chore: promote changelog [Unreleased] → [01.40.00]

chore(release): build 01.40.00 [skip ci]
Merge pull request 'feat: Complete config.xml, access.xml + ACL enforcement audit (#137 )' (#138 ) from feat/config-acl-audit into main
2026-06-23 19:18:42 +00:00 · 2026-06-23 19:18:28 +00:00 · 2026-06-23 19:17:48 +00:00 · 2026-06-23 14:16:54 -05:00 · 2026-06-23 14:04:12 -05:00 · 2026-06-23 18:37:04 +00:00
74 changed files with 7039 additions and 411 deletions
@@ -1,76 +0,0 @@
-# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
-# SPDX-License-Identifier: GPL-3.0-or-later
-
-name: "Publish to Composer"
-
-on:
-  push:
-    tags:
-      - 'v*'
-      - '[0-9]*.[0-9]*.[0-9]*'
-  release:
-    types: [published]
-  workflow_dispatch:
-
-env:
-  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
-
-jobs:
-  publish:
-    name: Publish Package
-    runs-on: ubuntu-latest
-    if: >-
-      !contains(github.event.head_commit.message, '[skip ci]') &&
-      !contains(github.event.head_commit.message, '[skip publish]')
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Setup PHP
-        run: |
-          if ! command -v php &> /dev/null; then
-            sudo apt-get update -qq
-            sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
-          fi
-
-      - name: Install dependencies
-        run: composer install --no-dev --no-interaction --prefer-dist --quiet
-
-      - name: Determine version
-        id: version
-        run: |
-          VERSION=$(php -r "echo json_decode(file_get_contents('composer.json'))->version;")
-          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
-          echo "Package version: ${VERSION}"
-
-      # Gitea Composer Registry — auto-publishes from tags
-      # The tag push itself registers the package at:
-      # https://git.mokoconsulting.tech/api/packages/MokoConsulting/composer
-      - name: Verify Gitea registry
-        run: |
-          echo "Gitea Composer registry auto-publishes from tags."
-          echo "Package available at: ${GITEA_URL}/api/packages/MokoConsulting/composer"
-          echo "Install: composer require mokoconsulting/mokocli"
-
-      # Packagist — notify of new version
-      - name: Notify Packagist
-        if: secrets.PACKAGIST_TOKEN != ''
-        run: |
-          VERSION="${{ steps.version.outputs.version }}"
-          echo "Notifying Packagist of version ${VERSION}..."
-          curl -sf -X POST \
-            -H "Content-Type: application/json" \
-            -d '{"repository":{"url":"https://git.mokoconsulting.tech/MokoConsulting/mokocli"}}' \
-            "https://packagist.org/api/update-package?username=mokoconsulting&apiToken=${{ secrets.PACKAGIST_TOKEN }}" \
-            && echo "Packagist notified" \
-            || echo "::warning::Packagist notification failed (package may not be registered yet)"
-
-      - name: Summary
-        run: |
-          VERSION="${{ steps.version.outputs.version }}"
-          echo "## Composer Package Published" >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
-          echo "| Registry | Status |" >> $GITHUB_STEP_SUMMARY
-          echo "|----------|--------|" >> $GITHUB_STEP_SUMMARY
-          echo "| Gitea | \`composer require mokoconsulting/mokocli:${VERSION}\` |" >> $GITHUB_STEP_SUMMARY
-          echo "| Packagist | \`composer require mokoconsulting/mokocli\` |" >> $GITHUB_STEP_SUMMARY
@@ -5,7 +5,7 @@
 # FILE INFORMATION
 # DEFGROUP: Gitea.Workflow
 # INGROUP: mokocli.Automation
-# VERSION: 01.31.00
+# VERSION: 01.40.00
 # BRIEF: Auto-create feature branch when an issue is opened

 name: "Universal: Issue Branch"
@@ -1,82 +0,0 @@
-# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
-#
-# SPDX-License-Identifier: GPL-3.0-or-later
-#
-# FILE INFORMATION
-# DEFGROUP: Gitea.Workflow
-# INGROUP: MokoStandards.Security
-# REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoStandards
-# PATH: /.gitea/workflows/security-audit.yml
-# VERSION: 01.00.00
-# BRIEF: Dependency vulnerability scanning for composer and npm packages
-
-name: "Universal: Security Audit"
-
-on:
-  schedule:
-    - cron: '0 6 * * 1'  # Weekly on Monday at 06:00 UTC
-  pull_request:
-    branches:
-      - main
-    paths:
-      - 'composer.json'
-      - 'composer.lock'
-      - 'package.json'
-      - 'package-lock.json'
-  workflow_dispatch:
-
-permissions:
-  contents: read
-
-env:
-  NTFY_URL: ${{ vars.NTFY_URL || 'https://ntfy.mokoconsulting.tech' }}
-  NTFY_TOPIC: ${{ vars.NTFY_TOPIC || 'gitea-security' }}
-
-jobs:
-  audit:
-    name: Dependency Audit
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Composer audit
-        if: hashFiles('composer.lock') != ''
-        run: |
-          echo "=== Composer Security Audit ==="
-          if ! command -v composer &> /dev/null; then
-            sudo apt-get update -qq
-            sudo apt-get install -y -qq php-cli composer >/dev/null 2>&1
-          fi
-          composer audit --format=plain 2>&1 | tee /tmp/composer-audit.txt
-          RESULT=$?
-          if [ $RESULT -ne 0 ]; then
-            echo "::warning::Composer vulnerabilities found"
-            echo "composer_vulnerable=true" >> "$GITHUB_ENV"
-          else
-            echo "No known vulnerabilities in composer dependencies"
-          fi
-
-      - name: NPM audit
-        if: hashFiles('package-lock.json') != ''
-        run: |
-          echo "=== NPM Security Audit ==="
-          npm audit --production 2>&1 | tee /tmp/npm-audit.txt || true
-          if npm audit --production 2>&1 | grep -q "found 0 vulnerabilities"; then
-            echo "No known vulnerabilities in npm dependencies"
-          else
-            echo "::warning::NPM vulnerabilities found"
-            echo "npm_vulnerable=true" >> "$GITHUB_ENV"
-          fi
-
-      - name: Notify on vulnerabilities
-        if: env.composer_vulnerable == 'true' || env.npm_vulnerable == 'true'
-        run: |
-          REPO="${{ github.event.repository.name }}"
-          curl -sS \
-            -H "Title: ${REPO} has vulnerable dependencies" \
-            -H "Tags: lock,warning" \
-            -H "Priority: high" \
-            -d "Security audit found vulnerabilities. Review dependency updates." \
-            "${NTFY_URL}/${NTFY_TOPIC}" || true
@@ -1,26 +1,30 @@
 # Changelog
 ## [Unreleased]

-## [01.31.00] --- 2026-06-22
+## [01.40.00] --- 2026-06-23

-## [01.31.00] --- 2026-06-22
+
+## [01.40.00] --- 2026-06-23
+
+## [01.39.01] --- 2026-06-23
+
+## [01.39.01] --- 2026-06-23

 ### Added
- REST API endpoints for content snapshots: list, create, restore, delete, download (#54)
- Automatic archive integrity verification after backup creation (#65)
- CLI command `mokosuitebackup:snapshot` for create, restore, list, and delete operations (#55)
+- MokoRestore: post-restore reset options — passwords, hits, versions, sessions, cache (#131)
+- MokoRestore: per-table conflict resolution — replace, skip, merge, data-only per table (#132)
+- MokoRestore: preset buttons — "All Replace", "All Skip", "Everything except users"
+- MokoRestore: auto-detect sanitized passwords and prompt for reset
+- Data sanitization: passwords, emails, sessions in backup profile settings (#129)
+- Manual purge: delete all backups older than a selected date with count preview (#119)
+- CPanel admin dashboard module with backup status, quick actions, and profile buttons (#105)
+- 7z archive format via system 7za/7z binary with optional password encryption (#122)
+- SFTP remote file browser: browse remote server directories to select backup path (#98)

-## [01.30.00] --- 2026-06-22
+### Fixed
+- MokoRestore: data-only mode now uses REPLACE INTO to handle existing rows
+- MokoRestore: temporary password is now randomly generated (not hardcoded "changeme")

-## [01.30.00] --- 2026-06-22
+## [01.38.05] --- 2026-06-23

-### Changed
- Remote upload failure no longer marks the entire backup as failed — local archive is preserved with status 'complete' (#66)
-
-### Added
- Snapshots now capture tags, custom fields, field values, and field-category mappings when articles are included (#57)
- Snapshot retention settings: max count and max age with automatic cleanup (#63)
-
-## [01.27.03] --- 2026-06-21
-
-## [01.27.03] --- 2026-06-21
+## [01.38.05] --- 2026-06-23
@@ -1,50 +1,80 @@
 # MokoSuiteBackup

-<!-- VERSION: 01.31.00 -->
-
 Full-site backup and restore for Joomla — database, files, and configuration.

-## Overview
-
-MokoSuiteBackup is a comprehensive backup solution for Joomla 4/5/6 sites. It creates complete site backups including the database, files, and configuration, packaged into downloadable ZIP archives. Supports multiple backup profiles, scheduled backups via CLI/cron, and a REST API for remote management.
+| Field | Value |
+|---|---|
+| **Package** | `pkg_mokosuitebackup` |
+| **Type** | Joomla Package (8 sub-extensions) |
+| **Joomla** | 6.x+ |
+| **PHP** | 8.1+ |
+| **License** | GPL-3.0-or-later |

 ## Features

- Full site backup (database + files + configuration)
- Database-only backup mode
- Files-only backup mode
- Multiple backup profiles with independent configurations
- File and directory exclusion filters
- Table exclusion filters for database backups
- Step-based backup engine (avoids PHP timeout on large sites)
- CLI script for cron/scheduled backups
- REST API (Joomla Web Services) for remote management
- Backup record management (list, download, delete)
- Automatic old backup cleanup (configurable retention)
- Admin dashboard with backup history and storage usage
+### Backup
+- Full site, database-only, files-only, and differential backup modes
+- Pre-flight validation — checks directory, disk space, extensions, credentials before starting
+- Auto-verify archive integrity after creation
+- Stepped AJAX engine prevents timeout on shared hosting
+- AES-256 ZIP encryption with configurable password
+- Configurable archive naming with placeholders ([HOST], [DATE], [SITE_NAME], etc.)
+- Data sanitization — optionally clear user passwords, emails, and sessions in backup
+
+### Content Snapshots
+- Lightweight JSON snapshots of articles, categories, and modules
+- Includes tags, custom fields, workflow associations
+- Restore modes: Replace (clean slate) or Merge (upsert)
+- Selective article restore — browse and pick individual items
+- Automatic retention (max count + max age)
+- Scheduled snapshot task via com_scheduler
+
+### Remote Storage
+- SFTP with SSH key file authentication (key stored base64-encoded in database)
+- Amazon S3 and S3-compatible (DigitalOcean Spaces, Wasabi, MinIO)
+- Google Drive with OAuth2 and resumable uploads
+- Graceful degradation — local backup preserved if upload fails
+
+### MokoRestore Standalone Wizard
+- 9-step restore wizard that works without Joomla installed
+- Per-table conflict resolution: Replace / Skip / Merge / Data Only
+- Post-restore actions: reset passwords, hits, versions, sessions, cache
+- Auto-detect sanitized passwords and prompt for reset
+- Standalone mode: restore.php scans directory for ZIP files
+- Wrapped mode: restore.php bundled inside backup ZIP
+- Security gate with filesystem verification
+
+### Notifications
+- Email on success/failure per profile
+- ntfy push notifications
+- Notifications for restore and snapshot operations
+
+### Admin Dashboard
+- Last backup status, next scheduled, total count, storage used
+- Snapshot widget with latest info and type badges
+- 30-day backup trend chart
+- Per-profile storage breakdown
+- System health checks
+
+### CLI
+- `mokosuitebackup:run --profile=1` — run backup
+- `mokosuitebackup:restore 1 --files-only --db-only --password=xxx`
+- `mokosuitebackup:snapshot create|restore|list|delete`
+
+### REST API
+- Backup: start, list, download, delete, profiles
+- Snapshots: create, list, restore, delete, download
+- Profile credentials masked in API responses

 ## Installation

-1. Download `pkg_mokobackup-*.zip` from [Releases](https://git.mokoconsulting.tech/MokoConsulting/MokoSuiteBackup/releases)
+1. Download from [Releases](https://git.mokoconsulting.tech/MokoConsulting/MokoSuiteBackup/releases)
 2. Joomla Administrator > Extensions > Install
-3. System plugin enabled automatically on install
+3. Components > MokoSuiteBackup > Dashboard

-## Configuration
+## Documentation

- **Component**: Administrator > Components > MokoSuiteBackup
- **Profiles**: Create backup profiles with different file/database filters
- **System Plugin**: Configure scheduled backup triggers and notifications
- **CLI**: `php cli/mokobackup.php --profile=1` for cron-based backups
-
-## REST API
-
-The webservices plugin exposes endpoints compatible with the MokoBackup MCP server:
-
- `POST /api/index.php/v1/mokobackup/backup` — Start a backup
- `GET /api/index.php/v1/mokobackup/backups` — List backup records
- `GET /api/index.php/v1/mokobackup/backup/:id/download` — Download archive
- `DELETE /api/index.php/v1/mokobackup/backup/:id` — Delete backup record
- `GET /api/index.php/v1/mokobackup/profiles` — List backup profiles
+See the [Wiki](https://git.mokoconsulting.tech/MokoConsulting/MokoSuiteBackup/wiki) for guides and reference.

 ## License

@@ -1 +0,0 @@
-<!DOCTYPE html><title></title>
@@ -12,5 +12,8 @@
 		<action name="mokosuitebackup.backup.download" title="COM_MOKOSUITEBACKUP_ACTION_BACKUP_DOWNLOAD" />
 		<action name="mokosuitebackup.backup.restore" title="COM_MOKOSUITEBACKUP_ACTION_BACKUP_RESTORE" />
 		<action name="mokosuitebackup.snapshot.manage" title="COM_MOKOSUITEBACKUP_ACTION_SNAPSHOT_MANAGE" />
+		<action name="mokosuitebackup.backup.purge" title="COM_MOKOSUITEBACKUP_ACTION_BACKUP_PURGE" />
+		<action name="mokosuitebackup.backup.compare" title="COM_MOKOSUITEBACKUP_ACTION_BACKUP_COMPARE" />
+		<action name="mokosuitebackup.backup.browse" title="COM_MOKOSUITEBACKUP_ACTION_BACKUP_BROWSE" />
 	</section>
 </access>
@@ -124,6 +124,7 @@ class BackupsController extends ApiController
 		// Strip sensitive credentials before serialization
 		$sensitiveFields = [
 			'ftp_password', 'ftp_username',
+			'sftp_password', 'sftp_key_data', 'sftp_passphrase',
 			's3_access_key', 's3_secret_key',
 			'gdrive_client_secret', 'gdrive_refresh_token',
 			'encryption_password', 'ntfy_token',
@@ -36,7 +36,7 @@ class SnapshotsController extends ApiController
 	 */
 	public function displayList(): static
 	{
-		if (!$this->app->getIdentity()->authorise('core.manage', 'com_mokosuitebackup')) {
+		if (!$this->app->getIdentity()->authorise('mokosuitebackup.snapshot.manage', 'com_mokosuitebackup')) {
 			$this->app->setHeader('status', 403);
 			echo json_encode(['errors' => [['title' => 'Access denied']]]);
 			$this->app->close();
@@ -250,7 +250,7 @@ class SnapshotsController extends ApiController
 	 */
 	public function download(): static
 	{
-		if (!$this->app->getIdentity()->authorise('core.manage', 'com_mokosuitebackup')) {
+		if (!$this->app->getIdentity()->authorise('mokosuitebackup.snapshot.manage', 'com_mokosuitebackup')) {
 			$this->app->setHeader('status', 403);
 			echo json_encode(['errors' => [['title' => 'Access denied']]]);
 			$this->app->close();
@@ -39,6 +39,73 @@
 		</field>
 	</fieldset>

+	<fieldset name="defaults" label="COM_MOKOJOOMBACKUP_CONFIG_DEFAULTS">
+		<field
+			name="default_archive_format"
+			type="list"
+			label="COM_MOKOJOOMBACKUP_CONFIG_DEFAULT_FORMAT"
+			description="COM_MOKOJOOMBACKUP_CONFIG_DEFAULT_FORMAT_DESC"
+			default="zip"
+		>
+			<option value="zip">ZIP</option>
+			<option value="tar.gz">tar.gz</option>
+			<option value="7z">7z</option>
+		</field>
+		<field
+			name="default_mokorestore"
+			type="list"
+			label="COM_MOKOJOOMBACKUP_CONFIG_DEFAULT_MOKORESTORE"
+			description="COM_MOKOJOOMBACKUP_CONFIG_DEFAULT_MOKORESTORE_DESC"
+			default="0"
+		>
+			<option value="0">COM_MOKOJOOMBACKUP_MOKORESTORE_NONE</option>
+			<option value="1">COM_MOKOJOOMBACKUP_MOKORESTORE_WRAPPED</option>
+			<option value="standalone">COM_MOKOJOOMBACKUP_MOKORESTORE_STANDALONE</option>
+		</field>
+		<field
+			name="default_sanitize_passwords"
+			type="radio"
+			label="COM_MOKOJOOMBACKUP_CONFIG_DEFAULT_SANITIZE_PW"
+			description="COM_MOKOJOOMBACKUP_CONFIG_DEFAULT_SANITIZE_PW_DESC"
+			default="0"
+			class="btn-group"
+		>
+			<option value="1">JYES</option>
+			<option value="0">JNO</option>
+		</field>
+		<field
+			name="default_sanitize_emails"
+			type="radio"
+			label="COM_MOKOJOOMBACKUP_CONFIG_DEFAULT_SANITIZE_EMAIL"
+			description="COM_MOKOJOOMBACKUP_CONFIG_DEFAULT_SANITIZE_EMAIL_DESC"
+			default="0"
+			class="btn-group"
+		>
+			<option value="1">JYES</option>
+			<option value="0">JNO</option>
+		</field>
+		<field
+			name="default_sanitize_sessions"
+			type="radio"
+			label="COM_MOKOJOOMBACKUP_CONFIG_DEFAULT_SANITIZE_SESS"
+			description="COM_MOKOJOOMBACKUP_CONFIG_DEFAULT_SANITIZE_SESS_DESC"
+			default="1"
+			class="btn-group"
+		>
+			<option value="1">JYES</option>
+			<option value="0">JNO</option>
+		</field>
+		<field
+			name="log_retention_days"
+			type="number"
+			label="COM_MOKOJOOMBACKUP_CONFIG_LOG_RETENTION"
+			description="COM_MOKOJOOMBACKUP_CONFIG_LOG_RETENTION_DESC"
+			default="90"
+			min="0"
+			max="365"
+		/>
+	</fieldset>
+
 	<fieldset name="webcron" label="COM_MOKOJOOMBACKUP_CONFIG_WEBCRON">
 		<field
 			name="webcron_secret"
@@ -172,6 +239,32 @@
 		</field>
 	</fieldset>

+	<fieldset name="ntfy" label="COM_MOKOJOOMBACKUP_CONFIG_NTFY">
+		<field
+			name="ntfy_server"
+			type="text"
+			label="COM_MOKOJOOMBACKUP_CONFIG_NTFY_SERVER"
+			description="COM_MOKOJOOMBACKUP_CONFIG_NTFY_SERVER_DESC"
+			default="https://ntfy.sh"
+			filter="url"
+		/>
+		<field
+			name="ntfy_topic"
+			type="text"
+			label="COM_MOKOJOOMBACKUP_CONFIG_NTFY_TOPIC"
+			description="COM_MOKOJOOMBACKUP_CONFIG_NTFY_TOPIC_DESC"
+			default=""
+			filter="string"
+		/>
+		<field
+			name="ntfy_token"
+			type="password"
+			label="COM_MOKOJOOMBACKUP_CONFIG_NTFY_TOKEN"
+			description="COM_MOKOJOOMBACKUP_CONFIG_NTFY_TOKEN_DESC"
+			default=""
+		/>
+	</fieldset>
+
 	<fieldset name="permissions" label="JCONFIG_PERMISSIONS_LABEL"
 		description="JCONFIG_PERMISSIONS_DESC">
 		<field
@@ -40,6 +40,7 @@
 		>
 			<option value="zip">ZIP</option>
 			<option value="tar.gz">tar.gz</option>
+			<option value="7z">COM_MOKOJOOMBACKUP_FORMAT_7Z</option>
 		</field>
 		<field
 			name="compression_level"
@@ -72,23 +73,25 @@
 		/>
 		<field
 			name="archive_name_format"
-			type="text"
+			type="PlaceholderText"
 			label="COM_MOKOJOOMBACKUP_FIELD_ARCHIVE_NAME_FORMAT"
 			description="COM_MOKOJOOMBACKUP_FIELD_ARCHIVE_NAME_FORMAT_DESC"
-			default="[host]_[datetime]_profile[profile_id]"
+			default="[HOST]_[DATETIME]_profile[PROFILE_ID]"
 			maxlength="512"
-			hint="[host]_[datetime]_profile[profile_id]"
+			hint="[HOST]_[DATETIME]_profile[PROFILE_ID]"
+			placeholders="[HOST],[DATETIME],[DATE],[TIME],[YEAR],[MONTH],[DAY],[HOUR],[MINUTE],[SECOND],[PROFILE_ID],[PROFILE_NAME],[SITE_NAME],[TYPE],[RANDOM]"
+			addfieldprefix="Joomla\Component\MokoSuiteBackup\Administrator\Field"
 		/>
 		<field
 			name="include_mokorestore"
-			type="radio"
+			type="list"
 			label="COM_MOKOJOOMBACKUP_FIELD_INCLUDE_MOKORESTORE"
 			description="COM_MOKOJOOMBACKUP_FIELD_INCLUDE_MOKORESTORE_DESC"
 			default="0"
-			class="btn-group"
 		>
-			<option value="1">JYES</option>
-			<option value="0">JNO</option>
+			<option value="0">COM_MOKOJOOMBACKUP_MOKORESTORE_NONE</option>
+			<option value="1">COM_MOKOJOOMBACKUP_MOKORESTORE_WRAPPED</option>
+			<option value="standalone">COM_MOKOJOOMBACKUP_MOKORESTORE_STANDALONE</option>
 		</field>
 		<field
 			name="encryption_password"
@@ -99,6 +102,54 @@
 		/>
 	</fieldset>

+	<fieldset name="sanitization" label="COM_MOKOJOOMBACKUP_FIELDSET_SANITIZATION">
+		<field
+			name="sanitize_passwords"
+			type="radio"
+			label="COM_MOKOJOOMBACKUP_FIELD_SANITIZE_PASSWORDS"
+			description="COM_MOKOJOOMBACKUP_FIELD_SANITIZE_PASSWORDS_DESC"
+			default="0"
+			class="btn-group"
+		>
+			<option value="1">JYES</option>
+			<option value="0">JNO</option>
+		</field>
+		<field
+			name="preserve_super_admin"
+			type="radio"
+			label="COM_MOKOJOOMBACKUP_FIELD_PRESERVE_SUPER_ADMIN"
+			description="COM_MOKOJOOMBACKUP_FIELD_PRESERVE_SUPER_ADMIN_DESC"
+			default="1"
+			class="btn-group"
+			showon="sanitize_passwords:1"
+		>
+			<option value="1">JYES</option>
+			<option value="0">JNO</option>
+		</field>
+		<field
+			name="sanitize_emails"
+			type="radio"
+			label="COM_MOKOJOOMBACKUP_FIELD_SANITIZE_EMAILS"
+			description="COM_MOKOJOOMBACKUP_FIELD_SANITIZE_EMAILS_DESC"
+			default="0"
+			class="btn-group"
+		>
+			<option value="1">JYES</option>
+			<option value="0">JNO</option>
+		</field>
+		<field
+			name="sanitize_sessions"
+			type="radio"
+			label="COM_MOKOJOOMBACKUP_FIELD_SANITIZE_SESSIONS"
+			description="COM_MOKOJOOMBACKUP_FIELD_SANITIZE_SESSIONS_DESC"
+			default="1"
+			class="btn-group"
+		>
+			<option value="1">JYES</option>
+			<option value="0">JNO</option>
+		</field>
+	</fieldset>
+
 	<fieldset name="sidebar" label="COM_MOKOJOOMBACKUP_FIELDSET_STATUS">
 		<field
 			name="id"
@@ -159,7 +210,7 @@
 			default="none"
 		>
 			<option value="none">COM_MOKOJOOMBACKUP_REMOTE_NONE</option>
-			<option value="ftp">COM_MOKOJOOMBACKUP_REMOTE_FTP</option>
+			<option value="sftp">COM_MOKOJOOMBACKUP_REMOTE_SFTP</option>
 			<option value="google_drive">COM_MOKOJOOMBACKUP_REMOTE_GDRIVE</option>
 			<option value="s3">COM_MOKOJOOMBACKUP_REMOTE_S3</option>
 		</field>
@@ -174,6 +225,81 @@
 			<option value="1">JYES</option>
 			<option value="0">JNO</option>
 		</field>
+
+		<!-- SFTP fields (shown when remote_storage = sftp) -->
+		<field
+			name="sftp_host"
+			type="text"
+			label="COM_MOKOJOOMBACKUP_FIELD_SFTP_HOST"
+			description="COM_MOKOJOOMBACKUP_FIELD_SFTP_HOST_DESC"
+			maxlength="255"
+			showon="remote_storage:sftp"
+		/>
+		<field
+			name="sftp_port"
+			type="number"
+			label="COM_MOKOJOOMBACKUP_FIELD_SFTP_PORT"
+			description="COM_MOKOJOOMBACKUP_FIELD_SFTP_PORT_DESC"
+			default="22"
+			min="1"
+			max="65535"
+			showon="remote_storage:sftp"
+		/>
+		<field
+			name="sftp_username"
+			type="text"
+			label="COM_MOKOJOOMBACKUP_FIELD_SFTP_USERNAME"
+			description="COM_MOKOJOOMBACKUP_FIELD_SFTP_USERNAME_DESC"
+			maxlength="255"
+			showon="remote_storage:sftp"
+		/>
+		<field
+			name="sftp_auth_type"
+			type="list"
+			label="COM_MOKOJOOMBACKUP_FIELD_SFTP_AUTH_TYPE"
+			description="COM_MOKOJOOMBACKUP_FIELD_SFTP_AUTH_TYPE_DESC"
+			default="key"
+			showon="remote_storage:sftp"
+		>
+			<option value="password">COM_MOKOJOOMBACKUP_SFTP_AUTH_PASSWORD</option>
+			<option value="key">COM_MOKOJOOMBACKUP_SFTP_AUTH_KEY</option>
+			<option value="key_passphrase">COM_MOKOJOOMBACKUP_SFTP_AUTH_KEY_PASSPHRASE</option>
+		</field>
+		<field
+			name="sftp_password"
+			type="password"
+			label="COM_MOKOJOOMBACKUP_FIELD_SFTP_PASSWORD"
+			description="COM_MOKOJOOMBACKUP_FIELD_SFTP_PASSWORD_DESC"
+			maxlength="255"
+			showon="remote_storage:sftp[AND]sftp_auth_type:password"
+		/>
+		<field
+			name="sftp_key_data"
+			type="SshKey"
+			label="COM_MOKOJOOMBACKUP_FIELD_SFTP_KEY"
+			description="COM_MOKOJOOMBACKUP_FIELD_SFTP_KEY_DESC"
+			filter="raw"
+			showon="remote_storage:sftp[AND]sftp_auth_type:key,key_passphrase"
+			addfieldprefix="Joomla\Component\MokoSuiteBackup\Administrator\Field"
+		/>
+		<field
+			name="sftp_passphrase"
+			type="password"
+			label="COM_MOKOJOOMBACKUP_FIELD_SFTP_PASSPHRASE"
+			description="COM_MOKOJOOMBACKUP_FIELD_SFTP_PASSPHRASE_DESC"
+			maxlength="255"
+			showon="remote_storage:sftp[AND]sftp_auth_type:key_passphrase"
+		/>
+		<field
+			name="sftp_path"
+			type="SftpPath"
+			label="COM_MOKOJOOMBACKUP_FIELD_SFTP_PATH"
+			description="COM_MOKOJOOMBACKUP_FIELD_SFTP_PATH_DESC"
+			default="/backups"
+			maxlength="512"
+			showon="remote_storage:sftp"
+			addfieldprefix="Joomla\Component\MokoSuiteBackup\Administrator\Field"
+		/>
 	</fieldset>

 	<fieldset name="retention" label="COM_MOKOJOOMBACKUP_FIELDSET_RETENTION">
@@ -33,6 +33,12 @@ COM_MOKOJOOMBACKUP_DASHBOARD_QUICK_ACTIONS="Quick Actions"
 COM_MOKOJOOMBACKUP_DASHBOARD_SCHEDULED_TASKS="Scheduled Tasks"
 COM_MOKOJOOMBACKUP_DASHBOARD_UPDATE_SITE="Update Site"
 COM_MOKOJOOMBACKUP_DASHBOARD_SYSTEM_HEALTH="System Health"
+COM_MOKOJOOMBACKUP_DASHBOARD_SNAPSHOTS="Content Snapshots"
+COM_MOKOJOOMBACKUP_DASHBOARD_VIEW_ALL="View All"
+COM_MOKOJOOMBACKUP_DASHBOARD_LATEST_SNAPSHOT="Latest"
+COM_MOKOJOOMBACKUP_DASHBOARD_NO_SNAPSHOTS="No snapshots yet. Create one from the Content Snapshots view."
+COM_MOKOJOOMBACKUP_DASHBOARD_STORAGE_BREAKDOWN="Storage by Profile"
+COM_MOKOJOOMBACKUP_DASHBOARD_BACKUP_TREND="Backup Trend (30 days)"

 ; Backups view
 COM_MOKOJOOMBACKUP_BACKUPS_TITLE="Backup Records"
@@ -44,6 +50,22 @@ COM_MOKOJOOMBACKUP_DOWNLOAD="Download"
 ; Backup detail view
 COM_MOKOJOOMBACKUP_BACKUP_DETAIL="Backup Detail"
 COM_MOKOJOOMBACKUP_VIEW_LOG="Backup Log"
+COM_MOKOJOOMBACKUP_BROWSE_ARCHIVE="Browse Archive Contents"
+COM_MOKOJOOMBACKUP_BROWSE_COL_NAME="Name"
+COM_MOKOJOOMBACKUP_BROWSE_COL_SIZE="Size"
+COM_MOKOJOOMBACKUP_BROWSE_COL_COMPRESSED="Compressed"
+; Backup comparison
+COM_MOKOJOOMBACKUP_TOOLBAR_COMPARE="Compare"
+COM_MOKOJOOMBACKUP_COMPARE_TITLE="Backup Comparison"
+COM_MOKOJOOMBACKUP_COMPARE_LOADING="Loading comparison..."
+COM_MOKOJOOMBACKUP_COMPARE_FIELD="Field"
+COM_MOKOJOOMBACKUP_COMPARE_BACKUP="Backup"
+COM_MOKOJOOMBACKUP_COMPARE_DELTA="Delta"
+COM_MOKOJOOMBACKUP_COMPARE_DB_SIZE="DB Size"
+COM_MOKOJOOMBACKUP_COMPARE_FILES_COUNT="Files Count"
+COM_MOKOJOOMBACKUP_COMPARE_TABLES_COUNT="Tables Count"
+COM_MOKOJOOMBACKUP_COMPARE_DURATION="Duration"
+COM_MOKOJOOMBACKUP_COMPARE_SELECT_TWO="Please select exactly two backup records to compare."
 COM_MOKOJOOMBACKUP_FIELD_CHECKSUM="SHA-256 Checksum"
 COM_MOKOJOOMBACKUP_FIELD_PATH="File Path"
 COM_MOKOJOOMBACKUP_FIELD_DB_SIZE="DB Size"
@@ -56,6 +78,12 @@ COM_MOKOJOOMBACKUP_NO_PROFILES="No backup profiles found."
 COM_MOKOJOOMBACKUP_PROFILE_NEW="New Profile"
 COM_MOKOJOOMBACKUP_PROFILE_EDIT="Edit Profile"

+; Profile actions
+COM_MOKOJOOMBACKUP_RUN_BACKUP="Run"
+COM_MOKOJOOMBACKUP_RUN_BACKUP_NOW="Run Backup Now"
+COM_MOKOJOOMBACKUP_VIEW_BACKUPS="View Backups"
+COM_MOKOJOOMBACKUP_HEADING_BACKUPS="Backups"
+
 ; Table headings
 COM_MOKOJOOMBACKUP_HEADING_DESCRIPTION="Description"
 COM_MOKOJOOMBACKUP_HEADING_PROFILE="Profile"
@@ -91,6 +119,7 @@ COM_MOKOJOOMBACKUP_FIELD_TABLES_COUNT="Tables Count"
 ; Archive settings
 COM_MOKOJOOMBACKUP_FIELD_ARCHIVE_FORMAT="Archive Format"
 COM_MOKOJOOMBACKUP_FIELD_ARCHIVE_FORMAT_DESC="Format for the backup archive file"
+COM_MOKOJOOMBACKUP_FORMAT_7Z="7z (requires 7za CLI)"
 COM_MOKOJOOMBACKUP_FIELD_COMPRESSION="Compression Level"
 COM_MOKOJOOMBACKUP_FIELD_COMPRESSION_DESC="Higher compression = smaller file but slower"
 COM_MOKOJOOMBACKUP_COMPRESSION_NONE="None (fastest)"
@@ -102,11 +131,25 @@ COM_MOKOJOOMBACKUP_FIELD_ENCRYPTION_PASSWORD_DESC="Set a password to encrypt the
 COM_MOKOJOOMBACKUP_FIELD_SPLIT_SIZE="Split Size (MB)"
 COM_MOKOJOOMBACKUP_FIELD_SPLIT_SIZE_DESC="Split archive into parts of this size in MB. 0 = no splitting."
 COM_MOKOJOOMBACKUP_FIELD_BACKUP_DIR="Backup Directory"
-COM_MOKOJOOMBACKUP_FIELD_BACKUP_DIR_DESC="Directory where backup archives are stored. Supports placeholders: [HOME] (user home directory), [host], [date], [year], [month], [day], [profile_name], [site_name], [type]. Use [HOME]/backups to store outside the web root. Absolute paths (starting with /) are used as-is; relative paths resolve from the Joomla root."
+COM_MOKOJOOMBACKUP_FIELD_BACKUP_DIR_DESC="Directory where backup archives are stored. Supports placeholders: [HOME] (user home directory), [HOST], [DATE], [YEAR], [MONTH], [DAY], [PROFILE_NAME], [SITE_NAME], [TYPE]. Use [HOME]/backups to store outside the web root. Absolute paths (starting with /) are used as-is; relative paths resolve from the Joomla root."
 COM_MOKOJOOMBACKUP_FIELD_ARCHIVE_NAME_FORMAT="Archive Name Format"
-COM_MOKOJOOMBACKUP_FIELD_ARCHIVE_NAME_FORMAT_DESC="Filename template for backup archives (without extension). Placeholders: [host] hostname, [date] Ymd, [time] His, [datetime] Ymd_His, [year] [month] [day] [hour] [minute] [second], [profile_id], [profile_name], [site_name], [type], [random]."
-COM_MOKOJOOMBACKUP_FIELD_INCLUDE_MOKORESTORE="Include Restore Script"
-COM_MOKOJOOMBACKUP_FIELD_INCLUDE_MOKORESTORE_DESC="Include MokoRestore (standalone restore.php) inside the backup archive. Creates a self-contained package that can restore the site on a blank server without Joomla installed."
+COM_MOKOJOOMBACKUP_FIELD_ARCHIVE_NAME_FORMAT_DESC="Filename template for backup archives (without extension). Placeholders: [HOST] hostname, [DATE] Ymd, [TIME] His, [DATETIME] Ymd_His, [YEAR] [MONTH] [DAY] [HOUR] [MINUTE] [SECOND], [PROFILE_ID], [PROFILE_NAME], [SITE_NAME], [TYPE], [RANDOM]."
+COM_MOKOJOOMBACKUP_FIELD_INCLUDE_MOKORESTORE="MokoRestore Script"
+COM_MOKOJOOMBACKUP_FIELD_INCLUDE_MOKORESTORE_DESC="Include the MokoRestore standalone restore wizard. 'Wrapped' bundles it inside the backup ZIP. 'Standalone' generates a separate restore.php that scans for backup ZIPs in its directory — ideal for remote servers."
+COM_MOKOJOOMBACKUP_MOKORESTORE_NONE="None"
+COM_MOKOJOOMBACKUP_MOKORESTORE_WRAPPED="Wrapped (inside backup ZIP)"
+COM_MOKOJOOMBACKUP_MOKORESTORE_STANDALONE="Standalone (separate restore.php)"
+
+; Data Sanitization
+COM_MOKOJOOMBACKUP_FIELDSET_SANITIZATION="Data Sanitization"
+COM_MOKOJOOMBACKUP_FIELD_SANITIZE_PASSWORDS="Sanitize User Passwords"
+COM_MOKOJOOMBACKUP_FIELD_SANITIZE_PASSWORDS_DESC="Replace all user password hashes with an invalid value. Users will not be able to log in with the restored backup without resetting their password. Ideal for sharing backups, creating demo/staging sites, or GDPR compliance."
+COM_MOKOJOOMBACKUP_FIELD_PRESERVE_SUPER_ADMIN="Preserve Super Admin Password"
+COM_MOKOJOOMBACKUP_FIELD_PRESERVE_SUPER_ADMIN_DESC="Keep the password for Super Users (group ID 8) intact. You will still be able to log in as a Super Admin after restoring."
+COM_MOKOJOOMBACKUP_FIELD_SANITIZE_EMAILS="Sanitize User Emails"
+COM_MOKOJOOMBACKUP_FIELD_SANITIZE_EMAILS_DESC="Replace all user email addresses with dummy values (user123@sanitized.example.com). Prevents accidental emails being sent to real users from a cloned/staging site. Super admin emails are preserved if 'Preserve Super Admin' is enabled."
+COM_MOKOJOOMBACKUP_FIELD_SANITIZE_SESSIONS="Clear Session Data"
+COM_MOKOJOOMBACKUP_FIELD_SANITIZE_SESSIONS_DESC="Exclude active session data from the backup. This logs out all users and prevents session hijacking when the backup is restored on another server. Enabled by default."

 ; Exclusion filter fields
 COM_MOKOJOOMBACKUP_FIELD_EXCLUDE_DIRS="Exclude Directories"
@@ -220,7 +263,35 @@ COM_MOKOJOOMBACKUP_VERIFY_FAILED="INTEGRITY CHECK FAILED — archive has been mo
 COM_MOKOJOOMBACKUP_VERIFY_NO_CHECKSUM="No checksum stored for this backup. Only backups created after this update can be verified."

 ; S3 storage
+COM_MOKOJOOMBACKUP_REMOTE_SFTP="SFTP (SSH File Transfer)"
 COM_MOKOJOOMBACKUP_REMOTE_S3="Amazon S3 / S3-Compatible"
+
+; SFTP fields
+COM_MOKOJOOMBACKUP_FIELDSET_SFTP="SFTP Settings"
+COM_MOKOJOOMBACKUP_FIELD_SFTP_HOST="SFTP Host"
+COM_MOKOJOOMBACKUP_FIELD_SFTP_HOST_DESC="SFTP server hostname or IP address"
+COM_MOKOJOOMBACKUP_FIELD_SFTP_PORT="SFTP Port"
+COM_MOKOJOOMBACKUP_FIELD_SFTP_PORT_DESC="SSH port (default: 22)"
+COM_MOKOJOOMBACKUP_FIELD_SFTP_USERNAME="SSH Username"
+COM_MOKOJOOMBACKUP_FIELD_SFTP_USERNAME_DESC="Username for SSH authentication"
+COM_MOKOJOOMBACKUP_FIELD_SFTP_PASSWORD="SSH Password"
+COM_MOKOJOOMBACKUP_FIELD_SFTP_PASSWORD_DESC="Password for SSH authentication. Leave blank if using a key file."
+COM_MOKOJOOMBACKUP_FIELD_SFTP_KEY="SSH Private Key"
+COM_MOKOJOOMBACKUP_FIELD_SFTP_KEY_DESC="Upload or paste your SSH private key (e.g. id_rsa or id_ed25519). The key is stored securely in the database and written to a temp file with 0600 permissions only during upload, then deleted. Leave blank to use password authentication."
+COM_MOKOJOOMBACKUP_FIELD_SFTP_KEY_UPLOAD="Upload Key File"
+COM_MOKOJOOMBACKUP_FIELD_SFTP_KEY_REPLACE="Replace Key"
+COM_MOKOJOOMBACKUP_FIELD_SFTP_KEY_LOADED="Key loaded"
+COM_MOKOJOOMBACKUP_FIELD_SFTP_KEY_NONE="No key file"
+COM_MOKOJOOMBACKUP_FIELD_SFTP_KEY_CLEAR="Remove Key"
+COM_MOKOJOOMBACKUP_FIELD_SFTP_AUTH_TYPE="Authentication Type"
+COM_MOKOJOOMBACKUP_FIELD_SFTP_AUTH_TYPE_DESC="Choose how to authenticate with the SFTP server."
+COM_MOKOJOOMBACKUP_SFTP_AUTH_PASSWORD="Password"
+COM_MOKOJOOMBACKUP_SFTP_AUTH_KEY="Key File"
+COM_MOKOJOOMBACKUP_SFTP_AUTH_KEY_PASSPHRASE="Key File + Passphrase"
+COM_MOKOJOOMBACKUP_FIELD_SFTP_PASSPHRASE="Key Passphrase"
+COM_MOKOJOOMBACKUP_FIELD_SFTP_PASSPHRASE_DESC="Passphrase for the private key, if encrypted. Leave blank for unencrypted keys."
+COM_MOKOJOOMBACKUP_FIELD_SFTP_PATH="Remote Path"
+COM_MOKOJOOMBACKUP_FIELD_SFTP_PATH_DESC="Directory on the remote server to upload backups to"
 COM_MOKOJOOMBACKUP_FIELDSET_S3="S3 Storage Settings"
 COM_MOKOJOOMBACKUP_FIELD_S3_ENDPOINT="S3 Endpoint"
 COM_MOKOJOOMBACKUP_FIELD_S3_ENDPOINT_DESC="S3 API endpoint URL. Leave blank for AWS S3. For Wasabi, MinIO, Backblaze B2, enter their endpoint URL."
@@ -343,6 +414,38 @@ COM_MOKOJOOMBACKUP_SNAPSHOTS_N_DELETED="%d snapshot(s) deleted."
 COM_MOKOJOOMBACKUP_SNAPSHOTS_1_DELETED="1 snapshot deleted."
 COM_MOKOJOOMBACKUP_SNAPSHOTS_DELETE_ERRORS="Failed to delete snapshot(s): %s"

+; Component Options — Defaults
+COM_MOKOJOOMBACKUP_CONFIG_DEFAULTS="Profile Defaults"
+COM_MOKOJOOMBACKUP_CONFIG_DEFAULT_FORMAT="Default Archive Format"
+COM_MOKOJOOMBACKUP_CONFIG_DEFAULT_FORMAT_DESC="Archive format used when creating new profiles. Can be overridden per profile."
+COM_MOKOJOOMBACKUP_CONFIG_DEFAULT_MOKORESTORE="Default MokoRestore Mode"
+COM_MOKOJOOMBACKUP_CONFIG_DEFAULT_MOKORESTORE_DESC="MokoRestore mode for new profiles. None, Wrapped (inside ZIP), or Standalone (separate file)."
+COM_MOKOJOOMBACKUP_CONFIG_DEFAULT_SANITIZE_PW="Default: Sanitize Passwords"
+COM_MOKOJOOMBACKUP_CONFIG_DEFAULT_SANITIZE_PW_DESC="Whether new profiles should sanitize user passwords by default."
+COM_MOKOJOOMBACKUP_CONFIG_DEFAULT_SANITIZE_EMAIL="Default: Sanitize Emails"
+COM_MOKOJOOMBACKUP_CONFIG_DEFAULT_SANITIZE_EMAIL_DESC="Whether new profiles should sanitize user emails by default."
+COM_MOKOJOOMBACKUP_CONFIG_DEFAULT_SANITIZE_SESS="Default: Clear Sessions"
+COM_MOKOJOOMBACKUP_CONFIG_DEFAULT_SANITIZE_SESS_DESC="Whether new profiles should clear session data by default."
+COM_MOKOJOOMBACKUP_CONFIG_LOG_RETENTION="Log Retention (days)"
+COM_MOKOJOOMBACKUP_CONFIG_LOG_RETENTION_DESC="Days to keep .log files alongside backup archives. Set to 0 for unlimited."
+
+; Component Options — ntfy
+COM_MOKOJOOMBACKUP_CONFIG_NTFY="Push Notifications (ntfy)"
+COM_MOKOJOOMBACKUP_CONFIG_NTFY_SERVER="Global ntfy Server"
+COM_MOKOJOOMBACKUP_CONFIG_NTFY_SERVER_DESC="Default ntfy server URL. Per-profile settings override this."
+COM_MOKOJOOMBACKUP_CONFIG_NTFY_TOPIC="Global ntfy Topic"
+COM_MOKOJOOMBACKUP_CONFIG_NTFY_TOPIC_DESC="Default ntfy topic for backup notifications. Per-profile settings override this."
+COM_MOKOJOOMBACKUP_CONFIG_NTFY_TOKEN="Global ntfy Token"
+COM_MOKOJOOMBACKUP_CONFIG_NTFY_TOKEN_DESC="Default access token for private ntfy topics. Per-profile settings override this."
+
+; ACL — additional actions
+COM_MOKOSUITEBACKUP_ACTION_BACKUP_PURGE="Purge Old Backups"
+COM_MOKOSUITEBACKUP_ACTION_BACKUP_PURGE_DESC="Allows users to bulk-delete backups older than a specific date."
+COM_MOKOSUITEBACKUP_ACTION_BACKUP_COMPARE="Compare Backups"
+COM_MOKOSUITEBACKUP_ACTION_BACKUP_COMPARE_DESC="Allows users to compare two backup records side-by-side."
+COM_MOKOSUITEBACKUP_ACTION_BACKUP_BROWSE="Browse Archives"
+COM_MOKOSUITEBACKUP_ACTION_BACKUP_BROWSE_DESC="Allows users to view file listings inside backup archives without extracting."
+
 ; Snapshot ACL
 COM_MOKOSUITEBACKUP_ACTION_SNAPSHOT_MANAGE="Manage Snapshots"
 COM_MOKOSUITEBACKUP_ACTION_SNAPSHOT_MANAGE_DESC="Allows users in this group to create and restore content snapshots. Snapshots only affect articles, categories, and modules — not the full site."
@@ -365,6 +468,33 @@ COM_MOKOJOOMBACKUP_WEBCRON_IP_NONE="No IP restrictions — any IP can trigger we
 COM_MOKOJOOMBACKUP_WEBCRON_IP_PLACEHOLDER="Enter IP address"
 COM_MOKOJOOMBACKUP_WEBCRON_IP_ADD="Add"

