# REPORT — felhom-controller v0.55.0 (Phase 3: auto off-drive Tier 2)

Tier 2 makes an **off-drive copy** of each HDD app's recovery unit + bulk userdata to a **different
physical disk** — the only off-drive protection browsable HDD userdata can get (PBS can't reach bind
mounts). Auto-enabled, auto-targeted, and — crucially — it **refuses rather than fills** the small guest
rootfs. Built, unit-tested, shipped, deployed, and live-validated on guest 9201. (Phases 1/2/2b shipped
as v0.52–0.54 — see git history.)

## What shipped
- **Engine** (`internal/backup/tier2.go`, `RunTier2`/`RunAllTier2`): rsync `-a --delete` mirror of the
  recovery unit (`backups/primary/<app>/`) and the app's `appdata/<app>/` → `<target>/backups/secondary/
  <app>/`. restic is **not** revived — a plain, browsable mirror.
- **Auto target selection:** prefer another registered user-data drive on a **different physical disk**
  (can hold bulk userdata); else the internal SSD for **small units only**. Off-disk enforced by
  `system.SamePhysicalDevice` (block-device identity — new exported helper, linux + non-linux stub),
  re-checked before the copy (defense in depth).
- **Rootfs-headroom guard (the safety):** the SSD target is the ~8 GB guest rootfs, so a size-aware
  guard (`tier2FitsHeadroom`, unit-tested) **refuses** unless the unit fits leaving a reserve free
  (`max(2 GB, 20% of total)`). When nothing fits, it records an **honest** "needs a 2nd HDD" status —
  never silently no-ops, never endangers the rootfs.
- **Status + UI:** results persist via the surviving `settings.CrossDriveBackup`. `buildAppBackupRows`
  now **populates** the "2. mentés" card — real target ("belső SSD (csak DB/konfiguráció)" vs an external
  drive) on success, or the honest no-target reason. Notifications via the surviving
  `NotifyCrossDrive{Completed,Failed}` hooks.
- **Scheduling + trigger:** daily `tier2-backup` (03:30, after the DB dump); manual `POST /api/backup/tier2`.
- Fixed a stale pre-existing test (`TestBackupCopiesOnPath`, which still used the old
  `felhom-data/backups/secondary` layout) to the Model-A in-guest layout Tier 2 actually uses.

## Live validation (guest 9201)
- **Happy path:** triggered Tier 2 → *"Tier 2 copied romm → /mnt/sys_drive/felhom-data/backups/secondary/
  romm (77.1 KB) [SSD: DB/config only]"*. The recovery unit landed on the SSD, **off** the felhom-usb
  source (block devices 2065 vs 64518 — off-disk confirmed), auto-picking the SSD (no 2nd drive).
- **Refuse path (rootfs-headroom guard):** placed a 1 GB userdata dummy (SSD had 2.3 GB free) → Tier 2
  **refused**: *"nincs elég hely a belső SSD-n — a nagy fájlok off-drive mentéséhez 2. meghajtó (vagy
  távoli tárhely) szükséges"*, and did **not** copy the 1 GB to the rootfs. Removed the dummy; re-trigger
  restored the successful small-unit copy.
- **UI end-to-end:** the backups page "2. mentés" card renders *Sikeres → belső SSD (csak
  DB/konfiguráció)* for RomM.
- Demo left clean (dummy removed; RomM's intended small Tier 2 copy remains on the SSD).

## Notes / follow-ups
- **Off-disk identity** uses block-device (`Stat_t.Dev`) equality — correct for the felhom layout
  (external drive vs system rootfs). Two partitions on one physical disk would look "different"; the
  agent's `DiskInfo.DurableID` is the stronger guarantee for that case (future hardening).
- Non-HDD apps (data on the rootfs, already in PBS) are skipped by Tier 2; their "2. mentés" card shows
  "Nincs 2." — cosmetically it could be hidden for non-HDD apps (Phase 4 polish).
- The single-drive demo can only Tier 2 to the SSD (small units); a 2nd HDD would let bulk userdata copy
  off-drive — the engine already prefers it when present.

## Still ahead
Phase 4: FileBrowser scoping (hide recovery units), deploy-UI "DB runs on the fast internal drive" note,
monitoring storage-bar sort + descriptions. The README backup-paths section's stale restic/secondary
text should be rewritten alongside.