sdtk-ops-kit 0.2.0

package/assets/toolkit/toolkit/install.ps1

@@ -0,0 +1,138 @@
+param(
+  [Parameter(Mandatory = $true)]
+  [ValidateSet('codex', 'claude')]
+  [string]$Runtime,
+
+  [string]$ProjectPath,
+
+  [ValidateSet('project', 'user', '')]
+  [string]$Scope = '',
+
+  [switch]$Force,
+  [switch]$SkipRuntimeAssets,
+  [switch]$SkipSkills,
+  [switch]$Quiet
+)
+
+$ErrorActionPreference = 'Stop'
+Set-StrictMode -Version Latest
+
+function Copy-File {
+  param(
+    [Parameter(Mandatory = $true)][string]$SourcePath,
+    [Parameter(Mandatory = $true)][string]$DestinationPath,
+    [Parameter(Mandatory = $true)][bool]$Overwrite
+  )
+
+  if (-not (Test-Path -LiteralPath $SourcePath)) {
+    throw "Missing source file: $SourcePath"
+  }
+
+  if ((Test-Path -LiteralPath $DestinationPath) -and -not $Overwrite) {
+    if (-not $Quiet) {
+      Write-Warning "Already exists (skipping). Use -Force to overwrite: $DestinationPath"
+    }
+    return
+  }
+
+  $parent = Split-Path -Parent $DestinationPath
+  if ($parent -and -not (Test-Path -LiteralPath $parent)) {
+    New-Item -ItemType Directory -Force -Path $parent | Out-Null
+  }
+
+  Copy-Item -LiteralPath $SourcePath -Destination $DestinationPath -Force
+}
+
+function Resolve-OrCreateDirectory {
+  param(
+    [Parameter(Mandatory = $true)][string]$Path
+  )
+
+  if (-not (Test-Path -LiteralPath $Path)) {
+    New-Item -ItemType Directory -Force -Path $Path | Out-Null
+  }
+
+  return (Resolve-Path -LiteralPath $Path).Path
+}
+
+$toolkitRoot = (Resolve-Path -LiteralPath $PSScriptRoot).Path
+if (-not $ProjectPath) {
+  $ProjectPath = (Get-Location).Path
+}
+$projectRoot = Resolve-OrCreateDirectory -Path $ProjectPath
+
+if (-not $Scope) {
+  $Scope = if ($Runtime -eq 'claude') { 'project' } else { 'user' }
+}
+
+if ($Runtime -eq 'codex' -and $Scope -eq 'project') {
+  Write-Error "Codex does not support project-local skills. Use -Scope user instead."
+  exit 1
+}
+
+if ($SkipSkills) {
+  if (-not $Quiet) {
+    Write-Warning "-SkipSkills is deprecated. Use -SkipRuntimeAssets instead."
+  }
+  $SkipRuntimeAssets = $true
+}
+
+if (-not $Quiet) {
+  Write-Host "SDTK-OPS installer"
+  Write-Host "  Runtime: $Runtime"
+  Write-Host "  Scope:   $Scope"
+  Write-Host "  Project: $projectRoot"
+  Write-Host ""
+}
+
+$sharedFiles = @(
+  'AGENTS.md',
+  'sdtk-spec.config.json',
+  'sdtk-spec.config.profiles.example.json'
+)
+
+foreach ($fileName in $sharedFiles) {
+  Copy-File `
+    -SourcePath (Join-Path $toolkitRoot $fileName) `
+    -DestinationPath (Join-Path $projectRoot $fileName) `
+    -Overwrite ([bool]$Force)
+
+  if (-not $Quiet) {
+    Write-Host "  [OK] $fileName"
+  }
+}
+
+if (-not $SkipRuntimeAssets) {
+  $scriptPath = if ($Runtime -eq 'claude') {
+    Join-Path $toolkitRoot 'scripts/install-claude-skills.ps1'
+  } else {
+    Join-Path $toolkitRoot 'scripts/install-codex-skills.ps1'
+  }
+
+  if (-not (Test-Path -LiteralPath $scriptPath)) {
+    throw "Missing runtime installer: $scriptPath"
+  }
+
+  if (-not $Quiet) {
+    Write-Host ""
+    Write-Host "Installing $Runtime runtime assets..."
+  }
+
+  $params = @{
+    Scope = $Scope
+    Quiet = [bool]$Quiet
+  }
+  if ($Runtime -eq 'claude') {
+    $params.ProjectPath = $projectRoot
+  }
+  if ($Force) {
+    $params.Force = $true
+  }
+
+  & $scriptPath @params
+}
+
+if (-not $Quiet) {
+  Write-Host ""
+  Write-Host "SDTK-OPS installation complete."
+}

