P2-05: forget command with retention policy

End-to-end forget plumbing — operator can create a forget schedule
with keep-* values, agent runs restic forget --keep-* … on the
schedule's cron (or via per-row Run-now), snapshot list shrinks,
UI updates.

* api.CommandRunPayload gains retention_policy json.RawMessage so
  the agent doesn't need a typed copy of the server-side struct.
* restic.ForgetPolicy mirrors restic's --keep-* flags. Empty()
  reports zero dimensions; restic wrapper RunForget refuses to
  run an empty policy (would delete every snapshot). Does NOT
  pass --prune — pruning lives behind a separate admin-only
  credential (P2-06); forget just rewrites the snapshot index.
* runner.RunForget mirrors RunBackup's envelope shape so the
  live log viewer works without special-casing. On success
  triggers reportSnapshots (forget shrinks the index, the host's
  snapshot count almost certainly changed).
* cmd/agent dispatcher handles MsgCommandRun with kind=forget,
  decodes RetentionPolicy from the wire, builds restic.ForgetPolicy.
* Server dispatchScheduleNow marshals the schedule's
  RetentionPolicy into the wire payload for kind=forget jobs.
  Refuses to dispatch a forget schedule with empty retention.
* validateSchedule rejects kind=forget without at least one keep-*
  dimension (new error code: missing_retention).
* UI schedule edit form gains a Kind dropdown (backup or forget;
  immutable on edit). Paths block toggles by kind via inline
  data-kind attributes. Form help-text explains the prune
  separation.

Other kinds (prune, check, unlock) deferred to P2-06..08; the
Kind dropdown only offers backup and forget today.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

cmd/agent/main.go

@@ -2,6 +2,7 @@ package main
 
 import (
 	"context"
+	"encoding/json"
 	"errors"
 	"flag"
 	"fmt"
@@ -279,6 +280,34 @@ func (d *dispatcher) runJob(ctx context.Context, p api.CommandRunPayload, tx wsc
 			}
 			slog.Info("agent: init job complete", "job_id", p.JobID)
 		}()
+	case api.JobForget:
+		var policy restic.ForgetPolicy
+		if len(p.RetentionPolicy) > 0 {
+			var raw struct {
+				KeepLast    *int `json:"keep_last,omitempty"`
+				KeepHourly  *int `json:"keep_hourly,omitempty"`
+				KeepDaily   *int `json:"keep_daily,omitempty"`
+				KeepWeekly  *int `json:"keep_weekly,omitempty"`
+				KeepMonthly *int `json:"keep_monthly,omitempty"`
+				KeepYearly  *int `json:"keep_yearly,omitempty"`
+			}
+			if err := json.Unmarshal(p.RetentionPolicy, &raw); err != nil {
+				return fmt.Errorf("forget: decode retention_policy: %w", err)
+			}
+			policy = restic.ForgetPolicy{
+				KeepLast: raw.KeepLast, KeepHourly: raw.KeepHourly,
+				KeepDaily: raw.KeepDaily, KeepWeekly: raw.KeepWeekly,
+				KeepMonthly: raw.KeepMonthly, KeepYearly: raw.KeepYearly,
+			}
+		}
+		slog.Info("agent: accepting forget job", "job_id", p.JobID, "policy", p.RetentionPolicy)
+		go func() {
+			if err := r.RunForget(ctx, p.JobID, policy); err != nil {
+				slog.Warn("agent: forget job failed", "job_id", p.JobID, "err", err)
+				return
+			}
+			slog.Info("agent: forget job complete", "job_id", p.JobID)
+		}()
 	default:
 		return fmt.Errorf("kind %q not implemented yet (Phase 2 lands the rest)", p.Kind)
 	}

internal/agent/runner/runner.go

@@ -205,6 +205,75 @@ func (r *Runner) RunInit(ctx context.Context, jobID string) error {
 	return nil
 }
 
