feat: add community enhancements — password reset, audit logs, multi-source backup

Three community-requested features:

1. CLI password reset: `backupx reset-password --username admin --password xxx`
   Docker users can run via `docker exec`. No full app init needed.

2. Audit logging: async fire-and-forget audit trail for all key operations
   (login, CRUD on tasks/targets/records, settings changes).
   New UI page at /audit with category filter and pagination.

3. Multi-source path backup: file backup tasks now support multiple source
   directories packed into a single tar archive. Backward compatible with
   existing single sourcePath field.

server/internal/service/audit_service.go

@@ -0,0 +1,68 @@
+package service
+
+import (
+	"context"
+	"fmt"
+	"log"
+
+	"backupx/server/internal/apperror"
+	"backupx/server/internal/model"
+	"backupx/server/internal/repository"
+)
+
+// AuditEntry 是记录审计日志的输入结构
+type AuditEntry struct {
+	UserID     uint
+	Username   string
+	Category   string // auth / storage_target / backup_task / backup_record / settings
+	Action     string // create / update / delete / login_success / login_failed / ...
+	TargetType string
+	TargetID   string
+	TargetName string
+	Detail     string
+	ClientIP   string
+}
+
+type AuditService struct {
+	repo repository.AuditLogRepository
+}
+
+func NewAuditService(repo repository.AuditLogRepository) *AuditService {
+	return &AuditService{repo: repo}
+}
+
+// Record 异步 fire-and-forget 写入审计日志，不阻塞业务逻辑
+func (s *AuditService) Record(entry AuditEntry) {
+	if s == nil || s.repo == nil {
+		return
+	}
+	go func() {
+		record := &model.AuditLog{
+			UserID:     entry.UserID,
+			Username:   entry.Username,
+			Category:   entry.Category,
+			Action:     entry.Action,
+			TargetType: entry.TargetType,
+			TargetID:   entry.TargetID,
+			TargetName: entry.TargetName,
+			Detail:     entry.Detail,
+			ClientIP:   entry.ClientIP,
+		}
+		if err := s.repo.Create(context.Background(), record); err != nil {
+			log.Printf("[audit] failed to write audit log: %v", err)
+		}
+	}()
+}
+
+// List 分页查询审计日志
+func (s *AuditService) List(ctx context.Context, category string, limit, offset int) (*repository.AuditLogListResult, error) {
+	result, err := s.repo.List(ctx, repository.AuditLogListOptions{
+		Category: category,
+		Limit:    limit,
+		Offset:   offset,
+	})
+	if err != nil {
+		return nil, apperror.Internal("AUDIT_LOG_LIST_FAILED", fmt.Sprintf("无法获取审计日志列表: %v", err), err)
+	}
+	return result, nil
+}

server/internal/service/auth_service.go

@@ -37,10 +37,11 @@ type UserOutput struct {
 }
 
 type AuthService struct {
-	users       repository.UserRepository
-	configs     repository.SystemConfigRepository
-	jwtManager  *security.JWTManager
-	rateLimiter *security.LoginRateLimiter
+	users        repository.UserRepository
+	configs      repository.SystemConfigRepository
+	jwtManager   *security.JWTManager
+	rateLimiter  *security.LoginRateLimiter
+	auditService *AuditService
 }
 
 func NewAuthService(
@@ -52,6 +53,10 @@ func NewAuthService(
 	return &AuthService{users: users, configs: configs, jwtManager: jwtManager, rateLimiter: rateLimiter}
 }
 
+func (s *AuthService) SetAuditService(auditService *AuditService) {
+	s.auditService = auditService
+}
+
 func (s *AuthService) SetupStatus(ctx context.Context) (bool, error) {
 	count, err := s.users.Count(ctx)
 	if err != nil {
@@ -97,6 +102,15 @@ func (s *AuthService) Setup(ctx context.Context, input SetupInput) (*AuthPayload
 		return nil, apperror.Internal("AUTH_TOKEN_FAILED", "无法生成访问令牌", err)
 	}
 
+	if s.auditService != nil {
+		s.auditService.Record(AuditEntry{
+			UserID: user.ID, Username: user.Username,
+			Category: "auth", Action: "setup",
+			TargetType: "user", TargetID: fmt.Sprintf("%d", user.ID), TargetName: user.Username,
+			Detail: "系统初始化，创建管理员账户",
+		})
+	}
+
 	return &AuthPayload{Token: token, User: ToUserOutput(user)}, nil
 }
 
@@ -113,9 +127,23 @@ func (s *AuthService) Login(ctx context.Context, input LoginInput, clientKey str
 		return nil, apperror.Internal("AUTH_LOOKUP_FAILED", "无法执行登录校验", err)
 	}
 	if user == nil {
+		if s.auditService != nil {
+			s.auditService.Record(AuditEntry{
+				Category: "auth", Action: "login_failed",
+				Detail: fmt.Sprintf("用户名不存在: %s", strings.TrimSpace(input.Username)),
+				ClientIP: clientKey,
+			})
+		}
 		return nil, apperror.Unauthorized("AUTH_INVALID_CREDENTIALS", "用户名或密码错误", nil)
 	}
 	if err := security.ComparePassword(user.PasswordHash, input.Password); err != nil {
+		if s.auditService != nil {
+			s.auditService.Record(AuditEntry{
+				UserID: user.ID, Username: user.Username,
+				Category: "auth", Action: "login_failed",
+				Detail: "密码错误", ClientIP: clientKey,
+			})
+		}
 		return nil, apperror.Unauthorized("AUTH_INVALID_CREDENTIALS", "用户名或密码错误", err)
 	}
 