+; Snapshot browse / detail view
+COM_MOKOJOOMBACKUP_SNAPSHOT_BROWSE="Browse Snapshot"
+COM_MOKOJOOMBACKUP_SNAPSHOT_TAB_ARTICLES="Articles"
+COM_MOKOJOOMBACKUP_SNAPSHOT_TAB_CATEGORIES="Categories"
+COM_MOKOJOOMBACKUP_SNAPSHOT_TAB_MODULES="Modules"
+COM_MOKOJOOMBACKUP_HEADING_STATE="State"
+COM_MOKOJOOMBACKUP_HEADING_POSITION="Position"
+COM_MOKOJOOMBACKUP_HEADING_MODULE_TYPE="Module Type"
+COM_MOKOJOOMBACKUP_HEADING_LEVEL="Level"
+COM_MOKOJOOMBACKUP_LOADING="Loading..."
+COM_MOKOJOOMBACKUP_SELECT_ALL="Select All"
+COM_MOKOJOOMBACKUP_SNAPSHOT_RESTORE_SELECTED="Restore Selected"
+COM_MOKOJOOMBACKUP_SNAPSHOT_NO_ARTICLES_SELECTED="No articles selected for restore."
+
+; Purge
+COM_MOKOJOOMBACKUP_TOOLBAR_PURGE="Purge Old Backups"
+COM_MOKOJOOMBACKUP_PURGE_TITLE="Purge Old Backups"
+COM_MOKOJOOMBACKUP_PURGE_DESC="Delete all completed backup records older than the selected date. This permanently removes archive files, log files, and database records."
+COM_MOKOJOOMBACKUP_PURGE_DATE_LABEL="Delete all backups before this date"
+COM_MOKOJOOMBACKUP_PURGE_SUBMIT="Purge Backups"
+COM_MOKOJOOMBACKUP_PURGE_CONFIRM="Are you sure? This action cannot be undone."
+COM_MOKOJOOMBACKUP_PURGE_COUNT_MSG="This will permanently delete %d backup(s) and their archive files."
+COM_MOKOJOOMBACKUP_PURGE_NONE_FOUND="No completed backups found before the selected date."
+COM_MOKOJOOMBACKUP_PURGE_INVALID_DATE="Invalid date. Please select a valid date."
+COM_MOKOJOOMBACKUP_PURGE_SUCCESS="%d backup(s) purged successfully."
+COM_MOKOJOOMBACKUP_PURGE_PARTIAL="%d backup(s) purged, but %d could not be deleted."
+
 ; Errors
 COM_MOKOJOOMBACKUP_ERROR_FILE_NOT_FOUND="Backup archive file not found or has been deleted."
 COM_MOKOJOOMBACKUP_ERROR_NO_RECORD_SELECTED="No backup record selected for restore."
@@ -35,6 +35,10 @@ COM_MOKOJOOMBACKUP_PROFILES_TITLE="Backup Profiles"
 COM_MOKOJOOMBACKUP_TOOLBAR_BACKUP_NOW="Backup Now"
 COM_MOKOJOOMBACKUP_NO_BACKUPS="No backups found. Click 'Backup Now' to create your first backup."
 COM_MOKOJOOMBACKUP_NO_PROFILES="No backup profiles found."
+COM_MOKOJOOMBACKUP_RUN_BACKUP="Run"
+COM_MOKOJOOMBACKUP_RUN_BACKUP_NOW="Run Backup Now"
+COM_MOKOJOOMBACKUP_VIEW_BACKUPS="View Backups"
+COM_MOKOJOOMBACKUP_HEADING_BACKUPS="Backups"
 COM_MOKOJOOMBACKUP_UPDATE_SITE_NOTICE="To receive automatic updates, configure your <a href=\"%s\">Update Site</a> with your download key."
 COM_MOKOJOOMBACKUP_UPDATE_SITE_MISSING="MokoSuiteBackup update site not found. Reinstall the package to register the update server."
 COM_MOKOJOOMBACKUP_POSTINSTALL_UPDATE_SITE="MokoSuiteBackup installed successfully. Configure your <a href=\"%s\">Update Site</a> to receive automatic updates."
@@ -77,9 +81,38 @@ COM_MOKOJOOMBACKUP_FIELD_EXCLUDE_DATA="Data"
 COM_MOKOJOOMBACKUP_FIELD_EXCLUDE_STRUCTURE="Structure"
 COM_MOKOJOOMBACKUP_FIELD_TABLE_NAME="Table Name"
 COM_MOKOJOOMBACKUP_VIEW_LOG="Backup Log"
+COM_MOKOJOOMBACKUP_BROWSE_ARCHIVE="Browse Archive Contents"
+COM_MOKOJOOMBACKUP_BROWSE_COL_NAME="Name"
+COM_MOKOJOOMBACKUP_BROWSE_COL_SIZE="Size"
+COM_MOKOJOOMBACKUP_BROWSE_COL_COMPRESSED="Compressed"
+; Backup comparison
+COM_MOKOJOOMBACKUP_TOOLBAR_COMPARE="Compare"
+COM_MOKOJOOMBACKUP_COMPARE_TITLE="Backup Comparison"
+COM_MOKOJOOMBACKUP_COMPARE_LOADING="Loading comparison..."
+COM_MOKOJOOMBACKUP_COMPARE_FIELD="Field"
+COM_MOKOJOOMBACKUP_COMPARE_BACKUP="Backup"
+COM_MOKOJOOMBACKUP_COMPARE_DELTA="Delta"
+COM_MOKOJOOMBACKUP_COMPARE_DB_SIZE="DB Size"
+COM_MOKOJOOMBACKUP_COMPARE_FILES_COUNT="Files Count"
+COM_MOKOJOOMBACKUP_COMPARE_TABLES_COUNT="Tables Count"
+COM_MOKOJOOMBACKUP_COMPARE_DURATION="Duration"
+COM_MOKOJOOMBACKUP_COMPARE_SELECT_TWO="Please select exactly two backup records to compare."
 COM_MOKOJOOMBACKUP_FIELD_CHECKSUM="SHA-256 Checksum"
 COM_MOKOJOOMBACKUP_FIELD_PATH="File Path"
 COM_MOKOJOOMBACKUP_FIELD_DB_SIZE="DB Size"
 COM_MOKOJOOMBACKUP_FIELD_REMOTE="Remote Path"
 COM_MOKOJOOMBACKUP_FIELD_NOTIFY_USER_GROUPS="Notify User Groups"
 COM_MOKOJOOMBACKUP_FIELD_NOTIFY_USER_GROUPS_DESC="Select Joomla user groups whose members will receive backup notifications. Combined with email addresses above."
+
+; Purge
+COM_MOKOJOOMBACKUP_TOOLBAR_PURGE="Purge Old Backups"
+COM_MOKOJOOMBACKUP_PURGE_TITLE="Purge Old Backups"
+COM_MOKOJOOMBACKUP_PURGE_DESC="Delete all completed backup records older than the selected date. This permanently removes archive files, log files, and database records."
+COM_MOKOJOOMBACKUP_PURGE_DATE_LABEL="Delete all backups before this date"
+COM_MOKOJOOMBACKUP_PURGE_SUBMIT="Purge Backups"
+COM_MOKOJOOMBACKUP_PURGE_CONFIRM="Are you sure? This action cannot be undone."
+COM_MOKOJOOMBACKUP_PURGE_COUNT_MSG="This will permanently delete %d backup(s) and their archive files."
+COM_MOKOJOOMBACKUP_PURGE_NONE_FOUND="No completed backups found before the selected date."
+COM_MOKOJOOMBACKUP_PURGE_INVALID_DATE="Invalid date. Please select a valid date."
+COM_MOKOJOOMBACKUP_PURGE_SUCCESS="%d backup(s) purged successfully."
+COM_MOKOJOOMBACKUP_PURGE_PARTIAL="%d backup(s) purged, but %d could not be deleted."
@@ -7,7 +7,7 @@
 -->
 <extension type="component" method="upgrade">
 	<name>MokoSuiteBackup</name>
-	<version>01.31.00</version>
+	<version>01.40.00</version>
 	<creationDate>2026-06-02</creationDate>
 	<author>Moko Consulting</author>
 	<authorEmail>hello@mokoconsulting.tech</authorEmail>
@@ -7,7 +7,7 @@ CREATE TABLE IF NOT EXISTS `#__mokosuitebackup_profiles` (
 	`compression_level` TINYINT(1) UNSIGNED NOT NULL DEFAULT 5 COMMENT '0=none, 9=max',
 	`split_size`        INT(11) UNSIGNED NOT NULL DEFAULT 0 COMMENT '0=no split, otherwise MB per part',
 	`backup_dir`        VARCHAR(512) NOT NULL DEFAULT '[DEFAULT_DIR]',
-	`archive_name_format` VARCHAR(512) NOT NULL DEFAULT '[host]_[datetime]_profile[profile_id]' COMMENT 'Filename format with placeholders',
+	`archive_name_format` VARCHAR(512) NOT NULL DEFAULT '[HOST]_[DATETIME]_profile[PROFILE_ID]' COMMENT 'Filename format with placeholders',
 	`exclude_dirs`      TEXT NOT NULL COMMENT 'Newline-separated directory paths to exclude',
 	`exclude_files`     TEXT NOT NULL COMMENT 'Newline-separated filename patterns to exclude',
 	`exclude_tables`    TEXT NOT NULL COMMENT 'Newline-separated table names to exclude',
@@ -19,6 +19,14 @@ CREATE TABLE IF NOT EXISTS `#__mokosuitebackup_profiles` (
 	`ftp_path`          VARCHAR(512) NOT NULL DEFAULT '/backups',
 	`ftp_passive`       TINYINT(1) NOT NULL DEFAULT 1,
 	`ftp_ssl`           TINYINT(1) NOT NULL DEFAULT 0,
+	`sftp_host`         VARCHAR(255) NOT NULL DEFAULT '',
+	`sftp_port`         INT(5) UNSIGNED NOT NULL DEFAULT 22,
+	`sftp_username`     VARCHAR(255) NOT NULL DEFAULT '',
+	`sftp_auth_type`    VARCHAR(20) NOT NULL DEFAULT 'key',
+	`sftp_password`     VARCHAR(255) NOT NULL DEFAULT '',
+	`sftp_key_data`     MEDIUMTEXT,
+	`sftp_passphrase`   VARCHAR(255) NOT NULL DEFAULT '',
+	`sftp_path`         VARCHAR(512) NOT NULL DEFAULT '/backups',
 	`gdrive_client_id`     VARCHAR(255) NOT NULL DEFAULT '',
 	`gdrive_client_secret` VARCHAR(255) NOT NULL DEFAULT '',
 	`gdrive_refresh_token` VARCHAR(512) NOT NULL DEFAULT '',
@@ -31,7 +39,11 @@ CREATE TABLE IF NOT EXISTS `#__mokosuitebackup_profiles` (
 	`s3_path`              VARCHAR(512) NOT NULL DEFAULT '/backups',
 	`remote_keep_local`    TINYINT(1) NOT NULL DEFAULT 1 COMMENT 'Keep local copy after upload',
 	`encryption_password`  VARCHAR(255) NOT NULL DEFAULT '' COMMENT 'AES-256 archive encryption password (blank = no encryption)',
-	`include_mokorestore`    TINYINT(1) NOT NULL DEFAULT 0 COMMENT 'Include MokoRestore standalone restore script in archive',
+	`include_mokorestore`    VARCHAR(20) NOT NULL DEFAULT '0' COMMENT 'MokoRestore mode: 0=none, 1=wrapped, standalone',
+	`sanitize_passwords`    TINYINT(1) NOT NULL DEFAULT 0 COMMENT 'Replace user password hashes with invalid value',
+	`preserve_super_admin`  TINYINT(1) NOT NULL DEFAULT 1 COMMENT 'Keep super admin password when sanitizing',
+	`sanitize_emails`       TINYINT(1) NOT NULL DEFAULT 0 COMMENT 'Replace user emails with dummy values',
+	`sanitize_sessions`     TINYINT(1) NOT NULL DEFAULT 1 COMMENT 'Skip session table data',
 	`notify_email`         VARCHAR(512) NOT NULL DEFAULT '' COMMENT 'Comma-separated notification emails',
 	`notify_user_groups`   VARCHAR(255) NOT NULL DEFAULT '' COMMENT 'Comma-separated Joomla user group IDs',
 	`notify_on_success`    TINYINT(1) NOT NULL DEFAULT 0,
@@ -9,4 +9,4 @@ ALTER TABLE `#__mokosuitebackup_records` MODIFY `log` MEDIUMTEXT DEFAULT NULL;
 ALTER TABLE `#__mokosuitebackup_profiles` ADD COLUMN `notify_user_groups` VARCHAR(255) NOT NULL DEFAULT '' COMMENT 'Comma-separated Joomla user group IDs' AFTER `notify_email`;

 -- Add archive_name_format column with placeholder support
-ALTER TABLE `#__mokosuitebackup_profiles` ADD COLUMN `archive_name_format` VARCHAR(512) NOT NULL DEFAULT '[host]_[datetime]_profile[profile_id]' COMMENT 'Filename format with placeholders' AFTER `backup_dir`;
+ALTER TABLE `#__mokosuitebackup_profiles` ADD COLUMN `archive_name_format` VARCHAR(512) NOT NULL DEFAULT '[HOST]_[DATETIME]_profile[PROFILE_ID]' COMMENT 'Filename format with placeholders' AFTER `backup_dir`;
@@ -0,0 +1,10 @@
+-- MokoSuiteBackup 01.35.00 — SFTP support with key file storage
+
+ALTER TABLE `#__mokosuitebackup_profiles`
+    ADD COLUMN `sftp_host` VARCHAR(255) NOT NULL DEFAULT '' AFTER `ftp_ssl`,
+    ADD COLUMN `sftp_port` INT(5) UNSIGNED NOT NULL DEFAULT 22 AFTER `sftp_host`,
+    ADD COLUMN `sftp_username` VARCHAR(255) NOT NULL DEFAULT '' AFTER `sftp_port`,
+    ADD COLUMN `sftp_password` VARCHAR(255) NOT NULL DEFAULT '' AFTER `sftp_username`,
+    ADD COLUMN `sftp_key_data` MEDIUMTEXT AFTER `sftp_password`,
+    ADD COLUMN `sftp_passphrase` VARCHAR(255) NOT NULL DEFAULT '' AFTER `sftp_key_data`,
+    ADD COLUMN `sftp_path` VARCHAR(512) NOT NULL DEFAULT '/backups' AFTER `sftp_passphrase`;
@@ -0,0 +1,4 @@
+-- MokoSuiteBackup 01.36.00 — SFTP auth type column
+
+ALTER TABLE `#__mokosuitebackup_profiles`
+    ADD COLUMN `sftp_auth_type` VARCHAR(20) NOT NULL DEFAULT 'key' AFTER `sftp_username`;
@@ -0,0 +1,5 @@
+-- MokoSuiteBackup 01.39.00 — Change include_mokorestore from TINYINT to VARCHAR
+-- Needed to support 'standalone' value alongside 0/1
+
+ALTER TABLE `#__mokosuitebackup_profiles`
+    MODIFY COLUMN `include_mokorestore` VARCHAR(20) NOT NULL DEFAULT '0';
@@ -0,0 +1,34 @@
+-- MokoSuiteBackup 01.39.01 — Uppercase all placeholders in profile data
+
+UPDATE `#__mokosuitebackup_profiles` SET
+    `archive_name_format` = REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(
+        `archive_name_format`,
+        '[host]', '[HOST]'),
+        '[site_name]', '[SITE_NAME]'),
+        '[datetime]', '[DATETIME]'),
+        '[date]', '[DATE]'),
+        '[time]', '[TIME]'),
+        '[year]', '[YEAR]'),
+        '[month]', '[MONTH]'),
+        '[day]', '[DAY]'),
+        '[hour]', '[HOUR]'),
+        '[minute]', '[MINUTE]'),
+        '[second]', '[SECOND]'),
+        '[profile_id]', '[PROFILE_ID]'),
+        '[profile_name]', '[PROFILE_NAME]'),
+        '[type]', '[TYPE]'),
+        '[random]', '[RANDOM]')
+WHERE `archive_name_format` REGEXP '\\[[a-z]';
+
+UPDATE `#__mokosuitebackup_profiles` SET
+    `backup_dir` = REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(
+        `backup_dir`,
+        '[host]', '[HOST]'),
+        '[site_name]', '[SITE_NAME]'),
+        '[date]', '[DATE]'),
+        '[year]', '[YEAR]'),
+        '[month]', '[MONTH]'),
+        '[day]', '[DAY]'),
+        '[profile_id]', '[PROFILE_ID]'),
+        '[profile_name]', '[PROFILE_NAME]')
+WHERE `backup_dir` REGEXP '\\[[a-z]';
@@ -0,0 +1,7 @@
+-- MokoSuiteBackup 01.39.02 — Data sanitization columns
+
+ALTER TABLE `#__mokosuitebackup_profiles`
+    ADD COLUMN `sanitize_passwords` TINYINT(1) NOT NULL DEFAULT 0 AFTER `include_mokorestore`,
+    ADD COLUMN `preserve_super_admin` TINYINT(1) NOT NULL DEFAULT 1 AFTER `sanitize_passwords`,
+    ADD COLUMN `sanitize_emails` TINYINT(1) NOT NULL DEFAULT 0 AFTER `preserve_super_admin`,
+    ADD COLUMN `sanitize_sessions` TINYINT(1) NOT NULL DEFAULT 1 AFTER `sanitize_emails`;
@@ -15,9 +15,12 @@ namespace Joomla\Component\MokoSuiteBackup\Administrator\Controller;

 defined('_JEXEC') or die;

+use Joomla\CMS\Factory;
 use Joomla\CMS\MVC\Controller\BaseController;
 use Joomla\CMS\Session\Session;
+use Joomla\Component\MokoSuiteBackup\Administrator\Engine\PlaceholderResolver;
 use Joomla\Component\MokoSuiteBackup\Administrator\Engine\SteppedBackupEngine;
+use Joomla\Component\MokoSuiteBackup\Administrator\Engine\SteppedRestoreEngine;
 use Joomla\Component\MokoSuiteBackup\Administrator\Utility\BackupDirectory;

 class AjaxController extends BaseController
@@ -282,7 +285,32 @@ class AjaxController extends BaseController
 			return;
 		}

-		$resolved = BackupDirectory::resolve($rawPath);
+		/* Resolve all placeholders — both directory ([HOME], [DEFAULT_DIR])
+		   and name-level ([SITE_NAME], [HOST], [PROFILE_ID], etc.) */
+		$profileId = $this->input->getInt('profile_id', 0);
+
+		if ($profileId > 0) {
+			$db    = Factory::getDbo();
+			$query = $db->getQuery(true)
+				->select('*')
+				->from($db->quoteName('#__mokosuitebackup_profiles'))
+				->where($db->quoteName('id') . ' = ' . $profileId);
+			$db->setQuery($query);
+			$profile = $db->loadObject();
+		}
+
+		if (empty($profile)) {
+			/* No profile context — create a minimal dummy for PlaceholderResolver */
+			$profile = (object) [
+				'id'          => 1,
+				'title'       => 'default',
+				'backup_type' => 'full',
+			];
+		}
+
+		$resolver = new PlaceholderResolver($profile);
+		$withNamePlaceholders = $resolver->resolve($rawPath);
+		$resolved = BackupDirectory::resolve($withNamePlaceholders);

 		if (BackupDirectory::hasPlaceholders($resolved)) {
 			$this->sendJson([
@@ -308,6 +336,727 @@ class AjaxController extends BaseController
 		]);
 	}

+	/**
+	 * Initialize a new stepped restore.
+	 * POST: task=ajax.restoreInit&id=123&restore_files=1&restore_db=1&preserve_config=1&encryption_password=
+	 */
+	public function restoreInit(): void
+	{
+		if (!Session::checkToken('get') && !Session::checkToken('post')) {
+			$this->sendJson(['error' => true, 'message' => 'Invalid token'], 403);
+
+			return;
+		}
+
+		if (!$this->app->getIdentity()->authorise('mokosuitebackup.backup.restore', 'com_mokosuitebackup')) {
+			$this->sendJson(['error' => true, 'message' => 'Access denied'], 403);
+
+			return;
+		}
+
+		$recordId       = $this->input->getInt('id', 0);
+		$restoreFiles   = (bool) $this->input->getInt('restore_files', 1);
+		$restoreDb      = (bool) $this->input->getInt('restore_db', 1);
+		$preserveConfig = (bool) $this->input->getInt('preserve_config', 1);
+		$password       = $this->input->getString('encryption_password', '');
+
+		if (!$recordId) {
+			$this->sendJson(['error' => true, 'message' => 'Missing record ID']);
+
+			return;
+		}
+
+		$engine = new SteppedRestoreEngine();
+		$result = $engine->init($recordId, $restoreFiles, $restoreDb, $preserveConfig, $password);
+
+		$this->sendJson($result);
+	}
+
+	/**
+	 * Run the next step of a restore session.
+	 * POST: task=ajax.restoreStep&session_id=mb_...
+	 */
+	public function restoreStep(): void
+	{
+		if (!Session::checkToken('get') && !Session::checkToken('post')) {
+			$this->sendJson(['error' => true, 'message' => 'Invalid token'], 403);
+
+			return;
+		}
+
+		if (!$this->app->getIdentity()->authorise('mokosuitebackup.backup.restore', 'com_mokosuitebackup')) {
+			$this->sendJson(['error' => true, 'message' => 'Access denied'], 403);
+
+			return;
+		}
+
+		$sessionId = $this->input->getString('session_id', '');
+
+		if (empty($sessionId)) {
+			$this->sendJson(['error' => true, 'message' => 'Missing session_id']);
+
+			return;
+		}
+
+		$engine = new SteppedRestoreEngine();
+		$result = $engine->runStep($sessionId);
+
+		$this->sendJson($result);
+	}
+
+	/**
+	 * Browse archive contents without extracting.
+	 * POST: task=ajax.browseArchive&id=123
+	 */
+	public function browseArchive(): void
+	{
+		if (!Session::checkToken('get') && !Session::checkToken('post')) {
+			$this->sendJson(['error' => true, 'message' => 'Invalid token'], 403);
+
+			return;
+		}
+
+		if (!$this->app->getIdentity()->authorise('mokosuitebackup.backup.browse', 'com_mokosuitebackup')) {
+			$this->sendJson(['error' => true, 'message' => 'Access denied'], 403);
+
+			return;
+		}
+
+		$id = $this->input->getInt('id', 0);
+
+		if (!$id) {
+			$this->sendJson(['error' => true, 'message' => 'Missing record ID']);
+
+			return;
+		}
+
+		try {
+			$db    = \Joomla\CMS\Factory::getDbo();
+			$query = $db->getQuery(true)
+				->select($db->quoteName(['absolute_path', 'status', 'filesexist']))
+				->from($db->quoteName('#__mokosuitebackup_records'))
+				->where($db->quoteName('id') . ' = ' . (int) $id);
+			$db->setQuery($query);
+			$record = $db->loadObject();
+		} catch (\Exception $e) {
+			error_log('MokoSuiteBackup: browseArchive() DB error for record ' . $id . ': ' . $e->getMessage());
+			$this->sendJson(['error' => true, 'message' => 'Failed to load backup record'], 500);
+
+			return;
+		}
+
+		if (!$record) {
+			$this->sendJson(['error' => true, 'message' => 'Record not found'], 404);
+
+			return;
+		}
+
+		if ($record->status !== 'complete' || !$record->filesexist) {
+			$this->sendJson(['error' => true, 'message' => 'Archive not available']);
+
+			return;
+		}
+
+		$archivePath = $record->absolute_path;
+
+		if (!is_file($archivePath)) {
+			$this->sendJson(['error' => true, 'message' => 'Archive file not found on disk']);
+
+			return;
+		}
+
+		$maxEntries = 500;
+
+		try {
+			$files      = [];
+			$totalFiles = 0;
+			$totalSize  = 0;
+			$truncated  = false;
+
+			$lower = strtolower($archivePath);
+
+			if (substr($lower, -4) === '.zip') {
+				$files = $this->browseZipArchive($archivePath, $maxEntries, $totalFiles, $totalSize, $truncated);
+			} elseif (substr($lower, -7) === '.tar.gz' || substr($lower, -4) === '.tgz') {
+				$files = $this->browseTarArchive($archivePath, $maxEntries, $totalFiles, $totalSize, $truncated);
+			} else {
+				$this->sendJson(['error' => true, 'message' => 'Unsupported archive format']);
+
+				return;
+			}
+		} catch (\Exception $e) {
+			error_log('MokoSuiteBackup: browseArchive() error for record ' . $id . ': ' . $e->getMessage());
+			$this->sendJson(['error' => true, 'message' => 'Failed to read archive: ' . $e->getMessage()]);
+
+			return;
+		}
+
+		$this->sendJson([
+			'error'       => false,
+			'files'       => $files,
+			'total_files' => $totalFiles,
+			'total_size'  => $totalSize,
+			'truncated'   => $truncated,
+		]);
+	}
+
+	/**
+	 * Browse a ZIP archive and return file entries.
+	 *
+	 * @param   string  $path        Absolute path to the ZIP file
+	 * @param   int     $maxEntries  Maximum entries to return
+	 * @param   int     &$totalFiles Total number of files (by reference)
+	 * @param   int     &$totalSize  Total uncompressed size (by reference)
+	 * @param   bool    &$truncated  Whether results were truncated (by reference)
+	 *
+	 * @return  array  List of file entry arrays
+	 */
+	private function browseZipArchive(string $path, int $maxEntries, int &$totalFiles, int &$totalSize, bool &$truncated): array
+	{
+		$zip = new \ZipArchive();
+
+		if ($zip->open($path, \ZipArchive::RDONLY) !== true) {
+			throw new \RuntimeException('Cannot open ZIP archive');
+		}
+
+		$files      = [];
+		$totalFiles = $zip->numFiles;
+
+		for ($i = 0; $i < $totalFiles; $i++) {
+			$stat = $zip->statIndex($i);
+
+			if ($stat === false) {
+				continue;
+			}
+
+			$totalSize += $stat['size'];
+
+			if (\count($files) < $maxEntries) {
+				$files[] = [
+					'name'            => $stat['name'],
+					'size'            => $stat['size'],
+					'compressed_size' => $stat['comp_size'],
+				];
+			}
+		}
+
+		$truncated = $totalFiles > $maxEntries;
+		$zip->close();
+
+		return $files;
+	}
+
+	/**
+	 * Browse a tar.gz archive and return file entries.
+	 *
+	 * @param   string  $path        Absolute path to the tar.gz file
+	 * @param   int     $maxEntries  Maximum entries to return
+	 * @param   int     &$totalFiles Total number of files (by reference)
+	 * @param   int     &$totalSize  Total uncompressed size (by reference)
+	 * @param   bool    &$truncated  Whether results were truncated (by reference)
+	 *
+	 * @return  array  List of file entry arrays
+	 */
+	private function browseTarArchive(string $path, int $maxEntries, int &$totalFiles, int &$totalSize, bool &$truncated): array
+	{
+		$phar  = new \PharData($path);
+		$files = [];
+
+		foreach (new \RecursiveIteratorIterator($phar) as $entry) {
+			$totalFiles++;
+			$entrySize = $entry->getSize();
+			$totalSize += $entrySize;
+
+			if (\count($files) < $maxEntries) {
+				// Strip the phar:// prefix and archive path to get relative name
+				$fullPath     = str_replace('\\', '/', $entry->getPathname());
+				$relativeName = preg_replace('#^phar://.+?\.tar\.gz/#i', '', $fullPath)
+					?: preg_replace('#^phar://.+?\.tgz/#i', '', $fullPath)
+					?: $fullPath;
+
+				$files[] = [
+					'name'            => $relativeName,
+					'size'            => $entrySize,
+					'compressed_size' => $entrySize,
+				];
+			}
+		}
+
+		$truncated = $totalFiles > $maxEntries;
+
+		return $files;
+	}
+
+	/**
+	 * Browse articles inside a snapshot — returns JSON list for the browse modal.
+	 * POST: task=ajax.browseSnapshot&id=123
+	 */
+	public function browseSnapshot(): void
+	{
+		if (!Session::checkToken('get') && !Session::checkToken('post')) {
+			$this->sendJson(['error' => true, 'message' => 'Invalid token'], 403);
+
+			return;
+		}
+
+		if (!$this->app->getIdentity()->authorise('mokosuitebackup.snapshot.manage', 'com_mokosuitebackup')) {
+			$this->sendJson(['error' => true, 'message' => 'Access denied'], 403);
+
+			return;
+		}
+
+		$id = $this->input->getInt('id', 0);
+
+		if (!$id) {
+			$this->sendJson(['error' => true, 'message' => 'Missing snapshot ID']);
+
+			return;
+		}
+
+		$db    = \Joomla\CMS\Factory::getDbo();
+		$query = $db->getQuery(true)
+			->select('*')
+			->from($db->quoteName('#__mokosuitebackup_snapshots'))
+			->where($db->quoteName('id') . ' = ' . (int) $id);
+		$db->setQuery($query);
+		$record = $db->loadObject();
+
+		if (!$record) {
+			$this->sendJson(['error' => true, 'message' => 'Snapshot not found'], 404);
+
+			return;
+		}
+
+		if ($record->status !== 'complete') {
+			$this->sendJson(['error' => true, 'message' => 'Cannot browse a failed snapshot']);
+
+			return;
+		}
+
+		if (!is_file($record->data_file) || !is_readable($record->data_file)) {
+			$this->sendJson(['error' => true, 'message' => 'Snapshot data file not found']);
+
+			return;
+		}
+
+		$json = file_get_contents($record->data_file);
+
+		if ($json === false) {
+			$this->sendJson(['error' => true, 'message' => 'Cannot read snapshot file']);
+
+			return;
+		}
+
+		$data = json_decode($json, true);
+
+		if (json_last_error() !== JSON_ERROR_NONE) {
+			$this->sendJson(['error' => true, 'message' => 'Invalid snapshot data']);
+
+			return;
+		}
+
+		$tables = $data['tables'] ?? [];
+
+		// Articles
+		$articles = [];
+
+		if (!empty($tables['#__content'])) {
+			foreach ($tables['#__content'] as $row) {
+				$articles[] = [
+					'id'      => (int) ($row['id'] ?? 0),
+					'title'   => $row['title'] ?? '',
+					'catid'   => (int) ($row['catid'] ?? 0),
+					'state'   => (int) ($row['state'] ?? 0),
+					'created' => $row['created'] ?? '',
+				];
+			}
+		}
+
+		// Categories
+		$categories = [];
+
+		if (!empty($tables['#__categories'])) {
+			foreach ($tables['#__categories'] as $row) {
+				$categories[] = [
+					'id'        => (int) ($row['id'] ?? 0),
+					'title'     => $row['title'] ?? '',
+					'extension' => $row['extension'] ?? '',
+					'published' => (int) ($row['published'] ?? 0),
+					'level'     => (int) ($row['level'] ?? 0),
+				];
+			}
+		}
+
+		// Modules
+		$modules = [];
+
+		if (!empty($tables['#__modules'])) {
+			foreach ($tables['#__modules'] as $row) {
+				$modules[] = [
+					'id'        => (int) ($row['id'] ?? 0),
+					'title'     => $row['title'] ?? '',
+					'module'    => $row['module'] ?? '',
+					'position'  => $row['position'] ?? '',
+					'published' => (int) ($row['published'] ?? 0),
+				];
+			}
+		}
+
+		$this->sendJson([
+			'error'            => false,
+			'articles'         => $articles,
+			'categories'       => $categories,
+			'modules'          => $modules,
+			'total_articles'   => \count($articles),
+			'total_categories' => \count($categories),
+			'total_modules'    => \count($modules),
+		]);
+	}
+
+	/**
+	 * Count backup records that would be purged before a given date.
+	 * POST: task=ajax.countPurge&date=2025-01-01
+	 */
+	public function countPurge(): void
+	{
+		if (!Session::checkToken('get') && !Session::checkToken('post')) {
+			$this->sendJson(['error' => true, 'message' => 'Invalid token'], 403);
+
+			return;
+		}
+
+		if (!$this->app->getIdentity()->authorise('mokosuitebackup.backup.purge', 'com_mokosuitebackup')) {
+			$this->sendJson(['error' => true, 'message' => 'Access denied'], 403);
+
+			return;
+		}
+
+		$date = $this->input->getString('date', '');
+
+		if (empty($date) || !preg_match('/^\d{4}-\d{2}-\d{2}$/', $date)) {
+			$this->sendJson(['error' => true, 'message' => 'Invalid date format. Expected YYYY-MM-DD.']);
+
+			return;
+		}
+
+		$cutoff = $date . ' 00:00:00';
+
+		try {
+			$db    = \Joomla\CMS\Factory::getDbo();
+			$query = $db->getQuery(true)
+				->select('COUNT(*)')
+				->from($db->quoteName('#__mokosuitebackup_records'))
+				->where($db->quoteName('backupstart') . ' < ' . $db->quote($cutoff))
+				->where($db->quoteName('status') . ' = ' . $db->quote('complete'));
+			$db->setQuery($query);
+			$count = (int) $db->loadResult();
+		} catch (\Exception $e) {
+			error_log('MokoSuiteBackup: countPurge() DB error: ' . $e->getMessage());
+			$this->sendJson(['error' => true, 'message' => 'Database error'], 500);
+
+			return;
+		}
+
+		$this->sendJson([
+			'error' => false,
+			'count' => $count,
+			'date'  => $date,
+		]);
+	}
+
+	/**
+	 * Compare two backup records side-by-side.
+	 * POST: task=ajax.compareBackups&id1=123&id2=456
+	 */
+	public function compareBackups(): void
+	{
+		if (!Session::checkToken('get') && !Session::checkToken('post')) {
+			$this->sendJson(['error' => true, 'message' => 'Invalid token'], 403);
+
+			return;
+		}
+
+		if (!$this->app->getIdentity()->authorise('mokosuitebackup.backup.compare', 'com_mokosuitebackup')) {
+			$this->sendJson(['error' => true, 'message' => 'Access denied'], 403);
+
+			return;
+		}
+
+		$id1 = $this->input->getInt('id1', 0);
+		$id2 = $this->input->getInt('id2', 0);
+
+		if (!$id1 || !$id2) {
+			$this->sendJson(['error' => true, 'message' => 'Two backup record IDs are required']);
+
+			return;
+		}
+
+		if ($id1 === $id2) {
+			$this->sendJson(['error' => true, 'message' => 'Please select two different backup records']);
+
+			return;
+		}
+
+		$fields = [
+			'r.id', 'r.description', 'r.status', 'r.backup_type',
+			'r.total_size', 'r.db_size', 'r.files_count', 'r.tables_count',
+			'r.backupstart', 'r.backupend',
+		];
+
+		try {
+			$db = \Joomla\CMS\Factory::getDbo();
+
+			$query = $db->getQuery(true)
+				->select($db->quoteName($fields))
+				->select($db->quoteName('p.title', 'profile_title'))
+				->from($db->quoteName('#__mokosuitebackup_records', 'r'))
+				->join('LEFT', $db->quoteName('#__mokosuitebackup_profiles', 'p')
+					. ' ON ' . $db->quoteName('p.id') . ' = ' . $db->quoteName('r.profile_id'))
+				->where($db->quoteName('r.id') . ' IN (' . (int) $id1 . ', ' . (int) $id2 . ')');
+
+			$db->setQuery($query);
+			$rows = $db->loadObjectList('id');
+		} catch (\Exception $e) {
+			error_log('MokoSuiteBackup: compareBackups() DB error: ' . $e->getMessage());
+			$this->sendJson(['error' => true, 'message' => 'Failed to load backup records'], 500);
+
+			return;
+		}
+
+		if (!isset($rows[$id1])) {
+			$this->sendJson(['error' => true, 'message' => 'Backup record #' . $id1 . ' not found'], 404);
+
+			return;
+		}
+
+		if (!isset($rows[$id2])) {
+			$this->sendJson(['error' => true, 'message' => 'Backup record #' . $id2 . ' not found'], 404);
+
+			return;
+		}
+
+		$b1 = $rows[$id1];
+		$b2 = $rows[$id2];
+
+		// Calculate durations in seconds
+		$duration1 = 0;
+		$duration2 = 0;
+
+		if ($b1->backupstart !== '0000-00-00 00:00:00' && $b1->backupend !== '0000-00-00 00:00:00') {
+			$duration1 = strtotime($b1->backupend) - strtotime($b1->backupstart);
+		}
+
+		if ($b2->backupstart !== '0000-00-00 00:00:00' && $b2->backupend !== '0000-00-00 00:00:00') {
+			$duration2 = strtotime($b2->backupend) - strtotime($b2->backupstart);
+		}
+
+		$formatRecord = function ($row) {
+			return [
+				'id'            => (int) $row->id,
+				'description'   => $row->description,
+				'status'        => $row->status,
+				'backup_type'   => $row->backup_type,
+				'total_size'    => (int) $row->total_size,
+				'db_size'       => (int) $row->db_size,
+				'files_count'   => (int) $row->files_count,
+				'tables_count'  => (int) $row->tables_count,
+				'backupstart'   => $row->backupstart,
+				'backupend'     => $row->backupend,
+				'profile_title' => $row->profile_title ?? '',
+			];
+		};
+
+		$this->sendJson([
+			'error'   => false,
+			'backup1' => $formatRecord($b1),
+			'backup2' => $formatRecord($b2),
+			'delta'   => [
+				'size_diff'             => (int) $b2->total_size - (int) $b1->total_size,
+				'files_diff'            => (int) $b2->files_count - (int) $b1->files_count,
+				'tables_diff'           => (int) $b2->tables_count - (int) $b1->tables_count,
+				'duration_diff_seconds' => $duration2 - $duration1,
+			],
+		]);
+	}
+
+	/**
+	 * Browse directories on a remote SFTP server for the path picker.
+	 * POST: task=ajax.browseSftpDir&profile_id=1&path=/some/path
+	 */
+	public function browseSftpDir(): void
+	{
+		if (!Session::checkToken('get') && !Session::checkToken('post')) {
+			$this->sendJson(['error' => true, 'message' => 'Invalid token'], 403);
+
+			return;
+		}
+
+		if (!$this->app->getIdentity()->authorise('core.manage', 'com_mokosuitebackup')) {
+			$this->sendJson(['error' => true, 'message' => 'Access denied'], 403);
+
+			return;
+		}
+
+		$profileId = $this->input->getInt('profile_id', 0);
+
+		if (!$profileId) {
+			$this->sendJson(['error' => true, 'message' => 'Missing profile_id']);
+
+			return;
+		}
+
+		/* Load the profile to get SFTP credentials */
+		try {
+			$db    = Factory::getDbo();
+			$query = $db->getQuery(true)
+				->select('*')
+				->from($db->quoteName('#__mokosuitebackup_profiles'))
+				->where($db->quoteName('id') . ' = ' . $profileId);
+			$db->setQuery($query);
+			$profile = $db->loadObject();
+		} catch (\Exception $e) {
+			$this->sendJson(['error' => true, 'message' => 'Failed to load profile'], 500);
+
+			return;
+		}
+
+		if (!$profile) {
+			$this->sendJson(['error' => true, 'message' => 'Profile not found'], 404);
+
+			return;
+		}
+
+		$host     = $profile->sftp_host ?? '';
+		$port     = (int) ($profile->sftp_port ?? 22);
+		$username = $profile->sftp_username ?? '';
+		$keyData  = $profile->sftp_key_data ?? '';
+		$password = $profile->sftp_password ?? '';
+
+		if (empty($host) || empty($username)) {
+			$this->sendJson(['error' => true, 'message' => 'SFTP host and username must be configured and saved before browsing']);
+
+			return;
+		}
+
+		if (empty($keyData) && empty($password)) {
+			$this->sendJson(['error' => true, 'message' => 'SFTP credentials (key or password) must be configured and saved before browsing']);
+
+			return;
+		}
+
+		$requestPath = $this->input->getString('path', '/');
+
+		/* Sanitize: must start with / and not contain shell meta-characters */
+		$requestPath = '/' . ltrim($requestPath, '/');
+
+		if (preg_match('/[;&|`$<>]/', $requestPath)) {
+			$this->sendJson(['error' => true, 'message' => 'Invalid path characters']);
+
+			return;
+		}
+
+		$keyFile = null;
+
+		try {
+			/* Write temp key if using key auth (same pattern as SftpUploader) */
+			if (!empty($keyData)) {
+				$keyContent = base64_decode($keyData, true);
+
+				if ($keyContent === false) {
+					$keyContent = $keyData;
+				}
+
+				$keyFile = sys_get_temp_dir() . '/mokobackup-sftp-browse-' . bin2hex(random_bytes(8)) . '.key';
+
+				if (file_put_contents($keyFile, $keyContent) === false) {
+					throw new \RuntimeException('Cannot write temporary SSH key file');
+				}
+
+				chmod($keyFile, 0600);
+			}
+
+			/* Build SSH command to list directories */
+			$escapedPath = escapeshellarg($requestPath);
+			$remoteCmd   = 'ls -1pa ' . $escapedPath . ' 2>/dev/null | grep "/$"';
+
+			$parts = ['ssh', '-o', 'StrictHostKeyChecking=no', '-o', 'BatchMode=yes', '-o', 'ConnectTimeout=10'];
+
+			if ($port !== 22) {
+				$parts[] = '-p';
+				$parts[] = (string) $port;
+			}
+
+			if ($keyFile !== null) {
+				$parts[] = '-i';
+				$parts[] = escapeshellarg($keyFile);
+			}
+
+			$parts[] = escapeshellarg($username . '@' . $host);
+			$parts[] = escapeshellarg($remoteCmd);
+
+			$cmd = implode(' ', $parts);
+
+			$output   = [];
+			$exitCode = 0;
+			exec($cmd . ' 2>&1', $output, $exitCode);
+
+			/* exitCode 1 from grep means no matches (empty dir), which is OK */
+			if ($exitCode !== 0 && $exitCode !== 1) {
+				throw new \RuntimeException('SSH command failed (exit ' . $exitCode . '): ' . implode(' ', $output));
+			}
+
+			/* Parse output: each line is a directory name ending with / */
+			$dirs = [];
+
+			foreach ($output as $line) {
+				$line = trim($line);
+
+				if ($line === '' || $line === './' || $line === '../') {
+					continue;
+				}
+
+				$dirName = rtrim($line, '/');
+
+				if ($dirName === '' || $dirName === '.' || $dirName === '..') {
+					continue;
+				}
+
+				$fullPath = rtrim($requestPath, '/') . '/' . $dirName;
+
+				$dirs[] = [
+					'name' => $dirName,
+					'path' => $fullPath,
+				];
+			}
+
+			usort($dirs, fn($a, $b) => strcasecmp($a['name'], $b['name']));
+
+			/* Parent path */
+			$parent = null;
+
+			if ($requestPath !== '/') {
+				$parent = \dirname($requestPath);
+
+				if ($parent === '') {
+					$parent = '/';
+				}
+			}
+
+			$this->sendJson([
+				'error'   => false,
+				'current' => $requestPath,
+				'parent'  => $parent,
+				'dirs'    => $dirs,
+			]);
+		} catch (\Throwable $e) {
+			$this->sendJson(['error' => true, 'message' => 'SFTP browse failed: ' . $e->getMessage()]);
+		} finally {
+			if ($keyFile !== null && is_file($keyFile)) {
+				unlink($keyFile);
+			}
+		}
+	}
+
 	/**
 	 * Send a JSON response and close the application.
 	 */
@@ -15,6 +15,7 @@ defined('_JEXEC') or die;
 use Joomla\CMS\Language\Text;
 use Joomla\CMS\MVC\Controller\AdminController;
 use Joomla\CMS\Router\Route;
+use Joomla\CMS\Session\Session;
 use Joomla\Component\MokoSuiteBackup\Administrator\Engine\BackupEngine;
 use Joomla\Component\MokoSuiteBackup\Administrator\Engine\RestoreEngine;

@@ -34,7 +35,14 @@ class BackupsController extends AdminController
 	 */
 	public function start(): void
 	{
-		$this->checkToken();
+		/* Accept token from both GET (profile Run button) and POST (backup form).
+		   Joomla's checkToken() throws on failure, so try GET first. */
+		if (!Session::checkToken('get') && !Session::checkToken('post')) {
+			$this->setMessage(Text::_('JINVALID_TOKEN_NOTICE'), 'error');
+			$this->setRedirect(Route::_('index.php?option=com_mokosuitebackup&view=backups', false));
+
+			return;
+		}

 		if (!$this->app->getIdentity()->authorise('mokosuitebackup.backup.run', 'com_mokosuitebackup')) {
 			$this->setMessage(Text::_('JLIB_APPLICATION_ERROR_ACCESS_FORBIDDEN'), 'error');
@@ -157,6 +165,88 @@ class BackupsController extends AdminController
 		$this->setRedirect(Route::_('index.php?option=com_mokosuitebackup&view=backups', false));
 	}

+	/**
+	 * Purge (delete) all completed backup records older than a given date.
+	 *
+	 * Deletes archive files, log files, and database records.
+	 *
+	 * @return  void
+	 */
+	public function purge(): void
+	{
+		$this->checkToken();
+
+		if (!$this->app->getIdentity()->authorise('mokosuitebackup.backup.purge', 'com_mokosuitebackup')) {
+			$this->setMessage(Text::_('JLIB_APPLICATION_ERROR_ACCESS_FORBIDDEN'), 'error');
+			$this->setRedirect(Route::_('index.php?option=com_mokosuitebackup&view=backups', false));
+
+			return;
+		}
+
+		$cutoffDate = $this->input->getString('purge_date', '');
+
+		if (empty($cutoffDate) || !preg_match('/^\d{4}-\d{2}-\d{2}$/', $cutoffDate)) {
+			$this->setMessage(Text::_('COM_MOKOJOOMBACKUP_PURGE_INVALID_DATE'), 'error');
+			$this->setRedirect(Route::_('index.php?option=com_mokosuitebackup&view=backups', false));
+
+			return;
+		}
+
+		$cutoff = $cutoffDate . ' 00:00:00';
+
+		$db    = $this->app->getContainer()->get('DatabaseDriver');
+		$query = $db->getQuery(true)
+			->select($db->quoteName('id'))
+			->from($db->quoteName('#__mokosuitebackup_records'))
+			->where($db->quoteName('backupstart') . ' < ' . $db->quote($cutoff))
+			->where($db->quoteName('status') . ' = ' . $db->quote('complete'));
+		$db->setQuery($query);
+		$ids = $db->loadColumn();
+
+		if (empty($ids)) {
+			$this->setMessage(Text::_('COM_MOKOJOOMBACKUP_PURGE_NONE_FOUND'), 'warning');
+			$this->setRedirect(Route::_('index.php?option=com_mokosuitebackup&view=backups', false));
+
+			return;
+		}
+
+		$table   = $this->getModel('Backup')->getTable();
+		$deleted = 0;
+		$errors  = 0;
+
+		foreach ($ids as $id) {
+			if ($table->load((int) $id)) {
+				if ($table->delete()) {
+					$deleted++;
+				} else {
+					$errors++;
+				}
+			}
+
+			$table->reset();
+		}
+
+		if ($errors > 0) {
+			$this->setMessage(Text::sprintf('COM_MOKOJOOMBACKUP_PURGE_PARTIAL', $deleted, $errors), 'warning');
+		} else {
+			$this->setMessage(Text::sprintf('COM_MOKOJOOMBACKUP_PURGE_SUCCESS', $deleted));
+		}
+
+		$this->setRedirect(Route::_('index.php?option=com_mokosuitebackup&view=backups', false));
+	}
+
+	/**
+	 * No-op target for the purge toolbar button.
+	 *
+	 * The toolbar button needs a task so Joomla does not complain,
+	 * but the actual purge is triggered via the modal form which
+	 * submits to backups.purge. This method simply redirects back.
+	 */
+	public function purgeModal(): void
+	{
+		$this->setRedirect(Route::_('index.php?option=com_mokosuitebackup&view=backups', false));
+	}
+
 	/**
 	 * Verify integrity of a backup archive by re-computing SHA-256.
 	 */
@@ -16,6 +16,7 @@ use Joomla\CMS\Factory;
 use Joomla\CMS\Language\Text;
 use Joomla\CMS\MVC\Controller\AdminController;
 use Joomla\CMS\Router\Route;
+use Joomla\CMS\Session\Session;
 use Joomla\Component\MokoSuiteBackup\Administrator\Engine\SnapshotEngine;
 use Joomla\Component\MokoSuiteBackup\Administrator\Engine\SnapshotRestoreEngine;

