fix: resolve lint issues for make check compliance

fix: increase API token entropy from 128 to 256 bits
Change token random bytes from 16 to 32, producing tokens with upaas_ prefix + 64 hex characters instead of 32.
2026-02-19 23:43:41 -08:00 · 2026-02-19 23:43:22 -08:00 · 2026-02-19 23:43:22 -08:00 · 2026-02-19 23:43:22 -08:00
75 changed files with 2090 additions and 4501 deletions
--- a/.gitea/workflows/check.yml
+++ b/.gitea/workflows/check.yml
@@ -1,16 +0,0 @@
-name: Check
-
-on:
-  push:
-    branches: [main]
-  pull_request:
-    branches: [main]
-
-jobs:
-  check:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4, 2024-10-13
-
-      - name: Build (runs make check inside Dockerfile)
-        run: docker build .
--- a/33
+++ b/33
@@ -1,37 +1,26 @@
-# Lint stage — fast feedback on formatting and lint issues
-# golangci/golangci-lint:v2.10.1
-FROM golangci/golangci-lint@sha256:ea84d14c2fef724411be7dc45e09e6ef721d748315252b02df19a7e3113ee763 AS lint
-
-WORKDIR /src
-COPY go.mod go.sum ./
-RUN go mod download
-
-COPY . .
-
-RUN make fmt-check
-RUN make lint
-
-# Build stage — tests and compilation
-# golang:1.25-alpine
-FROM golang@sha256:f6751d823c26342f9506c03797d2527668d095b0a15f1862cddb4d927a7a4ced AS builder
-
-# Force BuildKit to run the lint stage by creating a stage dependency
-COPY --from=lint /src/go.sum /dev/null
+# Build stage
+FROM golang:1.25-alpine AS builder

 RUN apk add --no-cache git make gcc musl-dev

+# Install golangci-lint v2
+RUN go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@latest
+RUN go install golang.org/x/tools/cmd/goimports@latest
+
 WORKDIR /src
 COPY go.mod go.sum ./
 RUN go mod download

 COPY . .

-RUN make test
+# Run all checks - build fails if any check fails
+RUN make check
+
+# Build the binary
 RUN make build

 # Runtime stage
-# alpine:3.19
-FROM alpine@sha256:6baf43584bcb78f2e5847d1de515f23499913ac9f12bdf834811a3145eb11ca1
+FROM alpine:3.19

 RUN apk add --no-cache ca-certificates tzdata git openssh-client docker-cli

--- a/15
+++ b/15
@@ -1,4 +1,4 @@
-.PHONY: all build lint fmt fmt-check test check clean
+.PHONY: all build lint fmt test check clean

 BINARY := upaasd
 VERSION := $(shell git describe --tags --always --dirty 2>/dev/null || echo "dev")
@@ -18,15 +18,20 @@ fmt:
 	goimports -w .
 	npx prettier --write --tab-width 4 static/js/*.js

-fmt-check:
-	@test -z "$$(gofmt -l .)" || (echo "Files not formatted:" && gofmt -l . && exit 1)
-
 test:
 	go test -v -race -cover ./...

 # Check runs all validation without making changes
 # Used by CI and Docker build - fails if anything is wrong
-check: fmt-check lint test
+check:
+	@echo "==> Checking formatting..."
+	@test -z "$$(gofmt -l .)" || (echo "Files not formatted:" && gofmt -l . && exit 1)
+	@echo "==> Running linter..."
+	golangci-lint run --config .golangci.yml ./...
+	@echo "==> Running tests..."
+	go test -v -race ./...
+	@echo "==> Building..."
+	go build -ldflags "$(LDFLAGS)" -o /dev/null ./cmd/upaasd
 	@echo "==> All checks passed!"

 clean:
--- a/README.md
+++ b/README.md
@@ -157,8 +157,8 @@ Environment variables:
 | Variable | Description | Default |
 |----------|-------------|---------|
 | `PORT` | HTTP listen port | 8080 |
-| `UPAAS_DATA_DIR` | Data directory for SQLite and keys | `./data` (local dev only — use absolute path for Docker) |
-| `UPAAS_HOST_DATA_DIR` | Host path for DATA_DIR (when running in container) | *(none — must be set to an absolute path)* |
+| `UPAAS_DATA_DIR` | Data directory for SQLite and keys | ./data |
+| `UPAAS_HOST_DATA_DIR` | Host path for DATA_DIR (when running in container) | same as DATA_DIR |
 | `UPAAS_DOCKER_HOST` | Docker socket path | unix:///var/run/docker.sock |
 | `DEBUG` | Enable debug logging | false |
 | `SENTRY_DSN` | Sentry error reporting DSN | "" |
@@ -176,35 +176,8 @@ docker run -d \
  upaas
 ```

-### Docker Compose
-
-```yaml
-services:
-  upaas:
-    build: .
-    restart: unless-stopped
-    ports:
-      - "8080:8080"
-    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock
-      - ${HOST_DATA_DIR}:/var/lib/upaas
-    environment:
-      - UPAAS_HOST_DATA_DIR=${HOST_DATA_DIR}
-      # Optional: uncomment to enable debug logging
-      # - DEBUG=true
-      # Optional: Sentry error reporting
-      # - SENTRY_DSN=https://...
-      # Optional: Prometheus metrics auth
-      # - METRICS_USERNAME=prometheus
-      # - METRICS_PASSWORD=secret
-```
-
-**Important**: You **must** set `HOST_DATA_DIR` to an **absolute path** on the host before running
-`docker compose up`. This value is bind-mounted into the container and passed as `UPAAS_HOST_DATA_DIR`
-so that Docker bind mounts during builds resolve correctly. Relative paths (e.g. `./data`) will break
-container builds because the Docker daemon resolves paths relative to the host, not the container.
-
-Example: `HOST_DATA_DIR=/srv/upaas/data docker compose up -d`
+**Important**: When running µPaaS inside a container, set `UPAAS_HOST_DATA_DIR` to the host path
+that maps to `UPAAS_DATA_DIR`. This is required for Docker bind mounts during builds to work correctly.

 Session secrets are automatically generated on first startup and persisted to `$UPAAS_DATA_DIR/session.key`.

--- a/cmd/upaasd/main.go
+++ b/cmd/upaasd/main.go
@@ -4,20 +4,20 @@ package main
 import (
 	"go.uber.org/fx"

-	"sneak.berlin/go/upaas/internal/config"
-	"sneak.berlin/go/upaas/internal/database"
-	"sneak.berlin/go/upaas/internal/docker"
-	"sneak.berlin/go/upaas/internal/globals"
-	"sneak.berlin/go/upaas/internal/handlers"
-	"sneak.berlin/go/upaas/internal/healthcheck"
-	"sneak.berlin/go/upaas/internal/logger"
-	"sneak.berlin/go/upaas/internal/middleware"
-	"sneak.berlin/go/upaas/internal/server"
-	"sneak.berlin/go/upaas/internal/service/app"
-	"sneak.berlin/go/upaas/internal/service/auth"
-	"sneak.berlin/go/upaas/internal/service/deploy"
-	"sneak.berlin/go/upaas/internal/service/notify"
-	"sneak.berlin/go/upaas/internal/service/webhook"
+	"git.eeqj.de/sneak/upaas/internal/config"
+	"git.eeqj.de/sneak/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/docker"
+	"git.eeqj.de/sneak/upaas/internal/globals"
+	"git.eeqj.de/sneak/upaas/internal/handlers"
+	"git.eeqj.de/sneak/upaas/internal/healthcheck"
+	"git.eeqj.de/sneak/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/middleware"
+	"git.eeqj.de/sneak/upaas/internal/server"
+	"git.eeqj.de/sneak/upaas/internal/service/app"
+	"git.eeqj.de/sneak/upaas/internal/service/auth"
+	"git.eeqj.de/sneak/upaas/internal/service/deploy"
+	"git.eeqj.de/sneak/upaas/internal/service/notify"
+	"git.eeqj.de/sneak/upaas/internal/service/webhook"

 	_ "github.com/joho/godotenv/autoload"
 )
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -0,0 +1,20 @@
+services:
+  upaas:
+    build: .
+    restart: unless-stopped
+    ports:
+      - "8080:8080"
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - upaas-data:/var/lib/upaas
+    # environment:
+      # Optional: uncomment to enable debug logging
+      # - DEBUG=true
+      # Optional: Sentry error reporting
+      # - SENTRY_DSN=https://...
+      # Optional: Prometheus metrics auth
+      # - METRICS_USERNAME=prometheus
+      # - METRICS_PASSWORD=secret
+
+volumes:
+  upaas-data:
--- a/go.mod
+++ b/go.mod
@@ -1,4 +1,4 @@
-module sneak.berlin/go/upaas
+module git.eeqj.de/sneak/upaas

 go 1.25

@@ -19,7 +19,6 @@ require (
 	github.com/stretchr/testify v1.11.1
 	go.uber.org/fx v1.24.0
 	golang.org/x/crypto v0.46.0
-	golang.org/x/time v0.12.0
 )

 require (
@@ -75,6 +74,7 @@ require (
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
 	golang.org/x/sys v0.39.0 // indirect
 	golang.org/x/text v0.32.0 // indirect
+	golang.org/x/time v0.12.0 // indirect
 	google.golang.org/protobuf v1.36.10 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	gotest.tools/v3 v3.5.2 // indirect
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -13,8 +13,8 @@ import (
 	"github.com/spf13/viper"
 	"go.uber.org/fx"

-	"sneak.berlin/go/upaas/internal/globals"
-	"sneak.berlin/go/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/globals"
+	"git.eeqj.de/sneak/upaas/internal/logger"
 )

 // defaultPort is the default HTTP server port.
@@ -51,7 +51,7 @@ type Config struct {
 	MaintenanceMode bool
 	MetricsUsername string
 	MetricsPassword string
-	SessionSecret   string `json:"-"`
+	SessionSecret   string //nolint:gosec // not a hardcoded credential, loaded from env/file
 	CORSOrigins     string
 	params          *Params
 	log             *slog.Logger
--- a/internal/database/database.go
+++ b/internal/database/database.go
@@ -14,8 +14,8 @@ import (
 	_ "github.com/mattn/go-sqlite3" // SQLite driver
 	"go.uber.org/fx"

-	"sneak.berlin/go/upaas/internal/config"
-	"sneak.berlin/go/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/config"
+	"git.eeqj.de/sneak/upaas/internal/logger"
 )

 // dataDirPermissions is the file permission for the data directory.
@@ -176,6 +176,13 @@ func HashWebhookSecret(secret string) string {
 	return hex.EncodeToString(sum[:])
 }

+// HashAPIToken returns the hex-encoded SHA-256 hash of an API token.
+func HashAPIToken(token string) string {
+	sum := sha256.Sum256([]byte(token))
+
+	return hex.EncodeToString(sum[:])
+}
+
 func (d *Database) backfillWebhookSecretHashes(ctx context.Context) error {
 	rows, err := d.database.QueryContext(ctx,
 		"SELECT id, webhook_secret FROM apps WHERE webhook_secret_hash = '' AND webhook_secret != ''")
--- a/internal/database/hash_test.go
+++ b/internal/database/hash_test.go
@@ -5,7 +5,7 @@ import (

 	"github.com/stretchr/testify/assert"

-	"sneak.berlin/go/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/database"
 )

 func TestHashWebhookSecret(t *testing.T) {
--- a/internal/database/migrations.go
+++ b/internal/database/migrations.go
@@ -113,9 +113,9 @@ func (d *Database) applyMigration(ctx context.Context, filename string) error {
 		return fmt.Errorf("failed to record migration: %w", err)
 	}

-	err = transaction.Commit()
-	if err != nil {
-		return fmt.Errorf("failed to commit migration: %w", err)
+	commitErr := transaction.Commit()
+	if commitErr != nil {
+		return fmt.Errorf("failed to commit migration: %w", commitErr)
 	}

 	return nil
--- a/internal/database/migrations/007_add_api_tokens.sql
+++ b/internal/database/migrations/007_add_api_tokens.sql
@@ -0,0 +1,12 @@
+CREATE TABLE IF NOT EXISTS api_tokens (
+    id TEXT PRIMARY KEY,
+    user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+    name TEXT NOT NULL,
+    token_hash TEXT NOT NULL,
+    created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
+    expires_at DATETIME,
+    last_used_at DATETIME
+);
+
+CREATE INDEX idx_api_tokens_user_id ON api_tokens(user_id);
+CREATE INDEX idx_api_tokens_token_hash ON api_tokens(token_hash);
--- a/internal/database/testing.go
+++ b/internal/database/testing.go
@@ -1,41 +0,0 @@
-package database
-
-import (
-	"log/slog"
-	"os"
-	"testing"
-
-	"sneak.berlin/go/upaas/internal/config"
-	"sneak.berlin/go/upaas/internal/logger"
-)
-
-// NewTestDatabase creates an in-memory Database for testing.
-// It runs migrations so all tables are available.
-func NewTestDatabase(t *testing.T) *Database {
-	t.Helper()
-
-	tmpDir := t.TempDir()
-
-	cfg := &config.Config{
-		DataDir: tmpDir,
-	}
-
-	log := slog.New(slog.NewTextHandler(os.Stderr, nil))
-	logWrapper := logger.NewForTest(log)
-
-	db, err := New(nil, Params{
-		Logger: logWrapper,
-		Config: cfg,
-	})
-	if err != nil {
-		t.Fatalf("failed to create test database: %v", err)
-	}
-
-	t.Cleanup(func() {
-		if db.database != nil {
-			_ = db.database.Close()
-		}
-	})
-
-	return db
-}
--- a/internal/docker/client.go
+++ b/internal/docker/client.go
@@ -14,7 +14,7 @@ import (
 	"strconv"
 	"strings"

-	dockertypes "github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/filters"
 	"github.com/docker/docker/api/types/image"
@@ -25,9 +25,8 @@ import (
 	"github.com/docker/go-connections/nat"
 	"go.uber.org/fx"

-	"sneak.berlin/go/upaas/internal/config"
-
-	"sneak.berlin/go/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/config"
+	"git.eeqj.de/sneak/upaas/internal/logger"
 )

 // sshKeyPermissions is the file permission for SSH private keys.
@@ -117,7 +116,7 @@ type BuildImageOptions struct {
 func (c *Client) BuildImage(
 	ctx context.Context,
 	opts BuildImageOptions,
-) (ImageID, error) {
+) (string, error) {
 	if c.docker == nil {
 		return "", ErrNotConnected
 	}
@@ -189,7 +188,7 @@ func buildPortConfig(ports []PortMapping) (nat.PortSet, nat.PortMap) {
 func (c *Client) CreateContainer(
 	ctx context.Context,
 	opts CreateContainerOptions,
-) (ContainerID, error) {
+) (string, error) {
 	if c.docker == nil {
 		return "", ErrNotConnected
 	}
@@ -242,18 +241,18 @@ func (c *Client) CreateContainer(
 		return "", fmt.Errorf("failed to create container: %w", err)
 	}

-	return ContainerID(resp.ID), nil
+	return resp.ID, nil
 }

 // StartContainer starts a container.
-func (c *Client) StartContainer(ctx context.Context, containerID ContainerID) error {
+func (c *Client) StartContainer(ctx context.Context, containerID string) error {
 	if c.docker == nil {
 		return ErrNotConnected
 	}

 	c.log.Info("starting container", "id", containerID)

-	err := c.docker.ContainerStart(ctx, containerID.String(), container.StartOptions{})
+	err := c.docker.ContainerStart(ctx, containerID, container.StartOptions{})
 	if err != nil {
 		return fmt.Errorf("failed to start container: %w", err)
 	}
@@ -262,7 +261,7 @@ func (c *Client) StartContainer(ctx context.Context, containerID ContainerID) er
 }

 // StopContainer stops a container.
-func (c *Client) StopContainer(ctx context.Context, containerID ContainerID) error {
+func (c *Client) StopContainer(ctx context.Context, containerID string) error {
 	if c.docker == nil {
 		return ErrNotConnected
 	}
@@ -271,7 +270,7 @@ func (c *Client) StopContainer(ctx context.Context, containerID ContainerID) err

 	timeout := stopTimeoutSeconds

-	err := c.docker.ContainerStop(ctx, containerID.String(), container.StopOptions{Timeout: &timeout})
+	err := c.docker.ContainerStop(ctx, containerID, container.StopOptions{Timeout: &timeout})
 	if err != nil {
 		return fmt.Errorf("failed to stop container: %w", err)
 	}
@@ -282,7 +281,7 @@ func (c *Client) StopContainer(ctx context.Context, containerID ContainerID) err
 // RemoveContainer removes a container.
 func (c *Client) RemoveContainer(
 	ctx context.Context,
-	containerID ContainerID,
+	containerID string,
 	force bool,
 ) error {
 	if c.docker == nil {
@@ -291,7 +290,7 @@ func (c *Client) RemoveContainer(

 	c.log.Info("removing container", "id", containerID, "force", force)

-	err := c.docker.ContainerRemove(ctx, containerID.String(), container.RemoveOptions{Force: force})
+	err := c.docker.ContainerRemove(ctx, containerID, container.RemoveOptions{Force: force})
 	if err != nil {
 		return fmt.Errorf("failed to remove container: %w", err)
 	}
@@ -302,7 +301,7 @@ func (c *Client) RemoveContainer(
 // ContainerLogs returns the logs for a container.
 func (c *Client) ContainerLogs(
 	ctx context.Context,
-	containerID ContainerID,
+	containerID string,
 	tail string,
 ) (string, error) {
 	if c.docker == nil {
@@ -315,7 +314,7 @@ func (c *Client) ContainerLogs(
 		Tail:       tail,
 	}

-	reader, err := c.docker.ContainerLogs(ctx, containerID.String(), opts)
+	reader, err := c.docker.ContainerLogs(ctx, containerID, opts)
 	if err != nil {
 		return "", fmt.Errorf("failed to get container logs: %w", err)
 	}
@@ -338,13 +337,13 @@ func (c *Client) ContainerLogs(
 // IsContainerRunning checks if a container is running.
 func (c *Client) IsContainerRunning(
 	ctx context.Context,
-	containerID ContainerID,
+	containerID string,
 ) (bool, error) {
 	if c.docker == nil {
 		return false, ErrNotConnected
 	}

-	inspect, err := c.docker.ContainerInspect(ctx, containerID.String())
+	inspect, err := c.docker.ContainerInspect(ctx, containerID)
 	if err != nil {
 		return false, fmt.Errorf("failed to inspect container: %w", err)
 	}
@@ -355,13 +354,13 @@ func (c *Client) IsContainerRunning(
 // IsContainerHealthy checks if a container is healthy.
 func (c *Client) IsContainerHealthy(
 	ctx context.Context,
-	containerID ContainerID,
+	containerID string,
 ) (bool, error) {
 	if c.docker == nil {
 		return false, ErrNotConnected
 	}

-	inspect, err := c.docker.ContainerInspect(ctx, containerID.String())
+	inspect, err := c.docker.ContainerInspect(ctx, containerID)
 	if err != nil {
 		return false, fmt.Errorf("failed to inspect container: %w", err)
 	}
@@ -379,7 +378,7 @@ const LabelUpaasID = "upaas.id"

 // ContainerInfo contains basic information about a container.
 type ContainerInfo struct {
-	ID      ContainerID
+	ID      string
 	Running bool
 }

@@ -414,7 +413,7 @@ func (c *Client) FindContainerByAppID(
 	ctr := containers[0]

 	return &ContainerInfo{
-		ID:      ContainerID(ctr.ID),
+		ID:      ctr.ID,
 		Running: ctr.State == "running",
 	}, nil
 }
@@ -483,8 +482,8 @@ func (c *Client) CloneRepo(

 // RemoveImage removes a Docker image by ID or tag.
 // It returns nil if the image was successfully removed or does not exist.