@@ -124,6 +152,15 @@ func (s *AuthService) Login(ctx context.Context, input LoginInput, clientKey str
 	if err != nil {
 		return nil, apperror.Internal("AUTH_TOKEN_FAILED", "无法生成访问令牌", err)
 	}
+
+	if s.auditService != nil {
+		s.auditService.Record(AuditEntry{
+			UserID: user.ID, Username: user.Username,
+			Category: "auth", Action: "login_success",
+			Detail: "登录成功", ClientIP: clientKey,
+		})
+	}
+
 	return &AuthPayload{Token: token, User: ToUserOutput(user)}, nil
 }
 
@@ -170,6 +207,15 @@ func (s *AuthService) ChangePassword(ctx context.Context, subject string, input
 	if err := s.users.Update(ctx, user); err != nil {
 		return apperror.Internal("AUTH_UPDATE_FAILED", "密码修改失败", err)
 	}
+
+	if s.auditService != nil {
+		s.auditService.Record(AuditEntry{
+			UserID: user.ID, Username: user.Username,
+			Category: "auth", Action: "change_password",
+			Detail: "密码修改成功",
+		})
+	}
+
 	return nil
 }
 

server/internal/service/backup_execution_service.go

@@ -8,6 +8,7 @@ import (
 	"os"
 	"path/filepath"
 	"strings"
+	"sync"
 	"time"
 
 	"backupx/server/internal/apperror"
@@ -37,11 +38,35 @@ func (noopBackupNotifier) NotifyBackupResult(context.Context, BackupExecutionNot
 	return nil
 }
 
+type StorageUploadResultItem struct {
+	StorageTargetID   uint   `json:"storageTargetId"`
+	StorageTargetName string `json:"storageTargetName"`
+	Status            string `json:"status"`
+	StoragePath       string `json:"storagePath,omitempty"`
+	FileSize          int64  `json:"fileSize,omitempty"`
+	Error             string `json:"error,omitempty"`
+}
+
 type DownloadedArtifact struct {
 	FileName string
 	Reader   io.ReadCloser
 }
 
