status(http.StatusOK)
+}
+
+// IsWalChainValidSinceLastBackup
+// @Summary Check WAL chain validity since last full backup
+// @Description Checks whether the WAL chain is continuous since the last completed full backup.
+// Returns isValid=true if the chain is intact, or isValid=false with error details if not.
+// @Tags backups-wal
+// @Produce json
+// @Security AgentToken
+// @Success 200 {object} backups_dto.IsWalChainValidResponse
+// @Failure 401 {object} map[string]string
+// @Failure 500 {object} map[string]string
+// @Router /backups/postgres/wal/is-wal-chain-valid-since-last-full-backup [get]
+func (c *PostgreWalBackupController) IsWalChainValidSinceLastBackup(ctx *gin.Context) {
+	database, err := c.getDatabase(ctx)
+	if err != nil {
+		ctx.JSON(http.StatusUnauthorized, gin.H{"error": "invalid agent token"})
+		return
+	}
+
+	response, err := c.walService.IsWalChainValid(database)
+	if err != nil {
+		ctx.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+
+	ctx.JSON(http.StatusOK, response)
+}
+
+// UploadWalSegment
+// @Summary Stream upload a WAL segment
+// @Description Accepts a zstd-compressed WAL segment binary stream and stores it in the database's configured storage.
+// WAL segments are accepted unconditionally.
+// @Tags backups-wal
+// @Accept application/octet-stream
+// @Security AgentToken
+// @Param X-Wal-Segment-Name header string true "24-hex WAL segment identifier (e.g. 0000000100000001000000AB)"
+// @Success 204
+// @Failure 400 {object} map[string]string
+// @Failure 401 {object} map[string]string
+// @Failure 500 {object} map[string]string
+// @Router /backups/postgres/wal/upload/wal [post]
+func (c *PostgreWalBackupController) UploadWalSegment(ctx *gin.Context) {
+	database, err := c.getDatabase(ctx)
+	if err != nil {
+		ctx.JSON(http.StatusUnauthorized, gin.H{"error": "invalid agent token"})
+		return
+	}
+
+	walSegmentName := ctx.GetHeader("X-Wal-Segment-Name")
+	if walSegmentName == "" {
+		ctx.JSON(
+			http.StatusBadRequest,
+			gin.H{"error": "X-Wal-Segment-Name is required for wal uploads"},
+		)
+		return
+	}
+
+	uploadErr := c.walService.UploadWalSegment(
+		ctx.Request.Context(),
+		database,
+		walSegmentName,
+		ctx.Request.Body,
+	)
+
+	if uploadErr != nil {
+		ctx.JSON(http.StatusInternalServerError, gin.H{"error": uploadErr.Error()})
+		return
+	}
+
+	ctx.Status(http.StatusNoContent)
+}
+
+// StartFullBackupUpload
+// @Summary Stream upload a full basebackup (Phase 1)
+// @Description Accepts a zstd-compressed basebackup binary stream and stores it in the database's configured storage.
+// Returns a backupId that must be completed via /upload/full-complete with WAL segment names.
+// @Tags backups-wal
+// @Accept application/octet-stream
+// @Produce json
+// @Security AgentToken
+// @Success 200 {object} backups_dto.UploadBasebackupResponse
+// @Failure 401 {object} map[string]string
+// @Failure 500 {object} map[string]string
+// @Router /backups/postgres/wal/upload/full-start [post]
+func (c *PostgreWalBackupController) StartFullBackupUpload(ctx *gin.Context) {
+	database, err := c.getDatabase(ctx)
+	if err != nil {
+		ctx.JSON(http.StatusUnauthorized, gin.H{"error": "invalid agent token"})
+		return
+	}
+
+	backupID, uploadErr := c.walService.UploadBasebackup(
+		ctx.Request.Context(),
+		database,
+		ctx.Request.Body,
+	)
+
+	if uploadErr != nil {
+		ctx.JSON(http.StatusInternalServerError, gin.H{"error": uploadErr.Error()})
+		return
+	}
+
+	ctx.JSON(http.StatusOK, backups_dto.UploadBasebackupResponse{
+		BackupID: backupID,
+	})
+}
+
+// CompleteFullBackupUpload
+// @Summary Complete a previously uploaded basebackup (Phase 2)
+// @Description Sets WAL segment names and marks the basebackup as completed, or marks it as failed if an error is provided.
+// @Tags backups-wal
+// @Accept json
+// @Security AgentToken
+// @Param request body backups_dto.FinalizeBasebackupRequest true "Completion details"
+// @Success 200
+// @Failure 400 {object} map[string]string
+// @Failure 401 {object} map[string]string
+// @Failure 500 {object} map[string]string
+// @Router /backups/postgres/wal/upload/full-complete [post]
+func (c *PostgreWalBackupController) CompleteFullBackupUpload(ctx *gin.Context) {
+	database, err := c.getDatabase(ctx)
+	if err != nil {
+		ctx.JSON(http.StatusUnauthorized, gin.H{"error": "invalid agent token"})
+		return
+	}
+
+	var request backups_dto.FinalizeBasebackupRequest
+	if err := ctx.ShouldBindJSON(&request); err != nil {
+		ctx.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+
+	if request.Error == nil && (request.StartSegment == "" || request.StopSegment == "") {
+		ctx.JSON(
+			http.StatusBadRequest,
+			gin.H{"error": "startSegment and stopSegment are required when no error is provided"},
+		)
+		return
+	}
+
+	if err := c.walService.FinalizeBasebackup(
+		database,
+		request.BackupID,
+		request.StartSegment,
+		request.StopSegment,
+		request.Error,
+	); err != nil {
+		ctx.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+
+	ctx.Status(http.StatusOK)
+}
+
+// GetRestorePlan
+// @Summary Get restore plan
+// @Description Resolves the full backup and all required WAL segments needed for recovery. Validates the WAL chain is continuous.
+// @Tags backups-wal
+// @Produce json
+// @Security AgentToken
+// @Param backupId query string false "UUID of a specific full backup to restore from; defaults to the most recent"
+// @Success 200 {object} backups_dto.GetRestorePlanResponse
+// @Failure 400 {object} map[string]string "Broken WAL chain or no backups available"
+// @Failure 401 {object} map[string]string
+// @Failure 500 {object} map[string]string
+// @Router /backups/postgres/wal/restore/plan [get]
+func (c *PostgreWalBackupController) GetRestorePlan(ctx *gin.Context) {
+	database, err := c.getDatabase(ctx)
+	if err != nil {
+		ctx.JSON(http.StatusUnauthorized, gin.H{"error": "invalid agent token"})
+		return
+	}
+
+	var backupID *uuid.UUID
+	if raw := ctx.Query("backupId"); raw != "" {
+		parsed, parseErr := uuid.Parse(raw)
+		if parseErr != nil {
+			ctx.JSON(http.StatusBadRequest, gin.H{"error": "invalid backupId format"})
+			return
+		}
+
+		backupID = &parsed
+	}
+
+	response, planErr, err := c.walService.GetRestorePlan(database, backupID)
+	if err != nil {
+		ctx.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+
+	if planErr != nil {
+		ctx.JSON(http.StatusBadRequest, planErr)
+		return
+	}
+
+	ctx.JSON(http.StatusOK, response)
+}
+
+// DownloadBackupFile
+// @Summary Download a backup or WAL segment file for restore
+// @Description Retrieves the backup file by ID (validated against the authenticated database), decrypts it server-side if encrypted, and streams the zstd-compressed result to the agent
+// @Tags backups-wal
+// @Produce application/octet-stream
+// @Security AgentToken
+// @Param backupId query string true "Backup ID from the restore plan response"
+// @Success 200 {file} file
+// @Failure 400 {object} map[string]string
+// @Failure 401 {object} map[string]string
+// @Router /backups/postgres/wal/restore/download [get]
+func (c *PostgreWalBackupController) DownloadBackupFile(ctx *gin.Context) {
+	database, err := c.getDatabase(ctx)
+	if err != nil {
+		ctx.JSON(http.StatusUnauthorized, gin.H{"error": "invalid agent token"})
+		return
+	}
+
+	backupIDRaw := ctx.Query("backupId")
+	if backupIDRaw == "" {
+		ctx.JSON(http.StatusBadRequest, gin.H{"error": "backupId is required"})
+		return
+	}
+
+	backupID, err := uuid.Parse(backupIDRaw)
+	if err != nil {
+		ctx.JSON(http.StatusBadRequest, gin.H{"error": "invalid backupId format"})
+		return
+	}
+
+	reader, err := c.walService.DownloadBackupFile(database, backupID)
+	if err != nil {
+		ctx.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+	defer func() { _ = reader.Close() }()
+
+	ctx.Header("Content-Type", "application/octet-stream")
+	ctx.Status(http.StatusOK)
+
+	_, _ = io.Copy(ctx.Writer, reader)
+}
+
+func (c *PostgreWalBackupController) getDatabase(
+	ctx *gin.Context,
+) (*databases.Database, error) {
+	token := ctx.GetHeader("Authorization")
+	return c.databaseService.GetDatabaseByAgentToken(token)
+}
--- a/backend/internal/features/backups/backups/controllers/postgres_wal_controller_test.go
+++ b/backend/internal/features/backups/backups/controllers/postgres_wal_controller_test.go
--- a/backend/internal/features/backups/backups/controllers/testing.go
+++ b/backend/internal/features/backups/backups/controllers/testing.go
@@ -1,17 +1,17 @@
-package backups
+package backups_controllers