+// RunForget executes a forget job against the configured repo with
+// the given retention policy. Same envelope shape as RunBackup so
+// the live log viewer + job lifecycle work without special-casing.
+// On success refreshes the snapshot projection (forget rewrites the
+// snapshot index — the host's snapshot list shrinks).
+func (r *Runner) RunForget(ctx context.Context, jobID string, policy restic.ForgetPolicy) error {
+	startedAt := time.Now().UTC()
+	startEnv, _ := api.Marshal(api.MsgJobStarted, jobID, api.JobStartedPayload{
+		JobID: jobID, Kind: api.JobForget, StartedAt: startedAt,
+	})
+	if err := r.tx.Send(startEnv); err != nil {
+		slog.Warn("runner: send job.started (forget)", "err", err)
+	}
+
+	env := restic.Env{
+		Bin:          r.cfg.ResticBin,
+		RepoURL:      r.cfg.RepoURL,
+		RepoUsername: r.cfg.RepoUsername,
+		RepoPassword: r.cfg.RepoPassword,
+	}
+
+	var seq atomic.Int64
+	handle := func(stream string, line string, _ any) {
+		now := time.Now().UTC()
+		logEnv, _ := api.Marshal(api.MsgLogStream, "", api.LogStreamLine{
+			JobID:   jobID,
+			Seq:     seq.Add(1),
+			TS:      now,
+			Stream:  api.LogStream(stream),
+			Payload: line,
+		})
+		_ = r.tx.Send(logEnv)
+	}
+
+	err := env.RunForget(ctx, policy, handle)
+	finishedAt := time.Now().UTC()
+
+	status := api.JobSucceeded
+	exit := 0
+	errMsg := ""
+	if err != nil {
+		status = api.JobFailed
+		exit = -1
+		errMsg = err.Error()
+	}
+	finEnv, _ := api.Marshal(api.MsgJobFinished, jobID, api.JobFinishedPayload{
+		JobID:      jobID,
+		Status:     status,
+		ExitCode:   exit,
+		FinishedAt: finishedAt,
+		Error:      errMsg,
+	})
+	_ = r.tx.Send(finEnv)
+
+	// Refresh the server's snapshot projection — forget rewrites the
+	// index so the host's snapshot list almost certainly shrunk.
+	if err == nil {
+		if rerr := r.reportSnapshots(ctx, env); rerr != nil {
+			slog.Warn("runner: snapshots.report after forget failed",
+				"job_id", jobID, "err", rerr)
+		}
+	}
+
+	if err != nil {
+		return fmt.Errorf("runner forget: %w", err)
+	}
+	return nil
+}
+
 // reportSnapshots calls `restic snapshots --json`, translates the
 // payload into the wire shape, and ships it as a snapshots.report
 // envelope. Bounded by a separate timeout so a sluggish repo doesn't

internal/api/messages.go

@@ -66,10 +66,14 @@ const (
 )
 
 // CommandRunPayload is the server → agent dispatch for a run-now job.
+// RetentionPolicy is populated for kind=forget jobs (raw JSON so the
+// agent doesn't need to share the typed struct definition with the
+// server's store package).
 type CommandRunPayload struct {
-	JobID string   `json:"job_id"`
+	JobID           string          `json:"job_id"`
-	Kind  JobKind  `json:"kind"`
+	Kind            JobKind         `json:"kind"`
-	Args  []string `json:"args,omitempty"`
+	Args            []string        `json:"args,omitempty"`
+	RetentionPolicy json.RawMessage `json:"retention_policy,omitempty"`
 }
 
 // CommandCancelPayload is the server → agent cancel signal.

internal/restic/runner.go

@@ -148,6 +148,88 @@ func (e Env) RunBackup(ctx context.Context, paths, excludes, tags []string, hand
 	return summary, nil
 }
 