+// collectTargetIDs 获取任务关联的所有存储目标 ID
+func collectTargetIDs(task *model.BackupTask) []uint {
+	if len(task.StorageTargets) > 0 {
+		ids := make([]uint, len(task.StorageTargets))
+		for i, t := range task.StorageTargets {
+			ids[i] = t.ID
+		}
+		return ids
+	}
+	if task.StorageTargetID > 0 {
+		return []uint{task.StorageTargetID}
+	}
+	return nil
+}
+
 type BackupExecutionService struct {
 	tasks           repository.BackupTaskRepository
 	records         repository.BackupRecordRepository
@@ -194,7 +219,12 @@ func (s *BackupExecutionService) startTask(ctx context.Context, id uint, async b
 		return nil, apperror.New(404, "BACKUP_TASK_NOT_FOUND", "备份任务不存在", fmt.Errorf("backup task %d not found", id))
 	}
 	startedAt := s.now()
-	record := &model.BackupRecord{TaskID: task.ID, StorageTargetID: task.StorageTargetID, Status: "running", StartedAt: startedAt}
+	// 取第一个存储目标 ID 做兼容
+	primaryTargetID := task.StorageTargetID
+	if tids := collectTargetIDs(task); len(tids) > 0 {
+		primaryTargetID = tids[0]
+	}
+	record := &model.BackupRecord{TaskID: task.ID, StorageTargetID: primaryTargetID, Status: "running", StartedAt: startedAt}
 	if err := s.records.Create(ctx, record); err != nil {
 		return nil, apperror.Internal("BACKUP_RECORD_CREATE_FAILED", "无法创建备份记录", err)
 	}
@@ -224,10 +254,20 @@ func (s *BackupExecutionService) executeTask(ctx context.Context, task *model.Ba
 	var fileName string
 	var fileSize int64
 	var storagePath string
+	var uploadResults []StorageUploadResultItem
 	completeRecord := func() {
 		if finalizeErr := s.finalizeRecord(ctx, task, recordID, startedAt, status, errMessage, logger.String(), fileName, fileSize, storagePath); finalizeErr != nil {
 			logger.Errorf("写回备份记录失败：%v", finalizeErr)
 		}
+		// 写入多目标上传结果
+		if len(uploadResults) > 0 {
+			if resultsJSON, marshalErr := json.Marshal(uploadResults); marshalErr == nil {
+				if record, findErr := s.records.FindByID(ctx, recordID); findErr == nil && record != nil {
+					record.StorageUploadResults = string(resultsJSON)
+					_ = s.records.Update(ctx, record)
+				}
+			}
+		}
 		if err := s.notifier.NotifyBackupResult(ctx, BackupExecutionNotification{Task: task, Record: &model.BackupRecord{ID: recordID, TaskID: task.ID, Status: status, FileName: fileName, FileSize: fileSize, StoragePath: storagePath, ErrorMessage: errMessage, StartedAt: startedAt}, Error: buildOptionalError(errMessage)}); err != nil {
 			logger.Warnf("发送备份通知失败：%v", err)
 		}
@@ -241,12 +281,6 @@ func (s *BackupExecutionService) executeTask(ctx context.Context, task *model.Ba
 		logger.Errorf("构建任务运行时配置失败：%v", err)
 		return
 	}
-	provider, err := s.resolveProvider(ctx, task.StorageTargetID)
-	if err != nil {
-		errMessage = err.Error()
-		logger.Errorf("创建存储客户端失败：%v", err)
-		return
-	}
 	runner, err := s.runnerRegistry.Runner(spec.Type)
 	if err != nil {
 		errMessage = err.Error()
@@ -290,31 +324,83 @@ func (s *BackupExecutionService) executeTask(ctx context.Context, task *model.Ba
 	fileSize = info.Size()
 	fileName = filepath.Base(finalPath)
 	storagePath = backup.BuildStorageKey(task.Type, startedAt, fileName)
-	artifact, err := os.Open(finalPath)
-	if err != nil {
-		errMessage = err.Error()
-		logger.Errorf("打开备份文件失败：%v", err)
+
+	// 收集所有存储目标
+	targetIDs := collectTargetIDs(task)
+	if len(targetIDs) == 0 {
+		errMessage = "没有关联的存储目标"
+		logger.Errorf("没有关联的存储目标")
 		return
 	}
-	defer artifact.Close()
-	logger.Infof("开始上传备份到存储目标")
-	if err := provider.Upload(ctx, storagePath, artifact, fileSize, map[string]string{"taskId": fmt.Sprintf("%d", task.ID), "recordId": fmt.Sprintf("%d", recordID)}); err != nil {
-		errMessage = err.Error()
-		logger.Errorf("上传备份文件失败：%v", err)
-		return
-	}
-	if s.retention != nil {
-		cleanupResult, cleanupErr := s.retention.Cleanup(ctx, task, provider)
-		if cleanupErr != nil {
-			logger.Warnf("执行保留策略失败：%v", cleanupErr)
-		} else {
-			for _, warning := range cleanupResult.Warnings {
-				logger.Warnf("保留策略警告：%s", warning)
+
+	// 并行上传到所有目标
+	uploadResults = make([]StorageUploadResultItem, len(targetIDs))
+	var wg sync.WaitGroup
+	for i, tid := range targetIDs {
+		wg.Add(1)
+		go func(index int, targetID uint) {
+			defer wg.Done()
+			target, findErr := s.targets.FindByID(ctx, targetID)
+			targetName := fmt.Sprintf("target-%d", targetID)
+			if findErr == nil && target != nil {
+				targetName = target.Name
 			}
+			provider, resolveErr := s.resolveProvider(ctx, targetID)
+			if resolveErr != nil {
+				uploadResults[index] = StorageUploadResultItem{StorageTargetID: targetID, StorageTargetName: targetName, Status: "failed", Error: resolveErr.Error()}
+				logger.Warnf("存储目标 %s 创建客户端失败：%v", targetName, resolveErr)
+				return
+			}
+			artifact, openErr := os.Open(finalPath)
+			if openErr != nil {
+				uploadResults[index] = StorageUploadResultItem{StorageTargetID: targetID, StorageTargetName: targetName, Status: "failed", Error: openErr.Error()}
+				logger.Warnf("存储目标 %s 打开备份文件失败：%v", targetName, openErr)
+				return
+			}
+			defer artifact.Close()
+			logger.Infof("开始上传备份到存储目标：%s", targetName)
+			if uploadErr := provider.Upload(ctx, storagePath, artifact, fileSize, map[string]string{"taskId": fmt.Sprintf("%d", task.ID), "recordId": fmt.Sprintf("%d", recordID)}); uploadErr != nil {
+				uploadResults[index] = StorageUploadResultItem{StorageTargetID: targetID, StorageTargetName: targetName, Status: "failed", Error: uploadErr.Error()}
+				logger.Warnf("存储目标 %s 上传失败：%v", targetName, uploadErr)
+				return
+			}
+			uploadResults[index] = StorageUploadResultItem{StorageTargetID: targetID, StorageTargetName: targetName, Status: "success", StoragePath: storagePath, FileSize: fileSize}
+			logger.Infof("存储目标 %s 上传成功", targetName)
+			// 每个成功目标独立执行保留策略
+			if s.retention != nil {
+				cleanupResult, cleanupErr := s.retention.Cleanup(ctx, task, provider)
+				if cleanupErr != nil {
+					logger.Warnf("存储目标 %s 执行保留策略失败：%v", targetName, cleanupErr)
+				} else {
+					for _, warning := range cleanupResult.Warnings {
+						logger.Warnf("存储目标 %s 保留策略警告：%s", targetName, warning)
+					}
+				}
+			}
+		}(i, tid)
+	}
+	wg.Wait()
+
+	// 汇总结果：任意一个 success → 整体 success
+	anySuccess := false
+	var failedMessages []string
+	for _, r := range uploadResults {
+		if r.Status == "success" {
+			anySuccess = true
+		} else if r.Error != "" {
+			failedMessages = append(failedMessages, fmt.Sprintf("%s: %s", r.StorageTargetName, r.Error))
 		}
 	}
-	status = "success"
-	logger.Infof("备份执行完成")
+	if anySuccess {
+		status = "success"
+		if len(failedMessages) > 0 {
+			logger.Warnf("部分存储目标上传失败：%s", strings.Join(failedMessages, "; "))
+		}
+		logger.Infof("备份执行完成")
+	} else {
+		errMessage = strings.Join(failedMessages, "; ")
+		logger.Errorf("所有存储目标上传均失败")
+	}
 }
 