 import (
 	"testing"
 	"time"

+	"github.com/gin-gonic/gin"
+	"github.com/google/uuid"
+
 	backups_core "databasus-backend/internal/features/backups/backups/core"
 	backups_config "databasus-backend/internal/features/backups/config"
 	"databasus-backend/internal/features/databases"
 	workspaces_controllers "databasus-backend/internal/features/workspaces/controllers"
 	workspaces_testing "databasus-backend/internal/features/workspaces/testing"
-
-	"github.com/gin-gonic/gin"
-	"github.com/google/uuid"
 )

 func CreateTestRouter() *gin.Engine {
@@ -41,7 +41,7 @@ func WaitForBackupCompletion(
 	deadline := time.Now().UTC().Add(timeout)

 	for time.Now().UTC().Before(deadline) {
-		backups, err := backupRepository.FindByDatabaseID(databaseID)
+		backups, err := backups_core.GetBackupRepository().FindByDatabaseID(databaseID)
 		if err != nil {
 			t.Logf("WaitForBackupCompletion: error finding backups: %v", err)
 			time.Sleep(50 * time.Millisecond)
--- a/backend/internal/features/backups/backups/core/di.go
+++ b/backend/internal/features/backups/backups/core/di.go
@@ -0,0 +1,7 @@
+package backups_core
+
+var backupRepository = &BackupRepository{}
+
+func GetBackupRepository() *BackupRepository {
+	return backupRepository
+}
--- a/backend/internal/features/backups/backups/core/enums.go
+++ b/backend/internal/features/backups/backups/core/enums.go
@@ -8,3 +8,10 @@ const (
 	BackupStatusFailed     BackupStatus = "FAILED"
 	BackupStatusCanceled   BackupStatus = "CANCELED"
 )
+
+type PgWalUploadType string
+
+const (
+	PgWalUploadTypeBasebackup PgWalUploadType = "basebackup"
+	PgWalUploadTypeWal        PgWalUploadType = "wal"
+)
--- a/backend/internal/features/backups/backups/core/interfaces.go
+++ b/backend/internal/features/backups/backups/core/interfaces.go
@@ -8,8 +8,6 @@ import (
 	"databasus-backend/internal/features/databases"
 	"databasus-backend/internal/features/notifiers"
 	"databasus-backend/internal/features/storages"
-
-	"github.com/google/uuid"
 )

 type NotificationSender interface {
@@ -23,7 +21,7 @@ type NotificationSender interface {
 type CreateBackupUsecase interface {
 	Execute(
 		ctx context.Context,
-		backupID uuid.UUID,
+		backup *Backup,
 		backupConfig *backups_config.BackupConfig,
 		database *databases.Database,
 		storage *storages.Storage,
--- a/backend/internal/features/backups/backups/core/model.go
+++ b/backend/internal/features/backups/backups/core/model.go
@@ -1,14 +1,25 @@
 package backups_core

 import (
-	backups_config "databasus-backend/internal/features/backups/config"
+	"fmt"
 	"time"