-func (c *Client) RemoveImage(ctx context.Context, imageID ImageID) error {
-	_, err := c.docker.ImageRemove(ctx, imageID.String(), image.RemoveOptions{
+func (c *Client) RemoveImage(ctx context.Context, imageID string) error {
+	_, err := c.docker.ImageRemove(ctx, imageID, image.RemoveOptions{
 		Force:         true,
 		PruneChildren: true,
 	})
@@ -498,7 +497,7 @@ func (c *Client) RemoveImage(ctx context.Context, imageID ImageID) error {
 func (c *Client) performBuild(
 	ctx context.Context,
 	opts BuildImageOptions,
-) (ImageID, error) {
+) (string, error) {
 	// Create tar archive of build context
 	tarArchive, err := archive.TarWithOptions(opts.ContextDir, &archive.TarOptions{})
 	if err != nil {
@@ -513,7 +512,7 @@ func (c *Client) performBuild(
 	}()

 	// Build image
-	resp, err := c.docker.ImageBuild(ctx, tarArchive, dockertypes.ImageBuildOptions{
+	resp, err := c.docker.ImageBuild(ctx, tarArchive, types.ImageBuildOptions{
 		Dockerfile: opts.DockerfilePath,
 		Tags:       opts.Tags,
 		Remove:     true,
@@ -543,7 +542,7 @@ func (c *Client) performBuild(
 			return "", fmt.Errorf("failed to inspect image: %w", inspectErr)
 		}

-		return ImageID(inspect.ID), nil
+		return inspect.ID, nil
 	}

 	return "", nil
@@ -604,22 +603,22 @@ func (c *Client) performClone(ctx context.Context, cfg *cloneConfig) (*CloneResu
 		}
 	}()

-	gitContainerID, err := c.createGitContainer(ctx, cfg)
+	containerID, err := c.createGitContainer(ctx, cfg)
 	if err != nil {
 		return nil, err
 	}

 	defer func() {
-		_ = c.docker.ContainerRemove(ctx, gitContainerID.String(), container.RemoveOptions{Force: true})
+		_ = c.docker.ContainerRemove(ctx, containerID, container.RemoveOptions{Force: true})
 	}()

-	return c.runGitClone(ctx, gitContainerID)
+	return c.runGitClone(ctx, containerID)
 }

 func (c *Client) createGitContainer(
 	ctx context.Context,
 	cfg *cloneConfig,
-) (ContainerID, error) {
+) (string, error) {
 	gitSSHCmd := "ssh -i /keys/deploy_key -o StrictHostKeyChecking=no"

 	// Build the git command using environment variables to avoid shell injection.
@@ -676,16 +675,16 @@ func (c *Client) createGitContainer(
 		return "", fmt.Errorf("failed to create git container: %w", err)
 	}

-	return ContainerID(resp.ID), nil
+	return resp.ID, nil
 }

-func (c *Client) runGitClone(ctx context.Context, containerID ContainerID) (*CloneResult, error) {
-	err := c.docker.ContainerStart(ctx, containerID.String(), container.StartOptions{})
+func (c *Client) runGitClone(ctx context.Context, containerID string) (*CloneResult, error) {
+	err := c.docker.ContainerStart(ctx, containerID, container.StartOptions{})
 	if err != nil {
 		return nil, fmt.Errorf("failed to start git container: %w", err)
 	}

-	statusCh, errCh := c.docker.ContainerWait(ctx, containerID.String(), container.WaitConditionNotRunning)
+	statusCh, errCh := c.docker.ContainerWait(ctx, containerID, container.WaitConditionNotRunning)

 	select {
 	case err := <-errCh:
--- a/internal/docker/types.go
+++ b/internal/docker/types.go
@@ -1,13 +0,0 @@
-package docker
-
-// ImageID is a Docker image identifier (ID or tag).
-type ImageID string
-
-// String implements the fmt.Stringer interface.
-func (id ImageID) String() string { return string(id) }
-
-// ContainerID is a Docker container identifier.
-type ContainerID string
-
-// String implements the fmt.Stringer interface.
-func (id ContainerID) String() string { return string(id) }
--- a/internal/handlers/api.go
+++ b/internal/handlers/api.go
@@ -7,7 +7,8 @@ import (

 	"github.com/go-chi/chi/v5"

-	"sneak.berlin/go/upaas/internal/models"
+	"git.eeqj.de/sneak/upaas/internal/models"
+	"git.eeqj.de/sneak/upaas/internal/service/app"
 )

 // apiAppResponse is the JSON representation of an app.
@@ -73,13 +74,18 @@ func deploymentToAPI(d *models.Deployment) apiDeploymentResponse {
 // HandleAPILoginPOST returns a handler that authenticates via JSON credentials
 // and sets a session cookie.
 func (h *Handlers) HandleAPILoginPOST() http.HandlerFunc {
+	type loginRequest struct {
+		Username string `json:"username"`
+		Password string `json:"password"` //nolint:gosec // request field, not a hardcoded credential
+	}
+
 	type loginResponse struct {
 		UserID   int64  `json:"userId"`
 		Username string `json:"username"`
 	}

 	return func(writer http.ResponseWriter, request *http.Request) {
-		var req map[string]string
+		var req loginRequest

 		decodeErr := json.NewDecoder(request.Body).Decode(&req)
 		if decodeErr != nil {
@@ -90,10 +96,7 @@ func (h *Handlers) HandleAPILoginPOST() http.HandlerFunc {
 			return
 		}

-		username := req["username"]
-		credential := req["password"]
-
-		if username == "" || credential == "" {
+		if req.Username == "" || req.Password == "" {
 			h.respondJSON(writer, request,
 				map[string]string{"error": "username and password are required"},
 				http.StatusBadRequest)
@@ -101,7 +104,7 @@ func (h *Handlers) HandleAPILoginPOST() http.HandlerFunc {
 			return
 		}

-		user, authErr := h.auth.Authenticate(request.Context(), username, credential)
+		user, authErr := h.auth.Authenticate(request.Context(), req.Username, req.Password)
 		if authErr != nil {
 			h.respondJSON(writer, request,
 				map[string]string{"error": "invalid credentials"},
@@ -174,6 +177,106 @@ func (h *Handlers) HandleAPIGetApp() http.HandlerFunc {
 	}
 }

+// HandleAPICreateApp returns a handler that creates a new app.
+func (h *Handlers) HandleAPICreateApp() http.HandlerFunc {
+	type createRequest struct {
+		Name           string `json:"name"`
+		RepoURL        string `json:"repoUrl"`
+		Branch         string `json:"branch"`
+		DockerfilePath string `json:"dockerfilePath"`
+		DockerNetwork  string `json:"dockerNetwork"`
+		NtfyTopic      string `json:"ntfyTopic"`
+		SlackWebhook   string `json:"slackWebhook"`
+	}
+
+	return func(writer http.ResponseWriter, request *http.Request) {
+		var req createRequest
+
+		decodeErr := json.NewDecoder(request.Body).Decode(&req)
+		if decodeErr != nil {
+			h.respondJSON(writer, request,
+				map[string]string{"error": "invalid JSON body"},
+				http.StatusBadRequest)
+
+			return
+		}
+
+		if req.Name == "" || req.RepoURL == "" {
+			h.respondJSON(writer, request,
+				map[string]string{"error": "name and repo_url are required"},
+				http.StatusBadRequest)
+
+			return
+		}
+
+		nameErr := validateAppName(req.Name)
+		if nameErr != nil {
+			h.respondJSON(writer, request,
+				map[string]string{"error": "invalid app name: " + nameErr.Error()},
+				http.StatusBadRequest)
+
+			return
+		}
+
+		createdApp, createErr := h.appService.CreateApp(request.Context(), app.CreateAppInput{
+			Name:           req.Name,
+			RepoURL:        req.RepoURL,
+			Branch:         req.Branch,
+			DockerfilePath: req.DockerfilePath,
+			DockerNetwork:  req.DockerNetwork,
+			NtfyTopic:      req.NtfyTopic,
+			SlackWebhook:   req.SlackWebhook,
+		})
+		if createErr != nil {
+			h.log.Error("api: failed to create app", "error", createErr)
+			h.respondJSON(writer, request,
+				map[string]string{"error": "failed to create app"},
+				http.StatusInternalServerError)
+
+			return
+		}
+
+		h.respondJSON(writer, request, appToAPI(createdApp), http.StatusCreated)
+	}
+}
+
+// HandleAPIDeleteApp returns a handler that deletes an app.
+func (h *Handlers) HandleAPIDeleteApp() http.HandlerFunc {
+	return func(writer http.ResponseWriter, request *http.Request) {
+		appID := chi.URLParam(request, "id")
+
+		application, err := h.appService.GetApp(request.Context(), appID)
+		if err != nil {
+			h.respondJSON(writer, request,
+				map[string]string{"error": "internal server error"},
+				http.StatusInternalServerError)
+
+			return
+		}
+
+		if application == nil {
+			h.respondJSON(writer, request,
+				map[string]string{"error": "app not found"},
+				http.StatusNotFound)
+
+			return
+		}
+
+		deleteErr := h.appService.DeleteApp(request.Context(), application)
+		if deleteErr != nil {
+			h.log.Error("api: failed to delete app", "error", deleteErr)
+			h.respondJSON(writer, request,
+				map[string]string{"error": "failed to delete app"},
+				http.StatusInternalServerError)
+
+			return
+		}
+
+		h.respondJSON(writer, request,
+			map[string]string{"status": "deleted"}, http.StatusOK)
+	}
+}
+
 // deploymentsPageLimit is the default number of deployments per page.
 const deploymentsPageLimit = 20

@@ -220,6 +323,35 @@ func (h *Handlers) HandleAPIListDeployments() http.HandlerFunc {
 	}
 }

+// HandleAPITriggerDeploy returns a handler that triggers a deployment for an app.
+func (h *Handlers) HandleAPITriggerDeploy() http.HandlerFunc {
+	return func(writer http.ResponseWriter, request *http.Request) {
+		appID := chi.URLParam(request, "id")
+
+		application, err := h.appService.GetApp(request.Context(), appID)
+		if err != nil || application == nil {
+			h.respondJSON(writer, request,
+				map[string]string{"error": "app not found"},
+				http.StatusNotFound)
+
+			return
+		}
+
+		deployErr := h.deploy.Deploy(request.Context(), application, nil, true)
+		if deployErr != nil {
+			h.log.Error("api: failed to trigger deploy", "error", deployErr)
+			h.respondJSON(writer, request,
+				map[string]string{"error": deployErr.Error()},
+				http.StatusConflict)
+
+			return
+		}
+
+		h.respondJSON(writer, request,
+			map[string]string{"status": "deploying"}, http.StatusAccepted)
+	}
+}
+
 // HandleAPIWhoAmI returns a handler that shows the current authenticated user.
 func (h *Handlers) HandleAPIWhoAmI() http.HandlerFunc {
 	type whoAmIResponse struct {
--- a/internal/handlers/api_test.go
+++ b/internal/handlers/api_test.go
@@ -10,8 +10,6 @@ import (
 	"github.com/go-chi/chi/v5"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-
-	"sneak.berlin/go/upaas/internal/service/app"
 )

 // apiRouter builds a chi router with the API routes using session auth middleware.
@@ -25,7 +23,10 @@ func apiRouter(tc *testContext) http.Handler {
 			apiR.Use(tc.middleware.APISessionAuth())
 			apiR.Get("/whoami", tc.handlers.HandleAPIWhoAmI())
 			apiR.Get("/apps", tc.handlers.HandleAPIListApps())
+			apiR.Post("/apps", tc.handlers.HandleAPICreateApp())
 			apiR.Get("/apps/{id}", tc.handlers.HandleAPIGetApp())
+			apiR.Delete("/apps/{id}", tc.handlers.HandleAPIDeleteApp())
+			apiR.Post("/apps/{id}/deploy", tc.handlers.HandleAPITriggerDeploy())
 			apiR.Get("/apps/{id}/deployments", tc.handlers.HandleAPIListDeployments())
 		})
 	})
@@ -61,16 +62,23 @@ func setupAPITest(t *testing.T) (*testContext, []*http.Cookie) {
 	return tc, cookies
 }

-// apiGet makes an authenticated GET request using session cookies.
-func apiGet(
+// apiRequest makes an authenticated API request using session cookies.
+func apiRequest(
 	t *testing.T,
 	tc *testContext,
 	cookies []*http.Cookie,
-	path string,
+	method, path string,
+	body string,
 ) *httptest.ResponseRecorder {
 	t.Helper()

-	req := httptest.NewRequest(http.MethodGet, path, nil)
+	var req *http.Request
+	if body != "" {
+		req = httptest.NewRequest(method, path, strings.NewReader(body))
+		req.Header.Set("Content-Type", "application/json")
+	} else {
+		req = httptest.NewRequest(method, path, nil)
+	}

 	for _, c := range cookies {
 		req.AddCookie(c)
@@ -167,7 +175,7 @@ func TestAPIWhoAmI(t *testing.T) {

 	tc, cookies := setupAPITest(t)

-	rr := apiGet(t, tc, cookies, "/api/v1/whoami")
+	rr := apiRequest(t, tc, cookies, http.MethodGet, "/api/v1/whoami", "")
 	assert.Equal(t, http.StatusOK, rr.Code)

 	var resp map[string]any
@@ -180,7 +188,7 @@ func TestAPIListAppsEmpty(t *testing.T) {

 	tc, cookies := setupAPITest(t)

-	rr := apiGet(t, tc, cookies, "/api/v1/apps")
+	rr := apiRequest(t, tc, cookies, http.MethodGet, "/api/v1/apps", "")
 	assert.Equal(t, http.StatusOK, rr.Code)

 	var apps []any
@@ -188,23 +196,52 @@ func TestAPIListAppsEmpty(t *testing.T) {
 	assert.Empty(t, apps)
 }

+func TestAPICreateApp(t *testing.T) {
+	t.Parallel()
+
+	tc, cookies := setupAPITest(t)
+
+	body := `{"name":"test-app","repoUrl":"https://github.com/example/repo"}`
+	rr := apiRequest(t, tc, cookies, http.MethodPost, "/api/v1/apps", body)
+	assert.Equal(t, http.StatusCreated, rr.Code)
+
+	var app map[string]any
+	require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &app))
+	assert.Equal(t, "test-app", app["name"])
+	assert.Equal(t, "pending", app["status"])
+}
+
+func TestAPICreateAppValidation(t *testing.T) {
+	t.Parallel()
+
+	tc, cookies := setupAPITest(t)
+
+	body := `{"name":"","repoUrl":""}`
+	rr := apiRequest(t, tc, cookies, http.MethodPost, "/api/v1/apps", body)
+	assert.Equal(t, http.StatusBadRequest, rr.Code)
+}
+
 func TestAPIGetApp(t *testing.T) {
 	t.Parallel()

 	tc, cookies := setupAPITest(t)

-	created, err := tc.appSvc.CreateApp(t.Context(), app.CreateAppInput{
-		Name:    "my-app",
-		RepoURL: "https://github.com/example/repo",
-	})
-	require.NoError(t, err)
+	body := `{"name":"my-app","repoUrl":"https://github.com/example/repo"}`
+	rr := apiRequest(t, tc, cookies, http.MethodPost, "/api/v1/apps", body)
+	require.Equal(t, http.StatusCreated, rr.Code)

-	rr := apiGet(t, tc, cookies, "/api/v1/apps/"+created.ID)
+	var created map[string]any
+	require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &created))
+
+	appID, ok := created["id"].(string)
+	require.True(t, ok)
+
+	rr = apiRequest(t, tc, cookies, http.MethodGet, "/api/v1/apps/"+appID, "")
 	assert.Equal(t, http.StatusOK, rr.Code)

-	var resp map[string]any
-	require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &resp))
-	assert.Equal(t, "my-app", resp["name"])
+	var app map[string]any
+	require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &app))
+	assert.Equal(t, "my-app", app["name"])
 }

 func TestAPIGetAppNotFound(t *testing.T) {
@@ -212,7 +249,29 @@ func TestAPIGetAppNotFound(t *testing.T) {

 	tc, cookies := setupAPITest(t)

-	rr := apiGet(t, tc, cookies, "/api/v1/apps/nonexistent")
+	rr := apiRequest(t, tc, cookies, http.MethodGet, "/api/v1/apps/nonexistent", "")
+	assert.Equal(t, http.StatusNotFound, rr.Code)
+}
+
+func TestAPIDeleteApp(t *testing.T) {
+	t.Parallel()
+
+	tc, cookies := setupAPITest(t)
+
+	body := `{"name":"delete-me","repoUrl":"https://github.com/example/repo"}`
+	rr := apiRequest(t, tc, cookies, http.MethodPost, "/api/v1/apps", body)
+	require.Equal(t, http.StatusCreated, rr.Code)
+
+	var created map[string]any
+	require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &created))
+
+	appID, ok := created["id"].(string)
+	require.True(t, ok)
+
+	rr = apiRequest(t, tc, cookies, http.MethodDelete, "/api/v1/apps/"+appID, "")
+	assert.Equal(t, http.StatusOK, rr.Code)
+
+	rr = apiRequest(t, tc, cookies, http.MethodGet, "/api/v1/apps/"+appID, "")
 	assert.Equal(t, http.StatusNotFound, rr.Code)
 }

@@ -221,13 +280,17 @@ func TestAPIListDeployments(t *testing.T) {

 	tc, cookies := setupAPITest(t)

-	created, err := tc.appSvc.CreateApp(t.Context(), app.CreateAppInput{
-		Name:    "deploy-app",
-		RepoURL: "https://github.com/example/repo",
-	})
-	require.NoError(t, err)
+	body := `{"name":"deploy-app","repoUrl":"https://github.com/example/repo"}`
+	rr := apiRequest(t, tc, cookies, http.MethodPost, "/api/v1/apps", body)
+	require.Equal(t, http.StatusCreated, rr.Code)

-	rr := apiGet(t, tc, cookies, "/api/v1/apps/"+created.ID+"/deployments")
+	var created map[string]any
+	require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &created))
+
+	appID, ok := created["id"].(string)
+	require.True(t, ok)
+
+	rr = apiRequest(t, tc, cookies, http.MethodGet, "/api/v1/apps/"+appID+"/deployments", "")
 	assert.Equal(t, http.StatusOK, rr.Code)

 	var deployments []any
--- a/internal/handlers/api_token_test.go
+++ b/internal/handlers/api_token_test.go
@@ -0,0 +1,293 @@
+package handlers_test
+
+import (
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+
+	"github.com/go-chi/chi/v5"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+// tokenRouter builds a chi router with token + app API routes.
+func tokenRouter(tc *testContext) http.Handler {
+	r := chi.NewRouter()
+
+	r.Route("/api/v1", func(apiR chi.Router) {
+		apiR.Post("/login", tc.handlers.HandleAPILoginPOST())
+
+		apiR.Group(func(apiR chi.Router) {
+			apiR.Use(tc.middleware.APISessionAuth())
+			apiR.Get("/whoami", tc.handlers.HandleAPIWhoAmI())
+			apiR.Post("/tokens", tc.handlers.HandleAPICreateToken())
+			apiR.Get("/tokens", tc.handlers.HandleAPIListTokens())
+			apiR.Delete(
+				"/tokens/{tokenID}",
+				tc.handlers.HandleAPIDeleteToken(),
+			)
+			apiR.Get("/apps", tc.handlers.HandleAPIListApps())
+		})
+	})
+
+	return r
+}
+
+func TestAPICreateToken(t *testing.T) {
+	t.Parallel()
+
+	tc, cookies := setupAPITest(t)
+	r := tokenRouter(tc)
+
+	body := `{"name":"my-ci-token"}`
+	req := httptest.NewRequest(
+		http.MethodPost, "/api/v1/tokens",
+		strings.NewReader(body),
+	)
+	req.Header.Set("Content-Type", "application/json")
+
+	for _, c := range cookies {
+		req.AddCookie(c)
+	}
+
+	rr := httptest.NewRecorder()
+	r.ServeHTTP(rr, req)
+
+	assert.Equal(t, http.StatusCreated, rr.Code)
+
+	var resp map[string]any
+	require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &resp))
+	assert.Equal(t, "my-ci-token", resp["name"])
+	assert.Contains(t, resp["token"], "upaas_")
+	assert.NotEmpty(t, resp["id"])
+}
+
+func TestAPICreateTokenMissingName(t *testing.T) {
+	t.Parallel()
+
+	tc, cookies := setupAPITest(t)
+	r := tokenRouter(tc)
+
+	body := `{"name":""}`
+	req := httptest.NewRequest(
+		http.MethodPost, "/api/v1/tokens",
+		strings.NewReader(body),
+	)
+	req.Header.Set("Content-Type", "application/json")
+
+	for _, c := range cookies {
+		req.AddCookie(c)
+	}
+
+	rr := httptest.NewRecorder()
+	r.ServeHTTP(rr, req)
+
+	assert.Equal(t, http.StatusBadRequest, rr.Code)
+}
+
+func TestAPIListTokens(t *testing.T) {
+	t.Parallel()
+
+	tc, cookies := setupAPITest(t)
+	r := tokenRouter(tc)
+
+	// Create two tokens.
+	for _, name := range []string{"token-a", "token-b"} {
+		body := `{"name":"` + name + `"}`
+		req := httptest.NewRequest(
+			http.MethodPost, "/api/v1/tokens",
+			strings.NewReader(body),
+		)
+		req.Header.Set("Content-Type", "application/json")
+
+		for _, c := range cookies {
+			req.AddCookie(c)
+		}
+
+		rr := httptest.NewRecorder()
+		r.ServeHTTP(rr, req)
+		require.Equal(t, http.StatusCreated, rr.Code)
+	}
+
+	// List tokens.
