migtools · mpryc · Nov 18, 2025
diff --git a/cmd/oadp-vmdp/README.md b/cmd/oadp-vmdp/README.md
@@ -0,0 +1,123 @@
+# OADP-VMDP User Guide
+
+This guide will help you create backups of your VM files and restore them when needed.
+
+## Prerequisites
+
+Your administrator should have provided you with:
+- S3 bucket name
+- S3 endpoint URL
+- Access key ID
+- Secret access key
+
+## First-Time Setup: Connect to Your Backup Storage Location (BSL)
+
+Before creating backups, you need to connect to your Backup Storage Location (BSL). The BSL can be an S3-compatible storage or a server. Run this command once:
+
+```bash
+oadp-vmdp bsl create s3 \
+  --bucket=YOUR_BUCKET_NAME \
+  --endpoint=YOUR_S3_ENDPOINT \
+  --access-key=YOUR_ACCESS_KEY \
+  --secret-access-key=YOUR_SECRET_KEY
+```
+
+You'll be prompted to set a password. **Remember this password** - you'll need it to restore your backups.
+
+## Creating a Backup
+
+To backup a folder or file:
+
+```bash
+oadp-vmdp backup create /path/to/folder
+```
+
+**Examples:**
+```bash
+# Backup your home directory
+oadp-vmdp backup create /home/myuser
+
+# Backup specific folders
+oadp-vmdp backup create /home/myuser/documents /home/myuser/photos
+
+# Backup a single file
+oadp-vmdp backup create /home/myuser/important-file.txt
+```
+
+## Listing Your Backups
+
+To see all your backups:
+
+```bash
+oadp-vmdp backup list
+```
+
+To see backups of a specific folder:
+
+```bash
+oadp-vmdp backup list /path/to/folder
+```
+
+## Restoring Files from a Backup
+
+To restore files to their original location:
+
+```bash
+oadp-vmdp backup restore /path/to/folder
+```
+
+To restore to a different location:
+
+```bash
+oadp-vmdp restore /path/to/folder --target=/path/to/restore/location
+```
+
+**Examples:**
+```bash
+# Restore your documents folder
+oadp-vmdp backup restore /home/myuser/documents
+
+# Restore to a different location
+oadp-vmdp restore /home/myuser/documents --target=/tmp/restored-docs
+
+# Restore a specific file
+oadp-vmdp backup restore /home/myuser/important-file.txt
+```
+
+## Connecting to an Existing BSL
+
+If you already created a BSL (Backup Storage Location) and need to reconnect (e.g., after a reboot):
+
+```bash
+oadp-vmdp bsl connect s3 \
+  --bucket=YOUR_BUCKET_NAME \
+  --endpoint=YOUR_S3_ENDPOINT \
+  --access-key=YOUR_ACCESS_KEY \
+  --secret-access-key=YOUR_SECRET_KEY
+```
+
+Enter the password you set during BSL creation.
+
+## Disconnecting from BSL
+
+When you're done:
+
+```bash
+oadp-vmdp bsl disconnect
+```
+
+## Common Tips
+
+- **Backup regularly**: Schedule regular backups of your important folders
+- **Test your restores**: Occasionally test restoring to make sure your backups work
+- **Keep your password safe**: Without it, you cannot restore your backups
+- **Check backup status**: Use `oadp-vmdp bsl status` to verify your BSL connection
+
+## Need Help?
+
+For more options and advanced features:
+```bash
+oadp-vmdp --help
+oadp-vmdp backup --help
+oadp-vmdp restore --help
+```
diff --git a/cmd/oadp-vmdp/args_processor.go b/cmd/oadp-vmdp/args_processor.go
@@ -0,0 +1,75 @@
+package main
+
+import (
+	"fmt"
+	"os"
+	"strings"
+)
+
+// argsProcessor handles preprocessing of command-line arguments before they reach kingpin.
+type argsProcessor struct{}
+
+// newArgsProcessor creates a new arguments processor.
+func newArgsProcessor() *argsProcessor {
+	return &argsProcessor{}
+}
+
+// processS3Prefix modifies os.Args to automatically prepend "oadp-vmdp/" to S3 --prefix flags.
+// This allows transparent prefix normalization without modifying core Kopia code.
+func (ap *argsProcessor) processS3Prefix() error {
+	// Look for S3-related commands and --prefix flag
+	inS3Context := false
+
+	for i := 0; i < len(os.Args); i++ {
+		arg := os.Args[i]
+
+		// Check if we're in an S3 context (repository/bsl create/connect s3)
+		if arg == "s3" {
+			inS3Context = true
+			continue
+		}
+
+		// If we're in S3 context, look for --prefix flag
+		if inS3Context {
+			// Handle --prefix=value format
+			if strings.HasPrefix(arg, "--prefix=") {
+				parts := strings.SplitN(arg, "=", 2)
+				if len(parts) == 2 {
+					userPrefix := parts[1]
+					normalized, err := NormalizeOADPPrefix(userPrefix)
+					if err != nil {
+						return err
+					}
+					os.Args[i] = fmt.Sprintf("--prefix=%s", normalized)
+				}
+				continue
+			}
+
+			// Handle --prefix value format (two separate args)
+			if arg == "--prefix" {
+				if i+1 < len(os.Args) {
+					userPrefix := os.Args[i+1]
+					normalized, err := NormalizeOADPPrefix(userPrefix)
+					if err != nil {
+						return err
+					}
+					os.Args[i+1] = normalized
+					i++ // Skip the next arg since we just processed it
+				}
+				continue
+			}
+		}
+	}
+
+	return nil
+}
+
+// processAllArgs runs all argument preprocessing steps.
