Add secrets directory support to backup/restore scripts

Extended backup and restore utilities to include the secrets/ directory
containing SSH keys for Oracle server access.

Changes:
- backup-secrets.sh: Added SECRET_DIRS array to backup entire directories as tar archives
- restore-secrets.sh: Added logic to detect and restore tar.enc directory archives
- Both scripts now handle:
  * Individual .env files (as before)
  * Complete directories (new: secrets/ with SSH keys)

Technical implementation:
- Directories are archived with tar and piped directly to openssl for encryption
- Uses tar -cf - to output to stdout, then pipes to openssl enc
- Restore decrypts and extracts in one step: openssl | tar -xf -
- Preserves directory structure and file permissions

Files backed up:
- reports-app/backend/.env and .env.prod
- reports-app/telegram-bot/.env and .env.prod
- secrets/ directory (SSH keys: roa_oracle_server, *.pub, .gitkeep)

Backup structure now includes:
- *.env.enc (individual encrypted files)
- secrets.tar.enc (encrypted tar archive of directory)

Tested successfully with encryption/decryption cycle.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

scripts/restore-secrets.sh

@@ -63,21 +63,38 @@ echo ""
 
 # List encrypted files in backup
 ENCRYPTED_FILES=()
+ENCRYPTED_DIRS=()
+
 for file in "${BACKUP_DIR}"/*.enc; do
     if [ -f "$file" ]; then
-        ENCRYPTED_FILES+=("$file")
+        filename=$(basename "$file")
+        # Check if it's a tar archive (directory backup)
+        if [[ "$filename" == *.tar.enc ]]; then
+            ENCRYPTED_DIRS+=("$file")
+        else
+            ENCRYPTED_FILES+=("$file")
+        fi
     fi
 done
 
-if [ ${#ENCRYPTED_FILES[@]} -eq 0 ]; then
+if [ ${#ENCRYPTED_FILES[@]} -eq 0 ] && [ ${#ENCRYPTED_DIRS[@]} -eq 0 ]; then
     echo -e "${RED}Error: No encrypted files found in backup${NC}"
     exit 1
 fi
 
-echo "Found ${#ENCRYPTED_FILES[@]} encrypted file(s):"
-for file in "${ENCRYPTED_FILES[@]}"; do
-    echo "  - $(basename "$file")"
-done
+echo "Found in backup:"
+if [ ${#ENCRYPTED_FILES[@]} -gt 0 ]; then
+    echo "  📄 ${#ENCRYPTED_FILES[@]} environment file(s):"
+    for file in "${ENCRYPTED_FILES[@]}"; do
+        echo "     - $(basename "$file")"
+    done
+fi
+if [ ${#ENCRYPTED_DIRS[@]} -gt 0 ]; then
+    echo "  📁 ${#ENCRYPTED_DIRS[@]} directory archive(s):"
+    for file in "${ENCRYPTED_DIRS[@]}"; do
+        echo "     - $(basename "$file")"
+    done
+fi
 echo ""
 
 # Ask for confirmation
@@ -145,6 +162,30 @@ for encrypted_file in "${ENCRYPTED_FILES[@]}"; do
     echo ""
 done
 
+# Restore directory archives
+for encrypted_file in "${ENCRYPTED_DIRS[@]}"; do
+    filename=$(basename "$encrypted_file" .enc)
+    dir_name=$(basename "$filename" .tar)
+
+    echo -e "Decrypting directory: ${GREEN}$dir_name${NC}"
+    echo -e "  Target: $dir_name/"
+
+    # Decrypt and extract tar archive
+    if openssl enc -aes-256-cbc -d -pbkdf2 \
+        -in "$encrypted_file" -pass pass:"$BACKUP_PASSWORD" 2>/dev/null | tar -xf - 2>/dev/null; then
+        echo -e "  ✅ Restored successfully"
+        RESTORED=$((RESTORED + 1))
+
+        # Count restored files
+        file_count=$(find "$dir_name" -type f 2>/dev/null | wc -l)
+        echo -e "  📁 Extracted ${file_count} file(s)"
+    else
+        echo -e "  ${RED}❌ Failed to decrypt/extract (wrong password?)${NC}"
+        FAILED=$((FAILED + 1))
+    fi
+    echo ""
+done
+
 echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
 if [ $FAILED -eq 0 ]; then
     echo -e "${GREEN}✅ Restore completed successfully${NC}"