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/tokens", nil)
+
+	for _, c := range cookies {
+		req.AddCookie(c)
+	}
+
+	rr := httptest.NewRecorder()
+	r.ServeHTTP(rr, req)
+
+	assert.Equal(t, http.StatusOK, rr.Code)
+
+	var tokens []map[string]any
+	require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &tokens))
+	assert.Len(t, tokens, 2)
+
+	// Plaintext token must NOT appear in list.
+	for _, tok := range tokens {
+		assert.Nil(t, tok["token"])
+	}
+}
+
+func TestAPIDeleteToken(t *testing.T) {
+	t.Parallel()
+
+	tc, cookies := setupAPITest(t)
+	r := tokenRouter(tc)
+
+	// Create a token.
+	body := `{"name":"delete-me"}`
+	req := httptest.NewRequest(
+		http.MethodPost, "/api/v1/tokens",
+		strings.NewReader(body),
+	)
+	req.Header.Set("Content-Type", "application/json")
+
+	for _, c := range cookies {
+		req.AddCookie(c)
+	}
+
+	rr := httptest.NewRecorder()
+	r.ServeHTTP(rr, req)
+	require.Equal(t, http.StatusCreated, rr.Code)
+
+	var created map[string]any
+	require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &created))
+
+	tokenID, ok := created["id"].(string)
+	require.True(t, ok)
+
+	// Delete it.
+	req = httptest.NewRequest(
+		http.MethodDelete, "/api/v1/tokens/"+tokenID, nil,
+	)
+
+	for _, c := range cookies {
+		req.AddCookie(c)
+	}
+
+	rr = httptest.NewRecorder()
+	r.ServeHTTP(rr, req)
+	assert.Equal(t, http.StatusOK, rr.Code)
+
+	// List should be empty.
+	req = httptest.NewRequest(http.MethodGet, "/api/v1/tokens", nil)
+
+	for _, c := range cookies {
+		req.AddCookie(c)
+	}
+
+	rr = httptest.NewRecorder()
+	r.ServeHTTP(rr, req)
+
+	var tokens []map[string]any
+	require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &tokens))
+	assert.Empty(t, tokens)
+}
+
+func TestAPIBearerTokenAuth(t *testing.T) {
+	t.Parallel()
+
+	tc, cookies := setupAPITest(t)
+	r := tokenRouter(tc)
+
+	// Create a token via session auth.
+	body := `{"name":"bearer-test"}`
+	req := httptest.NewRequest(
+		http.MethodPost, "/api/v1/tokens",
+		strings.NewReader(body),
+	)
+	req.Header.Set("Content-Type", "application/json")
+
+	for _, c := range cookies {
+		req.AddCookie(c)
+	}
+
+	rr := httptest.NewRecorder()
+	r.ServeHTTP(rr, req)
+	require.Equal(t, http.StatusCreated, rr.Code)
+
+	var created map[string]any
+	require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &created))
+
+	plaintext, ok := created["token"].(string)
+	require.True(t, ok)
+
+	// Use Bearer token to access an authenticated endpoint.
+	req = httptest.NewRequest(http.MethodGet, "/api/v1/apps", nil)
+	req.Header.Set("Authorization", "Bearer "+plaintext)
+
+	rr = httptest.NewRecorder()
+	r.ServeHTTP(rr, req)
+	assert.Equal(t, http.StatusOK, rr.Code)
+}
+
+func TestAPIBearerTokenInvalid(t *testing.T) {
+	t.Parallel()
+
+	tc := setupTestHandlers(t)
+	r := tokenRouter(tc)
+
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/apps", nil)
+	req.Header.Set("Authorization", "Bearer upaas_invalidtoken1234567890ab")
+
+	rr := httptest.NewRecorder()
+	r.ServeHTTP(rr, req)
+	assert.Equal(t, http.StatusUnauthorized, rr.Code)
+}
+
+func TestAPIBearerTokenRevoked(t *testing.T) {
+	t.Parallel()
+
+	tc, cookies := setupAPITest(t)
+	r := tokenRouter(tc)
+
+	// Create then delete a token.
+	body := `{"name":"revoke-test"}`
+	req := httptest.NewRequest(
+		http.MethodPost, "/api/v1/tokens",
+		strings.NewReader(body),
+	)
+	req.Header.Set("Content-Type", "application/json")
+
+	for _, c := range cookies {
+		req.AddCookie(c)
+	}
+
+	rr := httptest.NewRecorder()
+	r.ServeHTTP(rr, req)
+	require.Equal(t, http.StatusCreated, rr.Code)
+
+	var created map[string]any
+	require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &created))
+
+	plaintext, ok := created["token"].(string)
+	require.True(t, ok)
+	tokenID, ok := created["id"].(string)
+	require.True(t, ok)
+
+	// Delete (revoke) the token.
+	req = httptest.NewRequest(
+		http.MethodDelete, "/api/v1/tokens/"+tokenID, nil,
+	)
+
+	for _, c := range cookies {
+		req.AddCookie(c)
+	}
+
+	rr = httptest.NewRecorder()
+	r.ServeHTTP(rr, req)
+	require.Equal(t, http.StatusOK, rr.Code)
+
+	// Try to use the revoked token.
+	req = httptest.NewRequest(http.MethodGet, "/api/v1/apps", nil)
+	req.Header.Set("Authorization", "Bearer "+plaintext)
+
+	rr = httptest.NewRecorder()
+	r.ServeHTTP(rr, req)
+	assert.Equal(t, http.StatusUnauthorized, rr.Code)
+}
--- a/internal/handlers/api_tokens.go
+++ b/internal/handlers/api_tokens.go
@@ -0,0 +1,220 @@
+package handlers
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"net/http"
+
+	"github.com/go-chi/chi/v5"
+
+	"git.eeqj.de/sneak/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/models"
+)
+
+// apiTokenResponse is the JSON representation of an API token.
+type apiTokenResponse struct {
+	ID         string  `json:"id"`
+	Name       string  `json:"name"`
+	CreatedAt  string  `json:"createdAt"`
+	ExpiresAt  *string `json:"expiresAt,omitempty"`
+	LastUsedAt *string `json:"lastUsedAt,omitempty"`
+}
+
+// apiTokenCreateResponse includes the plaintext token (shown once).
+type apiTokenCreateResponse struct {
+	apiTokenResponse
+
+	Token string `json:"token"`
+}
+
+func tokenToAPI(t *models.APIToken) apiTokenResponse {
+	resp := apiTokenResponse{
+		ID:        t.ID,
+		Name:      t.Name,
+		CreatedAt: t.CreatedAt.Format("2006-01-02T15:04:05Z"),
+	}
+
+	if t.ExpiresAt.Valid {
+		s := t.ExpiresAt.Time.Format("2006-01-02T15:04:05Z")
+		resp.ExpiresAt = &s
+	}
+
+	if t.LastUsedAt.Valid {
+		s := t.LastUsedAt.Time.Format("2006-01-02T15:04:05Z")
+		resp.LastUsedAt = &s
+	}
+
+	return resp
+}
+
+// createTokenRequest is the JSON body for token creation.
+type createTokenRequest struct {
+	Name string `json:"name"`
+}
+
+// createAndSaveToken generates a token, saves it, and returns
+// the plaintext and model.
+func (h *Handlers) createAndSaveToken(
+	ctx context.Context,
+	userID int64,
+	name string,
+) (string, *models.APIToken, error) {
+	plaintext, err := models.GenerateToken()
+	if err != nil {
+		return "", nil, fmt.Errorf("generating: %w", err)
+	}
+
+	token := models.NewAPIToken(h.db)
+	token.UserID = userID
+	token.Name = name
+	token.TokenHash = database.HashAPIToken(plaintext)
+
+	saveErr := token.Save(ctx)
+	if saveErr != nil {
+		return "", nil, fmt.Errorf("saving: %w", saveErr)
+	}
+
+	return plaintext, token, nil
+}
+
+// HandleAPICreateToken returns a handler that creates an API token.
+func (h *Handlers) HandleAPICreateToken() http.HandlerFunc {
+	return func(writer http.ResponseWriter, request *http.Request) {
+		user, err := h.auth.GetCurrentUser(
+			request.Context(), request,
+		)
+		if err != nil || user == nil {
+			h.respondJSON(writer, request,
+				map[string]string{"error": "unauthorized"},
+				http.StatusUnauthorized)
+
+			return
+		}
+
+		var req createTokenRequest
+
+		decodeErr := json.NewDecoder(request.Body).Decode(&req)
+		if decodeErr != nil {
+			h.respondJSON(writer, request,
+				map[string]string{"error": "invalid JSON body"},
+				http.StatusBadRequest)
+
+			return
+		}
+
+		if req.Name == "" {
+			h.respondJSON(writer, request,
+				map[string]string{"error": "name is required"},
+				http.StatusBadRequest)
+
+			return
+		}
+
+		plaintext, token, createErr := h.createAndSaveToken(
+			request.Context(), user.ID, req.Name,
+		)
+		if createErr != nil {
+			h.log.Error("api: token creation failed",
+				"error", createErr)
+			h.respondJSON(writer, request,
+				map[string]string{"error": "internal error"},
+				http.StatusInternalServerError)
+
+			return
+		}
+
+		h.respondJSON(writer, request, apiTokenCreateResponse{
+			apiTokenResponse: tokenToAPI(token),
+			Token:            plaintext,
+		}, http.StatusCreated)
+	}
+}
+
+// HandleAPIListTokens returns a handler that lists API tokens.
+func (h *Handlers) HandleAPIListTokens() http.HandlerFunc {
+	return func(writer http.ResponseWriter, request *http.Request) {
+		user, err := h.auth.GetCurrentUser(
+			request.Context(), request,
+		)
+		if err != nil || user == nil {
+			h.respondJSON(writer, request,
+				map[string]string{"error": "unauthorized"},
+				http.StatusUnauthorized)
+
+			return
+		}
+
+		tokens, listErr := models.ListAPITokensByUser(
+			request.Context(), h.db, user.ID,
+		)
+		if listErr != nil {
+			h.log.Error("api: failed to list tokens",
+				"error", listErr)
+			h.respondJSON(writer, request,
+				map[string]string{"error": "internal error"},
+				http.StatusInternalServerError)
+
+			return
+		}
+
+		result := make([]apiTokenResponse, 0, len(tokens))
+		for _, t := range tokens {
+			result = append(result, tokenToAPI(t))
+		}
+
+		h.respondJSON(writer, request, result, http.StatusOK)
+	}
+}
+
+// HandleAPIDeleteToken returns a handler that revokes an API token.
+func (h *Handlers) HandleAPIDeleteToken() http.HandlerFunc {
+	return func(writer http.ResponseWriter, request *http.Request) {
+		user, err := h.auth.GetCurrentUser(
+			request.Context(), request,
+		)
+		if err != nil || user == nil {
+			h.respondJSON(writer, request,
+				map[string]string{"error": "unauthorized"},
+				http.StatusUnauthorized)
+
+			return
+		}
+
+		tokenID := chi.URLParam(request, "tokenID")
+
+		token, findErr := models.FindAPIToken(
+			request.Context(), h.db, tokenID,
+		)
+		if findErr != nil {
+			h.respondJSON(writer, request,
+				map[string]string{"error": "internal error"},
+				http.StatusInternalServerError)
+
+			return
+		}
+
+		if token == nil || token.UserID != user.ID {
+			h.respondJSON(writer, request,
+				map[string]string{"error": "token not found"},
+				http.StatusNotFound)
+
+			return
+		}
+
+		deleteErr := token.Delete(request.Context())
+		if deleteErr != nil {
+			h.log.Error("api: failed to delete token",
+				"error", deleteErr)
+			h.respondJSON(writer, request,
+				map[string]string{"error": "internal error"},
+				http.StatusInternalServerError)
+
+			return
+		}
+
+		h.respondJSON(writer, request,
+			map[string]string{"status": "deleted"},
+			http.StatusOK)
+	}
+}
--- a/internal/handlers/app.go
+++ b/internal/handlers/app.go
@@ -15,9 +15,9 @@ import (

 	"github.com/go-chi/chi/v5"

-	"sneak.berlin/go/upaas/internal/models"
-	"sneak.berlin/go/upaas/internal/service/app"
-	"sneak.berlin/go/upaas/templates"
+	"git.eeqj.de/sneak/upaas/internal/models"
+	"git.eeqj.de/sneak/upaas/internal/service/app"
+	"git.eeqj.de/sneak/upaas/templates"
 )

 const (
@@ -72,15 +72,7 @@ func (h *Handlers) HandleAppCreate() http.HandlerFunc { //nolint:funlen // valid
 		nameErr := validateAppName(name)
 		if nameErr != nil {
 			data["Error"] = "Invalid app name: " + nameErr.Error()
-			h.renderTemplate(writer, tmpl, "app_new.html", data)
-
-			return
-		}
-
-		repoURLErr := validateRepoURL(repoURL)
-		if repoURLErr != nil {
-			data["Error"] = "Invalid repository URL: " + repoURLErr.Error()
-			h.renderTemplate(writer, tmpl, "app_new.html", data)
+			_ = tmpl.ExecuteTemplate(writer, "app_new.html", data)

 			return
 		}
@@ -228,18 +220,7 @@ func (h *Handlers) HandleAppUpdate() http.HandlerFunc { //nolint:funlen // valid
 				"App":   application,
 				"Error": "Invalid app name: " + nameErr.Error(),
 			}, request)
-			h.renderTemplate(writer, tmpl, "app_edit.html", data)
-
-			return
-		}
-
-		repoURLErr := validateRepoURL(request.FormValue("repo_url"))
-		if repoURLErr != nil {
-			data := h.addGlobals(map[string]any{
-				"App":   application,
-				"Error": "Invalid repository URL: " + repoURLErr.Error(),
-			}, request)
-			h.renderTemplate(writer, tmpl, "app_edit.html", data)
+			_ = tmpl.ExecuteTemplate(writer, "app_edit.html", data)

 			return
 		}
@@ -518,7 +499,8 @@ func (h *Handlers) HandleAppLogs() http.HandlerFunc {
 			return
 		}

-		_, _ = writer.Write([]byte(SanitizeLogs(logs))) // #nosec G705 -- logs sanitized, Content-Type is text/plain
+		//nolint:gosec // logs sanitized: ANSI escapes and control chars stripped
+		_, _ = writer.Write([]byte(SanitizeLogs(logs)))
 	}
 }

@@ -553,11 +535,11 @@ func (h *Handlers) HandleDeploymentLogsAPI() http.HandlerFunc {

 		logs := ""
 		if deployment.Logs.Valid {
-			logs = SanitizeLogs(deployment.Logs.String)
+			logs = deployment.Logs.String
 		}

 		response := map[string]any{
-			"logs":   logs,
+			"logs":   SanitizeLogs(logs),
 			"status": deployment.Status,
 		}

@@ -600,8 +582,8 @@ func (h *Handlers) HandleDeploymentLogDownload() http.HandlerFunc {
 			return
 		}

-		// Check if file exists — logPath is constructed internally, not from user input
-		_, err := os.Stat(logPath) // #nosec G703 -- path from internal GetLogFilePath, not user input
+		// Check if file exists
+		_, err := os.Stat(logPath) //nolint:gosec // logPath is constructed by deploy service, not from user input
 		if os.IsNotExist(err) {
 			http.NotFound(writer, request)

@@ -916,7 +898,7 @@ func (h *Handlers) HandleEnvVarAdd() http.HandlerFunc {
 func (h *Handlers) HandleEnvVarDelete() http.HandlerFunc {
 	return func(writer http.ResponseWriter, request *http.Request) {
 		appID := chi.URLParam(request, "id")
-		envVarIDStr := chi.URLParam(request, "varID")
+		envVarIDStr := chi.URLParam(request, "envID")

 		envVarID, parseErr := strconv.ParseInt(envVarIDStr, 10, 64)
 		if parseErr != nil {
@@ -1022,14 +1004,6 @@ func (h *Handlers) HandleVolumeAdd() http.HandlerFunc {
 			return
 		}

-		pathErr := validateVolumePaths(hostPath, containerPath)
-		if pathErr != nil {
-			h.log.Error("invalid volume path", "error", pathErr)
-			http.Redirect(writer, request, "/apps/"+application.ID, http.StatusSeeOther)
-
-			return
-		}
-
 		volume := models.NewVolume(h.db)
 		volume.AppID = application.ID
 		volume.HostPath = hostPath
--- a/internal/handlers/auth.go
+++ b/internal/handlers/auth.go
@@ -3,7 +3,7 @@ package handlers
 import (
 	"net/http"

-	"sneak.berlin/go/upaas/templates"
+	"git.eeqj.de/sneak/upaas/templates"
 )

 // HandleLoginGET returns the login page handler.
--- a/internal/handlers/dashboard.go
+++ b/internal/handlers/dashboard.go
@@ -4,8 +4,8 @@ import (
 	"net/http"
 	"time"

-	"sneak.berlin/go/upaas/internal/models"
-	"sneak.berlin/go/upaas/templates"
+	"git.eeqj.de/sneak/upaas/internal/models"
+	"git.eeqj.de/sneak/upaas/templates"
 )

 // AppStats holds deployment statistics for an app.
--- a/internal/handlers/export_test.go
+++ b/internal/handlers/export_test.go
@@ -1,6 +0,0 @@
-package handlers
-
-// ValidateRepoURLForTest exports validateRepoURL for testing.
-func ValidateRepoURLForTest(repoURL string) error {
-	return validateRepoURL(repoURL)
-}
--- a/internal/handlers/handlers.go
+++ b/internal/handlers/handlers.go
@@ -10,16 +10,16 @@ import (
 	"github.com/gorilla/csrf"
 	"go.uber.org/fx"

-	"sneak.berlin/go/upaas/internal/database"
-	"sneak.berlin/go/upaas/internal/docker"
-	"sneak.berlin/go/upaas/internal/globals"
-	"sneak.berlin/go/upaas/internal/healthcheck"
-	"sneak.berlin/go/upaas/internal/logger"
-	"sneak.berlin/go/upaas/internal/service/app"
-	"sneak.berlin/go/upaas/internal/service/auth"
-	"sneak.berlin/go/upaas/internal/service/deploy"
-	"sneak.berlin/go/upaas/internal/service/webhook"
-	"sneak.berlin/go/upaas/templates"
+	"git.eeqj.de/sneak/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/docker"
+	"git.eeqj.de/sneak/upaas/internal/globals"
+	"git.eeqj.de/sneak/upaas/internal/healthcheck"
+	"git.eeqj.de/sneak/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/service/app"
+	"git.eeqj.de/sneak/upaas/internal/service/auth"
+	"git.eeqj.de/sneak/upaas/internal/service/deploy"
+	"git.eeqj.de/sneak/upaas/internal/service/webhook"
+	"git.eeqj.de/sneak/upaas/templates"
 )

 // Params contains dependencies for Handlers.