 func (s *BackupExecutionService) finalizeRecord(ctx context.Context, task *model.BackupTask, recordID uint, startedAt time.Time, status string, errorMessage string, logContent string, fileName string, fileSize int64, storagePath string) error {
@@ -376,11 +462,18 @@ func (s *BackupExecutionService) buildTaskSpec(task *model.BackupTask, startedAt
 		}
 		password = string(plain)
 	}
+	sourcePaths := []string{}
+	if strings.TrimSpace(task.SourcePaths) != "" {
+		if err := json.Unmarshal([]byte(task.SourcePaths), &sourcePaths); err != nil {
+			return backup.TaskSpec{}, apperror.Internal("BACKUP_TASK_DECODE_FAILED", "无法解析源路径配置", err)
+		}
+	}
 	return backup.TaskSpec{
 		ID:                task.ID,
 		Name:              task.Name,
 		Type:              task.Type,
 		SourcePath:        task.SourcePath,
+		SourcePaths:       sourcePaths,
 		ExcludePatterns:   excludePatterns,
 		StorageTargetID:   task.StorageTargetID,
 		StorageTargetType: "",

server/internal/service/backup_record_service.go

@@ -2,6 +2,7 @@ package service
 
 import (
 	"context"
+	"encoding/json"
 	"strings"
 	"time"
 
@@ -38,8 +39,9 @@ type BackupRecordSummary struct {
 
 type BackupRecordDetail struct {
 	BackupRecordSummary
-	LogContent string            `json:"logContent"`
-	LogEvents  []backup.LogEvent `json:"logEvents,omitempty"`
+	LogContent           string                    `json:"logContent"`
+	LogEvents            []backup.LogEvent         `json:"logEvents,omitempty"`
+	StorageUploadResults []StorageUploadResultItem  `json:"storageUploadResults,omitempty"`
 }
 
 type BackupRecordService struct {
@@ -130,5 +132,12 @@ func toBackupRecordDetail(item *model.BackupRecord, logHub *backup.LogHub) *Back
 			detail.LogContent = strings.Join(lines, "\n")
 		}
 	}
+	// 解析多目标上传结果
+	if strings.TrimSpace(item.StorageUploadResults) != "" {
+		var uploadResults []StorageUploadResultItem
+		if err := json.Unmarshal([]byte(item.StorageUploadResults), &uploadResults); err == nil {
+			detail.StorageUploadResults = uploadResults
+		}
+	}
 	return detail
 }

server/internal/service/backup_task_service.go

@@ -17,23 +17,25 @@ import (
 const backupTaskMaskedValue = "********"
 
 type BackupTaskUpsertInput struct {
-	Name            string   `json:"name" binding:"required,min=1,max=100"`
-	Type            string   `json:"type" binding:"required,oneof=file mysql sqlite postgresql pgsql"`
-	Enabled         bool     `json:"enabled"`
-	CronExpr        string   `json:"cronExpr" binding:"max=64"`
-	SourcePath      string   `json:"sourcePath" binding:"max=500"`
-	ExcludePatterns []string `json:"excludePatterns"`
-	DBHost          string   `json:"dbHost" binding:"max=255"`
-	DBPort          int      `json:"dbPort"`
-	DBUser          string   `json:"dbUser" binding:"max=100"`
-	DBPassword      string   `json:"dbPassword" binding:"max=255"`
-	DBName          string   `json:"dbName" binding:"max=255"`
-	DBPath          string   `json:"dbPath" binding:"max=500"`
-	StorageTargetID uint     `json:"storageTargetId" binding:"required"`
-	RetentionDays   int      `json:"retentionDays"`
-	Compression     string   `json:"compression" binding:"omitempty,oneof=gzip none"`
-	Encrypt         bool     `json:"encrypt"`
-	MaxBackups      int      `json:"maxBackups"`
+	Name             string   `json:"name" binding:"required,min=1,max=100"`
+	Type             string   `json:"type" binding:"required,oneof=file mysql sqlite postgresql pgsql"`
+	Enabled          bool     `json:"enabled"`
+	CronExpr         string   `json:"cronExpr" binding:"max=64"`
+	SourcePath       string   `json:"sourcePath" binding:"max=500"`
+	SourcePaths      []string `json:"sourcePaths"`
+	ExcludePatterns  []string `json:"excludePatterns"`
+	DBHost           string   `json:"dbHost" binding:"max=255"`
+	DBPort           int      `json:"dbPort"`
+	DBUser           string   `json:"dbUser" binding:"max=100"`
+	DBPassword       string   `json:"dbPassword" binding:"max=255"`
+	DBName           string   `json:"dbName" binding:"max=255"`
+	DBPath           string   `json:"dbPath" binding:"max=500"`
+	StorageTargetID  uint     `json:"storageTargetId"`                       // deprecated: 向后兼容
+	StorageTargetIDs []uint   `json:"storageTargetIds"`                      // 新增：多存储目标
+	RetentionDays    int      `json:"retentionDays"`
+	Compression      string   `json:"compression" binding:"omitempty,oneof=gzip none"`
+	Encrypt          bool     `json:"encrypt"`
+	MaxBackups       int      `json:"maxBackups"`
 }
 