package/assets/toolkit/toolkit/scripts/install-claude-skills.ps1

@@ -0,0 +1,81 @@
+param(
+  [string]$ProjectPath,
+  [ValidateSet('project', 'user')]
+  [string]$Scope = 'project',
+  [switch]$Force,
+  [switch]$Quiet
+)
+
+$ErrorActionPreference = 'Stop'
+Set-StrictMode -Version Latest
+
+$toolkitRoot = (Resolve-Path (Join-Path $PSScriptRoot '..')).Path
+$skillsSource = Join-Path $toolkitRoot 'skills'
+if (-not (Test-Path -LiteralPath $skillsSource)) {
+  throw "Missing toolkit skills source directory: $skillsSource"
+}
+
+$managedSkills = @(Get-ChildItem -LiteralPath $skillsSource -Directory | Sort-Object Name)
+if ($managedSkills.Count -ne 15) {
+  throw "Expected 15 managed SDTK-OPS skills but found $($managedSkills.Count)."
+}
+
+if ($Scope -eq 'user') {
+  $skillsDest = Join-Path $HOME '.claude/skills'
+} else {
+  if (-not $ProjectPath) {
+    throw "ProjectPath is required for Claude project scope installation."
+  }
+  if (-not (Test-Path -LiteralPath $ProjectPath)) {
+    New-Item -ItemType Directory -Force -Path $ProjectPath | Out-Null
+  }
+  $projectRoot = (Resolve-Path -LiteralPath $ProjectPath).Path
+  $skillsDest = Join-Path $projectRoot '.claude/skills'
+}
+
+New-Item -ItemType Directory -Force -Path $skillsDest | Out-Null
+
+$copied = 0
+$skipped = 0
+foreach ($skillDir in $managedSkills) {
+  $skillFile = Join-Path $skillDir.FullName 'SKILL.md'
+  if (-not (Test-Path -LiteralPath $skillFile)) {
+    throw "Managed skill is missing SKILL.md: $($skillDir.FullName)"
+  }
+
+  $destDir = Join-Path $skillsDest $skillDir.Name
+  if (Test-Path -LiteralPath $destDir) {
+    if (-not $Force) {
+      $skipped++
+      if (-not $Quiet) {
+        Write-Warning "Skill already installed (skipping). Use -Force to overwrite: $($skillDir.Name)"
+      }
+      continue
+    }
+    Remove-Item -LiteralPath $destDir -Recurse -Force
+  }
+
+  Copy-Item -LiteralPath $skillDir.FullName -Destination $destDir -Recurse -Force
+  $copied++
+  if (-not $Quiet) {
+    Write-Host "Installed: $($skillDir.Name)"
+  }
+}
+
+$installedNow = @(
+  Get-ChildItem -LiteralPath $skillsDest -Directory -ErrorAction SilentlyContinue |
+    Where-Object { $managedSkills.Name -contains $_.Name } |
+    Select-Object -ExpandProperty Name
+)
+if ($installedNow.Count -ne 15) {
+  throw "Claude skill install incomplete. Expected 15 managed skills at $skillsDest but found $($installedNow.Count)."
+}
+
+if (-not $Quiet) {
+  Write-Host ""
+  Write-Host "Install summary:"
+  Write-Host "- Scope: $Scope"
+  Write-Host "- Destination: $skillsDest"
+  Write-Host "- Copied: $copied"
+  Write-Host "- Skipped: $skipped"
+}