--- a/internal/handlers/handlers_test.go
+++ b/internal/handlers/handlers_test.go
@@ -15,21 +15,21 @@ import (
 	"github.com/stretchr/testify/require"
 	"go.uber.org/fx"

-	"sneak.berlin/go/upaas/internal/models"
+	"git.eeqj.de/sneak/upaas/internal/models"

-	"sneak.berlin/go/upaas/internal/config"
-	"sneak.berlin/go/upaas/internal/database"
-	"sneak.berlin/go/upaas/internal/docker"
-	"sneak.berlin/go/upaas/internal/globals"
-	"sneak.berlin/go/upaas/internal/handlers"
-	"sneak.berlin/go/upaas/internal/healthcheck"
-	"sneak.berlin/go/upaas/internal/logger"
-	"sneak.berlin/go/upaas/internal/middleware"
-	"sneak.berlin/go/upaas/internal/service/app"
-	"sneak.berlin/go/upaas/internal/service/auth"
-	"sneak.berlin/go/upaas/internal/service/deploy"
-	"sneak.berlin/go/upaas/internal/service/notify"
-	"sneak.berlin/go/upaas/internal/service/webhook"
+	"git.eeqj.de/sneak/upaas/internal/config"
+	"git.eeqj.de/sneak/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/docker"
+	"git.eeqj.de/sneak/upaas/internal/globals"
+	"git.eeqj.de/sneak/upaas/internal/handlers"
+	"git.eeqj.de/sneak/upaas/internal/healthcheck"
+	"git.eeqj.de/sneak/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/middleware"
+	"git.eeqj.de/sneak/upaas/internal/service/app"
+	"git.eeqj.de/sneak/upaas/internal/service/auth"
+	"git.eeqj.de/sneak/upaas/internal/service/deploy"
+	"git.eeqj.de/sneak/upaas/internal/service/notify"
+	"git.eeqj.de/sneak/upaas/internal/service/webhook"
 )

 type testContext struct {
@@ -169,10 +169,11 @@ func setupTestHandlers(t *testing.T) *testContext {
 	require.NoError(t, handlerErr)

 	mw, mwErr := middleware.New(fx.Lifecycle(nil), middleware.Params{
-		Logger:  logInstance,
-		Globals: globalInstance,
-		Config:  cfg,
-		Auth:    authSvc,
+		Logger:   logInstance,
+		Globals:  globalInstance,
+		Config:   cfg,
+		Auth:     authSvc,
+		Database: dbInstance,
 	})
 	require.NoError(t, mwErr)

@@ -404,25 +405,6 @@ func TestHandleDashboard(t *testing.T) {
 		assert.Equal(t, http.StatusOK, recorder.Code)
 		assert.Contains(t, recorder.Body.String(), "Applications")
 	})
-
-	t.Run("renders dashboard with apps without crashing on CSRFField", func(t *testing.T) {
-		t.Parallel()
-
-		testCtx := setupTestHandlers(t)
-
-		// Create an app so the template iterates over AppStats and hits .CSRFField
-		createTestApp(t, testCtx, "csrf-test-app")
-
-		request := httptest.NewRequest(http.MethodGet, "/", nil)
-		recorder := httptest.NewRecorder()
-
-		handler := testCtx.handlers.HandleDashboard()
-		handler.ServeHTTP(recorder, request)
-
-		assert.Equal(t, http.StatusOK, recorder.Code,
-			"dashboard should not 500 when apps exist (CSRFField must be accessible)")
-		assert.Contains(t, recorder.Body.String(), "csrf-test-app")
-	})
 }

 func TestHandleAppNew(t *testing.T) {
@@ -583,7 +565,7 @@ func TestDeleteEnvVarOwnershipVerification(t *testing.T) { //nolint:dupl // inte
 			return "/apps/" + appID + "/env/" + strconv.FormatInt(resourceID, 10) + "/delete"
 		},
 		chiParams: func(appID string, resourceID int64) map[string]string {
-			return map[string]string{"id": appID, "varID": strconv.FormatInt(resourceID, 10)}
+			return map[string]string{"id": appID, "envID": strconv.FormatInt(resourceID, 10)}
 		},
 		handler: func(h *handlers.Handlers) http.HandlerFunc { return h.HandleEnvVarDelete() },
 		verifyFn: func(t *testing.T, tc *testContext, resourceID int64) {
@@ -714,153 +696,6 @@ func TestDeletePortOwnershipVerification(t *testing.T) {
 	assert.NotNil(t, found, "port should still exist after IDOR attempt")
 }

-// TestHandleEnvVarDeleteUsesCorrectRouteParam verifies that HandleEnvVarDelete
-// reads the "varID" chi URL parameter (matching the route definition {varID}),
-// not a mismatched name like "envID".
-func TestHandleEnvVarDeleteUsesCorrectRouteParam(t *testing.T) {
-	t.Parallel()
-
-	testCtx := setupTestHandlers(t)
-
-	createdApp := createTestApp(t, testCtx, "envdelete-param-app")
-
-	envVar := models.NewEnvVar(testCtx.database)
-	envVar.AppID = createdApp.ID
-	envVar.Key = "DELETE_ME"
-	envVar.Value = "gone"
-	require.NoError(t, envVar.Save(context.Background()))
-
-	// Use chi router with the real route pattern to test param name
-	r := chi.NewRouter()
-	r.Post("/apps/{id}/env-vars/{varID}/delete", testCtx.handlers.HandleEnvVarDelete())
-
-	request := httptest.NewRequest(
-		http.MethodPost,
-		"/apps/"+createdApp.ID+"/env-vars/"+strconv.FormatInt(envVar.ID, 10)+"/delete",
-		nil,
-	)
-	recorder := httptest.NewRecorder()
-
-	r.ServeHTTP(recorder, request)
-
-	assert.Equal(t, http.StatusSeeOther, recorder.Code)
-
-	// Verify the env var was actually deleted
-	found, findErr := models.FindEnvVar(context.Background(), testCtx.database, envVar.ID)
-	require.NoError(t, findErr)
-	assert.Nil(t, found, "env var should be deleted when using correct route param")
-}
-
-// TestHandleVolumeAddValidatesPaths verifies that HandleVolumeAdd validates
-// host and container paths (same as HandleVolumeEdit).
-func TestHandleVolumeAddValidatesPaths(t *testing.T) {
-	t.Parallel()
-
-	testCtx := setupTestHandlers(t)
-
-	createdApp := createTestApp(t, testCtx, "volume-validate-app")
-
-	tests := []struct {
-		name          string
-		hostPath      string
-		containerPath string
-		shouldCreate  bool
-	}{
-		{"relative host path rejected", "relative/path", "/container", false},
-		{"relative container path rejected", "/host", "relative/path", false},
-		{"unclean host path rejected", "/host/../etc", "/container", false},
-		{"valid paths accepted", "/host/data", "/container/data", true},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			t.Parallel()
-
-			form := url.Values{}
-			form.Set("host_path", tt.hostPath)
-			form.Set("container_path", tt.containerPath)
-
-			request := httptest.NewRequest(
-				http.MethodPost,
-				"/apps/"+createdApp.ID+"/volumes",
-				strings.NewReader(form.Encode()),
-			)
-			request.Header.Set("Content-Type", "application/x-www-form-urlencoded")
-			request = addChiURLParams(request, map[string]string{"id": createdApp.ID})
-
-			recorder := httptest.NewRecorder()
-
-			handler := testCtx.handlers.HandleVolumeAdd()
-			handler.ServeHTTP(recorder, request)
-
-			assert.Equal(t, http.StatusSeeOther, recorder.Code)
-
-			// Check if volume was created by listing volumes
-			volumes, _ := createdApp.GetVolumes(context.Background())
-			found := false
-
-			for _, v := range volumes {
-				if v.HostPath == tt.hostPath && v.ContainerPath == tt.containerPath {
-					found = true
-					// Clean up for isolation
-					_ = v.Delete(context.Background())
-				}
-			}
-
-			if tt.shouldCreate {
-				assert.True(t, found, "volume should be created for valid paths")
-			} else {
-				assert.False(t, found, "volume should NOT be created for invalid paths")
-			}
-		})
-	}
-}
-
-// TestSetupRequiredExemptsHealthAndStaticAndAPI verifies that the SetupRequired
-// middleware allows /health, /s/*, and /api/* paths through even when setup is required.
-func TestSetupRequiredExemptsHealthAndStaticAndAPI(t *testing.T) {
-	t.Parallel()
-
-	testCtx := setupTestHandlers(t)
-
-	// No user created, so setup IS required
-	mw := testCtx.middleware.SetupRequired()
-
-	okHandler := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
-		w.WriteHeader(http.StatusOK)
-		_, _ = w.Write([]byte("OK"))
-	})
-
-	wrapped := mw(okHandler)
-
-	exemptPaths := []string{"/health", "/s/style.css", "/s/js/app.js", "/api/v1/apps", "/api/v1/login"}
-
-	for _, path := range exemptPaths {
-		t.Run(path, func(t *testing.T) {
-			t.Parallel()
-
-			req := httptest.NewRequest(http.MethodGet, path, nil)
-			rr := httptest.NewRecorder()
-			wrapped.ServeHTTP(rr, req)
-
-			assert.Equal(t, http.StatusOK, rr.Code,
-				"path %s should be exempt from setup redirect", path)
-		})
-	}
-
-	// Non-exempt path should redirect to /setup
-	t.Run("non-exempt redirects", func(t *testing.T) {
-		t.Parallel()
-
-		req := httptest.NewRequest(http.MethodGet, "/", nil)
-		rr := httptest.NewRecorder()
-		wrapped.ServeHTTP(rr, req)
-
-		assert.Equal(t, http.StatusSeeOther, rr.Code)
-		assert.Equal(t, "/setup", rr.Header().Get("Location"))
-	})
-}
-
 func TestHandleCancelDeployRedirects(t *testing.T) {
 	t.Parallel()

--- a/internal/handlers/repo_url_validation.go
+++ b/internal/handlers/repo_url_validation.go
@@ -1,77 +0,0 @@
-package handlers
-
-import (
-	"errors"
-	"net/url"
-	"regexp"
-	"strings"
-)
-
-// Repo URL validation errors.
-var (
-	errRepoURLEmpty   = errors.New("repository URL must not be empty")
-	errRepoURLScheme  = errors.New("file:// URLs are not allowed for security reasons")
-	errRepoURLInvalid = errors.New("repository URL must use https://, http://, ssh://, git://, or git@host:path format")
-	errRepoURLNoHost  = errors.New("repository URL must include a host")
-	errRepoURLNoPath  = errors.New("repository URL must include a path")
-)
-
-// scpLikeRepoRe matches SCP-like git URLs: git@host:path (e.g. git@github.com:user/repo.git).
-// Only the "git" user is allowed, as that is the standard for SSH deploy keys.
-var scpLikeRepoRe = regexp.MustCompile(`^git@[a-zA-Z0-9._-]+:.+$`)
-
-// allowedRepoSchemes lists the URL schemes accepted for repository URLs.
-//
-//nolint:gochecknoglobals // package-level constant map parsed once
-var allowedRepoSchemes = map[string]bool{
-	"https": true,
-	"http":  true,
-	"ssh":   true,
-	"git":   true,
-}
-
-// validateRepoURL checks that the given repository URL is valid and uses an allowed scheme.
-func validateRepoURL(repoURL string) error {
-	if strings.TrimSpace(repoURL) == "" {
-		return errRepoURLEmpty
-	}
-
-	// Reject path traversal in any URL format
-	if strings.Contains(repoURL, "..") {
-		return errRepoURLInvalid
-	}
-
-	// Check for SCP-like git URLs first (git@host:path)
-	if scpLikeRepoRe.MatchString(repoURL) {
-		return nil
-	}
-
-	// Reject file:// explicitly
-	if strings.HasPrefix(strings.ToLower(repoURL), "file://") {
-		return errRepoURLScheme
-	}
-
-	return validateParsedRepoURL(repoURL)
-}
-
-// validateParsedRepoURL validates a standard URL-format repository URL.
-func validateParsedRepoURL(repoURL string) error {
-	parsed, err := url.Parse(repoURL)
-	if err != nil {
-		return errRepoURLInvalid
-	}
-
-	if !allowedRepoSchemes[strings.ToLower(parsed.Scheme)] {
-		return errRepoURLInvalid
-	}
-
-	if parsed.Host == "" {
-		return errRepoURLNoHost
-	}
-
-	if parsed.Path == "" || parsed.Path == "/" {
-		return errRepoURLNoPath
-	}
-
-	return nil
-}
--- a/internal/handlers/repo_url_validation_test.go
+++ b/internal/handlers/repo_url_validation_test.go
@@ -1,60 +0,0 @@
-package handlers_test
-
-import (
-	"testing"
-
-	"sneak.berlin/go/upaas/internal/handlers"
-)
-
-func TestValidateRepoURL(t *testing.T) {
-	t.Parallel()
-
-	tests := []struct {
-		name    string
-		url     string
-		wantErr bool
-	}{
-		// Valid URLs
-		{name: "https URL", url: "https://github.com/user/repo.git", wantErr: false},
-		{name: "http URL", url: "http://github.com/user/repo.git", wantErr: false},
-		{name: "ssh URL", url: "ssh://git@github.com/user/repo.git", wantErr: false},
-		{name: "git URL", url: "git://github.com/user/repo.git", wantErr: false},
-		{name: "SCP-like URL", url: "git@github.com:user/repo.git", wantErr: false},
-		{name: "SCP-like with dots", url: "git@git.example.com:org/repo.git", wantErr: false},
-		{name: "https without .git", url: "https://github.com/user/repo", wantErr: false},
-		{name: "https with port", url: "https://git.example.com:8443/user/repo.git", wantErr: false},
-
-		// Invalid URLs
-		{name: "empty string", url: "", wantErr: true},
-		{name: "whitespace only", url: "   ", wantErr: true},
-		{name: "file URL", url: "file:///etc/passwd", wantErr: true},
-		{name: "file URL uppercase", url: "FILE:///etc/passwd", wantErr: true},
-		{name: "bare path", url: "/some/local/path", wantErr: true},
-		{name: "relative path", url: "../repo", wantErr: true},
-		{name: "just a word", url: "notaurl", wantErr: true},
-		{name: "ftp URL", url: "ftp://example.com/repo.git", wantErr: true},
-		{name: "no host https", url: "https:///path", wantErr: true},
-		{name: "no path https", url: "https://github.com", wantErr: true},
-		{name: "no path https trailing slash", url: "https://github.com/", wantErr: true},
-		{name: "SCP-like non-git user", url: "root@github.com:user/repo.git", wantErr: true},
-		{name: "SCP-like arbitrary user", url: "admin@github.com:user/repo.git", wantErr: true},
-		{name: "path traversal SCP", url: "git@github.com:../../etc/passwd", wantErr: true},
-		{name: "path traversal https", url: "https://github.com/user/../../../etc/passwd", wantErr: true},
-		{name: "path traversal in middle", url: "https://github.com/user/repo/../secret", wantErr: true},
-	}
-
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
-
-			err := handlers.ValidateRepoURLForTest(tc.url)
-			if tc.wantErr && err == nil {
-				t.Errorf("ValidateRepoURLForTest(%q) = nil, want error", tc.url)
-			}
-
-			if !tc.wantErr && err != nil {
-				t.Errorf("ValidateRepoURLForTest(%q) = %v, want nil", tc.url, err)
-			}
-		})
-	}
-}
--- a/internal/handlers/sanitize_test.go
+++ b/internal/handlers/sanitize_test.go
@@ -3,7 +3,7 @@ package handlers_test
 import (
 	"testing"

-	"sneak.berlin/go/upaas/internal/handlers"
+	"git.eeqj.de/sneak/upaas/internal/handlers"
 )

 func TestSanitizeLogs(t *testing.T) { //nolint:funlen // table-driven tests
--- a/internal/handlers/setup.go
+++ b/internal/handlers/setup.go
@@ -3,7 +3,7 @@ package handlers
 import (
 	"net/http"

-	"sneak.berlin/go/upaas/templates"
+	"git.eeqj.de/sneak/upaas/templates"
 )

 const (
--- a/internal/handlers/tail_validation_test.go
+++ b/internal/handlers/tail_validation_test.go
@@ -3,7 +3,7 @@ package handlers_test
 import (
 	"testing"

-	"sneak.berlin/go/upaas/internal/handlers"
+	"git.eeqj.de/sneak/upaas/internal/handlers"
 )

 func TestSanitizeTail(t *testing.T) {
--- a/internal/handlers/webhook.go
+++ b/internal/handlers/webhook.go
@@ -6,7 +6,7 @@ import (

 	"github.com/go-chi/chi/v5"

-	"sneak.berlin/go/upaas/internal/models"
+	"git.eeqj.de/sneak/upaas/internal/models"
 )

 // maxWebhookBodySize is the maximum allowed size of a webhook request body (1MB).
--- a/internal/healthcheck/healthcheck.go
+++ b/internal/healthcheck/healthcheck.go
@@ -8,10 +8,10 @@ import (

 	"go.uber.org/fx"

-	"sneak.berlin/go/upaas/internal/config"
-	"sneak.berlin/go/upaas/internal/database"
-	"sneak.berlin/go/upaas/internal/globals"
-	"sneak.berlin/go/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/config"
+	"git.eeqj.de/sneak/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/globals"
+	"git.eeqj.de/sneak/upaas/internal/logger"
 )

 // Params contains dependencies for Healthcheck.
--- a/internal/logger/logger.go
+++ b/internal/logger/logger.go
@@ -7,7 +7,7 @@ import (

 	"go.uber.org/fx"

-	"sneak.berlin/go/upaas/internal/globals"
+	"git.eeqj.de/sneak/upaas/internal/globals"
 )

 // Params contains dependencies for Logger.
--- a/internal/logger/testing.go
+++ b/internal/logger/testing.go
@@ -1,11 +0,0 @@
-package logger
-
-import "log/slog"
-
-// NewForTest creates a Logger wrapping the given slog.Logger, for use in tests.
-func NewForTest(log *slog.Logger) *Logger {
-	return &Logger{
-		log:   log,
-		level: new(slog.LevelVar),
-	}
-}
--- a/internal/middleware/bearer_auth_test.go
+++ b/internal/middleware/bearer_auth_test.go
@@ -0,0 +1,160 @@
+package middleware_test
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"go.uber.org/fx"
+
+	"git.eeqj.de/sneak/upaas/internal/config"
+	"git.eeqj.de/sneak/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/globals"
+	"git.eeqj.de/sneak/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/middleware"
+	"git.eeqj.de/sneak/upaas/internal/models"
+	"git.eeqj.de/sneak/upaas/internal/service/auth"
+)
+
+// setupMiddleware creates a Middleware with a real SQLite database for
+// integration testing.
+func setupMiddleware(t *testing.T) (*middleware.Middleware, *auth.Service, *database.Database) {
+	t.Helper()
+
+	tmpDir := t.TempDir()
+
+	globals.SetAppname("upaas-test")
+	globals.SetVersion("test")
+
+	globalsInst, err := globals.New(fx.Lifecycle(nil))
+	require.NoError(t, err)
+
+	loggerInst, err := logger.New(
+		fx.Lifecycle(nil),
+		logger.Params{Globals: globalsInst},
+	)
+	require.NoError(t, err)
+
+	cfg := &config.Config{
+		Port:          8080,
+		DataDir:       tmpDir,
+		SessionSecret: "test-secret-key-at-least-32-chars!!",
+	}
+	_ = filepath.Join(tmpDir, "upaas.db")
+
+	dbInst, err := database.New(fx.Lifecycle(nil), database.Params{
+		Logger: loggerInst,
+		Config: cfg,
+	})
+	require.NoError(t, err)
+
+	authSvc, err := auth.New(fx.Lifecycle(nil), auth.ServiceParams{
+		Logger:   loggerInst,
+		Config:   cfg,
+		Database: dbInst,
+	})
+	require.NoError(t, err)
+
+	mw, err := middleware.New(fx.Lifecycle(nil), middleware.Params{
+		Logger:   loggerInst,
+		Globals:  globalsInst,
+		Config:   cfg,
+		Auth:     authSvc,
+		Database: dbInst,
+	})
+	require.NoError(t, err)
+
+	return mw, authSvc, dbInst
+}
+
+func TestAPISessionAuth_BearerTokenSetsUserContext(t *testing.T) {
+	t.Parallel()
+
+	mw, authSvc, dbInst := setupMiddleware(t)
+	ctx := t.Context()
+
+	// Create a user.
+	user, err := authSvc.CreateUser(ctx, "testuser", "password123")
+	require.NoError(t, err)
+	require.NotNil(t, user)
+
+	// Create an API token for the user.
+	rawToken, err := models.GenerateToken()
+	require.NoError(t, err)
+
+	tokenHash := database.HashAPIToken(rawToken)
+	apiToken := models.NewAPIToken(dbInst)
+	apiToken.UserID = user.ID
+	apiToken.Name = "test-token"
+	apiToken.TokenHash = tokenHash
+
+	err = apiToken.Save(ctx)
+	require.NoError(t, err)
+
+	// Build a handler behind APISessionAuth that checks user context.
+	var gotUser *models.User
+
+	var getUserErr error
+
+	handler := mw.APISessionAuth()(http.HandlerFunc(
+		func(w http.ResponseWriter, r *http.Request) {
+			gotUser, getUserErr = authSvc.GetCurrentUser(r.Context(), r)
+
+			w.WriteHeader(http.StatusOK)
+		},
+	))
+
+	// Make request with bearer token.