 	"github.com/google/uuid"
+
+	backups_config "databasus-backend/internal/features/backups/config"
+	files_utils "databasus-backend/internal/util/files"
+)
+
+type PgWalBackupType string
+
+const (
+	PgWalBackupTypeFullBackup PgWalBackupType = "PG_FULL_BACKUP"
+	PgWalBackupTypeWalSegment PgWalBackupType = "PG_WAL_SEGMENT"
 )

 type Backup struct {
-	ID uuid.UUID `json:"id" gorm:"column:id;type:uuid;primaryKey"`
+	ID       uuid.UUID `json:"id"       gorm:"column:id;type:uuid;primaryKey"`
+	FileName string    `json:"fileName" gorm:"column:file_name;type:text;not null"`

 	DatabaseID uuid.UUID `json:"databaseId" gorm:"column:database_id;type:uuid;not null"`
 	StorageID  uuid.UUID `json:"storageId"  gorm:"column:storage_id;type:uuid;not null"`
@@ -25,5 +36,24 @@ type Backup struct {
 	EncryptionIV   *string                         `json:"-"          gorm:"column:encryption_iv"`
 	Encryption     backups_config.BackupEncryption `json:"encryption" gorm:"column:encryption;type:text;not null;default:'NONE'"`

-	CreatedAt time.Time `json:"createdAt" gorm:"column:created_at"`
+	// Postgres WAL backup specific fields
+	PgWalBackupType                 *PgWalBackupType `json:"pgWalBackupType"                 gorm:"column:pg_wal_backup_type;type:text"`
+	PgFullBackupWalStartSegmentName *string          `json:"pgFullBackupWalStartSegmentName" gorm:"column:pg_wal_start_segment;type:text"`
+	PgFullBackupWalStopSegmentName  *string          `json:"pgFullBackupWalStopSegmentName"  gorm:"column:pg_wal_stop_segment;type:text"`
+	PgVersion                       *string          `json:"pgVersion"                       gorm:"column:pg_version;type:text"`
+	PgWalSegmentName                *string          `json:"pgWalSegmentName"                gorm:"column:pg_wal_segment_name;type:text"`
+
+	UploadCompletedAt *time.Time `json:"uploadCompletedAt" gorm:"column:upload_completed_at"`
+	CreatedAt         time.Time  `json:"createdAt"         gorm:"column:created_at"`
+}
+
+func (b *Backup) GenerateFilename(dbName string) {
+	timestamp := time.Now().UTC()
+
+	b.FileName = fmt.Sprintf(
+		"%s-%s-%s",
+		files_utils.SanitizeFilename(dbName),
+		timestamp.Format("20060102-150405"),
+		b.ID.String(),
+	)
 }
--- a/backend/internal/features/backups/backups/core/repository.go
+++ b/backend/internal/features/backups/backups/core/repository.go
@@ -1,13 +1,13 @@
 package backups_core

 import (
-	"databasus-backend/internal/storage"
 	"errors"
-
 	"time"

 	"github.com/google/uuid"
 	"gorm.io/gorm"
+
+	"databasus-backend/internal/storage"
 )

 type BackupRepository struct{}
@@ -88,7 +88,7 @@ func (r *BackupRepository) FindLastByDatabaseID(databaseID uuid.UUID) (*Backup,
 		Where("database_id = ?", databaseID).
 		Order("created_at DESC").
 		First(&backup).Error; err != nil {
-		if err == gorm.ErrRecordNotFound {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
 			return nil, nil
 		}

@@ -245,3 +245,152 @@ func (r *BackupRepository) FindOldestByDatabaseExcludingInProgress(

 	return backups, nil
 }
+
+func (r *BackupRepository) FindCompletedFullWalBackupByID(
+	databaseID uuid.UUID,
+	backupID uuid.UUID,
+) (*Backup, error) {
+	var backup Backup
+
+	err := storage.
+		GetDb().
+		Where(
+			"database_id = ? AND id = ? AND pg_wal_backup_type = ? AND status = ?",
+			databaseID,
+			backupID,
+			PgWalBackupTypeFullBackup,
+			BackupStatusCompleted,
+		).
+		First(&backup).Error
+	if err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return nil, nil
+		}
+
+		return nil, err
+	}
+
+	return &backup, nil
+}
+
+func (r *BackupRepository) FindCompletedWalSegmentsAfter(
+	databaseID uuid.UUID,
+	afterSegmentName string,
+) ([]*Backup, error) {
+	var backups []*Backup
+
+	err := storage.
+		GetDb().
+		Where(
+			"database_id = ? AND pg_wal_backup_type = ? AND pg_wal_segment_name >= ? AND status = ?",
+			databaseID,
+			PgWalBackupTypeWalSegment,
+			afterSegmentName,
+			BackupStatusCompleted,
+		).
+		Order("pg_wal_segment_name ASC").
+		Find(&backups).Error
+	if err != nil {
+		return nil, err
+	}
+
+	return backups, nil
+}
+
+func (r *BackupRepository) FindLastCompletedFullWalBackupByDatabaseID(
+	databaseID uuid.UUID,
+) (*Backup, error) {
+	var backup Backup
+
+	err := storage.
+		GetDb().
+		Where(
+			"database_id = ? AND pg_wal_backup_type = ? AND status = ?",
+			databaseID,
+			PgWalBackupTypeFullBackup,
+			BackupStatusCompleted,
+		).
+		Order("created_at DESC").
+		First(&backup).Error
+	if err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return nil, nil
+		}
+
+		return nil, err
+	}
+
+	return &backup, nil
+}
+
+func (r *BackupRepository) FindWalSegmentByName(
+	databaseID uuid.UUID,
+	segmentName string,
+) (*Backup, error) {
+	var backup Backup
+
+	err := storage.
+		GetDb().
+		Where(
+			"database_id = ? AND pg_wal_backup_type = ? AND pg_wal_segment_name = ?",
+			databaseID,
+			PgWalBackupTypeWalSegment,
+			segmentName,
+		).
+		First(&backup).Error
+	if err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return nil, nil
+		}
+
+		return nil, err
+	}
+
+	return &backup, nil
+}
+
+func (r *BackupRepository) FindStaleUploadedBasebackups(olderThan time.Time) ([]*Backup, error) {
+	var backups []*Backup
+
+	err := storage.
+		GetDb().
+		Where(
+			"status = ? AND upload_completed_at IS NOT NULL AND upload_completed_at < ?",
+			BackupStatusInProgress,
+			olderThan,
+		).
+		Find(&backups).Error
+	if err != nil {
+		return nil, err
+	}
+
+	return backups, nil
+}
+
+func (r *BackupRepository) FindLastWalSegmentAfter(
+	databaseID uuid.UUID,
+	afterSegmentName string,
+) (*Backup, error) {
+	var backup Backup
+
+	err := storage.
+		GetDb().
+		Where(
+			"database_id = ? AND pg_wal_backup_type = ? AND pg_wal_segment_name > ? AND status = ?",
+			databaseID,
+			PgWalBackupTypeWalSegment,
+			afterSegmentName,
+			BackupStatusCompleted,
+		).
+		Order("pg_wal_segment_name DESC").
+		First(&backup).Error
+	if err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return nil, nil
+		}
+
+		return nil, err
+	}
+
+	return &backup, nil
+}
--- a/backend/internal/features/backups/backups/download/di.go
+++ b/backend/internal/features/backups/backups/download/di.go
@@ -13,9 +13,11 @@ var downloadTokenRepository = &DownloadTokenRepository{}