+// ForgetPolicy mirrors restic forget's --keep-* flags. All optional;
+// nil/zero means "don't pass that flag." Caller passes whatever the
+// schedule's RetentionPolicy carries.
+type ForgetPolicy struct {
+	KeepLast    *int
+	KeepHourly  *int
+	KeepDaily   *int
+	KeepWeekly  *int
+	KeepMonthly *int
+	KeepYearly  *int
+}
+
+// args returns the --keep-* CLI flags this policy translates into.
+// Empty slice if the policy is empty (caller should reject before
+// calling RunForget — restic refuses to forget without any keep-*).
+func (p ForgetPolicy) args() []string {
+	out := []string{}
+	add := func(flag string, v *int) {
+		if v != nil {
+			out = append(out, flag, fmt.Sprintf("%d", *v))
+		}
+	}
+	add("--keep-last", p.KeepLast)
+	add("--keep-hourly", p.KeepHourly)
+	add("--keep-daily", p.KeepDaily)
+	add("--keep-weekly", p.KeepWeekly)
+	add("--keep-monthly", p.KeepMonthly)
+	add("--keep-yearly", p.KeepYearly)
+	return out
+}
+
+// Empty reports whether no retention dimensions are set. restic
+// forget refuses to run without at least one keep-* flag (it would
+// delete every snapshot), so the agent rejects empty policies before
+// invoking restic.
+func (p ForgetPolicy) Empty() bool {
+	return p.KeepLast == nil && p.KeepHourly == nil &&
+		p.KeepDaily == nil && p.KeepWeekly == nil &&
+		p.KeepMonthly == nil && p.KeepYearly == nil
+}
+
+// RunForget executes `restic forget --keep-* … --json` against the
+// configured repo. Does NOT pass --prune — pruning lives behind a
+// separate, admin-only credential (see spec §4.3 / P2-06). Restic
+// just rewrites the snapshot index; the actual data deletion waits
+// for the next prune. Returns nil on a clean exit.
+func (e Env) RunForget(ctx context.Context, policy ForgetPolicy, handle LineHandler) error {
+	if policy.Empty() {
+		return fmt.Errorf("restic forget: refusing to run with empty retention policy (would delete every snapshot)")
+	}
+	args := append([]string{"forget", "--json"}, policy.args()...)
+	cmd := exec.CommandContext(ctx, e.Bin, args...)
+	cmd.Env = e.envSlice()
+	cmd.Dir = e.WorkDir
+
+	stdout, err := cmd.StdoutPipe()
+	if err != nil {
+		return fmt.Errorf("restic forget: stdout pipe: %w", err)
+	}
+	stderr, err := cmd.StderrPipe()
+	if err != nil {
+		return fmt.Errorf("restic forget: stderr pipe: %w", err)
+	}
+
+	if err := cmd.Start(); err != nil {
+		return fmt.Errorf("restic forget: start: %w", err)
+	}
+
+	done := make(chan error, 2)
+	go func() { done <- pumpPlain(stdout, "stdout", handle) }()
+	go func() { done <- pumpPlain(stderr, "stderr", handle) }()
+	for i := 0; i < 2; i++ {
+		if err := <-done; err != nil && handle != nil {
+			handle("event", fmt.Sprintf("pump error: %v", err), nil)
+		}
+	}
+	if werr := cmd.Wait(); werr != nil {
+		return fmt.Errorf("restic forget: %w", werr)
+	}
+	return nil
+}
+
 // RunInit executes `restic init` against the configured repo. Returns
 // nil on success. Restic init's output is small and not JSON-rich;
 // we tee stdout/stderr verbatim through handle so the operator sees

internal/server/http/schedule_push.go

@@ -187,6 +187,21 @@ func (s *Server) dispatchScheduleNow(ctx context.Context, hostID, scheduleID str
 		args = append(args, sched.Paths...)
 	}
 
+	// forget jobs need the retention policy on the wire — restic
+	// refuses to run without keep-* flags, and the agent doesn't
+	// hold a copy of the schedule (server is the source of truth).
+	var retentionJSON json.RawMessage
+	if sched.Kind == string(api.JobForget) {
+		if sched.RetentionPolicy == (store.RetentionPolicy{}) {
+			return "", errFmtf("schedule has no retention policy — refusing to forget (would delete every snapshot)")
+		}
+		b, err := json.Marshal(sched.RetentionPolicy)
+		if err != nil {
+			return "", errFmtf("marshal retention policy: %s", err)
+		}
+		retentionJSON = b
+	}
+
 	jobID := ulid.Make().String()
 	now := time.Now().UTC()
 	if err := s.deps.Store.CreateJob(ctx, store.Job{
@@ -202,9 +217,10 @@ func (s *Server) dispatchScheduleNow(ctx context.Context, hostID, scheduleID str
 	}
 