+	req := httptest.NewRequest(http.MethodGet, "/api/test", nil)
+	req.Header.Set("Authorization", "Bearer "+rawToken)
+
+	rec := httptest.NewRecorder()
+	handler.ServeHTTP(rec, req)
+
+	assert.Equal(t, http.StatusOK, rec.Code)
+	require.NoError(t, getUserErr)
+	require.NotNil(t, gotUser, "GetCurrentUser should return the user for bearer auth")
+	assert.Equal(t, user.ID, gotUser.ID)
+	assert.Equal(t, "testuser", gotUser.Username)
+}
+
+func TestAPISessionAuth_NoBearerTokenReturns401(t *testing.T) {
+	t.Parallel()
+
+	mw, _, _ := setupMiddleware(t)
+
+	handler := mw.APISessionAuth()(http.HandlerFunc(
+		func(w http.ResponseWriter, _ *http.Request) {
+			w.WriteHeader(http.StatusOK)
+		},
+	))
+
+	req := httptest.NewRequest(http.MethodGet, "/api/test", nil)
+	rec := httptest.NewRecorder()
+	handler.ServeHTTP(rec, req)
+
+	assert.Equal(t, http.StatusUnauthorized, rec.Code)
+}
+
+func TestAPISessionAuth_InvalidBearerTokenReturns401(t *testing.T) {
+	t.Parallel()
+
+	mw, _, _ := setupMiddleware(t)
+
+	handler := mw.APISessionAuth()(http.HandlerFunc(
+		func(w http.ResponseWriter, _ *http.Request) {
+			w.WriteHeader(http.StatusOK)
+		},
+	))
+
+	req := httptest.NewRequest(http.MethodGet, "/api/test", nil)
+	req.Header.Set("Authorization", "Bearer invalid-token")
+
+	rec := httptest.NewRecorder()
+	handler.ServeHTTP(rec, req)
+
+	assert.Equal(t, http.StatusUnauthorized, rec.Code)
+}
--- a/internal/middleware/cors_test.go
+++ b/internal/middleware/cors_test.go
@@ -8,7 +8,7 @@ import (

 	"github.com/stretchr/testify/assert"

-	"sneak.berlin/go/upaas/internal/config"
+	"git.eeqj.de/sneak/upaas/internal/config"
 )

 //nolint:gosec // test credentials
--- a/internal/middleware/middleware.go
+++ b/internal/middleware/middleware.go
@@ -18,10 +18,12 @@ import (
 	"go.uber.org/fx"
 	"golang.org/x/time/rate"

-	"sneak.berlin/go/upaas/internal/config"
-	"sneak.berlin/go/upaas/internal/globals"
-	"sneak.berlin/go/upaas/internal/logger"
-	"sneak.berlin/go/upaas/internal/service/auth"
+	"git.eeqj.de/sneak/upaas/internal/config"
+	"git.eeqj.de/sneak/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/globals"
+	"git.eeqj.de/sneak/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/models"
+	"git.eeqj.de/sneak/upaas/internal/service/auth"
 )

 // corsMaxAge is the maximum age for CORS preflight responses in seconds.
@@ -31,10 +33,11 @@ const corsMaxAge = 300
 type Params struct {
 	fx.In

-	Logger  *logger.Logger
-	Globals *globals.Globals
-	Config  *config.Config
-	Auth    *auth.Service
+	Logger   *logger.Logger
+	Globals  *globals.Globals
+	Config   *config.Config
+	Auth     *auth.Service
+	Database *database.Database
 }

 // Middleware provides HTTP middleware.
@@ -370,18 +373,36 @@ func (m *Middleware) LoginRateLimit() func(http.Handler) http.Handler {
 	}
 }

-// APISessionAuth returns middleware that requires session authentication for API routes.
-// Unlike SessionAuth, it returns JSON 401 responses instead of redirecting to /login.
+// bearerPrefix is the expected prefix for Authorization headers.
+const bearerPrefix = "Bearer "
+
+// APISessionAuth returns middleware that requires authentication
+// for API routes. It checks Bearer token first, then falls back
+// to session cookie. Returns JSON 401 on failure.
 func (m *Middleware) APISessionAuth() func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(
 			writer http.ResponseWriter,
 			request *http.Request,
 		) {
-			user, err := m.params.Auth.GetCurrentUser(request.Context(), request)
+			// Try Bearer token first.
+			if authedReq, ok := m.tryBearerAuth(request); ok {
+				next.ServeHTTP(writer, authedReq)
+
+				return
+			}
+
+			// Fall back to session cookie.
+			user, err := m.params.Auth.GetCurrentUser(
+				request.Context(), request,
+			)
 			if err != nil || user == nil {
 				writer.Header().Set("Content-Type", "application/json")
-				http.Error(writer, `{"error":"unauthorized"}`, http.StatusUnauthorized)
+				http.Error(
+					writer,
+					`{"error":"unauthorized"}`,
+					http.StatusUnauthorized,
+				)

 				return
 			}
@@ -411,14 +432,8 @@ func (m *Middleware) SetupRequired() func(http.Handler) http.Handler {
 			}

 			if setupRequired {
-				path := request.URL.Path
-
-				// Allow access to setup page, health endpoint, static
-				// assets, and API routes even before setup is complete.
-				if path == "/setup" ||
-					path == "/health" ||
-					strings.HasPrefix(path, "/s/") ||
-					strings.HasPrefix(path, "/api/") {
+				// Allow access to setup page
+				if request.URL.Path == "/setup" {
 					next.ServeHTTP(writer, request)

 					return
@@ -440,3 +455,49 @@ func (m *Middleware) SetupRequired() func(http.Handler) http.Handler {
 		})
 	}
 }
+
+// tryBearerAuth checks for a valid Bearer token in the
+// Authorization header. On success it returns a new request
+// with the authenticated user set on the context.
+func (m *Middleware) tryBearerAuth(
+	request *http.Request,
+) (*http.Request, bool) {
+	authHeader := request.Header.Get("Authorization")
+	if !strings.HasPrefix(authHeader, bearerPrefix) {
+		return request, false
+	}
+
+	rawToken := strings.TrimPrefix(authHeader, bearerPrefix)
+	if rawToken == "" {
+		return request, false
+	}
+
+	tokenHash := database.HashAPIToken(rawToken)
+
+	apiToken, err := models.FindAPITokenByHash(
+		request.Context(), m.params.Database, tokenHash,
+	)
+	if err != nil || apiToken == nil {
+		return request, false
+	}
+
+	if apiToken.IsExpired() {
+		return request, false
+	}
+
+	// Look up the user associated with the token.
+	user, err := models.FindUser(
+		request.Context(), m.params.Database, apiToken.UserID,
+	)
+	if err != nil || user == nil {
+		return request, false
+	}
+
+	// Update last_used_at (best effort).
+	_ = apiToken.TouchLastUsed(request.Context())
+
+	// Set the authenticated user on the request context.
+	ctx := auth.ContextWithUser(request.Context(), user)
+
+	return request.WithContext(ctx), true
+}
--- a/internal/middleware/ratelimit_test.go
+++ b/internal/middleware/ratelimit_test.go
@@ -9,7 +9,7 @@ import (

 	"github.com/stretchr/testify/assert"

-	"sneak.berlin/go/upaas/internal/config"
+	"git.eeqj.de/sneak/upaas/internal/config"
 )

 func newTestMiddleware(t *testing.T) *Middleware {
--- a/internal/models/api_token.go
+++ b/internal/models/api_token.go
@@ -0,0 +1,206 @@
+package models
+
+import (
+	"context"
+	"crypto/rand"
+	"database/sql"
+	"encoding/hex"
+	"errors"
+	"fmt"
+	"time"
+
+	"github.com/oklog/ulid/v2"
+
+	"git.eeqj.de/sneak/upaas/internal/database"
+)
+
+// tokenRandomBytes is the number of random bytes for token generation.
+const tokenRandomBytes = 32
+
+// tokenPrefix is prepended to generated API tokens.
+const tokenPrefix = "upaas_"
+
+// APIToken represents an API authentication token.
+type APIToken struct {
+	db *database.Database
+
+	ID         string
+	UserID     int64
+	Name       string
+	TokenHash  string
+	CreatedAt  time.Time
+	ExpiresAt  sql.NullTime
+	LastUsedAt sql.NullTime
+}
+
+// NewAPIToken creates a new APIToken with a database reference.
+func NewAPIToken(db *database.Database) *APIToken {
+	return &APIToken{db: db}
+}
+
+// GenerateToken generates a random API token string.
+func GenerateToken() (string, error) {
+	b := make([]byte, tokenRandomBytes)
+
+	_, err := rand.Read(b)
+	if err != nil {
+		return "", fmt.Errorf("generating token: %w", err)
+	}
+
+	return tokenPrefix + hex.EncodeToString(b), nil
+}
+
+// Save inserts the API token into the database.
+func (t *APIToken) Save(ctx context.Context) error {
+	if t.ID == "" {
+		t.ID = ulid.Make().String()
+	}
+
+	query := `INSERT INTO api_tokens
+		(id, user_id, name, token_hash, expires_at)
+		VALUES (?, ?, ?, ?, ?)`
+
+	_, err := t.db.Exec(
+		ctx, query,
+		t.ID, t.UserID, t.Name, t.TokenHash, t.ExpiresAt,
+	)
+	if err != nil {
+		return fmt.Errorf("inserting api token: %w", err)
+	}
+
+	return t.Reload(ctx)
+}
+
+// Reload refreshes the token from the database.
+func (t *APIToken) Reload(ctx context.Context) error {
+	row := t.db.QueryRow(ctx,
+		`SELECT id, user_id, name, token_hash,
+			created_at, expires_at, last_used_at
+		 FROM api_tokens WHERE id = ?`, t.ID)
+
+	return t.scan(row)
+}
+
+// Delete removes the token from the database.
+func (t *APIToken) Delete(ctx context.Context) error {
+	_, err := t.db.Exec(ctx,
+		"DELETE FROM api_tokens WHERE id = ?", t.ID)
+
+	return err
+}
+
+// TouchLastUsed updates the last_used_at timestamp.
+func (t *APIToken) TouchLastUsed(ctx context.Context) error {
+	_, err := t.db.Exec(ctx,
+		"UPDATE api_tokens SET last_used_at = ? WHERE id = ?",
+		time.Now().UTC(), t.ID)
+
+	return err
+}
+
+// IsExpired reports whether the token has expired.
+func (t *APIToken) IsExpired() bool {
+	return t.ExpiresAt.Valid && t.ExpiresAt.Time.Before(time.Now())
+}
+
+func (t *APIToken) scan(row *sql.Row) error {
+	return row.Scan(
+		&t.ID, &t.UserID, &t.Name, &t.TokenHash,
+		&t.CreatedAt, &t.ExpiresAt, &t.LastUsedAt,
+	)
+}
+
+// FindAPITokenByHash finds a token by its hash.
+//
+//nolint:nilnil // nil,nil is idiomatic for "not found"
+func FindAPITokenByHash(
+	ctx context.Context,
+	db *database.Database,
+	hash string,
+) (*APIToken, error) {
+	token := NewAPIToken(db)
+
+	row := db.QueryRow(ctx,
+		`SELECT id, user_id, name, token_hash,
+			created_at, expires_at, last_used_at
+		 FROM api_tokens WHERE token_hash = ?`, hash)
+
+	err := token.scan(row)
+	if err != nil {
+		if errors.Is(err, sql.ErrNoRows) {
+			return nil, nil
+		}
+
+		return nil, fmt.Errorf("finding api token by hash: %w", err)
+	}
+
+	return token, nil
+}
+
+// FindAPIToken finds a token by ID.
+//
+//nolint:nilnil // nil,nil is idiomatic for "not found"
+func FindAPIToken(
+	ctx context.Context,
+	db *database.Database,
+	id string,
+) (*APIToken, error) {
+	token := NewAPIToken(db)
+
+	row := db.QueryRow(ctx,
+		`SELECT id, user_id, name, token_hash,
+			created_at, expires_at, last_used_at
+		 FROM api_tokens WHERE id = ?`, id)
+
+	err := token.scan(row)
+	if err != nil {
+		if errors.Is(err, sql.ErrNoRows) {
+			return nil, nil
+		}
+
+		return nil, fmt.Errorf("finding api token: %w", err)
+	}
+
+	return token, nil
+}
+
+// ListAPITokensByUser returns all tokens for a user.
+func ListAPITokensByUser(
+	ctx context.Context,
+	db *database.Database,
+	userID int64,
+) ([]*APIToken, error) {
+	rows, err := db.Query(ctx,
+		`SELECT id, user_id, name, token_hash,
+			created_at, expires_at, last_used_at
+		 FROM api_tokens WHERE user_id = ?
+		 ORDER BY created_at DESC`, userID)
+	if err != nil {
+		return nil, fmt.Errorf("listing api tokens: %w", err)
+	}
+
+	defer func() { _ = rows.Close() }()
+
+	var tokens []*APIToken
+
+	for rows.Next() {
+		t := NewAPIToken(db)
+
+		scanErr := rows.Scan(
+			&t.ID, &t.UserID, &t.Name, &t.TokenHash,
+			&t.CreatedAt, &t.ExpiresAt, &t.LastUsedAt,
+		)
+		if scanErr != nil {
+			return nil, fmt.Errorf("scanning api token: %w", scanErr)
+		}
+
+		tokens = append(tokens, t)
+	}
+
+	rowsErr := rows.Err()
+	if rowsErr != nil {
+		return nil, fmt.Errorf("iterating api tokens: %w", rowsErr)
+	}
+
+	return tokens, nil
+}
--- a/internal/models/app.go
+++ b/internal/models/app.go
@@ -7,7 +7,7 @@ import (
 	"fmt"
 	"time"

-	"sneak.berlin/go/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/database"
 )

 // appColumns is the standard column list for app queries.
--- a/internal/models/deployment.go
+++ b/internal/models/deployment.go
@@ -5,10 +5,9 @@ import (
 	"database/sql"
 	"errors"
 	"fmt"
-	"strings"
 	"time"

-	"sneak.berlin/go/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/database"
 )

 // DeploymentStatus represents the status of a deployment.
@@ -77,11 +76,7 @@ func (d *Deployment) Reload(ctx context.Context) error {
 	return d.scan(row)
 }

-// maxLogSize is the maximum size of deployment logs stored in the database (1MB).
-const maxLogSize = 1 << 20
-
 // AppendLog appends a log line to the deployment logs.
-// If the total log size exceeds maxLogSize, the oldest lines are truncated.
 func (d *Deployment) AppendLog(ctx context.Context, line string) error {
 	var currentLogs string

@@ -89,22 +84,7 @@ func (d *Deployment) AppendLog(ctx context.Context, line string) error {
 		currentLogs = d.Logs.String
 	}

-	newLogs := currentLogs + line + "\n"
-
-	if len(newLogs) > maxLogSize {
-		// Keep the most recent logs that fit within the limit.
-		// Find a newline after the truncation point to avoid partial lines.
-		truncateAt := len(newLogs) - maxLogSize
-		idx := strings.Index(newLogs[truncateAt:], "\n")
-
-		if idx >= 0 {
-			newLogs = "[earlier logs truncated]\n" + newLogs[truncateAt+idx+1:]
-		} else {
-			newLogs = "[earlier logs truncated]\n" + newLogs[truncateAt:]
-		}
-	}
-
-	d.Logs = sql.NullString{String: newLogs, Valid: true}
+	d.Logs = sql.NullString{String: currentLogs + line + "\n", Valid: true}

 	return d.Save(ctx)
 }
--- a/internal/models/env_var.go
+++ b/internal/models/env_var.go
@@ -7,7 +7,7 @@ import (
 	"errors"
 	"fmt"

-	"sneak.berlin/go/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/database"
 )

 // EnvVar represents an environment variable for an app.
--- a/internal/models/label.go
+++ b/internal/models/label.go
@@ -7,7 +7,7 @@ import (
 	"errors"
 	"fmt"

-	"sneak.berlin/go/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/database"
 )

 // Label represents a Docker label for an app container.
--- a/internal/models/models_test.go
+++ b/internal/models/models_test.go
@@ -10,11 +10,11 @@ import (
 	"github.com/stretchr/testify/require"
 	"go.uber.org/fx"

-	"sneak.berlin/go/upaas/internal/config"
-	"sneak.berlin/go/upaas/internal/database"
-	"sneak.berlin/go/upaas/internal/globals"
-	"sneak.berlin/go/upaas/internal/logger"
-	"sneak.berlin/go/upaas/internal/models"
+	"git.eeqj.de/sneak/upaas/internal/config"
+	"git.eeqj.de/sneak/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/globals"
+	"git.eeqj.de/sneak/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/models"
 )

 // Test constants to satisfy goconst linter.
--- a/internal/models/port.go
+++ b/internal/models/port.go
@@ -6,7 +6,7 @@ import (
 	"errors"
 	"fmt"

-	"sneak.berlin/go/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/database"
 )

 // PortProtocol represents the protocol for a port mapping.
--- a/internal/models/user.go
+++ b/internal/models/user.go
@@ -8,7 +8,7 @@ import (
 	"fmt"
 	"time"

-	"sneak.berlin/go/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/database"
 )

 // User represents a user in the system.
--- a/internal/models/volume.go
+++ b/internal/models/volume.go
@@ -6,7 +6,7 @@ import (
 	"errors"
 	"fmt"

-	"sneak.berlin/go/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/database"
 )

 // Volume represents a volume mount for an app container.
--- a/internal/models/webhook_event.go
+++ b/internal/models/webhook_event.go
@@ -7,7 +7,7 @@ import (
 	"fmt"
 	"time"

-	"sneak.berlin/go/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/database"
 )

 // WebhookEvent represents a received webhook event.
--- a/internal/server/routes.go
+++ b/internal/server/routes.go
@@ -8,7 +8,7 @@ import (
 	chimw "github.com/go-chi/chi/v5/middleware"
 	"github.com/prometheus/client_golang/prometheus/promhttp"

-	"sneak.berlin/go/upaas/static"
+	"git.eeqj.de/sneak/upaas/static"
 )

 // requestTimeout is the maximum duration for handling a request.
@@ -114,8 +114,16 @@ func (s *Server) SetupRoutes() {
 			r.Get("/whoami", s.handlers.HandleAPIWhoAmI())

 			r.Get("/apps", s.handlers.HandleAPIListApps())
+			r.Post("/apps", s.handlers.HandleAPICreateApp())
 			r.Get("/apps/{id}", s.handlers.HandleAPIGetApp())
+			r.Delete("/apps/{id}", s.handlers.HandleAPIDeleteApp())
+			r.Post("/apps/{id}/deploy", s.handlers.HandleAPITriggerDeploy())
 			r.Get("/apps/{id}/deployments", s.handlers.HandleAPIListDeployments())
+
+			// API token management
+			r.Post("/tokens", s.handlers.HandleAPICreateToken())
+			r.Get("/tokens", s.handlers.HandleAPIListTokens())
+			r.Delete("/tokens/{tokenID}", s.handlers.HandleAPIDeleteToken())
 		})
 	})

--- a/internal/server/server.go
+++ b/internal/server/server.go
@@ -12,11 +12,11 @@ import (
 	"github.com/go-chi/chi/v5"
 	"go.uber.org/fx"

-	"sneak.berlin/go/upaas/internal/config"
-	"sneak.berlin/go/upaas/internal/globals"
-	"sneak.berlin/go/upaas/internal/handlers"
-	"sneak.berlin/go/upaas/internal/logger"
-	"sneak.berlin/go/upaas/internal/middleware"
+	"git.eeqj.de/sneak/upaas/internal/config"
+	"git.eeqj.de/sneak/upaas/internal/globals"
+	"git.eeqj.de/sneak/upaas/internal/handlers"
+	"git.eeqj.de/sneak/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/middleware"
 )

 // Params contains dependencies for Server.
--- a/internal/service/app/app.go
+++ b/internal/service/app/app.go
@@ -14,10 +14,10 @@ import (

 	"go.uber.org/fx"

-	"sneak.berlin/go/upaas/internal/database"
-	"sneak.berlin/go/upaas/internal/logger"
-	"sneak.berlin/go/upaas/internal/models"
-	"sneak.berlin/go/upaas/internal/ssh"
+	"git.eeqj.de/sneak/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/models"
+	"git.eeqj.de/sneak/upaas/internal/ssh"
 )

 // ServiceParams contains dependencies for Service.
--- a/internal/service/app/app_test.go
+++ b/internal/service/app/app_test.go
@@ -8,12 +8,12 @@ import (
 	"github.com/stretchr/testify/require"
 	"go.uber.org/fx"

-	"sneak.berlin/go/upaas/internal/config"
-	"sneak.berlin/go/upaas/internal/database"
-	"sneak.berlin/go/upaas/internal/globals"
-	"sneak.berlin/go/upaas/internal/logger"
-	"sneak.berlin/go/upaas/internal/models"
-	"sneak.berlin/go/upaas/internal/service/app"
+	"git.eeqj.de/sneak/upaas/internal/config"
+	"git.eeqj.de/sneak/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/globals"
+	"git.eeqj.de/sneak/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/models"
+	"git.eeqj.de/sneak/upaas/internal/service/app"
 )

 func setupTestService(t *testing.T) (*app.Service, func()) {
--- a/internal/service/auth/auth.go
+++ b/internal/service/auth/auth.go
@@ -15,10 +15,10 @@ import (
 	"go.uber.org/fx"
 	"golang.org/x/crypto/argon2"

-	"sneak.berlin/go/upaas/internal/config"
-	"sneak.berlin/go/upaas/internal/database"
-	"sneak.berlin/go/upaas/internal/logger"
-	"sneak.berlin/go/upaas/internal/models"
+	"git.eeqj.de/sneak/upaas/internal/config"
+	"git.eeqj.de/sneak/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/models"
 )

 const (
@@ -26,6 +26,21 @@ const (
 	sessionUserID = "user_id"
 )

+// contextKeyUser is the context key for storing the authenticated user.