 type BackupTaskToggleInput struct {
@@ -41,25 +43,28 @@ type BackupTaskToggleInput struct {
 }
 
 type BackupTaskSummary struct {
-	ID                uint       `json:"id"`
-	Name              string     `json:"name"`
-	Type              string     `json:"type"`
-	Enabled           bool       `json:"enabled"`
-	CronExpr          string     `json:"cronExpr"`
-	StorageTargetID   uint       `json:"storageTargetId"`
-	StorageTargetName string     `json:"storageTargetName"`
-	RetentionDays     int        `json:"retentionDays"`
-	Compression       string     `json:"compression"`
-	Encrypt           bool       `json:"encrypt"`
-	MaxBackups        int        `json:"maxBackups"`
-	LastRunAt         *time.Time `json:"lastRunAt,omitempty"`
-	LastStatus        string     `json:"lastStatus"`
-	UpdatedAt         time.Time  `json:"updatedAt"`
+	ID                 uint       `json:"id"`
+	Name               string     `json:"name"`
+	Type               string     `json:"type"`
+	Enabled            bool       `json:"enabled"`
+	CronExpr           string     `json:"cronExpr"`
+	StorageTargetID    uint       `json:"storageTargetId"`              // deprecated: 取第一个
+	StorageTargetName  string     `json:"storageTargetName"`            // deprecated: 取第一个
+	StorageTargetIDs   []uint     `json:"storageTargetIds"`
+	StorageTargetNames []string   `json:"storageTargetNames"`
+	RetentionDays      int        `json:"retentionDays"`
+	Compression        string     `json:"compression"`
+	Encrypt            bool       `json:"encrypt"`
+	MaxBackups         int        `json:"maxBackups"`
+	LastRunAt          *time.Time `json:"lastRunAt,omitempty"`
+	LastStatus         string     `json:"lastStatus"`
+	UpdatedAt          time.Time  `json:"updatedAt"`
 }
 
 type BackupTaskDetail struct {
 	BackupTaskSummary
 	SourcePath      string    `json:"sourcePath"`
+	SourcePaths     []string  `json:"sourcePaths"`
 	ExcludePatterns []string  `json:"excludePatterns"`
 	DBHost          string    `json:"dbHost"`
 	DBPort          int       `json:"dbPort"`
@@ -227,19 +232,33 @@ func (s *BackupTaskService) Toggle(ctx context.Context, id uint, enabled bool) (
 	return &returnValue, nil
 }
 