 var downloadTracker = NewDownloadTracker(cache_utils.GetValkeyClient())

-var bandwidthManager *BandwidthManager
-var downloadTokenService *DownloadTokenService
-var downloadTokenBackgroundService *DownloadTokenBackgroundService
+var (
+	bandwidthManager               *BandwidthManager
+	downloadTokenService           *DownloadTokenService
+	downloadTokenBackgroundService *DownloadTokenBackgroundService
+)

 func init() {
 	env := config.GetEnv()
--- a/backend/internal/features/backups/backups/download/rate_limiter.go
+++ b/backend/internal/features/backups/backups/download/rate_limiter.go
@@ -66,9 +66,7 @@ func (rl *RateLimiter) Wait(bytes int64) {
 		tokensNeeded := float64(bytes) - rl.availableTokens
 		waitTime := time.Duration(tokensNeeded/float64(rl.bytesPerSecond)*1000) * time.Millisecond

-		if waitTime < time.Millisecond {
-			waitTime = time.Millisecond
-		}
+		waitTime = max(waitTime, time.Millisecond)

 		rl.mu.Unlock()
 		time.Sleep(waitTime)
--- a/backend/internal/features/backups/backups/download/repository.go
+++ b/backend/internal/features/backups/backups/download/repository.go
@@ -2,12 +2,14 @@ package backups_download

 import (
 	"crypto/rand"
-	"databasus-backend/internal/storage"
 	"encoding/base64"
+	"errors"
 	"time"

 	"github.com/google/uuid"
 	"gorm.io/gorm"
+
+	"databasus-backend/internal/storage"
 )

 type DownloadTokenRepository struct{}
@@ -28,9 +30,8 @@ func (r *DownloadTokenRepository) FindByToken(token string) (*DownloadToken, err
 	err := storage.GetDb().
 		Where("token = ?", token).
 		First(&downloadToken).Error
-
 	if err != nil {
-		if err == gorm.ErrRecordNotFound {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
 			return nil, nil
 		}
 		return nil, err
--- a/backend/internal/features/backups/backups/download/tracking.go
+++ b/backend/internal/features/backups/backups/download/tracking.go
@@ -1,12 +1,13 @@
 package backups_download

 import (
-	cache_utils "databasus-backend/internal/util/cache"
 	"errors"
 	"time"

 	"github.com/google/uuid"
 	"github.com/valkey-io/valkey-go"
+
+	cache_utils "databasus-backend/internal/util/cache"
 )

 const (
@@ -16,9 +17,7 @@ const (
 	downloadHeartbeatDelay = 3 * time.Second
 )

-var (
-	ErrDownloadAlreadyInProgress = errors.New("download already in progress for this user")
-)
+var ErrDownloadAlreadyInProgress = errors.New("download already in progress for this user")