+type contextKeyUser struct{}
+
+// ContextWithUser returns a new context with the given user attached.
+func ContextWithUser(ctx context.Context, user *models.User) context.Context {
+	return context.WithValue(ctx, contextKeyUser{}, user)
+}
+
+// UserFromContext retrieves the user from the context, if set.
+func UserFromContext(ctx context.Context) *models.User {
+	user, _ := ctx.Value(contextKeyUser{}).(*models.User)
+
+	return user
+}
+
 // Argon2 parameters.
 const (
 	argonTime    = 1
@@ -239,6 +254,11 @@ func (svc *Service) GetCurrentUser(
 	ctx context.Context,
 	request *http.Request,
 ) (*models.User, error) {
+	// Check context first (set by bearer token auth).
+	if user := UserFromContext(ctx); user != nil {
+		return user, nil
+	}
+
 	session, sessionErr := svc.store.Get(request, sessionName)
 	if sessionErr != nil {
 		// Session error means no user - this is not an error condition
--- a/internal/service/auth/auth_test.go
+++ b/internal/service/auth/auth_test.go
@@ -12,11 +12,11 @@ import (
 	"github.com/stretchr/testify/require"
 	"go.uber.org/fx"

-	"sneak.berlin/go/upaas/internal/config"
-	"sneak.berlin/go/upaas/internal/database"
-	"sneak.berlin/go/upaas/internal/globals"
-	"sneak.berlin/go/upaas/internal/logger"
-	"sneak.berlin/go/upaas/internal/service/auth"
+	"git.eeqj.de/sneak/upaas/internal/config"
+	"git.eeqj.de/sneak/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/globals"
+	"git.eeqj.de/sneak/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/service/auth"
 )

 func setupTestService(t *testing.T) (*auth.Service, func()) {
--- a/internal/service/deploy/deploy.go
+++ b/internal/service/deploy/deploy.go
@@ -17,12 +17,12 @@ import (

 	"go.uber.org/fx"

-	"sneak.berlin/go/upaas/internal/config"
-	"sneak.berlin/go/upaas/internal/database"
-	"sneak.berlin/go/upaas/internal/docker"
-	"sneak.berlin/go/upaas/internal/logger"
-	"sneak.berlin/go/upaas/internal/models"
-	"sneak.berlin/go/upaas/internal/service/notify"
+	"git.eeqj.de/sneak/upaas/internal/config"
+	"git.eeqj.de/sneak/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/docker"
+	"git.eeqj.de/sneak/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/models"
+	"git.eeqj.de/sneak/upaas/internal/service/notify"
 )

 // Time constants.
@@ -251,8 +251,8 @@ func New(lc fx.Lifecycle, params ServiceParams) (*Service, error) {
 }

 // GetBuildDir returns the build directory path for an app.
-func (svc *Service) GetBuildDir(appName string) string {
-	return filepath.Join(svc.config.DataDir, "builds", appName)
+func (svc *Service) GetBuildDir(appID string) string {
+	return filepath.Join(svc.config.DataDir, "builds", appID)
 }

 // GetLogFilePath returns the path to the log file for a deployment.
@@ -417,13 +417,15 @@ func (svc *Service) executeRollback(

 	svc.removeOldContainer(ctx, app, deployment)

-	rollbackOpts, err := svc.buildContainerOptions(ctx, app, docker.ImageID(previousImageID))
+	rollbackOpts, err := svc.buildContainerOptions(ctx, app, deployment.ID)
 	if err != nil {
 		svc.failDeployment(bgCtx, app, deployment, err)

 		return fmt.Errorf("failed to build container options: %w", err)
 	}

+	rollbackOpts.Image = previousImageID
+
 	containerID, err := svc.docker.CreateContainer(ctx, rollbackOpts)
 	if err != nil {
 		svc.failDeployment(bgCtx, app, deployment, fmt.Errorf("failed to create rollback container: %w", err))
@@ -431,8 +433,8 @@ func (svc *Service) executeRollback(
 		return fmt.Errorf("failed to create rollback container: %w", err)
 	}

-	deployment.ContainerID = sql.NullString{String: containerID.String(), Valid: true}
-	_ = deployment.AppendLog(bgCtx, "Rollback container created: "+containerID.String())
+	deployment.ContainerID = sql.NullString{String: containerID, Valid: true}
+	_ = deployment.AppendLog(bgCtx, "Rollback container created: "+containerID)

 	startErr := svc.docker.StartContainer(ctx, containerID)
 	if startErr != nil {
@@ -514,7 +516,7 @@ func (svc *Service) buildImageWithTimeout(
 	ctx context.Context,
 	app *models.App,
 	deployment *models.Deployment,
-) (docker.ImageID, error) {
+) (string, error) {
 	buildCtx, cancel := context.WithTimeout(ctx, buildTimeout)
 	defer cancel()

@@ -539,7 +541,7 @@ func (svc *Service) deployContainerWithTimeout(
 	ctx context.Context,
 	app *models.App,
 	deployment *models.Deployment,
-	imageID docker.ImageID,
+	imageID string,
 ) error {
 	deployCtx, cancel := context.WithTimeout(ctx, deployTimeout)
 	defer cancel()
@@ -667,7 +669,7 @@ func (svc *Service) checkCancelled(
 	bgCtx context.Context,
 	app *models.App,
 	deployment *models.Deployment,
-	imageID docker.ImageID,
+	imageID string,
 ) error {
 	if !errors.Is(deployCtx.Err(), context.Canceled) {
 		return nil
@@ -687,7 +689,7 @@ func (svc *Service) cleanupCancelledDeploy(
 	ctx context.Context,
 	app *models.App,
 	deployment *models.Deployment,
-	imageID docker.ImageID,
+	imageID string,
 ) {
 	// Clean up the intermediate Docker image if one was built
 	if imageID != "" {
@@ -695,11 +697,11 @@ func (svc *Service) cleanupCancelledDeploy(
 		if removeErr != nil {
 			svc.log.Error("failed to remove image from cancelled deploy",
 				"error", removeErr, "app", app.Name, "image", imageID)
-			_ = deployment.AppendLog(ctx, "WARNING: failed to clean up image "+imageID.String()+": "+removeErr.Error())
+			_ = deployment.AppendLog(ctx, "WARNING: failed to clean up image "+imageID+": "+removeErr.Error())
 		} else {
 			svc.log.Info("cleaned up image from cancelled deploy",
 				"app", app.Name, "image", imageID)
-			_ = deployment.AppendLog(ctx, "Cleaned up intermediate image: "+imageID.String())
+			_ = deployment.AppendLog(ctx, "Cleaned up intermediate image: "+imageID)
 		}
 	}

@@ -816,7 +818,7 @@ func (svc *Service) buildImage(
 	ctx context.Context,
 	app *models.App,
 	deployment *models.Deployment,
-) (docker.ImageID, error) {
+) (string, error) {
 	workDir, cleanup, err := svc.cloneRepository(ctx, app, deployment)
 	if err != nil {
 		return "", err
@@ -850,8 +852,8 @@ func (svc *Service) buildImage(
 		return "", fmt.Errorf("failed to build image: %w", err)
 	}

-	deployment.ImageID = sql.NullString{String: imageID.String(), Valid: true}
-	_ = deployment.AppendLog(ctx, "Image built: "+imageID.String())
+	deployment.ImageID = sql.NullString{String: imageID, Valid: true}
+	_ = deployment.AppendLog(ctx, "Image built: "+imageID)

 	return imageID, nil
 }
@@ -1009,16 +1011,16 @@ func (svc *Service) removeOldContainer(
 		svc.log.Warn("failed to remove old container", "error", removeErr)
 	}

-	_ = deployment.AppendLog(ctx, "Old container removed: "+string(containerInfo.ID[:12]))
+	_ = deployment.AppendLog(ctx, "Old container removed: "+containerInfo.ID[:12])
 }

 func (svc *Service) createAndStartContainer(
 	ctx context.Context,
 	app *models.App,
 	deployment *models.Deployment,
-	imageID docker.ImageID,
-) (docker.ContainerID, error) {
-	containerOpts, err := svc.buildContainerOptions(ctx, app, imageID)
+	_ string,
+) (string, error) {
+	containerOpts, err := svc.buildContainerOptions(ctx, app, deployment.ID)
 	if err != nil {
 		svc.failDeployment(ctx, app, deployment, err)

@@ -1038,8 +1040,8 @@ func (svc *Service) createAndStartContainer(
 		return "", fmt.Errorf("failed to create container: %w", err)
 	}

-	deployment.ContainerID = sql.NullString{String: containerID.String(), Valid: true}
-	_ = deployment.AppendLog(ctx, "Container created: "+containerID.String())
+	deployment.ContainerID = sql.NullString{String: containerID, Valid: true}
+	_ = deployment.AppendLog(ctx, "Container created: "+containerID)

 	startErr := svc.docker.StartContainer(ctx, containerID)
 	if startErr != nil {
@@ -1062,7 +1064,7 @@ func (svc *Service) createAndStartContainer(
 func (svc *Service) buildContainerOptions(
 	ctx context.Context,
 	app *models.App,
-	imageID docker.ImageID,
+	deploymentID int64,
 ) (docker.CreateContainerOptions, error) {
 	envVars, err := app.GetEnvVars(ctx)
 	if err != nil {
@@ -1096,7 +1098,7 @@ func (svc *Service) buildContainerOptions(

 	return docker.CreateContainerOptions{
 		Name:    "upaas-" + app.Name,
-		Image:   imageID.String(),
+		Image:   fmt.Sprintf("upaas-%s:%d", app.Name, deploymentID),
 		Env:     envMap,
 		Labels:  buildLabelMap(app, labels),
 		Volumes: buildVolumeMounts(volumes),
@@ -1146,9 +1148,9 @@ func buildPortMappings(ports []*models.Port) []docker.PortMapping {
 func (svc *Service) updateAppRunning(
 	ctx context.Context,
 	app *models.App,
-	imageID docker.ImageID,
+	imageID string,
 ) error {
-	app.ImageID = sql.NullString{String: imageID.String(), Valid: true}
+	app.ImageID = sql.NullString{String: imageID, Valid: true}
 	app.Status = models.AppStatusRunning

 	saveErr := app.Save(ctx)
--- a/internal/service/deploy/deploy_cancel_test.go
+++ b/internal/service/deploy/deploy_cancel_test.go
@@ -9,7 +9,7 @@ import (

 	"github.com/stretchr/testify/assert"

-	"sneak.berlin/go/upaas/internal/service/deploy"
+	"git.eeqj.de/sneak/upaas/internal/service/deploy"
 )

 func TestCancelActiveDeploy_NoExisting(t *testing.T) {
--- a/internal/service/deploy/deploy_cleanup_test.go
+++ b/internal/service/deploy/deploy_cleanup_test.go
@@ -10,8 +10,8 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"

-	"sneak.berlin/go/upaas/internal/config"
-	"sneak.berlin/go/upaas/internal/service/deploy"
+	"git.eeqj.de/sneak/upaas/internal/config"
+	"git.eeqj.de/sneak/upaas/internal/service/deploy"
 )

 func TestCleanupCancelledDeploy_RemovesBuildDir(t *testing.T) {
--- a/internal/service/deploy/deploy_container_test.go
+++ b/internal/service/deploy/deploy_container_test.go
@@ -1,45 +0,0 @@
-package deploy_test
-
-import (
-	"context"
-	"log/slog"
-	"os"
-	"testing"
-
-	"sneak.berlin/go/upaas/internal/database"
-	"sneak.berlin/go/upaas/internal/docker"
-	"sneak.berlin/go/upaas/internal/models"
-	"sneak.berlin/go/upaas/internal/service/deploy"
-)
-
-func TestBuildContainerOptionsUsesImageID(t *testing.T) {
-	t.Parallel()
-
-	db := database.NewTestDatabase(t)
-
-	app := models.NewApp(db)
-	app.Name = "myapp"
-
-	err := app.Save(context.Background())
-	if err != nil {
-		t.Fatalf("failed to save app: %v", err)
-	}
-
-	log := slog.New(slog.NewTextHandler(os.Stderr, nil))
-	svc := deploy.NewTestService(log)
-
-	const expectedImageID = docker.ImageID("sha256:abc123def456")
-
-	opts, err := svc.BuildContainerOptionsExported(context.Background(), app, expectedImageID)
-	if err != nil {
-		t.Fatalf("buildContainerOptions returned error: %v", err)
-	}
-
-	if opts.Image != expectedImageID.String() {
-		t.Errorf("expected Image=%q, got %q", expectedImageID, opts.Image)
-	}
-
-	if opts.Name != "upaas-myapp" {
-		t.Errorf("expected Name=%q, got %q", "upaas-myapp", opts.Name)
-	}
-}
--- a/internal/service/deploy/export_test.go
+++ b/internal/service/deploy/export_test.go
@@ -8,9 +8,8 @@ import (
 	"path/filepath"
 	"strings"

-	"sneak.berlin/go/upaas/internal/config"
-	"sneak.berlin/go/upaas/internal/docker"
-	"sneak.berlin/go/upaas/internal/models"
+	"git.eeqj.de/sneak/upaas/internal/config"
+	"git.eeqj.de/sneak/upaas/internal/docker"
 )

 // NewTestService creates a Service with minimal dependencies for testing.
@@ -81,12 +80,3 @@ func (svc *Service) CleanupCancelledDeploy(
 func (svc *Service) GetBuildDirExported(appName string) string {
 	return svc.GetBuildDir(appName)
 }
-
-// BuildContainerOptionsExported exposes buildContainerOptions for testing.
-func (svc *Service) BuildContainerOptionsExported(
-	ctx context.Context,
-	app *models.App,
-	imageID docker.ImageID,
-) (docker.CreateContainerOptions, error) {
-	return svc.buildContainerOptions(ctx, app, imageID)
-}
--- a/internal/service/notify/notify.go
+++ b/internal/service/notify/notify.go
@@ -10,13 +10,12 @@ import (
 	"fmt"
 	"log/slog"
 	"net/http"
-	"net/url"
 	"time"

 	"go.uber.org/fx"

-	"sneak.berlin/go/upaas/internal/logger"
-	"sneak.berlin/go/upaas/internal/models"
+	"git.eeqj.de/sneak/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/models"
 )

 // HTTP client timeout.
@@ -248,15 +247,10 @@ func (svc *Service) sendNtfy(
 ) error {
 	svc.log.Debug("sending ntfy notification", "topic", topic, "title", title)

-	parsedURL, err := url.ParseRequestURI(topic)
-	if err != nil {
-		return fmt.Errorf("invalid ntfy topic URL: %w", err)
-	}
-
 	request, err := http.NewRequestWithContext(
 		ctx,
 		http.MethodPost,
-		parsedURL.String(),
+		topic,
 		bytes.NewBufferString(message),
 	)
 	if err != nil {
@@ -266,7 +260,7 @@ func (svc *Service) sendNtfy(
 	request.Header.Set("Title", title)
 	request.Header.Set("Priority", svc.ntfyPriority(priority))

-	resp, err := svc.client.Do(request) // #nosec G704 -- URL from validated config, not user input
+	resp, err := svc.client.Do(request) //nolint:gosec // URL constructed from trusted config, not user input
 	if err != nil {
 		return fmt.Errorf("failed to send ntfy request: %w", err)
 	}
@@ -346,15 +340,10 @@ func (svc *Service) sendSlack(
 		return fmt.Errorf("failed to marshal slack payload: %w", err)
 	}

-	parsedWebhookURL, err := url.ParseRequestURI(webhookURL)
-	if err != nil {
-		return fmt.Errorf("invalid slack webhook URL: %w", err)
-	}
-
 	request, err := http.NewRequestWithContext(
 		ctx,
 		http.MethodPost,
-		parsedWebhookURL.String(),
+		webhookURL,
 		bytes.NewBuffer(body),
 	)
 	if err != nil {
@@ -363,7 +352,7 @@ func (svc *Service) sendSlack(

 	request.Header.Set("Content-Type", "application/json")

-	resp, err := svc.client.Do(request) // #nosec G704 -- URL from validated config, not user input
+	resp, err := svc.client.Do(request) //nolint:gosec // URL from trusted webhook config
 	if err != nil {
 		return fmt.Errorf("failed to send slack request: %w", err)
 	}
--- a/internal/service/webhook/types.go
+++ b/internal/service/webhook/types.go
@@ -1,10 +0,0 @@
-package webhook
-
-// UnparsedURL is a URL stored as a plain string without parsing.
-// Use this instead of string when the value is known to be a URL
-// but should not be parsed into a net/url.URL (e.g. webhook URLs,
-// compare URLs from external payloads).
-type UnparsedURL string
-
-// String implements the fmt.Stringer interface.
-func (u UnparsedURL) String() string { return string(u) }
--- a/internal/service/webhook/webhook.go
+++ b/internal/service/webhook/webhook.go
@@ -10,11 +10,10 @@ import (

 	"go.uber.org/fx"

-	"sneak.berlin/go/upaas/internal/database"
-
-	"sneak.berlin/go/upaas/internal/logger"
-	"sneak.berlin/go/upaas/internal/models"
-	"sneak.berlin/go/upaas/internal/service/deploy"
+	"git.eeqj.de/sneak/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/models"
+	"git.eeqj.de/sneak/upaas/internal/service/deploy"
 )

 // ServiceParams contains dependencies for Service.
@@ -48,24 +47,24 @@ func New(_ fx.Lifecycle, params ServiceParams) (*Service, error) {
 //
 //nolint:tagliatelle // Field names match Gitea API (snake_case)
 type GiteaPushPayload struct {
-	Ref        string      `json:"ref"`
-	Before     string      `json:"before"`
-	After      string      `json:"after"`
-	CompareURL UnparsedURL `json:"compare_url"`
+	Ref        string `json:"ref"`
+	Before     string `json:"before"`
+	After      string `json:"after"`
+	CompareURL string `json:"compare_url"`
 	Repository struct {
-		FullName string      `json:"full_name"`
-		CloneURL UnparsedURL `json:"clone_url"`
-		SSHURL   string      `json:"ssh_url"`
-		HTMLURL  UnparsedURL `json:"html_url"`
+		FullName string `json:"full_name"`
+		CloneURL string `json:"clone_url"`
+		SSHURL   string `json:"ssh_url"`
+		HTMLURL  string `json:"html_url"`
 	} `json:"repository"`
 	Pusher struct {
 		Username string `json:"username"`
 		Email    string `json:"email"`
 	} `json:"pusher"`
 	Commits []struct {
-		ID      string      `json:"id"`
-		URL     UnparsedURL `json:"url"`
-		Message string      `json:"message"`
+		ID      string `json:"id"`
+		URL     string `json:"url"`
+		Message string `json:"message"`
 		Author  struct {
 			Name  string `json:"name"`
 			Email string `json:"email"`
@@ -105,7 +104,7 @@ func (svc *Service) HandleWebhook(
 	event.EventType = eventType
 	event.Branch = branch
 	event.CommitSHA = sql.NullString{String: commitSHA, Valid: commitSHA != ""}
-	event.CommitURL = sql.NullString{String: commitURL.String(), Valid: commitURL != ""}
+	event.CommitURL = sql.NullString{String: commitURL, Valid: commitURL != ""}
 	event.Payload = sql.NullString{String: string(payload), Valid: true}
 	event.Matched = matched
 	event.Processed = false
@@ -169,7 +168,7 @@ func extractBranch(ref string) string {

 // extractCommitURL extracts the commit URL from the webhook payload.
 // Prefers the URL from the head commit, falls back to constructing from repo URL.