 	env, err := api.Marshal(api.MsgCommandRun, jobID, api.CommandRunPayload{
-		JobID: jobID,
+		JobID:           jobID,
-		Kind:  api.JobKind(sched.Kind),
+		Kind:            api.JobKind(sched.Kind),
-		Args:  args,
+		Args:            args,
+		RetentionPolicy: retentionJSON,
 	})
 	if err != nil {
 		return "", errFmtf("marshal command.run: %s", err)

internal/server/http/schedules.go

@@ -268,6 +268,11 @@ func validateSchedule(s *scheduleAPI) (code, msg string) {
 	if s.Kind == api.JobBackup && len(s.Paths) == 0 {
 		return "missing_paths", "backup schedules require at least one path"
 	}
+	// forget needs at least one keep-* dimension; otherwise restic
+	// would happily delete every snapshot.
+	if s.Kind == api.JobForget && (s.RetentionPolicy == store.RetentionPolicy{}) {
+		return "missing_retention", "forget schedules require at least one Keep-* value"
+	}
 	// Hooks are only meaningful on backup schedules (spec §14.3).
 	if s.Kind != api.JobBackup && (s.PreHook != "" || s.PostHook != "") {
 		return "hooks_not_allowed", "pre_hook / post_hook only apply to backup schedules"

internal/server/http/ui_schedules.go

@@ -34,6 +34,9 @@ type scheduleEditPage struct {
 	IsNew         bool
 	ScheduleID    string
 	Error         string
+	// Kind is settable on create, immutable on edit. The form's
+	// kind picker is hidden when !IsNew.
+	Kind          string
 	// Form values — strings so partial input survives validation
 	// errors (e.g. operator typed "abc" into keep_last).
 	CronExpr      string
@@ -110,6 +113,7 @@ func (s *Server) handleUIScheduleNewGet(w stdhttp.ResponseWriter, r *stdhttp.Req
 	view.Page = scheduleEditPage{
 		Host:     *host,
 		IsNew:    true,
+		Kind:     string(api.JobBackup),
 		CronExpr: "0 3 * * *",
 		Enabled:  true,
 	}
@@ -147,6 +151,7 @@ func (s *Server) handleUIScheduleEditGet(w stdhttp.ResponseWriter, r *stdhttp.Re
 		Host:        *host,
 		IsNew:       false,
 		ScheduleID:  sched.ID,
+		Kind:        sched.Kind,
 		CronExpr:    sched.CronExpr,
 		PathsRaw:    strings.Join(sched.Paths, "\n"),
 		ExcludesRaw: strings.Join(sched.Excludes, "\n"),
@@ -202,6 +207,7 @@ func (s *Server) handleUIScheduleSave(w stdhttp.ResponseWriter, r *stdhttp.Reque
 		Host:          *host,
 		IsNew:         scheduleID == "",
 		ScheduleID:    scheduleID,
+		Kind:          strings.TrimSpace(r.PostForm.Get("kind")),
 		CronExpr:      strings.TrimSpace(r.PostForm.Get("cron_expr")),
 		PathsRaw:      r.PostForm.Get("paths"),
 		ExcludesRaw:   r.PostForm.Get("excludes"),
@@ -217,6 +223,16 @@ func (s *Server) handleUIScheduleSave(w stdhttp.ResponseWriter, r *stdhttp.Reque
 		Enabled:       r.PostForm.Get("enabled") == "on",
 		Manual:        r.PostForm.Get("manual") == "on",
 	}
+	// Kind is immutable on edit — use the existing schedule's kind
+	// regardless of what the form submitted.
+	if !page.IsNew {
+		if existing, err := s.deps.Store.GetSchedule(r.Context(), hostID, scheduleID); err == nil {
+			page.Kind = existing.Kind
+		}
+	}
+	if page.Kind == "" {
+		page.Kind = string(api.JobBackup)
+	}
 
 	// Convert the raw form values into store-shape data, surfacing
 	// the first parse error as a banner.
@@ -238,13 +254,16 @@ func (s *Server) handleUIScheduleSave(w stdhttp.ResponseWriter, r *stdhttp.Reque
 	}
 