 type DownloadTracker struct {
 	cache *cache_utils.CacheUtil[string]
--- a/backend/internal/features/backups/backups/dto.go
+++ b/backend/internal/features/backups/backups/dto.go
@@ -1,29 +0,0 @@
-package backups
-
-import (
-	backups_core "databasus-backend/internal/features/backups/backups/core"
-	"databasus-backend/internal/features/backups/backups/encryption"
-	"io"
-)
-
-type GetBackupsRequest struct {
-	DatabaseID string `form:"database_id" binding:"required"`
-	Limit      int    `form:"limit"`
-	Offset     int    `form:"offset"`
-}
-
-type GetBackupsResponse struct {
-	Backups []*backups_core.Backup `json:"backups"`
-	Total   int64                  `json:"total"`
-	Limit   int                    `json:"limit"`
-	Offset  int                    `json:"offset"`
-}
-
-type DecryptionReaderCloser struct {
-	*encryption.DecryptionReader
-	BaseReader io.ReadCloser
-}
-
-func (r *DecryptionReaderCloser) Close() error {
-	return r.BaseReader.Close()
-}
--- a/backend/internal/features/backups/backups/dto/dto.go
+++ b/backend/internal/features/backups/backups/dto/dto.go
@@ -0,0 +1,90 @@
+package backups_dto
+
+import (
+	"io"
+	"time"
+
+	"github.com/google/uuid"
+
+	backups_core "databasus-backend/internal/features/backups/backups/core"
+	"databasus-backend/internal/features/backups/backups/encryption"
+)
+
+type GetBackupsRequest struct {
+	DatabaseID string `form:"database_id" binding:"required"`
+	Limit      int    `form:"limit"`
+	Offset     int    `form:"offset"`
+}
+
+type GetBackupsResponse struct {
+	Backups []*backups_core.Backup `json:"backups"`
+	Total   int64                  `json:"total"`
+	Limit   int                    `json:"limit"`
+	Offset  int                    `json:"offset"`
+}
+
+type DecryptionReaderCloser struct {
+	*encryption.DecryptionReader
+	BaseReader io.ReadCloser
+}
+
+func (r *DecryptionReaderCloser) Close() error {
+	return r.BaseReader.Close()
+}
+
+type MakeBackupRequest struct {
+	DatabaseID uuid.UUID `json:"database_id" binding:"required"`
+}
+
+type GetNextFullBackupTimeResponse struct {
+	NextFullBackupTime *time.Time `json:"nextFullBackupTime"`
+}
+
+type ReportErrorRequest struct {
+	Error string `json:"error" binding:"required"`
+}
+
+type IsWalChainValidResponse struct {
+	IsValid               bool   `json:"isValid"`
+	Error                 string `json:"error,omitempty"`
+	LastContiguousSegment string `json:"lastContiguousSegment,omitempty"`
+}
+
+type RestorePlanFullBackup struct {
+	BackupID                  uuid.UUID `json:"id"`
+	FullBackupWalStartSegment string    `json:"fullBackupWalStartSegment"`
+	FullBackupWalStopSegment  string    `json:"fullBackupWalStopSegment"`
+	PgVersion                 string    `json:"pgVersion"`
+	CreatedAt                 time.Time `json:"createdAt"`
+	SizeBytes                 int64     `json:"sizeBytes"`
+}
+
+type RestorePlanWalSegment struct {
+	BackupID    uuid.UUID `json:"backupId"`
+	SegmentName string    `json:"segmentName"`
+	SizeBytes   int64     `json:"sizeBytes"`
+}
+
+type GetRestorePlanErrorResponse struct {
+	Error                 string `json:"error"`
+	Message               string `json:"message"`
+	LastContiguousSegment string `json:"lastContiguousSegment,omitempty"`
+}
+
+type GetRestorePlanResponse struct {
+	FullBackup             RestorePlanFullBackup   `json:"fullBackup"`
+	WalSegments            []RestorePlanWalSegment `json:"walSegments"`
+	TotalSizeBytes         int64                   `json:"totalSizeBytes"`
+	LatestAvailableSegment string                  `json:"latestAvailableSegment"`
+}
+
+type UploadBasebackupResponse struct {
+	BackupID uuid.UUID `json:"backupId"`
+}
+
+type FinalizeBasebackupRequest struct {
+	BackupID     uuid.UUID `json:"backupId"     binding:"required"`
+	StartSegment string    `json:"startSegment"`
+	StopSegment  string    `json:"stopSegment"`
+	Error        *string   `json:"error"`
+}
--- a/backend/internal/features/backups/backups/encryption/decrypting_reader.go
+++ b/backend/internal/features/backups/backups/encryption/decrypting_reader.go
@@ -4,6 +4,7 @@ import (
 	"crypto/aes"
 	"crypto/cipher"
 	"encoding/binary"
+	"errors"
 	"fmt"
 	"io"