-func extractCommitURL(payload GiteaPushPayload) UnparsedURL {
+func extractCommitURL(payload GiteaPushPayload) string {
 	// Try to find the URL from the head commit (matching After SHA)
 	for _, commit := range payload.Commits {
 		if commit.ID == payload.After && commit.URL != "" {
@@ -179,7 +178,7 @@ func extractCommitURL(payload GiteaPushPayload) UnparsedURL {

 	// Fall back to constructing URL from repo HTML URL
 	if payload.Repository.HTMLURL != "" && payload.After != "" {
-		return UnparsedURL(payload.Repository.HTMLURL.String() + "/commit/" + payload.After)
+		return payload.Repository.HTMLURL + "/commit/" + payload.After
 	}

 	return ""
--- a/internal/service/webhook/webhook_test.go
+++ b/internal/service/webhook/webhook_test.go
@@ -12,15 +12,15 @@ import (
 	"github.com/stretchr/testify/require"
 	"go.uber.org/fx"

-	"sneak.berlin/go/upaas/internal/config"
-	"sneak.berlin/go/upaas/internal/database"
-	"sneak.berlin/go/upaas/internal/docker"
-	"sneak.berlin/go/upaas/internal/globals"
-	"sneak.berlin/go/upaas/internal/logger"
-	"sneak.berlin/go/upaas/internal/models"
-	"sneak.berlin/go/upaas/internal/service/deploy"
-	"sneak.berlin/go/upaas/internal/service/notify"
-	"sneak.berlin/go/upaas/internal/service/webhook"
+	"git.eeqj.de/sneak/upaas/internal/config"
+	"git.eeqj.de/sneak/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/docker"
+	"git.eeqj.de/sneak/upaas/internal/globals"
+	"git.eeqj.de/sneak/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/models"
+	"git.eeqj.de/sneak/upaas/internal/service/deploy"
+	"git.eeqj.de/sneak/upaas/internal/service/notify"
+	"git.eeqj.de/sneak/upaas/internal/service/webhook"
 )

 type testDeps struct {
--- a/internal/ssh/keygen.go
+++ b/internal/ssh/keygen.go
@@ -12,7 +12,7 @@ import (

 // KeyPair contains an SSH key pair.
 type KeyPair struct {
-	PrivateKey string `json:"-"`
+	PrivateKey string //nolint:gosec // field name describes SSH key material, not a hardcoded secret
 	PublicKey  string
 }

--- a/internal/ssh/keygen_test.go
+++ b/internal/ssh/keygen_test.go
@@ -4,9 +4,9 @@ import (
 	"strings"
 	"testing"

+	"git.eeqj.de/sneak/upaas/internal/ssh"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"sneak.berlin/go/upaas/internal/ssh"
 )

 func TestGenerateKeyPair(t *testing.T) {
--- a/static/js/alpine.min.js
+++ b/static/js/alpine.min.js
--- a/static/js/app-detail.js
+++ b/static/js/app-detail.js
@@ -1,194 +0,0 @@
-/**
- * upaas - App Detail Page Component
- *
- * Handles the single-app view: status polling, container logs,
- * build logs, and recent deployments list.
- */
-
-document.addEventListener("alpine:init", () => {
-  Alpine.data("appDetail", (config) => ({
-    appId: config.appId,
-    currentDeploymentId: config.initialDeploymentId,
-    appStatus: config.initialStatus || "unknown",
-    containerLogs: "Loading container logs...",
-    containerStatus: "unknown",
-    buildLogs: config.initialDeploymentId
-      ? "Loading build logs..."
-      : "No deployments yet",
-    buildStatus: config.initialBuildStatus || "unknown",
-    showBuildLogs: !!config.initialDeploymentId,
-    deploying: false,
-    deployments: [],
-    // Track whether user wants auto-scroll (per log pane)
-    _containerAutoScroll: true,
-    _buildAutoScroll: true,
-    _pollTimer: null,
-
-    init() {
-      this.deploying = Alpine.store("utils").isDeploying(this.appStatus);
-      this.fetchAll();
-      this._schedulePoll();
-
-      // Set up scroll listeners after DOM is ready
-      this.$nextTick(() => {
-        this._initScrollTracking(this.$refs.containerLogsWrapper, '_containerAutoScroll');
-        this._initScrollTracking(this.$refs.buildLogsWrapper, '_buildAutoScroll');
-      });
-    },
-
-    _schedulePoll() {
-      if (this._pollTimer) clearTimeout(this._pollTimer);
-      const interval = Alpine.store("utils").isDeploying(this.appStatus) ? 1000 : 10000;
-      this._pollTimer = setTimeout(() => {
-        this.fetchAll();
-        this._schedulePoll();
-      }, interval);
-    },
-
-    _initScrollTracking(el, flag) {
-      if (!el) return;
-      el.addEventListener('scroll', () => {
-        this[flag] = Alpine.store("utils").isScrolledToBottom(el);
-      }, { passive: true });
-    },
-
-    fetchAll() {
-      this.fetchAppStatus();
-      // Only fetch logs when the respective pane is visible
-      if (this.$refs.containerLogsWrapper && this._isElementVisible(this.$refs.containerLogsWrapper)) {
-        this.fetchContainerLogs();
-      }
-      if (this.showBuildLogs && this.$refs.buildLogsWrapper && this._isElementVisible(this.$refs.buildLogsWrapper)) {
-        this.fetchBuildLogs();
-      }
-      this.fetchRecentDeployments();
-    },
-
-    _isElementVisible(el) {
-      if (!el) return false;
-      // Check if element is in viewport (roughly)
-      const rect = el.getBoundingClientRect();
-      return rect.bottom > 0 && rect.top < window.innerHeight;
-    },
-
-    async fetchAppStatus() {
-      try {
-        const res = await fetch(`/apps/${this.appId}/status`);
-        const data = await res.json();
-        const wasDeploying = this.deploying;
-        this.appStatus = data.status;
-        this.deploying = Alpine.store("utils").isDeploying(data.status);
-
-        // Re-schedule polling when deployment state changes
-        if (this.deploying !== wasDeploying) {
-          this._schedulePoll();
-        }
-
-        if (
-          data.latestDeploymentID &&
-          data.latestDeploymentID !== this.currentDeploymentId
-        ) {
-          this.currentDeploymentId = data.latestDeploymentID;
-          this.showBuildLogs = true;
-          this.fetchBuildLogs();
-        }
-      } catch (err) {
-        console.error("Status fetch error:", err);
-      }
-    },
-
-    async fetchContainerLogs() {
-      try {
-        const res = await fetch(`/apps/${this.appId}/container-logs`);
-        const data = await res.json();
-        const newLogs = data.logs || "No logs available";
-        const changed = newLogs !== this.containerLogs;
-        this.containerLogs = newLogs;
-        this.containerStatus = data.status;
-        if (changed && this._containerAutoScroll) {
-          this.$nextTick(() => {
-            Alpine.store("utils").scrollToBottom(this.$refs.containerLogsWrapper);
-          });
-        }
-      } catch (err) {
-        this.containerLogs = "Failed to fetch logs";
-      }
-    },
-
-    async fetchBuildLogs() {
-      if (!this.currentDeploymentId) return;
-      try {
-        const res = await fetch(
-          `/apps/${this.appId}/deployments/${this.currentDeploymentId}/logs`,
-        );
-        const data = await res.json();
-        const newLogs = data.logs || "No build logs available";
-        const changed = newLogs !== this.buildLogs;
-        this.buildLogs = newLogs;
-        this.buildStatus = data.status;
-        if (changed && this._buildAutoScroll) {
-          this.$nextTick(() => {
-            Alpine.store("utils").scrollToBottom(this.$refs.buildLogsWrapper);
-          });
-        }
-      } catch (err) {
-        this.buildLogs = "Failed to fetch logs";
-      }
-    },
-
-    async fetchRecentDeployments() {
-      try {
-        const res = await fetch(`/apps/${this.appId}/recent-deployments`);
-        const data = await res.json();
-        this.deployments = data.deployments || [];
-      } catch (err) {
-        console.error("Deployments fetch error:", err);
-      }
-    },
-
-    submitDeploy() {
-      this.deploying = true;
-    },
-
-    get statusBadgeClass() {
-      return Alpine.store("utils").statusBadgeClass(this.appStatus);
-    },
-
-    get statusLabel() {
-      return Alpine.store("utils").statusLabel(this.appStatus);
-    },
-
-    get containerStatusBadgeClass() {
-      return (
-        Alpine.store("utils").statusBadgeClass(this.containerStatus) +
-        " text-xs"
-      );
-    },
-
-    get containerStatusLabel() {
-      return Alpine.store("utils").statusLabel(this.containerStatus);
-    },
-
-    get buildStatusBadgeClass() {
-      return (
-        Alpine.store("utils").statusBadgeClass(this.buildStatus) + " text-xs"
-      );
-    },
-
-    get buildStatusLabel() {
-      return Alpine.store("utils").statusLabel(this.buildStatus);
-    },
-
-    deploymentStatusClass(status) {
-      return Alpine.store("utils").statusBadgeClass(status);
-    },
-
-    deploymentStatusLabel(status) {
-      return Alpine.store("utils").statusLabel(status);
-    },
-
-    formatTime(isoTime) {
-      return Alpine.store("utils").formatRelativeTime(isoTime);
-    },
-  }));
-});
--- a/static/js/app.js
+++ b/static/js/app.js
@@ -0,0 +1,581 @@
+/**
+ * upaas - Frontend JavaScript with Alpine.js
+ */
+
+document.addEventListener("alpine:init", () => {
+  // ============================================
+  // Global Utilities Store
+  // ============================================
+  Alpine.store("utils", {
+    /**
+     * Format a date string as relative time (e.g., "5 minutes ago")
+     */
+    formatRelativeTime(dateStr) {
+      if (!dateStr) return "";
+      const date = new Date(dateStr);
+      const now = new Date();
+      const diffMs = now - date;
+      const diffSec = Math.floor(diffMs / 1000);
+      const diffMin = Math.floor(diffSec / 60);
+      const diffHour = Math.floor(diffMin / 60);
+      const diffDay = Math.floor(diffHour / 24);
+
+      if (diffSec < 60) return "just now";
+      if (diffMin < 60)
+        return diffMin + (diffMin === 1 ? " minute ago" : " minutes ago");
+      if (diffHour < 24)
+        return diffHour + (diffHour === 1 ? " hour ago" : " hours ago");
+      if (diffDay < 7)
+        return diffDay + (diffDay === 1 ? " day ago" : " days ago");
+      return date.toLocaleDateString();
+    },
+
+    /**
+     * Get the badge class for a given status
+     */
+    statusBadgeClass(status) {
+      if (status === "running" || status === "success") return "badge-success";
+      if (status === "building" || status === "deploying")
+        return "badge-warning";
+      if (status === "failed" || status === "error") return "badge-error";
+      return "badge-neutral";
+    },
+
+    /**
+     * Format status for display (capitalize first letter)
+     */
+    statusLabel(status) {
+      if (!status) return "";
+      return status.charAt(0).toUpperCase() + status.slice(1);
+    },
+
+    /**
+     * Check if status indicates active deployment
+     */
+    isDeploying(status) {
+      return status === "building" || status === "deploying";
+    },
+
+    /**
+     * Scroll an element to the bottom
+     */
+    scrollToBottom(el) {
+      if (el) {
+        requestAnimationFrame(() => {
+          el.scrollTop = el.scrollHeight;
+        });
+      }
+    },
+
+    /**
+     * Check if a scrollable element is at (or near) the bottom.
+     * Tolerance of 30px accounts for rounding and partial lines.
+     */
+    isScrolledToBottom(el, tolerance = 30) {
+      if (!el) return true;
+      return el.scrollHeight - el.scrollTop - el.clientHeight <= tolerance;
+    },
+
+    /**
+     * Copy text to clipboard
+     */
+    async copyToClipboard(text, button) {
+      try {
+        await navigator.clipboard.writeText(text);
+        return true;
+      } catch (err) {
+        // Fallback for older browsers
+        const textArea = document.createElement("textarea");
+        textArea.value = text;
+        textArea.style.position = "fixed";
+        textArea.style.left = "-9999px";
+        document.body.appendChild(textArea);
+        textArea.select();
+        try {
+          document.execCommand("copy");
+          document.body.removeChild(textArea);
+          return true;
+        } catch (e) {
+          document.body.removeChild(textArea);
+          return false;
+        }
+      }
+    },
+  });
+
+  // ============================================
+  // Copy Button Component
+  // ============================================
+  Alpine.data("copyButton", (targetId) => ({
+    copied: false,
+    async copy() {
+      const target = document.getElementById(targetId);
+      if (!target) return;
+      const text = target.textContent || target.value;
+      const success = await Alpine.store("utils").copyToClipboard(text);
+      if (success) {
+        this.copied = true;
+        setTimeout(() => {
+          this.copied = false;
+        }, 2000);
+      }
+    },
+  }));
+
+  // ============================================
+  // Confirm Action Component
+  // ============================================
+  Alpine.data("confirmAction", (message) => ({
+    confirm(event) {
+      if (!window.confirm(message)) {
+        event.preventDefault();
+      }
+    },
+  }));
+
+  // ============================================
+  // Auto-dismiss Alert Component
+  // ============================================
+  Alpine.data("autoDismiss", (delay = 5000) => ({
+    show: true,
+    init() {
+      setTimeout(() => {
+        this.dismiss();
+      }, delay);
+    },
+    dismiss() {
+      this.show = false;
+      setTimeout(() => {
+        this.$el.remove();
+      }, 300);
+    },
+  }));
+
+  // ============================================
+  // Relative Time Component
+  // ============================================
+  Alpine.data("relativeTime", (isoTime) => ({
+    display: "",
+    init() {
+      this.update();
+      // Update every minute
+      setInterval(() => this.update(), 60000);
+    },
+    update() {
+      this.display = Alpine.store("utils").formatRelativeTime(isoTime);
+    },
+  }));
+
+  // ============================================
+  // App Detail Page Component
+  // ============================================
+  Alpine.data("appDetail", (config) => ({
+    appId: config.appId,
+    currentDeploymentId: config.initialDeploymentId,
+    appStatus: config.initialStatus || "unknown",
+    containerLogs: "Loading container logs...",
+    containerStatus: "unknown",
+    buildLogs: config.initialDeploymentId
+      ? "Loading build logs..."
+      : "No deployments yet",
+    buildStatus: config.initialBuildStatus || "unknown",
+    showBuildLogs: !!config.initialDeploymentId,
+    deploying: false,
+    deployments: [],
+    // Track whether user wants auto-scroll (per log pane)
+    _containerAutoScroll: true,
+    _buildAutoScroll: true,
+    _pollTimer: null,
+
+    init() {
+      this.deploying = Alpine.store("utils").isDeploying(this.appStatus);
+      this.fetchAll();
+      this._schedulePoll();
+
+      // Set up scroll listeners after DOM is ready
+      this.$nextTick(() => {
+        this._initScrollTracking(this.$refs.containerLogsWrapper, '_containerAutoScroll');
+        this._initScrollTracking(this.$refs.buildLogsWrapper, '_buildAutoScroll');
+      });
+    },
+
+    _schedulePoll() {
+      if (this._pollTimer) clearTimeout(this._pollTimer);
+      const interval = Alpine.store("utils").isDeploying(this.appStatus) ? 1000 : 10000;
+      this._pollTimer = setTimeout(() => {
+        this.fetchAll();
+        this._schedulePoll();
+      }, interval);
+    },
+
+    _initScrollTracking(el, flag) {
+      if (!el) return;
+      el.addEventListener('scroll', () => {
+        this[flag] = Alpine.store("utils").isScrolledToBottom(el);
+      }, { passive: true });
+    },
+
+    fetchAll() {
+      this.fetchAppStatus();
+      // Only fetch logs when the respective pane is visible
+      if (this.$refs.containerLogsWrapper && this._isElementVisible(this.$refs.containerLogsWrapper)) {
+        this.fetchContainerLogs();
+      }
+      if (this.showBuildLogs && this.$refs.buildLogsWrapper && this._isElementVisible(this.$refs.buildLogsWrapper)) {
+        this.fetchBuildLogs();
+      }
+      this.fetchRecentDeployments();
+    },
+
+    _isElementVisible(el) {
+      if (!el) return false;
+      // Check if element is in viewport (roughly)
+      const rect = el.getBoundingClientRect();
+      return rect.bottom > 0 && rect.top < window.innerHeight;
+    },
+
+    async fetchAppStatus() {
+      try {
+        const res = await fetch(`/apps/${this.appId}/status`);
+        const data = await res.json();
+        const wasDeploying = this.deploying;
+        this.appStatus = data.status;
+        this.deploying = Alpine.store("utils").isDeploying(data.status);
+
+        // Re-schedule polling when deployment state changes
+        if (this.deploying !== wasDeploying) {
+          this._schedulePoll();
+        }
+
+        if (
+          data.latestDeploymentID &&
+          data.latestDeploymentID !== this.currentDeploymentId
+        ) {
+          this.currentDeploymentId = data.latestDeploymentID;
+          this.showBuildLogs = true;
+          this.fetchBuildLogs();
+        }
+      } catch (err) {
+        console.error("Status fetch error:", err);
+      }
+    },
+
+    async fetchContainerLogs() {
+      try {
+        const res = await fetch(`/apps/${this.appId}/container-logs`);
+        const data = await res.json();
+        const newLogs = data.logs || "No logs available";
+        const changed = newLogs !== this.containerLogs;
+        this.containerLogs = newLogs;
+        this.containerStatus = data.status;
+        if (changed && this._containerAutoScroll) {
+          this.$nextTick(() => {
+            Alpine.store("utils").scrollToBottom(this.$refs.containerLogsWrapper);
+          });
+        }
+      } catch (err) {
+        this.containerLogs = "Failed to fetch logs";
+      }
+    },
+
+    async fetchBuildLogs() {
+      if (!this.currentDeploymentId) return;
+      try {
+        const res = await fetch(
+          `/apps/${this.appId}/deployments/${this.currentDeploymentId}/logs`,
+        );
+        const data = await res.json();
+        const newLogs = data.logs || "No build logs available";
+        const changed = newLogs !== this.buildLogs;
+        this.buildLogs = newLogs;
+        this.buildStatus = data.status;
+        if (changed && this._buildAutoScroll) {
+          this.$nextTick(() => {
+            Alpine.store("utils").scrollToBottom(this.$refs.buildLogsWrapper);
+          });
+        }
+      } catch (err) {
+        this.buildLogs = "Failed to fetch logs";
+      }
+    },
+
+    async fetchRecentDeployments() {
+      try {
+        const res = await fetch(`/apps/${this.appId}/recent-deployments`);
+        const data = await res.json();
+        this.deployments = data.deployments || [];
+      } catch (err) {
+        console.error("Deployments fetch error:", err);
+      }
+    },
+
+    submitDeploy() {
+      this.deploying = true;
+    },
+
+    get statusBadgeClass() {
+      return Alpine.store("utils").statusBadgeClass(this.appStatus);
+    },
+
+    get statusLabel() {
+      return Alpine.store("utils").statusLabel(this.appStatus);
+    },
+
+    get containerStatusBadgeClass() {
+      return (
+        Alpine.store("utils").statusBadgeClass(this.containerStatus) +
+        " text-xs"
+      );
+    },
+
+    get containerStatusLabel() {
+      return Alpine.store("utils").statusLabel(this.containerStatus);
+    },
+
+    get buildStatusBadgeClass() {
+      return (
+        Alpine.store("utils").statusBadgeClass(this.buildStatus) + " text-xs"
+      );
+    },
+
+    get buildStatusLabel() {
+      return Alpine.store("utils").statusLabel(this.buildStatus);
+    },
+
+    deploymentStatusClass(status) {
+      return Alpine.store("utils").statusBadgeClass(status);
+    },
+
+    deploymentStatusLabel(status) {
+      return Alpine.store("utils").statusLabel(status);
+    },
+
+    formatTime(isoTime) {
+      return Alpine.store("utils").formatRelativeTime(isoTime);
+    },
+  }));
+
+  // ============================================
+  // Deployment Card Component (for individual deployment cards)
+  // ============================================
+  Alpine.data("deploymentCard", (config) => ({
+    appId: config.appId,
+    deploymentId: config.deploymentId,
+    logs: "",
+    status: config.status || "",
+    pollInterval: null,
+    _autoScroll: true,
+
+    init() {
+      // Read initial logs from script tag (avoids escaping issues)
+      const initialLogsEl = this.$el.querySelector(".initial-logs");
+      this.logs = initialLogsEl?.textContent || "Loading...";
+
+      // Set up scroll tracking
+      this.$nextTick(() => {
+        const wrapper = this.$refs.logsWrapper;
+        if (wrapper) {
+          wrapper.addEventListener('scroll', () => {
+            this._autoScroll = Alpine.store("utils").isScrolledToBottom(wrapper);
+          }, { passive: true });
+        }
+      });
+
+      // Only poll if deployment is in progress
+      if (Alpine.store("utils").isDeploying(this.status)) {
+        this.fetchLogs();
+        this.pollInterval = setInterval(() => this.fetchLogs(), 1000);
+      }
+    },
+
+    destroy() {
+      if (this.pollInterval) {
+        clearInterval(this.pollInterval);
+      }
+    },
+
+    async fetchLogs() {
+      try {
+        const res = await fetch(
+          `/apps/${this.appId}/deployments/${this.deploymentId}/logs`,
+        );
+        const data = await res.json();
+        const newLogs = data.logs || "No logs available";
+        const logsChanged = newLogs !== this.logs;
+        this.logs = newLogs;
+        this.status = data.status;
+
+        // Scroll to bottom only when content changes AND user hasn't scrolled up
+        if (logsChanged && this._autoScroll) {
+          this.$nextTick(() => {
+            Alpine.store("utils").scrollToBottom(this.$refs.logsWrapper);
+          });
+        }
+
+        // Stop polling if deployment is done
+        if (!Alpine.store("utils").isDeploying(data.status)) {
+          if (this.pollInterval) {
+            clearInterval(this.pollInterval);
+            this.pollInterval = null;
+          }
+          // Reload page to show final state with duration etc
+          window.location.reload();
+        }
+      } catch (err) {
+        console.error("Logs fetch error:", err);
+      }
+    },
+
+    get statusBadgeClass() {
+      return Alpine.store("utils").statusBadgeClass(this.status);
+    },
+
+    get statusLabel() {
+      return Alpine.store("utils").statusLabel(this.status);
+    },
+  }));
+
+  // ============================================
+  // Deployments History Page Component
+  // ============================================
+  Alpine.data("deploymentsPage", (config) => ({
+    appId: config.appId,
+    currentDeploymentId: null,
+    isDeploying: false,
+
+    init() {
+      // Check for in-progress deployments on page load
+      const inProgressCard = document.querySelector(
+        '[data-status="building"], [data-status="deploying"]',
+      );
+      if (inProgressCard) {
+        this.currentDeploymentId = parseInt(
+          inProgressCard.getAttribute("data-deployment-id"),
+          10,
+        );
+        this.isDeploying = true;
+      }
+
+      this.fetchAppStatus();
+      this._scheduleStatusPoll();
+    },
+
+    _statusPollTimer: null,
+
+    _scheduleStatusPoll() {
+      if (this._statusPollTimer) clearTimeout(this._statusPollTimer);
+      const interval = this.isDeploying ? 1000 : 10000;
+      this._statusPollTimer = setTimeout(() => {
+        this.fetchAppStatus();
+        this._scheduleStatusPoll();
+      }, interval);
+    },
+
+    async fetchAppStatus() {
+      try {
+        const res = await fetch(`/apps/${this.appId}/status`);
+        const data = await res.json();
+        // Use deployment status, not app status - it's more reliable during transitions
+        const deploying = Alpine.store("utils").isDeploying(
+          data.latestDeploymentStatus,
+        );
+
+        // Detect new deployment
+        if (
+          data.latestDeploymentID &&
+          data.latestDeploymentID !== this.currentDeploymentId
+        ) {
+          // Check if we have a card for this deployment
+          const hasCard = document.querySelector(
+            `[data-deployment-id="${data.latestDeploymentID}"]`,
+          );
+
+          if (deploying && !hasCard) {
+            // New deployment started but no card exists - reload to show it
+            window.location.reload();
+
+            return;
+          }
+
+          this.currentDeploymentId = data.latestDeploymentID;
+        }
+
+        // Update deploying state based on latest deployment status
+        if (deploying && !this.isDeploying) {
+          this.isDeploying = true;
+          this._scheduleStatusPoll(); // Switch to fast polling
+        } else if (!deploying && this.isDeploying) {
+          // Deployment finished - reload to show final state
+          this.isDeploying = false;
+          window.location.reload();
+        }
+      } catch (err) {
+        console.error("Status fetch error:", err);
+      }
+    },
+
+    submitDeploy() {
+      this.isDeploying = true;
+    },
+
+    formatTime(isoTime) {
+      return Alpine.store("utils").formatRelativeTime(isoTime);
+    },
+  }));
+
+  // ============================================
+  // Dashboard Page - Relative Time Updates
+  // ============================================
+  Alpine.data("dashboard", () => ({
+    init() {
+      // Update relative times every minute
+      setInterval(() => {
+        this.$el.querySelectorAll("[data-time]").forEach((el) => {
+          const time = el.getAttribute("data-time");
+          if (time) {
+            el.textContent = Alpine.store("utils").formatRelativeTime(time);
+          }
+        });
+      }, 60000);
+    },
+  }));
+});
+
+// ============================================
+// Legacy support - expose utilities globally
+// ============================================
+window.upaas = {
+  // These are kept for backwards compatibility but templates should use Alpine.js
+  formatRelativeTime(dateStr) {
+    if (!dateStr) return "";
+    const date = new Date(dateStr);
+    const now = new Date();
+    const diffMs = now - date;
+    const diffSec = Math.floor(diffMs / 1000);
+    const diffMin = Math.floor(diffSec / 60);
+    const diffHour = Math.floor(diffMin / 60);
+    const diffDay = Math.floor(diffHour / 24);
+
+    if (diffSec < 60) return "just now";
+    if (diffMin < 60)
+      return diffMin + (diffMin === 1 ? " minute ago" : " minutes ago");
+    if (diffHour < 24)
+      return diffHour + (diffHour === 1 ? " hour ago" : " hours ago");
+    if (diffDay < 7)
+      return diffDay + (diffDay === 1 ? " day ago" : " days ago");
+    return date.toLocaleDateString();
+  },
+  // Placeholder functions - templates should migrate to Alpine.js
+  initAppDetailPage() {},
+  initDeploymentsPage() {},
+};
+
+// Update relative times on page load for non-Alpine elements
+document.addEventListener("DOMContentLoaded", () => {
+  document.querySelectorAll(".relative-time[data-time]").forEach((el) => {
+    const time = el.getAttribute("data-time");
+    if (time) {
+      el.textContent = window.upaas.formatRelativeTime(time);
+    }
+  });
+});
--- a/static/js/components.js
+++ b/static/js/components.js
@@ -1,71 +0,0 @@
-/**
- * upaas - Reusable Alpine.js Components
- *
- * Small, self-contained components: copy button, confirm dialog,
- * auto-dismiss alerts, and relative time display.