@@ -106,6 +107,151 @@ class SnapshotsController extends AdminController
 		$this->setRedirect(Route::_('index.php?option=com_mokosuitebackup&view=snapshots', false));
 	}

+	/**
+	 * Browse articles inside a snapshot — returns JSON for AJAX modal.
+	 */
+	public function browse(): void
+	{
+		if (!Session::checkToken('get') && !Session::checkToken('post')) {
+			$this->sendJson(['error' => true, 'message' => 'Invalid token'], 403);
+
+			return;
+		}
+
+		if (!$this->app->getIdentity()->authorise('mokosuitebackup.snapshot.manage', 'com_mokosuitebackup')) {
+			$this->sendJson(['error' => true, 'message' => 'Access denied'], 403);
+
+			return;
+		}
+
+		$id = $this->input->getInt('id', 0);
+
+		if (!$id) {
+			$this->sendJson(['error' => true, 'message' => 'Missing snapshot ID']);
+
+			return;
+		}
+
+		$db    = Factory::getDbo();
+		$query = $db->getQuery(true)
+			->select('*')
+			->from($db->quoteName('#__mokosuitebackup_snapshots'))
+			->where($db->quoteName('id') . ' = ' . $id);
+		$db->setQuery($query);
+		$record = $db->loadObject();
+
+		if (!$record) {
+			$this->sendJson(['error' => true, 'message' => 'Snapshot not found'], 404);
+
+			return;
+		}
+
+		if ($record->status !== 'complete') {
+			$this->sendJson(['error' => true, 'message' => 'Cannot browse a failed snapshot']);
+
+			return;
+		}
+
+		if (!is_file($record->data_file) || !is_readable($record->data_file)) {
+			$this->sendJson(['error' => true, 'message' => 'Snapshot data file not found']);
+
+			return;
+		}
+
+		$json = file_get_contents($record->data_file);
+
+		if ($json === false) {
+			$this->sendJson(['error' => true, 'message' => 'Cannot read snapshot file']);
+
+			return;
+		}
+
+		$data = json_decode($json, true);
+
+		if (json_last_error() !== JSON_ERROR_NONE || empty($data['tables']['#__content'])) {
+			$this->sendJson(['error' => true, 'message' => 'Snapshot does not contain articles']);
+
+			return;
+		}
+
+		$articles = [];
+
+		foreach ($data['tables']['#__content'] as $row) {
+			$articles[] = [
+				'id'      => (int) ($row['id'] ?? 0),
+				'title'   => $row['title'] ?? '',
+				'catid'   => (int) ($row['catid'] ?? 0),
+				'state'   => (int) ($row['state'] ?? 0),
+				'created' => $row['created'] ?? '',
+			];
+		}
+
+		$this->sendJson([
+			'error'    => false,
+			'articles' => $articles,
+			'total'    => count($articles),
+		]);
+	}
+
+	/**
+	 * Restore selected articles from a snapshot.
+	 */
+	public function restoreSelected(): void
+	{
+		$this->checkToken();
+
+		if (!$this->app->getIdentity()->authorise('mokosuitebackup.snapshot.manage', 'com_mokosuitebackup')) {
+			$this->setMessage(Text::_('JLIB_APPLICATION_ERROR_ACCESS_FORBIDDEN'), 'error');
+			$this->setRedirect(Route::_('index.php?option=com_mokosuitebackup&view=snapshots', false));
+
+			return;
+		}
+
+		$id         = $this->input->getInt('id', 0);
+		$articleIds = $this->input->get('article_ids', [], 'array');
+
+		if (!$id) {
+			$this->setMessage(Text::_('COM_MOKOJOOMBACKUP_SNAPSHOT_NO_RECORD'), 'error');
+			$this->setRedirect(Route::_('index.php?option=com_mokosuitebackup&view=snapshots', false));
+
+			return;
+		}
+
+		if (empty($articleIds)) {
+			$this->setMessage(Text::_('COM_MOKOJOOMBACKUP_SNAPSHOT_NO_ARTICLES_SELECTED'), 'error');
+			$this->setRedirect(Route::_('index.php?option=com_mokosuitebackup&view=snapshots', false));
+
+			return;
+		}
+
+		$engine = new SnapshotRestoreEngine();
+		$result = $engine->restoreSelectedArticles($id, $articleIds);
+
+		if ($result['success']) {
+			$this->setMessage($result['message']);
+		} else {
+			$this->setMessage($result['message'], 'error');
+		}
+
+		$this->setRedirect(Route::_('index.php?option=com_mokosuitebackup&view=snapshots', false));
+	}
+
+	/**
+	 * Send a JSON response and close the application.
+	 */
+	private function sendJson(array $data, int $status = 200): void
+	{
+		$app = $this->app;
+		$app->setHeader('status', $status);
+		$app->setHeader('Content-Type', 'application/json; charset=utf-8');
+		$app->setHeader('Cache-Control', 'no-cache, no-store, must-revalidate');
+		$app->sendHeaders();
+
+		echo json_encode($data);
+
+		$app->close();
+	}
+
 	/**
 	 * Delete snapshot records and their data files.
 	 */
@@ -113,7 +259,7 @@ class SnapshotsController extends AdminController
 	{
 		$this->checkToken();

-		if (!$this->app->getIdentity()->authorise('core.delete', 'com_mokosuitebackup')) {
+		if (!$this->app->getIdentity()->authorise('mokosuitebackup.snapshot.manage', 'com_mokosuitebackup')) {
 			$this->setMessage(Text::_('JLIB_APPLICATION_ERROR_ACCESS_FORBIDDEN'), 'error');
 			$this->setRedirect(Route::_('index.php?option=com_mokosuitebackup&view=snapshots', false));

@@ -87,8 +87,14 @@ class BackupEngine
 		$archiveFormat = $profile->archive_format ?? 'zip';
 		$archiveName   = '';
 		$archiver      = $this->createArchiver($archiveFormat);
+
+		// Pass encryption password to 7z archiver (handles it natively via -p flag)
+		if ($archiver instanceof SevenZipArchiver && !empty($profile->encryption_password)) {
+			$archiver->setEncryptionPassword($profile->encryption_password);
+		}
+
 		$archiveExt    = $archiver->getExtension();
-		$nameFormat    = $profile->archive_name_format ?? '[host]_[datetime]_profile[profile_id]';
+		$nameFormat    = $profile->archive_name_format ?? '[HOST]_[DATETIME]_profile[PROFILE_ID]';
 		$archiveName   = $resolver->resolve($nameFormat) . '.' . $archiveExt;

 		if (empty($description)) {
@@ -137,7 +143,19 @@ class BackupEngine
 			if ($profile->backup_type !== 'files') {
 				$this->log('Starting database dump...');
 				$sqlTempFile = $this->backupDir . '/.database-' . $tag . '.sql';
-				$dumper      = new DatabaseDumper($excludeTables);
+				$sanitizePasswords  = (bool) ($profile->sanitize_passwords ?? false);
+				$preserveSuperAdmin = (bool) ($profile->preserve_super_admin ?? false);
+				$sanitizeEmails     = (bool) ($profile->sanitize_emails ?? false);
+				$sanitizeSessions   = (bool) ($profile->sanitize_sessions ?? true);
+				$dumper      = new DatabaseDumper($excludeTables, $sanitizePasswords, $preserveSuperAdmin, $sanitizeEmails, $sanitizeSessions);
+
+				if ($sanitizePasswords) {
+					$this->log('User passwords will be sanitized' . ($preserveSuperAdmin ? ' (super admin preserved)' : ''));
+				}
+
+				if ($sanitizeEmails) {
+					$this->log('User emails will be sanitized');
+				}
 				$dbSize      = $dumper->dumpToFile($sqlTempFile);
 				$archiver->addFile($sqlTempFile, 'database.sql');
 				$tablesCount = $dumper->getTablesCount();
@@ -216,12 +234,14 @@ class BackupEngine
 			$encryptionPassword = $profile->encryption_password ?? '';

 			if (!empty($encryptionPassword)) {
-				if ($archiveFormat !== 'zip') {
-					$this->log('WARNING: AES-256 encryption only supported for ZIP archives — skipping encryption');
-				} else {
+				if ($archiveFormat === 'zip') {
 					$this->log('Encrypting archive with AES-256...');
 					$this->encryptArchive($archivePath, $encryptionPassword);
 					$this->log('Archive encrypted');
+				} elseif ($archiveFormat === '7z') {
+					$this->log('Archive encrypted with AES-256 (7z native encryption)');
+				} else {
+					$this->log('WARNING: AES-256 encryption only supported for ZIP and 7z archives — skipping encryption');
 				}
 			}

@@ -237,26 +257,32 @@ class BackupEngine
 			$this->verifyArchive($archivePath, $profile->backup_type);
 			$this->log('Archive integrity verified');

-			// Step 2.5: Wrap with MokoRestore script (if enabled)
-			$includeMokoRestore = (bool) ($profile->include_mokorestore ?? false);
+			// Step 2.5: MokoRestore script (if enabled)
+			$mokoRestoreMode = $profile->include_mokorestore ?? '0';
+			$restoreScriptPath = '';

-			if ($includeMokoRestore) {
+			if ($mokoRestoreMode === '1') {
+				// Wrapped mode: backup ZIP inside an outer ZIP with restore.php
 				$this->log('Wrapping with MokoRestore script...');
 				$mokoRestoreName = str_replace('.zip', '-mokorestore.zip', $archiveName);
 				$mokoRestorePath = $this->backupDir . '/' . $mokoRestoreName;
 				MokoRestore::wrap($archivePath, $mokoRestorePath);

-				// Replace the original archive with the wrapped one
 				if (is_file($archivePath) && !unlink($archivePath)) {
 					$this->log('WARNING: Could not remove pre-wrap archive');
 				}
 				rename($mokoRestorePath, $archivePath);
 				$totalSize = filesize($archivePath);
 				$sizeHuman = number_format($totalSize / 1048576, 2) . ' MB';
-				// Recompute checksum for the final wrapped archive
 				$checksum = hash_file('sha256', $archivePath);
 				$this->log('MokoRestore archive created: ' . $sizeHuman);
 				$this->log('SHA-256 (wrapped): ' . $checksum);
+			} elseif ($mokoRestoreMode === 'standalone') {
+				// Standalone mode: restore.php as a separate file next to the backup ZIP
+				$this->log('Generating standalone restore.php...');
+				$restoreScriptPath = $this->backupDir . '/restore.php';
+				MokoRestore::generateStandalone($restoreScriptPath);
+				$this->log('Standalone restore.php generated (' . number_format(filesize($restoreScriptPath)) . ' bytes)');
 			}

 			$remoteFilename = '';
@@ -277,6 +303,18 @@ class BackupEngine
 						$remoteFilename = $uploadResult['remote_path'] ?? $archiveName;
 						$this->log('Remote upload complete: ' . $uploadResult['message']);

+						// Upload standalone restore.php alongside the backup if in standalone mode
+						if (!empty($restoreScriptPath) && is_file($restoreScriptPath)) {
+							$this->log('Uploading standalone restore.php...');
+							$restoreUpload = $uploader->upload($restoreScriptPath, 'restore.php');
+
+							if ($restoreUpload['success']) {
+								$this->log('Standalone restore.php uploaded');
+							} else {
+								$this->log('WARNING: restore.php upload failed: ' . $restoreUpload['message']);
+							}
+						}
+
 						// Delete local copy if configured
 						if (empty($profile->remote_keep_local) && is_file($archivePath)) {
 							@unlink($archivePath);
@@ -296,7 +334,7 @@ class BackupEngine

 			// Write log file alongside the archive
 			$logContent = implode("\n", $this->log);
-			$logPath    = preg_replace('/\.(zip|tar\.gz)$/i', '.log', $archivePath);
+			$logPath    = preg_replace('/\.(zip|tar\.gz|7z)$/i', '.log', $archivePath);
 			if (@file_put_contents($logPath, $logContent) === false) {
 				error_log('MokoSuiteBackup: Could not write log file: ' . $logPath);
 			}
@@ -442,6 +480,7 @@ class BackupEngine
 		return match ($format) {
 			'zip'    => new ZipArchiver(),
 			'tar.gz' => new TarGzArchiver(),
+			'7z'     => new SevenZipArchiver(),
 			default  => throw new \InvalidArgumentException('Unknown archive format: ' . $format),
 		};
 	}
@@ -453,6 +492,7 @@ class BackupEngine
 	{
 		return match ($type) {
 			'ftp'          => new FtpUploader($profile),
+			'sftp'         => new SftpUploader($profile),
 			'google_drive' => new GoogleDriveUploader($profile),
 			's3'           => new S3Uploader($profile),
 			default        => throw new \InvalidArgumentException('Unknown remote storage type: ' . $type),
@@ -546,6 +586,13 @@ class BackupEngine
 			return;
 		}

+		// 7z verification via CLI
+		if ($extension === '7z') {
+			$this->verify7zArchive($archivePath);
+
+			return;
+		}
+
 		// ZIP verification
 		$zip = new \ZipArchive();

@@ -607,6 +654,64 @@ class BackupEngine
 		}
 	}

+	/**
+	 * Verify a 7z archive using the CLI binary.
+	 *
+	 * @param   string  $archivePath  Absolute path to the .7z file
+	 *
+	 * @throws  \RuntimeException  If the archive fails verification
+	 */
+	private function verify7zArchive(string $archivePath): void
+	{
+		// Test the archive with 7z t (test integrity)
+		$candidates = PHP_OS_FAMILY === 'Windows'
+			? ['7z', '7za', 'C:\\Program Files\\7-Zip\\7z.exe', 'C:\\Program Files (x86)\\7-Zip\\7z.exe']
+			: ['7za', '7z', '/usr/bin/7za', '/usr/bin/7z', '/usr/local/bin/7za', '/usr/local/bin/7z'];
+
+		$binary = null;
+
+		foreach ($candidates as $candidate) {
+			if (str_contains($candidate, DIRECTORY_SEPARATOR) || str_contains($candidate, '/')) {
+				if (is_file($candidate) && is_executable($candidate)) {
+					$binary = $candidate;
+					break;
+				}
+
+				continue;
+			}
+
+			$whichCmd = PHP_OS_FAMILY === 'Windows'
+				? 'where ' . escapeshellarg($candidate) . ' 2>NUL'
+				: 'which ' . escapeshellarg($candidate) . ' 2>/dev/null';
+
+			$result = trim((string) shell_exec($whichCmd));
+
+			if ($result !== '' && is_executable($result)) {
+				$binary = $result;
+				break;
+			}
+		}
+
+		if ($binary === null) {
+			// Cannot verify without the binary — log warning but don't fail
+			$this->log('WARNING: Cannot verify 7z archive (7z binary not found for test)');
+
+			return;
+		}
+
+		$cmd = escapeshellarg($binary) . ' t ' . escapeshellarg($archivePath) . ' -y 2>&1';
+		$output   = [];
+		$exitCode = 0;
+		exec($cmd, $output, $exitCode);
+
+		if ($exitCode !== 0) {
+			throw new \RuntimeException(
+				'Archive integrity check failed: 7z test exited with code ' . $exitCode
+				. ': ' . implode("\n", array_slice($output, -5))
+			);
+		}
+	}
+
 	/**
 	 * Dispatch the onMokoSuiteBackupAfterRun event so plugins (actionlog, etc.) can react.
 	 */
@@ -27,12 +27,35 @@ class DatabaseDumper

 	private int $tablesCount = 0;

+	/** @var bool Whether to sanitize user passwords */
+	private bool $sanitizePasswords = false;
+
+	/** @var bool Whether to preserve super admin password when sanitizing */
+	private bool $preserveSuperAdmin = false;
+
+	/** @var bool Whether to sanitize user emails */
+	private bool $sanitizeEmails = false;
+
+	/** @var bool Whether to clear session data */
+	private bool $sanitizeSessions = false;
+
+	/** Known invalid bcrypt hash used for sanitized passwords */
+	private const SANITIZED_HASH = '$2y$10$SANITIZED.MOKOSUITEBACKUP.INVALID.HASH.DO.NOT.USE.000000';
+
 	/**
-	 * @param   array  $excludeTables  Table names to exclude (with #__ prefix).
-	 *                                 Supports suffixes: :data-only, :structure-only.
-	 *                                 No suffix = exclude both (backward compatible).
+	 * @param   array  $excludeTables       Table names to exclude (with #__ prefix).
+	 * @param   bool   $sanitizePasswords   Replace user password hashes with invalid value
+	 * @param   bool   $preserveSuperAdmin  Keep super admin password when sanitizing
+	 * @param   bool   $sanitizeEmails      Replace user emails with sanitized placeholders
+	 * @param   bool   $sanitizeSessions    Skip session table data entirely
 	 */
-	public function __construct(array $excludeTables = [])
+	public function __construct(
+		array $excludeTables = [],
+		bool $sanitizePasswords = false,
+		bool $preserveSuperAdmin = false,
+		bool $sanitizeEmails = false,
+		bool $sanitizeSessions = false
+	)
 	{
 		foreach ($excludeTables as $entry) {
 			if (str_ends_with($entry, ':data-only')) {
@@ -43,6 +66,16 @@ class DatabaseDumper
 				$this->excludeBoth[] = $entry;
 			}
 		}
+
+		$this->sanitizePasswords  = $sanitizePasswords;
+		$this->preserveSuperAdmin = $preserveSuperAdmin;
+		$this->sanitizeEmails     = $sanitizeEmails;
+		$this->sanitizeSessions   = $sanitizeSessions;
+
+		/* If session sanitization is on, auto-exclude session table data */
+		if ($sanitizeSessions) {
+			$this->excludeDataOnly[] = '#__session';
+		}
 	}

 	/**
@@ -154,6 +187,7 @@ class DatabaseDumper
 				}

 				foreach ($rows as $row) {
+					$this->sanitizeRow($row, $abstractName, $db);
 					$values = [];

 					foreach ($row as $value) {
@@ -326,6 +360,7 @@ class DatabaseDumper
 				}

 				foreach ($rows as $row) {
+					$this->sanitizeRow($row, $abstractName, $db);
 					$values = [];

 					foreach ($row as $value) {
@@ -351,6 +386,86 @@ class DatabaseDumper
 		return filesize($filePath) ?: 0;
 	}

+	/**
+	 * Sanitize a row if it belongs to the users table and sanitization is enabled.
+	 *
+	 * Replaces the password column with an invalid hash so the backup
+	 * cannot be used to extract user credentials.
+	 */
+	private function sanitizeRow(array &$row, string $abstractTable, object $db): void
+	{
+		if ($abstractTable !== '#__users') {
+			return;
+		}
+
+		if (!$this->sanitizePasswords && !$this->sanitizeEmails) {
+			return;
+		}
+
+		if ($this->sanitizeEmails && isset($row['email']) && isset($row['id'])) {
+			$userId = (int) $row['id'];
+
+			/* Preserve super admin emails if preserving super admin */
+			if (!$this->preserveSuperAdmin || !$this->isSuperAdmin($userId, $db)) {
+				$row['email'] = 'user' . $userId . '@sanitized.example.com';
+			}
+		}
+
+		if (!$this->sanitizePasswords || !isset($row['password'])) {
+			return;
+		}
+
+		if ($this->preserveSuperAdmin && isset($row['id'])) {
+			if ($this->isSuperAdmin((int) $row['id'], $db)) {
+				return;
+			}
+		}
+
+		$row['password'] = self::SANITIZED_HASH;
+	}
+
+	/**
+	 * Check if a user ID belongs to the Super Users group (group_id = 8).
+	 */
+	private function isSuperAdmin(int $userId, object $db): bool
+	{
+		static $superAdminIds = null;
+
+		if ($superAdminIds === null) {
+			$prefix = $db->getPrefix();
+
+			try {
+				$db->setQuery(
+					$db->getQuery(true)
+						->select('DISTINCT ' . $db->quoteName('user_id'))
+						->from($db->quoteName($prefix . 'user_usergroup_map'))
+						->where($db->quoteName('group_id') . ' = 8')
+				);
+				$superAdminIds = array_map('intval', $db->loadColumn() ?: []);
+			} catch (\Throwable $e) {
+				$superAdminIds = [];
+			}
+		}
+
+		return in_array($userId, $superAdminIds, true);
+	}
+
+	/**
+	 * Check if passwords were sanitized (for use by callers to log the action).
+	 */
+	public function isPasswordSanitizationEnabled(): bool
+	{
+		return $this->sanitizePasswords;
+	}
+
+	/**
+	 * Get the sentinel hash used for sanitized passwords.
+	 */
+	public static function getSanitizedHash(): string
+	{
+		return self::SANITIZED_HASH;
+	}
+
 	public function getTablesCount(): int
 	{
 		return $this->tablesCount;
@@ -54,6 +54,191 @@ class MokoRestore
 		return $outputPath;
 	}

+	/**
+	 * Generate the standalone restore.php script as a separate file.
+	 *
+	 * Unlike the wrapped version, this script scans its own directory
+	 * for ZIP files and lets the user choose which one to restore from.
+	 *
+	 * @param   string  $outputPath  Where to write restore.php
+	 *
+	 * @return  string  Path to the generated script
+	 */
+	public static function generateStandalone(string $outputPath): string
+	{
+		$script = self::generateStandaloneScript();
+
+		if (file_put_contents($outputPath, $script) === false) {
+			throw new \RuntimeException('Cannot write standalone restore script: ' . $outputPath);
+		}
+
+		return $outputPath;
+	}
+
+	/**
+	 * Generate the standalone script content that scans for ZIPs.
+	 */
+	private static function generateStandaloneScript(): string
+	{
+		/* Take the normal backend but replace the hardcoded BACKUP_FILE
+		   with a directory scanner that finds ZIP files */
+		$php = self::generateBackend();
+
+		/* Replace the fixed BACKUP_FILE constant with dynamic scanner */
+		$php = str_replace(
+			"define('BACKUP_FILE', RESTORE_DIR . '/site-backup.zip');",
+			"/* BACKUP_FILE is set dynamically — see actionSelectBackup() below */\n" .
+			"define('BACKUP_FILE', ''); /* placeholder — overridden per request */",
+			$php
+		);
+
+		/* Inject the backup scanner function after the constants */
+		$scannerCode = <<<'SCANNER'
+
+/**
+ * Scan the restore directory for ZIP files that look like backups.
+ */
+function scanForBackups(): array
+{
+    $dir = RESTORE_DIR;
+    $files = [];
+
+    foreach (glob($dir . '/*.zip') as $path) {
+        $name = basename($path);
+
+        /* Skip the restore script wrapper if present */
+        if ($name === 'restore.php') {
+            continue;
+        }
+
+        $files[] = [
+            'name' => $name,
+            'path' => $path,
+            'size' => filesize($path),
+            'date' => date('Y-m-d H:i:s', filemtime($path)),
+        ];
+    }
+
+    /* Sort by modification time, newest first */
+    usort($files, fn($a, $b) => filemtime($b['path']) <=> filemtime($a['path']));
+
+    return $files;
+}
+
+/**
+ * Handle backup file selection and set the working file.
+ */
+function getSelectedBackupFile(): string
+{
+    if (!empty($_POST['backup_file'])) {
+        $selected = basename($_POST['backup_file']); /* sanitize — basename only */
+        $path = RESTORE_DIR . '/' . $selected;
+
+        if (is_file($path) && str_ends_with(strtolower($selected), '.zip')) {
+            return $path;
+        }
+    }
+
+    /* Auto-select if only one ZIP exists */
+    $backups = scanForBackups();
+
+    if (count($backups) === 1) {
+        return $backups[0]['path'];
+    }
+
+    return '';
+}
+
+SCANNER;
+
+		/* Insert scanner after the opening PHP section but before the action handlers */
+		$php = str_replace(
+			"/* ── Action Handlers",
+			$scannerCode . "\n/* ── Action Handlers",
+			$php
+		);
+
+		/* Modify actionExtract to use getSelectedBackupFile() instead of BACKUP_FILE */
+		$php = str_replace(
+			'$zip->open(BACKUP_FILE)',
+			'$zip->open(getSelectedBackupFile() ?: BACKUP_FILE)',
+			$php
+		);
+
+		/* Modify the pre-checks to use getSelectedBackupFile() */
+		$php = str_replace(
+			"file_exists(BACKUP_FILE)",
+			"(getSelectedBackupFile() !== '' || file_exists(BACKUP_FILE))",
+			$php
+		);
+
+		$html = self::generateFrontend();
+
+		/* Add backup file selector to the frontend before the extract step */
+		$selectorHtml = <<<'SELECTOR'
+<!-- Backup File Selector (standalone mode) -->
+<div id="mr-step-select" class="mr-step" style="display:none;">
+    <h2 class="mr-step-title">Select Backup File</h2>
+    <p class="mr-desc">Choose which backup archive to restore from.</p>
+    <div id="mr-backup-list"></div>
+    <input type="hidden" name="backup_file" id="mr-backup-file" value="">
+</div>
+<script>
+(function() {
+    var backups = <?php echo json_encode(scanForBackups()); ?>;
+    var list = document.getElementById('mr-backup-list');
+    var hiddenInput = document.getElementById('mr-backup-file');
+
+    if (backups.length === 0) {
+        var alert = document.createElement('div');
+        alert.className = 'mr-alert mr-alert-danger';
+        alert.textContent = 'No ZIP files found in this directory. Upload a backup archive first.';
+        list.appendChild(alert);
+    } else if (backups.length === 1) {
+        hiddenInput.value = backups[0].name;
+        var found = document.createElement('div');
+        found.className = 'mr-alert mr-alert-success';
+        var strong = document.createElement('strong');
+        strong.textContent = backups[0].name;
+        found.appendChild(document.createTextNode('Found: '));
+        found.appendChild(strong);
+        found.appendChild(document.createTextNode(' (' + (backups[0].size / 1048576).toFixed(1) + ' MB)'));
+        list.appendChild(found);
+    } else {
+        var group = document.createElement('div');
+        group.className = 'mr-field-group';
+        backups.forEach(function(b) {
+            var label = document.createElement('label');
+            label.style.cssText = 'display:block; padding:8px; margin:4px 0; border:1px solid #ddd; border-radius:4px; cursor:pointer;';
+            var radio = document.createElement('input');
+            radio.type = 'radio';
+            radio.name = 'backup_choice';
+            radio.value = b.name;
+            radio.style.marginRight = '8px';
+            radio.addEventListener('change', function() { hiddenInput.value = this.value; });
+            label.appendChild(radio);
+            var nameStrong = document.createElement('strong');
+            nameStrong.textContent = b.name;
+            label.appendChild(nameStrong);
+            label.appendChild(document.createTextNode(' \u2014 ' + (b.size / 1048576).toFixed(1) + ' MB \u2014 ' + b.date));
+            group.appendChild(label);
+        });
+        list.appendChild(group);
+    }
+})();
+</script>
+SELECTOR;
+
+		/* Insert the selector before the extract step in the HTML */
+		$html = str_replace(
+			'<!-- Step: Extract -->',
+			$selectorHtml . "\n<!-- Step: Extract -->",
+			$html
+		);
+
+		return $php . $html;
+	}
+
 	/**
 	 * Generate the standalone restore.php script.
 	 *
@@ -191,16 +376,19 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['action'])) {
 function handleAction(string $action, array $data): array
 {
    return match ($action) {
-        'preflight'  => actionPreflight(),
-        'extract'    => actionExtract($data),
-        'testdb'     => actionTestDb($data),
-        'database'   => actionDatabase($data),
-        'config'     => actionConfig($data),
-        'listAdmins' => actionListAdmins($data),
-        'resetAdmin' => actionResetAdmin($data),
-        'provision'  => actionProvision($data),
-        'cleanup'    => actionCleanup(),
-        default      => ['success' => false, 'message' => 'Unknown action: ' . $action],
+        'preflight'   => actionPreflight(),
+        'extract'     => actionExtract($data),
+        'scanTables'  => actionScanTables(),
+        'testdb'      => actionTestDb($data),
+        'database'    => actionDatabase($data),
+        'config'      => actionConfig($data),
+        'listAdmins'  => actionListAdmins($data),
+        'resetAdmin'  => actionResetAdmin($data),
+        'postRestore'      => actionPostRestore($data),
+        'detectSanitized'  => detectSanitizedPasswords($data),
+        'provision'        => actionProvision($data),
+        'cleanup'     => actionCleanup(),
+        default       => ['success' => false, 'message' => 'Unknown action: ' . $action],
    };
 }

@@ -366,6 +554,65 @@ function actionExtract(array $data): array
    ];
 }

+/**
+ * Parse database.sql and extract the list of table names.
+ * Returns table names using the abstract #__ prefix so the UI
+ * can display them before the user's target prefix is known.
+ */
+function actionScanTables(): array
+{
+    $sqlFile = RESTORE_DIR . '/database.sql';
+
+    if (!is_file($sqlFile)) {
+        return ['success' => true, 'tables' => [], 'message' => 'No database.sql found'];
+    }
+
+    $sql = file_get_contents($sqlFile);
+    $tables = [];
+
+    // Match DROP TABLE IF EXISTS `#__tablename` or CREATE TABLE ... `#__tablename`
+    if (preg_match_all('/(?:DROP\s+TABLE\s+IF\s+EXISTS|CREATE\s+TABLE(?:\s+IF\s+NOT\s+EXISTS)?)\s+`([^`]+)`/i', $sql, $matches)) {
+        foreach ($matches[1] as $name) {
+            if (!in_array($name, $tables, true)) {
+                $tables[] = $name;
+            }
+        }
+    }
+
+    // Sort alphabetically for easier scanning
+    sort($tables, SORT_STRING);
+
+    return [
+        'success' => true,
+        'tables'  => $tables,
+        'count'   => count($tables),
+    ];
+}
+
+/**
+ * Determine which table a SQL statement belongs to.
+ * Returns the table name (with the prefix already applied) or empty string.
+ */
+function getStatementTable(string $stmt): string
+{
+    // DROP TABLE IF EXISTS `prefix_tablename`
+    if (preg_match('/^DROP\s+TABLE\s+IF\s+EXISTS\s+`([^`]+)`/i', $stmt, $m)) {
+        return $m[1];
+    }
+
+    // CREATE TABLE `prefix_tablename` or CREATE TABLE IF NOT EXISTS `prefix_tablename`
+    if (preg_match('/^CREATE\s+TABLE(?:\s+IF\s+NOT\s+EXISTS)?\s+`([^`]+)`/i', $stmt, $m)) {
+        return $m[1];
+    }
+
+    // INSERT INTO `prefix_tablename`
+    if (preg_match('/^INSERT\s+INTO\s+`([^`]+)`/i', $stmt, $m)) {
+        return $m[1];
+    }
+
+    return '';
+}
+
 function actionTestDb(array $data): array
 {
    $host = $data['db_host'] ?? 'localhost';
@@ -423,10 +670,27 @@ function actionDatabase(array $data): array
    // Replace abstract #__ prefix with the user's target prefix
    $sql = str_replace('#__', $prefix, $sql);

+    // Decode per-table conflict resolution selections
+    // Keys are abstract table names (#__xxx), values are: replace|skip|merge|dataonly
+    $tableResolutions = [];
+
+    if (!empty($data['table_resolutions'])) {
+        $decoded = json_decode($data['table_resolutions'], true);
+
+        if (is_array($decoded)) {
+            // Remap from abstract #__ names to the real prefix
+            foreach ($decoded as $abstractName => $mode) {
+                $realName = str_replace('#__', $prefix, $abstractName);
+                $tableResolutions[$realName] = $mode;
+            }
+        }
+    }
+
    $parts      = explode(";\n", $sql);
    $statements = 0;
    $errors     = 0;
    $errorList  = [];
+    $skipped    = 0;

    foreach ($parts as $part) {
        $part = trim($part);
@@ -435,6 +699,42 @@ function actionDatabase(array $data): array
            continue;
        }

+        // Determine which table this statement belongs to
+        $table = getStatementTable($part);
+        $mode  = $tableResolutions[$table] ?? 'replace';
+
+        // Apply conflict resolution per table
+        if ($mode === 'skip') {
+            $skipped++;
+            continue;
+        }
+
+        $isDrop   = (bool) preg_match('/^DROP\s+TABLE/i', $part);
+        $isCreate = (bool) preg_match('/^CREATE\s+TABLE/i', $part);
+        $isInsert = (bool) preg_match('/^INSERT\s+INTO/i', $part);
+
+        if ($mode === 'merge') {
+            // Skip DROP and CREATE; convert INSERT INTO to INSERT IGNORE INTO
+            if ($isDrop || $isCreate) {
+                $skipped++;
+                continue;
+            }
+
+            if ($isInsert) {
+                $part = preg_replace('/^INSERT\s+INTO/i', 'INSERT IGNORE INTO', $part);
+            }
+        } elseif ($mode === 'dataonly') {
+            /* Skip DROP and CREATE; use REPLACE INTO for data (overwrites on duplicate key) */
+            if ($isDrop || $isCreate) {
+                $skipped++;
+                continue;
+            }
+            if ($isInsert) {
+                $part = preg_replace('/^INSERT\s+INTO/i', 'REPLACE INTO', $part);
+            }
+        }
+        // mode === 'replace' => execute everything as-is (default)
+
        try {
            $pdo->exec($part);
            $statements++;
@@ -449,11 +749,22 @@ function actionDatabase(array $data): array

    $pdo->exec('SET FOREIGN_KEY_CHECKS = 1');

+    $msg = "Executed {$statements} statements";
+
+    if ($skipped > 0) {
+        $msg .= " ({$skipped} skipped)";
+    }
+
+    if ($errors > 0) {
+        $msg .= " ({$errors} warnings)";
+    }
+
    return [
        'success'    => ($statements > 0 || $errors === 0),
-        'message'    => "Executed {$statements} statements" . ($errors ? " ({$errors} warnings)" : ''),
+        'message'    => $msg,
        'statements' => $statements,
        'errors'     => $errors,
+        'skipped'    => $skipped,
        'errorList'  => $errorList,
    ];
 }
@@ -804,6 +1115,128 @@ function actionResetAdmin(array $data): array
    return ['success' => true, 'message' => 'Admin password updated successfully'];
 }

+function actionPostRestore(array $data): array
+{
+    $pdo     = getDbConnection($data);
+    $prefix  = getValidatedPrefix($data);
+    $tasks   = json_decode($data['tasks'] ?? '[]', true) ?: [];
+    $results = [];
+
+    foreach ($tasks as $task) {
+        try {
+            switch ($task) {
+                case 'reset_passwords':
+                    /* Set all user passwords to a random temporary hash, block non-admin users */
+                    $tempPassword = bin2hex(random_bytes(8)); /* 16-char random hex */
+                    // clear activation tokens, and force password reset on next login.
+                    $tempHash = password_hash($tempPassword, PASSWORD_DEFAULT);
+                    $stmt = $pdo->prepare(
+                        "UPDATE {$prefix}users SET password = ?, activation = '', requireReset = 1"
+                    );
+                    $stmt->execute([$tempHash]);
+                    $affected = $stmt->rowCount();
+                    $results[] = "All {$affected} user password(s) reset to temporary password ({$tempPassword}) with forced reset";
+                    break;
+
+                case 'reset_hits':
+                    $pdo->exec("UPDATE {$prefix}content SET hits = 0");
+                    $results[] = 'Content hits reset to 0';
+                    break;
+
+                case 'clear_versions':
+                    try {
+                        $pdo->exec("TRUNCATE TABLE {$prefix}history");
+                        $results[] = 'Content version history cleared';
+                    } catch (PDOException $e) {
+                        $results[] = 'Version history: table not found (skipped)';
+                    }
+                    break;
+
+                case 'clear_sessions':
+                    $pdo->exec("TRUNCATE TABLE {$prefix}session");
+                    $results[] = 'Sessions cleared';
+                    break;
+
+                case 'clear_cache':
+                    // Clear Joomla cache tables
+                    foreach (['cache', 'cache_extension'] as $tbl) {
+                        try {
+                            $pdo->exec("TRUNCATE TABLE {$prefix}{$tbl}");
+                        } catch (PDOException $e) {
+                            // Table may not exist
+                        }
+                    }
+
+                    // Delete files in cache/ directory
+                    $cacheDir = RESTORE_DIR . '/cache';
+                    $cacheCount = 0;
+
+                    if (is_dir($cacheDir)) {
+                        $it = new RecursiveIteratorIterator(
+                            new RecursiveDirectoryIterator($cacheDir, RecursiveDirectoryIterator::SKIP_DOTS),
+                            RecursiveIteratorIterator::CHILD_FIRST
+                        );
+
+                        foreach ($it as $item) {
+                            if ($item->isFile()) {
+                                @unlink($item->getPathname());
+                                $cacheCount++;
+                            } elseif ($item->isDir()) {
+                                @rmdir($item->getPathname());
+                            }
+                        }
+                    }
+
+                    // Also clear administrator/cache/
+                    $adminCacheDir = RESTORE_DIR . '/administrator/cache';
+
+                    if (is_dir($adminCacheDir)) {
+                        $it = new RecursiveIteratorIterator(
+                            new RecursiveDirectoryIterator($adminCacheDir, RecursiveDirectoryIterator::SKIP_DOTS),
+                            RecursiveIteratorIterator::CHILD_FIRST
+                        );
+
+                        foreach ($it as $item) {
+                            if ($item->isFile()) {
+                                @unlink($item->getPathname());
+                                $cacheCount++;
+                            } elseif ($item->isDir()) {
+                                @rmdir($item->getPathname());
+                            }
+                        }
+                    }
+
+                    $results[] = "Cache tables cleared, {$cacheCount} cache file(s) removed";
+                    break;
+
+                default:
+                    $results[] = "Unknown task: {$task}";
+            }
+        } catch (Throwable $e) {
+            $results[] = "Error ({$task}): " . $e->getMessage();
+        }
+    }
+
+    return ['success' => true, 'results' => $results, 'message' => count($results) . ' post-restore task(s) completed'];
+}
+
+/**
+ * Detect whether the database contains sanitized sentinel password hashes.
+ * Returns true if any user has the MokoSuiteBackup sanitized placeholder hash.
+ */
+function detectSanitizedPasswords(array $data): array
+{
+    $pdo    = getDbConnection($data);
+    $prefix = getValidatedPrefix($data);
+    $sentinel = '$2y$10$SANITIZED.MOKOSUITEBACKUP.INVALID.HASH.DO.NOT.USE.000000';
+
+    $stmt = $pdo->prepare("SELECT COUNT(*) FROM {$prefix}users WHERE password = ?");
+    $stmt->execute([$sentinel]);
+    $count = (int) $stmt->fetchColumn();
+
+    return ['success' => true, 'detected' => $count > 0, 'count' => $count];
+}
+
 function actionProvision(array $data): array
 {
    $pdo    = getDbConnection($data);
@@ -1048,11 +1481,13 @@ body{font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,'Helvetica N
    <div class="mr-steps" id="stepBar">
        <div class="mr-step active" data-step="1"><span class="mr-num">1</span>Checks</div>
        <div class="mr-step" data-step="2"><span class="mr-num">2</span>Extract</div>
-        <div class="mr-step" data-step="3"><span class="mr-num">3</span>Database</div>
-        <div class="mr-step" data-step="4"><span class="mr-num">4</span>Configuration</div>
-        <div class="mr-step" data-step="5"><span class="mr-num">5</span>Admin</div>
-        <div class="mr-step" data-step="6"><span class="mr-num">6</span>Provisioning</div>
-        <div class="mr-step" data-step="7"><span class="mr-num">7</span>Complete</div>
+        <div class="mr-step" data-step="3"><span class="mr-num">3</span>Tables</div>
+        <div class="mr-step" data-step="4"><span class="mr-num">4</span>Database</div>
+        <div class="mr-step" data-step="5"><span class="mr-num">5</span>Configuration</div>
+        <div class="mr-step" data-step="6"><span class="mr-num">6</span>Admin</div>
+        <div class="mr-step" data-step="7"><span class="mr-num">7</span>Post-Restore</div>
+        <div class="mr-step" data-step="8"><span class="mr-num">8</span>Provisioning</div>
+        <div class="mr-step" data-step="9"><span class="mr-num">9</span>Complete</div>
    </div>

    <!-- Step 0: Security Verification -->
@@ -1107,8 +1542,36 @@ body{font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,'Helvetica N
        </div>
    </div>

-    <!-- Step 3: Database -->
+    <!-- Step 3: Table Conflict Resolution -->
    <div class="mr-panel" id="panel3">
+        <h2>Table Conflict Resolution</h2>
+        <p class="mr-desc">Choose how each table should be handled during database import. This lets you protect specific tables (e.g. users) from being overwritten.</p>
+        <div style="margin-bottom:1rem;display:flex;gap:0.5rem;flex-wrap:wrap">
+            <button class="mr-btn mr-btn-outline" style="font-size:0.8rem;padding:0.4rem 0.8rem" onclick="setAllTableMode('replace')">All Replace</button>
+            <button class="mr-btn mr-btn-outline" style="font-size:0.8rem;padding:0.4rem 0.8rem" onclick="setAllTableMode('skip')">All Skip</button>
+            <button class="mr-btn mr-btn-outline" style="font-size:0.8rem;padding:0.4rem 0.8rem" onclick="setAllTableMode('merge')">All Merge</button>
+            <button class="mr-btn mr-btn-outline" style="font-size:0.8rem;padding:0.4rem 0.8rem" onclick="presetExceptUsers()">Everything except users</button>
+        </div>
+        <div class="mr-alert mr-alert-info" style="font-size:0.85rem">
+            <strong>Modes:</strong>
+            <strong>Replace</strong> = drop + recreate + insert (default).
+            <strong>Skip</strong> = ignore entirely.
+            <strong>Merge</strong> = keep existing table, INSERT IGNORE new rows.
+            <strong>Data Only</strong> = keep schema, INSERT data as-is (assumes matching structure).
+        </div>
+        <div id="tableResolutionList" style="max-height:400px;overflow-y:auto;border:1px solid #e2e8f0;border-radius:8px;margin-top:1rem">
+            <div style="padding:1rem;color:#94a3b8;text-align:center">Scanning tables...</div>
+        </div>
+        <input type="hidden" id="tableResolutions" value="{}">
+        <div class="mr-status" id="tableScanStatus"></div>
+        <div class="mr-actions">
+            <button class="mr-btn mr-btn-outline" onclick="goStep(2)">Back</button>
+            <button class="mr-btn mr-btn-primary" id="btnTablesContinue" onclick="goStep(4)">Continue to Database</button>
+        </div>
+    </div>
+
+    <!-- Step 4: Database -->
+    <div class="mr-panel" id="panel4">
        <h2>Database Configuration</h2>
        <p class="mr-desc">Enter the database credentials for this server. The SQL dump will be imported.</p>
        <div class="mr-row">
@@ -1127,13 +1590,13 @@ body{font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,'Helvetica N
        <div class="mr-progress"><div class="mr-progress-bar" id="dbProgress" style="width:0%"></div></div>
        <div class="mr-status" id="dbStatus"></div>
        <div class="mr-actions">
-            <button class="mr-btn mr-btn-outline" onclick="goStep(2)">Back</button>
+            <button class="mr-btn mr-btn-outline" onclick="goStep(3)">Back</button>
            <button class="mr-btn mr-btn-primary" id="btnImport" onclick="runDatabase()">Import Database</button>
        </div>
    </div>

-    <!-- Step 4: Site Configuration -->
-    <div class="mr-panel" id="panel4">
+    <!-- Step 5: Site Configuration -->
+    <div class="mr-panel" id="panel5">
        <h2>Site Configuration</h2>
        <p class="mr-desc">Configure your site settings. Credentials were removed from the backup for security &mdash; enter the correct values for this server.</p>

@@ -1176,13 +1639,13 @@ body{font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,'Helvetica N
        </div>
        <div class="mr-status" id="configStatus"></div>
        <div class="mr-actions">
-            <button class="mr-btn mr-btn-outline" onclick="goStep(3)">Back</button>
+            <button class="mr-btn mr-btn-outline" onclick="goStep(4)">Back</button>
            <button class="mr-btn mr-btn-primary" id="btnConfig" onclick="runConfig()">Save Configuration</button>
        </div>
    </div>

-    <!-- Step 5: Admin Password Reset -->
-    <div class="mr-panel" id="panel5">
+    <!-- Step 6: Admin Password Reset -->
+    <div class="mr-panel" id="panel6">
        <h2>Super Admin Password</h2>
        <p class="mr-desc">Reset the password for a super administrator account. This is optional but recommended after restoring to a new server.</p>
        <div class="mr-field">
@@ -1195,16 +1658,40 @@ body{font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,'Helvetica N
        </div>
        <div class="mr-status" id="adminStatus"></div>
        <div class="mr-actions">
-            <button class="mr-btn mr-btn-outline" onclick="goStep(4)">Back</button>
+            <button class="mr-btn mr-btn-outline" onclick="goStep(5)">Back</button>
            <div>
-                <button class="mr-btn mr-btn-outline" onclick="goStep(6)">Skip</button>
+                <button class="mr-btn mr-btn-outline" onclick="goStep(7)">Skip</button>
                <button class="mr-btn mr-btn-primary" id="btnResetAdmin" onclick="runResetAdmin()">Reset Password</button>
            </div>
        </div>
    </div>

-    <!-- Step 6: Client Provisioning -->
-    <div class="mr-panel" id="panel6">
+    <!-- Step 7: Post-Restore Actions -->
+    <div class="mr-panel" id="panel7">
+        <h2>Post-Restore Actions</h2>
+        <p class="mr-desc">Optional reset tasks to clean up the restored database. These are especially useful when restoring a sanitized backup.</p>
+        <div class="mr-alert mr-alert-warn" id="postRestoreSanitizedWarn" style="display:none">
+            <strong>Sanitized passwords detected!</strong> This backup contains placeholder password hashes that will prevent all users from logging in. The "Reset all user passwords" option below is strongly recommended.
+        </div>
+        <ul class="mr-provision-list" id="postRestoreList">
+            <li><input type="checkbox" class="post-restore-task" id="prResetPasswords" value="reset_passwords"><span>Reset all user passwords</span><span class="mr-provision-desc">Set to random temporary password and force reset on next login</span></li>
+            <li><input type="checkbox" class="post-restore-task" value="reset_hits"><span>Reset content hits</span><span class="mr-provision-desc">Set all article hit counters to 0</span></li>
+            <li><input type="checkbox" class="post-restore-task" value="clear_versions"><span>Clear version history</span><span class="mr-provision-desc">Truncate the content version history table</span></li>
+            <li><input type="checkbox" class="post-restore-task" value="clear_sessions" checked><span>Clear sessions</span><span class="mr-provision-desc">Remove all active user sessions</span></li>
+            <li><input type="checkbox" class="post-restore-task" value="clear_cache" checked><span>Clear cache</span><span class="mr-provision-desc">Truncate cache tables and delete cache files</span></li>
+        </ul>
+        <div class="mr-status" id="postRestoreStatus"></div>
+        <div class="mr-actions">
+            <button class="mr-btn mr-btn-outline" onclick="goStep(6)">Back</button>
+            <div>
+                <button class="mr-btn mr-btn-outline" onclick="goStep(8)">Skip</button>
+                <button class="mr-btn mr-btn-primary" id="btnPostRestore" onclick="runPostRestore()">Run Selected Tasks</button>
+            </div>
+        </div>
+    </div>
+
+    <!-- Step 8: Client Provisioning -->
+    <div class="mr-panel" id="panel8">
        <h2>Client Provisioning</h2>
        <p class="mr-desc">Optional cleanup tasks for deploying this backup as a new client site. Check the tasks you want to run.</p>
        <ul class="mr-provision-list">
@@ -1219,16 +1706,16 @@ body{font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,'Helvetica N
        </ul>
        <div class="mr-status" id="provisionStatus"></div>
        <div class="mr-actions">
-            <button class="mr-btn mr-btn-outline" onclick="goStep(5)">Back</button>
+            <button class="mr-btn mr-btn-outline" onclick="goStep(7)">Back</button>
            <div>
-                <button class="mr-btn mr-btn-outline" onclick="goStep(7)">Skip</button>
+                <button class="mr-btn mr-btn-outline" onclick="goStep(9)">Skip</button>
                <button class="mr-btn mr-btn-primary" id="btnProvision" onclick="runProvision()">Run Selected Tasks</button>
            </div>
        </div>
    </div>