@@ -69,7 +70,7 @@ func NewDecryptionReader(
 func (r *DecryptionReader) Read(p []byte) (n int, err error) {
 	for len(r.buffer) < len(p) && !r.eof {
 		if err := r.readAndDecryptChunk(); err != nil {
-			if err == io.EOF {
+			if errors.Is(err, io.EOF) {
 				r.eof = true
 				break
 			}
--- a/backend/internal/features/backups/backups/encryption/setup.go
+++ b/backend/internal/features/backups/backups/encryption/setup.go
@@ -0,0 +1,45 @@
+package encryption
+
+import (
+	"encoding/base64"
+	"fmt"
+	"io"
+
+	"github.com/google/uuid"
+)
+
+// EncryptionSetup holds the result of setting up encryption for a backup stream.
+type EncryptionSetup struct {
+	Writer      *EncryptionWriter
+	SaltBase64  string
+	NonceBase64 string
+}
+
+// SetupEncryptionWriter generates salt/nonce, creates an EncryptionWriter, and
+// returns the base64-encoded salt and nonce for storage on the backup record.
+func SetupEncryptionWriter(
+	baseWriter io.Writer,
+	masterKey string,
+	backupID uuid.UUID,
+) (*EncryptionSetup, error) {
+	salt, err := GenerateSalt()
+	if err != nil {
+		return nil, fmt.Errorf("failed to generate salt: %w", err)
+	}
+
+	nonce, err := GenerateNonce()
+	if err != nil {
+		return nil, fmt.Errorf("failed to generate nonce: %w", err)
+	}
+
+	encWriter, err := NewEncryptionWriter(baseWriter, masterKey, backupID, salt, nonce)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create encryption writer: %w", err)
+	}
+
+	return &EncryptionSetup{
+		Writer:      encWriter,
+		SaltBase64:  base64.StdEncoding.EncodeToString(salt),
+		NonceBase64: base64.StdEncoding.EncodeToString(nonce),
+	}, nil
+}
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Rostislav Dugin	f0064b4be3	Merge pull request #448 from databasus/develop FIX (agent): Fix lock test	2026-03-17 16:41:47 +03:00
Rostislav Dugin	94505bab3f	FIX (agent): Fix lock test	2026-03-17 16:41:07 +03:00
Rostislav Dugin	9acf3cff09	Merge pull request #447 from databasus/develop Develop	2026-03-17 16:36:45 +03:00
Rostislav Dugin	0d7e147df6	FIX (wal): Allow to save error via /complete endpoint	2026-03-17 16:33:00 +03:00
Rostislav Dugin	1394b47570	FIX (agent): Fix linting issues	2026-03-17 14:55:16 +03:00
Rostislav Dugin	a9865ae3e4	Merge pull request #446 from databasus/develop Develop	2026-03-17 14:39:24 +03:00
Rostislav Dugin	4b5478e60a	FEATURE (upgrader): Add background upgrading of the agent	2026-03-17 14:38:32 +03:00
Rostislav Dugin	6355301903	FIX (agent): Respect API responses status code when retying	2026-03-16 22:13:47 +03:00
Rostislav Dugin	29b403a9c6	FIX (wal): Enforce streaming without RAM buffering over base backup	2026-03-16 21:53:40 +03:00
Rostislav Dugin	12606053f4	FEATURE (params): Rename WAL dir param	2026-03-16 17:50:09 +03:00
Rostislav Dugin	904b386378	FIX (logger): Limit logger to 5Mb	2026-03-16 17:31:37 +03:00
Rostislav Dugin	1d9738b808	FEATURE (agent): Make zstd compression 5 by default	2026-03-16 15:52:37 +03:00
Databasus	58b37f4c92	Merge pull request #443 from gogo199432/main feat(helm): add service annotations support	2026-03-16 15:47:26 +03:00
gordon	6c4f814c94	feat(helm): add service annotations support	2026-03-15 16:45:51 +01:00
Rostislav Dugin	bcd13c27d3	FIX (agent): Add lock file watcher to exit from process in case of lock file deletion	2026-03-15 18:04:03 +03:00
Rostislav Dugin	120f9600bf	FEATURE (agent): Add check for PG >= 15 for WAL	2026-03-15 17:48:13 +03:00
Rostislav Dugin	563c7c1d64	FEATURE (agent): Add running as daemon	2026-03-15 17:37:13 +03:00
Rostislav Dugin	68f15f7661	FEATURE (agent): Add WAL streaming	2026-03-15 14:04:54 +03:00
Rostislav Dugin	627d96a00d	FIX (backups): Do not validate chain on WAL uploading	2026-03-15 13:13:42 +03:00
Rostislav Dugin	02b9a9ec8d	FEATURE (agent): Add locking to ensure single running instance	2026-03-14 13:55:57 +03:00
Rostislav Dugin	415dda8752	Merge pull request #440 from databasus/develop FIX (local storage): Add fallback for file movement via renaming to s…	2026-03-14 13:38:39 +03:00
Rostislav Dugin	3faf85796a	FIX (local storage): Add fallback for file movement via renaming to support cross-device movement	2026-03-14 13:32:29 +03:00
Rostislav Dugin	edd2759f5a	Merge pull request #439 from databasus/develop FIX (ci \ cd): Add e2e agent docker-compose to repo	2026-03-14 13:17:03 +03:00
Rostislav Dugin	c283856f38	FIX (ci \ cd): Add e2e agent docker-compose to repo	2026-03-14 13:15:34 +03:00
Rostislav Dugin	6059e1a33b	Merge pull request #438 from databasus/develop FIX (ci \ cd): Exclude agent e2e from docker ignore	2026-03-14 13:11:53 +03:00
Rostislav Dugin	2deda2e7ea	FIX (ci \ cd): Exclude agent e2e from docker ignore	2026-03-14 13:11:27 +03:00
Rostislav Dugin	acf1143752	Merge pull request #437 from databasus/develop FIX (ci \ cd): Update e2e tests for agent to run on GitHub workers	2026-03-14 12:54:56 +03:00
Rostislav Dugin	889063a8b4	FIX (ci \ cd): Update e2e tests for agent to run on GitHub workers	2026-03-14 12:54:32 +03:00
Rostislav Dugin	a1e20e7b10	Merge pull request #436 from databasus/develop FIX (linting): Add E2E to linting	2026-03-14 12:48:23 +03:00
Rostislav Dugin	7e76945550	FIX (linting): Add E2E to linting	2026-03-14 12:47:43 +03:00
Rostislav Dugin	d98acfc4af	Merge pull request #435 from databasus/develop FEATURE (agent): Add postgres verification and e2e tests for agent	2026-03-14 12:43:51 +03:00
Rostislav Dugin	0ffc7c8c96	FEATURE (agent): Add postgres verification and e2e tests for agent	2026-03-14 12:43:13 +03:00
Rostislav Dugin	1b011bdcd4	Merge pull request #432 from databasus/develop Develop	2026-03-13 18:51:50 +03:00
Rostislav Dugin	7e209ff537	REFACTOR (linters): Apply linters fixes	2026-03-13 18:50:57 +03:00
Rostislav Dugin	f712e3a437	FEATURE (linters): Introduce more strict linters	2026-03-13 18:03:38 +03:00
Rostislav Dugin	bcd7d8e1aa	REFACTOR (formatters): Apply formatters auto fixes	2026-03-13 17:53:00 +03:00
Rostislav Dugin	880a7488e9	FEATURE (formatters): Add gofumpt and gci formatters	2026-03-13 17:50:07 +03:00
Rostislav Dugin	ca4d483f2c	REFACTOR (golines): Apply golines fixes	2026-03-13 17:47:46 +03:00