- */
-
-document.addEventListener("alpine:init", () => {
-  // ============================================
-  // Copy Button Component
-  // ============================================
-  Alpine.data("copyButton", (targetId) => ({
-    copied: false,
-    async copy() {
-      const target = document.getElementById(targetId);
-      if (!target) return;
-      const text = target.textContent || target.value;
-      const success = await Alpine.store("utils").copyToClipboard(text);
-      if (success) {
-        this.copied = true;
-        setTimeout(() => {
-          this.copied = false;
-        }, 2000);
-      }
-    },
-  }));
-
-  // ============================================
-  // Confirm Action Component
-  // ============================================
-  Alpine.data("confirmAction", (message) => ({
-    confirm(event) {
-      if (!window.confirm(message)) {
-        event.preventDefault();
-      }
-    },
-  }));
-
-  // ============================================
-  // Auto-dismiss Alert Component
-  // ============================================
-  Alpine.data("autoDismiss", (delay = 5000) => ({
-    show: true,
-    init() {
-      setTimeout(() => {
-        this.dismiss();
-      }, delay);
-    },
-    dismiss() {
-      this.show = false;
-      setTimeout(() => {
-        this.$el.remove();
-      }, 300);
-    },
-  }));
-
-  // ============================================
-  // Relative Time Component
-  // ============================================
-  Alpine.data("relativeTime", (isoTime) => ({
-    display: "",
-    init() {
-      this.update();
-      // Update every minute
-      setInterval(() => this.update(), 60000);
-    },
-    update() {
-      this.display = Alpine.store("utils").formatRelativeTime(isoTime);
-    },
-  }));
-});
--- a/static/js/dashboard.js
+++ b/static/js/dashboard.js
@@ -1,21 +0,0 @@
-/**
- * upaas - Dashboard Page Component
- *
- * Periodically updates relative timestamps on the main dashboard.
- */
-
-document.addEventListener("alpine:init", () => {
-  Alpine.data("dashboard", () => ({
-    init() {
-      // Update relative times every minute
-      setInterval(() => {
-        this.$el.querySelectorAll("[data-time]").forEach((el) => {
-          const time = el.getAttribute("data-time");
-          if (time) {
-            el.textContent = Alpine.store("utils").formatRelativeTime(time);
-          }
-        });
-      }, 60000);
-    },
-  }));
-});
--- a/static/js/deployment.js
+++ b/static/js/deployment.js
@@ -1,176 +0,0 @@
-/**
- * upaas - Deployment Components
- *
- * Deployment card (individual deployment log viewer) and
- * deployments history page (list of all deployments).
- */
-
-document.addEventListener("alpine:init", () => {
-  // ============================================
-  // Deployment Card Component (for individual deployment cards)
-  // ============================================
-  Alpine.data("deploymentCard", (config) => ({
-    appId: config.appId,
-    deploymentId: config.deploymentId,
-    logs: "",
-    status: config.status || "",
-    pollInterval: null,
-    _autoScroll: true,
-
-    init() {
-      // Read initial logs from script tag (avoids escaping issues)
-      const initialLogsEl = this.$el.querySelector(".initial-logs");
-      this.logs = initialLogsEl?.dataset.logs || "Loading...";
-
-      // Set up scroll tracking
-      this.$nextTick(() => {
-        const wrapper = this.$refs.logsWrapper;
-        if (wrapper) {
-          wrapper.addEventListener('scroll', () => {
-            this._autoScroll = Alpine.store("utils").isScrolledToBottom(wrapper);
-          }, { passive: true });
-        }
-      });
-
-      // Only poll if deployment is in progress
-      if (Alpine.store("utils").isDeploying(this.status)) {
-        this.fetchLogs();
-        this.pollInterval = setInterval(() => this.fetchLogs(), 1000);
-      }
-    },
-
-    destroy() {
-      if (this.pollInterval) {
-        clearInterval(this.pollInterval);
-      }
-    },
-
-    async fetchLogs() {
-      try {
-        const res = await fetch(
-          `/apps/${this.appId}/deployments/${this.deploymentId}/logs`,
-        );
-        const data = await res.json();
-        const newLogs = data.logs || "No logs available";
-        const logsChanged = newLogs !== this.logs;
-        this.logs = newLogs;
-        this.status = data.status;
-
-        // Scroll to bottom only when content changes AND user hasn't scrolled up
-        if (logsChanged && this._autoScroll) {
-          this.$nextTick(() => {
-            Alpine.store("utils").scrollToBottom(this.$refs.logsWrapper);
-          });
-        }
-
-        // Stop polling if deployment is done
-        if (!Alpine.store("utils").isDeploying(data.status)) {
-          if (this.pollInterval) {
-            clearInterval(this.pollInterval);
-            this.pollInterval = null;
-          }
-          // Reload page to show final state with duration etc
-          window.location.reload();
-        }
-      } catch (err) {
-        console.error("Logs fetch error:", err);
-      }
-    },
-
-    get statusBadgeClass() {
-      return Alpine.store("utils").statusBadgeClass(this.status);
-    },
-
-    get statusLabel() {
-      return Alpine.store("utils").statusLabel(this.status);
-    },
-  }));
-
-  // ============================================
-  // Deployments History Page Component
-  // ============================================
-  Alpine.data("deploymentsPage", (config) => ({
-    appId: config.appId,
-    currentDeploymentId: null,
-    isDeploying: false,
-
-    init() {
-      // Check for in-progress deployments on page load
-      const inProgressCard = document.querySelector(
-        '[data-status="building"], [data-status="deploying"]',
-      );
-      if (inProgressCard) {
-        this.currentDeploymentId = parseInt(
-          inProgressCard.getAttribute("data-deployment-id"),
-          10,
-        );
-        this.isDeploying = true;
-      }
-
-      this.fetchAppStatus();
-      this._scheduleStatusPoll();
-    },
-
-    _statusPollTimer: null,
-
-    _scheduleStatusPoll() {
-      if (this._statusPollTimer) clearTimeout(this._statusPollTimer);
-      const interval = this.isDeploying ? 1000 : 10000;
-      this._statusPollTimer = setTimeout(() => {
-        this.fetchAppStatus();
-        this._scheduleStatusPoll();
-      }, interval);
-    },
-
-    async fetchAppStatus() {
-      try {
-        const res = await fetch(`/apps/${this.appId}/status`);
-        const data = await res.json();
-        // Use deployment status, not app status - it's more reliable during transitions
-        const deploying = Alpine.store("utils").isDeploying(
-          data.latestDeploymentStatus,
-        );
-
-        // Detect new deployment
-        if (
-          data.latestDeploymentID &&
-          data.latestDeploymentID !== this.currentDeploymentId
-        ) {
-          // Check if we have a card for this deployment
-          const hasCard = document.querySelector(
-            `[data-deployment-id="${data.latestDeploymentID}"]`,
-          );
-
-          if (deploying && !hasCard) {
-            // New deployment started but no card exists - reload to show it
-            window.location.reload();
-
-            return;
-          }
-
-          this.currentDeploymentId = data.latestDeploymentID;
-        }
-
-        // Update deploying state based on latest deployment status
-        if (deploying && !this.isDeploying) {
-          this.isDeploying = true;
-          this._scheduleStatusPoll(); // Switch to fast polling
-        } else if (!deploying && this.isDeploying) {
-          // Deployment finished - reload to show final state
-          this.isDeploying = false;
-          window.location.reload();
-        }
-      } catch (err) {
-        console.error("Status fetch error:", err);
-      }
-    },
-
-    submitDeploy() {
-      this.isDeploying = true;
-    },
-
-    formatTime(isoTime) {
-      return Alpine.store("utils").formatRelativeTime(isoTime);
-    },
-  }));
-});
--- a/static/js/utils.js
+++ b/static/js/utils.js
@@ -1,143 +0,0 @@
-/**
- * upaas - Global Utilities Store
- *
- * Shared formatting, status helpers, and clipboard utilities used across all pages.
- */
-
-document.addEventListener("alpine:init", () => {
-  Alpine.store("utils", {
-    /**
-     * Format a date string as relative time (e.g., "5 minutes ago")
-     */
-    formatRelativeTime(dateStr) {
-      if (!dateStr) return "";
-      const date = new Date(dateStr);
-      const now = new Date();
-      const diffMs = now - date;
-      const diffSec = Math.floor(diffMs / 1000);
-      const diffMin = Math.floor(diffSec / 60);
-      const diffHour = Math.floor(diffMin / 60);
-      const diffDay = Math.floor(diffHour / 24);
-
-      if (diffSec < 60) return "just now";
-      if (diffMin < 60)
-        return diffMin + (diffMin === 1 ? " minute ago" : " minutes ago");
-      if (diffHour < 24)
-        return diffHour + (diffHour === 1 ? " hour ago" : " hours ago");
-      if (diffDay < 7)
-        return diffDay + (diffDay === 1 ? " day ago" : " days ago");
-      return date.toLocaleDateString();
-    },
-
-    /**
-     * Get the badge class for a given status
-     */
-    statusBadgeClass(status) {
-      if (status === "running" || status === "success") return "badge-success";
-      if (status === "building" || status === "deploying")
-        return "badge-warning";
-      if (status === "failed" || status === "error") return "badge-error";
-      return "badge-neutral";
-    },
-
-    /**
-     * Format status for display (capitalize first letter)
-     */
-    statusLabel(status) {
-      if (!status) return "";
-      return status.charAt(0).toUpperCase() + status.slice(1);
-    },
-
-    /**
-     * Check if status indicates active deployment
-     */
-    isDeploying(status) {
-      return status === "building" || status === "deploying";
-    },
-
-    /**
-     * Scroll an element to the bottom
-     */
-    scrollToBottom(el) {
-      if (el) {
-        requestAnimationFrame(() => {
-          el.scrollTop = el.scrollHeight;
-        });
-      }
-    },
-
-    /**
-     * Check if a scrollable element is at (or near) the bottom.
-     * Tolerance of 30px accounts for rounding and partial lines.
-     */
-    isScrolledToBottom(el, tolerance = 30) {
-      if (!el) return true;
-      return el.scrollHeight - el.scrollTop - el.clientHeight <= tolerance;
-    },
-
-    /**
-     * Copy text to clipboard
-     */
-    async copyToClipboard(text, button) {
-      try {
-        await navigator.clipboard.writeText(text);
-        return true;
-      } catch (err) {
-        // Fallback for older browsers
-        const textArea = document.createElement("textarea");
-        textArea.value = text;
-        textArea.style.position = "fixed";
-        textArea.style.left = "-9999px";
-        document.body.appendChild(textArea);
-        textArea.select();
-        try {
-          document.execCommand("copy");
-          document.body.removeChild(textArea);
-          return true;
-        } catch (e) {
-          document.body.removeChild(textArea);
-          return false;
-        }
-      }
-    },
-  });
-});
-
-// ============================================
-// Legacy support - expose utilities globally
-// ============================================
-window.upaas = {
-  // These are kept for backwards compatibility but templates should use Alpine.js
-  formatRelativeTime(dateStr) {
-    if (!dateStr) return "";
-    const date = new Date(dateStr);
-    const now = new Date();
-    const diffMs = now - date;
-    const diffSec = Math.floor(diffMs / 1000);
-    const diffMin = Math.floor(diffSec / 60);
-    const diffHour = Math.floor(diffMin / 60);
-    const diffDay = Math.floor(diffHour / 24);
-
-    if (diffSec < 60) return "just now";
-    if (diffMin < 60)
-      return diffMin + (diffMin === 1 ? " minute ago" : " minutes ago");
-    if (diffHour < 24)
-      return diffHour + (diffHour === 1 ? " hour ago" : " hours ago");
-    if (diffDay < 7)
-      return diffDay + (diffDay === 1 ? " day ago" : " days ago");
-    return date.toLocaleDateString();
-  },
-  // Placeholder functions - templates should migrate to Alpine.js
-  initAppDetailPage() {},
-  initDeploymentsPage() {},
-};
-
-// Update relative times on page load for non-Alpine elements
-document.addEventListener("DOMContentLoaded", () => {
-  document.querySelectorAll(".relative-time[data-time]").forEach((el) => {
-    const time = el.getAttribute("data-time");
-    if (time) {
-      el.textContent = window.upaas.formatRelativeTime(time);
-    }
-  });
-});
--- a/templates/base.html
+++ b/templates/base.html
@@ -15,11 +15,7 @@
    </div>
    {{template "footer" .}}
    <script defer src="/s/js/alpine.min.js"></script>
-    <script src="/s/js/utils.js"></script>
-    <script src="/s/js/components.js"></script>
-    <script src="/s/js/app-detail.js"></script>
-    <script src="/s/js/deployment.js"></script>
-    <script src="/s/js/dashboard.js"></script>
+    <script src="/s/js/app.js"></script>
 </body>
 </html>
 {{end}}
--- a/templates/dashboard.html
+++ b/templates/dashboard.html
@@ -69,7 +69,7 @@
                            <a href="/apps/{{.App.ID}}" class="btn-text text-sm py-1 px-2">View</a>
                            <a href="/apps/{{.App.ID}}/edit" class="btn-secondary text-sm py-1 px-2">Edit</a>
                            <form method="POST" action="/apps/{{.App.ID}}/deploy" class="inline">
-                {{ $.CSRFField }}
+                {{ .CSRFField }}
                                <button type="submit" class="btn-success text-sm py-1 px-2">Deploy</button>
                            </form>
                        </div>
--- a/templates/deployments.html
+++ b/templates/deployments.html
@@ -98,7 +98,7 @@
                        title="Scroll to bottom"
                    >↓ Follow</button>
                </div>
-                {{if .Logs.Valid}}<div hidden class="initial-logs" data-logs="{{.Logs.String}}"></div>{{end}}
+                {{if .Logs.Valid}}<script type="text/plain" class="initial-logs">{{.Logs.String}}</script>{{end}}
            </div>
            {{end}}
        </div>
Author	SHA1	Message	Date
clawbot	e73409b567	fix: resolve lint issues for make check compliance	2026-02-19 23:43:41 -08:00
clawbot	a891fb2489	fix: increase API token entropy from 128 to 256 bits Change token random bytes from 16 to 32, producing tokens with upaas_ prefix + 64 hex characters instead of 32.	2026-02-19 23:43:22 -08:00
clawbot	96eea71c54	fix: set authenticated user on request context in bearer token auth tryBearerAuth validated the bearer token but never looked up the associated user or set it on the request context. This meant downstream handlers calling GetCurrentUser would get nil even with a valid token. Changes: - Add ContextWithUser/UserFromContext helpers in auth package - tryBearerAuth now looks up the user by token's UserID and sets it on the request context via auth.ContextWithUser - GetCurrentUser checks context first before falling back to session cookie - Add integration tests for bearer auth user context	2026-02-19 23:43:22 -08:00
clawbot	7387ba6b5c	feat: add API token authentication (closes #87 ) - Add api_tokens table migration (007) - Add APIToken model with CRUD operations - Generate tokens with upaas_ prefix + 32 hex chars - Store SHA-256 hash of tokens (not plaintext) - Update APISessionAuth middleware to check Bearer tokens - Add POST/GET/DELETE /api/v1/tokens endpoints - Token creation returns plaintext once; list never exposes it - Expired and revoked tokens are rejected - Tests for creation, listing, deletion, bearer auth, revocation	2026-02-19 23:43:22 -08:00