-    <!-- Step 7: Complete -->
-    <div class="mr-panel" id="panel7">
+    <!-- Step 9: Complete -->
+    <div class="mr-panel" id="panel9">
        <h2>Installation Complete</h2>
        <p class="mr-desc">Your Joomla site has been restored and configured.</p>
        <div class="mr-alert mr-alert-success">
@@ -1299,7 +1786,9 @@ function goStep(n) {
        else if (sn < n) s.classList.add('done');
    });

-    if (n === 5) loadAdmins();
+    if (n === 3) scanTables();
+    if (n === 6) loadAdmins();
+    if (n === 7) checkSanitizedPasswords();
 }

 function setStatus(id, msg, type) {
@@ -1436,7 +1925,111 @@ async function runExtract() {
    }
 }

-// Step 3
+// Step 3: Table Conflict Resolution
+let tableList = [];
+
+async function scanTables() {
+    const container = document.getElementById('tableResolutionList');
+
+    // Only scan once
+    if (tableList.length > 0) return;
+
+    log('Scanning database.sql for table names...');
+    const r = await post('scanTables');
+
+    if (!r.success || !r.tables || r.tables.length === 0) {
+        container.innerHTML = '<div style="padding:1rem;color:#94a3b8;text-align:center">No tables found in database.sql (or file not present). You can skip this step.</div>';
+        setStatus('tableScanStatus', r.tables ? 'No tables found' : (r.message || 'Scan failed'), r.success ? '' : 'error');
+        log(r.message || 'No tables found');
+        return;
+    }
+
+    tableList = r.tables;
+    log('Found ' + r.count + ' tables');
+    setStatus('tableScanStatus', 'Found ' + r.count + ' tables', 'success');
+
+    renderTableList();
+}
+
+function renderTableList() {
+    const container = document.getElementById('tableResolutionList');
+    container.innerHTML = '';
+
+    var resolutions = {};
+
+    tableList.forEach(function(name) {
+        var row = document.createElement('div');
+        row.style.cssText = 'display:flex;align-items:center;justify-content:space-between;padding:0.5rem 0.75rem;border-bottom:1px solid #f1f5f9;font-size:0.85rem;';
+
+        var label = document.createElement('span');
+        label.style.cssText = 'font-family:monospace;color:#334155;word-break:break-all;flex:1;margin-right:0.75rem;';
+        label.textContent = name;
+
+        var sel = document.createElement('select');
+        sel.dataset.table = name;
+        sel.className = 'table-mode-select';
+        sel.style.cssText = 'padding:0.3rem 0.5rem;border:1px solid #d1d5db;border-radius:4px;font-size:0.8rem;min-width:120px;background:#fff;';
+
+        var modes = [
+            ['replace', 'Replace'],
+            ['skip', 'Skip'],
+            ['merge', 'Merge'],
+            ['dataonly', 'Data Only']
+        ];
+
+        modes.forEach(function(m) {
+            var opt = document.createElement('option');
+            opt.value = m[0];
+            opt.textContent = m[1];
+            sel.appendChild(opt);
+        });
+
+        sel.addEventListener('change', updateTableResolutions);
+
+        row.appendChild(label);
+        row.appendChild(sel);
+        container.appendChild(row);
+
+        resolutions[name] = 'replace';
+    });
+
+    document.getElementById('tableResolutions').value = JSON.stringify(resolutions);
+}
+
+function updateTableResolutions() {
+    var resolutions = {};
+    document.querySelectorAll('.table-mode-select').forEach(function(sel) {
+        resolutions[sel.dataset.table] = sel.value;
+    });
+    document.getElementById('tableResolutions').value = JSON.stringify(resolutions);
+}
+
+function setAllTableMode(mode) {
+    document.querySelectorAll('.table-mode-select').forEach(function(sel) {
+        sel.value = mode;
+    });
+    updateTableResolutions();
+    log('Set all tables to: ' + mode);
+}
+
+function presetExceptUsers() {
+    var userTables = ['#__users', '#__user_usergroup_map', '#__user_profiles'];
+
+    document.querySelectorAll('.table-mode-select').forEach(function(sel) {
+        var tableName = sel.dataset.table;
+
+        if (userTables.indexOf(tableName) !== -1) {
+            sel.value = 'skip';
+        } else {
+            sel.value = 'replace';
+        }
+    });
+
+    updateTableResolutions();
+    log('Preset: Replace all except user tables (skipped)');
+}
+
+// Step 4
 function getDbParams() {
    return {
        db_host: document.getElementById('dbHost').value,
@@ -1462,7 +2055,12 @@ async function runDatabase() {
    log('Importing database...');

    dbConfig = getDbParams();
-    const r = await post('database', dbConfig);
+    // Include table conflict resolution selections
+    var tableRes = document.getElementById('tableResolutions');
+    var dbParams = Object.assign({}, dbConfig, {
+        table_resolutions: tableRes ? tableRes.value : '{}'
+    });
+    const r = await post('database', dbParams);

    document.getElementById('dbProgress').style.width = '100%';
    setBtnLoading(btn, false);
@@ -1470,17 +2068,20 @@ async function runDatabase() {
    if (r.success) {
        setStatus('dbStatus', r.message, 'success');
        log(r.message);
+        if (r.skipped && r.skipped > 0) {
+            log('  Skipped ' + r.skipped + ' statements due to conflict resolution');
+        }
        if (r.errorList && r.errorList.length > 0) {
            r.errorList.forEach(function(e) { log('  Warning: ' + e); });
        }
-        setTimeout(function() { goStep(4); }, 500);
+        setTimeout(function() { goStep(5); }, 500);
    } else {
        setStatus('dbStatus', r.message, 'error');
        log('FAILED: ' + r.message);
    }
 }

-// Step 4
+// Step 5
 async function runConfig() {
    const btn = document.getElementById('btnConfig');
    setBtnLoading(btn, true);
@@ -1501,14 +2102,14 @@ async function runConfig() {
    if (r.success) {
        setStatus('configStatus', r.message, 'success');
        log(r.message);
-        setTimeout(function() { goStep(5); }, 500);
+        setTimeout(function() { goStep(6); }, 500);
    } else {
        setStatus('configStatus', r.message, 'error');
        log('FAILED: ' + r.message);
    }
 }

-// Step 5
+// Step 6
 async function loadAdmins() {
    const sel = document.getElementById('adminSelect');
    while (sel.firstChild) sel.removeChild(sel.firstChild);
@@ -1553,20 +2154,65 @@ async function runResetAdmin() {
    if (r.success) {
        setStatus('adminStatus', r.message, 'success');
        log(r.message);
-        setTimeout(function() { goStep(6); }, 500);
+        setTimeout(function() { goStep(7); }, 500);
    } else {
        setStatus('adminStatus', r.message, 'error');
        log('FAILED: ' + r.message);
    }
 }

-// Step 6
+// Step 7: Post-Restore
+async function checkSanitizedPasswords() {
+    log('Checking for sanitized password hashes...');
+
+    try {
+        const r = await post('detectSanitized', dbConfig);
+
+        if (r.success && r.detected) {
+            document.getElementById('postRestoreSanitizedWarn').style.display = '';
+            document.getElementById('prResetPasswords').checked = true;
+            log('WARNING: ' + r.count + ' user(s) have sanitized placeholder passwords');
+        } else {
+            document.getElementById('postRestoreSanitizedWarn').style.display = 'none';
+            log('No sanitized passwords detected');
+        }
+    } catch (e) {
+        log('Could not check for sanitized passwords: ' + e.message);
+    }
+}
+
+async function runPostRestore() {
+    const btn = document.getElementById('btnPostRestore');
+    const tasks = [];
+    document.querySelectorAll('.post-restore-task:checked').forEach(function(cb) { tasks.push(cb.value); });
+
+    if (tasks.length === 0) { goStep(8); return; }
+
+    setBtnLoading(btn, true);
+    log('Running ' + tasks.length + ' post-restore task(s)...');
+
+    const params = Object.assign({}, dbConfig, { tasks: JSON.stringify(tasks) });
+    const r = await post('postRestore', params);
+
+    setBtnLoading(btn, false);
+
+    if (r.success) {
+        setStatus('postRestoreStatus', r.message, 'success');
+        r.results.forEach(function(msg) { log('  ' + msg); });
+        setTimeout(function() { goStep(8); }, 500);
+    } else {
+        setStatus('postRestoreStatus', r.message, 'error');
+        log('FAILED: ' + r.message);
+    }
+}
+
+// Step 8
 async function runProvision() {
    const btn = document.getElementById('btnProvision');
    const tasks = [];
    document.querySelectorAll('.prov-task:checked').forEach(function(cb) { tasks.push(cb.value); });

-    if (tasks.length === 0) { goStep(7); return; }
+    if (tasks.length === 0) { goStep(9); return; }

    setBtnLoading(btn, true);
    log('Running ' + tasks.length + ' provisioning tasks...');
@@ -1579,14 +2225,14 @@ async function runProvision() {
    if (r.success) {
        setStatus('provisionStatus', r.message, 'success');
        r.results.forEach(function(msg) { log('  ' + msg); });
-        setTimeout(function() { goStep(7); }, 500);
+        setTimeout(function() { goStep(9); }, 500);
    } else {
        setStatus('provisionStatus', r.message, 'error');
        log('FAILED: ' + r.message);
    }
 }

-// Step 7
+// Step 9
 async function runCleanup() {
    log('Cleaning up restore files...');
    const r = await post('cleanup');
@@ -236,6 +236,297 @@ class NotificationSender
 		}
 	}

+	/**
+	 * Send a restore/snapshot notification via email and ntfy.
+	 *
+	 * @param   object  $profile  Profile object with notification settings
+	 * @param   string  $type     One of: site_restore, snapshot_create, snapshot_restore
+	 * @param   array   $details  Context: record_id, content_types, row_count, mode, user, etc.
+	 * @param   string  $log      Operation log text
+	 *
+	 * @return  bool  True if at least one notification was sent
+	 */
+	public static function sendRestoreNotification(object $profile, string $type, array $details, string $log = ''): bool
+	{
+		$emailSent = self::sendRestoreEmail($profile, $type, $details, $log);
+		$ntfySent  = self::sendRestoreNtfy($profile, $type, $details);
+
+		return $emailSent || $ntfySent;
+	}
+
+	/**
+	 * Load the default profile (ID 1) for notification settings.
+	 *
+	 * @return  object|null  Profile object or null if not found
+	 */
+	public static function getDefaultProfile(): ?object
+	{
+		try {
+			$db    = Factory::getDbo();
+			$query = $db->getQuery(true)
+				->select('*')
+				->from($db->quoteName('#__mokosuitebackup_profiles'))
+				->where($db->quoteName('id') . ' = 1');
+			$db->setQuery($query);
+
+			return $db->loadObject() ?: null;
+		} catch (\Throwable $e) {
+			error_log('MokoSuiteBackup: Cannot load default profile: ' . $e->getMessage());
+
+			return null;
+		}
+	}
+
+	/**
+	 * Build subject and body for a restore/snapshot notification email.
+	 */
+	private static function buildRestoreMessage(string $type, array $details, string $siteName, string $siteUrl): array
+	{
+		$user = $details['user'] ?? 'Unknown';
+
+		switch ($type) {
+			case 'site_restore':
+				$subject = "[MokoSuiteBackup] RESTORE: Site restored — {$siteName}";
+				$options  = [];
+
+				if (!empty($details['restore_files'])) {
+					$options[] = 'Files';
+				}
+
+				if (!empty($details['restore_db'])) {
+					$options[] = 'Database';
+				}
+
+				if (!empty($details['preserve_config'])) {
+					$options[] = 'Config preserved';
+				}
+
+				$body = "MokoSuiteBackup — Site Restore Notification\n"
+					. "=============================================\n\n"
+					. "Site:        {$siteName}\n"
+					. "URL:         {$siteUrl}\n"
+					. "Action:      Full site restore\n"
+					. "Record ID:   " . ($details['record_id'] ?? 'N/A') . "\n"
+					. "Options:     " . (empty($options) ? 'N/A' : implode(', ', $options)) . "\n"
+					. "Triggered by: {$user}\n";
+				break;
+
+			case 'snapshot_create':
+				$types = $details['content_types'] ?? [];
+				$typesStr = !empty($types) ? implode(', ', $types) : 'N/A';
+
+				$subject = "[MokoSuiteBackup] SNAPSHOT: Content snapshot created — {$siteName}";
+				$body = "MokoSuiteBackup — Snapshot Created\n"
+					. "===================================\n\n"
+					. "Site:           {$siteName}\n"
+					. "URL:            {$siteUrl}\n"
+					. "Action:         Snapshot created\n"
+					. "Content types:  {$typesStr}\n"
+					. "Articles:       " . ($details['articles_count'] ?? 0) . "\n"
+					. "Categories:     " . ($details['categories_count'] ?? 0) . "\n"
+					. "Modules:        " . ($details['modules_count'] ?? 0) . "\n"
+					. "Triggered by:   {$user}\n";
+				break;
+
+			case 'snapshot_restore':
+				$types = $details['content_types'] ?? [];
+				$typesStr = !empty($types) ? implode(', ', $types) : 'N/A';
+
+				$subject = "[MokoSuiteBackup] RESTORE: Snapshot restored — {$siteName}";
+				$body = "MokoSuiteBackup — Snapshot Restore Notification\n"
+					. "================================================\n\n"
+					. "Site:           {$siteName}\n"
+					. "URL:            {$siteUrl}\n"
+					. "Action:         Snapshot restore\n"
+					. "Mode:           " . ($details['mode'] ?? 'N/A') . "\n"
+					. "Content types:  {$typesStr}\n"
+					. "Rows restored:  " . ($details['row_count'] ?? 0) . "\n"
+					. "Triggered by:   {$user}\n";
+				break;
+
+			default:
+				$subject = "[MokoSuiteBackup] NOTIFICATION: {$type} — {$siteName}";
+				$body = "MokoSuiteBackup Notification\n"
+					. "============================\n\n"
+					. "Site:    {$siteName}\n"
+					. "URL:     {$siteUrl}\n"
+					. "Type:    {$type}\n"
+					. "Details: " . json_encode($details) . "\n";
+				break;
+		}
+
+		$body .= "\n--\n"
+			. "MokoSuiteBackup — https://mokoconsulting.tech\n";
+
+		return ['subject' => $subject, 'body' => $body];
+	}
+
+	/**
+	 * Send a restore/snapshot notification email.
+	 */
+	private static function sendRestoreEmail(object $profile, string $type, array $details, string $log = ''): bool
+	{
+		$notifyEmail      = trim($profile->notify_email ?? '');
+		$notifyUserGroups = $profile->notify_user_groups ?? '';
+
+		$groupEmails = self::resolveUserGroupEmails($notifyUserGroups);
+
+		if (empty($notifyEmail) && empty($groupEmails)) {
+			return false;
+		}
+
+		// Restore notifications are always "success" events — use notify_on_success preference
+		if (empty($profile->notify_on_success)) {
+			return false;
+		}
+
+		try {
+			$mailer   = Factory::getMailer();
+			$config   = Factory::getApplication()->getConfig();
+			$siteName = $config->get('sitename', 'Joomla Site');
+			$siteUrl  = Uri::root();
+
+			$recipients = array_map('trim', explode(',', $notifyEmail));
+			$recipients = array_merge($recipients, $groupEmails);
+			$recipients = array_unique(array_filter($recipients, fn($e) => filter_var($e, FILTER_VALIDATE_EMAIL)));
+
+			if (empty($recipients)) {
+				return false;
+			}
+
+			foreach ($recipients as $recipient) {
+				$mailer->addRecipient($recipient);
+			}
+
+			$message = self::buildRestoreMessage($type, $details, $siteName, $siteUrl);
+			$mailer->setSubject($message['subject']);
+
+			$body = $message['body'];
+
+			// Append log excerpt if provided (last 30 lines)
+			if (!empty($log)) {
+				$logLines = explode("\n", $log);
+				$excerpt  = array_slice($logLines, -30);
+				$body .= "\n--- Log (last 30 lines) ---\n"
+					. implode("\n", $excerpt) . "\n";
+			}
+
+			$mailer->setBody($body);
+			$mailer->isHtml(false);
+
+			return $mailer->Send();
+		} catch (\Throwable $e) {
+			error_log('MokoSuiteBackup restore notification error: ' . $e->getMessage());
+
+			return false;
+		}
+	}
+
+	/**
+	 * Send a restore/snapshot push notification via ntfy.
+	 */
+	private static function sendRestoreNtfy(object $profile, string $type, array $details): bool
+	{
+		$topic  = trim($profile->ntfy_topic ?? '');
+		$server = trim($profile->ntfy_server ?? 'https://ntfy.sh');
+		$token  = trim($profile->ntfy_token ?? '');
+
+		if ($topic === '') {
+			return false;
+		}
+
+		// Restore notifications are always "success" events — use notify_on_success preference
+		if (empty($profile->notify_on_success)) {
+			return false;
+		}
+
+		if (!function_exists('curl_init')) {
+			error_log('MokoSuiteBackup: ntfy notifications require ext-curl');
+
+			return false;
+		}
+
+		try {
+			$config   = Factory::getApplication()->getConfig();
+			$siteName = $config->get('sitename', 'Joomla Site');
+
+			switch ($type) {
+				case 'site_restore':
+					$emoji = "\xF0\x9F\x94\x84"; // 🔄
+					$title = "{$emoji} Site Restored: {$siteName}";
+					$body  = "Record ID: " . ($details['record_id'] ?? 'N/A') . "\n"
+						. "Triggered by: " . ($details['user'] ?? 'Unknown');
+					break;
+
+				case 'snapshot_create':
+					$emoji = "\xF0\x9F\x93\xB8"; // 📸
+					$types = $details['content_types'] ?? [];
+					$title = "{$emoji} Snapshot Created: {$siteName}";
+					$body  = "Types: " . implode(', ', $types) . "\n"
+						. "Articles: " . ($details['articles_count'] ?? 0) . "\n"
+						. "Categories: " . ($details['categories_count'] ?? 0) . "\n"
+						. "Modules: " . ($details['modules_count'] ?? 0);
+					break;
+
+				case 'snapshot_restore':
+					$emoji = "\xF0\x9F\x94\x84"; // 🔄
+					$types = $details['content_types'] ?? [];
+					$title = "{$emoji} Snapshot Restored: {$siteName}";
+					$body  = "Mode: " . ($details['mode'] ?? 'N/A') . "\n"
+						. "Types: " . implode(', ', $types) . "\n"
+						. "Rows: " . ($details['row_count'] ?? 0);
+					break;
+
+				default:
+					$title = "MokoSuiteBackup: {$type} — {$siteName}";
+					$body  = json_encode($details);
+					break;
+			}
+
+			$url = rtrim($server, '/') . '/' . rawurlencode($topic);
+
+			$headers = [
+				'Title: ' . $title,
+				'Priority: 3',
+				'Tags: arrows_counterclockwise',
+			];
+
+			if ($token !== '') {
+				$headers[] = 'Authorization: Bearer ' . $token;
+			}
+
+			$ch = curl_init($url);
+			curl_setopt_array($ch, [
+				CURLOPT_POST           => true,
+				CURLOPT_POSTFIELDS     => $body,
+				CURLOPT_HTTPHEADER     => $headers,
+				CURLOPT_RETURNTRANSFER => true,
+				CURLOPT_TIMEOUT        => 10,
+				CURLOPT_CONNECTTIMEOUT => 5,
+			]);
+
+			$response = curl_exec($ch);
+			$httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
+			$error    = curl_error($ch);
+			curl_close($ch);
+
+			if ($error !== '') {
+				error_log('MokoSuiteBackup: ntfy error: ' . $error);
+				return false;
+			}
+
+			if ($httpCode < 200 || $httpCode >= 300) {
+				error_log('MokoSuiteBackup: ntfy returned HTTP ' . $httpCode . ': ' . substr((string) $response, 0, 200));
+				return false;
+			}
+
+			return true;
+		} catch (\Throwable $e) {
+			error_log('MokoSuiteBackup: ntfy restore notification error: ' . $e->getMessage());
+			return false;
+		}
+	}
+
 	/**
 	 * Resolve user group IDs to email addresses of group members.
 	 *
@@ -7,7 +7,7 @@
 * @copyright   Copyright (C) 2026 Moko Consulting. All rights reserved.
 * @license     GNU General Public License version 3 or later; see LICENSE
 *
- * Resolves placeholders like [host], [date], [profile_name] in backup
+ * Resolves placeholders like [HOST], [DATE], [PROFILE_NAME] in backup
 * directory paths and archive filename formats.
 */

@@ -24,21 +24,21 @@ class PlaceholderResolver
 	 * Supported placeholders and their descriptions (for documentation).
 	 */
 	public const PLACEHOLDERS = [
-		'[host]'         => 'Server hostname',
-		'[date]'         => 'Date as Ymd (e.g. 20260604)',
-		'[time]'         => 'Time as His (e.g. 143025)',
-		'[datetime]'     => 'Date and time as Ymd_His',
-		'[year]'         => 'Four-digit year',
-		'[month]'        => 'Two-digit month',
-		'[day]'          => 'Two-digit day',
-		'[hour]'         => 'Two-digit hour (24h)',
-		'[minute]'       => 'Two-digit minute',
-		'[second]'       => 'Two-digit second',
-		'[profile_id]'   => 'Backup profile ID',
-		'[profile_name]' => 'Profile title (sanitized)',
-		'[site_name]'    => 'Joomla site name (sanitized)',
-		'[type]'         => 'Backup type (full, database, files, differential)',
-		'[random]'       => 'Random 6-character hex string',
+		'[HOST]'         => 'Server hostname',
+		'[DATE]'         => 'Date as Ymd (e.g. 20260604)',
+		'[TIME]'         => 'Time as His (e.g. 143025)',
+		'[DATETIME]'     => 'Date and time as Ymd_His',
+		'[YEAR]'         => 'Four-digit year',
+		'[MONTH]'        => 'Two-digit month',
+		'[DAY]'          => 'Two-digit day',
+		'[HOUR]'         => 'Two-digit hour (24h)',
+		'[MINUTE]'       => 'Two-digit minute',
+		'[SECOND]'       => 'Two-digit second',
+		'[PROFILE_ID]'   => 'Backup profile ID',
+		'[PROFILE_NAME]' => 'Profile title (sanitized)',
+		'[SITE_NAME]'    => 'Joomla site name (sanitized)',
+		'[TYPE]'         => 'Backup type (full, database, files, differential)',
+		'[RANDOM]'       => 'Random 6-character hex string',
 		'[DEFAULT_DIR]'  => 'Default backup directory',
 		'[HOME]'         => 'Home directory of the PHP process owner',
 	];
@@ -62,21 +62,21 @@ class PlaceholderResolver
 		}

 		$this->replacements = [
-			'[host]'         => $hostname,
-			'[date]'         => $now->format('Ymd'),
-			'[time]'         => $now->format('His'),
-			'[datetime]'     => $now->format('Ymd_His'),
-			'[year]'         => $now->format('Y'),
-			'[month]'        => $now->format('m'),
-			'[day]'          => $now->format('d'),
-			'[hour]'         => $now->format('H'),
-			'[minute]'       => $now->format('i'),
-			'[second]'       => $now->format('s'),
-			'[profile_id]'   => (string) ($profile->id ?? '0'),
-			'[profile_name]' => $this->sanitize($profile->title ?? 'default'),
-			'[site_name]'    => $this->sanitize($siteName ?: 'joomla'),
-			'[type]'         => $profile->backup_type ?? 'full',
-			'[random]'       => bin2hex(random_bytes(3)),
+			'[HOST]'         => $hostname,
+			'[DATE]'         => $now->format('Ymd'),
+			'[TIME]'         => $now->format('His'),
+			'[DATETIME]'     => $now->format('Ymd_His'),
+			'[YEAR]'         => $now->format('Y'),
+			'[MONTH]'        => $now->format('m'),
+			'[DAY]'          => $now->format('d'),
+			'[HOUR]'         => $now->format('H'),
+			'[MINUTE]'       => $now->format('i'),
+			'[SECOND]'       => $now->format('s'),
+			'[PROFILE_ID]'   => (string) ($profile->id ?? '0'),
+			'[PROFILE_NAME]' => $this->sanitize($profile->title ?? 'default'),
+			'[SITE_NAME]'    => $this->sanitize($siteName ?: 'joomla'),
+			'[TYPE]'         => $profile->backup_type ?? 'full',
+			'[RANDOM]'       => bin2hex(random_bytes(3)),
 			'[DEFAULT_DIR]'  => BackupDirectory::getDefaultAbsolute(),
 			'[HOME]'         => BackupDirectory::getHomeDirectory(),
 		];
@@ -103,7 +103,7 @@ class PlaceholderResolver
 	 */
 	public function getHostname(): string
 	{
-		return $this->replacements['[host]'];
+		return $this->replacements['[HOST]'];
 	}

 	/**
@@ -111,7 +111,7 @@ class PlaceholderResolver
 	 */
 	public function getTag(): string
 	{
-		return $this->replacements['[datetime]'];
+		return $this->replacements['[DATETIME]'];
 	}

 	/**
@@ -278,6 +278,21 @@ class PreflightCheck

 				break;

+			case 'sftp':
+				if (empty($profile->sftp_host)) {
+					$this->warnings[] = 'SFTP host is not configured — remote upload will fail';
+				}
+
+				if (empty($profile->sftp_username)) {
+					$this->warnings[] = 'SFTP username is not configured — remote upload will fail';
+				}
+
+				if (empty($profile->sftp_key_data) && empty($profile->sftp_password)) {
+					$this->warnings[] = 'SFTP requires either a private key or password — remote upload will fail';
+				}
+
+				break;
+
 			case 'google_drive':
 				if (empty($profile->gdrive_client_id) || empty($profile->gdrive_client_secret)) {
 					$this->warnings[] = 'Google Drive OAuth credentials are not configured — remote upload will fail';
@@ -23,6 +23,7 @@ namespace Joomla\Component\MokoSuiteBackup\Administrator\Engine;
 defined('_JEXEC') or die;

 use Joomla\CMS\Factory;
+use Joomla\Event\Event;

 class RestoreEngine
 {
@@ -146,6 +147,29 @@ class RestoreEngine

 			$this->log('Restore complete');

+			// Send restore notification
+			try {
+				$profile = NotificationSender::getDefaultProfile();
+
+				if ($profile) {
+					$userId   = Factory::getApplication()->getIdentity()->id ?? 0;
+					$userName = Factory::getApplication()->getIdentity()->username ?? 'Unknown';
+
+					NotificationSender::sendRestoreNotification($profile, 'site_restore', [
+						'record_id'      => $recordId,
+						'restore_files'  => $restoreFiles,
+						'restore_db'     => $restoreDb,
+						'preserve_config' => $preserveConfig,
+						'user'           => $userName . ' (ID: ' . $userId . ')',
+					], implode("\n", $this->log));
+				}
+			} catch (\Throwable $e) {
+				error_log('MokoSuiteBackup: Restore notification failed: ' . $e->getMessage());
+			}
+
+			// Dispatch event for actionlog and other listeners
+			$this->dispatchAfterRestore(true, $recordId);
+
 			return [
 				'success' => true,
 				'message' => 'Restore complete from: ' . basename($archivePath),
@@ -165,6 +189,9 @@ class RestoreEngine
 				$this->recursiveDelete($this->stagingDir);
 			}

+			// Dispatch event for actionlog and other listeners
+			$this->dispatchAfterRestore(false, $recordId);
+
 			return [
 				'success' => false,
 				'message' => 'Restore failed: ' . $e->getMessage(),
@@ -265,6 +292,26 @@ class RestoreEngine
 		@rmdir($dir);
 	}

+	/**
+	 * Dispatch the onMokoSuiteBackupAfterRestore event so plugins (actionlog, etc.) can react.
+	 */
+	private function dispatchAfterRestore(bool $success, int $recordId): void
+	{
+		try {
+			$app = Factory::getApplication();
+
+			$event = new Event('onMokoSuiteBackupAfterRestore', [
+				'success'   => $success,
+				'record_id' => $recordId,
+			]);
+
+			$app->getDispatcher()->dispatch('onMokoSuiteBackupAfterRestore', $event);
+		} catch (\Throwable $e) {
+			// Never let a listener failure break the restore result, but log it
+			error_log('MokoSuiteBackup: onAfterRestore listener error: ' . $e->getMessage());
+		}
+	}
+
 	private function log(string $message): void
 	{
 		$this->log[] = '[' . date('H:i:s') . '] ' . $message;
@@ -0,0 +1,260 @@
+<?php
+
+/**
+ * @package     MokoSuiteBackup
+ * @subpackage  com_mokosuitebackup
+ * @author      Moko Consulting <hello@mokoconsulting.tech>
+ * @copyright   Copyright (C) 2026 Moko Consulting. All rights reserved.
+ * @license     GNU General Public License version 3 or later; see LICENSE
+ */
+
+namespace Joomla\Component\MokoSuiteBackup\Administrator\Engine;
+
+defined('_JEXEC') or die;
+
+/**
+ * 7z archiver using the 7za/7z CLI binary.
+ *
+ * Requires p7zip-full (Linux) or 7-Zip (Windows) to be installed on the server.
+ * Supports native AES-256 encryption via the -p flag.
+ */
+class SevenZipArchiver implements ArchiverInterface
+{
+	/** @var string Absolute path to the target archive */
+	private string $archivePath = '';
+
+	/** @var string[] Absolute paths of files to add */
+	private array $filePaths = [];
+
+	/** @var string[] Corresponding local names inside the archive */
+	private array $localNames = [];
+
+	/** @var string[] Temp files created by addFromString() that must be cleaned up */
+	private array $tempFiles = [];
+
+	/** @var string Optional encryption password */
+	private string $encryptionPassword = '';
+
+	/**
+	 * Set the encryption password for the archive.
+	 *
+	 * @param   string  $password  Password for AES-256 encryption
+	 */
+	public function setEncryptionPassword(string $password): void
+	{
+		$this->encryptionPassword = $password;
+	}
+
+	public function open(string $path): void
+	{
+		$this->archivePath = $path;
+		$this->filePaths   = [];
+		$this->localNames  = [];
+		$this->tempFiles   = [];
+
+		// Remove existing archive to avoid appending to stale data
+		if (is_file($path)) {
+			@unlink($path);
+		}
+	}
+
+	public function addFromString(string $localName, string $contents): void
+	{
+		// Write to a temp file so 7z can read it from disk
+		$tempDir  = \dirname($this->archivePath);
+		$tempFile = $tempDir . '/.7z-tmp-' . md5($localName . microtime(true)) . '-' . basename($localName);
+
+		if (file_put_contents($tempFile, $contents) === false) {
+			throw new \RuntimeException('SevenZipArchiver: cannot write temp file: ' . $tempFile);
+		}
+
+		$this->tempFiles[]  = $tempFile;
+		$this->filePaths[]  = $tempFile;
+		$this->localNames[] = $localName;
+	}
+
+	public function addFile(string $filePath, string $localName): void
+	{
+		$this->filePaths[]  = $filePath;
+		$this->localNames[] = $localName;
+	}
+
+	public function close(): void
+	{
+		try {
+			$this->buildArchive();
+		} finally {
+			// Always clean up temp files
+			foreach ($this->tempFiles as $tempFile) {
+				if (is_file($tempFile)) {
+					@unlink($tempFile);
+				}
+			}
+
+			$this->tempFiles = [];
+		}
+	}
+
+	public function getExtension(): string
+	{
+		return '7z';
+	}
+
+	/**
+	 * Build the 7z archive using the CLI binary.
+	 *
+	 * Writes a list file mapping local names to absolute paths, then invokes
+	 * 7za/7z to create the archive. Uses stdin rename pairs for correct
+	 * internal paths.
+	 */
+	private function buildArchive(): void
+	{
+		$binary = $this->findBinary();
+
+		if ($binary === null) {
+			throw new \RuntimeException(
+				'SevenZipArchiver: 7z/7za binary not found. '
+				. 'Install p7zip-full (Linux) or 7-Zip (Windows).'
+			);
+		}
+
+		if (empty($this->filePaths)) {
+			throw new \RuntimeException('SevenZipArchiver: no files to archive');
+		}
+
+		// Strategy: create a temporary staging directory with the correct
+		// directory structure, symlink or copy files, then archive the
+		// staging directory. This gives us correct internal paths.
+		$stagingDir = \dirname($this->archivePath) . '/.7z-staging-' . md5($this->archivePath . microtime(true));
+
+		if (!mkdir($stagingDir, 0755, true)) {
+			throw new \RuntimeException('SevenZipArchiver: cannot create staging directory: ' . $stagingDir);
+		}
+
+		try {
+			// Create the directory structure and link/copy files
+			foreach ($this->filePaths as $i => $sourcePath) {
+				$localName = $this->localNames[$i];
+				$targetPath = $stagingDir . '/' . $localName;
+				$targetDir  = \dirname($targetPath);
+
+				if (!is_dir($targetDir) && !mkdir($targetDir, 0755, true)) {
+					throw new \RuntimeException('SevenZipArchiver: cannot create directory: ' . $targetDir);
+				}
+
+				// Use symlink where possible (faster, no disk usage), fall back to copy
+				if (@symlink($sourcePath, $targetPath) === false) {
+					if (!copy($sourcePath, $targetPath)) {
+						throw new \RuntimeException('SevenZipArchiver: cannot copy file: ' . $sourcePath);
+					}
+				}
+			}
+
+			// Build command
+			$cmd = escapeshellarg($binary)
+				. ' a'
+				. ' -t7z'
+				. ' -mx=5'
+				. ' -mhe=on'
+				. ' ' . escapeshellarg($this->archivePath)
+				. ' ' . escapeshellarg($stagingDir . '/*');
+
+			// Add encryption if password is set
+			if ($this->encryptionPassword !== '') {
+				$cmd .= ' -p' . escapeshellarg($this->encryptionPassword);
+			}
+
+			// Suppress interactive prompts
+			$cmd .= ' -y';
+
+			// Redirect stderr to stdout for capture
+			$cmd .= ' 2>&1';
+
+			$output    = [];
+			$exitCode  = 0;
+			exec($cmd, $output, $exitCode);
+
+			if ($exitCode !== 0) {
+				$outputStr = implode("\n", $output);
+				throw new \RuntimeException(
+					'SevenZipArchiver: 7z exited with code ' . $exitCode . ': ' . $outputStr
+				);
+			}
+
+			if (!is_file($this->archivePath)) {
+				throw new \RuntimeException('SevenZipArchiver: archive was not created: ' . $this->archivePath);
+			}
+
+			// The archive contains paths relative to the staging dir.
+			// We need to verify that the internal structure doesn't include
+			// the staging dir name as a prefix. If 7z was given staging/*,
+			// the paths inside should be correct (relative to staging).
+		} finally {
+			// Remove staging directory
+			$this->removeDirectory($stagingDir);
+		}
+	}
+
+	/**
+	 * Locate the 7z or 7za binary.
+	 *
+	 * @return  string|null  Absolute path to binary, or null if not found
+	 */
+	private function findBinary(): ?string
+	{
+		// Check common binary names
+		$candidates = PHP_OS_FAMILY === 'Windows'
+			? ['7z', '7za', 'C:\\Program Files\\7-Zip\\7z.exe', 'C:\\Program Files (x86)\\7-Zip\\7z.exe']
+			: ['7za', '7z', '/usr/bin/7za', '/usr/bin/7z', '/usr/local/bin/7za', '/usr/local/bin/7z'];
+
+		foreach ($candidates as $candidate) {
+			// If it's an absolute path, check file existence
+			if (str_contains($candidate, DIRECTORY_SEPARATOR) || str_contains($candidate, '/')) {
+				if (is_file($candidate) && is_executable($candidate)) {
+					return $candidate;
+				}
+
+				continue;
+			}
+
+			// Use 'which' / 'where' to find in PATH
+			$whichCmd = PHP_OS_FAMILY === 'Windows'
+				? 'where ' . escapeshellarg($candidate) . ' 2>NUL'
+				: 'which ' . escapeshellarg($candidate) . ' 2>/dev/null';
+
+			$result = trim((string) shell_exec($whichCmd));
+
+			if ($result !== '' && is_executable($result)) {
+				return $result;
+			}
+		}
+
+		return null;
+	}
+
+	/**
+	 * Recursively remove a directory and its contents.
+	 */
+	private function removeDirectory(string $dir): void
+	{
+		if (!is_dir($dir)) {
+			return;
+		}
+
+		$items = new \RecursiveIteratorIterator(
+			new \RecursiveDirectoryIterator($dir, \RecursiveDirectoryIterator::SKIP_DOTS),
+			\RecursiveIteratorIterator::CHILD_FIRST
+		);
+
+		foreach ($items as $item) {
+			if ($item->isDir()) {
+				@rmdir($item->getPathname());
+			} else {
+				// Remove symlinks and files
+				@unlink($item->getPathname());
+			}
+		}
+
+		@rmdir($dir);
+	}
+}
@@ -0,0 +1,255 @@
+<?php
+
+/**
+ * @package     MokoSuiteBackup
+ * @subpackage  com_mokosuitebackup
+ * @author      Moko Consulting <hello@mokoconsulting.tech>
+ * @copyright   Copyright (C) 2026 Moko Consulting. All rights reserved.
+ * @license     GNU General Public License version 3 or later; see LICENSE
+ *
+ * SFTP uploader using the system sftp/scp binary with SSH key authentication.
+ *
+ * The private key is stored in the database (profile column) and written
+ * to a temp file with 0600 permissions at upload time, then deleted.
+ * This avoids leaving key files on the filesystem permanently.
+ */
+
+namespace Joomla\Component\MokoSuiteBackup\Administrator\Engine;
+
+defined('_JEXEC') or die;
+
+class SftpUploader implements RemoteUploaderInterface
+{
+	private string $host;
+	private int $port;
+	private string $username;
+	private string $keyData;
+	private string $passphrase;
+	private string $password;
+	private string $remotePath;
+
+	public function __construct(object $profile)
+	{
+		$this->host       = $profile->sftp_host ?? '';
+		$this->port       = (int) ($profile->sftp_port ?? 22);
+		$this->username   = $profile->sftp_username ?? '';
+		$this->keyData    = $profile->sftp_key_data ?? '';
+		$this->passphrase = $profile->sftp_passphrase ?? '';
+		$this->password   = $profile->sftp_password ?? '';
+		$this->remotePath = rtrim($profile->sftp_path ?? '/backups', '/');
+	}
+
+	public function upload(string $localPath, string $remoteName): array
+	{
+		if (empty($this->host)) {
+			return ['success' => false, 'message' => 'SFTP host is not configured'];
+		}
+
+		if (empty($this->username)) {
+			return ['success' => false, 'message' => 'SFTP username is not configured'];
+		}
+
+		if (empty($this->keyData) && empty($this->password)) {
+			return ['success' => false, 'message' => 'SFTP requires either a private key or password'];
+		}
+
+		$keyFile = null;
+
+		try {
+			/* Write key to temp file if using key auth */
+			if (!empty($this->keyData)) {
+				$keyFile = $this->writeTempKey();
+			}
+
+			/* Ensure remote directory exists */
+			$this->ensureRemoteDir($keyFile);
+
+			/* Upload via scp */
+			$remoteTarget = $this->username . '@' . $this->host . ':' . $this->remotePath . '/' . $remoteName;
+			$cmd = $this->buildScpCommand($localPath, $remoteTarget, $keyFile);
+
+			$output = [];
+			$exitCode = 0;
+			exec($cmd . ' 2>&1', $output, $exitCode);
+
+			if ($exitCode !== 0) {
+				$errorMsg = implode("\n", $output);
+				throw new \RuntimeException('scp failed (exit ' . $exitCode . '): ' . $errorMsg);
+			}
+
+			/* Verify upload by checking remote file size */
+			$remoteFile = $this->remotePath . '/' . $remoteName;
+			$remoteSize = $this->getRemoteFileSize($remoteFile, $keyFile);
+			$localSize  = filesize($localPath);
+
+			if ($remoteSize > 0 && $remoteSize !== $localSize) {
+				throw new \RuntimeException(
+					'Size mismatch after upload: local=' . $localSize . ' remote=' . $remoteSize
+				);
+			}
+
+			return [
+				'success'     => true,
+				'message'     => 'Uploaded via SFTP: ' . $remoteFile,
+				'remote_path' => $remoteFile,
+			];
+		} catch (\Throwable $e) {
+			return ['success' => false, 'message' => 'SFTP upload failed: ' . $e->getMessage()];
+		} finally {
+			$this->cleanupTempKey($keyFile);
+		}
+	}
+
+	public function testConnection(): array
+	{
+		if (empty($this->host)) {
+			return ['success' => false, 'message' => 'SFTP host is not configured'];
+		}
+
+		$keyFile = null;
+
+		try {
+			if (!empty($this->keyData)) {
+				$keyFile = $this->writeTempKey();
+			}
+
+			$cmd = $this->buildSshCommand('echo "MokoSuiteBackup connection test OK" && hostname', $keyFile);
+			$output = [];
+			$exitCode = 0;
+			exec($cmd . ' 2>&1', $output, $exitCode);
+
+			if ($exitCode !== 0) {
+				return ['success' => false, 'message' => 'SSH connection failed: ' . implode(' ', $output)];
+			}
+
+			return [
+				'success' => true,
+				'message' => 'Connected to ' . $this->host . ' — ' . implode(' ', $output),
+			];
+		} catch (\Throwable $e) {
+			return ['success' => false, 'message' => 'Connection test failed: ' . $e->getMessage()];
+		} finally {
+			$this->cleanupTempKey($keyFile);
+		}
+	}
+
+	/**
+	 * Write the private key from the database to a temp file with 0600 permissions.
+	 */
+	private function writeTempKey(): string
+	{
+		$tmpDir = sys_get_temp_dir();
+		$keyFile = $tmpDir . '/mokobackup-sftp-' . bin2hex(random_bytes(8)) . '.key';
+
+		/* Key is stored base64-encoded in the database — decode before writing */
+		$keyContent = base64_decode($this->keyData, true);
+
+		if ($keyContent === false) {
+			/* Fallback: might be raw PEM (legacy or paste) */
+			$keyContent = $this->keyData;
+		}
+
+		if (file_put_contents($keyFile, $keyContent) === false) {
+			throw new \RuntimeException('Cannot write temporary SSH key file');
+		}
+
+		chmod($keyFile, 0600);
+
+		return $keyFile;
+	}
+
+	/**
+	 * Delete the temp key file.
+	 */
+	private function cleanupTempKey(?string $keyFile): void
+	{
+		if ($keyFile !== null && is_file($keyFile)) {
+			unlink($keyFile);
+		}
+	}
+
+	/**
+	 * Ensure the remote directory exists via ssh mkdir -p.
+	 */
+	private function ensureRemoteDir(?string $keyFile): void
+	{
+		$escapedPath = escapeshellarg($this->remotePath);
+		$cmd = $this->buildSshCommand('mkdir -p ' . $escapedPath, $keyFile);
+
+		$output = [];
+		$exitCode = 0;
+		exec($cmd . ' 2>&1', $output, $exitCode);
+
+		/* mkdir -p exits 0 even if dir already exists, so only fail on non-zero */
+		if ($exitCode !== 0) {
+			throw new \RuntimeException('Cannot create remote directory: ' . implode(' ', $output));
+		}
+	}
+
+	/**
+	 * Get remote file size via ssh stat.
+	 */
+	private function getRemoteFileSize(string $remotePath, ?string $keyFile): int
+	{
+		$escapedPath = escapeshellarg($remotePath);
+		$cmd = $this->buildSshCommand('stat -c %s ' . $escapedPath . ' 2>/dev/null || echo -1', $keyFile);
+
+		$output = [];
+		exec($cmd . ' 2>&1', $output);
+
+		$size = (int) trim(implode('', $output));
+
+		return $size > 0 ? $size : 0;
+	}
+
+	/**
+	 * Build an scp command string with proper SSH options.
+	 */
+	private function buildScpCommand(string $localPath, string $remoteTarget, ?string $keyFile): string
+	{
+		$parts = ['scp', '-o', 'StrictHostKeyChecking=no', '-o', 'BatchMode=yes'];
+
+		if ($this->port !== 22) {
+			$parts[] = '-P';
+			$parts[] = (string) $this->port;
+		}
+
+		if ($keyFile !== null) {
+			$parts[] = '-i';
+			$parts[] = escapeshellarg($keyFile);
+		}
+
+		if (!empty($this->passphrase)) {
+			/* scp doesn't natively support passphrase via CLI — requires ssh-agent or expect.
+			   For now, key files should be unencrypted or use ssh-agent. */
+		}
+
+		$parts[] = escapeshellarg($localPath);
+		$parts[] = escapeshellarg($remoteTarget);
+
+		return implode(' ', $parts);
+	}
+
+	/**
+	 * Build an ssh command string for remote commands.
+	 */
+	private function buildSshCommand(string $remoteCmd, ?string $keyFile): string
+	{
+		$parts = ['ssh', '-o', 'StrictHostKeyChecking=no', '-o', 'BatchMode=yes'];
+
+		if ($this->port !== 22) {
+			$parts[] = '-p';
+			$parts[] = (string) $this->port;
+		}
+
+		if ($keyFile !== null) {
+			$parts[] = '-i';
+			$parts[] = escapeshellarg($keyFile);
+		}
+
+		$parts[] = escapeshellarg($this->username . '@' . $this->host);
+		$parts[] = escapeshellarg($remoteCmd);
+
+		return implode(' ', $parts);
+	}
+}
@@ -17,6 +17,7 @@ defined('_JEXEC') or die;

 use Joomla\CMS\Factory;
 use Joomla\Component\MokoSuiteBackup\Administrator\Utility\BackupDirectory;
+use Joomla\Event\Event;

 class SnapshotEngine
 {
@@ -194,6 +195,29 @@ class SnapshotEngine

 			$this->log('Snapshot record created: ID ' . $record->id);

+			// Send snapshot creation notification
+			try {
+				$profile = NotificationSender::getDefaultProfile();
+
+				if ($profile) {
+					$userName = Factory::getApplication()->getIdentity()->username ?? 'Unknown';
+					$userIdVal = Factory::getApplication()->getIdentity()->id ?? 0;
+
+					NotificationSender::sendRestoreNotification($profile, 'snapshot_create', [
+						'content_types'    => array_values($validTypes),
+						'articles_count'   => $counts['articles'],
+						'categories_count' => $counts['categories'],
+						'modules_count'    => $counts['modules'],
+						'user'             => $userName . ' (ID: ' . $userIdVal . ')',
+					], implode("\n", $this->log));
+				}
+			} catch (\Throwable $e) {
+				error_log('MokoSuiteBackup: Snapshot creation notification failed: ' . $e->getMessage());
+			}
+
+			// Dispatch event for actionlog and other listeners
+			$this->dispatchAfterSnapshot(true, $record->id, array_values($validTypes));
+
 			return [
 				'success' => true,
 				'message' => sprintf(
@@ -207,6 +231,9 @@ class SnapshotEngine
 		} catch (\Exception $e) {
 			$this->log('FATAL: ' . $e->getMessage());