Rostislav Dugin	1b511410a6	FEATURE (formatters): Fix config of golines	2026-03-13 17:47:29 +03:00
Rostislav Dugin	c8edff8046	FEATURE (golangci-lint): Upgrade golangci-lint to 2.11.3 in CI \ CD	2026-03-13 17:41:14 +03:00
Rostislav Dugin	f60e3d956b	FEAUTRE (go): Upgrade Go version to 1.26.1	2026-03-13 17:37:39 +03:00
Rostislav Dugin	f2cb9022f2	FEATURE (agent): Setup agent directory, pre-commit and CI\CD workflow	2026-03-13 17:23:00 +03:00
Rostislav Dugin	4b3f36eea2	Merge pull request #429 from databasus/develop FIX (readme): Add info about Anthropic and Open AI support via OSS pr…	2026-03-12 09:38:01 +03:00
Rostislav Dugin	460063e7a5	FIX (readme): Add info about Anthropic and Open AI support via OSS programs	2026-03-12 09:34:42 +03:00
Rostislav Dugin	a0f02b253e	Merge pull request #427 from databasus/develop FIX (retention): Fix GFS retention while hourly backups prevent daily…	2026-03-11 15:36:27 +03:00
Rostislav Dugin	812f11bc2f	FIX (retention): Fix GFS retention while hourly backups prevent daily from cleanup	2026-03-11 15:35:53 +03:00
Rostislav Dugin	e796e3ddf0	Merge pull request #426 from databasus/develop FIX (mysql): Detect supported compression levels	2026-03-11 12:53:35 +03:00
Rostislav Dugin	c96d3db337	FIX (mysql): Detect supported compression levels	2026-03-11 12:52:41 +03:00
Rostislav Dugin	ed6c3a2034	Merge pull request #425 from databasus/develop Develop	2026-03-11 12:31:19 +03:00
Rostislav Dugin	05115047c3	FEATURE (version): Reload frontend if faced version mismatch with backend	2026-03-11 12:28:07 +03:00
Rostislav Dugin	446b96c6c0	FEATURE (arch): Add architecture to Databasus version in the bottom left of UI	2026-03-11 11:39:53 +03:00
Rostislav Dugin	36a0448da1	Merge pull request #420 from databasus/develop FEATURE (email): Add skipping TLS for email notifier	2026-03-08 22:53:45 +03:00
Rostislav Dugin	8e392cfeab	FEATURE (email): Add skipping TLS for email notifier	2026-03-08 22:48:28 +03:00
Rostislav Dugin	6683db1e52	Merge pull request #419 from databasus/develop FIX (issues): Add DB version to issues template	2026-03-08 22:22:52 +03:00
Rostislav Dugin	703b883936	FIX (issues): Add DB version to issues template	2026-03-08 22:22:26 +03:00
Rostislav Dugin	e818bcff82	Merge pull request #415 from databasus/develop Develop	2026-03-06 09:45:11 +03:00
Rostislav Dugin	b2f98f1332	FIX (mysql\mariadb): Increase max allowed packet size over restore for MySQL\MariaDB	2026-03-06 09:44:17 +03:00
Rostislav Dugin	230cc27ea6	FEATURE (backups): Add WAL API	2026-03-06 08:10:29 +03:00
Rostislav Dugin	cd197ff94b	Merge pull request #410 from databasus/develop FIX (readme): Update README	2026-03-01 10:43:47 +03:00
Rostislav Dugin	91f35a3e17	FIX (readme): Update README	2026-03-01 10:43:17 +03:00
Rostislav Dugin	30c2e2d156	Merge pull request #403 from databasus/develop FIX (smtp): Add SMTP from field to env variables	2026-02-25 22:23:08 +03:00
Rostislav Dugin	ef7c5b45e6	FIX (smtp): Add SMTP from field to env variables	2026-02-25 22:13:04 +03:00
Rostislav Dugin	920c98e229	Merge pull request #397 from databasus/develop FIX (migrations): Fix version of migrations tool goose	2026-02-22 23:43:55 +03:00
Rostislav Dugin	2a19a96aae	FIX (migrations): Fix version of migrations tool goose	2026-02-22 23:43:23 +03:00
Rostislav Dugin	75aa2108d9	Merge pull request #396 from databasus/develop FIX (email): Use current OS hostname instead of default localhost	2026-02-22 23:33:28 +03:00
Rostislav Dugin	0a0040839e	FIX (email): Use current OS hostname instead of default localhost	2026-02-22 23:31:25 +03:00
Rostislav Dugin	ff4f795ece	Merge pull request #394 from databasus/develop FIX (nas): Add NAS share validation	2026-02-22 16:05:38 +03:00
Rostislav Dugin	dc05502580	FIX (nas): Add NAS share validation	2026-02-22 15:56:30 +03:00
Rostislav Dugin	1ca38f5583	Merge pull request #390 from databasus/develop FEATURE (templates): Add PR template	2026-02-21 15:58:21 +03:00
Rostislav Dugin	40b3ff61c7	FEATURE (templates): Add PR template	2026-02-21 15:53:01 +03:00
Rostislav Dugin	e1b245a573	Merge pull request #389 from databasus/develop Develop	2026-02-21 14:57:56 +03:00
Rostislav Dugin	fdf29b71f2	FIX (mongodb): Fix direct connection string parsing	2026-02-21 14:56:48 +03:00
Rostislav Dugin	49da981c21	Merge pull request #388 from databasus/main Merge main into dev	2026-02-21 14:53:31 +03:00
Rostislav Dugin	9d611d3559	REFACTOR (mongodb): Refactor direct connection PR	2026-02-21 14:43:47 +03:00
ujstor	22cab53dab	feature/mongodb-directConnection (#377 ) FEATURE (mongodb): Add direct connection	2026-02-21 14:10:28 +03:00
Rostislav Dugin	d761c4156c	Merge pull request #385 from databasus/develop FIX (readme): Fix README typo	2026-02-20 17:17:45 +03:00
Rostislav Dugin	cbb8b82711	FIX (readme): Fix README typo	2026-02-20 17:01:44 +03:00
Rostislav Dugin	8e3d1e5bff	Merge pull request #384 from databasus/develop FIX (backups): Do not reload backups if request already in progress	2026-02-20 15:04:19 +03:00
Rostislav Dugin	349e7f0ee8	FIX (backups): Do not reload backups if request already in progress	2026-02-20 14:43:07 +03:00
Rostislav Dugin	3a274e135b	Merge pull request #383 from databasus/develop FEATURE (backups): Add GFS retention policy	2026-02-20 14:33:29 +03:00
Rostislav Dugin	61e937bc2a	FEATURE (backups): Add GFS retention policy	2026-02-20 14:31:56 +03:00
Rostislav Dugin	f67919fe1a	Merge pull request #374 from databasus/develop FIX (backups): Fix backup download and clean up	2026-02-18 12:53:10 +03:00
Rostislav Dugin	91ee5966d8	FIX (backups): Fix backup download and clean up	2026-02-18 12:52:35 +03:00
Rostislav Dugin	d77d7d69a3	Merge pull request #371 from databasus/develop FEATURE (backups): Add metadata alongsize with backup files itself to…	2026-02-17 19:54:53 +03:00
Rostislav Dugin	fc88b730d5	FEATURE (backups): Add metadata alongsize with backup files itself to make them recovarable without Databasus	2026-02-17 19:52:08 +03:00
Rostislav Dugin	1f1d80245f	Merge pull request #368 from databasus/develop FIX (restores): Increase restore timeout to 23 hours instead of 1 hour	2026-02-17 14:56:58 +03:00