package/assets/toolkit/toolkit/scripts/install-codex-skills.ps1

@@ -0,0 +1,127 @@
+param(
+  [ValidateSet('project', 'user')]
+  [string]$Scope = 'user',
+  [switch]$Force,
+  [switch]$Quiet
+)
+
+if ($Scope -eq 'project') {
+  Write-Error "Codex does not support project-local skills. Use -Scope user instead."
+  exit 1
+}
+
+$ErrorActionPreference = 'Stop'
+Set-StrictMode -Version Latest
+
+function Write-Utf8NoBomFile {
+  param(
+    [Parameter(Mandatory = $true)][string]$Path,
+    [Parameter(Mandatory = $true)][string]$Content
+  )
+
+  $utf8NoBom = New-Object System.Text.UTF8Encoding($false)
+  [System.IO.File]::WriteAllText($Path, $Content, $utf8NoBom)
+}
+
+function Rewrite-SkillFrontmatterName {
+  param(
+    [Parameter(Mandatory = $true)][string]$SkillFilePath,
+    [Parameter(Mandatory = $true)][string]$ExpectedName
+  )
+
+  $content = Get-Content -LiteralPath $SkillFilePath -Raw -Encoding UTF8
+  $newline = if ($content.Contains("`r`n")) { "`r`n" } else { "`n" }
+  $match = [regex]::Match(
+    $content,
+    '\A(?<prefix>\s*(?:<!--[\s\S]*?-->\s*)?)---\r?\n(?<frontmatter>[\s\S]*?)\r?\n---(?<suffix>[\s\S]*)\z'
+  )
+  if (-not $match.Success) {
+    throw "Skill file is missing a valid YAML frontmatter block: $SkillFilePath"
+  }
+
+  $frontmatter = $match.Groups['frontmatter'].Value
+  if ($frontmatter -notmatch '(?m)^name:\s*(?<name>[^\r\n]+)\s*$') {
+    throw "Skill file is missing a frontmatter name field: $SkillFilePath"
+  }
+
+  $updatedFrontmatter = [regex]::Replace(
+    $frontmatter,
+    '(?m)^name:\s*[^\r\n]+\s*$',
+    "name: $ExpectedName",
+    1
+  )
+
+  $updatedContent = $match.Groups['prefix'].Value + '---' + $newline + $updatedFrontmatter + $newline + '---' + $match.Groups['suffix'].Value
+  Write-Utf8NoBomFile -Path $SkillFilePath -Content $updatedContent
+}
+
+$toolkitRoot = (Resolve-Path (Join-Path $PSScriptRoot '..')).Path
+$skillsSource = Join-Path $toolkitRoot 'skills'
+if (-not (Test-Path -LiteralPath $skillsSource)) {
+  throw "Missing toolkit skills source directory: $skillsSource"
+}
+
+$managedSkills = @(Get-ChildItem -LiteralPath $skillsSource -Directory | Sort-Object Name)
+if ($managedSkills.Count -ne 15) {
+  throw "Expected 15 managed SDTK-OPS skills but found $($managedSkills.Count)."
+}
+
+$codexHome = if ($env:CODEX_HOME) { $env:CODEX_HOME } else { Join-Path $HOME '.codex' }
+$skillsDest = Join-Path $codexHome 'skills'
+New-Item -ItemType Directory -Force -Path $skillsDest | Out-Null
+
+$copied = 0
+$skipped = 0
+foreach ($skillDir in $managedSkills) {
+  $skillFile = Join-Path $skillDir.FullName 'SKILL.md'
+  if (-not (Test-Path -LiteralPath $skillFile)) {
+    throw "Managed skill is missing SKILL.md: $($skillDir.FullName)"
+  }
+
+  $destName = "sdtk-$($skillDir.Name)"
+  $destDir = Join-Path $skillsDest $destName
+  if (Test-Path -LiteralPath $destDir) {
+    if (-not $Force) {
+      $skipped++
+      if (-not $Quiet) {
+        Write-Warning "Skill already installed (skipping). Use -Force to overwrite: $destName"
+      }
+      continue
+    }
+    Remove-Item -LiteralPath $destDir -Recurse -Force
+  }
+
+  Copy-Item -LiteralPath $skillDir.FullName -Destination $destDir -Recurse -Force
+  try {
+    Rewrite-SkillFrontmatterName -SkillFilePath (Join-Path $destDir 'SKILL.md') -ExpectedName $destName
+  } catch {
+    if (Test-Path -LiteralPath $destDir) {
+      Remove-Item -LiteralPath $destDir -Recurse -Force
+    }
+    throw
+  }
+
+  $copied++
+  if (-not $Quiet) {
+    Write-Host "Installed: $destName"
+  }
+}
+
+$expectedNames = $managedSkills.Name | ForEach-Object { "sdtk-$_" }
+$installedNow = @(
+  Get-ChildItem -LiteralPath $skillsDest -Directory -ErrorAction SilentlyContinue |
+    Where-Object { $expectedNames -contains $_.Name } |
+    Select-Object -ExpandProperty Name
+)
+if ($installedNow.Count -ne 15) {
+  throw "Codex skill install incomplete. Expected 15 managed skills at $skillsDest but found $($installedNow.Count)."
+}
+
+if (-not $Quiet) {
+  Write-Host ""
+  Write-Host "Install summary:"
+  Write-Host "- Scope: user"
+  Write-Host "- Destination: $skillsDest"
+  Write-Host "- Copied: $copied"
+  Write-Host "- Skipped: $skipped"
+}