 	// Validate against the same rules the JSON API uses. Manual
-	// schedules skip the cron-expr requirement; everything else
+	// schedules skip the cron-expr requirement; forget schedules
-	// applies the same.
+	// require a non-empty retention policy. Other validation
+	// (kind in allowed set, paths required for backup, hooks
+	// rejected on non-backup) lives in validateSchedule.
 	apiShape := scheduleAPI{
-		Kind:     api.JobBackup,
+		Kind:            api.JobKind(page.Kind),
-		CronExpr: page.CronExpr,
+		CronExpr:        page.CronExpr,
-		Paths:    paths,
+		Paths:           paths,
-		Manual:   page.Manual,
+		Manual:          page.Manual,
+		RetentionPolicy: retention,
 	}
 	if code, msg := validateSchedule(&apiShape); code != "" {
 		page.Error = uiErrorMessage(code, msg)
@@ -256,7 +275,7 @@ func (s *Server) handleUIScheduleSave(w stdhttp.ResponseWriter, r *stdhttp.Reque
 		row := store.Schedule{
 			ID:              ulid.Make().String(),
 			HostID:          hostID,
-			Kind:            string(api.JobBackup),
+			Kind:            page.Kind,
 			CronExpr:        page.CronExpr,
 			Paths:           paths,
 			Excludes:        excludes,
@@ -500,6 +519,8 @@ func uiErrorMessage(code, msg string) string {
 		return "Cron expression doesn't parse: " + msg
 	case "missing_paths":
 		return "At least one backup path is required (one per line)."
+	case "missing_retention":
+		return "Forget schedules need at least one Keep-* value, otherwise restic would delete every snapshot."
 	case "invalid_kind":
 		return "Unsupported schedule kind."
 	default:

tasks.md

@@ -102,7 +102,7 @@ Sizes: **S** = under a day, **M** = 1–3 days, **L** = 3–7 days.
 - [x] **P2-03** (M) Agent local scheduler. New `internal/agent/scheduler` package wraps `robfig/cron/v3` — `Apply(ScheduleSetPayload, Sender)` stops the prior cron (waits for in-flight entries), rebuilds from scratch (skipping disabled entries + skipping bad cron exprs with a warn log), starts, and emits `schedule.ack`. On a tick the entry sends a new `schedule.fire` envelope to the server with `{schedule_id, scheduled_at}`. The server's `OnScheduleFire` callback (`dispatchScheduledJob`) looks up the schedule, builds args from kind, persists a `jobs` row with `actor_kind=schedule` + `scheduled_id`, and ships `command.run` back on the same conn — agent runs the job through the existing dispatcher. Tx is swapped on every Apply so reconnect is handled naturally (cron entries that fire against a dropped tx log + skip the tick). `CreateJob` now writes `scheduled_id`; this column was in the schema since 0001 but never populated. Tests: scheduler unit tests cover ack-on-apply, cron tick → fire envelope, disabled-entries silent, replace-prior-state stops the old cron. Server-side end-to-end test covers fire → command.run with the right job_id/kind/args, plus jobs row with actor_kind=schedule + scheduled_id linking back. **Deferred:** persistence of next-fire times across agent restarts (a missed fire window during downtime simply fires once on reconnect — desirable behaviour).
 - [x] **P2-04.5** (S) Manual schedules — kill `host.default_paths`. Two independent path lists (host.default_paths fed Run-now while schedule.paths fed cron) was a real footgun that could put divergent file sets in the same repo. Replaced with a `manual` flag on schedules: same data shape, no cron, fires only via Run-now. Migration 0007 drops `host.default_paths` (ALTER TABLE DROP COLUMN — no rebuild dance, the original draft used the parent-table-rebuild pattern and FK cascade wiped every dependent table on the smoke env), seeds a manual schedule from any non-empty default_paths, and renames `enrollment_tokens.default_paths` → `initial_paths`. Add-host form retitled "Initial schedule · manual" so the operator knows where the paths land. Per-schedule Run-now button (`POST /hosts/{id}/schedules/{sid}/run`) reuses the same `dispatchScheduleNow` path used by `schedule.fire`. Dashboard's per-host Run-now picks the host's only enabled manual schedule, then falls back to the only enabled schedule, else returns "pick one in Schedules tab" — keeps one-click for the common case. Schedule edit form gains a "Manual schedule" toggle that hides the cron field when checked. Agent skips manual schedules in cron build. Validator allows missing cron when manual=true.
 - [x] **P2-04** (M) Schedule editor UI. New "Schedules" sub-tab on host detail (header + run-now panel preserved across the snapshot/schedule pages). List view shows status, cron, paths, retention summary (`store.RetentionPolicy.Summary()` renders "last=7, d=14, w=4"), tags, and edit/delete buttons. The header carries a "version N · agent in sync / agent at vM" indicator backed by `host_schedule_version` + `applied_schedule_version`. Create/edit form covers cron expr (with quick-pick presets), paths textarea, excludes textarea, tags (comma-separated), retention (six numeric inputs mirroring restic's `--keep-*` flags), bandwidth caps, enabled toggle. Form validation re-renders with the operator's typed input still in place. Each save fires `pushScheduleSetAsync` so an online agent re-arms within a few seconds. Hooks UI deferred to P2-15 (lands when the hook execution path does).
-- [ ] **P2-05** (M) `forget` command with retention policy (keep-last/daily/weekly/monthly/yearly)
+- [x] **P2-05** (M) `forget` command with retention policy. Wire: `api.CommandRunPayload` gains `retention_policy json.RawMessage`. Restic wrapper: `restic.ForgetPolicy` mirrors restic's `--keep-*` flags + `args()` helper; `restic.Env.RunForget` rejects empty policy (would delete every snapshot), runs `restic forget --json --keep-* …`. Crucially does **not** pass `--prune` — pruning lives behind a separate admin-only credential (P2-06); forget just rewrites the snapshot index. Agent runner: `RunForget(jobID, policy)` mirrors `RunBackup`'s envelope shape; on success runs `reportSnapshots` since forget shrinks the host's snapshot list. Agent dispatcher: `case api.JobForget:` decodes retention from the wire and dispatches. Server `dispatchScheduleNow`: for `kind=forget` schedules, marshals `RetentionPolicy` into the wire payload (refuses if empty). UI: schedule edit form gains a Kind dropdown (Backup or Forget; immutable on edit), Paths block hides for forget, validator rejects forget without retention. Agent skips manual-mode forget schedules in cron (same as backup). End-to-end: operator creates a forget schedule with keep-last=N → cron fires → `schedule.fire` → server resolves schedule + retention → `command.run` with `kind=forget` + retention payload → agent runs `restic forget --keep-last N` → snapshots refresh → UI reflects shrunk count. Run-now button on the schedule row also dispatches.
 - [ ] **P2-06** (M) `prune` command (admin-only, uses non-append-only credential)
 - [ ] **P2-07** (S) `check` command (random subset + `--read-data-subset`)
 - [ ] **P2-08** (S) `unlock` command

web/templates/pages/schedule_edit.html

@@ -37,7 +37,31 @@
 
     <div class="col-span-7 panel rounded-[7px] px-8 py-7">
 
-      <h3 class="text-[13px] font-semibold uppercase tracking-[0.08em] text-ink-mute mb-4">When</h3>
+      <h3 class="text-[13px] font-semibold uppercase tracking-[0.08em] text-ink-mute mb-4">Kind</h3>
+      <div class="mb-7">
+        {{if $page.IsNew}}
+          <label class="field-label" for="se-kind">What does this schedule do?</label>
+          <select id="se-kind" name="kind" class="field mono"
+                  onchange="document.querySelectorAll('[data-kind]').forEach(el => { el.style.display = el.dataset.kind === this.value ? '' : 'none'; });">
+            <option value="backup" {{if eq $page.Kind "backup"}}selected{{end}}>backup — snapshot the configured paths</option>
+            <option value="forget" {{if eq $page.Kind "forget"}}selected{{end}}>forget — apply retention policy (rewrite the snapshot index)</option>
+          </select>
+          <div class="field-help">
+            <span class="mono text-ink-mid">backup</span> reads files and writes a snapshot.
+            <span class="mono text-ink-mid">forget</span> trims the index by your <strong>Keep-*</strong> rules without deleting data —
+            an admin-only <span class="mono text-ink-mid">prune</span> job (P2-06) reclaims the disk space later.
+            Other kinds (<span class="mono text-ink-mid">prune</span>, <span class="mono text-ink-mid">check</span>, <span class="mono text-ink-mid">unlock</span>) land in P2-06..08.
+          </div>
+        {{else}}
+          <input type="hidden" name="kind" value="{{$page.Kind}}">
+          <div class="text-[13px] text-ink-mid">
+            Kind: <span class="mono text-ink">{{$page.Kind}}</span>
+            <span class="text-ink-fade">— immutable on edit; delete and recreate to switch kind.</span>
+          </div>
+        {{end}}
+      </div>
+
+      <h3 class="text-[13px] font-semibold uppercase tracking-[0.08em] text-ink-mute mb-4 pt-6 border-t border-line-soft">When</h3>
 