+// resolveStorageTargetIDs 统一处理新旧字段，返回有效的存储目标 ID 列表
+func resolveStorageTargetIDs(input BackupTaskUpsertInput) []uint {
+	if len(input.StorageTargetIDs) > 0 {
+		return input.StorageTargetIDs
+	}
+	if input.StorageTargetID > 0 {
+		return []uint{input.StorageTargetID}
+	}
+	return nil
+}
+
 func (s *BackupTaskService) validateInput(ctx context.Context, existing *model.BackupTask, input BackupTaskUpsertInput) error {
 	if strings.TrimSpace(input.Name) == "" {
 		return apperror.BadRequest("BACKUP_TASK_INVALID", "任务名称不能为空", nil)
 	}
-	if input.StorageTargetID == 0 {
-		return apperror.BadRequest("BACKUP_TASK_INVALID", "请选择存储目标", nil)
+	targetIDs := resolveStorageTargetIDs(input)
+	if len(targetIDs) == 0 {
+		return apperror.BadRequest("BACKUP_TASK_INVALID", "请选择至少一个存储目标", nil)
 	}
-	target, err := s.targets.FindByID(ctx, input.StorageTargetID)
-	if err != nil {
-		return apperror.Internal("BACKUP_TASK_STORAGE_LOOKUP_FAILED", "无法检查存储目标", err)
-	}
-	if target == nil {
-		return apperror.BadRequest("BACKUP_STORAGE_TARGET_INVALID", "关联的存储目标不存在", nil)
+	for _, tid := range targetIDs {
+		target, err := s.targets.FindByID(ctx, tid)
+		if err != nil {
+			return apperror.Internal("BACKUP_TASK_STORAGE_LOOKUP_FAILED", "无法检查存储目标", err)
+		}
+		if target == nil {
+			return apperror.BadRequest("BACKUP_STORAGE_TARGET_INVALID", fmt.Sprintf("关联的存储目标 %d 不存在", tid), nil)
+		}
 	}
 	if input.RetentionDays < 0 {
 		return apperror.BadRequest("BACKUP_TASK_INVALID", "保留天数不能小于 0", nil)
@@ -260,7 +279,8 @@ func (s *BackupTaskService) validateInput(ctx context.Context, existing *model.B
 func validateTaskTypeSpecificFields(input BackupTaskUpsertInput, passwordRequired bool) error {
 	switch normalizeBackupTaskType(input.Type) {
 	case "file":
-		if strings.TrimSpace(input.SourcePath) == "" {
+		hasSourcePaths := len(resolveSourcePaths(input)) > 0
+		if !hasSourcePaths {
 			return apperror.BadRequest("BACKUP_TASK_INVALID", "文件备份必须填写源路径", nil)
 		}
 	case "mysql", "postgresql":
@@ -294,6 +314,10 @@ func (s *BackupTaskService) buildTask(existing *model.BackupTask, input BackupTa
 	if err != nil {
 		return nil, apperror.BadRequest("BACKUP_TASK_INVALID", "排除规则格式不合法", err)
 	}
+	sourcePathsJSON, err := encodeSourcePaths(resolveSourcePaths(input))
+	if err != nil {
+		return nil, apperror.BadRequest("BACKUP_TASK_INVALID", "源路径格式不合法", err)
+	}
 	passwordCiphertext := ""
 	if existing != nil {
 		passwordCiphertext = existing.DBPasswordCiphertext
@@ -313,12 +337,30 @@ func (s *BackupTaskService) buildTask(existing *model.BackupTask, input BackupTa
 	if maxBackups == 0 {
 		maxBackups = 10
 	}
+	targetIDs := resolveStorageTargetIDs(input)
+	// 保持旧字段兼容：取第一个
+	primaryTargetID := uint(0)
+	if len(targetIDs) > 0 {
+		primaryTargetID = targetIDs[0]
+	}
+	// 构建多对多关联
+	storageTargets := make([]model.StorageTarget, len(targetIDs))
+	for i, tid := range targetIDs {
+		storageTargets[i] = model.StorageTarget{ID: tid}
+	}
+	// 向后兼容：SourcePath 取第一个
+	resolvedPaths := resolveSourcePaths(input)
+	primarySourcePath := strings.TrimSpace(input.SourcePath)
+	if len(resolvedPaths) > 0 {
+		primarySourcePath = resolvedPaths[0]
+	}
 	item := &model.BackupTask{
 		Name:                 strings.TrimSpace(input.Name),
 		Type:                 normalizeBackupTaskType(input.Type),
 		Enabled:              input.Enabled,
 		CronExpr:             strings.TrimSpace(input.CronExpr),
-		SourcePath:           strings.TrimSpace(input.SourcePath),
+		SourcePath:           primarySourcePath,
+		SourcePaths:          sourcePathsJSON,
 		ExcludePatterns:      excludePatterns,
 		DBHost:               strings.TrimSpace(input.DBHost),
 		DBPort:               input.DBPort,
@@ -326,7 +368,8 @@ func (s *BackupTaskService) buildTask(existing *model.BackupTask, input BackupTa
 		DBPasswordCiphertext: passwordCiphertext,
 		DBName:               strings.TrimSpace(input.DBName),
 		DBPath:               strings.TrimSpace(input.DBPath),
-		StorageTargetID:      input.StorageTargetID,
+		StorageTargetID:      primaryTargetID,
+		StorageTargets:       storageTargets,
 		RetentionDays:        input.RetentionDays,
 		Compression:          compression,
 		Encrypt:              input.Encrypt,
@@ -346,9 +389,14 @@ func (s *BackupTaskService) toDetail(item *model.BackupTask) (*BackupTaskDetail,
 	if err != nil {
 		return nil, apperror.Internal("BACKUP_TASK_DECODE_FAILED", "无法解析备份任务配置", err)
 	}
+	sourcePaths, err := decodeSourcePaths(item.SourcePaths)
+	if err != nil {
+		return nil, apperror.Internal("BACKUP_TASK_DECODE_FAILED", "无法解析源路径配置", err)
+	}
 	detail := &BackupTaskDetail{
 		BackupTaskSummary: toBackupTaskSummary(item),
 		SourcePath:        item.SourcePath,
+		SourcePaths:       sourcePaths,
 		ExcludePatterns:   excludePatterns,
 		DBHost:            item.DBHost,
 		DBPort:            item.DBPort,
@@ -364,25 +412,45 @@ func (s *BackupTaskService) toDetail(item *model.BackupTask) (*BackupTaskDetail,
 }
 