package/assets/toolkit/toolkit/scripts/uninstall-claude-skills.ps1

@@ -0,0 +1,65 @@
+param(
+  [string]$ProjectPath,
+  [ValidateSet('project', 'user')]
+  [string]$Scope = 'project',
+  [switch]$All,
+  [switch]$Quiet
+)
+
+$ErrorActionPreference = 'Stop'
+Set-StrictMode -Version Latest
+
+$toolkitRoot = (Resolve-Path (Join-Path $PSScriptRoot '..')).Path
+$skillsSource = Join-Path $toolkitRoot 'skills'
+if (-not (Test-Path -LiteralPath $skillsSource)) {
+  throw "Missing toolkit skills source directory: $skillsSource"
+}
+
+$managedSkillNames = @(
+  Get-ChildItem -LiteralPath $skillsSource -Directory | Sort-Object Name | Select-Object -ExpandProperty Name
+)
+if ($managedSkillNames.Count -ne 15) {
+  throw "Expected 15 managed SDTK-OPS skills but found $($managedSkillNames.Count)."
+}
+
+if ($Scope -eq 'user') {
+  $skillsDest = Join-Path $HOME '.claude/skills'
+} else {
+  if (-not $ProjectPath) {
+    throw "ProjectPath is required for Claude project scope uninstall."
+  }
+  if (-not (Test-Path -LiteralPath $ProjectPath)) {
+    New-Item -ItemType Directory -Force -Path $ProjectPath | Out-Null
+  }
+  $projectRoot = (Resolve-Path -LiteralPath $ProjectPath).Path
+  $skillsDest = Join-Path $projectRoot '.claude/skills'
+}
+
+if (-not (Test-Path -LiteralPath $skillsDest)) {
+  if (-not $Quiet) {
+    Write-Host "Claude skills directory not found: $skillsDest"
+  }
+  exit 0
+}
+
+$removed = New-Object System.Collections.Generic.List[string]
+$missing = New-Object System.Collections.Generic.List[string]
+foreach ($name in $managedSkillNames) {
+  $dest = Join-Path $skillsDest $name
+  if (-not (Test-Path -LiteralPath $dest)) {
+    $missing.Add($name) | Out-Null
+    continue
+  }
+
+  Remove-Item -LiteralPath $dest -Recurse -Force
+  $removed.Add($name) | Out-Null
+}
+
+if (-not $Quiet) {
+  Write-Host ""
+  Write-Host "Uninstall summary:"
+  Write-Host "- Scope: $Scope"
+  Write-Host "- Destination: $skillsDest"
+  Write-Host "- Removed: $($removed.Count)"
+  Write-Host "- Missing/Skipped: $($missing.Count)"
+}