+			// Dispatch event for actionlog and other listeners
+			$this->dispatchAfterSnapshot(false, 0, $contentTypes);
+
 			return [
 				'success' => false,
 				'message' => 'Snapshot failed: ' . $e->getMessage(),
@@ -307,6 +334,27 @@ class SnapshotEngine
 		return $db->loadAssocList() ?: [];
 	}

+	/**
+	 * Dispatch the onMokoSuiteBackupAfterSnapshot event so plugins (actionlog, etc.) can react.
+	 */
+	private function dispatchAfterSnapshot(bool $success, int $snapshotId, array $contentTypes): void
+	{
+		try {
+			$app = Factory::getApplication();
+
+			$event = new Event('onMokoSuiteBackupAfterSnapshot', [
+				'success'       => $success,
+				'snapshot_id'   => $snapshotId,
+				'content_types' => $contentTypes,
+			]);
+
+			$app->getDispatcher()->dispatch('onMokoSuiteBackupAfterSnapshot', $event);
+		} catch (\Throwable $e) {
+			// Never let a listener failure break the snapshot result, but log it
+			error_log('MokoSuiteBackup: onAfterSnapshot listener error: ' . $e->getMessage());
+		}
+	}
+
 	private function log(string $message): void
 	{
 		$this->log[] = '[' . date('H:i:s') . '] ' . $message;
@@ -19,6 +19,7 @@ namespace Joomla\Component\MokoSuiteBackup\Administrator\Engine;
 defined('_JEXEC') or die;

 use Joomla\CMS\Factory;
+use Joomla\Event\Event;

 class SnapshotRestoreEngine
 {
@@ -151,6 +152,28 @@ class SnapshotRestoreEngine

 			$this->log('Restore complete: ' . $totalRows . ' total rows');

+			// Send snapshot restore notification
+			try {
+				$profile = NotificationSender::getDefaultProfile();
+
+				if ($profile) {
+					$userName  = Factory::getApplication()->getIdentity()->username ?? 'Unknown';
+					$userIdVal = Factory::getApplication()->getIdentity()->id ?? 0;
+
+					NotificationSender::sendRestoreNotification($profile, 'snapshot_restore', [
+						'mode'          => $mode,
+						'content_types' => $restoreTypes,
+						'row_count'     => $totalRows,
+						'user'          => $userName . ' (ID: ' . $userIdVal . ')',
+					], implode("\n", $this->log));
+				}
+			} catch (\Throwable $e) {
+				error_log('MokoSuiteBackup: Snapshot restore notification failed: ' . $e->getMessage());
+			}
+
+			// Dispatch event for actionlog and other listeners
+			$this->dispatchAfterSnapshotRestore(true, $snapshotId, $mode);
+
 			return [
 				'success' => true,
 				'message' => sprintf('Snapshot restored (%s mode): %d rows across %d tables', $mode, $totalRows, count($tablesToRestore)),
@@ -166,6 +189,9 @@ class SnapshotRestoreEngine

 			$this->log('FATAL: ' . $e->getMessage());

+			// Dispatch event for actionlog and other listeners
+			$this->dispatchAfterSnapshotRestore(false, $snapshotId, $mode);
+
 			return [
 				'success' => false,
 				'message' => 'Restore failed: ' . $e->getMessage(),
@@ -367,6 +393,208 @@ class SnapshotRestoreEngine
 		return array_unique($tables);
 	}

+	/**
+	 * Restore only selected articles (and their related rows) from a snapshot.
+	 *
+	 * Uses merge/upsert mode: updates existing rows by ID, inserts missing ones.
+	 *
+	 * @param   int    $snapshotId  Snapshot record ID
+	 * @param   array  $articleIds  Article IDs to restore
+	 *
+	 * @return  array{success: bool, message: string, restored?: int, log?: string}
+	 */
+	public function restoreSelectedArticles(int $snapshotId, array $articleIds): array
+	{
+		if (empty($articleIds)) {
+			return ['success' => false, 'message' => 'No article IDs provided'];
+		}
+
+		$articleIds = array_map('intval', $articleIds);
+		$articleIds = array_filter($articleIds, fn($id) => $id > 0);
+
+		if (empty($articleIds)) {
+			return ['success' => false, 'message' => 'No valid article IDs provided'];
+		}
+
+		$db = Factory::getDbo();
+
+		// Load snapshot record
+		$query = $db->getQuery(true)
+			->select('*')
+			->from($db->quoteName('#__mokosuitebackup_snapshots'))
+			->where($db->quoteName('id') . ' = ' . $snapshotId);
+		$db->setQuery($query);
+		$record = $db->loadObject();
+
+		if (!$record) {
+			return ['success' => false, 'message' => 'Snapshot not found: ' . $snapshotId];
+		}
+
+		if ($record->status !== 'complete') {
+			return ['success' => false, 'message' => 'Cannot restore from failed snapshot'];
+		}
+
+		if (!is_file($record->data_file) || !is_readable($record->data_file)) {
+			return ['success' => false, 'message' => 'Snapshot file not found: ' . $record->data_file];
+		}
+
+		$this->log('Loading snapshot file: ' . basename($record->data_file));
+
+		$json = file_get_contents($record->data_file);
+
+		if ($json === false) {
+			return ['success' => false, 'message' => 'Cannot read snapshot file'];
+		}
+
+		$data = json_decode($json, true);
+
+		if (json_last_error() !== JSON_ERROR_NONE) {
+			return ['success' => false, 'message' => 'Snapshot file contains invalid JSON: ' . json_last_error_msg()];
+		}
+
+		if (!is_array($data) || empty($data['tables'])) {
+			return ['success' => false, 'message' => 'Invalid snapshot data format: missing tables key'];
+		}
+
+		$contentTable = $data['tables']['#__content'] ?? [];
+
+		if (empty($contentTable)) {
+			return ['success' => false, 'message' => 'Snapshot does not contain articles'];
+		}
+
+		// Filter #__content rows to only selected article IDs
+		$selectedRows = array_filter($contentTable, fn($row) => in_array((int) ($row['id'] ?? 0), $articleIds, true));
+
+		if (empty($selectedRows)) {
+			return ['success' => false, 'message' => 'None of the selected article IDs exist in this snapshot'];
+		}
+
+		$foundIds = array_map(fn($row) => (int) $row['id'], $selectedRows);
+		$this->log('Restoring ' . count($selectedRows) . ' articles: IDs ' . implode(', ', $foundIds));
+
+		// Filter workflow_associations for selected articles
+		$workflowRows = [];
+
+		if (!empty($data['tables']['#__workflow_associations'])) {
+			$workflowRows = array_filter(
+				$data['tables']['#__workflow_associations'],
+				fn($row) => in_array((int) ($row['item_id'] ?? 0), $foundIds, true)
+			);
+		}
+
+		// Filter tag_map entries for selected articles
+		$tagMapRows = [];
+
+		if (!empty($data['tables']['#__contentitem_tag_map'])) {
+			$tagMapRows = array_filter(
+				$data['tables']['#__contentitem_tag_map'],
+				fn($row) => in_array((int) ($row['content_item_id'] ?? 0), $foundIds, true)
+					&& str_starts_with($row['type_alias'] ?? '', 'com_content.')
+			);
+		}
+
+		$prefix    = $db->getPrefix();
+		$totalRows = 0;
+
+		try {
+			$db->transactionStart();
+
+			// Restore articles using merge/upsert
+			$realTable = str_replace('#__', $prefix, '#__content');
+			$rowCount  = $this->restoreMerge($db, $realTable, '#__content', array_values($selectedRows));
+			$totalRows += $rowCount;
+			$this->log('  #__content: ' . $rowCount . ' rows restored');
+
+			// Restore workflow associations
+			if (!empty($workflowRows)) {
+				$realTable = str_replace('#__', $prefix, '#__workflow_associations');
+				$rowCount  = $this->restoreMerge($db, $realTable, '#__workflow_associations', array_values($workflowRows));
+				$totalRows += $rowCount;
+				$this->log('  #__workflow_associations: ' . $rowCount . ' rows restored');
+			}
+
+			// Restore tag map entries
+			if (!empty($tagMapRows)) {
+				$realTable = str_replace('#__', $prefix, '#__contentitem_tag_map');
+				$rowCount  = $this->restoreMerge($db, $realTable, '#__contentitem_tag_map', array_values($tagMapRows));
+				$totalRows += $rowCount;
+				$this->log('  #__contentitem_tag_map: ' . $rowCount . ' rows restored');
+			}
+
+			$db->transactionCommit();
+
+			$this->log('Selective restore complete: ' . $totalRows . ' total rows');
+
+			// Send notification
+			try {
+				$profile = NotificationSender::getDefaultProfile();
+
+				if ($profile) {
+					$userName  = Factory::getApplication()->getIdentity()->username ?? 'Unknown';
+					$userIdVal = Factory::getApplication()->getIdentity()->id ?? 0;
+
+					NotificationSender::sendRestoreNotification($profile, 'snapshot_selective_restore', [
+						'mode'        => 'selective',
+						'article_ids' => $foundIds,
+						'row_count'   => $totalRows,
+						'user'        => $userName . ' (ID: ' . $userIdVal . ')',
+					], implode("\n", $this->log));
+				}
+			} catch (\Throwable $e) {
+				error_log('MokoSuiteBackup: Selective restore notification failed: ' . $e->getMessage());
+			}
+
+			// Dispatch event for actionlog and other listeners
+			$this->dispatchAfterSnapshotRestore(true, $snapshotId, 'selective');
+
+			return [
+				'success'  => true,
+				'message'  => sprintf('Restored %d articles (%d total rows)', count($selectedRows), $totalRows),
+				'restored' => count($selectedRows),
+				'log'      => implode("\n", $this->log),
+			];
+		} catch (\Throwable $e) {
+			try {
+				$db->transactionRollback();
+				$this->log('Transaction rolled back');
+			} catch (\Exception $rollbackEx) {
+				$this->log('Rollback failed: ' . $rollbackEx->getMessage());
+			}
+
+			$this->log('FATAL: ' . $e->getMessage());
+
+			// Dispatch event for actionlog and other listeners
+			$this->dispatchAfterSnapshotRestore(false, $snapshotId, 'selective');
+
+			return [
+				'success' => false,
+				'message' => 'Selective restore failed: ' . $e->getMessage(),
+				'log'     => implode("\n", $this->log),
+			];
+		}
+	}
+
+	/**
+	 * Dispatch the onMokoSuiteBackupAfterSnapshotRestore event so plugins (actionlog, etc.) can react.
+	 */
+	private function dispatchAfterSnapshotRestore(bool $success, int $snapshotId, string $mode): void
+	{
+		try {
+			$app = Factory::getApplication();
+
+			$event = new Event('onMokoSuiteBackupAfterSnapshotRestore', [
+				'success'     => $success,
+				'snapshot_id' => $snapshotId,
+				'mode'        => $mode,
+			]);
+
+			$app->getDispatcher()->dispatch('onMokoSuiteBackupAfterSnapshotRestore', $event);
+		} catch (\Throwable $e) {
+			// Never let a listener failure break the restore result, but log it
+			error_log('MokoSuiteBackup: onAfterSnapshotRestore listener error: ' . $e->getMessage());
+		}
+	}
+
 	private function log(string $message): void
 	{
 		$this->log[] = '[' . date('H:i:s') . '] ' . $message;
@@ -81,9 +81,21 @@ class SteppedBackupEngine
 			return ['error' => true, 'message' => 'Cannot create backup directory: ' . $backupDir];
 		}

-		$now         = date('Y-m-d H:i:s');
-		$tag         = $resolver->getTag();
-		$nameFormat  = $profile->archive_name_format ?? '[host]_[datetime]_profile[profile_id]';
+		$now           = date('Y-m-d H:i:s');
+		$tag           = $resolver->getTag();
+		$archiveFormat = $profile->archive_format ?? 'zip';
+		$nameFormat    = $profile->archive_name_format ?? '[HOST]_[DATETIME]_profile[PROFILE_ID]';
+
+		// The stepped engine uses ZipArchive batch-by-batch, so only ZIP is
+		// supported.  For 7z / tar.gz the non-stepped BackupEngine must be used.
+		if ($archiveFormat !== 'zip') {
+			return [
+				'error'   => true,
+				'message' => 'The stepped backup engine only supports ZIP format. '
+					. 'Please use the CLI or API backup for ' . $archiveFormat . ' archives.',
+			];
+		}
+
 		$archiveName = $resolver->resolve($nameFormat) . '.zip';

 		$session->archivePath = $backupDir . '/' . $archiveName;
@@ -410,6 +422,7 @@ class SteppedBackupEngine

 			$uploader = match ($session->remoteStorage) {
 				'ftp'          => new FtpUploader($profile),
+				'sftp'         => new SftpUploader($profile),
 				'google_drive' => new GoogleDriveUploader($profile),
 				's3'           => new S3Uploader($profile),
 				default        => throw new \InvalidArgumentException('Unknown storage: ' . $session->remoteStorage),
@@ -0,0 +1,753 @@
+<?php
+
+/**
+ * @package     MokoSuiteBackup
+ * @subpackage  com_mokosuitebackup
+ * @author      Moko Consulting <hello@mokoconsulting.tech>
+ * @copyright   Copyright (C) 2026 Moko Consulting. All rights reserved.
+ * @license     GNU General Public License version 3 or later; see LICENSE
+ *
+ * AJAX step-based restore engine for shared hosting.
+ *
+ * Each call to runStep() performs one unit of work within the PHP time
+ * limit, saves state, and returns. The browser JS fires the next step.
+ *
+ * Phases: extract -> files -> database -> config -> cleanup -> complete
+ */
+
+namespace Joomla\Component\MokoSuiteBackup\Administrator\Engine;
+
+defined('_JEXEC') or die;
+
+use Joomla\CMS\Factory;
+
+class SteppedRestoreEngine
+{
+	/**
+	 * Number of files to copy per step during the files phase.
+	 */
+	private const FILE_BATCH_SIZE = 200;
+
+	/**
+	 * Number of SQL statements to execute per step during the database phase.
+	 */
+	private const SQL_BATCH_SIZE = 500;
+
+	/**
+	 * Initialize a new stepped restore session.
+	 *
+	 * @param   int     $recordId       Backup record ID to restore from
+	 * @param   bool    $restoreFiles   Whether to restore files
+	 * @param   bool    $restoreDb      Whether to restore the database
+	 * @param   bool    $preserveConfig Keep current configuration.php
+	 * @param   string  $password       Decryption password (for encrypted archives)
+	 *
+	 * @return  array{session_id: string, phase: string, progress: int, message: string}
+	 */
+	public function init(int $recordId, bool $restoreFiles = true, bool $restoreDb = true, bool $preserveConfig = true, string $password = ''): array
+	{
+		if (!extension_loaded('zip')) {
+			return ['error' => true, 'message' => 'PHP ext-zip is required for restore operations'];
+		}
+
+		$db = Factory::getDbo();
+
+		// Load backup record
+		$query = $db->getQuery(true)
+			->select('*')
+			->from($db->quoteName('#__mokosuitebackup_records'))
+			->where($db->quoteName('id') . ' = ' . $recordId);
+		$db->setQuery($query);
+		$record = $db->loadObject();
+
+		if (!$record) {
+			return ['error' => true, 'message' => 'Backup record not found: ' . $recordId];
+		}
+
+		if ($record->status !== 'complete') {
+			return ['error' => true, 'message' => 'Cannot restore from incomplete backup (status: ' . $record->status . ')'];
+		}
+
+		$archivePath = $record->absolute_path;
+
+		if (!is_file($archivePath) || !is_readable($archivePath)) {
+			return ['error' => true, 'message' => 'Backup archive not found: ' . $archivePath];
+		}
+
+		// Create session
+		$session = SteppedSession::create();
+		$session->recordId      = $recordId;
+		$session->archivePath   = $archivePath;
+		$session->archiveName   = basename($archivePath);
+		$session->description   = 'Restore from: ' . ($record->description ?: basename($archivePath));
+
+		// Store restore-specific settings as dynamic properties via the session's
+		// generic save/load (SteppedSession serialises all public properties).
+		// We repurpose some existing fields and add restore-specific ones to the
+		// session data stored on disk.
+		$session->phase = 'extract';
+
+		// Build staging directory path
+		$safeTag = preg_replace('/[^a-zA-Z0-9_-]/', '', $record->tag ?: 'restore');
+		$stagingDir = JPATH_ROOT . '/tmp/mokosuitebackup-restore-' . $safeTag . '-' . substr($session->sessionId, 3);
+
+		// Estimate total steps
+		$totalSteps = 1; // extract step
+
+		if ($restoreFiles) {
+			$totalSteps += 1; // at least one files step (will adjust after extraction)
+		}
+
+		if ($restoreDb) {
+			$totalSteps += 1; // at least one database step (will adjust after extraction)
+		}
+
+		$totalSteps += 1; // config step
+		$totalSteps += 1; // cleanup step
+
+		$session->totalSteps  = $totalSteps;
+		$session->currentStep = 0;
+		$session->statusMessage = 'Initializing restore...';
+
+		// Store restore-specific data in session log metadata
+		// We'll use a JSON file alongside the session for restore state
+		$restoreState = [
+			'staging_dir'     => $stagingDir,
+			'restore_files'   => $restoreFiles,
+			'restore_db'      => $restoreDb,
+			'preserve_config' => $preserveConfig,
+			'password'        => $password,
+			'config_backup'   => '',
+			'file_list'       => [],
+			'file_index'      => 0,
+			'sql_file'        => '',
+			'sql_offset'      => 0,
+			'sql_done'        => false,
+			'sql_executed'    => 0,
+		];
+
+		$this->saveRestoreState($session->sessionId, $restoreState);
+
+		$session->log('Restore initialized for record #' . $recordId . ': ' . $record->description);
+		$session->log('Archive: ' . $archivePath);
+		$session->log('Options: files=' . ($restoreFiles ? 'yes' : 'no')
+			. ', database=' . ($restoreDb ? 'yes' : 'no')
+			. ', preserve_config=' . ($preserveConfig ? 'yes' : 'no'));
+		$session->save();
+
+		return [
+			'session_id' => $session->sessionId,
+			'phase'      => $session->phase,
+			'progress'   => $session->getProgress(),
+			'message'    => $session->statusMessage,
+		];
+	}
+
+	/**
+	 * Run the next step of a restore session.
+	 *
+	 * @return  array{session_id: string, phase: string, progress: int, message: string, done?: bool}
+	 */
+	public function runStep(string $sessionId): array
+	{
+		$session = SteppedSession::load($sessionId);
+
+		if (!$session) {
+			return ['error' => true, 'message' => 'Session not found: ' . $sessionId];
+		}
+
+		$restoreState = $this->loadRestoreState($sessionId);
+
+		if (!$restoreState) {
+			return ['error' => true, 'message' => 'Restore state not found for session: ' . $sessionId];
+		}
+
+		try {
+			switch ($session->phase) {
+				case 'extract':
+					$this->stepExtract($session, $restoreState);
+					break;
+
+				case 'files':
+					$this->stepFiles($session, $restoreState);
+					break;
+
+				case 'database':
+					$this->stepDatabase($session, $restoreState);
+					break;
+
+				case 'config':
+					$this->stepConfig($session, $restoreState);
+					break;
+
+				case 'cleanup':
+					$this->stepCleanup($session, $restoreState);
+					break;
+
+				case 'complete':
+					$this->destroyRestoreState($sessionId);
+					$session->destroy();
+
+					return [
+						'session_id' => $sessionId,
+						'phase'      => 'complete',
+						'progress'   => 100,
+						'message'    => 'Restore complete: ' . $session->archiveName,
+						'done'       => true,
+					];
+			}
+
+			$this->saveRestoreState($sessionId, $restoreState);
+			$session->save();
+
+			return [
+				'session_id' => $sessionId,
+				'phase'      => $session->phase,
+				'progress'   => $session->getProgress(),
+				'message'    => $session->statusMessage,
+				'done'       => $session->phase === 'complete',
+			];
+		} catch (\Throwable $e) {
+			$session->log('FATAL: ' . $e->getMessage());
+
+			// Restore config on failure if we preserved it
+			if (!empty($restoreState['config_backup']) && $restoreState['preserve_config']) {
+				@file_put_contents(JPATH_ROOT . '/configuration.php', $restoreState['config_backup']);
+				$session->log('Configuration.php restored after failure');
+			}
+
+			// Clean up staging on failure
+			$stagingDir = $restoreState['staging_dir'] ?? '';
+
+			if (!empty($stagingDir) && is_dir($stagingDir)) {
+				$this->recursiveDelete($stagingDir);
+			}
+
+			$this->destroyRestoreState($sessionId);
+			$session->destroy();
+
+			return ['error' => true, 'message' => 'Restore failed: ' . $e->getMessage()];
+		}
+	}
+
+	/**
+	 * Extract phase: extract archive to staging directory.
+	 */
+	private function stepExtract(SteppedSession $session, array &$state): void
+	{
+		$stagingDir  = $state['staging_dir'];
+		$archivePath = $session->archivePath;
+		$password    = $state['password'];
+
+		// Clean existing staging dir
+		if (is_dir($stagingDir)) {
+			$this->recursiveDelete($stagingDir);
+		}
+
+		if (!mkdir($stagingDir, 0755, true)) {
+			throw new \RuntimeException('Cannot create staging directory: ' . $stagingDir);
+		}
+
+		$session->log('Extracting archive: ' . basename($archivePath));
+
+		// Detect format and extract
+		if (JpaUnarchiver::isJpaFile($archivePath)) {
+			$session->log('Detected JPA format (Akeeba Backup archive)');
+			$jpa   = new JpaUnarchiver($archivePath, $stagingDir);
+			$count = $jpa->extract();
+			$session->log('Extracted ' . $count . ' files from JPA');
+		} elseif (str_ends_with($archivePath, '.tar.gz') || str_ends_with($archivePath, '.tgz')) {
+			$session->log('Detected tar.gz format');
+			$phar = new \PharData($archivePath);
+
+			// Validate entries for path traversal
+			foreach (new \RecursiveIteratorIterator($phar) as $entry) {
+				$entryName = $entry->getPathname();
+				$relative  = substr($entryName, strlen('phar://' . $archivePath) + 1);
+
+				if (str_contains($relative, '../') || str_contains($relative, '..\\')
+					|| str_starts_with($relative, '/') || str_starts_with($relative, '\\')) {
+					throw new \RuntimeException('Archive contains unsafe path: ' . $relative);
+				}
+			}
+
+			$phar->extractTo($stagingDir, null, true);
+			$session->log('Extracted tar.gz archive');
+		} else {
+			$this->extractZipArchive($archivePath, $stagingDir, $password, $session);
+		}
+
+		$session->log('Extraction complete');
+
+		// Preserve configuration.php before any files are copied
+		if ($state['preserve_config'] && is_file(JPATH_ROOT . '/configuration.php')) {
+			$state['config_backup'] = file_get_contents(JPATH_ROOT . '/configuration.php');
+			$session->log('Current configuration.php preserved');
+		}
+
+		// Build file list for the files phase
+		if ($state['restore_files']) {
+			$fileList = $this->scanStagingFiles($stagingDir);
+			$state['file_list']  = $fileList;
+			$state['file_index'] = 0;
+
+			$fileBatches = (int) ceil(count($fileList) / self::FILE_BATCH_SIZE);
+			$session->log('Files to restore: ' . count($fileList) . ' (' . $fileBatches . ' batches)');
+		}
+
+		// Check for SQL file
+		$sqlFile = $stagingDir . '/database.sql';
+
+		if ($state['restore_db'] && is_file($sqlFile)) {
+			$state['sql_file']   = $sqlFile;
+			$state['sql_offset'] = 0;
+			$state['sql_done']   = false;
+
+			// Estimate SQL batches by counting lines
+			$lineCount = 0;
+			$fh = fopen($sqlFile, 'r');
+
+			if ($fh) {
+				while (fgets($fh) !== false) {
+					$lineCount++;
+				}
+
+				fclose($fh);
+			}
+
+			// Rough estimate: each statement ~2 lines on average
+			$estimatedStatements = max(1, (int) ($lineCount / 2));
+			$sqlBatches = (int) ceil($estimatedStatements / self::SQL_BATCH_SIZE);
+			$session->log('SQL file found: ~' . $estimatedStatements . ' statements (' . $sqlBatches . ' batches)');
+		} elseif ($state['restore_db']) {
+			$session->log('No database.sql found in archive — skipping database restore');
+			$state['restore_db'] = false;
+		}
+
+		// Recalculate total steps now that we know the actual counts
+		$totalSteps = 1; // extract (done)
+
+		if ($state['restore_files']) {
+			$totalSteps += max(1, (int) ceil(count($state['file_list']) / self::FILE_BATCH_SIZE));
+		}
+
+		if ($state['restore_db'] && !empty($state['sql_file'])) {
+			$totalSteps += max(1, $sqlBatches ?? 1);
+		}
+
+		$totalSteps += 1; // config
+		$totalSteps += 1; // cleanup
+
+		$session->totalSteps  = $totalSteps;
+		$session->currentStep = 1;
+
+		// Move to next phase
+		if ($state['restore_files']) {
+			$session->phase = 'files';
+		} elseif ($state['restore_db'] && !empty($state['sql_file'])) {
+			$session->phase = 'database';
+		} else {
+			$session->phase = 'config';
+		}
+
+		$session->statusMessage = 'Archive extracted — starting restore...';
+	}
+
+	/**
+	 * Files phase: copy a batch of files from staging to JPATH_ROOT.
+	 */
+	private function stepFiles(SteppedSession $session, array &$state): void
+	{
+		$fileList   = $state['file_list'];
+		$fileIndex  = $state['file_index'];
+		$stagingDir = $state['staging_dir'];
+		$totalFiles = count($fileList);
+
+		if ($fileIndex >= $totalFiles) {
+			// Files phase complete
+			$session->log('Files phase complete: ' . $totalFiles . ' files restored');
+
+			if ($state['restore_db'] && !empty($state['sql_file'])) {
+				$session->phase = 'database';
+			} else {
+				$session->phase = 'config';
+			}
+
+			return;
+		}
+
+		$batchEnd = min($fileIndex + self::FILE_BATCH_SIZE, $totalFiles);
+		$copied   = 0;
+		$sourceBase = rtrim($stagingDir, '/\\');
+		$targetBase = rtrim(JPATH_ROOT, '/\\');
+
+		// Files that should never be overwritten during restore
+		$skipFiles = ['configuration.php', 'configuration.php.bak', '.htaccess', 'web.config'];
+		$excludeFiles = ['database.sql'];
+
+		for ($i = $fileIndex; $i < $batchEnd; $i++) {
+			$relativePath = $fileList[$i];
+			$sourcePath   = $sourceBase . '/' . $relativePath;
+			$targetPath   = $targetBase . '/' . $relativePath;
+			$basename     = basename($relativePath);
+			$dirPart      = dirname($relativePath);
+
+			// Skip excluded files
+			if (in_array($basename, $excludeFiles, true)) {
+				continue;
+			}
+
+			// Skip protected files at root level
+			if (($dirPart === '' || $dirPart === '.') && in_array($basename, $skipFiles, true)) {
+				continue;
+			}
+
+			if (!is_file($sourcePath)) {
+				continue;
+			}
+
+			// Ensure parent directory exists
+			$parentDir = dirname($targetPath);
+
+			if (!is_dir($parentDir)) {
+				mkdir($parentDir, 0755, true);
+			}
+
+			if (copy($sourcePath, $targetPath)) {
+				$perms = fileperms($sourcePath);
+
+				if ($perms !== false) {
+					@chmod($targetPath, $perms);
+				}
+
+				$copied++;
+			}
+		}
+
+		$state['file_index'] = $batchEnd;
+
+		$session->currentStep++;
+		$batchNum   = (int) ceil($batchEnd / self::FILE_BATCH_SIZE);
+		$totalBatch = (int) ceil($totalFiles / self::FILE_BATCH_SIZE);
+		$session->statusMessage = "Restoring files batch {$batchNum}/{$totalBatch} ({$copied} files copied)";
+		$session->log("Files batch {$batchNum}: {$copied} files copied ({$batchEnd}/{$totalFiles})");
+
+		// Check if we're done with files
+		if ($batchEnd >= $totalFiles) {
+			$session->log('Files phase complete: ' . $totalFiles . ' files processed');
+
+			if ($state['restore_db'] && !empty($state['sql_file'])) {
+				$session->phase = 'database';
+			} else {
+				$session->phase = 'config';
+			}
+		}
+	}
+
+	/**
+	 * Database phase: import SQL statements in batches.
+	 */
+	private function stepDatabase(SteppedSession $session, array &$state): void
+	{
+		if ($state['sql_done'] || empty($state['sql_file'])) {
+			$session->log('Database phase complete: ' . $state['sql_executed'] . ' statements executed');
+			$session->phase = 'config';
+
+			return;
+		}
+
+		$sqlFile = $state['sql_file'];
+		$offset  = $state['sql_offset'];
+
+		$db     = Factory::getDbo();
+		$prefix = $db->getPrefix();
+
+		$handle = fopen($sqlFile, 'r');
+
+		if ($handle === false) {
+			throw new \RuntimeException('Cannot open SQL file: ' . $sqlFile);
+		}
+
+		// Seek to the byte offset where we left off
+		if ($offset > 0) {
+			fseek($handle, $offset);
+		}
+
+		$statementsExecuted = 0;
+		$currentStatement   = '';
+		$inMultiLineComment = false;
+
+		while (($line = fgets($handle)) !== false) {
+			$trimmed = trim($line);
+
+			// Skip empty lines
+			if ($trimmed === '') {
+				continue;
+			}
+
+			// Skip single-line comments
+			if (str_starts_with($trimmed, '--') || str_starts_with($trimmed, '#')) {
+				continue;
+			}
+
+			// Handle multi-line comments
+			if (str_starts_with($trimmed, '/*')) {
+				$inMultiLineComment = true;
+			}
+
+			if ($inMultiLineComment) {
+				if (str_contains($trimmed, '*/')) {
+					$inMultiLineComment = false;
+				}
+
+				continue;
+			}
+
+			// Accumulate the statement
+			$currentStatement .= $line;
+
+			// Check if statement is complete (ends with semicolon)
+			if (str_ends_with($trimmed, ';')) {
+				$statement = trim($currentStatement);
+				$currentStatement = '';
+
+				if (empty($statement)) {
+					continue;
+				}
+
+				// Replace abstract #__ prefix with the current site's prefix
+				$statement = str_replace('#__', $prefix, $statement);
+
+				try {
+					$db->setQuery($statement);
+					$db->execute();
+				} catch (\Exception $e) {
+					error_log('MokoSuiteBackup SQL import warning: ' . $e->getMessage());
+				}
+
+				$statementsExecuted++;
+				$state['sql_executed']++;
+
+				// Check if we've hit the batch limit
+				if ($statementsExecuted >= self::SQL_BATCH_SIZE) {
+					$state['sql_offset'] = ftell($handle);
+					fclose($handle);
+
+					$session->currentStep++;
+					$session->statusMessage = 'Importing database... (' . $state['sql_executed'] . ' statements executed)';
+					$session->log('Database batch: ' . $statementsExecuted . ' statements (total: ' . $state['sql_executed'] . ')');
+
+					return;
+				}
+			}
+		}
+
+		// Handle any remaining statement without trailing semicolon
+		$remaining = trim($currentStatement);
+
+		if (!empty($remaining)) {
+			$remaining = str_replace('#__', $prefix, $remaining);
+
+			try {
+				$db->setQuery($remaining);
+				$db->execute();
+				$state['sql_executed']++;
+			} catch (\Exception $e) {
+				error_log('MokoSuiteBackup SQL import warning (final): ' . $e->getMessage());
+			}
+		}
+
+		fclose($handle);
+
+		$state['sql_done'] = true;
+		$session->currentStep++;
+		$session->phase = 'config';
+		$session->statusMessage = 'Database import complete: ' . $state['sql_executed'] . ' statements';
+		$session->log('Database import complete: ' . $state['sql_executed'] . ' statements executed');
+	}
+
+	/**
+	 * Config phase: restore preserved configuration.php.
+	 */
+	private function stepConfig(SteppedSession $session, array &$state): void
+	{
+		if ($state['preserve_config'] && !empty($state['config_backup'])) {
+			file_put_contents(JPATH_ROOT . '/configuration.php', $state['config_backup']);
+			$session->log('Configuration.php restored to pre-restore state');
+		}
+
+		$session->currentStep++;
+		$session->phase = 'cleanup';
+		$session->statusMessage = 'Configuration restored — cleaning up...';
+	}
+
+	/**
+	 * Cleanup phase: remove staging directory.
+	 */
+	private function stepCleanup(SteppedSession $session, array &$state): void
+	{
+		$stagingDir = $state['staging_dir'];
+
+		if (!empty($stagingDir) && is_dir($stagingDir)) {
+			$this->recursiveDelete($stagingDir);
+			$session->log('Staging directory cleaned up');
+		}
+
+		$session->currentStep++;
+		$session->phase = 'complete';
+		$session->statusMessage = 'Restore complete: ' . $session->archiveName;
+		$session->log('Restore complete');
+	}
+
+	/**
+	 * Extract a ZIP archive to the staging directory with path traversal protection.
+	 */
+	private function extractZipArchive(string $archivePath, string $stagingDir, string $password, SteppedSession $session): void
+	{
+		$zip    = new \ZipArchive();
+		$result = $zip->open($archivePath);
+
+		if ($result !== true) {
+			throw new \RuntimeException('Cannot open archive (error code: ' . $result . ')');
+		}
+
+		if (!empty($password)) {
+			$zip->setPassword($password);
+			$session->log('Decryption password set');
+		}
+
+		// Validate all entries before extraction (path traversal protection)
+		for ($i = 0; $i < $zip->numFiles; $i++) {
+			$entryName = $zip->getNameIndex($i);
+
+			if ($entryName === false) {
+				continue;
+			}
+
+			if (str_contains($entryName, '../') || str_contains($entryName, '..\\')
+				|| str_starts_with($entryName, '/') || str_starts_with($entryName, '\\')) {
+				$zip->close();
+				throw new \RuntimeException('Archive contains unsafe path: ' . $entryName);
+			}
+		}
+
+		if (!$zip->extractTo($stagingDir)) {
+			$zip->close();
+
+			throw new \RuntimeException(
+				'Failed to extract archive. '
+				. (!empty($password) ? 'Check that the decryption password is correct.' : 'The archive may be encrypted — provide a password.')
+			);
+		}
+
+		$session->log('Extracted ' . $zip->numFiles . ' entries');
+		$zip->close();
+	}
+
+	/**
+	 * Scan the staging directory and return a flat list of relative file paths.
+	 */
+	private function scanStagingFiles(string $stagingDir): array
+	{
+		$files    = [];
+		$baseLen  = strlen(rtrim($stagingDir, '/\\')) + 1;
+
+		$iterator = new \RecursiveIteratorIterator(
+			new \RecursiveDirectoryIterator($stagingDir, \FilesystemIterator::SKIP_DOTS),
+			\RecursiveIteratorIterator::SELF_FIRST
+		);
+
+		foreach ($iterator as $item) {
+			if ($item->isFile()) {
+				$relativePath = substr($item->getPathname(), $baseLen);
+				// Normalise directory separators
+				$relativePath = str_replace('\\', '/', $relativePath);
+				$files[] = $relativePath;
+			}
+		}
+
+		return $files;
+	}
+
+	/**
+	 * Recursively delete a directory and all its contents.
+	 */
+	private function recursiveDelete(string $dir): void
+	{
+		if (!is_dir($dir)) {
+			return;
+		}
+
+		$items = new \RecursiveIteratorIterator(
+			new \RecursiveDirectoryIterator($dir, \FilesystemIterator::SKIP_DOTS),
+			\RecursiveIteratorIterator::CHILD_FIRST
+		);
+
+		foreach ($items as $item) {
+			if ($item->isDir()) {
+				@rmdir($item->getPathname());
+			} else {
+				@unlink($item->getPathname());
+			}
+		}
+
+		@rmdir($dir);
+	}
+
+	/**
+	 * Save restore-specific state to a JSON file alongside the session.
+	 */
+	private function saveRestoreState(string $sessionId, array $state): void
+	{
+		$path = $this->getRestoreStatePath($sessionId);
+
+		if (file_put_contents($path, json_encode($state, JSON_PRETTY_PRINT)) === false) {
+			throw new \RuntimeException('Cannot save restore state: ' . $path);
+		}
+	}
+
+	/**
+	 * Load restore-specific state from disk.
+	 */
+	private function loadRestoreState(string $sessionId): ?array
+	{
+		$path = $this->getRestoreStatePath($sessionId);
+
+		if (!is_file($path)) {
+			return null;
+		}
+
+		$data = json_decode(file_get_contents($path), true);
+
+		return is_array($data) ? $data : null;
+	}
+
+	/**
+	 * Delete restore state file.
+	 */
+	private function destroyRestoreState(string $sessionId): void
+	{
+		$path = $this->getRestoreStatePath($sessionId);
+
+		if (is_file($path)) {
+			@unlink($path);
+		}
+	}
+
+	/**
+	 * Get the file path for restore-specific state.
+	 */
+	private function getRestoreStatePath(string $sessionId): string
+	{
+		$safe = preg_replace('/[^a-zA-Z0-9_-]/', '', $sessionId);
+		$dir  = JPATH_ROOT . '/tmp/mokosuitebackup-sessions';
+
+		if (!is_dir($dir)) {
+			if (!mkdir($dir, 0755, true)) {
+				throw new \RuntimeException('Cannot create session directory: ' . $dir);
+			}
+		}
+
+		return $dir . '/' . $safe . '.restore.json';
+	}
+}
@@ -52,15 +52,15 @@ class FolderPickerField extends FormField
 		$placeholders = [
 			'[DEFAULT_DIR]'  => BackupDirectory::getDefaultAbsolute(),
 			'[HOME]'         => BackupDirectory::getHomeDirectory(),
-			'[host]'         => $hostname,
-			'[site_name]'    => $sanitizedSiteName ?: 'joomla',
-			'[profile_id]'   => '1',
-			'[profile_name]' => 'default',
-			'[type]'         => 'full',
-			'[year]'         => date('Y'),
-			'[month]'        => date('m'),
-			'[day]'          => date('d'),
-			'[date]'         => date('Ymd'),
+			'[HOST]'         => $hostname,
+			'[SITE_NAME]'    => $sanitizedSiteName ?: 'joomla',
+			'[PROFILE_ID]'   => '1',
+			'[PROFILE_NAME]' => 'default',
+			'[TYPE]'         => 'full',
+			'[YEAR]'         => date('Y'),
+			'[MONTH]'        => date('m'),
+			'[DAY]'          => date('d'),
+			'[DATE]'         => date('Ymd'),
 		];

 		$placeholdersJson = json_encode($placeholders);
@@ -96,51 +96,140 @@ class FolderPickerField extends FormField
 		<span class="icon-folder-open" aria-hidden="true"></span>
 		Browse
 	</button>
-	<button type="button" class="btn btn-outline-info" data-bs-toggle="modal" data-bs-target="#{$id}_helpModal" title="Available placeholders">
+	<button type="button" class="btn btn-outline-info" id="{$id}_helpBtn" title="Help — placeholders, paths, and examples">
 		<span class="icon-question-circle" aria-hidden="true"></span>
 	</button>
 </div>
+<div class="mt-1 mb-1" id="{$id}_placeholders" style="display:flex; flex-wrap:wrap; gap:4px;">
+	<span class="text-muted small me-1" style="line-height:24px;">Insert:</span>
+	<button type="button" class="btn btn-outline-secondary btn-sm py-0 px-1 moko-ph-insert" data-field="{$id}" data-ph="[HOME]" title="Home directory">[HOME]</button>
+	<button type="button" class="btn btn-outline-secondary btn-sm py-0 px-1 moko-ph-insert" data-field="{$id}" data-ph="[DEFAULT_DIR]" title="Default backup dir">[DEFAULT_DIR]</button>
+	<button type="button" class="btn btn-outline-secondary btn-sm py-0 px-1 moko-ph-insert" data-field="{$id}" data-ph="[HOST]" title="Server hostname">[HOST]</button>
+	<button type="button" class="btn btn-outline-secondary btn-sm py-0 px-1 moko-ph-insert" data-field="{$id}" data-ph="[SITE_NAME]" title="Joomla site name">[SITE_NAME]</button>
+	<button type="button" class="btn btn-outline-secondary btn-sm py-0 px-1 moko-ph-insert" data-field="{$id}" data-ph="[DATE]" title="Date (Ymd)">[DATE]</button>
+	<button type="button" class="btn btn-outline-secondary btn-sm py-0 px-1 moko-ph-insert" data-field="{$id}" data-ph="[PROFILE_ID]" title="Profile ID">[PROFILE_ID]</button>
+	<button type="button" class="btn btn-outline-secondary btn-sm py-0 px-1 moko-ph-insert" data-field="{$id}" data-ph="[PROFILE_NAME]" title="Profile name">[PROFILE_NAME]</button>
+	<button type="button" class="btn btn-outline-secondary btn-sm py-0 px-1 moko-ph-insert" data-field="{$id}" data-ph="[TYPE]" title="Backup type">[TYPE]</button>
+</div>
 <div class="mt-1" id="{$id}_status">
 	<small class="{$statusClass}">
 		<span class="{$statusIcon}" aria-hidden="true"></span>
 		{$statusDetail}
 	</small>
 </div>
+<div class="mt-1" id="{$id}_resolved" style="font-size:0.8rem; line-height:1.6;">
+</div>
 <div id="{$id}_defaultwarn" class="alert alert-warning alert-sm mt-1 py-1 px-2" style="display:none; font-size:0.85rem;">
 	<span class="icon-warning-circle" aria-hidden="true"></span>
 	The default backup directory is inside the web root. Backup archives may be directly downloadable if <code>.htaccess</code> is not supported. For better security, use a path outside the web root.
 </div>
 <div class="modal fade" id="{$id}_helpModal" tabindex="-1" aria-labelledby="{$id}_helpLabel" aria-hidden="true">
-	<div class="modal-dialog">
+	<div class="modal-dialog modal-lg">
 		<div class="modal-content">
 			<div class="modal-header">
-				<h5 class="modal-title" id="{$id}_helpLabel">Backup Directory Placeholders</h5>
+				<h5 class="modal-title" id="{$id}_helpLabel">Backup Directory — Help</h5>
 				<button type="button" class="btn-close" data-bs-dismiss="modal" aria-label="Close"></button>
 			</div>
 			<div class="modal-body">
-				<p>Use these placeholders in the backup directory path. They are resolved at backup time.</p>
+
+				<h6 class="text-primary">How Path Resolution Works</h6>
+				<p>The backup directory path is resolved at backup time. You can use <strong>absolute paths</strong>, <strong>relative paths</strong>, or <strong>placeholder paths</strong>.</p>
+
+				<div class="card mb-3">
+					<div class="card-header fw-bold">Absolute Paths</div>
+					<div class="card-body py-2">
+						<p class="mb-1">Start with <code>/</code> (Linux) or a drive letter (Windows). Used as-is.</p>
+						<ul class="mb-0">
+							<li><code>/home/user/backups</code> — Fixed path on the server</li>
+							<li><code>/var/backups/joomla</code> — System backup directory</li>
+						</ul>
+					</div>
+				</div>
+
+				<div class="card mb-3">
+					<div class="card-header fw-bold">Relative Paths</div>
+					<div class="card-body py-2">
+						<p class="mb-1">Paths that do <strong>not</strong> start with <code>/</code> are resolved relative to the Joomla root directory, using the same conventions as URL paths:</p>
+						<table class="table table-sm mb-2">
+							<thead><tr><th>Path</th><th>Meaning</th><th>Resolves To</th></tr></thead>
+							<tbody>
+								<tr><td><code>backups</code></td><td>Subdirectory of Joomla root</td><td><code>{$jRoot}/backups</code></td></tr>
+								<tr><td><code>./backups</code></td><td>Same as above (explicit current dir)</td><td><code>{$jRoot}/backups</code></td></tr>
+								<tr><td><code>../backups</code></td><td>One level <strong>above</strong> Joomla root</td><td>Parent of <code>{$jRoot}</code></td></tr>
+								<tr><td><code>../../backups</code></td><td>Two levels above Joomla root</td><td>Grandparent of <code>{$jRoot}</code></td></tr>
+							</tbody>
+						</table>
+						<div class="alert alert-warning py-1 px-2 mb-0" style="font-size:0.85rem;">
+							<strong>Warning:</strong> Relative paths that stay inside the web root may expose backup files to direct download if .htaccess is not supported. Use <code>../</code> or <code>[HOME]</code> to store backups outside the web root.
+						</div>
+					</div>
+				</div>
+
+				<div class="card mb-3">
+					<div class="card-header fw-bold">Placeholder Paths (Recommended)</div>
+					<div class="card-body py-2">
+						<p class="mb-1">Use <code>[PLACEHOLDER]</code> tokens that are replaced with actual values at backup time. This makes paths <strong>portable</strong> across servers.</p>
+						<ul class="mb-0">
+							<li><code>[HOME]/backups</code> — User's home directory + /backups</li>
+							<li><code>[HOME]/[HOST]/backups</code> — Per-site subdirectory under home</li>
+							<li><code>[DEFAULT_DIR]</code> — Joomla's default backup directory</li>
+						</ul>
+					</div>
+				</div>
+
+				<h6 class="text-primary mt-3">Available Placeholders</h6>
 				<table class="table table-sm table-striped">
-					<thead><tr><th>Placeholder</th><th>Description</th><th>Example</th></tr></thead>
+					<thead><tr><th>Placeholder</th><th>Description</th><th>Current Value</th></tr></thead>
 					<tbody>
-						<tr><td><code>[HOME]</code></td><td>Home directory of the server user</td><td><code>{$placeholders['[HOME]']}</code></td></tr>
-						<tr><td><code>[DEFAULT_DIR]</code></td><td>Default backup directory (inside web root)</td><td><code>{$placeholders['[DEFAULT_DIR]']}</code></td></tr>
-						<tr><td><code>[host]</code></td><td>Server hostname</td><td><code>{$placeholders['[host]']}</code></td></tr>
-						<tr><td><code>[site_name]</code></td><td>Joomla site name</td><td><code>{$placeholders['[site_name]']}</code></td></tr>
-						<tr><td><code>[date]</code></td><td>Date (Ymd)</td><td><code>{$placeholders['[date]']}</code></td></tr>
-						<tr><td><code>[year]</code></td><td>Four-digit year</td><td><code>{$placeholders['[year]']}</code></td></tr>
-						<tr><td><code>[month]</code></td><td>Two-digit month</td><td><code>{$placeholders['[month]']}</code></td></tr>
-						<tr><td><code>[day]</code></td><td>Two-digit day</td><td><code>{$placeholders['[day]']}</code></td></tr>
-						<tr><td><code>[profile_id]</code></td><td>Backup profile ID</td><td><code>1</code></td></tr>
-						<tr><td><code>[profile_name]</code></td><td>Profile title</td><td><code>default</code></td></tr>
-						<tr><td><code>[type]</code></td><td>Backup type</td><td><code>full</code></td></tr>
+						<tr><td><code>[HOME]</code></td><td>Home directory of the PHP process owner. Detected from environment, POSIX, or JPATH_ROOT.</td><td><code>{$placeholders['[HOME]']}</code></td></tr>
+						<tr><td><code>[DEFAULT_DIR]</code></td><td>Default backup directory inside the Joomla web root. Protected by .htaccess but not recommended for production.</td><td><code>{$placeholders['[DEFAULT_DIR]']}</code></td></tr>
+						<tr><td><code>[HOST]</code></td><td>Server hostname from HTTP_HOST. Sanitized to alphanumeric, dots, and hyphens.</td><td><code>{$placeholders['[HOST]']}</code></td></tr>
+						<tr><td><code>[SITE_NAME]</code></td><td>Joomla site name from Global Configuration. Spaces become hyphens, special characters stripped.</td><td><code>{$placeholders['[SITE_NAME]']}</code></td></tr>
+						<tr><td><code>[DATE]</code></td><td>Current date in Ymd format (e.g. 20260623).</td><td><code>{$placeholders['[DATE]']}</code></td></tr>
+						<tr><td><code>[YEAR]</code></td><td>Four-digit year.</td><td><code>{$placeholders['[YEAR]']}</code></td></tr>
+						<tr><td><code>[MONTH]</code></td><td>Two-digit month (01-12).</td><td><code>{$placeholders['[MONTH]']}</code></td></tr>
+						<tr><td><code>[DAY]</code></td><td>Two-digit day (01-31).</td><td><code>{$placeholders['[DAY]']}</code></td></tr>
+						<tr><td><code>[PROFILE_ID]</code></td><td>Numeric ID of the backup profile being used.</td><td><code>1</code></td></tr>
+						<tr><td><code>[PROFILE_NAME]</code></td><td>Title of the backup profile, sanitized for filesystem use.</td><td><code>default</code></td></tr>
+						<tr><td><code>[TYPE]</code></td><td>Backup type: full, database, files, or differential.</td><td><code>full</code></td></tr>
 					</tbody>
 				</table>
-				<h6>Recommended Paths</h6>
-				<ul class="list-unstyled">
-					<li><code>[HOME]/backups</code> — Outside web root (recommended)</li>
-					<li><code>[HOME]/backups/[host]</code> — Per-site subdirectory</li>
-					<li><code>[DEFAULT_DIR]</code> — Inside web root (protected by .htaccess)</li>
-				</ul>
+
+				<h6 class="text-primary mt-3">Recommended Configurations</h6>
+				<table class="table table-sm">
+					<thead><tr><th>Use Case</th><th>Path</th><th>Notes</th></tr></thead>
+					<tbody>
+						<tr>
+							<td><strong>Single site, secure</strong></td>
+							<td><code>[HOME]/backups</code></td>
+							<td>Outside web root. Best for most sites.</td>
+						</tr>
+						<tr>
+							<td><strong>Multiple sites on one server</strong></td>
+							<td><code>[HOME]/backups/[HOST]</code></td>
+							<td>Each site gets its own subdirectory.</td>
+						</tr>
+						<tr>
+							<td><strong>Date-organized</strong></td>
+							<td><code>[HOME]/backups/[YEAR]/[MONTH]</code></td>
+							<td>Backups sorted by year and month.</td>
+						</tr>
+						<tr>
+							<td><strong>Per-profile</strong></td>
+							<td><code>[HOME]/backups/[PROFILE_NAME]</code></td>
+							<td>Separate directory for each backup profile.</td>
+						</tr>
+						<tr>
+							<td><strong>Shared hosting (default)</strong></td>
+							<td><code>[DEFAULT_DIR]</code></td>
+							<td>Inside web root, protected by .htaccess. Use only if you cannot write outside web root.</td>
+						</tr>
+					</tbody>
+				</table>
+
+				<div class="alert alert-info py-2 mt-3 mb-0">
+					<strong>Tip:</strong> The directory is created automatically if it doesn't exist. Placeholders are resolved fresh each time a backup runs, so date-based paths create new directories over time.
+				</div>
 			</div>
 			<div class="modal-footer">
 				<button type="button" class="btn btn-secondary" data-bs-dismiss="modal">Close</button>
@@ -155,6 +244,56 @@ class FolderPickerField extends FormField
 </div>
 <script>
 (function() {
+	/* Clickable placeholder insertion at cursor position */
+	document.querySelectorAll('.moko-ph-insert[data-field="{$id}"]').forEach(function(btn) {
+		btn.addEventListener('click', function(e) {
+			e.preventDefault();
+			var target = document.getElementById(this.getAttribute('data-field'));
+			var ph = this.getAttribute('data-ph');
+			if (!target) return;
+			var start = target.selectionStart || 0;
+			var end = target.selectionEnd || 0;
+			var val = target.value;
+			target.value = val.substring(0, start) + ph + val.substring(end);
+			/* Move cursor to after the inserted placeholder */
+			var newPos = start + ph.length;
+			target.setSelectionRange(newPos, newPos);
+			target.focus();
+			/* Trigger input event so status updates */
+			target.dispatchEvent(new Event('input', { bubbles: true }));
+		});
+	});
+
+	/* Help button — open modal with Bootstrap 5 or fallback */
+	var helpBtn = document.getElementById('{$id}_helpBtn');
+	var helpModal = document.getElementById('{$id}_helpModal');
+	if (helpBtn && helpModal) {
+		helpBtn.addEventListener('click', function(e) {
+			e.preventDefault();
+			if (typeof bootstrap !== 'undefined' && bootstrap.Modal) {
+				var modal = bootstrap.Modal.getOrCreateInstance(helpModal);
+				modal.show();
+			} else {
+				helpModal.classList.add('show');
+				helpModal.style.display = 'block';
+				helpModal.setAttribute('aria-hidden', 'false');
+				document.body.classList.add('modal-open');
+				var backdrop = document.createElement('div');
+				backdrop.className = 'modal-backdrop fade show';
+				backdrop.id = '{$id}_backdrop';
+				document.body.appendChild(backdrop);
+				helpModal.querySelector('.btn-close, [data-bs-dismiss]').addEventListener('click', function() {
+					helpModal.classList.remove('show');
+					helpModal.style.display = 'none';
+					helpModal.setAttribute('aria-hidden', 'true');
+					document.body.classList.remove('modal-open');
+					var bd = document.getElementById('{$id}_backdrop');
+					if (bd) bd.remove();
+				});
+			}
+		});
+	}
+
 	var fieldId = '{$id}';
 	var btn = document.getElementById(fieldId + '_btn');
 	var browser = document.getElementById(fieldId + '_browser');
@@ -162,7 +301,7 @@ class FolderPickerField extends FormField
 	var input = document.getElementById(fieldId);
 	var placeholders = {$placeholdersJson};

