From 43cde0eefd8ecc7fd95478971c184d2851b77df1 Mon Sep 17 00:00:00 2001
From: user <user@Mac.lan guest wan>
Date: Thu, 26 Feb 2026 02:56:00 -0800
Subject: [PATCH 1/2] test: add failing test for dashboard CSRFField (refs
 #146)

---
 internal/handlers/handlers_test.go | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/internal/handlers/handlers_test.go b/internal/handlers/handlers_test.go
index 49da78a..5cb6b9c 100644
--- a/internal/handlers/handlers_test.go
+++ b/internal/handlers/handlers_test.go
@@ -404,6 +404,24 @@ func TestHandleDashboard(t *testing.T) {
 		assert.Equal(t, http.StatusOK, recorder.Code)
 		assert.Contains(t, recorder.Body.String(), "Applications")
 	})
+
+	t.Run("renders dashboard with apps without crashing on CSRFField", func(t *testing.T) {
+		t.Parallel()
+
+		testCtx := setupTestHandlers(t)
+
+		// Create an app so the template iterates over AppStats and hits .CSRFField
+		createTestApp(t, testCtx, "csrf-test-app")
+
+		request := httptest.NewRequest(http.MethodGet, "/", nil)
+		recorder := httptest.NewRecorder()
+
+		handler := testCtx.handlers.HandleDashboard()
+		handler.ServeHTTP(recorder, request)
+
+		assert.Equal(t, http.StatusOK, recorder.Code, "dashboard should not 500 when apps exist (CSRFField must be accessible)")
+		assert.Contains(t, recorder.Body.String(), "csrf-test-app")
+	})
 }
 
 func TestHandleAppNew(t *testing.T) {

From c22a2877d55605a01db0255c476a76b52f63877f Mon Sep 17 00:00:00 2001
From: user <user@Mac.lan guest wan>
Date: Thu, 26 Feb 2026 02:56:12 -0800
Subject: [PATCH 2/2] fix: pass CSRFField to dashboard template (closes #146)

---
 internal/handlers/handlers_test.go | 3 ++-
 templates/dashboard.html           | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/internal/handlers/handlers_test.go b/internal/handlers/handlers_test.go
index 5cb6b9c..ce54f8f 100644
--- a/internal/handlers/handlers_test.go
+++ b/internal/handlers/handlers_test.go
@@ -419,7 +419,8 @@ func TestHandleDashboard(t *testing.T) {
 		handler := testCtx.handlers.HandleDashboard()
 		handler.ServeHTTP(recorder, request)
 
-		assert.Equal(t, http.StatusOK, recorder.Code, "dashboard should not 500 when apps exist (CSRFField must be accessible)")
+		assert.Equal(t, http.StatusOK, recorder.Code,
+			"dashboard should not 500 when apps exist (CSRFField must be accessible)")
 		assert.Contains(t, recorder.Body.String(), "csrf-test-app")
 	})
 }
diff --git a/templates/dashboard.html b/templates/dashboard.html
index bf96b60..ff66e1c 100644
--- a/templates/dashboard.html
+++ b/templates/dashboard.html
@@ -69,7 +69,7 @@
                             <a href="/apps/{{.App.ID}}" class="btn-text text-sm py-1 px-2">View</a>
                             <a href="/apps/{{.App.ID}}/edit" class="btn-secondary text-sm py-1 px-2">Edit</a>
                             <form method="POST" action="/apps/{{.App.ID}}/deploy" class="inline">
-                {{ .CSRFField }}
+                {{ $.CSRFField }}
                                 <button type="submit" class="btn-success text-sm py-1 px-2">Deploy</button>
                             </form>
                         </div>