refactor: export SanitizeTail and DefaultLogTail directly instead of wrapping

- Rename sanitizeTail → SanitizeTail (exported)
- Rename defaultLogTail → DefaultLogTail (exported)
- Delete export_test.go (no longer needed)
- Update test to reference handlers.SanitizeTail/DefaultLogTail directly

internal/handlers/app.go

@@ -382,22 +382,22 @@ func (h *Handlers) HandleAppDeployments() http.HandlerFunc {
 	}
 }
 
-// defaultLogTail is the default number of log lines to fetch.
-const defaultLogTail = "500"
+// DefaultLogTail is the default number of log lines to fetch.
+const DefaultLogTail = "500"
 
 // maxLogTail is the maximum allowed value for the tail parameter.
 const maxLogTail = 500
 
-// sanitizeTail validates and clamps the tail query parameter.
+// SanitizeTail validates and clamps the tail query parameter.
 // It returns a numeric string clamped to maxLogTail, or the default if invalid.
-func sanitizeTail(raw string) string {
+func SanitizeTail(raw string) string {
 	if raw == "" {
-		return defaultLogTail
+		return DefaultLogTail
 	}
 
 	n, err := strconv.Atoi(raw)
 	if err != nil || n < 1 {
-		return defaultLogTail
+		return DefaultLogTail
 	}
 
 	if n > maxLogTail {
@@ -428,7 +428,7 @@ func (h *Handlers) HandleAppLogs() http.HandlerFunc {
 			return
 		}
 
-		tail := sanitizeTail(request.URL.Query().Get("tail"))
+		tail := SanitizeTail(request.URL.Query().Get("tail"))
 
 		logs, logsErr := h.docker.ContainerLogs(
 			request.Context(),

internal/handlers/export_test.go

@@ -1,9 +0,0 @@
-package handlers
-
-// ExportedSanitizeTail wraps sanitizeTail for external tests.
-func ExportedSanitizeTail(input string) string {
-	return sanitizeTail(input)
-}
-
-// ExportedDefaultLogTail exports defaultLogTail for external tests.
-const ExportedDefaultLogTail = defaultLogTail

internal/handlers/tail_validation_test.go

@@ -14,16 +14,16 @@ func TestSanitizeTail(t *testing.T) {
 		input    string
 		expected string
 	}{
-		{"empty uses default", "", handlers.ExportedDefaultLogTail},
+		{"empty uses default", "", handlers.DefaultLogTail},
 		{"valid small number", "50", "50"},
 		{"valid max boundary", "500", "500"},
 		{"exceeds max clamped", "501", "500"},
 		{"very large clamped", "999999", "500"},
-		{"non-numeric uses default", "abc", handlers.ExportedDefaultLogTail},
-		{"all keyword uses default", "all", handlers.ExportedDefaultLogTail},
-		{"negative uses default", "-1", handlers.ExportedDefaultLogTail},
-		{"zero uses default", "0", handlers.ExportedDefaultLogTail},
-		{"float uses default", "1.5", handlers.ExportedDefaultLogTail},
+		{"non-numeric uses default", "abc", handlers.DefaultLogTail},
+		{"all keyword uses default", "all", handlers.DefaultLogTail},
+		{"negative uses default", "-1", handlers.DefaultLogTail},
+		{"zero uses default", "0", handlers.DefaultLogTail},
+		{"float uses default", "1.5", handlers.DefaultLogTail},
 		{"one is valid", "1", "1"},
 	}
 
@@ -31,7 +31,7 @@ func TestSanitizeTail(t *testing.T) {
 		t.Run(tc.name, func(t *testing.T) {
 			t.Parallel()
 
-			got := handlers.ExportedSanitizeTail(tc.input)
+			got := handlers.SanitizeTail(tc.input)
 			if got != tc.expected {
 				t.Errorf("sanitizeTail(%q) = %q, want %q", tc.input, got, tc.expected)
 			}

internal/service/auth/auth.go

@@ -10,7 +10,6 @@ import (
 	"log/slog"
 	"net/http"
 	"strings"
-	"time"
 
 	"github.com/gorilla/sessions"
 	"go.uber.org/fx"
@@ -269,7 +268,7 @@ func (svc *Service) DestroySession(
 		return fmt.Errorf("failed to get session: %w", err)
 	}
 
-	session.Options.MaxAge = -1 * int(time.Second)
+	session.Options.MaxAge = -1
 
 	saveErr := session.Save(request, respWriter)
 	if saveErr != nil {

internal/service/auth/auth_test.go

@@ -369,3 +369,38 @@ func TestAuthenticate(testingT *testing.T) {
 		assert.ErrorIs(t, err, auth.ErrInvalidCredentials)
 	})
 }
+
+func TestDestroySessionMaxAge(testingT *testing.T) {
+	testingT.Parallel()
+
+	testingT.Run("sets MaxAge to exactly -1", func(t *testing.T) {
+		t.Parallel()
+
+		svc, cleanup := setupTestService(t)
+		defer cleanup()
+
+		recorder := httptest.NewRecorder()
+		request := httptest.NewRequest(http.MethodGet, "/", nil)
+
+		err := svc.DestroySession(recorder, request)
+		require.NoError(t, err)
+
+		// Check the Set-Cookie header to verify MaxAge is -1 (immediate expiry).
+		// With MaxAge = -1, the cookie should have Max-Age=0 in the HTTP header
+		// (per http.Cookie semantics: negative MaxAge means delete now).
+		cookies := recorder.Result().Cookies()
+		require.NotEmpty(t, cookies, "expected a Set-Cookie header")
+
+		found := false
+
+		for _, c := range cookies {
+			if c.MaxAge < 0 {
+				found = true
+
+				break
+			}
+		}
+
+		assert.True(t, found, "expected a cookie with negative MaxAge (deletion)")
+	})
+}