package/assets/toolkit/toolkit/scripts/uninstall-codex-skills.ps1

@@ -0,0 +1,53 @@
+param(
+  [switch]$All,
+  [switch]$Quiet
+)
+
+$ErrorActionPreference = 'Stop'
+Set-StrictMode -Version Latest
+
+$toolkitRoot = (Resolve-Path (Join-Path $PSScriptRoot '..')).Path
+$skillsSource = Join-Path $toolkitRoot 'skills'
+if (-not (Test-Path -LiteralPath $skillsSource)) {
+  throw "Missing toolkit skills source directory: $skillsSource"
+}
+
+$managedSkillNames = @(
+  Get-ChildItem -LiteralPath $skillsSource -Directory |
+    Sort-Object Name |
+    ForEach-Object { "sdtk-$($_.Name)" }
+)
+if ($managedSkillNames.Count -ne 15) {
+  throw "Expected 15 managed SDTK-OPS skills but found $($managedSkillNames.Count)."
+}
+
+$codexHome = if ($env:CODEX_HOME) { $env:CODEX_HOME } else { Join-Path $HOME '.codex' }
+$skillsDest = Join-Path $codexHome 'skills'
+if (-not (Test-Path -LiteralPath $skillsDest)) {
+  if (-not $Quiet) {
+    Write-Host "Codex skills directory not found: $skillsDest"
+  }
+  exit 0
+}
+
+$removed = New-Object System.Collections.Generic.List[string]
+$missing = New-Object System.Collections.Generic.List[string]
+foreach ($name in $managedSkillNames) {
+  $dest = Join-Path $skillsDest $name
+  if (-not (Test-Path -LiteralPath $dest)) {
+    $missing.Add($name) | Out-Null
+    continue
+  }
+
+  Remove-Item -LiteralPath $dest -Recurse -Force
+  $removed.Add($name) | Out-Null
+}
+
+if (-not $Quiet) {
+  Write-Host ""
+  Write-Host "Uninstall summary:"
+  Write-Host "- Scope: user"
+  Write-Host "- Destination: $skillsDest"
+  Write-Host "- Removed: $($removed.Count)"
+  Write-Host "- Missing/Skipped: $($missing.Count)"
+}

package/assets/toolkit/toolkit/sdtk-spec.config.json

@@ -0,0 +1,6 @@
+{
+  "toolkit": "SDTK-OPS",
+  "version": "1.0.0",
+  "skills_path": "toolkit/skills",
+  "skill_prefix": "ops-"
+}

package/assets/toolkit/toolkit/sdtk-spec.config.profiles.example.json

@@ -0,0 +1,12 @@
+{
+  "$comment": "Example profiles config for SDTK-OPS. Copy to sdtk-spec.config.profiles.json and customize for your internal runtime targets.",
+  "profiles": {
+    "default": {
+      "stack": {
+        "backend": "UPDATE_ME",
+        "frontend": "UPDATE_ME",
+        "database": "UPDATE_ME"
+      }
+    }
+  }
+}