+func (ap *argsProcessor) processAllArgs() error {
+	// Process S3 prefix normalization
+	if err := ap.processS3Prefix(); err != nil {
+		return err
+	}
+
+	return nil
+}
diff --git a/cmd/oadp-vmdp/command_filter.go b/cmd/oadp-vmdp/command_filter.go
@@ -0,0 +1,132 @@
+package main
+
+import (
+	"github.com/alecthomas/kingpin/v2"
+)
+
+// hiddenCommands defines top-level commands that should be hidden in OADP.
+// These are advanced/dangerous commands not needed for basic VM backup/restore.
+var hiddenCommands = map[string]bool{
+	"benchmark":    true, // Performance testing - not needed for users
+	"diff":         true, // Advanced repository comparison
+	"list":         true, // Advanced file listing - use 'backup list' instead
+	"notification": true, // Server-specific feature
+	"server":       true, // Server mode not used in OADP
+	"policy":       true, // Advanced policy management - use defaults
+	"mount":        true, // FUSE mounting - not supported in containers
+	"maintenance":  true, // Advanced maintenance - handled automatically
+}
+
+// hiddenRepositorySubcommands defines repository subcommands to hide.
+// Only keep: connect, create, disconnect, status
+var hiddenRepositorySubcommands = map[string]bool{
+	"repair":            true, // Dangerous - can corrupt repository
+	"set-client":        true, // Advanced configuration
+	"set-parameters":    true, // Advanced configuration
+	"sync-to":           true, // Advanced replication feature
+	"throttle":          true, // Advanced performance tuning
+	"change-password":   true, // Use OADP password management instead
+	"validate-provider": true, // Internal testing command
+	"upgrade":           true, // Dangerous - can break compatibility
+}
+
+// hiddenSnapshotSubcommands defines snapshot subcommands to hide.
+// Only keep: create, delete, list, restore
+var hiddenSnapshotSubcommands = map[string]bool{
+	"copy-history":  true, // Advanced history management
+	"move-history":  true, // Advanced history management
+	"estimate":      true, // Advanced analysis
+	"expire":        true, // Handled automatically by retention policy
+	"fix":           true, // Dangerous - can corrupt snapshots
+	"migrate":       true, // Advanced migration feature
+	"pin":           true, // Advanced retention management
+	"verify":        true, // Advanced verification - use defaults
+}
+
+// commandFilter handles hiding unwanted commands from the CLI.
+type commandFilter struct {
+	kp *kingpin.Application
+}
+
+// newCommandFilter creates a new command filter for the given kingpin application.
+func newCommandFilter(kp *kingpin.Application) *commandFilter {
+	return &commandFilter{
+		kp: kp,
+	}
+}
+
+// apply walks the command tree and hides unwanted commands.
+func (f *commandFilter) apply() {
+	// Hide top-level commands
+	f.hideTopLevelCommands()
+
+	// Hide subcommands within repository/snapshot
+	f.hideSubcommands()
+}
+
+// hideTopLevelCommands hides top-level commands that shouldn't be exposed.
+func (f *commandFilter) hideTopLevelCommands() {
+	// Note: kingpin doesn't expose a direct way to iterate commands,
+	// so we'll mark them as hidden when we know they exist
+	//
+	// Since we can't easily iterate, we'll take a different approach:
+	// We'll let the setup happen normally and then mark specific commands as hidden
+}
+
+// hideSubcommands hides subcommands within specific command groups.
+func (f *commandFilter) hideSubcommands() {
+	// Same challenge as above - kingpin doesn't expose command iteration
+	// We'll need to mark commands as hidden if they exist
+}
+
+// shouldHideCommand checks if a top-level command should be hidden.
+func shouldHideCommand(cmdName string) bool {
+	return hiddenCommands[cmdName]
+}
+
+// shouldHideRepositorySubcommand checks if a repository subcommand should be hidden.
+func shouldHideRepositorySubcommand(subcmdName string) bool {
+	return hiddenRepositorySubcommands[subcmdName]
+}
+
+// shouldHideSnapshotSubcommand checks if a snapshot subcommand should be hidden.
+func shouldHideSnapshotSubcommand(subcmdName string) bool {
+	return hiddenSnapshotSubcommands[subcmdName]
+}
+
+// getVisibleCommands returns a list of commands that should be visible in OADP.
+func getVisibleCommands() []string {
+	return []string{
+		"repository", // Aliased as "bsl"
+		"snapshot",   // Aliased as "backup"
+		"cache",      // Cache management
+		"blob",       // Low-level blob operations (hidden in main help)
+		"content",    // Low-level content operations (hidden in main help)
+		"index",      // Index operations (hidden in main help)
+		"logs",       // Log management
+		"session",    // Session management
+		"restore",    // File restore
+		"show",       // Show repository objects
+		"manifest",   // Manifest operations
+	}
+}
+
+// getVisibleRepositorySubcommands returns allowed repository subcommands.
+func getVisibleRepositorySubcommands() []string {
+	return []string{
+		"connect",
+		"create",
+		"disconnect",
+		"status",
+	}
+}
+
+// getVisibleSnapshotSubcommands returns allowed snapshot subcommands.
+func getVisibleSnapshotSubcommands() []string {
+	return []string{
+		"create",
+		"delete",
+		"list",
+		"restore",
+	}
+}