 func toBackupTaskSummary(item *model.BackupTask) BackupTaskSummary {
-	storageTargetName := ""
-	if item != nil {
-		storageTargetName = item.StorageTarget.Name
+	// 从多对多关联提取 IDs 和 Names
+	var targetIDs []uint
+	var targetNames []string
+	if len(item.StorageTargets) > 0 {
+		for _, t := range item.StorageTargets {
+			targetIDs = append(targetIDs, t.ID)
+			targetNames = append(targetNames, t.Name)
+		}
+	} else if item.StorageTargetID > 0 {
+		// 回退到旧字段
+		targetIDs = []uint{item.StorageTargetID}
+		targetNames = []string{item.StorageTarget.Name}
+	}
+	// 向后兼容：取第一个
+	primaryID := uint(0)
+	primaryName := ""
+	if len(targetIDs) > 0 {
+		primaryID = targetIDs[0]
+	}
+	if len(targetNames) > 0 {
+		primaryName = targetNames[0]
 	}
 	return BackupTaskSummary{
-		ID:                item.ID,
-		Name:              item.Name,
-		Type:              normalizeBackupTaskType(item.Type),
-		Enabled:           item.Enabled,
-		CronExpr:          item.CronExpr,
-		StorageTargetID:   item.StorageTargetID,
-		StorageTargetName: storageTargetName,
-		RetentionDays:     item.RetentionDays,
-		Compression:       item.Compression,
-		Encrypt:           item.Encrypt,
-		MaxBackups:        item.MaxBackups,
-		LastRunAt:         item.LastRunAt,
-		LastStatus:        item.LastStatus,
-		UpdatedAt:         item.UpdatedAt,
+		ID:                 item.ID,
+		Name:               item.Name,
+		Type:               normalizeBackupTaskType(item.Type),
+		Enabled:            item.Enabled,
+		CronExpr:           item.CronExpr,
+		StorageTargetID:    primaryID,
+		StorageTargetName:  primaryName,
+		StorageTargetIDs:   targetIDs,
+		StorageTargetNames: targetNames,
+		RetentionDays:      item.RetentionDays,
+		Compression:        item.Compression,
+		Encrypt:            item.Encrypt,
+		MaxBackups:         item.MaxBackups,
+		LastRunAt:          item.LastRunAt,
+		LastStatus:         item.LastStatus,
+		UpdatedAt:          item.UpdatedAt,
 	}
 }
 
@@ -408,6 +476,47 @@ func decodeExcludePatterns(value string) ([]string, error) {
 	return items, nil
 }
 
+// resolveSourcePaths 统一处理 sourcePaths / sourcePath，返回有效路径列表
+func resolveSourcePaths(input BackupTaskUpsertInput) []string {
+	if len(input.SourcePaths) > 0 {
+		var cleaned []string
+		for _, p := range input.SourcePaths {
+			if trimmed := strings.TrimSpace(p); trimmed != "" {
+				cleaned = append(cleaned, trimmed)
+			}
+		}
+		if len(cleaned) > 0 {
+			return cleaned
+		}
+	}
+	if sp := strings.TrimSpace(input.SourcePath); sp != "" {
+		return []string{sp}
+	}
+	return nil
+}
+
+func encodeSourcePaths(paths []string) (string, error) {
+	if len(paths) == 0 {
+		return "[]", nil
+	}
+	encoded, err := json.Marshal(paths)
+	if err != nil {
+		return "", err
+	}
+	return string(encoded), nil
+}
+
+func decodeSourcePaths(value string) ([]string, error) {
+	if strings.TrimSpace(value) == "" || strings.TrimSpace(value) == "[]" {
+		return []string{}, nil
+	}
+	var items []string
+	if err := json.Unmarshal([]byte(value), &items); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
+
 func normalizeBackupTaskType(value string) string {
 	normalized := strings.TrimSpace(strings.ToLower(value))
 	if normalized == "pgsql" {