package/assets/toolkit/toolkit/skills/ops-backup/SKILL.md

@@ -0,0 +1,93 @@
+<!-- Based on agency-agents by AgentLand Contributors (MIT License, 2025). Adapted for SDTK-OPS. -->
+---
+name: ops-backup
+description: Backup and disaster recovery. Use when designing backup strategies, disaster recovery plans, or restore procedures -- covers RTO/RPO definition, backup verification, and cross-region replication.
+---
+
+# Ops Backup
+
+## Overview
+
+Backups are only valuable if they can be restored inside the time and data-loss limits the business expects. Define recovery targets first, automate execution, store copies away from the primary failure zone, and test restores on a schedule.
+
+## The Iron Law
+
+```
+NO BACKUP STRATEGY IS COMPLETE UNTIL A RESTORE HAS BEEN TESTED
+```
+
+## RTO And RPO Framework
+
+- **RTO**
+  - recovery time objective
+  - how long the service can be unavailable
+- **RPO**
+  - recovery point objective
+  - how much data loss is acceptable
+
+## Service Tiers
+
+| Tier | RPO | RTO | Replication Scope |
+|------|-----|-----|-------------------|
+| Critical | under 5 min | under 30 min | cross-region |
+| Important | under 1 hour | under 4 hours | cross-availability-zone |
+| Standard | under 24 hours | under 24 hours | same region |
+
+## Backup Strategies
+
+| Strategy | When To Use | Typical RPO | Storage Cost |
+|----------|-------------|-------------|--------------|
+| Full | small datasets or periodic baselines | longer | high |
+| Incremental | regular backups with storage efficiency | medium | low |
+| Differential | simpler restore chain with moderate storage use | medium | medium |
+| Continuous replication | critical systems with near-real-time recovery needs | very low | high |
+
+## <HARD-GATE>
+
+Do not claim backup coverage until all are true:
+- execution is automated
+- backup data is encrypted at rest with GPG, KMS, or equivalent
+- an off-site copy exists in a different region or failure domain
+- retention and cleanup are enforced automatically
+- restore testing happens at least quarterly with documented results
+- monitoring alerts fire on backup failure
+
+## Monthly Restore Drill
+
+Run this procedure:
+1. select a recent backup at random
+2. restore it into an isolated environment
+3. verify data integrity
+4. verify the application can use the restored data
+5. record total restore time and any issues
+6. update the runbook if the drill exposed gaps
+
+## Disaster Recovery Plan Template
+
+| Component | Primary Region | DR Region | Failover Method | RTO |
+|-----------|----------------|-----------|-----------------|-----|
+| api | primary-a | secondary-a | redeploy from immutable artifact | 30 min |
+| database | primary-a | secondary-a | replica promote or restore | 30 min |
+| object storage | primary-a | secondary-a | replicated bucket failover | 60 min |
+
+## Script Patterns
+
+Use `./references/backup-script-patterns.md` for backup, encryption, verification, upload, and retention patterns. Treat provider-specific storage commands as replaceable implementation details.
+
+## Common Mistakes
+
+| Mistake | Why it fails |
+|---------|--------------|
+| Never test restores | Teams discover backup gaps during the outage |
+| Keep backup copies in the same failure domain | Regional or account-level failure destroys recovery path |
+| Skip encryption | Backup media becomes a security incident |
+| No retention policy | Storage grows without limit and old data stays forever |
+| Manual backup execution | The process fails precisely when people are busiest |
+
+## Execution Handoff
+
+After backup design is approved:
+- implement storage and retention changes through `ops-infra-plan`
+- validate restore evidence with `ops-verify`
+- use `ops-monitor` so backup failures page the right team
+

package/assets/toolkit/toolkit/skills/ops-backup/references/backup-script-patterns.md