-	// Resolve placeholders in a path (forward: [site_name] -> actual value)
+	// Resolve placeholders in a path (forward: [SITE_NAME] -> actual value)
 	function resolve(path) {
 		for (var key in placeholders) {
 			path = path.split(key).join(placeholders[key]);
@@ -253,8 +392,54 @@ class FolderPickerField extends FormField
 		});
 	}

+	/* Show which placeholders are in use and their resolved values */
+	var resolvedDiv = document.getElementById(fieldId + '_resolved');
+
+	function updateResolvedDisplay() {
+		while (resolvedDiv.firstChild) resolvedDiv.removeChild(resolvedDiv.firstChild);
+		var val = input.value || '';
+		var found = false;
+
+		for (var key in placeholders) {
+			if (val.indexOf(key) !== -1 && placeholders[key]) {
+				found = true;
+				var badge = document.createElement('span');
+				badge.className = 'badge bg-light text-dark border me-1 mb-1';
+				badge.style.fontSize = '0.75rem';
+				badge.style.fontFamily = 'monospace';
+
+				var keySpan = document.createElement('strong');
+				keySpan.textContent = key;
+				badge.appendChild(keySpan);
+
+				badge.appendChild(document.createTextNode(' = '));
+
+				var valSpan = document.createElement('span');
+				valSpan.className = 'text-primary';
+				valSpan.textContent = placeholders[key];
+				badge.appendChild(valSpan);
+
+				resolvedDiv.appendChild(badge);
+			}
+		}
+
+		if (found) {
+			var fullResolved = document.createElement('div');
+			fullResolved.className = 'mt-1';
+			var arrow = document.createElement('span');
+			arrow.className = 'text-muted';
+			arrow.textContent = 'EXAMPLE: ';
+			fullResolved.appendChild(arrow);
+			var code = document.createElement('code');
+			code.textContent = resolve(val);
+			fullResolved.appendChild(code);
+			resolvedDiv.appendChild(fullResolved);
+		}
+	}
+
 	input.addEventListener('input', function() {
 		clearTimeout(checkTimer);
+		updateResolvedDisplay();
 		checkTimer = setTimeout(checkDirPermissions, 400);
 	});

@@ -368,6 +553,7 @@ class FolderPickerField extends FormField

 	// Run initial check on page load
 	setDefaultDirWarning();
+	updateResolvedDisplay();
 	checkDirPermissions();
 })();
 </script>
@@ -0,0 +1,78 @@
+<?php
+
+/**
+ * @package     MokoSuiteBackup
+ * @subpackage  com_mokosuitebackup
+ * @author      Moko Consulting <hello@mokoconsulting.tech>
+ * @copyright   Copyright (C) 2026 Moko Consulting. All rights reserved.
+ * @license     GNU General Public License version 3 or later; see LICENSE
+ *
+ * Text field with clickable placeholder pills that insert at cursor position.
+ * Used for backup directory and archive name format fields.
+ */
+
+namespace Joomla\Component\MokoSuiteBackup\Administrator\Field;
+
+defined('_JEXEC') or die;
+
+use Joomla\CMS\Form\FormField;
+
+class PlaceholderTextField extends FormField
+{
+	protected $type = 'PlaceholderText';
+
+	protected function getInput(): string
+	{
+		$value = htmlspecialchars($this->value ?? $this->default ?? '', ENT_QUOTES, 'UTF-8');
+		$id    = htmlspecialchars($this->id, ENT_QUOTES, 'UTF-8');
+		$name  = htmlspecialchars($this->name, ENT_QUOTES, 'UTF-8');
+		$hint  = htmlspecialchars($this->element['hint'] ?? '', ENT_QUOTES, 'UTF-8');
+		$max   = (int) ($this->element['maxlength'] ?? 512);
+
+		$placeholderAttr = (string) ($this->element['placeholders'] ?? '');
+		$placeholders = array_filter(array_map('trim', explode(',', $placeholderAttr)));
+
+		if (empty($placeholders)) {
+			$placeholders = ['[HOST]', '[DATE]', '[DATETIME]', '[TIME]', '[YEAR]', '[MONTH]', '[DAY]',
+				'[HOUR]', '[MINUTE]', '[SECOND]', '[PROFILE_ID]', '[PROFILE_NAME]', '[SITE_NAME]', '[TYPE]', '[RANDOM]'];
+		}
+
+		$html = '<input type="text" name="' . $name . '" id="' . $id . '" value="' . $value . '"'
+			. ' class="form-control" maxlength="' . $max . '"'
+			. ($hint ? ' placeholder="' . $hint . '"' : '') . '>';
+
+		$html .= '<div class="mt-1" style="display:flex; flex-wrap:wrap; gap:4px;">';
+		$html .= '<span class="text-muted small me-1" style="line-height:24px;">Insert:</span>';
+
+		foreach ($placeholders as $ph) {
+			$html .= '<button type="button" class="btn btn-outline-secondary btn-sm py-0 px-1 moko-ph-insert"'
+				. ' data-field="' . $id . '" data-ph="' . htmlspecialchars($ph) . '">'
+				. htmlspecialchars($ph) . '</button>';
+		}
+
+		$html .= '</div>';
+
+		$html .= <<<JS
+<script>
+document.querySelectorAll('.moko-ph-insert[data-field="{$id}"]').forEach(function(btn) {
+	btn.addEventListener('click', function(e) {
+		e.preventDefault();
+		var target = document.getElementById(this.getAttribute('data-field'));
+		var ph = this.getAttribute('data-ph');
+		if (!target) return;
+		var start = target.selectionStart || 0;
+		var end = target.selectionEnd || 0;
+		var val = target.value;
+		target.value = val.substring(0, start) + ph + val.substring(end);
+		var newPos = start + ph.length;
+		target.setSelectionRange(newPos, newPos);
+		target.focus();
+		target.dispatchEvent(new Event('input', { bubbles: true }));
+	});
+});
+</script>
+JS;
+
+		return $html;
+	}
+}
@@ -0,0 +1,253 @@
+<?php
+
+/**
+ * @package     MokoSuiteBackup
+ * @subpackage  com_mokosuitebackup
+ * @author      Moko Consulting <hello@mokoconsulting.tech>
+ * @copyright   Copyright (C) 2026 Moko Consulting. All rights reserved.
+ * @license     GNU General Public License version 3 or later; see LICENSE
+ *
+ * SFTP remote path field with Browse Remote button and modal directory browser.
+ */
+
+namespace Joomla\Component\MokoSuiteBackup\Administrator\Field;
+
+defined('_JEXEC') or die;
+
+use Joomla\CMS\Form\FormField;
+
+class SftpPathField extends FormField
+{
+	protected $type = 'SftpPath';
+
+	protected function getInput(): string
+	{
+		$value = htmlspecialchars($this->value ?: $this->default, ENT_QUOTES, 'UTF-8');
+		$id    = htmlspecialchars($this->id, ENT_QUOTES, 'UTF-8');
+		$name  = htmlspecialchars($this->name, ENT_QUOTES, 'UTF-8');
+
+		return <<<HTML
+<div class="input-group">
+	<input type="text" name="{$name}" id="{$id}" value="{$value}"
+		class="form-control" maxlength="512"
+		placeholder="/backups" />
+	<button type="button" class="btn btn-outline-secondary" id="{$id}_browseBtn"
+		title="Browse directories on the remote SFTP server">
+		<span class="icon-folder-open" aria-hidden="true"></span>
+		Browse Remote
+	</button>
+</div>
+<div class="modal fade" id="{$id}_sftpModal" tabindex="-1" aria-labelledby="{$id}_sftpModalLabel" aria-hidden="true">
+	<div class="modal-dialog">
+		<div class="modal-content">
+			<div class="modal-header">
+				<h5 class="modal-title" id="{$id}_sftpModalLabel">
+					<span class="icon-folder-open" aria-hidden="true"></span>
+					Browse Remote SFTP Directory
+				</h5>
+				<button type="button" class="btn-close" data-bs-dismiss="modal" aria-label="Close"></button>
+			</div>
+			<div class="modal-body">
+				<div id="{$id}_sftpStatus" class="mb-2">
+					<small class="text-muted">Click "Browse Remote" to connect...</small>
+				</div>
+				<div id="{$id}_sftpCurrent" class="mb-2 p-2 bg-light border rounded" style="font-family:monospace; font-size:0.85rem;">
+					/
+				</div>
+				<div id="{$id}_sftpTree" class="border rounded" style="max-height:350px; overflow-y:auto;">
+				</div>
+				<div class="mt-2">
+					<small class="text-muted">
+						Click a directory to navigate into it. Click "Select This Directory" to use the current path.
+						<br>SFTP credentials must be saved in the profile before browsing.
+					</small>
+				</div>
+			</div>
+			<div class="modal-footer">
+				<button type="button" class="btn btn-secondary" data-bs-dismiss="modal">Cancel</button>
+				<button type="button" class="btn btn-primary" id="{$id}_sftpSelect">
+					<span class="icon-checkmark" aria-hidden="true"></span>
+					Select This Directory
+				</button>
+			</div>
+		</div>
+	</div>
+</div>
+<script>
+(function() {
+	var fieldId   = '{$id}';
+	var input     = document.getElementById(fieldId);
+	var browseBtn = document.getElementById(fieldId + '_browseBtn');
+	var modalEl   = document.getElementById(fieldId + '_sftpModal');
+	var treeEl    = document.getElementById(fieldId + '_sftpTree');
+	var statusEl  = document.getElementById(fieldId + '_sftpStatus');
+	var currentEl = document.getElementById(fieldId + '_sftpCurrent');
+	var selectBtn = document.getElementById(fieldId + '_sftpSelect');
+	var currentPath = '/';
+
+	function getProfileId() {
+		var el = document.getElementById('jform_id');
+		return el ? parseInt(el.value, 10) || 0 : 0;
+	}
+
+	function showModal() {
+		if (typeof bootstrap !== 'undefined' && bootstrap.Modal) {
+			var modal = bootstrap.Modal.getOrCreateInstance(modalEl);
+			modal.show();
+		}
+	}
+
+	function hideModal() {
+		if (typeof bootstrap !== 'undefined' && bootstrap.Modal) {
+			var modal = bootstrap.Modal.getInstance(modalEl);
+			if (modal) modal.hide();
+		}
+	}
+
+	/**
+	 * Set the status message using safe DOM methods (no innerHTML).
+	 * @param {string} cssClass  - CSS class for the small element
+	 * @param {string} iconClass - Icon CSS class (e.g. 'icon-spinner icon-spin'), or empty
+	 * @param {string} text      - Plain text message
+	 */
+	function setStatus(cssClass, iconClass, text) {
+		while (statusEl.firstChild) statusEl.removeChild(statusEl.firstChild);
+		var small = document.createElement('small');
+		small.className = cssClass;
+		if (iconClass) {
+			var icon = document.createElement('span');
+			icon.className = iconClass;
+			icon.setAttribute('aria-hidden', 'true');
+			small.appendChild(icon);
+			small.appendChild(document.createTextNode(' '));
+		}
+		small.appendChild(document.createTextNode(text));
+		statusEl.appendChild(small);
+	}
+
+	function loadSftpDir(path) {
+		currentPath = path;
+		currentEl.textContent = path;
+		while (treeEl.firstChild) treeEl.removeChild(treeEl.firstChild);
+		setStatus('text-muted', 'icon-spinner icon-spin', 'Connecting to remote server...');
+
+		var profileId = getProfileId();
+		if (!profileId) {
+			setStatus('text-danger', '', 'Please save the profile first so SFTP credentials are available.');
+			return;
+		}
+
+		var form = new URLSearchParams();
+		form.append('task', 'ajax.browseSftpDir');
+		form.append('profile_id', profileId);
+		form.append('path', path);
+
+		var tokenName = Joomla.getOptions('csrf.token') || '';
+		if (tokenName) form.append(tokenName, '1');
+
+		fetch('index.php?option=com_mokosuitebackup&format=json', {
+			method: 'POST',
+			body: form,
+			headers: { 'X-Requested-With': 'XMLHttpRequest' }
+		})
+		.then(function(r) {
+			if (!r.ok) throw new Error('Server error (HTTP ' + r.status + ')');
+			return r.json();
+		})
+		.then(function(data) {
+			if (data.error) {
+				setStatus('text-danger', 'icon-warning', data.message || 'Error');
+				return;
+			}
+			var count = data.dirs ? data.dirs.length : 0;
+			setStatus('text-success', 'icon-publish', 'Connected \u2014 ' + count + ' subdirectories');
+			currentPath = data.current || path;
+			currentEl.textContent = currentPath;
+			renderSftpTree(data);
+		})
+		.catch(function(err) {
+			setStatus('text-danger', 'icon-warning', err.message);
+		});
+	}
+
+	function renderSftpTree(data) {
+		while (treeEl.firstChild) treeEl.removeChild(treeEl.firstChild);
+		var list = document.createElement('div');
+		list.className = 'list-group list-group-flush';
+
+		/* Parent / back button */
+		if (data.parent !== null && data.parent !== undefined) {
+			var up = document.createElement('a');
+			up.href = '#';
+			up.className = 'list-group-item list-group-item-action py-1';
+			var upIcon = document.createElement('span');
+			upIcon.className = 'icon-arrow-up-4';
+			upIcon.setAttribute('aria-hidden', 'true');
+			up.appendChild(upIcon);
+			up.appendChild(document.createTextNode(' .. (parent directory)'));
+			up.addEventListener('click', function(e) {
+				e.preventDefault();
+				loadSftpDir(data.parent);
+			});
+			list.appendChild(up);
+		}
+
+		/* Directory entries */
+		var dirs = data.dirs || [];
+
+		dirs.forEach(function(dir) {
+			var item = document.createElement('a');
+			item.href = '#';
+			item.className = 'list-group-item list-group-item-action py-1';
+			var folderIcon = document.createElement('span');
+			folderIcon.className = 'icon-folder';
+			folderIcon.setAttribute('aria-hidden', 'true');
+			item.appendChild(folderIcon);
+			item.appendChild(document.createTextNode(' ' + dir.name));
+
+			item.addEventListener('click', function(e) {
+				e.preventDefault();
+				loadSftpDir(dir.path);
+			});
+
+			/* Double-click to select and close */
+			item.addEventListener('dblclick', function(e) {
+				e.preventDefault();
+				input.value = dir.path;
+				input.dispatchEvent(new Event('change', { bubbles: true }));
+				hideModal();
+			});
+
+			list.appendChild(item);
+		});
+
+		if (dirs.length === 0) {
+			var empty = document.createElement('div');
+			empty.className = 'list-group-item text-muted py-2';
+			empty.textContent = '(no subdirectories)';
+			list.appendChild(empty);
+		}
+
+		treeEl.appendChild(list);
+	}
+
+	/* Browse button click */
+	browseBtn.addEventListener('click', function(e) {
+		e.preventDefault();
+		var startPath = input.value.trim() || '/';
+		showModal();
+		loadSftpDir(startPath);
+	});
+
+	/* Select button — use the current directory */
+	selectBtn.addEventListener('click', function(e) {
+		e.preventDefault();
+		input.value = currentPath;
+		input.dispatchEvent(new Event('change', { bubbles: true }));
+		hideModal();
+	});
+})();
+</script>
+HTML;
+	}
+}
@@ -0,0 +1,109 @@
+<?php
+
+/**
+ * @package     MokoSuiteBackup
+ * @subpackage  com_mokosuitebackup
+ * @author      Moko Consulting <hello@mokoconsulting.tech>
+ * @copyright   Copyright (C) 2026 Moko Consulting. All rights reserved.
+ * @license     GNU General Public License version 3 or later; see LICENSE
+ *
+ * Custom field for SSH private key input.
+ * Supports both file upload (via FileReader JS) and paste-in textarea.
+ * The key content is stored in the database, not as a file on disk.
+ */
+
+namespace Joomla\Component\MokoSuiteBackup\Administrator\Field;
+
+defined('_JEXEC') or die;
+
+use Joomla\CMS\Form\FormField;
+use Joomla\CMS\Language\Text;
+
+class SshKeyField extends FormField
+{
+	protected $type = 'SshKey';
+
+	protected function getInput(): string
+	{
+		$value = $this->value ?? '';
+		$id    = $this->id;
+		$name  = $this->name;
+
+		$hasKey = !empty($value) && str_contains($value, 'PRIVATE KEY');
+
+		$html = '<div id="' . htmlspecialchars($id) . '-wrapper">';
+
+		/* Status badge */
+		if ($hasKey) {
+			$html .= '<span class="badge bg-success me-2">'
+				. '<span class="icon-lock" aria-hidden="true"></span> '
+				. Text::_('COM_MOKOJOOMBACKUP_FIELD_SFTP_KEY_LOADED')
+				. '</span>';
+		}
+
+		/* File upload button */
+		$html .= '<label class="btn btn-outline-secondary btn-sm" for="' . htmlspecialchars($id) . '-file">';
+		$html .= '<span class="icon-upload" aria-hidden="true"></span> ';
+		$html .= $hasKey ? Text::_('COM_MOKOJOOMBACKUP_FIELD_SFTP_KEY_REPLACE') : Text::_('COM_MOKOJOOMBACKUP_FIELD_SFTP_KEY_UPLOAD');
+		$html .= '</label>';
+		$html .= '<input type="file" id="' . htmlspecialchars($id) . '-file"'
+			. ' accept=".pem,.key,.openssh,.ppk,*" style="display:none;"'
+			. ' onchange="mokoSshKeyFileSelected(\'' . htmlspecialchars($id) . '\', this)">';
+
+		$html .= '<span id="' . htmlspecialchars($id) . '-status" class="ms-2 text-muted small"></span>';
+
+		if ($hasKey) {
+			$html .= ' <button type="button" class="btn btn-sm btn-outline-danger ms-2"'
+				. ' onclick="mokoSshKeyClear(\'' . htmlspecialchars($id) . '\')">'
+				. '<span class="icon-times" aria-hidden="true"></span> '
+				. Text::_('COM_MOKOJOOMBACKUP_FIELD_SFTP_KEY_CLEAR')
+				. '</button>';
+		}
+
+		/* Hidden field — key data is NEVER rendered as visible text.
+		   On existing keys, we submit a sentinel value to preserve the DB value
+		   unless a new file is uploaded or clear is clicked. */
+		if ($hasKey) {
+			$html .= '<input type="hidden" name="' . htmlspecialchars($name) . '" id="' . htmlspecialchars($id) . '"'
+				. ' value="__KEEP_EXISTING__">';
+		} else {
+			$html .= '<input type="hidden" name="' . htmlspecialchars($name) . '" id="' . htmlspecialchars($id) . '"'
+				. ' value="">';
+		}
+
+		$html .= '</div>';
+		$html .= $this->getScript();
+
+		return $html;
+	}
+
+	private function getScript(): string
+	{
+		return <<<'JS'
+<script>
+function mokoSshKeyFileSelected(fieldId, input) {
+	if (!input.files || !input.files[0]) return;
+	var file = input.files[0];
+	var reader = new FileReader();
+	reader.onload = function(e) {
+		/* Base64 encode the key before storing in the hidden field */
+		var content = e.target.result;
+		var encoded = btoa(content);
+		document.getElementById(fieldId).value = encoded;
+		var status = document.getElementById(fieldId + '-status');
+		if (status) status.textContent = file.name + ' uploaded';
+	};
+	reader.readAsText(file);
+}
+
+function mokoSshKeyClear(fieldId) {
+	document.getElementById(fieldId).value = '';
+	var status = document.getElementById(fieldId + '-status');
+	if (status) status.textContent = 'Key removed';
+	var fileInput = document.getElementById(fieldId + '-file');
+	if (fileInput) fileInput.value = '';
+}
+</script>
+JS;
+	}
+}
@@ -198,6 +198,90 @@ class DashboardModel extends BaseDatabaseModel
 		return false;
 	}

+	/**
+	 * Get latest snapshot info for the dashboard widget.
+	 */
+	public function getLatestSnapshot(): ?object
+	{
+		$db    = $this->getDatabase();
+
+		try {
+			$query = $db->getQuery(true)
+				->select('*')
+				->from($db->quoteName('#__mokosuitebackup_snapshots'))
+				->where($db->quoteName('status') . ' = ' . $db->quote('complete'))
+				->order($db->quoteName('created') . ' DESC');
+			$db->setQuery($query, 0, 1);
+
+			return $db->loadObject() ?: null;
+		} catch (\Throwable $e) {
+			return null;
+		}
+	}
+
+	/**
+	 * Get snapshot count.
+	 */
+	public function getSnapshotCount(): int
+	{
+		$db = $this->getDatabase();
+
+		try {
+			$query = $db->getQuery(true)
+				->select('COUNT(*)')
+				->from($db->quoteName('#__mokosuitebackup_snapshots'));
+			$db->setQuery($query);
+
+			return (int) $db->loadResult();
+		} catch (\Throwable $e) {
+			return 0;
+		}
+	}
+
+	/**
+	 * Get backup size trend data for the last 30 days.
+	 * Returns array of {date, total_size, count, status} grouped by day.
+	 */
+	public function getBackupTrend(): array
+	{
+		$db     = $this->getDatabase();
+		$cutoff = date('Y-m-d', strtotime('-30 days'));
+
+		$query = $db->getQuery(true)
+			->select('DATE(' . $db->quoteName('backupstart') . ') AS backup_date')
+			->select('SUM(' . $db->quoteName('total_size') . ') AS day_size')
+			->select('COUNT(*) AS day_count')
+			->select('SUM(CASE WHEN ' . $db->quoteName('status') . ' = ' . $db->quote('fail') . ' THEN 1 ELSE 0 END) AS fail_count')
+			->from($db->quoteName('#__mokosuitebackup_records'))
+			->where('DATE(' . $db->quoteName('backupstart') . ') >= ' . $db->quote($cutoff))
+			->group('DATE(' . $db->quoteName('backupstart') . ')')
+			->order('backup_date ASC');
+		$db->setQuery($query);
+
+		return $db->loadObjectList() ?: [];
+	}
+
+	/**
+	 * Get storage breakdown by profile.
+	 */
+	public function getStorageByProfile(): array
+	{
+		$db = $this->getDatabase();
+
+		$query = $db->getQuery(true)
+			->select('p.title AS profile_title')
+			->select('COUNT(*) AS backup_count')
+			->select('COALESCE(SUM(r.total_size), 0) AS total_size')
+			->from($db->quoteName('#__mokosuitebackup_records', 'r'))
+			->join('LEFT', $db->quoteName('#__mokosuitebackup_profiles', 'p') . ' ON p.id = r.profile_id')
+			->where($db->quoteName('r.status') . ' = ' . $db->quote('complete'))
+			->group($db->quoteName('r.profile_id'))
+			->order('total_size DESC');
+		$db->setQuery($query);
+
+		return $db->loadObjectList() ?: [];
+	}
+
 	/**
 	 * Get published backup profiles for the quick-action selector.
 	 *
@@ -40,6 +40,13 @@ class ProfilesModel extends ListModel
 		$query->select('a.*')
 			->from($db->quoteName('#__mokosuitebackup_profiles', 'a'));

+		// Subquery: count of backup records per profile
+		$subQuery = $db->getQuery(true)
+			->select('COUNT(*)')
+			->from($db->quoteName('#__mokosuitebackup_records', 'r'))
+			->where($db->quoteName('r.profile_id') . ' = ' . $db->quoteName('a.id'));
+		$query->select('(' . $subQuery . ') AS ' . $db->quoteName('backup_count'));
+
 		$published = $this->getState('filter.published');

 		if (is_numeric($published)) {
@@ -25,6 +25,23 @@ class ProfileTable extends Table

 	public function store($updateNulls = true): bool
 	{
+		/* Handle SSH key sentinel — when __KEEP_EXISTING__ is submitted,
+		   preserve the current DB value instead of overwriting with the sentinel.
+		   This prevents the key from being exposed in the form HTML. */
+		if (isset($this->sftp_key_data) && $this->sftp_key_data === '__KEEP_EXISTING__') {
+			if ($this->id) {
+				$db    = $this->getDbo();
+				$query = $db->getQuery(true)
+					->select($db->quoteName('sftp_key_data'))
+					->from($db->quoteName($this->_tbl))
+					->where($db->quoteName('id') . ' = ' . (int) $this->id);
+				$db->setQuery($query);
+				$this->sftp_key_data = $db->loadResult() ?: '';
+			} else {
+				$this->sftp_key_data = '';
+			}
+		}
+
 		$result = parent::store($updateNulls);

 		if ($result && !empty($this->backup_dir)) {
@@ -272,6 +272,6 @@ HTACCESS;
 	 */
 	public static function logPathFromArchive(string $archivePath): string
 	{
-		return preg_replace('/\.(zip|tar\.gz)$/i', '.log', $archivePath);
+		return preg_replace('/\.(zip|tar\.gz|7z)$/i', '.log', $archivePath);
 	}
 }
@@ -120,12 +120,22 @@ class HtmlView extends BaseHtmlView
 			ToolbarHelper::custom('backups.restore', 'upload', '', 'COM_MOKOJOOMBACKUP_TOOLBAR_RESTORE', true);
 		}

-		ToolbarHelper::custom('backups.verify', 'shield', '', 'COM_MOKOJOOMBACKUP_TOOLBAR_VERIFY', true);
+		if ($user->authorise('core.manage', 'com_mokosuitebackup')) {
+			ToolbarHelper::custom('backups.verify', 'shield', '', 'COM_MOKOJOOMBACKUP_TOOLBAR_VERIFY', true);
+		}
+
+		if ($user->authorise('mokosuitebackup.backup.compare', 'com_mokosuitebackup')) {
+			ToolbarHelper::custom('backups.compare', 'copy', '', 'COM_MOKOJOOMBACKUP_TOOLBAR_COMPARE', true);
+		}

 		if ($user->authorise('core.delete', 'com_mokosuitebackup')) {
 			ToolbarHelper::deleteList('JGLOBAL_CONFIRM_DELETE', 'backups.delete');
 		}

+		if ($user->authorise('mokosuitebackup.backup.purge', 'com_mokosuitebackup')) {
+			ToolbarHelper::custom('backups.purgeModal', 'trash', '', 'COM_MOKOJOOMBACKUP_TOOLBAR_PURGE', false);
+		}
+
 		if ($user->authorise('core.admin', 'com_mokosuitebackup')) {
 			ToolbarHelper::preferences('com_mokosuitebackup');
 		}
@@ -24,18 +24,26 @@ class HtmlView extends BaseHtmlView
 	public array $systemHealth = [];
 	public array $profiles = [];
 	public bool $defaultDirWarning = false;
+	public ?object $latestSnapshot = null;
+	public int $snapshotCount = 0;
+	public array $backupTrend = [];
+	public array $storageByProfile = [];

 	public function display($tpl = null): void
 	{
 		/** @var \Joomla\Component\MokoSuiteBackup\Administrator\Model\DashboardModel $model */
 		$model = $this->getModel();

-		$this->lastBackup       = $model->getLastBackup();
-		$this->nextScheduled    = $model->getNextScheduled();
-		$this->stats            = $model->getStats();
-		$this->systemHealth     = $model->getSystemHealth();
-		$this->profiles         = $model->getProfiles();
+		$this->lastBackup        = $model->getLastBackup();
+		$this->nextScheduled     = $model->getNextScheduled();
+		$this->stats             = $model->getStats();
+		$this->systemHealth      = $model->getSystemHealth();
+		$this->profiles          = $model->getProfiles();
 		$this->defaultDirWarning = $model->isUsingDefaultBackupDir();
+		$this->latestSnapshot    = $model->getLatestSnapshot();
+		$this->snapshotCount     = $model->getSnapshotCount();
+		$this->backupTrend       = $model->getBackupTrend();
+		$this->storageByProfile  = $model->getStorageByProfile();

 		$this->addToolbar();

@@ -15,6 +15,9 @@ defined('_JEXEC') or die;
 use Joomla\CMS\Factory;
 use Joomla\CMS\Language\Text;
 use Joomla\CMS\MVC\View\HtmlView as BaseHtmlView;
+use Joomla\CMS\Router\Route;
+use Joomla\CMS\Session\Session;
+use Joomla\CMS\Toolbar\Toolbar;
 use Joomla\CMS\Toolbar\ToolbarHelper;

 class HtmlView extends BaseHtmlView
@@ -48,6 +51,27 @@ class HtmlView extends BaseHtmlView
 			ToolbarHelper::save('profile.save');
 		}

+		if (!$isNew) {
+			$toolbar = Toolbar::getInstance();
+			$profileId = (int) $this->item->id;
+
+			// "Run Backup Now" button — links to backup start with CSRF token
+			if ($user->authorise('mokosuitebackup.backup.run', 'com_mokosuitebackup')) {
+				$runUrl = Route::_('index.php?option=com_mokosuitebackup&view=backups&task=backups.start&profile_id=' . $profileId . '&' . Session::getFormToken() . '=1');
+				$toolbar->linkButton('run-backup', 'COM_MOKOJOOMBACKUP_RUN_BACKUP_NOW')
+					->url($runUrl)
+					->icon('icon-play')
+					->buttonClass('btn btn-success');
+			}
+
+			// "View Backups" link button
+			$backupsUrl = Route::_('index.php?option=com_mokosuitebackup&view=backups&filter[PROFILE_ID]=' . $profileId);
+			$toolbar->linkButton('view-backups', 'COM_MOKOJOOMBACKUP_VIEW_BACKUPS')
+				->url($backupsUrl)
+				->icon('icon-database')
+				->buttonClass('btn btn-info');
+		}
+
 		ToolbarHelper::cancel('profile.cancel', $isNew ? 'JTOOLBAR_CANCEL' : 'JTOOLBAR_CLOSE');
 	}
 }
@@ -94,6 +94,28 @@ $ajaxUrl   = Route::_('index.php?option=com_mokosuitebackup&format=json', false)
 			</tbody>
 		</table>

+		<?php if ($this->item->status === 'complete' && !empty($this->item->filesexist)) : ?>
+		<!-- Archive Browser -->
+		<h4 class="mt-4">
+			<span class="icon-folder-open" aria-hidden="true"></span>
+			<?php echo Text::_('COM_MOKOJOOMBACKUP_BROWSE_ARCHIVE'); ?>
+		</h4>
+		<div id="mb-detail-browse" class="bg-light rounded" style="max-height:400px; overflow-y:auto;">
+			<div id="mb-detail-browse-summary" class="p-2 text-muted" style="font-size:0.85rem;"></div>
+			<table class="table table-sm table-striped mb-0">
+				<thead>
+					<tr>
+						<th><?php echo Text::_('COM_MOKOJOOMBACKUP_BROWSE_COL_NAME'); ?></th>
+						<th class="text-end" style="width:100px;"><?php echo Text::_('COM_MOKOJOOMBACKUP_BROWSE_COL_SIZE'); ?></th>
+						<th class="text-end" style="width:120px;"><?php echo Text::_('COM_MOKOJOOMBACKUP_BROWSE_COL_COMPRESSED'); ?></th>
+					</tr>
+				</thead>
+				<tbody id="mb-detail-browse-tbody">
+				</tbody>
+			</table>
+		</div>
+		<?php endif; ?>
+
 		<!-- Backup Log -->
 		<h4 class="mt-4"><?php echo Text::_('COM_MOKOJOOMBACKUP_VIEW_LOG'); ?></h4>
 		<div id="mb-detail-log" class="bg-light p-3 rounded" style="max-height:400px; overflow-y:auto;">
@@ -104,22 +126,105 @@ $ajaxUrl   = Route::_('index.php?option=com_mokosuitebackup&format=json', false)

 <script>
 (function() {
-	var form = new URLSearchParams();
-	form.append('task', 'ajax.viewLog');
-	form.append('id', <?php echo (int) $this->item->id; ?>);
-	form.append(<?php echo json_encode($ajaxToken); ?>, '1');
+	var AJAX_URL = <?php echo json_encode($ajaxUrl); ?>;
+	var TOKEN_NAME = <?php echo json_encode($ajaxToken); ?>;

-	fetch(<?php echo json_encode($ajaxUrl); ?>, {
-		method: 'POST',
-		body: form,
-		headers: { 'X-Requested-With': 'XMLHttpRequest' }
-	})
-	.then(function(r) { return r.json(); })
+	function postAjax(params) {
+		var form = new URLSearchParams();
+		form.append(TOKEN_NAME, '1');
+		for (var k in params) {
+			if (params.hasOwnProperty(k)) {
+				form.append(k, params[k]);
+			}
+		}
+		return fetch(AJAX_URL, {
+			method: 'POST',
+			body: form,
+			headers: { 'X-Requested-With': 'XMLHttpRequest' }
+		}).then(function(r) { return r.json(); });
+	}
+
+	// Load log
+	postAjax({ task: 'ajax.viewLog', id: <?php echo (int) $this->item->id; ?> })
 	.then(function(data) {
 		document.getElementById('mb-detail-log-body').textContent = data.error ? data.message : data.log;
 	})
 	.catch(function(err) {
 		document.getElementById('mb-detail-log-body').textContent = 'Error: ' + err.message;
 	});
+
+	<?php if ($this->item->status === 'complete' && !empty($this->item->filesexist)) : ?>
+	// Load archive contents
+	function formatFileSize(bytes) {
+		if (bytes === 0) return '0 B';
+		var units = ['B', 'KB', 'MB', 'GB'];
+		var i = Math.floor(Math.log(bytes) / Math.log(1024));
+		if (i >= units.length) i = units.length - 1;
+		return (bytes / Math.pow(1024, i)).toFixed(i === 0 ? 0 : 1) + ' ' + units[i];
+	}
+
+	function browseSetMessage(tbody, message, cssClass) {
+		tbody.textContent = '';
+		var tr = document.createElement('tr');
+		var td = document.createElement('td');
+		td.setAttribute('colspan', '3');
+		td.className = cssClass || 'text-center';
+		td.textContent = message;
+		tr.appendChild(td);
+		tbody.appendChild(tr);
+	}
+
+	function browseAddFileRow(tbody, file) {
+		var tr = document.createElement('tr');
+
+		var tdName = document.createElement('td');
+		tdName.style.wordBreak = 'break-all';
+		tdName.style.fontSize = '0.85rem';
+		var code = document.createElement('code');
+		code.textContent = file.name;
+		tdName.appendChild(code);
+		tr.appendChild(tdName);
+
+		var tdSize = document.createElement('td');
+		tdSize.className = 'text-end text-nowrap';
+		tdSize.textContent = formatFileSize(file.size);
+		tr.appendChild(tdSize);
+
+		var tdComp = document.createElement('td');
+		tdComp.className = 'text-end text-nowrap';
+		tdComp.textContent = formatFileSize(file.compressed_size);
+		tr.appendChild(tdComp);
+
+		tbody.appendChild(tr);
+	}
+
+	var browseTbody = document.getElementById('mb-detail-browse-tbody');
+	var browseSummary = document.getElementById('mb-detail-browse-summary');
+	browseSetMessage(browseTbody, 'Loading...');
+
+	postAjax({ task: 'ajax.browseArchive', id: <?php echo (int) $this->item->id; ?> })
+	.then(function(data) {
+		if (data.error) {
+			browseSetMessage(browseTbody, data.message || 'Error', 'text-danger');
+			return;
+		}
+		browseTbody.textContent = '';
+		if (data.files.length === 0) {
+			browseSetMessage(browseTbody, 'Archive is empty', 'text-center text-muted');
+		} else {
+			for (var i = 0; i < data.files.length; i++) {
+				browseAddFileRow(browseTbody, data.files[i]);
+			}
+		}
+		var text = data.total_files + ' files, ' + formatFileSize(data.total_size) + ' uncompressed';
+		if (data.truncated) {
+			text += ' (showing first ' + data.files.length + ')';
+		}
+		browseSummary.textContent = text;
+	})
+	.catch(function(err) {
+		browseSetMessage(browseTbody, 'Error: ' + err.message, 'text-danger');
+	});
+	<?php endif; ?>
 })();
 </script>
@@ -155,6 +155,13 @@ $listDirn  = $this->escape($this->state->get('list.direction'));
 											</span>
 										<?php endif; ?>
 									<?php endif; ?>
+									<?php if ($item->status === 'complete' && $item->filesexist) : ?>
+									<button type="button" class="btn btn-sm btn-outline-info mb-browse-archive"
+											data-id="<?php echo (int) $item->id; ?>"
+											title="<?php echo Text::_('COM_MOKOJOOMBACKUP_BROWSE_ARCHIVE'); ?>">
+										<span class="icon-folder-open"></span>
+									</button>
+									<?php endif; ?>
 									<button type="button" class="btn btn-sm btn-outline-secondary mb-view-log"
 											data-id="<?php echo (int) $item->id; ?>"
 											title="<?php echo Text::_('COM_MOKOJOOMBACKUP_VIEW_LOG'); ?>">
@@ -184,6 +191,10 @@ $listDirn  = $this->escape($this->state->get('list.direction'));
 <div id="mokosuitebackup-modal" style="display:none; position:fixed; top:0; left:0; width:100%; height:100%; background:rgba(0,0,0,0.6); z-index:10000;">
 	<div style="max-width:500px; margin:10% auto; background:#fff; border-radius:8px; padding:2rem; box-shadow:0 4px 20px rgba(0,0,0,0.3);">
 		<h3 id="mb-modal-title" style="margin:0 0 1rem;">Backup in Progress</h3>
+		<div class="alert alert-warning py-1 px-2 mb-2" style="font-size:0.85rem;">
+			<span class="icon-warning-circle" aria-hidden="true"></span>
+			<strong>Do not navigate away or close this window</strong> while the backup is running.
+		</div>
 		<div style="background:#e9ecef; border-radius:4px; overflow:hidden; height:24px; margin-bottom:0.5rem;">
 			<div id="mb-progress-bar" style="height:100%; background:#0d6efd; transition:width 0.3s; width:0%; display:flex; align-items:center; justify-content:center; color:#fff; font-size:0.8rem; font-weight:bold;">0%</div>
 		</div>
@@ -346,6 +357,106 @@ $listDirn  = $this->escape($this->state->get('list.direction'));
 		}
 	});