server/internal/service/database_discovery_service.go

@@ -0,0 +1,141 @@
+package service
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"strings"
+	"time"
+
+	"backupx/server/internal/apperror"
+	"backupx/server/internal/backup"
+)
+
+type DatabaseDiscoverInput struct {
+	Type     string `json:"type" binding:"required,oneof=mysql postgresql"`
+	Host     string `json:"host" binding:"required"`
+	Port     int    `json:"port" binding:"required,min=1"`
+	User     string `json:"user" binding:"required"`
+	Password string `json:"password" binding:"required"`
+}
+
+type DatabaseDiscoverResult struct {
+	Databases []string `json:"databases"`
+}
+
+type DatabaseDiscoveryService struct {
+	executor backup.CommandExecutor
+}
+
+func NewDatabaseDiscoveryService(executor backup.CommandExecutor) *DatabaseDiscoveryService {
+	return &DatabaseDiscoveryService{executor: executor}
+}
+
+func (s *DatabaseDiscoveryService) Discover(ctx context.Context, input DatabaseDiscoverInput) (*DatabaseDiscoverResult, error) {
+	switch strings.TrimSpace(strings.ToLower(input.Type)) {
+	case "mysql":
+		return s.discoverMySQL(ctx, input)
+	case "postgresql":
+		return s.discoverPostgreSQL(ctx, input)
+	default:
+		return nil, apperror.BadRequest("DATABASE_DISCOVER_INVALID_TYPE", "不支持的数据库类型", nil)
+	}
+}
+
+func (s *DatabaseDiscoveryService) discoverMySQL(ctx context.Context, input DatabaseDiscoverInput) (*DatabaseDiscoverResult, error) {
+	mysqlPath, err := s.executor.LookPath("mysql")
+	if err != nil {
+		return nil, apperror.BadRequest("DATABASE_DISCOVER_MYSQL_NOT_FOUND", "系统未安装 mysql 客户端", err)
+	}
+
+	timeout, cancel := context.WithTimeout(ctx, 5*time.Second)
+	defer cancel()
+
+	var stdout, stderr bytes.Buffer
+	args := []string{
+		fmt.Sprintf("--host=%s", input.Host),
+		fmt.Sprintf("--port=%d", input.Port),
+		fmt.Sprintf("--user=%s", input.User),
+		"-e", "SHOW DATABASES",
+		"--skip-column-names",
+	}
+	env := []string{fmt.Sprintf("MYSQL_PWD=%s", input.Password)}
+
+	if err := s.executor.Run(timeout, mysqlPath, args, backup.CommandOptions{
+		Stdout: &stdout,
+		Stderr: &stderr,
+		Env:    env,
+	}); err != nil {
+		errMsg := strings.TrimSpace(stderr.String())
+		if errMsg == "" {
+			errMsg = err.Error()
+		}
+		return nil, apperror.BadRequest("DATABASE_DISCOVER_MYSQL_FAILED", fmt.Sprintf("连接 MySQL 失败：%s", sanitizeMessage(errMsg)), err)
+	}
+
+	systemDBs := map[string]bool{
+		"information_schema": true,
+		"performance_schema": true,
+		"mysql":              true,
+		"sys":                true,
+	}
+
+	var databases []string
+	for _, line := range strings.Split(stdout.String(), "\n") {
+		db := strings.TrimSpace(line)
+		if db == "" || systemDBs[db] {
+			continue
+		}
+		databases = append(databases, db)
+	}
+
+	return &DatabaseDiscoverResult{Databases: databases}, nil
+}
+
+func (s *DatabaseDiscoveryService) discoverPostgreSQL(ctx context.Context, input DatabaseDiscoverInput) (*DatabaseDiscoverResult, error) {
+	psqlPath, err := s.executor.LookPath("psql")
+	if err != nil {
+		return nil, apperror.BadRequest("DATABASE_DISCOVER_PSQL_NOT_FOUND", "系统未安装 psql 客户端", err)
+	}
+
+	timeout, cancel := context.WithTimeout(ctx, 5*time.Second)
+	defer cancel()
+
+	var stdout, stderr bytes.Buffer
+	args := []string{
+		"-h", input.Host,
+		"-p", fmt.Sprintf("%d", input.Port),
+		"-U", input.User,
+		"-d", "postgres",
+		"-t", "-A",
+		"-c", "SELECT datname FROM pg_database WHERE datistemplate = false ORDER BY datname",
+	}
+	env := []string{fmt.Sprintf("PGPASSWORD=%s", input.Password)}
+
+	if err := s.executor.Run(timeout, psqlPath, args, backup.CommandOptions{
+		Stdout: &stdout,
+		Stderr: &stderr,
+		Env:    env,
+	}); err != nil {
+		errMsg := strings.TrimSpace(stderr.String())
+		if errMsg == "" {
+			errMsg = err.Error()
+		}
+		return nil, apperror.BadRequest("DATABASE_DISCOVER_PSQL_FAILED", fmt.Sprintf("连接 PostgreSQL 失败：%s", sanitizeMessage(errMsg)), err)
+	}
+
+	skipDBs := map[string]bool{
+		"postgres": true,
+	}
+
+	var databases []string
+	for _, line := range strings.Split(stdout.String(), "\n") {
+		db := strings.TrimSpace(line)
+		if db == "" || skipDBs[db] || strings.HasPrefix(db, "template") {
+			continue
+		}
+		databases = append(databases, db)
+	}
+
+	return &DatabaseDiscoverResult{Databases: databases}, nil
+}

server/internal/service/storage_target_service.go

@@ -53,6 +53,7 @@ type StorageTargetSummary struct {
 	Type            string     `json:"type"`
 	Description     string     `json:"description"`
 	Enabled         bool       `json:"enabled"`
+	Starred         bool       `json:"starred"`
 	ConfigVersion   int        `json:"configVersion"`
 	LastTestedAt    *time.Time `json:"lastTestedAt"`
 	LastTestStatus  string     `json:"lastTestStatus"`
@@ -209,6 +210,22 @@ func (s *StorageTargetService) Delete(ctx context.Context, id uint) error {
 	return nil
 }
 
+func (s *StorageTargetService) ToggleStar(ctx context.Context, id uint) (*StorageTargetSummary, error) {
+	item, err := s.targets.FindByID(ctx, id)
+	if err != nil {
+		return nil, apperror.Internal("STORAGE_TARGET_GET_FAILED", "无法获取存储目标详情", err)
+	}
+	if item == nil {
+		return nil, apperror.New(http.StatusNotFound, "STORAGE_TARGET_NOT_FOUND", "存储目标不存在", fmt.Errorf("storage target %d not found", id))
+	}
+	item.Starred = !item.Starred
+	if err := s.targets.Update(ctx, item); err != nil {
+		return nil, apperror.Internal("STORAGE_TARGET_UPDATE_FAILED", "无法更新存储目标收藏状态", err)
+	}
+	summary := toStorageTargetSummary(item)
+	return &summary, nil
+}
+
 func (s *StorageTargetService) TestConnection(ctx context.Context, input StorageTargetTestInput) error {
 	item, err := s.buildStorageTargetForTest(ctx, input)
 	if err != nil {
@@ -493,6 +510,7 @@ func toStorageTargetSummary(item *model.StorageTarget) StorageTargetSummary {
 		Type:            item.Type,
 		Description:     item.Description,
 		Enabled:         item.Enabled,
+		Starred:         item.Starred,
 		ConfigVersion:   item.ConfigVersion,
 		LastTestedAt:    item.LastTestedAt,
 		LastTestStatus:  item.LastTestStatus,