@@ -0,0 +1,108 @@
+<!-- Based on agency-agents by AgentLand Contributors (MIT License, 2025). Adapted for SDTK-OPS. -->
+
+# Backup Script Patterns
+
+## Shell Pattern
+
+```bash
+#!/usr/bin/env bash
+set -euo pipefail
+
+BACKUP_ROOT="${BACKUP_ROOT:-/backups}"
+LOG_FILE="${LOG_FILE:-/var/log/backup.log}"
+RETENTION_DAYS="${RETENTION_DAYS:-30}"
+ENCRYPTION_KEY="${ENCRYPTION_KEY:?Set ENCRYPTION_KEY to a passphrase file or key reference}"
+OBJECT_STORE_TARGET="${OBJECT_STORE_TARGET:?Set OBJECT_STORE_TARGET to the remote backup location}"
+NOTIFICATION_WEBHOOK="${NOTIFICATION_WEBHOOK:?Set NOTIFICATION_WEBHOOK through the environment}"
+
+log() {
+  echo "$(date '+%Y-%m-%d %H:%M:%S') - $1" | tee -a "$LOG_FILE"
+}
+
+notify_failure() {
+  local message="$1"
+  curl -X POST -H 'Content-type: application/json' \
+    --data "{\"text\":\"Backup failed: $message\"}" \
+    "$NOTIFICATION_WEBHOOK"
+}
+
+handle_error() {
+  local error_message="$1"
+  log "ERROR: $error_message"
+  notify_failure "$error_message"
+  exit 1
+}
+
+backup_database() {
+  local db_name="$1"
+  local backup_file="${BACKUP_ROOT}/db/${db_name}_$(date +%Y%m%d_%H%M%S).sql.gz"
+
+  mkdir -p "$(dirname "$backup_file")"
+
+  if ! pg_dump -h "$DB_HOST" -U "$DB_USER" -d "$db_name" | gzip > "$backup_file"; then
+    handle_error "Database backup failed for $db_name"
+  fi
+
+  if ! gpg --cipher-algo AES256 --compress-algo 1 --s2k-mode 3 \
+    --s2k-digest-algo SHA512 --s2k-count 65536 --symmetric \
+    --passphrase-file "$ENCRYPTION_KEY" "$backup_file"; then
+    handle_error "Database backup encryption failed for $db_name"
+  fi
+
+  rm "$backup_file"
+  log "Database backup completed for $db_name"
+}
+
+backup_files() {
+  local source_dir="$1"
+  local backup_name="$2"
+  local backup_file="${BACKUP_ROOT}/files/${backup_name}_$(date +%Y%m%d_%H%M%S).tar.gz.gpg"
+
+  mkdir -p "$(dirname "$backup_file")"
+
+  if ! tar -czf - -C "$source_dir" . | \
+    gpg --cipher-algo AES256 --compress-algo 0 --s2k-mode 3 \
+      --s2k-digest-algo SHA512 --s2k-count 65536 --symmetric \
+      --passphrase-file "$ENCRYPTION_KEY" \
+      --output "$backup_file"; then
+    handle_error "File backup failed for $source_dir"
+  fi
+
+  log "File backup completed for $source_dir"
+}
+
+verify_backup() {
+  local backup_file="$1"
+
+  if ! gpg --quiet --batch --passphrase-file "$ENCRYPTION_KEY" \
+    --decrypt "$backup_file" > /dev/null 2>&1; then
+    handle_error "Backup integrity check failed for $backup_file"
+  fi
+
+  log "Backup integrity verified for $backup_file"
+}
+
+upload_backup() {
+  local local_file="$1"
+  local remote_path="$2"
+
+  if ! cloud-storage-copy "$local_file" "${OBJECT_STORE_TARGET}/${remote_path}"; then
+    handle_error "Remote upload failed for $local_file"
+  fi
+
+  log "Remote upload completed for $local_file"
+}
+
+cleanup_old_backups() {
+  find "$BACKUP_ROOT" -name "*.gpg" -mtime +"$RETENTION_DAYS" -delete
+  log "Cleanup completed"
+}
+```
+
+## Pattern Notes
+
+- keep notification endpoints in environment variables, never in version control
+- replace `cloud-storage-copy` with the provider-specific upload command used by your platform
+- verify every backup after encryption and before declaring success
+- keep restore testing separate from production systems
+