+	// AJAX stepped restore
+	var restoreRunning = false;
+
+	function showRestoreProgress() {
+		restoreRunning = true;
+		document.getElementById('mb-restore-modal').style.display = 'none';
+		document.getElementById('mb-restore-progress-modal').style.display = 'block';
+	}
+
+	function hideRestoreProgress() {
+		restoreRunning = false;
+		document.getElementById('mb-restore-progress-modal').style.display = 'none';
+	}
+
+	function updateRestoreProgress(progress, message, phase) {
+		var bar = document.getElementById('mb-restore-progress-bar');
+		bar.style.width = progress + '%';
+		bar.textContent = progress + '%';
+		document.getElementById('mb-restore-status').textContent = message;
+		document.getElementById('mb-restore-phase').textContent = 'Phase: ' + phase;
+	}
+
+	window.addEventListener('beforeunload', function(e) {
+		if (restoreRunning) {
+			e.preventDefault();
+			e.returnValue = '';
+		}
+	});
+
+	async function startSteppedRestore(e) {
+		e.preventDefault();
+
+		var recordId       = document.getElementById('mb-restore-record-id').value;
+		var restoreFiles   = document.getElementById('mb-restore-files').checked ? 1 : 0;
+		var restoreDb      = document.getElementById('mb-restore-db').checked ? 1 : 0;
+		var preserveConfig = document.getElementById('mb-restore-config').checked ? 1 : 0;
+		var password       = document.getElementById('mb-restore-password').value;
+
+		showRestoreProgress();
+		updateRestoreProgress(0, 'Initializing restore...', 'init');
+
+		try {
+			var initResult = await postAjax({
+				task: 'ajax.restoreInit',
+				id: recordId,
+				restore_files: restoreFiles,
+				restore_db: restoreDb,
+				preserve_config: preserveConfig,
+				encryption_password: password
+			});
+
+			if (initResult.error) {
+				updateRestoreProgress(0, 'ERROR: ' + initResult.message, 'failed');
+				document.getElementById('mb-restore-title').textContent = 'Restore Failed';
+				setTimeout(hideRestoreProgress, 5000);
+				return;
+			}
+
+			var sessionId = initResult.session_id;
+			updateRestoreProgress(initResult.progress, initResult.message, initResult.phase);
+
+			var done = false;
+			while (!done) {
+				var stepResult = await postAjax({
+					task: 'ajax.restoreStep',
+					session_id: sessionId
+				});
+
+				if (stepResult.error) {
+					updateRestoreProgress(0, 'ERROR: ' + stepResult.message, 'failed');
+					document.getElementById('mb-restore-title').textContent = 'Restore Failed';
+					setTimeout(hideRestoreProgress, 5000);
+					return;
+				}
+
+				updateRestoreProgress(stepResult.progress, stepResult.message, stepResult.phase);
+				done = stepResult.done || false;
+			}
+
+			document.getElementById('mb-restore-title').textContent = 'Restore Complete';
+			setTimeout(function() {
+				hideRestoreProgress();
+				location.reload();
+			}, 2000);
+
+		} catch (err) {
+			updateRestoreProgress(0, 'ERROR: ' + err.message, 'failed');
+			document.getElementById('mb-restore-title').textContent = 'Restore Failed';
+			setTimeout(hideRestoreProgress, 5000);
+		}
+	}
+
+	// Attach the AJAX restore handler to the restore form
+	document.addEventListener('DOMContentLoaded', function() {
+		var restoreForm = document.getElementById('mb-restore-form');
+		if (restoreForm) {
+			restoreForm.addEventListener('submit', startSteppedRestore);
+		}
+	});
+
 	// View Log modal handler
 	document.addEventListener('click', function(e) {
 		var btn = e.target.closest('.mb-view-log');
@@ -385,6 +496,93 @@ $listDirn  = $this->escape($this->state->get('list.direction'));
 			document.getElementById('mb-log-modal').style.display = 'none';
 		}
 	});
+
+	// Browse Archive modal handler
+	function formatFileSize(bytes) {
+		if (bytes === 0) return '0 B';
+		var units = ['B', 'KB', 'MB', 'GB'];
+		var i = Math.floor(Math.log(bytes) / Math.log(1024));
+		if (i >= units.length) i = units.length - 1;
+		return (bytes / Math.pow(1024, i)).toFixed(i === 0 ? 0 : 1) + ' ' + units[i];
+	}
+
+	function browseSetMessage(tbody, message, cssClass) {
+		tbody.textContent = '';
+		var tr = document.createElement('tr');
+		var td = document.createElement('td');
+		td.setAttribute('colspan', '3');
+		td.className = cssClass || 'text-center';
+		td.textContent = message;
+		tr.appendChild(td);
+		tbody.appendChild(tr);
+	}
+
+	function browseAddFileRow(tbody, file) {
+		var tr = document.createElement('tr');
+
+		var tdName = document.createElement('td');
+		tdName.style.wordBreak = 'break-all';
+		tdName.style.fontSize = '0.85rem';
+		var code = document.createElement('code');
+		code.textContent = file.name;
+		tdName.appendChild(code);
+		tr.appendChild(tdName);
+
+		var tdSize = document.createElement('td');
+		tdSize.className = 'text-end text-nowrap';
+		tdSize.textContent = formatFileSize(file.size);
+		tr.appendChild(tdSize);
+
+		var tdComp = document.createElement('td');
+		tdComp.className = 'text-end text-nowrap';
+		tdComp.textContent = formatFileSize(file.compressed_size);
+		tr.appendChild(tdComp);
+
+		tbody.appendChild(tr);
+	}
+
+	document.addEventListener('click', function(e) {
+		var btn = e.target.closest('.mb-browse-archive');
+		if (!btn) return;
+		e.preventDefault();
+		var recordId = btn.getAttribute('data-id');
+		var modal = document.getElementById('mb-browse-modal');
+		var tbody = document.getElementById('mb-browse-tbody');
+		var summary = document.getElementById('mb-browse-summary');
+		browseSetMessage(tbody, 'Loading...');
+		summary.textContent = '';
+		modal.style.display = 'block';
+
+		postAjax({ task: 'ajax.browseArchive', id: recordId })
+		.then(function(data) {
+			if (data.error) {
+				browseSetMessage(tbody, data.message || 'Error', 'text-danger');
+				return;
+			}
+			tbody.textContent = '';
+			if (data.files.length === 0) {
+				browseSetMessage(tbody, 'Archive is empty', 'text-center text-muted');
+			} else {
+				for (var i = 0; i < data.files.length; i++) {
+					browseAddFileRow(tbody, data.files[i]);
+				}
+			}
+			var text = data.total_files + ' files, ' + formatFileSize(data.total_size) + ' uncompressed';
+			if (data.truncated) {
+				text += ' (showing first ' + data.files.length + ')';
+			}
+			summary.textContent = text;
+		})
+		.catch(function(err) {
+			browseSetMessage(tbody, 'Error: ' + err.message, 'text-danger');
+		});
+	});
+
+	document.addEventListener('click', function(e) {
+		if (e.target.id === 'mb-browse-modal' || e.target.classList.contains('mb-browse-close')) {
+			document.getElementById('mb-browse-modal').style.display = 'none';
+		}
+	});
 })();
 </script>

@@ -443,6 +641,18 @@ $listDirn  = $this->escape($this->state->get('list.direction'));
 	</div>
 </div>

+<!-- Restore Progress Modal -->
+<div id="mb-restore-progress-modal" style="display:none; position:fixed; top:0; left:0; width:100%; height:100%; background:rgba(0,0,0,0.6); z-index:10000;">
+	<div style="max-width:500px; margin:10% auto; background:#fff; border-radius:8px; padding:2rem; box-shadow:0 4px 20px rgba(0,0,0,0.3);">
+		<h3 id="mb-restore-title" style="margin:0 0 1rem;">Restore in Progress</h3>
+		<div style="background:#e9ecef; border-radius:4px; overflow:hidden; height:24px; margin-bottom:0.5rem;">
+			<div id="mb-restore-progress-bar" style="height:100%; background:#dc3545; transition:width 0.3s; width:0%; display:flex; align-items:center; justify-content:center; color:#fff; font-size:0.8rem; font-weight:bold;">0%</div>
+		</div>
+		<p id="mb-restore-status" style="color:#666; font-size:0.9rem; margin:0.5rem 0;">Initializing...</p>
+		<p id="mb-restore-phase" style="color:#999; font-size:0.8rem; margin:0;">Phase: init</p>
+	</div>
+</div>
+
 <!-- Log Viewer Modal -->
 <div id="mb-log-modal" style="display:none; position:fixed; top:0; left:0; width:100%; height:100%; background:rgba(0,0,0,0.6); z-index:10000;">
 	<div style="max-width:700px; margin:5% auto; background:#fff; border-radius:8px; box-shadow:0 4px 20px rgba(0,0,0,0.3); display:flex; flex-direction:column; max-height:80vh;">
@@ -455,3 +665,351 @@ $listDirn  = $this->escape($this->state->get('list.direction'));
 		</div>
 	</div>
 </div>
+
+<!-- Archive Browser Modal -->
+<div id="mb-browse-modal" style="display:none; position:fixed; top:0; left:0; width:100%; height:100%; background:rgba(0,0,0,0.6); z-index:10000;">
+	<div style="max-width:800px; margin:5% auto; background:#fff; border-radius:8px; box-shadow:0 4px 20px rgba(0,0,0,0.3); display:flex; flex-direction:column; max-height:80vh;">
+		<div style="display:flex; justify-content:space-between; align-items:center; padding:1rem 1.5rem; border-bottom:1px solid #dee2e6;">
+			<h4 style="margin:0;">
+				<span class="icon-folder-open" aria-hidden="true"></span>
+				<?php echo Text::_('COM_MOKOJOOMBACKUP_BROWSE_ARCHIVE'); ?>
+			</h4>
+			<button type="button" class="btn-close mb-browse-close" aria-label="Close"></button>
+		</div>
+		<div style="padding:0.75rem 1.5rem; border-bottom:1px solid #dee2e6; background:#f8f9fa;">
+			<small id="mb-browse-summary" class="text-muted"></small>
+		</div>
+		<div style="padding:0; overflow-y:auto; flex:1;">
+			<table class="table table-sm table-striped mb-0">
+				<thead>
+					<tr>
+						<th><?php echo Text::_('COM_MOKOJOOMBACKUP_BROWSE_COL_NAME'); ?></th>
+						<th class="text-end" style="width:100px;"><?php echo Text::_('COM_MOKOJOOMBACKUP_BROWSE_COL_SIZE'); ?></th>
+						<th class="text-end" style="width:120px;"><?php echo Text::_('COM_MOKOJOOMBACKUP_BROWSE_COL_COMPRESSED'); ?></th>
+					</tr>
+				</thead>
+				<tbody id="mb-browse-tbody">
+				</tbody>
+			</table>
+		</div>
+	</div>
+</div>
+
+<!-- Purge Backups Modal -->
+<?php $canDelete = $user->authorise('core.delete', 'com_mokosuitebackup'); ?>
+<?php if ($canDelete) : ?>
+<div id="mb-purge-modal" style="display:none; position:fixed; top:0; left:0; width:100%; height:100%; background:rgba(0,0,0,0.6); z-index:10000;">
+	<div style="max-width:500px; margin:8% auto; background:#fff; border-radius:8px; box-shadow:0 4px 20px rgba(0,0,0,0.3);">
+		<div style="display:flex; justify-content:space-between; align-items:center; padding:1rem 1.5rem; border-bottom:1px solid #dee2e6;">
+			<h4 style="margin:0;">
+				<span class="icon-trash" aria-hidden="true"></span>
+				<?php echo Text::_('COM_MOKOJOOMBACKUP_PURGE_TITLE'); ?>
+			</h4>
+			<button type="button" class="btn-close mb-purge-close" aria-label="Close"></button>
+		</div>
+		<form action="<?php echo Route::_('index.php?option=com_mokosuitebackup&task=backups.purge'); ?>" method="post" id="mb-purge-form">
+			<div style="padding:1.5rem;">
+				<p><?php echo Text::_('COM_MOKOJOOMBACKUP_PURGE_DESC'); ?></p>
+				<div class="mb-3">
+					<label for="mb-purge-date" class="form-label fw-bold"><?php echo Text::_('COM_MOKOJOOMBACKUP_PURGE_DATE_LABEL'); ?></label>
+					<input type="date" class="form-control" id="mb-purge-date" name="purge_date" required>
+				</div>
+				<div id="mb-purge-count-wrapper" style="display:none;">
+					<div class="alert alert-danger mb-0" id="mb-purge-count-msg"></div>
+				</div>
+				<div id="mb-purge-none-wrapper" style="display:none;">
+					<div class="alert alert-info mb-0"><?php echo Text::_('COM_MOKOJOOMBACKUP_PURGE_NONE_FOUND'); ?></div>
+				</div>
+			</div>
+			<div style="padding:0 1.5rem 1.5rem; text-align:right;">
+				<button type="button" class="btn btn-secondary mb-purge-close"><?php echo Text::_('JCANCEL'); ?></button>
+				<button type="submit" class="btn btn-danger" id="mb-purge-submit" disabled>
+					<span class="icon-trash" aria-hidden="true"></span>
+					<?php echo Text::_('COM_MOKOJOOMBACKUP_PURGE_SUBMIT'); ?>
+				</button>
+			</div>
+			<?php echo HTMLHelper::_('form.token'); ?>
+		</form>
+	</div>
+</div>
+<?php endif; ?>
+
+<!-- Backup Comparison Modal -->
+<div id="mb-compare-modal" style="display:none; position:fixed; top:0; left:0; width:100%; height:100%; background:rgba(0,0,0,0.6); z-index:10000;">
+	<div style="max-width:800px; margin:5% auto; background:#fff; border-radius:8px; box-shadow:0 4px 20px rgba(0,0,0,0.3); display:flex; flex-direction:column; max-height:85vh;">
+		<div style="display:flex; justify-content:space-between; align-items:center; padding:1rem 1.5rem; border-bottom:1px solid #dee2e6;">
+			<h4 style="margin:0;">
+				<span class="icon-copy" aria-hidden="true"></span>
+				<?php echo Text::_('COM_MOKOJOOMBACKUP_COMPARE_TITLE'); ?>
+			</h4>
+			<button type="button" class="btn-close mb-compare-close" aria-label="Close"></button>
+		</div>
+		<div style="padding:1rem 1.5rem; overflow-y:auto; flex:1;">
+			<div id="mb-compare-loading" style="text-align:center; padding:2rem;">
+				<span class="icon-spinner icon-spin" aria-hidden="true"></span>
+				<?php echo Text::_('COM_MOKOJOOMBACKUP_COMPARE_LOADING'); ?>
+			</div>
+			<div id="mb-compare-error" style="display:none;" class="alert alert-danger"></div>
+			<table id="mb-compare-table" class="table table-striped" style="display:none;">
+				<thead>
+					<tr>
+						<th><?php echo Text::_('COM_MOKOJOOMBACKUP_COMPARE_FIELD'); ?></th>
+						<th><?php echo Text::_('COM_MOKOJOOMBACKUP_COMPARE_BACKUP'); ?> 1</th>
+						<th><?php echo Text::_('COM_MOKOJOOMBACKUP_COMPARE_BACKUP'); ?> 2</th>
+						<th><?php echo Text::_('COM_MOKOJOOMBACKUP_COMPARE_DELTA'); ?></th>
+					</tr>
+				</thead>
+				<tbody id="mb-compare-body"></tbody>
+			</table>
+		</div>
+	</div>
+</div>
+
+<script>
+(function() {
+	var COMPARE_AJAX_URL = <?php echo json_encode($ajaxUrl); ?>;
+	var COMPARE_TOKEN = <?php echo json_encode($ajaxToken); ?>;
+
+	function mbCmpFormatBytes(bytes) {
+		if (bytes === 0) return '0 B';
+		var units = ['B', 'KB', 'MB', 'GB'];
+		var i = Math.floor(Math.log(Math.abs(bytes)) / Math.log(1024));
+		if (i >= units.length) i = units.length - 1;
+		return (bytes / Math.pow(1024, i)).toFixed(2) + ' ' + units[i];
+	}
+
+	function mbCmpFormatDuration(seconds) {
+		if (seconds <= 0) return '0s';
+		var m = Math.floor(seconds / 60);
+		var s = seconds % 60;
+		return m > 0 ? m + 'm ' + s + 's' : s + 's';
+	}
+
+	function mbCmpDeltaCell(value, unit) {
+		if (value === 0) return '<span class="text-muted">&mdash;</span>';
+		var isPositive = value > 0;
+		var colorClass = isPositive ? 'text-danger' : 'text-success';
+		var display;
+		if (unit === 'bytes') {
+			display = (isPositive ? '+' : '') + mbCmpFormatBytes(value);
+		} else if (unit === 'duration') {
+			display = (isPositive ? '+' : '-') + mbCmpFormatDuration(Math.abs(value));
+		} else {
+			display = (isPositive ? '+' : '') + value.toLocaleString();
+		}
+		return '<span class="fw-bold ' + colorClass + '">' + display + '</span>';
+	}
+
+	function mbShowCompareModal(id1, id2) {
+		var modal = document.getElementById('mb-compare-modal');
+		var loading = document.getElementById('mb-compare-loading');
+		var errorEl = document.getElementById('mb-compare-error');
+		var table = document.getElementById('mb-compare-table');
+		var body = document.getElementById('mb-compare-body');
+
+		modal.style.display = 'block';
+		loading.style.display = 'block';
+		errorEl.style.display = 'none';
+		table.style.display = 'none';
+		body.innerHTML = '';
+
+		var form = new URLSearchParams();
+		form.append('task', 'ajax.compareBackups');
+		form.append('id1', id1);
+		form.append('id2', id2);
+		form.append(COMPARE_TOKEN, '1');
+
+		fetch(COMPARE_AJAX_URL, {
+			method: 'POST',
+			body: form,
+			headers: { 'X-Requested-With': 'XMLHttpRequest' }
+		})
+		.then(function(r) { return r.json(); })
+		.then(function(data) {
+			loading.style.display = 'none';
+
+			if (data.error) {
+				errorEl.textContent = data.message || 'Error loading comparison';
+				errorEl.style.display = 'block';
+				return;
+			}
+
+			var b1 = data.backup1;
+			var b2 = data.backup2;
+			var d = data.delta;
+
+			var dur1 = 0, dur2 = 0;
+			if (b1.backupstart !== '0000-00-00 00:00:00' && b1.backupend !== '0000-00-00 00:00:00') {
+				dur1 = (new Date(b1.backupend).getTime() - new Date(b1.backupstart).getTime()) / 1000;
+			}
+			if (b2.backupstart !== '0000-00-00 00:00:00' && b2.backupend !== '0000-00-00 00:00:00') {
+				dur2 = (new Date(b2.backupend).getTime() - new Date(b2.backupstart).getTime()) / 1000;
+			}
+
+			var rows = [
+				['<?php echo Text::_('JGRID_HEADING_ID', true); ?>', '#' + b1.id, '#' + b2.id, ''],
+				['<?php echo Text::_('COM_MOKOJOOMBACKUP_HEADING_DESCRIPTION', true); ?>', b1.description || '&mdash;', b2.description || '&mdash;', ''],
+				['<?php echo Text::_('COM_MOKOJOOMBACKUP_HEADING_PROFILE', true); ?>', b1.profile_title || '&mdash;', b2.profile_title || '&mdash;', ''],
+				['<?php echo Text::_('COM_MOKOJOOMBACKUP_HEADING_STATUS', true); ?>', b1.status, b2.status, ''],
+				['<?php echo Text::_('COM_MOKOJOOMBACKUP_HEADING_TYPE', true); ?>', b1.backup_type, b2.backup_type, ''],
+				['<?php echo Text::_('COM_MOKOJOOMBACKUP_HEADING_SIZE', true); ?>', mbCmpFormatBytes(b1.total_size), mbCmpFormatBytes(b2.total_size), mbCmpDeltaCell(d.size_diff, 'bytes')],
+				['<?php echo Text::_('COM_MOKOJOOMBACKUP_COMPARE_DB_SIZE', true); ?>', mbCmpFormatBytes(b1.db_size), mbCmpFormatBytes(b2.db_size), mbCmpDeltaCell(b2.db_size - b1.db_size, 'bytes')],
+				['<?php echo Text::_('COM_MOKOJOOMBACKUP_COMPARE_FILES_COUNT', true); ?>', b1.files_count.toLocaleString(), b2.files_count.toLocaleString(), mbCmpDeltaCell(d.files_diff, 'number')],
+				['<?php echo Text::_('COM_MOKOJOOMBACKUP_COMPARE_TABLES_COUNT', true); ?>', b1.tables_count.toLocaleString(), b2.tables_count.toLocaleString(), mbCmpDeltaCell(d.tables_diff, 'number')],
+				['<?php echo Text::_('COM_MOKOJOOMBACKUP_HEADING_DATE', true); ?>', b1.backupstart, b2.backupstart, ''],
+				['<?php echo Text::_('COM_MOKOJOOMBACKUP_COMPARE_DURATION', true); ?>', mbCmpFormatDuration(dur1), mbCmpFormatDuration(dur2), mbCmpDeltaCell(d.duration_diff_seconds, 'duration')],
+			];
+
+			var html = '';
+			for (var i = 0; i < rows.length; i++) {
+				html += '<tr><td class="fw-bold">' + rows[i][0] + '</td><td>' + rows[i][1] + '</td><td>' + rows[i][2] + '</td><td>' + rows[i][3] + '</td></tr>';
+			}
+			body.innerHTML = html;
+			table.style.display = 'table';
+		})
+		.catch(function(err) {
+			loading.style.display = 'none';
+			errorEl.textContent = 'Error: ' + err.message;
+			errorEl.style.display = 'block';
+		});
+	}
+
+	// Close compare modal
+	document.addEventListener('click', function(e) {
+		if (e.target.id === 'mb-compare-modal' || e.target.classList.contains('mb-compare-close')) {
+			document.getElementById('mb-compare-modal').style.display = 'none';
+		}
+	});
+
+	// Intercept Compare toolbar button
+	document.addEventListener('DOMContentLoaded', function() {
+		var compareBtn = document.querySelector('[onclick*="backups.compare"], .button-copy');
+		if (compareBtn) {
+			compareBtn.addEventListener('click', function(e) {
+				e.preventDefault();
+				e.stopPropagation();
+
+				var checked = document.querySelectorAll('input[name="cid[]"]:checked');
+				if (checked.length !== 2) {
+					alert('<?php echo Text::_('COM_MOKOJOOMBACKUP_COMPARE_SELECT_TWO', true); ?>');
+					return false;
+				}
+
+				mbShowCompareModal(checked[0].value, checked[1].value);
+				return false;
+			}, true);
+		}
+	});
+})();
+</script>
+
+<?php if ($canDelete) : ?>
+<script>
+(function() {
+	var PURGE_AJAX_URL = <?php echo json_encode($ajaxUrl); ?>;
+	var PURGE_TOKEN = <?php echo json_encode($ajaxToken); ?>;
+	var purgeCountTimer = null;
+
+	// Intercept Purge toolbar button to show the modal
+	document.addEventListener('DOMContentLoaded', function() {
+		var purgeBtn = document.querySelector('[onclick*="backups.purgeModal"], .button-trash');
+		if (purgeBtn) {
+			purgeBtn.addEventListener('click', function(e) {
+				e.preventDefault();
+				e.stopPropagation();
+				// Reset modal state
+				document.getElementById('mb-purge-date').value = '';
+				document.getElementById('mb-purge-count-wrapper').style.display = 'none';
+				document.getElementById('mb-purge-none-wrapper').style.display = 'none';
+				document.getElementById('mb-purge-submit').disabled = true;
+				document.getElementById('mb-purge-modal').style.display = 'block';
+				return false;
+			}, true);
+		}
+
+		// Date change triggers count lookup with debounce
+		var dateInput = document.getElementById('mb-purge-date');
+		if (dateInput) {
+			dateInput.addEventListener('change', function() {
+				if (purgeCountTimer) clearTimeout(purgeCountTimer);
+				purgeCountTimer = setTimeout(fetchPurgeCount, 300);
+			});
+		}
+
+		// Close modal
+		document.addEventListener('click', function(e) {
+			if (e.target.id === 'mb-purge-modal' || e.target.classList.contains('mb-purge-close')) {
+				document.getElementById('mb-purge-modal').style.display = 'none';
+			}
+		});
+
+		// Confirm on submit
+		var purgeForm = document.getElementById('mb-purge-form');
+		if (purgeForm) {
+			purgeForm.addEventListener('submit', function(e) {
+				var msg = document.getElementById('mb-purge-count-msg').textContent;
+				if (!confirm(msg + '\n\n<?php echo Text::_('COM_MOKOJOOMBACKUP_PURGE_CONFIRM', true); ?>')) {
+					e.preventDefault();
+				}
+			});
+		}
+	});
+
+	function fetchPurgeCount() {
+		var dateVal = document.getElementById('mb-purge-date').value;
+		var countWrapper = document.getElementById('mb-purge-count-wrapper');
+		var noneWrapper = document.getElementById('mb-purge-none-wrapper');
+		var countMsg = document.getElementById('mb-purge-count-msg');
+		var submitBtn = document.getElementById('mb-purge-submit');
+
+		if (!dateVal) {
+			countWrapper.style.display = 'none';
+			noneWrapper.style.display = 'none';
+			submitBtn.disabled = true;
+			return;
+		}
+
+		countMsg.textContent = '<?php echo Text::_('COM_MOKOJOOMBACKUP_LOADING', true); ?>';
+		countWrapper.style.display = 'block';
+		noneWrapper.style.display = 'none';
+		submitBtn.disabled = true;
+
+		var form = new URLSearchParams();
+		form.append('task', 'ajax.countPurge');
+		form.append('date', dateVal);
+		form.append(PURGE_TOKEN, '1');
+
+		fetch(PURGE_AJAX_URL, {
+			method: 'POST',
+			body: form,
+			headers: { 'X-Requested-With': 'XMLHttpRequest' }
+		})
+		.then(function(r) { return r.json(); })
+		.then(function(data) {
+			if (data.error) {
+				countMsg.textContent = data.message || 'Error';
+				countWrapper.style.display = 'block';
+				noneWrapper.style.display = 'none';
+				submitBtn.disabled = true;
+			} else if (data.count === 0) {
+				countWrapper.style.display = 'none';
+				noneWrapper.style.display = 'block';
+				submitBtn.disabled = true;
+			} else {
+				var text = '<?php echo Text::_('COM_MOKOJOOMBACKUP_PURGE_COUNT_MSG', true); ?>';
+				countMsg.textContent = text.replace('%d', data.count);
+				countWrapper.style.display = 'block';
+				noneWrapper.style.display = 'none';
+				submitBtn.disabled = false;
+			}
+		})
+		.catch(function(err) {
+			countMsg.textContent = 'Error: ' + err.message;
+			countWrapper.style.display = 'block';
+			noneWrapper.style.display = 'none';
+			submitBtn.disabled = true;
+		});
+	}
+})();
+</script>
+<?php endif; ?>
@@ -109,6 +109,122 @@ document.querySelectorAll('.mb-tile').forEach(function(tile) {
 });
 </script>

+<!-- Row 1b: Snapshot Widget -->
+<div class="row mb-3">
+	<div class="col-md-6">
+		<div class="card h-100">
+			<div class="card-header d-flex justify-content-between align-items-center">
+				<h5 class="card-title mb-0">
+					<span class="icon-camera" aria-hidden="true"></span>
+					<?php echo Text::_('COM_MOKOJOOMBACKUP_DASHBOARD_SNAPSHOTS'); ?>
+				</h5>
+				<a href="<?php echo Route::_('index.php?option=com_mokosuitebackup&view=snapshots'); ?>" class="btn btn-sm btn-outline-secondary">
+					<?php echo Text::_('COM_MOKOJOOMBACKUP_DASHBOARD_VIEW_ALL'); ?>
+				</a>
+			</div>
+			<div class="card-body">
+				<?php if ($this->latestSnapshot) : ?>
+					<?php $types = json_decode($this->latestSnapshot->content_types, true) ?: []; ?>
+					<p class="mb-1">
+						<strong><?php echo Text::_('COM_MOKOJOOMBACKUP_DASHBOARD_LATEST_SNAPSHOT'); ?>:</strong>
+						<?php echo $this->escape($this->latestSnapshot->description); ?>
+					</p>
+					<p class="mb-1 text-muted">
+						<?php echo HTMLHelper::_('date', $this->latestSnapshot->created, Text::_('DATE_FORMAT_LC4')); ?>
+						&mdash;
+						<?php foreach ($types as $type) : ?>
+							<span class="badge bg-secondary"><?php echo $this->escape($type); ?></span>
+						<?php endforeach; ?>
+					</p>
+					<p class="mb-0">
+						<small class="text-muted">
+							<?php echo (int) $this->latestSnapshot->articles_count; ?> articles,
+							<?php echo (int) $this->latestSnapshot->categories_count; ?> categories,
+							<?php echo (int) $this->latestSnapshot->modules_count; ?> modules
+							&mdash; <?php echo $this->snapshotCount; ?> total snapshots
+						</small>
+					</p>
+				<?php else : ?>
+					<p class="text-muted mb-0"><?php echo Text::_('COM_MOKOJOOMBACKUP_DASHBOARD_NO_SNAPSHOTS'); ?></p>
+				<?php endif; ?>
+			</div>
+		</div>
+	</div>
+
+	<!-- Storage Breakdown by Profile -->
+	<div class="col-md-6">
+		<div class="card h-100">
+			<div class="card-header">
+				<h5 class="card-title mb-0">
+					<span class="icon-folder-open" aria-hidden="true"></span>
+					<?php echo Text::_('COM_MOKOJOOMBACKUP_DASHBOARD_STORAGE_BREAKDOWN'); ?>
+				</h5>
+			</div>
+			<div class="card-body">
+				<?php if (!empty($this->storageByProfile)) : ?>
+					<?php
+					$maxSize = max(array_column($this->storageByProfile, 'total_size')) ?: 1;
+					$colors  = ['#0d6efd', '#198754', '#ffc107', '#dc3545', '#6f42c1', '#0dcaf0'];
+					?>
+					<?php foreach ($this->storageByProfile as $i => $profile) : ?>
+						<?php $pct = round(($profile->total_size / $maxSize) * 100); ?>
+						<div class="mb-2">
+							<div class="d-flex justify-content-between small">
+								<span><?php echo $this->escape($profile->profile_title ?: 'Unknown'); ?> (<?php echo (int) $profile->backup_count; ?>)</span>
+								<span><?php echo HTMLHelper::_('number.bytes', $profile->total_size); ?></span>
+							</div>
+							<div style="background:#e9ecef; border-radius:3px; height:8px; overflow:hidden;">
+								<div style="width:<?php echo $pct; ?>%; height:100%; background:<?php echo $colors[$i % count($colors)]; ?>; border-radius:3px;"></div>
+							</div>
+						</div>
+					<?php endforeach; ?>
+				<?php else : ?>
+					<p class="text-muted mb-0"><?php echo Text::_('COM_MOKOJOOMBACKUP_DASHBOARD_NO_BACKUPS'); ?></p>
+				<?php endif; ?>
+			</div>
+		</div>
+	</div>
+</div>
+
+<!-- Backup Trend (30 days) -->
+<?php if (!empty($this->backupTrend)) : ?>
+<div class="row mb-3">
+	<div class="col-12">
+		<div class="card">
+			<div class="card-header">
+				<h5 class="card-title mb-0">
+					<span class="icon-chart" aria-hidden="true"></span>
+					<?php echo Text::_('COM_MOKOJOOMBACKUP_DASHBOARD_BACKUP_TREND'); ?>
+				</h5>
+			</div>
+			<div class="card-body">
+				<?php
+				$maxDaySize = max(array_column($this->backupTrend, 'day_size')) ?: 1;
+				?>
+				<div style="display:flex; align-items:flex-end; gap:2px; height:120px; overflow-x:auto;">
+					<?php foreach ($this->backupTrend as $day) : ?>
+						<?php
+						$barHeight = max(4, round(($day->day_size / $maxDaySize) * 100));
+						$barColor  = $day->fail_count > 0 ? '#dc3545' : '#198754';
+						$tooltip   = date('M j', strtotime($day->backup_date))
+							. ' — ' . $day->day_count . ' backup(s), '
+							. number_format($day->day_size / 1048576, 1) . ' MB'
+							. ($day->fail_count > 0 ? ', ' . $day->fail_count . ' failed' : '');
+						?>
+						<div style="flex:1; min-width:8px; max-width:24px; height:<?php echo $barHeight; ?>%; background:<?php echo $barColor; ?>; border-radius:2px 2px 0 0; cursor:default;"
+							 title="<?php echo htmlspecialchars($tooltip); ?>"></div>
+					<?php endforeach; ?>
+				</div>
+				<div class="d-flex justify-content-between mt-1">
+					<small class="text-muted"><?php echo date('M j', strtotime('-30 days')); ?></small>
+					<small class="text-muted"><?php echo date('M j'); ?></small>
+				</div>
+			</div>
+		</div>
+	</div>
+</div>
+<?php endif; ?>
+
 <!-- Row 2: Quick Actions -->
 <div class="row mb-3">
 	<div class="col-md-6">
@@ -189,6 +305,10 @@ document.querySelectorAll('.mb-tile').forEach(function(tile) {
 <div id="mokosuitebackup-modal" style="display:none; position:fixed; top:0; left:0; width:100%; height:100%; background:rgba(0,0,0,0.6); z-index:10000;">
 	<div style="max-width:500px; margin:10% auto; background:#fff; border-radius:8px; padding:2rem; box-shadow:0 4px 20px rgba(0,0,0,0.3);">
 		<h3 id="mb-modal-title" style="margin:0 0 1rem;">Backup in Progress</h3>
+		<div class="alert alert-warning py-1 px-2 mb-2" style="font-size:0.85rem;">
+			<span class="icon-warning-circle" aria-hidden="true"></span>
+			<strong>Do not navigate away or close this window</strong> while the backup is running.
+		</div>
 		<div style="background:#e9ecef; border-radius:4px; overflow:hidden; height:24px; margin-bottom:0.5rem;">
 			<div id="mb-progress-bar" style="height:100%; background:#0d6efd; transition:width 0.3s; width:0%; display:flex; align-items:center; justify-content:center; color:#fff; font-size:0.8rem; font-weight:bold;">0%</div>
 		</div>
@@ -14,6 +14,7 @@ use Joomla\CMS\HTML\HTMLHelper;
 use Joomla\CMS\Language\Text;
 use Joomla\CMS\Layout\LayoutHelper;
 use Joomla\CMS\Router\Route;
+use Joomla\CMS\Session\Session;

 HTMLHelper::_('behavior.multiselect');

@@ -45,9 +46,15 @@ $listDirn  = $this->escape($this->state->get('list.direction'));
 								<th scope="col" class="w-10">
 									<?php echo HTMLHelper::_('searchtools.sort', 'COM_MOKOJOOMBACKUP_HEADING_TYPE', 'a.backup_type', $listDirn, $listOrder); ?>
 								</th>
+								<th scope="col" class="w-5 text-center">
+									<?php echo Text::_('COM_MOKOJOOMBACKUP_HEADING_BACKUPS'); ?>
+								</th>
 								<th scope="col" class="w-10">
 									<?php echo HTMLHelper::_('searchtools.sort', 'JSTATUS', 'a.published', $listDirn, $listOrder); ?>
 								</th>
+								<th scope="col" class="w-10 text-center">
+									<?php echo Text::_('COM_MOKOJOOMBACKUP_HEADING_ACTIONS'); ?>
+								</th>
 								<th scope="col" class="w-5">
 									<?php echo HTMLHelper::_('searchtools.sort', 'JGRID_HEADING_ID', 'a.id', $listDirn, $listOrder); ?>
 								</th>
@@ -70,9 +77,26 @@ $listDirn  = $this->escape($this->state->get('list.direction'));
 								<td>
 									<?php echo $this->escape($item->backup_type); ?>
 								</td>
+								<td class="text-center">
+									<a href="<?php echo Route::_('index.php?option=com_mokosuitebackup&view=backups&filter[PROFILE_ID]=' . $item->id); ?>">
+										<span class="badge bg-<?php echo ($item->backup_count > 0) ? 'info' : 'secondary'; ?>">
+											<?php echo (int) $item->backup_count; ?>
+										</span>
+									</a>
+								</td>
 								<td>
 									<?php echo HTMLHelper::_('jgrid.published', $item->published, $i, 'profiles.'); ?>
 								</td>
+								<td class="text-center">
+									<?php if ($item->published == 1) : ?>
+										<a href="<?php echo Route::_('index.php?option=com_mokosuitebackup&view=backups&task=backups.start&profile_id=' . $item->id . '&' . Session::getFormToken() . '=1'); ?>"
+										   class="btn btn-sm btn-outline-success"
+										   title="<?php echo Text::_('COM_MOKOJOOMBACKUP_RUN_BACKUP'); ?>">
+											<span class="icon-play" aria-hidden="true"></span>
+											<?php echo Text::_('COM_MOKOJOOMBACKUP_RUN_BACKUP'); ?>
+										</a>
+									<?php endif; ?>
+								</td>
 								<td>
 									<?php echo (int) $item->id; ?>
 								</td>
@@ -99,6 +99,12 @@ $listDirn  = $this->escape($this->state->get('list.direction'));
 								</td>
 								<td>
 									<?php if ($item->status === 'complete' && $canManage) : ?>
+										<button type="button" class="btn btn-sm btn-outline-primary mb-snapshot-browse"
+												data-id="<?php echo (int) $item->id; ?>"
+												data-desc="<?php echo $this->escape($item->description); ?>"
+												title="<?php echo Text::_('COM_MOKOJOOMBACKUP_SNAPSHOT_BROWSE'); ?>">
+											<span class="icon-search"></span>
+										</button>
 										<button type="button" class="btn btn-sm btn-outline-success mb-snapshot-restore"
 												data-id="<?php echo (int) $item->id; ?>"
 												data-types="<?php echo $this->escape($item->content_types); ?>"
@@ -227,6 +233,116 @@ $listDirn  = $this->escape($this->state->get('list.direction'));
 	</div>
 </div>

+<!-- Browse Snapshot Detail Modal -->
+<div id="mb-snapshot-browse-modal" style="display:none; position:fixed; top:0; left:0; width:100%; height:100%; background:rgba(0,0,0,0.6); z-index:10000;">
+	<div style="max-width:800px; margin:5% auto; background:#fff; border-radius:8px; box-shadow:0 4px 20px rgba(0,0,0,0.3); max-height:80vh; display:flex; flex-direction:column;">
+		<div style="display:flex; justify-content:space-between; align-items:center; padding:1rem 1.5rem; border-bottom:1px solid #dee2e6;">
+			<h4 style="margin:0;" id="mb-browse-title"><?php echo Text::_('COM_MOKOJOOMBACKUP_SNAPSHOT_BROWSE'); ?></h4>
+			<button type="button" class="btn-close mb-modal-close" aria-label="Close"></button>
+		</div>
+		<form action="<?php echo Route::_('index.php?option=com_mokosuitebackup&task=snapshots.restoreSelected'); ?>" method="post" id="mb-snapshot-browse-form">
+			<input type="hidden" name="id" id="mb-browse-id" value="">
+			<div style="padding:1rem 1.5rem; overflow-y:auto; flex:1;">
+				<div id="mb-browse-loading" class="text-center py-4">
+					<span class="spinner-border spinner-border-sm" role="status"></span>
+					<?php echo Text::_('COM_MOKOJOOMBACKUP_LOADING'); ?>
+				</div>
+				<div id="mb-browse-error" class="alert alert-danger" style="display:none;"></div>
+				<div id="mb-browse-content" style="display:none;">
+
+					<!-- Bootstrap tabs -->
+					<ul class="nav nav-tabs" id="mb-browse-tabs" role="tablist">
+						<li class="nav-item" role="presentation">
+							<button class="nav-link active" id="mb-tab-articles-btn" data-bs-toggle="tab" data-bs-target="#mb-tab-articles" type="button" role="tab" aria-controls="mb-tab-articles" aria-selected="true">
+								<?php echo Text::_('COM_MOKOJOOMBACKUP_SNAPSHOT_TAB_ARTICLES'); ?>
+								<span class="badge bg-secondary ms-1" id="mb-tab-articles-count">0</span>
+							</button>
+						</li>
+						<li class="nav-item" role="presentation">
+							<button class="nav-link" id="mb-tab-categories-btn" data-bs-toggle="tab" data-bs-target="#mb-tab-categories" type="button" role="tab" aria-controls="mb-tab-categories" aria-selected="false">
+								<?php echo Text::_('COM_MOKOJOOMBACKUP_SNAPSHOT_TAB_CATEGORIES'); ?>
+								<span class="badge bg-secondary ms-1" id="mb-tab-categories-count">0</span>
+							</button>
+						</li>
+						<li class="nav-item" role="presentation">
+							<button class="nav-link" id="mb-tab-modules-btn" data-bs-toggle="tab" data-bs-target="#mb-tab-modules" type="button" role="tab" aria-controls="mb-tab-modules" aria-selected="false">
+								<?php echo Text::_('COM_MOKOJOOMBACKUP_SNAPSHOT_TAB_MODULES'); ?>
+								<span class="badge bg-secondary ms-1" id="mb-tab-modules-count">0</span>
+							</button>
+						</li>
+					</ul>
+					<div class="tab-content pt-3" id="mb-browse-tabs-content">
+
+						<!-- Articles tab -->
+						<div class="tab-pane fade show active" id="mb-tab-articles" role="tabpanel" aria-labelledby="mb-tab-articles-btn">
+							<div class="mb-2">
+								<label class="form-check form-check-inline">
+									<input type="checkbox" class="form-check-input" id="mb-browse-select-all">
+									<span class="form-check-label fw-bold"><?php echo Text::_('COM_MOKOJOOMBACKUP_SELECT_ALL'); ?></span>
+								</label>
+								<span class="text-muted ms-2" id="mb-browse-count"></span>
+							</div>
+							<table class="table table-sm table-striped" id="mb-browse-table">
+								<thead>
+									<tr>
+										<th class="w-1"></th>
+										<th>ID</th>
+										<th><?php echo Text::_('COM_MOKOJOOMBACKUP_HEADING_TITLE'); ?></th>
+										<th><?php echo Text::_('COM_MOKOJOOMBACKUP_HEADING_STATE'); ?></th>
+										<th><?php echo Text::_('COM_MOKOJOOMBACKUP_HEADING_DATE'); ?></th>
+									</tr>
+								</thead>
+								<tbody id="mb-browse-tbody"></tbody>
+							</table>
+						</div>
+
+						<!-- Categories tab -->
+						<div class="tab-pane fade" id="mb-tab-categories" role="tabpanel" aria-labelledby="mb-tab-categories-btn">
+							<table class="table table-sm table-striped" id="mb-browse-categories-table">
+								<thead>
+									<tr>
+										<th>ID</th>
+										<th><?php echo Text::_('COM_MOKOJOOMBACKUP_HEADING_TITLE'); ?></th>
+										<th><?php echo Text::_('COM_MOKOJOOMBACKUP_HEADING_TYPE'); ?></th>
+										<th><?php echo Text::_('COM_MOKOJOOMBACKUP_HEADING_STATE'); ?></th>
+										<th><?php echo Text::_('COM_MOKOJOOMBACKUP_HEADING_LEVEL'); ?></th>
+									</tr>
+								</thead>
+								<tbody id="mb-browse-categories-tbody"></tbody>
+							</table>
+						</div>
+
+						<!-- Modules tab -->
+						<div class="tab-pane fade" id="mb-tab-modules" role="tabpanel" aria-labelledby="mb-tab-modules-btn">
+							<table class="table table-sm table-striped" id="mb-browse-modules-table">
+								<thead>
+									<tr>
+										<th>ID</th>
+										<th><?php echo Text::_('COM_MOKOJOOMBACKUP_HEADING_TITLE'); ?></th>
+										<th><?php echo Text::_('COM_MOKOJOOMBACKUP_HEADING_MODULE_TYPE'); ?></th>
+										<th><?php echo Text::_('COM_MOKOJOOMBACKUP_HEADING_POSITION'); ?></th>
+										<th><?php echo Text::_('COM_MOKOJOOMBACKUP_HEADING_STATE'); ?></th>
+									</tr>
+								</thead>
+								<tbody id="mb-browse-modules-tbody"></tbody>
+							</table>
+						</div>
+
+					</div>
+				</div>
+			</div>
+			<div style="padding:0.75rem 1.5rem; border-top:1px solid #dee2e6; text-align:right;">
+				<button type="button" class="btn btn-secondary mb-modal-close"><?php echo Text::_('JCANCEL'); ?></button>
+				<button type="submit" class="btn btn-success" id="mb-browse-restore-btn" disabled>
+					<span class="icon-upload" aria-hidden="true"></span>
+					<?php echo Text::_('COM_MOKOJOOMBACKUP_SNAPSHOT_RESTORE_SELECTED'); ?>
+				</button>
+			</div>
+			<?php echo HTMLHelper::_('form.token'); ?>
+		</form>
+	</div>
+</div>
+
 <script>
 (function() {
 	// Create Snapshot — intercept toolbar button
@@ -287,7 +403,7 @@ $listDirn  = $this->escape($this->state->get('list.direction'));
 			var label = document.createElement('label');
 			label.className = 'form-check-label';
 			label.setAttribute('for', 'mb-rtype-' + type);
-			label.textContent = typeLabels[type] || type;
+			label.textContent = typeLabels[TYPE] || type;

 			div.appendChild(input);
 			div.appendChild(label);
@@ -312,13 +428,204 @@ $listDirn  = $this->escape($this->state->get('list.direction'));
 		document.getElementById('mb-replace-warning').style.display = isReplace ? 'block' : 'none';
 	}