Rostislav Dugin	16a29cf458	FIX (restores): Increase restore timeout to 23 hours instead of 1 hour	2026-02-17 14:56:25 +03:00
Rostislav Dugin	43e04500ac	Merge pull request #367 from databasus/develop FEATURE (backups): Add meaningful names for backups	2026-02-17 14:50:21 +03:00
Rostislav Dugin	cee3022f85	FEATURE (backups): Add meaningful names for backups	2026-02-17 14:49:33 +03:00
Rostislav Dugin	f46d92c480	Merge pull request #365 from databasus/develop FIX (audit logs): Get rid of IDs in audit logs and improve naming log…	2026-02-15 01:10:54 +03:00
Rostislav Dugin	10677238d7	FIX (audit logs): Get rid of IDs in audit logs and improve naming logging	2026-02-15 01:06:39 +03:00
Rostislav Dugin	2553203fcf	Merge pull request #363 from databasus/develop FIX (sign up): Return authorization token on sign up to avoid 2-step …	2026-02-15 00:09:00 +03:00
Rostislav Dugin	7b05bd8000	FIX (sign up): Return authorization token on sign up to avoid 2-step sign up	2026-02-15 00:08:01 +03:00
Rostislav Dugin	8d45728f73	Merge pull request #362 from databasus/develop FEATURE (auth): Add optional CloudFlare Turnstile for sign in \ sign …	2026-02-14 23:19:12 +03:00
Rostislav Dugin	c70ad82c95	FEATURE (auth): Add optional CloudFlare Turnstile for sign in \ sign up \ password reset	2026-02-14 23:11:36 +03:00
Rostislav Dugin	e4bc34d319	Merge pull request #361 from databasus/develop Develop	2026-02-13 16:57:25 +03:00
Rostislav Dugin	257ae85da7	FIX (postgres): Fix read-only issue when user cannot access tables and partitions created after user creation	2026-02-13 16:56:56 +03:00
Rostislav Dugin	b42c820bb2	FIX (mariadb): Fix events exclusion	2026-02-13 16:21:48 +03:00
Rostislav Dugin	da5c13fb11	Merge pull request #356 from databasus/develop FIX (mysql & mariadb): Fix creation of backups with exremely large SQ…	2026-02-10 22:40:06 +03:00
Rostislav Dugin	35180360e5	FIX (mysql & mariadb): Fix creation of backups with exremely large SQL statements to avoid OOM	2026-02-10 22:38:18 +03:00
Rostislav Dugin	e4f6cd7a5d	Merge pull request #349 from databasus/develop Develop	2026-02-09 16:42:00 +03:00
Rostislav Dugin	d7b8e6d56a	Merge branch 'develop' of https://github.com/databasus/databasus into develop	2026-02-09 16:40:46 +03:00
Rostislav Dugin	6016f23fb2	FEATURE (svr): Add SVR support	2026-02-09 16:39:51 +03:00
Rostislav Dugin	e7c4ee8f6f	Merge pull request #345 from databasus/develop Develop	2026-02-08 23:38:42 +03:00
Rostislav Dugin	a75702a01b	Merge pull request #342 from wuast94/patch-1 Add image source label to dockerfiles	2026-02-08 23:38:18 +03:00
Rostislav Dugin	81a21eb907	FEATURE (google drive): Change OAuth authorization flow to local address instead of databasus.com	2026-02-08 23:32:13 +03:00
Marc	33d6bf0147	Add image source label to dockerfiles To get changelogs shown with Renovate a docker container has to add the source label described in the OCI Image Format Specification. For reference: https://github.com/renovatebot/renovate/blob/main/lib/modules/datasource/docker/readme.md	2026-02-05 23:30:37 +01:00
Rostislav Dugin	6eb53bb07b	Merge pull request #341 from databasus/develop Develop	2026-02-06 00:25:30 +03:00
Rostislav Dugin	6ac04270b9	FEATURE (healthcheck): Add checking whether backup nodes available for primary node	2026-02-06 00:24:34 +03:00
Rostislav Dugin	b0510d7c21	FIX (logging): Add login to VictoriaLogs logger	2026-02-06 00:18:09 +03:00
Rostislav Dugin	dc5f271882	Merge pull request #339 from databasus/develop FIX (storages): Do not remove system storage on any workspace deletion	2026-02-05 01:32:46 +03:00
Rostislav Dugin	8f718771c9	FIX (storages): Do not remove system storage on any workspace deletion	2026-02-05 01:32:21 +03:00
Rostislav Dugin	d8eea05dca	Merge pull request #332 from databasus/develop FIX (script): Fix script creation in playground head x2	2026-02-02 20:46:35 +03:00
Rostislav Dugin	b2a94274d7	FIX (script): Fix script creation in playground head x2	2026-02-02 20:44:52 +03:00
Rostislav Dugin	77c2712ebb	Merge pull request #331 from databasus/develop FIX (script): Fix script creation in playground head	2026-02-02 19:47:44 +03:00
Rostislav Dugin	a9dc29f82c	FIX (script): Fix script creation in playground head	2026-02-02 19:47:15 +03:00
Rostislav Dugin	c934a45dca	Merge pull request #330 from databasus/develop FIX (storages): Fix storage edit in playground	2026-02-02 18:51:47 +03:00
Rostislav Dugin	d4acdf2826	FIX (storages): Fix storage edit in playground	2026-02-02 18:48:19 +03:00
Rostislav Dugin	49753c4fc0	Merge pull request #329 from databasus/develop FIX (s3): Fix S3 prefill in playground on form edit	2026-02-02 18:14:07 +03:00
Rostislav Dugin	c6aed6b36d	FIX (s3): Fix S3 prefill in playground on form edit	2026-02-02 18:12:44 +03:00
Rostislav Dugin	3060b4266a	Merge pull request #328 from databasus/develop Develop	2026-02-02 17:53:05 +03:00
Rostislav Dugin	ebeb597f17	FEATURE (playground): Add support of Rybbit script for playground	2026-02-02 17:50:31 +03:00
Rostislav Dugin	4783784325	FIX (playground): Do not show whitelist message in playground	2026-02-02 16:53:01 +03:00
Rostislav Dugin	bd41433bdb	Merge branch 'develop' of https://github.com/databasus/databasus into develop	2026-02-02 16:50:18 +03:00
Rostislav Dugin	a9073787d2	FIX (audit logs): In dark mode show white text in audit logs	2026-02-02 16:44:49 +03:00
Rostislav Dugin	0890bf8f09	Merge pull request #327 from artemkalugin01/access-management-href-fix Fix href in settings for access-management#global-settings	2026-02-02 16:12:25 +03:00
artem.kalugin	f8c11e8802	Fix href typo in settings for access-management#global-settings	2026-02-02 12:59:56 +03:00
Rostislav Dugin	e798d82fc1	Merge pull request #325 from databasus/develop FIX (storages): Fix default storage type prefill in playground	2026-02-01 20:12:12 +03:00
Rostislav Dugin	81a01585ee	FIX (storages): Fix default storage type prefill in playground	2026-02-01 20:07:12 +03:00
Rostislav Dugin	a8465c1a10	Merge pull request #324 from databasus/develop FIX (storages): Limit local storage usage in playground	2026-02-01 19:20:34 +03:00
Rostislav Dugin	a9e5db70f6	FIX (storages): Limit local storage usage in playground	2026-02-01 19:18:54 +03:00