       <div class="mb-5">
         <label class="flex items-center gap-2.5 cursor-pointer text-[13px]">
@@ -65,20 +89,22 @@
         </div>
       </div>
 
-      <h3 class="text-[13px] font-semibold uppercase tracking-[0.08em] text-ink-mute mb-4 pt-6 border-t border-line-soft">Paths</h3>
+      <div data-kind="backup" {{if ne $page.Kind "backup"}}style="display: none;"{{end}}>
-      <div class="mb-5">
+        <h3 class="text-[13px] font-semibold uppercase tracking-[0.08em] text-ink-mute mb-4 pt-6 border-t border-line-soft">Paths</h3>
-        <label class="field-label" for="se-paths">Backup paths <span class="text-ink-fade font-normal">· one per line</span></label>
+        <div class="mb-5">
-        <textarea id="se-paths" name="paths" rows="4" class="field mono"
+          <label class="field-label" for="se-paths">Backup paths <span class="text-ink-fade font-normal">· one per line</span></label>
-                  style="resize: vertical;"
+          <textarea id="se-paths" name="paths" rows="4" class="field mono"
-                  placeholder="/etc&#10;/home&#10;/var/lib/postgresql">{{$page.PathsRaw}}</textarea>
+                    style="resize: vertical;"
-        <div class="field-help">What <span class="mono text-ink-mid">restic backup</span> walks. The agent runs as root with <span class="mono text-ink-mid">CAP_DAC_READ_SEARCH</span>, so any readable path is fair game.</div>
+                    placeholder="/etc&#10;/home&#10;/var/lib/postgresql">{{$page.PathsRaw}}</textarea>
-      </div>
+          <div class="field-help">What <span class="mono text-ink-mid">restic backup</span> walks. The agent runs as root with <span class="mono text-ink-mid">CAP_DAC_READ_SEARCH</span>, so any readable path is fair game.</div>
-      <div class="mb-7">
+        </div>
-        <label class="field-label" for="se-excludes">Excludes <span class="text-ink-fade font-normal">· optional, one per line</span></label>
+        <div class="mb-7">
-        <textarea id="se-excludes" name="excludes" rows="3" class="field mono"
+          <label class="field-label" for="se-excludes">Excludes <span class="text-ink-fade font-normal">· optional, one per line</span></label>
-                  style="resize: vertical;"
+          <textarea id="se-excludes" name="excludes" rows="3" class="field mono"
-                  placeholder="*.tmp&#10;node_modules&#10;.cache">{{$page.ExcludesRaw}}</textarea>
+                    style="resize: vertical;"
-        <div class="field-help">Passed straight through as <span class="mono text-ink-mid">--exclude</span> args.</div>
+                    placeholder="*.tmp&#10;node_modules&#10;.cache">{{$page.ExcludesRaw}}</textarea>
+          <div class="field-help">Passed straight through as <span class="mono text-ink-mid">--exclude</span> args.</div>
+        </div>
       </div>
 
       <h3 class="text-[13px] font-semibold uppercase tracking-[0.08em] text-ink-mute mb-4 pt-6 border-t border-line-soft">Tags <span class="text-ink-fade font-normal">· optional</span></h3>