+	// Browse Snapshot — click handler
+	document.addEventListener('click', function(e) {
+		var btn = e.target.closest('.mb-snapshot-browse');
+		if (!btn) return;
+		e.preventDefault();
+
+		var id   = btn.getAttribute('data-id');
+		var desc = btn.getAttribute('data-desc');
+
+		document.getElementById('mb-browse-id').value = id;
+		document.getElementById('mb-browse-title').textContent = 'Browse: ' + desc;
+
+		// Reset modal state
+		document.getElementById('mb-browse-loading').style.display = 'block';
+		document.getElementById('mb-browse-error').style.display = 'none';
+		document.getElementById('mb-browse-content').style.display = 'none';
+		document.getElementById('mb-browse-restore-btn').disabled = true;
+		document.getElementById('mb-browse-select-all').checked = false;
+
+		// Reset to Articles tab
+		var firstTab = document.querySelector('#mb-tab-articles-btn');
+		if (firstTab && typeof bootstrap !== 'undefined') {
+			var tab = new bootstrap.Tab(firstTab);
+			tab.show();
+		}
+
+		document.getElementById('mb-snapshot-browse-modal').style.display = 'block';
+
+		// Fetch snapshot content via AJAX
+		var token = <?php echo json_encode(Session::getFormToken()); ?>;
+		var url = 'index.php?option=com_mokosuitebackup&task=ajax.browseSnapshot&id=' + encodeURIComponent(id) + '&' + token + '=1';
+
+		fetch(url, { method: 'POST', headers: { 'X-Requested-With': 'XMLHttpRequest' } })
+			.then(function(response) { return response.json(); })
+			.then(function(data) {
+				document.getElementById('mb-browse-loading').style.display = 'none';
+
+				if (data.error) {
+					document.getElementById('mb-browse-error').textContent = data.message;
+					document.getElementById('mb-browse-error').style.display = 'block';
+					return;
+				}
+
+				var stateLabels = { '1': 'Published', '0': 'Unpublished', '-1': 'Trashed', '-2': 'Archived' };
+				var stateBadges = { '1': 'bg-success', '0': 'bg-secondary', '-1': 'bg-danger', '-2': 'bg-info' };
+
+				// --- Articles ---
+				var tbody = document.getElementById('mb-browse-tbody');
+				while (tbody.firstChild) tbody.removeChild(tbody.firstChild);
+
+				(data.articles || []).forEach(function(article) {
+					var tr = document.createElement('tr');
+
+					var tdCheck = document.createElement('td');
+					var cb = document.createElement('input');
+					cb.type = 'checkbox';
+					cb.className = 'form-check-input mb-browse-article-cb';
+					cb.name = 'article_ids[]';
+					cb.value = article.id;
+					tdCheck.appendChild(cb);
+					tr.appendChild(tdCheck);
+
+					var tdId = document.createElement('td');
+					tdId.textContent = article.id;
+					tr.appendChild(tdId);
+
+					var tdTitle = document.createElement('td');
+					tdTitle.textContent = article.title;
+					tr.appendChild(tdTitle);
+
+					var tdState = document.createElement('td');
+					var badge = document.createElement('span');
+					badge.className = 'badge ' + (stateBadges[String(article.state)] || 'bg-secondary');
+					badge.textContent = stateLabels[String(article.state)] || 'Unknown';
+					tdState.appendChild(badge);
+					tr.appendChild(tdState);
+
+					var tdDate = document.createElement('td');
+					tdDate.textContent = article.created ? article.created.substring(0, 10) : '';
+					tr.appendChild(tdDate);
+
+					tbody.appendChild(tr);
+				});
+
+				document.getElementById('mb-browse-count').textContent = data.total_articles + ' article(s)';
+				document.getElementById('mb-tab-articles-count').textContent = data.total_articles;
+
+				// --- Categories ---
+				var catTbody = document.getElementById('mb-browse-categories-tbody');
+				while (catTbody.firstChild) catTbody.removeChild(catTbody.firstChild);
+
+				(data.categories || []).forEach(function(cat) {
+					var tr = document.createElement('tr');
+
+					var tdId = document.createElement('td');
+					tdId.textContent = cat.id;
+					tr.appendChild(tdId);
+
+					var tdTitle = document.createElement('td');
+					tdTitle.textContent = '\u2003'.repeat(Math.max(0, cat.level - 1)) + cat.title;
+					tr.appendChild(tdTitle);
+
+					var tdExt = document.createElement('td');
+					tdExt.textContent = cat.extension;
+					tr.appendChild(tdExt);
+
+					var tdState = document.createElement('td');
+					var badge = document.createElement('span');
+					badge.className = 'badge ' + (stateBadges[String(cat.published)] || 'bg-secondary');
+					badge.textContent = stateLabels[String(cat.published)] || 'Unknown';
+					tdState.appendChild(badge);
+					tr.appendChild(tdState);
+
+					var tdLevel = document.createElement('td');
+					tdLevel.textContent = cat.level;
+					tr.appendChild(tdLevel);
+
+					catTbody.appendChild(tr);
+				});
+
+				document.getElementById('mb-tab-categories-count').textContent = data.total_categories;
+
+				// --- Modules ---
+				var modTbody = document.getElementById('mb-browse-modules-tbody');
+				while (modTbody.firstChild) modTbody.removeChild(modTbody.firstChild);
+
+				(data.modules || []).forEach(function(mod) {
+					var tr = document.createElement('tr');
+
+					var tdId = document.createElement('td');
+					tdId.textContent = mod.id;
+					tr.appendChild(tdId);
+
+					var tdTitle = document.createElement('td');
+					tdTitle.textContent = mod.title;
+					tr.appendChild(tdTitle);
+
+					var tdType = document.createElement('td');
+					tdType.textContent = mod.module;
+					tr.appendChild(tdType);
+
+					var tdPos = document.createElement('td');
+					tdPos.textContent = mod.position;
+					tr.appendChild(tdPos);
+
+					var tdState = document.createElement('td');
+					var badge = document.createElement('span');
+					badge.className = 'badge ' + (stateBadges[String(mod.published)] || 'bg-secondary');
+					badge.textContent = stateLabels[String(mod.published)] || 'Unknown';
+					tdState.appendChild(badge);
+					tr.appendChild(tdState);
+
+					modTbody.appendChild(tr);
+				});
+
+				document.getElementById('mb-tab-modules-count').textContent = data.total_modules;
+
+				document.getElementById('mb-browse-content').style.display = 'block';
+			})
+			.catch(function(err) {
+				document.getElementById('mb-browse-loading').style.display = 'none';
+				document.getElementById('mb-browse-error').textContent = 'Failed to load snapshot content: ' + err.message;
+				document.getElementById('mb-browse-error').style.display = 'block';
+			});
+	});
+
+	// Browse — select all toggle
+	document.addEventListener('change', function(e) {
+		if (e.target.id === 'mb-browse-select-all') {
+			var checked = e.target.checked;
+			var checkboxes = document.querySelectorAll('.mb-browse-article-cb');
+			checkboxes.forEach(function(cb) { cb.checked = checked; });
+			updateBrowseRestoreBtn();
+		}
+
+		if (e.target.classList.contains('mb-browse-article-cb')) {
+			updateBrowseRestoreBtn();
+		}
+	});
+
+	function updateBrowseRestoreBtn() {
+		var checked = document.querySelectorAll('.mb-browse-article-cb:checked').length;
+		var btn = document.getElementById('mb-browse-restore-btn');
+		btn.disabled = checked === 0;
+		btn.textContent = checked > 0
+			? <?php echo json_encode(Text::_('COM_MOKOJOOMBACKUP_SNAPSHOT_RESTORE_SELECTED')); ?> + ' (' + checked + ')'
+			: <?php echo json_encode(Text::_('COM_MOKOJOOMBACKUP_SNAPSHOT_RESTORE_SELECTED')); ?>;
+	}
+
 	// Close modals
 	document.addEventListener('click', function(e) {
 		if (e.target.classList.contains('mb-modal-close') ||
 			e.target.id === 'mb-snapshot-create-modal' ||
-			e.target.id === 'mb-snapshot-restore-modal') {
+			e.target.id === 'mb-snapshot-restore-modal' ||
+			e.target.id === 'mb-snapshot-browse-modal') {
 			document.getElementById('mb-snapshot-create-modal').style.display = 'none';
 			document.getElementById('mb-snapshot-restore-modal').style.display = 'none';
+			document.getElementById('mb-snapshot-browse-modal').style.display = 'none';
 		}
 	});
 })();
@@ -0,0 +1,33 @@
+; MokoSuiteBackup — CPanel Module language file (en-GB)
+; @package     MokoSuiteBackup
+; @author      Moko Consulting <hello@mokoconsulting.tech>
+; @copyright   Copyright (C) 2026 Moko Consulting. All rights reserved.
+; @license     GPL-3.0-or-later
+
+MOD_MOKOSUITEBACKUP_CPANEL="MokoSuiteBackup CPanel"
+MOD_MOKOSUITEBACKUP_CPANEL_DESCRIPTION="Displays backup status, Backup Now buttons, and quick links on the admin dashboard."
+
+MOD_MOKOSUITEBACKUP_CPANEL_NOT_INSTALLED="MokoSuiteBackup is not installed or is disabled."
+
+MOD_MOKOSUITEBACKUP_CPANEL_LAST_BACKUP="Last Backup"
+MOD_MOKOSUITEBACKUP_CPANEL_STATUS_OK="Success"
+MOD_MOKOSUITEBACKUP_CPANEL_STATUS_FAIL="Failed"
+MOD_MOKOSUITEBACKUP_CPANEL_NO_BACKUPS="No backups yet."
+MOD_MOKOSUITEBACKUP_CPANEL_FILES_TABLES="%d files, %d tables"
+
+MOD_MOKOSUITEBACKUP_CPANEL_NEXT_SCHEDULED="Next Scheduled"
+MOD_MOKOSUITEBACKUP_CPANEL_TOTAL="total"
+MOD_MOKOSUITEBACKUP_CPANEL_STREAK="streak"
+MOD_MOKOSUITEBACKUP_CPANEL_FAILED_7D="failed (7d)"
+
+MOD_MOKOSUITEBACKUP_CPANEL_BACKUP_NOW="Backup Now"
+MOD_MOKOSUITEBACKUP_CPANEL_BACKUP_IN_PROGRESS="Backup in Progress"
+MOD_MOKOSUITEBACKUP_CPANEL_BACKUP_COMPLETE="Backup Complete"
+MOD_MOKOSUITEBACKUP_CPANEL_DO_NOT_CLOSE="Do not navigate away or close this window while the backup is running."
+
+MOD_MOKOSUITEBACKUP_CPANEL_LINK_BACKUPS="View Backups"
+MOD_MOKOSUITEBACKUP_CPANEL_LINK_SNAPSHOT="Create Snapshot"
+MOD_MOKOSUITEBACKUP_CPANEL_LINK_PROFILES="View Profiles"
+
+MOD_MOKOSUITEBACKUP_CPANEL_PARAM_SHOW_BUTTONS="Show Backup Now Buttons"
+MOD_MOKOSUITEBACKUP_CPANEL_PARAM_SHOW_SCHEDULE="Show Next Scheduled"
@@ -0,0 +1,8 @@
+; MokoSuiteBackup — CPanel Module system language file (en-GB)
+; @package     MokoSuiteBackup
+; @author      Moko Consulting <hello@mokoconsulting.tech>
+; @copyright   Copyright (C) 2026 Moko Consulting. All rights reserved.
+; @license     GPL-3.0-or-later
+
+MOD_MOKOSUITEBACKUP_CPANEL="MokoSuiteBackup CPanel"
+MOD_MOKOSUITEBACKUP_CPANEL_DESCRIPTION="Displays backup status, Backup Now buttons, and quick links on the admin dashboard."
@@ -0,0 +1,60 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ * @package     MokoSuiteBackup
+ * @subpackage  mod_mokosuitebackup_cpanel
+ * @author      Moko Consulting <hello@mokoconsulting.tech>
+ * @copyright   Copyright (C) 2026 Moko Consulting. All rights reserved.
+ * @license     GNU General Public License version 3 or later; see LICENSE
+ -->
+<extension type="module" client="administrator" method="upgrade">
+	<name>mod_mokosuitebackup_cpanel</name>
+	<version>01.40.00</version>
+	<creationDate>2026-06-23</creationDate>
+	<author>Moko Consulting</author>
+	<authorEmail>hello@mokoconsulting.tech</authorEmail>
+	<authorUrl>https://mokoconsulting.tech</authorUrl>
+	<copyright>Copyright (C) 2026 Moko Consulting. All rights reserved.</copyright>
+	<license>GPL-3.0-or-later</license>
+	<description>MOD_MOKOSUITEBACKUP_CPANEL_DESCRIPTION</description>
+
+	<namespace path="src">Joomla\Module\MokoSuiteBackupCpanel</namespace>
+
+	<files>
+		<folder>language</folder>
+		<folder>services</folder>
+		<folder>src</folder>
+		<folder>tmpl</folder>
+	</files>
+
+	<languages folder="language">
+		<language tag="en-GB">en-GB/mod_mokosuitebackup_cpanel.ini</language>
+		<language tag="en-GB">en-GB/mod_mokosuitebackup_cpanel.sys.ini</language>
+	</languages>
+
+	<config>
+		<fields name="params">
+			<fieldset name="basic">
+				<field
+					name="show_backup_buttons"
+					type="radio"
+					label="MOD_MOKOSUITEBACKUP_CPANEL_PARAM_SHOW_BUTTONS"
+					default="1"
+					class="btn-group btn-group-yesno"
+				>
+					<option value="1">JYES</option>
+					<option value="0">JNO</option>
+				</field>
+				<field
+					name="show_schedule"
+					type="radio"
+					label="MOD_MOKOSUITEBACKUP_CPANEL_PARAM_SHOW_SCHEDULE"
+					default="1"
+					class="btn-group btn-group-yesno"
+				>
+					<option value="1">JYES</option>
+					<option value="0">JNO</option>
+				</field>
+			</fieldset>
+		</fields>
+	</config>
+</extension>
@@ -0,0 +1,26 @@
+<?php
+
+/**
+ * @package     MokoSuiteBackup
+ * @subpackage  mod_mokosuitebackup_cpanel
+ * @author      Moko Consulting <hello@mokoconsulting.tech>
+ * @copyright   Copyright (C) 2026 Moko Consulting. All rights reserved.
+ * @license     GNU General Public License version 3 or later; see LICENSE
+ */
+
+defined('_JEXEC') or die;
+
+use Joomla\CMS\Extension\Service\Provider\HelperFactory;
+use Joomla\CMS\Extension\Service\Provider\Module;
+use Joomla\CMS\Extension\Service\Provider\ModuleDispatcherFactory;
+use Joomla\DI\Container;
+use Joomla\DI\ServiceProviderInterface;
+
+return new class () implements ServiceProviderInterface {
+	public function register(Container $container): void
+	{
+		$container->registerServiceProvider(new ModuleDispatcherFactory('\\Joomla\\Module\\MokoSuiteBackupCpanel'));
+		$container->registerServiceProvider(new HelperFactory('\\Joomla\\Module\\MokoSuiteBackupCpanel\\Administrator\\Helper'));
+		$container->registerServiceProvider(new Module());
+	}
+};
@@ -0,0 +1,72 @@
+<?php
+
+/**
+ * @package     MokoSuiteBackup
+ * @subpackage  mod_mokosuitebackup_cpanel
+ * @author      Moko Consulting <hello@mokoconsulting.tech>
+ * @copyright   Copyright (C) 2026 Moko Consulting. All rights reserved.
+ * @license     GNU General Public License version 3 or later; see LICENSE
+ */
+
+namespace Joomla\Module\MokoSuiteBackupCpanel\Administrator\Dispatcher;
+
+defined('_JEXEC') or die;
+
+use Joomla\CMS\Dispatcher\AbstractModuleDispatcher;
+use Joomla\CMS\Factory;
+use Joomla\Component\MokoSuiteBackup\Administrator\Helper\BackupStatusHelper;
+
+class Dispatcher extends AbstractModuleDispatcher
+{
+	/**
+	 * Returns the layout data for the module template.
+	 *
+	 * @return  array
+	 */
+	protected function getLayoutData(): array
+	{
+		$data = parent::getLayoutData();
+
+		$db = Factory::getContainer()->get('DatabaseDriver');
+
+		// Status summary from the shared helper
+		$status = BackupStatusHelper::getStatusSummary();
+
+		// Published profiles for "Backup Now" buttons
+		$profiles = [];
+
+		try {
+			$query = $db->getQuery(true)
+				->select($db->quoteName(['id', 'title', 'backup_type']))
+				->from($db->quoteName('#__mokosuitebackup_profiles'))
+				->where($db->quoteName('published') . ' = 1')
+				->order($db->quoteName('ordering') . ' ASC');
+			$db->setQuery($query);
+			$profiles = $db->loadObjectList() ?: [];
+		} catch (\Throwable $e) {
+			// Component may not be installed yet
+		}
+
+		// Next scheduled backup
+		$nextScheduled = null;
+
+		try {
+			$query = $db->getQuery(true)
+				->select($db->quoteName(['t.next_execution', 't.title']))
+				->from($db->quoteName('#__scheduler_tasks', 't'))
+				->where($db->quoteName('t.type') . ' = ' . $db->quote('mokosuitebackup.run_profile'))
+				->where($db->quoteName('t.state') . ' = 1')
+				->order($db->quoteName('t.next_execution') . ' ASC');
+			$db->setQuery($query, 0, 1);
+			$nextScheduled = $db->loadObject() ?: null;
+		} catch (\Throwable $e) {
+			// Scheduler may not exist
+		}
+
+		$data['status']        = $status;
+		$data['profiles']      = $profiles;
+		$data['nextScheduled'] = $nextScheduled;
+
+		return $data;
+	}
+}
@@ -0,0 +1,254 @@
+<?php
+
+/**
+ * @package     MokoSuiteBackup
+ * @subpackage  mod_mokosuitebackup_cpanel
+ * @author      Moko Consulting <hello@mokoconsulting.tech>
+ * @copyright   Copyright (C) 2026 Moko Consulting. All rights reserved.
+ * @license     GNU General Public License version 3 or later; see LICENSE
+ */
+
+defined('_JEXEC') or die;
+
+use Joomla\CMS\HTML\HTMLHelper;
+use Joomla\CMS\Language\Text;
+use Joomla\CMS\Router\Route;
+use Joomla\CMS\Session\Session;
+
+/** @var array $displayData */
+$status        = $displayData['status'];
+$profiles      = $displayData['profiles'];
+$nextScheduled = $displayData['nextScheduled'];
+$params        = $displayData['params'];
+
+$showButtons  = (int) $params->get('show_backup_buttons', 1);
+$showSchedule = (int) $params->get('show_schedule', 1);
+
+$latest    = $status['latest'] ?? null;
+$installed = $status['installed'] ?? false;
+$totals    = $status['totals'] ?? [];
+
+$ajaxToken = Session::getFormToken();
+$ajaxUrl   = Route::_('index.php?option=com_mokosuitebackup&format=json', false);
+
+$moduleId = 'mod-msb-cpanel-' . $displayData['module']->id;
+?>
+
+<?php if (!$installed) : ?>
+<div class="alert alert-warning mb-0">
+	<span class="icon-warning-circle" aria-hidden="true"></span>
+	<?php echo Text::_('MOD_MOKOSUITEBACKUP_CPANEL_NOT_INSTALLED'); ?>
+</div>
+<?php return; endif; ?>
+
+<div id="<?php echo $moduleId; ?>" class="mod-mokosuitebackup-cpanel">
+	<!-- Last Backup Status -->
+	<div class="mb-3">
+		<h6 class="text-muted text-uppercase small mb-2">
+			<span class="icon-database" aria-hidden="true"></span>
+			<?php echo Text::_('MOD_MOKOSUITEBACKUP_CPANEL_LAST_BACKUP'); ?>
+		</h6>
+		<?php if ($latest) : ?>
+			<div class="d-flex align-items-center justify-content-between">
+				<div>
+					<span class="badge <?php echo $latest['status'] === 'complete' ? 'bg-success' : 'bg-danger'; ?>">
+						<?php echo $latest['status'] === 'complete'
+							? Text::_('MOD_MOKOSUITEBACKUP_CPANEL_STATUS_OK')
+							: Text::_('MOD_MOKOSUITEBACKUP_CPANEL_STATUS_FAIL'); ?>
+					</span>
+					<span class="ms-1 small text-muted">
+						<?php echo htmlspecialchars($latest['profile'] ?? ''); ?>
+					</span>
+				</div>
+				<span class="small text-muted">
+					<?php echo HTMLHelper::_('date', $latest['backup_start'], Text::_('DATE_FORMAT_LC4')); ?>
+				</span>
+			</div>
+			<div class="small text-muted mt-1">
+				<?php echo HTMLHelper::_('number.bytes', (int) $latest['total_size']); ?>
+				&mdash; <?php echo Text::sprintf('MOD_MOKOSUITEBACKUP_CPANEL_FILES_TABLES', (int) $latest['files_count'], (int) $latest['tables_count']); ?>
+			</div>
+		<?php else : ?>
+			<p class="text-muted small mb-0"><?php echo Text::_('MOD_MOKOSUITEBACKUP_CPANEL_NO_BACKUPS'); ?></p>
+		<?php endif; ?>
+	</div>
+
+	<!-- Next Scheduled -->
+	<?php if ($showSchedule && $nextScheduled) : ?>
+	<div class="mb-3">
+		<h6 class="text-muted text-uppercase small mb-1">
+			<span class="icon-calendar" aria-hidden="true"></span>
+			<?php echo Text::_('MOD_MOKOSUITEBACKUP_CPANEL_NEXT_SCHEDULED'); ?>
+		</h6>
+		<div class="small">
+			<?php echo HTMLHelper::_('date', $nextScheduled->next_execution, Text::_('DATE_FORMAT_LC4')); ?>
+			<span class="text-muted">&mdash; <?php echo htmlspecialchars($nextScheduled->title); ?></span>
+		</div>
+	</div>
+	<?php endif; ?>
+
+	<!-- Stats row -->
+	<?php if (!empty($totals)) : ?>
+	<div class="d-flex gap-3 mb-3 small">
+		<div>
+			<span class="fw-bold"><?php echo (int) ($totals['all_time'] ?? 0); ?></span>
+			<span class="text-muted"><?php echo Text::_('MOD_MOKOSUITEBACKUP_CPANEL_TOTAL'); ?></span>
+		</div>
+		<div>
+			<span class="fw-bold text-success"><?php echo (int) ($totals['success_streak'] ?? 0); ?></span>
+			<span class="text-muted"><?php echo Text::_('MOD_MOKOSUITEBACKUP_CPANEL_STREAK'); ?></span>
+		</div>
+		<?php if (($totals['recent_failed'] ?? 0) > 0) : ?>
+		<div>
+			<span class="fw-bold text-danger"><?php echo (int) $totals['recent_failed']; ?></span>
+			<span class="text-muted"><?php echo Text::_('MOD_MOKOSUITEBACKUP_CPANEL_FAILED_7D'); ?></span>
+		</div>
+		<?php endif; ?>
+	</div>
+	<?php endif; ?>
+
+	<!-- Backup Now Buttons -->
+	<?php if ($showButtons && !empty($profiles)) : ?>
+	<div class="mb-3">
+		<h6 class="text-muted text-uppercase small mb-2">
+			<span class="icon-download" aria-hidden="true"></span>
+			<?php echo Text::_('MOD_MOKOSUITEBACKUP_CPANEL_BACKUP_NOW'); ?>
+		</h6>
+		<div class="d-flex flex-wrap gap-1">
+			<?php foreach ($profiles as $profile) : ?>
+			<button type="button"
+				class="btn btn-sm btn-outline-primary msb-cpanel-backup-btn"
+				data-profile-id="<?php echo (int) $profile->id; ?>"
+				data-module-id="<?php echo $moduleId; ?>">
+				<?php echo htmlspecialchars($profile->title); ?>
+				<span class="badge bg-secondary ms-1"><?php echo htmlspecialchars($profile->backup_type); ?></span>
+			</button>
+			<?php endforeach; ?>
+		</div>
+	</div>
+	<?php endif; ?>
+
+	<!-- Quick Links -->
+	<div class="list-group list-group-flush small">
+		<a href="<?php echo Route::_('index.php?option=com_mokosuitebackup&view=backups'); ?>"
+		   class="list-group-item list-group-item-action px-0 py-1">
+			<span class="icon-database" aria-hidden="true"></span>
+			<?php echo Text::_('MOD_MOKOSUITEBACKUP_CPANEL_LINK_BACKUPS'); ?>
+		</a>
+		<a href="<?php echo Route::_('index.php?option=com_mokosuitebackup&view=snapshots&task=snapshot.add'); ?>"
+		   class="list-group-item list-group-item-action px-0 py-1">
+			<span class="icon-camera" aria-hidden="true"></span>
+			<?php echo Text::_('MOD_MOKOSUITEBACKUP_CPANEL_LINK_SNAPSHOT'); ?>
+		</a>
+		<a href="<?php echo Route::_('index.php?option=com_mokosuitebackup&view=profiles'); ?>"
+		   class="list-group-item list-group-item-action px-0 py-1">
+			<span class="icon-cog" aria-hidden="true"></span>
+			<?php echo Text::_('MOD_MOKOSUITEBACKUP_CPANEL_LINK_PROFILES'); ?>
+		</a>
+	</div>
+
+	<!-- Stepped Backup Modal -->
+	<div id="<?php echo $moduleId; ?>-modal" style="display:none; position:fixed; top:0; left:0; width:100%; height:100%; background:rgba(0,0,0,0.6); z-index:10000;">
+		<div style="max-width:500px; margin:10% auto; background:#fff; border-radius:8px; padding:2rem; box-shadow:0 4px 20px rgba(0,0,0,0.3);">
+			<h3 id="<?php echo $moduleId; ?>-modal-title" style="margin:0 0 1rem;"><?php echo Text::_('MOD_MOKOSUITEBACKUP_CPANEL_BACKUP_IN_PROGRESS'); ?></h3>
+			<div class="alert alert-warning py-1 px-2 mb-2" style="font-size:0.85rem;">
+				<span class="icon-warning-circle" aria-hidden="true"></span>
+				<strong><?php echo Text::_('MOD_MOKOSUITEBACKUP_CPANEL_DO_NOT_CLOSE'); ?></strong>
+			</div>
+			<div style="background:#e9ecef; border-radius:4px; overflow:hidden; height:24px; margin-bottom:0.5rem;">
+				<div id="<?php echo $moduleId; ?>-progress-bar" style="height:100%; background:#0d6efd; transition:width 0.3s; width:0%; display:flex; align-items:center; justify-content:center; color:#fff; font-size:0.8rem; font-weight:bold;">0%</div>
+			</div>
+			<p id="<?php echo $moduleId; ?>-status" style="color:#666; font-size:0.9rem; margin:0.5rem 0;">Initializing...</p>
+			<p id="<?php echo $moduleId; ?>-phase" style="color:#999; font-size:0.8rem; margin:0;">Phase: init</p>
+		</div>
+	</div>
+</div>
+
+<script>
+(function() {
+	var MOD_ID   = <?php echo json_encode($moduleId); ?>;
+	var AJAX_URL = <?php echo json_encode($ajaxUrl); ?>;
+	var TOKEN    = <?php echo json_encode($ajaxToken); ?>;
+
+	var running = false;
+
+	window.addEventListener('beforeunload', function(e) {
+		if (running) { e.preventDefault(); e.returnValue = ''; }
+	});
+
+	function el(id) { return document.getElementById(id); }
+
+	function showModal() {
+		running = true;
+		el(MOD_ID + '-modal').style.display = 'block';
+	}
+
+	function hideModal() {
+		running = false;
+		el(MOD_ID + '-modal').style.display = 'none';
+	}
+
+	function updateProgress(pct, msg, phase) {
+		var bar = el(MOD_ID + '-progress-bar');
+		bar.style.width = pct + '%';
+		bar.textContent = pct + '%';
+		el(MOD_ID + '-status').textContent = msg;
+		el(MOD_ID + '-phase').textContent = 'Phase: ' + phase;
+	}
+
+	async function postAjax(params) {
+		var form = new URLSearchParams();
+		form.append(TOKEN, '1');
+		for (var k in params) { form.append(k, params[k]); }
+		var res = await fetch(AJAX_URL, {
+			method: 'POST',
+			body: form,
+			headers: { 'X-Requested-With': 'XMLHttpRequest' }
+		});
+		return res.json();
+	}
+
+	async function startBackup(profileId) {
+		showModal();
+		updateProgress(0, 'Initializing backup...', 'init');
+
+		try {
+			var initResult = await postAjax({ task: 'ajax.init', profile_id: profileId });
+			if (initResult.error) {
+				updateProgress(0, 'ERROR: ' + initResult.message, 'failed');
+				setTimeout(hideModal, 5000);
+				return;
+			}
+
+			var sessionId = initResult.session_id;
+			updateProgress(initResult.progress, initResult.message, initResult.phase);
+
+			var done = false;
+			while (!done) {
+				var stepResult = await postAjax({ task: 'ajax.step', session_id: sessionId });
+				if (stepResult.error) {
+					updateProgress(0, 'ERROR: ' + stepResult.message, 'failed');
+					setTimeout(hideModal, 5000);
+					return;
+				}
+				updateProgress(stepResult.progress, stepResult.message, stepResult.phase);
+				done = stepResult.done || false;
+			}
+
+			el(MOD_ID + '-modal-title').textContent = <?php echo json_encode(Text::_('MOD_MOKOSUITEBACKUP_CPANEL_BACKUP_COMPLETE')); ?>;
+			setTimeout(function() { hideModal(); location.reload(); }, 2000);
+		} catch (err) {
+			updateProgress(0, 'ERROR: ' + err.message, 'failed');
+			setTimeout(hideModal, 5000);
+		}
+	}
+
+	document.addEventListener('DOMContentLoaded', function() {
+		document.querySelectorAll('#' + MOD_ID + ' .msb-cpanel-backup-btn').forEach(function(btn) {
+			btn.addEventListener('click', function() {
+				startBackup(this.getAttribute('data-profile-id'));
+			});
+		});
+	});
+})();
+</script>
@@ -7,3 +7,9 @@ PLG_ACTIONLOG_MOKOJOOMBACKUP_PROFILE_DELETED="User {username} deleted backup pro
 PLG_ACTIONLOG_MOKOJOOMBACKUP_RECORD_DELETED="User {username} deleted backup record &quot;{title}&quot; (ID: {id})"
 PLG_ACTIONLOG_MOKOJOOMBACKUP_BACKUP_COMPLETE="Backup completed: &quot;{title}&quot; (ID: {id}, profile: {profile_id}, origin: {origin})"
 PLG_ACTIONLOG_MOKOJOOMBACKUP_BACKUP_FAILED="Backup FAILED: &quot;{title}&quot; (ID: {id}, profile: {profile_id}, origin: {origin})"
+PLG_ACTIONLOG_MOKOJOOMBACKUP_RESTORE_COMPLETE="User {username} restored backup #{id}"
+PLG_ACTIONLOG_MOKOJOOMBACKUP_RESTORE_FAILED="User {username} attempted to restore backup #{id} but it FAILED"
+PLG_ACTIONLOG_MOKOJOOMBACKUP_SNAPSHOT_CREATED="User {username} created content snapshot (ID: {id}, types: {content_types})"
+PLG_ACTIONLOG_MOKOJOOMBACKUP_SNAPSHOT_FAILED="User {username} attempted to create content snapshot but it FAILED"
+PLG_ACTIONLOG_MOKOJOOMBACKUP_SNAPSHOT_RESTORE_COMPLETE="User {username} restored snapshot #{id} ({mode} mode)"
+PLG_ACTIONLOG_MOKOJOOMBACKUP_SNAPSHOT_RESTORE_FAILED="User {username} attempted to restore snapshot #{id} ({mode} mode) but it FAILED"
@@ -7,3 +7,9 @@ PLG_ACTIONLOG_MOKOJOOMBACKUP_PROFILE_DELETED="User {username} deleted backup pro
 PLG_ACTIONLOG_MOKOJOOMBACKUP_RECORD_DELETED="User {username} deleted backup record &quot;{title}&quot; (ID: {id})"
 PLG_ACTIONLOG_MOKOJOOMBACKUP_BACKUP_COMPLETE="Backup completed: &quot;{title}&quot; (ID: {id}, profile: {profile_id}, origin: {origin})"
 PLG_ACTIONLOG_MOKOJOOMBACKUP_BACKUP_FAILED="Backup FAILED: &quot;{title}&quot; (ID: {id}, profile: {profile_id}, origin: {origin})"
+PLG_ACTIONLOG_MOKOJOOMBACKUP_RESTORE_COMPLETE="User {username} restored backup #{id}"
+PLG_ACTIONLOG_MOKOJOOMBACKUP_RESTORE_FAILED="User {username} attempted to restore backup #{id} but it FAILED"
+PLG_ACTIONLOG_MOKOJOOMBACKUP_SNAPSHOT_CREATED="User {username} created content snapshot (ID: {id}, types: {content_types})"
+PLG_ACTIONLOG_MOKOJOOMBACKUP_SNAPSHOT_FAILED="User {username} attempted to create content snapshot but it FAILED"
+PLG_ACTIONLOG_MOKOJOOMBACKUP_SNAPSHOT_RESTORE_COMPLETE="User {username} restored snapshot #{id} ({mode} mode)"
+PLG_ACTIONLOG_MOKOJOOMBACKUP_SNAPSHOT_RESTORE_FAILED="User {username} attempted to restore snapshot #{id} ({mode} mode) but it FAILED"
@@ -7,7 +7,7 @@
 -->
 <extension type="plugin" group="actionlog" method="upgrade">
 	<name>Action Log - MokoSuiteBackup</name>
-	<version>01.31.00</version>
+	<version>01.40.00</version>
 	<creationDate>2026-06-04</creationDate>
 	<author>Moko Consulting</author>
 	<authorEmail>hello@mokoconsulting.tech</authorEmail>
@@ -27,7 +27,10 @@ final class MokoSuiteBackupActionlog extends CMSPlugin implements SubscriberInte
 		return [
 			'onContentAfterSave'   => 'onContentAfterSave',
 			'onContentAfterDelete' => 'onContentAfterDelete',
-			'onMokoSuiteBackupAfterRun' => 'onMokoSuiteBackupAfterRun',
+			'onMokoSuiteBackupAfterRun'             => 'onMokoSuiteBackupAfterRun',
+			'onMokoSuiteBackupAfterRestore'         => 'onMokoSuiteBackupAfterRestore',
+			'onMokoSuiteBackupAfterSnapshot'        => 'onMokoSuiteBackupAfterSnapshot',
+			'onMokoSuiteBackupAfterSnapshotRestore' => 'onMokoSuiteBackupAfterSnapshotRestore',
 		];
 	}

@@ -130,6 +133,94 @@ final class MokoSuiteBackupActionlog extends CMSPlugin implements SubscriberInte
 		);
 	}

+	/**
+	 * Log when a backup is restored.
+	 */
+	public function onMokoSuiteBackupAfterRestore(Event $event): void
+	{
+		$args = $event->getArguments();
+
+		$success  = $args['success'] ?? false;
+		$recordId = $args['record_id'] ?? 0;
+
+		$messageKey = $success
+			? 'PLG_ACTIONLOG_MOKOJOOMBACKUP_RESTORE_COMPLETE'
+			: 'PLG_ACTIONLOG_MOKOJOOMBACKUP_RESTORE_FAILED';
+
+		$this->addLog(
+			[
+				$messageKey,
+				'id'       => $recordId,
+				'title'    => 'Backup #' . $recordId,
+				'userid'   => $this->getCurrentUserId(),
+				'username' => $this->getCurrentUserName(),
+			],
+			$messageKey,
+			'com_mokosuitebackup.backup',
+			$this->getCurrentUserId()
+		);
+	}
+
+	/**
+	 * Log when a content snapshot is created.
+	 */
+	public function onMokoSuiteBackupAfterSnapshot(Event $event): void
+	{
+		$args = $event->getArguments();
+
+		$success       = $args['success'] ?? false;
+		$snapshotId    = $args['snapshot_id'] ?? 0;
+		$contentTypes  = $args['content_types'] ?? [];
+
+		$messageKey = $success
+			? 'PLG_ACTIONLOG_MOKOJOOMBACKUP_SNAPSHOT_CREATED'
+			: 'PLG_ACTIONLOG_MOKOJOOMBACKUP_SNAPSHOT_FAILED';
+
+		$this->addLog(
+			[
+				$messageKey,
+				'id'            => $snapshotId,
+				'title'         => 'Snapshot #' . $snapshotId,
+				'content_types' => implode(', ', $contentTypes),
+				'userid'        => $this->getCurrentUserId(),
+				'username'      => $this->getCurrentUserName(),
+			],
+			$messageKey,
+			'com_mokosuitebackup.snapshot',
+			$this->getCurrentUserId()
+		);
+	}
+
+	/**
+	 * Log when a snapshot is restored.
+	 */
+	public function onMokoSuiteBackupAfterSnapshotRestore(Event $event): void
+	{
+		$args = $event->getArguments();
+
+		$success    = $args['success'] ?? false;
+		$snapshotId = $args['snapshot_id'] ?? 0;
+		$mode       = $args['mode'] ?? 'replace';
+
+		$messageKey = $success
+			? 'PLG_ACTIONLOG_MOKOJOOMBACKUP_SNAPSHOT_RESTORE_COMPLETE'
+			: 'PLG_ACTIONLOG_MOKOJOOMBACKUP_SNAPSHOT_RESTORE_FAILED';
+
+		$this->addLog(
+			[
+				$messageKey,
+				'id'       => $snapshotId,
+				'title'    => 'Snapshot #' . $snapshotId,
+				'mode'     => $mode,
+				'userid'   => $this->getCurrentUserId(),
+				'username' => $this->getCurrentUserName(),
+			],
+			$messageKey,
+			'com_mokosuitebackup.snapshot',
+			$this->getCurrentUserId()
+		);
+	}
+
 	/**
 	 * Write an action log entry.
 	 */
@@ -7,7 +7,7 @@
 -->
 <extension type="plugin" group="console" method="upgrade">
 	<name>Console - MokoSuiteBackup</name>
-	<version>01.31.00</version>
+	<version>01.40.00</version>
 	<creationDate>2026-06-04</creationDate>
 	<author>Moko Consulting</author>
 	<authorEmail>hello@mokoconsulting.tech</authorEmail>
@@ -17,6 +17,7 @@ use Joomla\Component\MokoSuiteBackup\Administrator\Engine\RestoreEngine;
 use Joomla\Console\Command\AbstractCommand;
 use Symfony\Component\Console\Input\InputArgument;
 use Symfony\Component\Console\Input\InputInterface;
+use Symfony\Component\Console\Input\InputOption;
 use Symfony\Component\Console\Output\OutputInterface;
 use Symfony\Component\Console\Style\SymfonyStyle;

@@ -28,6 +29,10 @@ class RestoreCommand extends AbstractCommand
 	{
 		$this->setDescription('Restore a backup by record ID');
 		$this->addArgument('id', InputArgument::REQUIRED, 'Backup record ID to restore');
+		$this->addOption('files-only', null, InputOption::VALUE_NONE, 'Restore files only (skip database)');
+		$this->addOption('db-only', null, InputOption::VALUE_NONE, 'Restore database only (skip files)');
+		$this->addOption('no-preserve-config', null, InputOption::VALUE_NONE, 'Do not preserve current configuration.php');
+		$this->addOption('password', 'p', InputOption::VALUE_REQUIRED, 'Decryption password for encrypted archives', '');
 	}

 	protected function doExecute(InputInterface $input, OutputInterface $output): int
@@ -85,8 +90,22 @@ class RestoreCommand extends AbstractCommand
 			require_once $engineFile;
 		}

+		$filesOnly       = $input->getOption('files-only');
+		$dbOnly          = $input->getOption('db-only');
+		$preserveConfig  = !$input->getOption('no-preserve-config');
+		$password        = $input->getOption('password') ?: '';
+
+		$restoreFiles = !$dbOnly;
+		$restoreDb    = !$filesOnly;
+
+		if ($filesOnly) {
+			$io->note('Restoring files only (database will not be touched)');
+		} elseif ($dbOnly) {
+			$io->note('Restoring database only (files will not be touched)');
+		}
+
 		$engine = new RestoreEngine();
-		$result = $engine->restore($recordId);
+		$result = $engine->restore($recordId, $restoreFiles, $restoreDb, $preserveConfig, $password);

 		if ($result['success']) {
 			$io->success($result['message']);
@@ -7,7 +7,7 @@
 -->
 <extension type="plugin" group="content" method="upgrade">
 	<name>Content - MokoSuiteBackup</name>
-	<version>01.31.00</version>
+	<version>01.40.00</version>
 	<creationDate>2026-06-04</creationDate>
 	<author>Moko Consulting</author>
 	<authorEmail>hello@mokoconsulting.tech</authorEmail>
@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <extension type="plugin" group="quickicon" method="upgrade">
 	<name>Quick Icon - MokoSuiteBackup</name>
-	<version>01.31.00</version>
+	<version>01.40.00</version>
 	<creationDate>2026-06-02</creationDate>
 	<author>Moko Consulting</author>
 	<authorEmail>hello@mokoconsulting.tech</authorEmail>
@@ -7,7 +7,7 @@
 -->
 <extension type="plugin" group="system" method="upgrade">
 	<name>System - MokoSuiteBackup</name>
-	<version>01.31.00</version>
+	<version>01.40.00</version>
 	<creationDate>2026-06-02</creationDate>
 	<author>Moko Consulting</author>
 	<authorEmail>hello@mokoconsulting.tech</authorEmail>
@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ * Task form: configure content snapshot parameters.
+ * This form appears in System > Scheduled Tasks when creating a
+ * "MokoSuiteBackup: Run Content Snapshot" task.
+ -->
+<form>
+	<fieldset name="run_snapshot">
+		<field name="content_types" type="checkboxes" label="Content Types" default="articles,categories,modules">
+			<option value="articles">Articles</option>
+			<option value="categories">Categories</option>
+			<option value="modules">Modules</option>
+		</field>
+		<field name="description_format" type="text" label="Description Format" default="[date] Scheduled snapshot" hint="Use [date], [datetime] placeholders" />
+	</fieldset>
+</form>
@@ -7,7 +7,7 @@
 -->
 <extension type="plugin" group="task" method="upgrade">
 	<name>Task - MokoSuiteBackup</name>
-	<version>01.31.00</version>
+	<version>01.40.00</version>
 	<creationDate>2026-06-02</creationDate>
 	<author>Moko Consulting</author>
 	<authorEmail>hello@mokoconsulting.tech</authorEmail>
@@ -43,6 +43,11 @@ final class MokoSuiteBackupTask extends CMSPlugin implements SubscriberInterface
 			'method'          => 'runBackupProfile',
 			'form'            => 'run_profile',
 		],
+		'mokosuitebackup.snapshot' => [
+			'langConstPrefix' => 'PLG_TASK_MOKOJOOMBACKUP_TASK_RUN_SNAPSHOT',
+			'method'          => 'runContentSnapshot',
+			'form'            => 'run_snapshot',
+		],
 	];

 	public static function getSubscribedEvents(): array
@@ -93,4 +98,51 @@ final class MokoSuiteBackupTask extends CMSPlugin implements SubscriberInterface

 		return Status::KNOCKOUT;
 	}
+
+	/**
+	 * Create a content snapshot using the configured content types.
+	 *
+	 * @param   ExecuteTaskEvent  $event  The task execution event
+	 *
+	 * @return  int  Status::OK on success, Status::KNOCKOUT on failure
+	 */
+	private function runContentSnapshot(ExecuteTaskEvent $event): int
+	{
+		$params        = $event->getArgument('params');
+		$contentTypes  = (array) ($params->content_types ?? ['articles', 'categories', 'modules']);
+		$descFormat    = (string) ($params->description_format ?? '[date] Scheduled snapshot');
+
+		// Resolve placeholders in the description
+		$description = str_replace(
+			['[date]', '[datetime]'],
+			[date('Y-m-d'), date('Y-m-d H:i:s')],
+			$descFormat
+		);
+
+		// Load the snapshot engine from the component
+		$engineFile = JPATH_ADMINISTRATOR . '/components/com_mokosuitebackup/src/Engine/SnapshotEngine.php';
+
+		if (!file_exists($engineFile)) {
+			$this->logTask('MokoSuiteBackup component not installed — cannot create snapshot.');
+
+			return Status::KNOCKOUT;
+		}
+
+		if (!class_exists('\\Joomla\\Component\\MokoSuiteBackup\\Administrator\\Engine\\SnapshotEngine')) {
+			require_once $engineFile;
+		}
+
+		$engine = new \Joomla\Component\MokoSuiteBackup\Administrator\Engine\SnapshotEngine();
+		$result = $engine->create($contentTypes, $description);
+
+		if ($result['success']) {
+			$this->logTask('Snapshot complete: ' . $result['message']);
+
+			return Status::OK;
+		}
+
+		$this->logTask('Snapshot failed: ' . $result['message']);
+
+		return Status::KNOCKOUT;
+	}
 }
@@ -7,7 +7,7 @@
 -->
 <extension type="plugin" group="webservices" method="upgrade">
 	<name>Web Services - MokoSuiteBackup</name>
-	<version>01.31.00</version>
+	<version>01.40.00</version>
 	<creationDate>2026-06-02</creationDate>
 	<author>Moko Consulting</author>
 	<authorEmail>hello@mokoconsulting.tech</authorEmail>
@@ -8,7 +8,7 @@
 <extension type="package" method="upgrade">
 	<name>Package - MokoSuiteBackup</name>
 	<packagename>mokosuitebackup</packagename>
-	<version>01.31.00</version>
+	<version>01.40.00</version>
 	<creationDate>2026-06-02</creationDate>
 	<author>Moko Consulting</author>
 	<authorEmail>hello@mokoconsulting.tech</authorEmail>
@@ -28,6 +28,7 @@
 		<file type="plugin" id="mokosuitebackup" group="console">plg_console_mokosuitebackup.zip</file>
 		<file type="plugin" id="mokosuitebackup" group="content">plg_content_mokosuitebackup.zip</file>
 		<file type="plugin" id="mokosuitebackup" group="actionlog">plg_actionlog_mokosuitebackup.zip</file>
+		<file type="module" id="mod_mokosuitebackup_cpanel" client="administrator">mod_mokosuitebackup_cpanel.zip</file>
 	</files>

 	<languages>
@@ -58,7 +58,7 @@ class Pkg_MokoSuiteBackupInstallerScript
 			return false;
 		}

-		// Check required PHP extensions (warn but don't block install)
+		/* Check required PHP extensions (warn but don't block install) */
 		$requiredExts = ['zip', 'pdo', 'pdo_mysql', 'mbstring', 'curl'];
 		$missingExts  = array_filter($requiredExts, fn($ext) => !extension_loaded($ext));

@@ -71,7 +71,7 @@ class Pkg_MokoSuiteBackupInstallerScript
 			);
 		}

-		// Save download key before Joomla re-registers the update site
+		/* Save download key before Joomla re-registers the update site */
 		if ($type === 'update') {
 			$this->preflight_saveKey();
 		}
@@ -138,43 +138,43 @@ class Pkg_MokoSuiteBackupInstallerScript
 			return;
 		}

-		// Restore download key if it was saved before update
+		/* Restore download key if it was saved before update */
 		if ($this->savedDownloadKey !== null) {
 			$this->restoreDownloadKey();
 		}

 		if ($type === 'install') {
-			// Enable all bundled plugins on fresh install
+			/* Enable all bundled plugins on fresh install */
 			$this->enableBundledPlugins();

-			// Create default backup directory in site root
+			/* Create default backup directory in site root */
 			$this->createBackupDirectory();

-			// Generate a random webcron secret word
+			/* Generate a random webcron secret word */
 			$this->generateWebcronSecret();

-			// Create default scheduled task for backup automation
+			/* Create default scheduled task for backup automation */
 			$this->createDefaultScheduledTask();
 		}

-		// Ensure submenu items exist and are up to date
-		// (Joomla may not add new submenu entries or update params on upgrades)
+		/* Ensure submenu items exist and are up to date */
+		/* (Joomla may not add new submenu entries or update params on upgrades) */
 		$this->ensureSubmenuItems();

-		// Fix package client_id — packages must be client_id=0 (site) for
-		// Joomla's updater to match the <client>site</client> in updates.xml
+		/* Fix package client_id — packages must be client_id=0 (site) for */
+		/* Joomla's updater to match the <client>site</client> in updates.xml */
 		$this->fixPackageClientId();

-		// Sync submenu icons in #__menu (Joomla doesn't update icons on upgrades)
+		/* Sync submenu icons in #__menu (Joomla doesn't update icons on upgrades) */
 		$this->syncMenuIcons();

-		// Warn if no license key configured
+		/* Warn if no license key configured */
 		$this->warnMissingLicenseKey();

-		// Migrate profiles with old default backup_dir values to [DEFAULT_DIR] placeholder
+		/* Migrate profiles with old default backup_dir values to [DEFAULT_DIR] placeholder */
 		$this->migrateDefaultBackupDir();

-		// Remind user to review backup profile settings
+		/* Remind user to review backup profile settings */
 		if ($type === 'install') {
 			$profileUrl = Route::_('index.php?option=com_mokosuitebackup&view=profiles');

@@ -196,7 +196,7 @@ class Pkg_MokoSuiteBackupInstallerScript
 		try {
 			$db = Factory::getDbo();

-			// Load current component params
+			/* Load current component params */
 			$query = $db->getQuery(true)
 				->select($db->quoteName('params'))
 				->from($db->quoteName('#__extensions'))
@@ -208,7 +208,7 @@ class Pkg_MokoSuiteBackupInstallerScript

 			$params = json_decode($rawParams ?: '{}', true) ?: [];

-			// Only generate if not already set
+			/* Only generate if not already set */
 			if (!empty($params['webcron_secret'])) {
 				return;
 			}
@@ -286,7 +286,7 @@ class Pkg_MokoSuiteBackupInstallerScript
 			return;
 		}

-		// Protect directory from direct web access
+		/* Protect directory from direct web access */
 		$htaccess = $backupDir . '/.htaccess';

 		if (!file_exists($htaccess)) {
@@ -361,7 +361,7 @@ class Pkg_MokoSuiteBackupInstallerScript
 		try {
 			$db = Factory::getDbo();

-			// Check if a MokoSuiteBackup task already exists
+			/* Check if a MokoSuiteBackup task already exists */
 			$query = $db->getQuery(true)
 				->select('COUNT(*)')
 				->from($db->quoteName('#__scheduler_tasks'))
@@ -460,7 +460,7 @@ class Pkg_MokoSuiteBackupInstallerScript
 		try {
 			$db = Factory::getDbo();

-			// Find the parent menu item for our component
+			/* Find the parent menu item for our component */
 			$query = $db->getQuery(true)
 				->select([$db->quoteName('id'), $db->quoteName('menutype')])
 				->from($db->quoteName('#__menu'))
@@ -476,7 +476,7 @@ class Pkg_MokoSuiteBackupInstallerScript
 				return;
 			}

-			// Get the component extension_id
+			/* Get the component extension_id */
 			$query = $db->getQuery(true)
 				->select($db->quoteName('extension_id'))
 				->from($db->quoteName('#__extensions'))
@@ -492,7 +492,7 @@ class Pkg_MokoSuiteBackupInstallerScript
 			}

 			foreach ($submenus as $submenu) {
-				// Check if this submenu item already exists
+				/* Check if this submenu item already exists */
 				$query = $db->getQuery(true)
 					->select([$db->quoteName('id'), $db->quoteName('params')])
 					->from($db->quoteName('#__menu'))
@@ -503,7 +503,7 @@ class Pkg_MokoSuiteBackupInstallerScript
 				$existing = $db->loadObject();

 				if ($existing) {
-					// Merge menu_icon into existing params to preserve other settings
+					/* Merge menu_icon into existing params to preserve other settings */
 					$existingParams = json_decode($existing->params ?? '{}', true) ?: [];
 					$existingParams['menu_icon'] = $submenu['menu_icon'];
 					$mergedParams = json_encode($existingParams);
@@ -517,7 +517,7 @@ class Pkg_MokoSuiteBackupInstallerScript
 					continue;
 				}

-				// Use Joomla's MenuTable to create the item properly
+				/* Use Joomla's MenuTable to create the item properly */
 				$table = Factory::getApplication()
 					->bootComponent('com_menus')
 					->getMVCFactory()